Security trends 2017

2017 will bring no turn towards better data security. The internet is rife with threats, both well-known and unknown, and companies’ systems are expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 from that date, and they will mark these websites as insecure. A third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
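The check a site owner wants here is whether a certificate is actually signed with SHA-1. The script below is an added example, not code from the original post: it walks the outer DER structure of an X.509 certificate (tbsCertificate, signatureAlgorithm, signatureValue) and reports the signature algorithm OID. The sample certificate it builds is a constructed placeholder with a meaningless body and dummy signature bytes; only the AlgorithmIdentifier is realistic.

```python
"""Flag X.509 certificates signed with SHA-1 by reading the outer DER structure:
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
Added example; the sample certificate built below is a constructed placeholder."""
import base64

# Signature-algorithm OIDs that browsers stop trusting after the SHA-1 cut-off.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
# A few SHA-2 OIDs as well, so the report can name what it found.
KNOWN_OIDS = {
    **SHA1_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents to dotted notation."""
    arcs = [contents[0] // 40, contents[0] % 40]
    acc = 0
    for b in contents[1:]:                    # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)          # tbsCertificate: skipped entirely
    tag, alg_id, _ = read_tlv(cert, pos)      # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)         # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def uses_sha1(cert_der):
    """Return (is_sha1, algorithm_name) for a DER-encoded certificate."""
    oid = signature_algorithm(cert_der)
    return oid in SHA1_SIGNATURE_OIDS, KNOWN_OIDS.get(oid, oid)

def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode the body (for real cert files)."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

# --- constructed sample: only the AlgorithmIdentifier is realistic ---------------
def tlv(tag, contents):
    """Encode one DER element, using the long length form when needed."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def constructed_certificate(sig_oid):
    """Structurally valid Certificate with a placeholder body and a dummy signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                      # SEQUENCE { INTEGER 1 }
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")       # OID + NULL parameters
    sig = tlv(0x03, b"\x00" + b"\xAA" * 200)                 # BIT STRING, long-form length
    return tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        flagged, name = uses_sha1(constructed_certificate(oid))
        print(f"{name}: {'SHA-1, will be distrusted' if flagged else 'ok'}")
```

Run it over every certificate in a served chain except the trusted root, since browsers do not evaluate the self-signature on a root they already trust.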

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for a biometric identifier to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group says in its latest report that encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into an encrypted system (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world, and as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers, which increases the need to use telecom operator and external services. In addition to service disruption, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ must be added to our existing ethical and philosophic concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be considered as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smart phone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security that meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Block chains have been a big trend for several years, and the block chain market is divided as 2017 starts. During the autumn of 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen Ethereum as its block chain platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own block chains on the Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to run their block chains in the cloud.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

3,151 Comments

  1. Tomi Engdahl says:

    The Amazon S3 Outage Is What Happens When One Site Hosts Too Much of the Internet
    https://www.wired.com/2017/02/happens-one-site-hosts-entire-internet/

    If you’ve been having trouble using some of your favorite apps today, you’re not alone. Users have reported trouble with sites and apps like Medium, Slack, and Trello.

    The problems seem to stem from trouble with Amazon’s cloud storage service S3, which Amazon confirmed is experiencing “high error rates,” particularly on the East Coast. Several other Amazon services appear to be having problems as well, but countless sites rely on S3 to host images and other files. Even Amazon’s site itself relies on S3, leading to some baffling updates from the company.

    The outages bring to mind the attack on an internet company called Dyn last October that brought much of the web to its knees. Technologically, the S3 outage doesn’t bear much resemblance to the Dyn incident, but the effect is similar: So many sites and apps are down that it feels almost like the internet itself is malfunctioning. That flies right in the face of the promise of the internet.

    The Amazon outage and the attack on Dyn prove that the internet is actually pretty brittle.

    The “winner takes all” dynamic of the tech industry concentrates more and more power into fewer and fewer companies. That consolidation has implications for competition but also affects the resilience of the internet itself. So many people rely on Gmail that when the service goes down, it’s as if email itself has gone offline, even though countless other email providers exist. Facebook is practically synonymous with the internet for many people all over the world.

    Amazon plays its own outsized role. Amazon won’t say exactly how big its cloud is, but in 2012 one analyst estimated that Amazon hosted around 1 percent of the entire web. It has only grown since then.

    The S3 storage service alone hosts about 1.6 times more data than its major competitors combined, according to the analyst firm Gartner.

    Even many sites not fully hosted by Amazon take advantage of its Cloudfront service.

    According to the firm Datanyze, Cloudfront is by far the most widely used service of its kind. Meanwhile, Google and Microsoft—two other giants—have emerged as Amazon’s major cloud competitors.

    Amazon’s cloud itself relies on the decentralization of the internet. It has servers all over the world, though customers generally pick which regions to host their data. Even within a region, Amazon has multiple data centers in case one goes offline. But Amazon occasionally runs into problems that knock out services for an entire region.

  2. Tomi Engdahl says:

    Kara Swisher / Recode:
    Yahoo’s head lawyer Ron Bell was fired over 2014 breach; CEO Marissa Mayer lost cash bonuses from 2016 and stock awards from 2017 — The blame for the massive breach falls on Ron Bell and not where it belongs — at the top. — Yahoo’s CEO Marissa Mayer has gotten her pay docked …

    Yahoo’s head lawyer is taking the fall for its hacking, while CEO Marissa Mayer is getting her pay docked
    The blame for the massive breach falls on Ron Bell and not where it belongs — at the top.
    http://www.recode.net/2017/3/1/14783686/yahoos-lawyer-ousted-hacking-marissa-mayer-pay-docked

    Yahoo’s CEO Marissa Mayer has gotten her pay docked — giving up a cash bonus from 2016 and a stock award for 2017, which seems to be worth about $14 million — for the massive breach of the Internet giant’s customer database.

    Recode first broke the news of the incursion, which has impacted hundreds of millions of users of the service, revealing all kinds of sensitive information.

    But, said an independent committee, Mayer did not mean to run such a loose security ship, noting, it “did not conclude that there was an intentional suppression of relevant information.”

    So when is the lawyer the one who gets dinged for hacking screw-ups? Never. Let’s be clear, most people inside Yahoo think Mayer and the board should have shouldered the bulk of the blame for the breach.

    Dan Goodin / Ars Technica:
    Yahoo says forged cookie hack affected 32M accounts, targeted 26 specific accounts, and was connected to the same state-sponsored attackers behind 2014 breach — Nation-sponsored attackers targeted 26 specific accounts. — Yahoo CEO Marissa Mayer said she’ll forgo her 2016 bonus …

    Yahoo cookie hacks affected 32 million accounts, CEO forgoes bonus
    Nation-sponsored attackers targeted 26 specific accounts.
    https://arstechnica.com/security/2017/03/marissa-mayer-forgoes-bonus-after-yahoo-botches-hack-investigation/

    Yahoo CEO Marissa Mayer said she’ll forgo her 2016 bonus and any stock award for this year after the company admitted it failed to properly investigate hack attacks that compromised more than a billion user accounts.

    “When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies,” she wrote in a note published Monday on Tumblr. “However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016.”

  3. Tomi Engdahl says:

    Reuters:
    White House official: the administration doesn’t want to reform FISA surveillance law, supports its “clean reauthorization”

    White House supports renewal of spy law without reforms: official
    http://www.reuters.com/article/us-usa-trump-fisa-idUSKBN16855P

    The Trump administration does not want to reform an internet surveillance law to address privacy concerns, a White House official told Reuters on Wednesday, saying it is needed to protect national security.

    The announcement could put President Donald Trump on a collision course with Congress, where some Republicans and Democrats have advocated curtailing the Foreign Intelligence Surveillance Act, or FISA, parts of which are due to expire at the end of the year.

    “We support the clean reauthorization and the administration believes it’s necessary to protect the security of the nation,” the official said on condition of anonymity.

  4. Tomi Engdahl says:

    Dan Frommer / Recode:
    Twitter ramps up proactive measures against abusive accounts and now lets users mute specific words from their timelines and mute accounts without profile pics — Most importantly, Twitter is speeding up its pace of taking action against harassment. — Twitter is announcing a few new anti-harassment features today:

    Twitter will now let you mute specific words from your timeline — and mute ‘eggs’ without profile photos
    Most importantly, Twitter is speeding up its pace of taking action against harassment.
    http://www.recode.net/2017/3/1/14776186/twitter-mute-timeline-eggs

  5. Tomi Engdahl says:

    Business cyber security very weak

    According to Accenture’s recent security index, only one-third, or 34 percent, of organizations have the necessary skills to monitor critical areas of the business. “Cyber security has reached a turning point. Companies have not kept pace with highly motivated and skilled attackers,” says Accenture’s Finnish security director Yacine Zaitri.

    Accenture’s recent study shows that up to 73 per cent of organizations around the world are not able to fully protect the company’s most important information assets and processes from cyber threats.

    According to Zaitri, this requires that the organization adopt a new approach to security. It must protect enterprises from the inside out, through the entire business value chain.

    Source: http://www.etn.fi/index.php/13-news/5935-yritysten-kybersuojaus-erittain-heikkoa

    More: https://www.accenture.com/us-en/insight-accenture-security-index

  6. Tomi Engdahl says:

    Encryption Smackdown: PlayStation 4 vs. Xbox One!
    http://www.securityweek.com/encryption-smackdown-playstation-4-vs-xbox-one

    TLS Protocol Preference: Same

    Forward Secrecy Winner: Xbox One

    Symmetric Key Winner: Xbox One

    Certificate Winner: Xbox One

    SSL Server Score Winner: Xbox One

    So, Kudos to Microsoft’s Xbox One console, which is the clear winner in this Encryption Smackdown!

  7. Tomi Engdahl says:

    Online Fraud in the U.S. Grew Dramatically Post-EMV
    http://www.securityweek.com/online-fraud-us-grew-dramatically-post-emv

    The introduction of EMV (Europay, MasterCard, Visa) cards, also known as chip-and-PIN cards, into the U.S. has had the expected effect: with card-present fraud more difficult, fraudsters have moved to on-line card-not-present fraud. Domestic online fraud became 79% riskier in 2016 than it had been in 2015, according to figures from the Forter/MRC Fraud Attack Index.

    The relative simplicity of cloning non-EMV cards made domestic (i.e., US) off-line card-present fraud attractive. This is no longer easy. The introduction of more secure EMV cards has driven fraudsters from card-present to card-not-present fraud — EMV was never going to eliminate fraud, it was merely going to change its nature. This is shown in the fraud attack index for 2016, rising from $2.7 in Q4 2015 to $4.98 in Q4 2016.

    The greater part of international fraud against US merchants has always been on-line, and is always a higher risk than domestic fraud. In absolute terms, it decreased by 13% compared to 2015 but is still 62.4% riskier than domestic fraud.

    For online fraud, the criminals need to obtain the victims’ payment credentials. Forter notes a shift in account takeover (ATO) against merchant sites to ATO against online payment accounts. “A growing recent trend in the realm of account takeover (ATO),”

    Forter puts this shift down to improvements in merchants’ cyber security combined with the ‘unprecedented data breaches of the last few years.’ These “included account and password information and this, combined with the fact that many consumers continue to reuse passwords across multiple accounts, has made this form of attack easier to carry out.”

    The big target in this shift to online fraud has been clothing — apparel. Attacks against apparel rose 69.9% over 2016. “This is partly due to fraudsters who are moving online post-EMV continuing to operate in an industry with which they are comfortable,”

    The Forter/MRC Fraud Attack Index
    http://l.forter.com/hubfs/Global%20Fraud%20Index_09%20(2).pdf

  8. Tomi Engdahl says:

    WordPress Plugin With 1 Million Installs Has Critical Flaw
    http://www.securityweek.com/wordpress-plugin-1-million-installs-has-critical-flaw

    Researchers discovered that NextGEN Gallery, a WordPress image gallery plugin that has more than 1 million active installs, is affected by a critical SQL injection vulnerability.

  9. Tomi Engdahl says:

    The Importance of Speaking the Same Language in Security
    http://www.securityweek.com/importance-speaking-same-language-security

    Security Leaders Must Speak the Language of the Audience They Are Trying to Communicate With

    On the webinar, we discussed various aspects of the CISO role, and how they relate to the long term career of a CISO. One of the aspects we discussed was the need to communicate clearly upwards (to executives and the board) downwards (to those within the security organization), and “sideways” (to other key stakeholders).

    As those of you who travel know, there are always a few conversations that must take place in the local language.

    As security leaders, we need to speak the language of the audience we’re trying to communicate with. Risk, reporting, and metrics are three important topics within information security, and they all mean drastically different things to different audiences.

    A good security leader needs to speak several different “languages” on a continual basis. Even if a given audience understands the material you are trying to communicate to them, they will not be able to internalize the message you want to convey unless it is communicated in terms they can understand.

  10. Tomi Engdahl says:

    Building an ICS cybersecurity ecosystem
    http://www.controleng.com/single-article/building-an-ics-cybersecurity-ecosystem/c34c70df3c1d3bfd89702d09643da363.html

    Companies, governments, and vendors need to develop a cyber ecosystem that encompasses more than just the four walls of their organization to help mitigate a threat that becomes more sophisticated every single day.

    Government organizations, private companies, and public-private partnerships that operate critical infrastructure are facing significant security risks as attacks against industrial control systems (ICSs) grow in volume. Control systems are becoming more interconnected and Ethernet-based architectures are more common for companies, despite their increased potential security risks. ICSs are an integral part of critical infrastructure that facilitates operations in vital industries that people rely on every day. Developing a cyber ecosystem that encompasses more than just the four walls of a company is critical in mitigating a threat that grows every single day.

    Threats and cyber incidents—malicious or accidental—occur every day on industrial control networks. It is easier than ever to exploit vulnerabilities in industrial protocols, networks, and equipment.

    Corporations and government organizations must collaborate to further develop critical infrastructure protection solutions that do more than meet the minimum requirements.

    The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems: Automation, interoperability, and authentication.

    Automation — enabling rapid incident detection and response. Automation is a strategy that incorporates making decisions with specified actions as a response to cyber situations at machine speed instead of human response speed.
    Interoperability — enabling distributed threat detection across devices. Interoperability must remove the technical constraints from organizations, so that they collaborate seamlessly in cyber defense automation.
    Authentication — enabling trusted communication for automated collaboration in a secure manner. As automated decisions are made, authentication provides the assurance that the partners involved are authentic.

    Maintaining ICS integrity requires a thorough understanding of the communication standards used among all the various ICS components to maintain safe and efficient operations. In this cyber-physical layer, it can be difficult to spot communications errors, cybersecurity threats, and poor network health problems. The symptoms are obvious: sluggish human-machine interface (HMI) updates, unexplained shutdowns, and precarious failures of ICS components. A robust and healthy operational technology (OT) network is key to preventing these failures.

  11. Tomi Engdahl says:

    The Black Report
    https://www.nuix.com/download/White%20paper%20-%20The%20Black%20Report

    There’s no shortage of research reports about cybersecurity. A web search for the term “cybersecurity reports” yielded 11.5 million results; the top hits included such familiar names as Mandiant–FireEye, Dell, IBM, AT&T, Cisco, Google, Microsoft, ISACA, Verizon, Symantec, Trustwave, and Force Point.

    With so many of the biggest names in the industry publishing reports, how can yet another report provide additional value or insight? How can it avoid being white noise? Let’s suppose that new report was fundamentally different than the rest; it reported new information from a unique perspective in a way that showed being different would actually make a difference.

    The Template for a Generic Cybersecurity Report

    During my tenure in the cybersecurity space, I have read literally hundreds of threat reports that all seemed to report the same thing. While there were variations in the data samples upon which the reports based their findings and conclusions, the overall messaging remained constant:

    • Attacks are happening all over the world
    • Attacks are growing in frequency across all target verticals
    • No data is safe
    • Organizations are failing to prevent or detect attacks in any sort of meaningful way
    • Governments all over the world are looking to introduce legislation to compel the private sector to increase its security posture

    There is clearly value in providing measurable statistics that security professionals can use to communicate the gravity of the challenges they face to executive decision makers and boards of directors. These reports lend credence to the difficult messages that they need to deliver and that the business needs to understand: This is not a game, the threat is real, and we either take preventative measures now or (much more difficult and expensive) reactive measures later. But are those messages telling the right story in the right way to the target audience?

    Countless security vendors and solution providers have claimed their widgets were all you needed to prevent attacks and if you would only buy this feature or that add-on, your organization would be practically un-hackable. Well, we all bought their solutions, deployed them within our environments, and expected to be safe; yet we were still compromised.

    The data and articles contained in this report will illuminate the true nexus between attacker methodology and defensive posture; showing you which countermeasures will improve your security posture and which are a waste of money and resources.

  12. Tomi Engdahl says:

    DDoS attacks over 100 Gbps increase 140%
    This entry was posted on Thursday, February 23rd, 2017.
    https://www.rambus.com/blogs/ddos-attacks-over-100-gbps-increase-140/

    A recent report published by Akamai confirms a 140% percent year-over-year increase in DDoS attacks greater than 100 Gbps. The report also notes that 7 of the 12 Q4 2016 “mega attacks” with traffic greater than 100 Gbps can be directly attributed to the Mirai botnet.

    Interestingly, the number of IP addresses involved in DDoS attacks grew significantly in Q4 2016, despite DDoS attack totals dropping overall. Perhaps not surprisingly, the United States sourced the most IP addresses participating in DDoS attacks – totaling more than 180,000.

    “As we saw with the Mirai botnet attacks during the third quarter, unsecured Internet of Things (IoT) devices continued to drive significant DDoS attack traffic,” stated Akamai’s Martin McKeay. “With the predicted exponential proliferation of these devices, threat agents will have an expanding pool of resources to carry out attacks, validating the need for companies to increase their security investments. Additional emerging system vulnerabilities are expected before devices become more secure.”

    Akamai’s report follows an equally sobering warning from Juniper Research that cybersecurity has reached a “boiling point” as the threat landscape continues to widen.

    As we’ve previously discussed on Rambus Press, Mirai malware infects vulnerable IoT devices by continuously scanning the Internet for systems utilizing factory default or hard-coded usernames and passwords. According to cybersecurity journalist Brian Krebs, vulnerable devices are then seeded with malicious software that turns them into ‘bots,’

    It is therefore important for consumers to be cognizant of the very real threat posed by insecure IoT devices, such as connected appliances, routers, IP cameras and digital video recorders. Unlike PCs and mobile devices such as tablets or smartphones, serious or even critical vulnerabilities are very rarely addressed with firmware updates by manufacturers in a timely manner.

    The number of devices, sensors and actuators is projected to reach over 46 billion by 2021, making the specter of attackers exploiting vulnerable and poorly secured IoT devices loom ever larger.

    One approach to achieving a safer IoT environment would see devices secured throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning. This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and cloud services.

    Akamai Releases Fourth Quarter 2016 State of the Internet / Security Report
    Q4 report highlights a 140 percent year-over-year increase in DDoS attacks greater than 100 Gbps; SQLi web application attacks increased by 44 percent year-over-year
    https://www.akamai.com/us/en/about/news/press/2017-press/akamai-releases-fourth-quarter-2016-state-of-the-internet-security-report.jsp

    Reply
  13. Tomi Engdahl says:

    The massive AWS outage hurt 54 of the top 100 internet retailers — but not Amazon
    http://www.businessinsider.com/aws-outage-hurt-internet-retailers-except-amazon-2017-3?r=US&IR=T&IR=T

    Amazon Web Services has become so powerful that when it goes down, it takes down a large chunk of the internet with it, as the world found out Tuesday.

    Systems were back to normal on Wednesday, according to the company and other sources that watch the internet. Amazon has yet to offer a detailed explanation on what happened and why its S3 cloud storage service went awry.

    The problem highlighted one scary thought for internet businesses: that a single company, Amazon, and its technology are responsible for much of the revenue to be made in cyberspace.

    During AWS’ four-hour disruption, S&P 500 companies lost $150 million, according to analysis by Cyence.

    54 of the top 100 internet retailers were affected with a decrease of 20% or greater in performance, and three websites went down completely: Express, Lululemon, and One Kings Lane.

    Websites that on average usually require a few seconds to load took more than 30 seconds.

    Amazon and its e-commerce sites like Zappos were most likely spared for an easy reason: They have designed their sites to spread themselves across multiple Amazon geographic zones, so if a problem crops up in one zone, it doesn’t hurt them. This is, naturally, the recommended way to use a cloud service.

    But it’s also more complicated and more expensive, things that most other e-commerce sites would prefer to avoid.

    When AWS flatlines like that, almost the whole internet is in trouble.

    Reply
  14. Tomi Engdahl says:

    $310m AWS S3-izure: Why everyone put their eggs in one region
    Lessons learned from Tuesday’s cloud, er, fog storage mega-failure
    https://www.theregister.co.uk/2017/03/02/aws_s3_meltdown/

    The system breakdown – or as AWS put it, “increased error rates” – knocked out a single region of the AWS S3 storage service on Tuesday. That in turn brought down AWS’s hosted services in the region, preventing EC2 instances from launching, Elastic Beanstalk from working, and so on. In the process, organizations from Docker and Slack to Nest, Adobe and Salesforce.com had some or all of their services knocked offline for the duration.

    According to analytics firm Cyence, S&P 500 companies alone lost about $150m (£122m) from the downtime, while financial services companies in the US dropped an estimated $160m (£130m).

    The epicenter of the outage was one region on the east coast of America: the US-East-1 facility in Virginia. Due to its lower cost and familiarity with application programmers, that one location is an immensely popular destination for companies that use AWS for their cloud storage and virtual machine instances.

    Coders are, ideally, supposed to spread their software over multiple regions so any failures can be absorbed and recovered from. This is, to be blunt, too difficult to implement for some developers; it introduces extra complexity which means extra bugs, which makes engineers wary; and it pushes up costs.

    For instance, for the first 50TB, S3 storage in US-East-1 costs $0.023 per GB per month compared to $0.026 for US-West-1 in California. Transferring information between apps distributed across multiple data centers also costs money:

    Then there are latency issues, too.

    “Being the oldest region, and the only public region in the US East coast until 2016, it hosts a number of their earliest and largest customers,”

    After US-East-1’s cloud buckets froze and services vanished, some developers discovered their code running in other regions was unable to pick up the slack for various reasons.

    “It is hard to say exactly what happened, but I would speculate that whatever occurred created enough of an issue that multiple sites attempted to fail over to other zones or regions simultaneously,” Charles King, principal analyst with Pund-IT, told El Reg.

    “It’s like trying to pour one hundred gallons of water through a one gallon hose, and you end up with what looks like a massive breakdown.”

    The takeaway, say the industry analysts, is that companies should consider building redundancy into their cloud instances just as they would for on-premises systems. This could come in the form of setting up virtual machines in multiple regions or sticking with the hybrid approach of keeping both cloud and on-premises systems. And, just like testing backups, testing that failovers actually work.

    While the outage will probably do little to slow the move of companies into cloud services, it could give some a reason to pause, and that might not be a bad thing.

    Reply
  15. Tomi Engdahl says:

    “The biggest takeaway here is the need for a sound disaster recovery architecture and a plan that meets the needs and constraints of the application. This may be through usage of multiple regions, multiple clouds, or other fallback configurations.”

    Source: https://www.theregister.co.uk/2017/03/02/aws_s3_meltdown/

    Reply
  16. Tomi Engdahl says:

    GoDaddy DNS has gone diddy
    We’ll try and sort it out by the end of the day, it says
    https://www.theregister.co.uk/2017/03/02/godaddy_dns_has_gone_diddy/

    An unspecified technical infrastructure issue has left GoDaddy customers with serious DNS issues this morning.

    Despite a status page claiming that all is green and healthy at registrar and web hosting business GoDaddy, customers have been complaining on Twitter.

    Reply
  17. Tomi Engdahl says:

    Police Forget To Turn On Body Cameras. Can Taser’s Connected Holster Fix That?
    https://www.fastcompany.com/3068594/the-future-of-policing/taser-connected-holster-automatic-body-camera-recording

    A system by police supplier Taser aims to automatically activate the company’s cameras during encounters with the public.

    Technology, no matter how smart, only works if you use it, or simply remember to turn it on.

    To ensure accountability during police encounters, Axon, Taser’s police body camera division, has announced a small sensor for gun holsters that can detect when a gun is drawn and automatically activate all nearby cameras. The sensor, Signal Sidearm, is part of a suite of products aimed at reducing the possibility that officers will fail to or forget to switch on their cameras during encounters with the public.

    Taser also sells sensors that activate the company’s body cameras and dashboard cameras when a police cruiser’s door has opened or its lights have been switched on, as well as a battery pack for the Taser electroshock weapon that prompts cameras to record when the weapon is armed. By activating all cameras within a 30-foot radius, the suite of products can help police create a multi-angle video of a police encounter.

    Reply
  18. Tomi Engdahl says:

    Threats to Financial Services Firms, All that Glitters isn’t Gold
    http://www.securityweek.com/threats-financial-services-firms-all-glitters-isn%E2%80%99t-gold

    Financial institutions have long been an attractive target for threat actors due to the information they hold, their role as part of critical national infrastructure and their often global presence. It’s natural to think that their adversaries are all financially motivated, but many are not. In 2016 we saw drivers like hacktivism, ideological differences and intelligence gathering also motivating attacks.

    In order to better defend against financially- and non-financially motivated attacks, we must continually strive to understand the threats and the actors behind them.

    Extortion. In the last year we saw multiple DDoS-based extortion attempts including DD4BC, the Armada Collective and copycat actors, Kadyrovtsy and vimproducts. In a relatively new twist, extortion actors are attempting to bribe both the institution and its customers, gaining a potential second revenue stream.

    Ransomware. Spam emails, malicious attachments and exploit kits such as RIG or Sundown, are likely to remain viable delivery methods for ransomware in 2017. However, we also expect to see more copycats and more targeted delivery methods, prompted largely by the success rate of variants such as SamSam. A rise in Ransomware-as-a-service models will make it easier for these types of attacks to proliferate.

    Targeted intrusions. Throughout 2016, a relatively large number of network intrusions targeting the financial services and banking sector were reported, including several major thefts. We can expect that bad actors will continue to exploit bank networks in order to affect fraudulent transfers, theft of sensitive data from corporate networks, the deployment of point-of-sale (PoS) malware, and intrusions to enable a mule team to physically steal cash from ATMs.

    Business Email Compromise (BEC). Criminal actors have continued to employ typosquatted domains and compromised legitimate email accounts in order to engage in BEC-based fraud.

    Banking Trojans. I recently covered this topic in detail as a surge in banking trojan variants is catching many by surprise.

    Non-financially motivated attacks

    Hacktivism. Anti-establishment, anti-corruption, religion, environmental concerns or perceptions of human rights abuses are the typical drivers cited by hacktivists. In 2016, attacks from these actors typically included DDoS attempts, defacement and data leakage against the websites of companies or organizations.

    Ideologically-driven insiders. The most notable example in 2016 was the “Panama Papers” data breach.

    Intelligence gathering. Multiple cyber-espionage campaigns targeting the financial services industry were detected in 2016 including the Patchwork (aka, Dropping Elephant) and OilRig campaigns. In these types of operations, actors seek obscurity to maintain the persistence necessary to fulfill their intelligence gathering requirements.

    Reply
  19. Tomi Engdahl says:

    Forged Cookie Attack Affected 32 Million Yahoo Users
    http://www.securityweek.com/forged-cookie-attack-affected-32-million-yahoo-users

    The recently disclosed security incident involving forged cookies affected 32 million user accounts, Yahoo said in its annual filing to the U.S. Securities and Exchange Commission (SEC).

    Yahoo has suffered several major breaches over the past years, which led to the company slashing the price of the $4.8 billion Verizon acquisition deal by $350 million.

    The Internet giant disclosed one of the breaches in September 2016, when it told users that a threat actor, believed to be sponsored by a nation state, had stolen roughly 500 million accounts from its network in late 2014. In December 2016, the company disclosed an even bigger breach, one that occurred in August 2013 and affected one billion accounts.

    Reply
  20. Tomi Engdahl says:

    Apps Containing Malicious IFrames Found on Google Play
    http://www.securityweek.com/apps-containing-malicious-iframes-found-google-play

    Recent analysis has found 132 Android applications in the official Google Play app store that have been infected with tiny hidden IFrames linking to malicious domains, Palo Alto Networks researchers warn.

    The IFrames were found in the applications’ local HTML pages, which is most probably the result of the app developers’ development platforms being infected. According to Palo Alto’s security researchers, the malware infecting these platforms might have been designed to search for HTML pages and inject malicious content at the end of the found pages.

    This also means that the mobile malware originated from infected development platforms without developers’ awareness. Previous examples of similar issues include the XcodeGhost compiler malware designed to target iOS and OS X, and the Vpon ad SDK for iOS.

    Reply
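As an added example (not code from the SecurityWeek article or from Palo Alto Networks), here is a Python audit for the pattern the article describes: iframes that are sized 0x0/1x1, hidden by inline style, or appended after the closing body/html tag of a page. The sample page, its local iframe and the host placeholder-malicious.test are constructed.

```python
"""Audit bundled HTML pages for hidden or appended iframes (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate local iframe plus two injected ones,
# the second of which sits after </html>, i.e. "at the end of the page".
# placeholder-malicious.test is a placeholder host, not a real indicator.
SAMPLE_HTML = """<html><body>
<h1>Help</h1>
<iframe src="local_help.html" width="300" height="200"></iframe>
<iframe src="http://placeholder-malicious.test/a.html" width="1" height="1" style="display: none"></iframe>
</body></html>
<iframe src="http://placeholder-malicious.test/b.php" width="0" height="0"></iframe>
"""

_PX = re.compile(r"^\s*(\d+)")


def pixels(value):
    """Integer part of a width/height attribute ("1", "1px"), or None."""
    if value is None:
        return None
    m = _PX.match(value)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collects iframes that are hidden or placed outside the document body."""

    def __init__(self):
        super().__init__()
        self.after_body = False   # becomes True once </body> or </html> was seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.after_body = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        w, h = pixels(a.get("width")), pixels(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny dimensions")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if self.after_body:
            reasons.append("appended after closing body/html tag")
        if not reasons:
            return            # visible, in-document iframe: ordinary app content
        src = a.get("src") or ""
        host = urlparse(src).hostname
        self.findings.append({
            "src": src,
            "host": host,              # None for a relative/local src
            "remote": host is not None,
            "reasons": reasons,
        })


def audit_html(text):
    """Return a list of suspicious iframes found in the given HTML text."""
    parser = IframeAuditor()
    parser.feed(text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it over every .html file unpacked from an APK; a hit that is both remote and hidden is the case worth escalating.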
  21. Tomi Engdahl says:

    New Malware Will Soon Start “AtomBombing” U.S. Banks
    http://www.securityweek.com/new-malware-will-soon-start-atombombing-us-banks

    New Dridex 4 Banking Malware With AtomBombing Code Injection is Expected to be Used Against U.S. Banks

    A new version of the Dridex banking malware has been detected targeting European banks, and is expected to be used against U.S. financial institutions in the coming months. Dridex 4 incorporates the usual range of software improvements that we have come to expect from professionally maintained malware — but it is also the first major malware to have adopted the new code injection technique known as ‘AtomBombing’.

    AtomBombing was described by researchers at enSilo in October 2016. It is so named because of its use of Windows’ atom tables — read/writable stores of data that can be used by multiple applications. Malicious code can be written to the atom tables, and then retrieved and injected into executable memory space.

    Reply
  22. Tomi Engdahl says:

    Next Windows 10 Release Brings Improved Control of Updates, Privacy
    http://www.securityweek.com/next-windows-10-release-brings-improved-control-updates-privacy

    Windows 10 Creators Update, the platform iteration expected to arrive next month, will provide users with improved control over software updates and privacy settings, Microsoft says.

    Users will benefit from new privacy and diagnostic data collection settings, while also getting increased control over such settings through the web-based privacy dashboard the company launched in January.

    In a blog post, John Cable, Director of Program Management within the Windows Servicing and Delivery (WSD) team, says that the upcoming improvements are based on the feedback Microsoft received from users via channels such as the Feedback Hub application, social media, and Windows forums.

    Providing customers with more choice and control in the Creators Update
    https://blogs.windows.com/windowsexperience/2017/03/01/providing-customers-choice-control-creators-update/

    Reply
  23. Tomi Engdahl says:

    Safest phones based on Android

    On the side of the smartphone market is a small niche area in which the requirements are very different. Law enforcement and intelligence agencies need fully secure devices. There are several, from Finland, and common to all of them is that the phones are Android-based.

    Of the security phones, Oulu-based Bittium’s Tough Mobile is certainly the best known in Finland. The device has components that detect physical intrusion. All user information is strongly encrypted (AES-256). The data can be wiped with one push of a button, and the same can also be done EEA.

    The Dutch Sectra, in turn, announced at the Barcelona MWC fair that its Tiger / R design has received NATO Restricted approval.

    Blackberry praises DTEK50-model “the world’s safest.” It has its own software, which continually monitors the operating system and applications.

    The Black smartphone, made jointly by aircraft manufacturer Boeing and Blackberry, is in use at multiple intelligence services. It encrypts all data traffic, and all the data can be disposed of at the touch of a button.

    One of the best-protected and probably the most expensive security phone is an Israeli Sirin Labs Solar, which comes with a price in excess of EUR 15 thousand.

    Source: http://www.etn.fi/index.php/72-ecf/5945-turvallisimmat-puhelimet-perustuvat-androidiin

    Reply
  24. Tomi Engdahl says:

    Good USB – Protecting Your Ports With Two Microcontrollers
    http://hackaday.com/2017/03/02/good-usb-protecting-your-ports-with-two-microcontrollers/

    If you’ve ever needed an example of why you should not plug random USB peripherals into your computer, you need only look at BadUSB. The BadUSB attack relies on the fact that the microcontroller inside every USB device is a black box. If you plug a USB thumb drive into your computer, the microcontroller could quickly set up an additional network interface, forward all your traffic to the attacker’s server, and still keep serving up all those files and documents on the drive. Do you want a thumb drive that attaches a virus to every file? Bad USB can do that.

    Until now, there has been no cure or fix for a device using an implementation of BadUSB. [Robert Fisk] just came up with the first prophylactic USB device, designed to keep BadUSB off your computer. He’s calling it USG, and it’s basically a hardware firewall for USB devices.

    The USG is Good, not Bad
    https://github.com/robertfisk/USG/wiki

    The USG is a firewall for your USB ports. It connects between your computer and an untrusted USB device, isolating the badness with an internal hardware firewall.

    Why should I use a USG?

    Say you just bought yourself a shiny new USB flash drive. You rip it out of the packaging and plug it straight into your computer. Oops, big mistake!

    Do you know who developed your flash drive’s firmware? (It’s probably not the company name printed on the packaging)
    Has the firmware been audited for backdoors and malicious functionality?
    Can you confirm that the firmware running on your drive hasn’t been maliciously modified during or after manufacture?

    Antivirus will not save you

    Antivirus scanners cannot detect BadUSB because there is no virus to detect. Malicious USB commands reach directly into your USB driver stack, bypassing file-based scanners.

    Reply
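Since file-based scanners have nothing to scan, host-side detection of a BadUSB-style device has to look at what the device enumerates as. As an added example (not code from the Hackaday post or the USG project), this Python heuristic reads Linux kernel log lines and flags a USB device that registers both a mass-storage interface and a keyboard. The log lines, device names, and vendor/product IDs below are constructed.

```python
"""Flag USB devices that enumerate as both storage and keyboard (added example).

Legitimate composite devices exist (keyboards with built-in card readers),
so this is an alerting heuristic for review, not an automatic block list.
"""
import re

# Constructed dmesg-style lines. Port 1-2 is a "thumb drive" that also
# registers a keyboard; 1-3 is storage only; 1-4 is a keyboard only.
# Vendor/product IDs are placeholders, not real identifiers.
SAMPLE_DMESG = """\
[  120.001] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  120.010] usb 1-2: New USB device found, idVendor=1111, idProduct=2222
[  120.020] usb-storage 1-2:1.0: USB Mass Storage device detected
[  120.030] input: Placeholder Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:1111:2222.0005/input/input12
[  130.001] usb 1-3: new high-speed USB device number 6 using xhci_hcd
[  130.010] usb 1-3: New USB device found, idVendor=3333, idProduct=4444
[  130.020] usb-storage 1-3:1.0: USB Mass Storage device detected
[  140.001] usb 1-4: new low-speed USB device number 7 using xhci_hcd
[  140.010] usb 1-4: New USB device found, idVendor=5555, idProduct=6666
[  140.030] input: Ordinary Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:5555:6666.0006/input/input13
"""

# Port path such as "1-2" ties interfaces ("1-2:1.0", "1-2:1.1") to one device.
NEW_DEVICE = re.compile(
    r"usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE_IF = re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
INPUT_DEV = re.compile(r"input: (.+?) as \S*/(\d+-[\d.]+):\d+\.\d+/\S*")


def collect_devices(lines):
    """Build {port: {vid, pid, storage, keyboard, input_name}} from log lines."""
    devices = {}

    def entry(port):
        return devices.setdefault(
            port, {"vid": None, "pid": None, "storage": False,
                   "keyboard": False, "input_name": None})

    for line in lines:
        m = NEW_DEVICE.search(line)
        if m:
            d = entry(m.group(1))
            d["vid"], d["pid"] = m.group(2), m.group(3)
            continue
        m = STORAGE_IF.search(line)
        if m:
            entry(m.group(1))["storage"] = True
            continue
        m = INPUT_DEV.search(line)
        if m and "keyboard" in m.group(1).lower():
            d = entry(m.group(2))
            d["keyboard"] = True
            d["input_name"] = m.group(1)
    return devices


def find_storage_keyboard_devices(lines):
    """Return devices that presented both a storage and a keyboard interface."""
    return [
        {"port": port, "vid": d["vid"], "pid": d["pid"], "input_name": d["input_name"]}
        for port, d in sorted(collect_devices(lines).items())
        if d["storage"] and d["keyboard"]
    ]


if __name__ == "__main__":
    for hit in find_storage_keyboard_devices(SAMPLE_DMESG.splitlines()):
        print("storage+keyboard device on port", hit["port"], hit["vid"], hit["pid"])
```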
  25. Tomi Engdahl says:

    Tony Cook / Indianapolis Star:
    Mike Pence used an AOL account for sensitive emails when he was governor of Indiana, raising security and transparency concerns; the account was hacked in 2016

    Pence used personal email for state business — and was hacked
    http://www.indystar.com/story/news/politics/2017/03/02/pence-used-personal-email-state-business—-and-hacked/98604904/

    Vice President Mike Pence reportedly used a private email account to conduct public business, including homeland security matters, while he was governor of Indiana. Records of the emails were obtained by IndyStar through a public records request. Dwight Adams/IndyStar

    Vice President Mike Pence routinely used a private email account to conduct public business as governor of Indiana, at times discussing sensitive matters and homeland security issues.

    Emails released to IndyStar in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe. In one email, Pence’s top state homeland security adviser relayed an update from the FBI regarding the arrests of several men on federal terror-related charges.

    Reply
  26. Tomi Engdahl says:

    Internet Security? Not Even Close
    http://semiengineering.com/internet-security-not-even-close/

    The number of threats continues to expand. It’s time the tech industry began embracing solutions.

    This week’s outage at Amazon Web Services is yet another reminder that Internet security is still not quite there.

    Amazon isn’t a second-tier cloud services provider. It’s one of the biggest cloud companies on the planet. If Amazon can’t get it right, it’s hard to imagine anyone can. The company’s Simple Storage Service, aka S3, was the target, and it took about five hours before this online storage was up and running.

    Compared with other outages, damage was minimal. It doesn’t appear that private data was hacked, which is good because one of Amazon’s S3 customers is the U.S. Securities and Exchange Commission. As a point of reference, Yahoo suffered from three successive attacks that gave hackers access to data from at least 1.5 billion accounts. And Target’s 2015 breach compromised the data of 40 million customers.

    There are four major problems, and a number of remedial steps that will be required. Among the problems:

    1. Existing security protocols are insufficient. Large companies such as financial institutions point to their compliance with Transport Layer Security and its predecessor, Secure Sockets Layer, as industry best practices. The truth is these are more like a speed bump for attackers than an impenetrable force field.

    2. Legacy infrastructure only can offer so much protection. The number of new threats that are proliferating on the darknet is like a scene out of an apocalyptic movie where natural or evil forces threaten to destroy civilization.

    There is no single solution to these problems, but there are steps that can be taken to make future attacks less rewarding for cyber attackers.

    To begin with, security needs to be designed in at the system level. While most of the attacks so far have been at the software or networking level, compromising the security of hardware and embedded software has the potential to do far more damage. Gain access to the hardware, and you potentially gain access to far more than a single company.

    While the chip industry has been focused on hardware-software co-design, it really needs to be hardware-software-security co-design. Security needs to include everything from obfuscation techniques and authentication to complete separation of signal paths, a security certification for black-box IP that is used in these devices, and an end-to-end supply chain tracking for every piece of hardware and IP that is used in a device.

    In addition, security needs to be monitored at all levels. A device that connects to the Internet should be recognized as secure or insecure, or somewhere in between.

    Reply
  27. Tomi Engdahl says:

    Six IoT Security Predictions
    https://www.securerf.com/six-iot-security-predictions/?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=43668617&_hsenc=p2ANqtz–olLK12vJuba4awBcFKGEmX8CNsZ5McVtEOP2xpvgRLJ3WR21Qb5WvgolCp8GUHnA-vVn2kbLMuaddpz7Qu1hgj4o_6LOYCSXYSRL8axr-mFQfkJY&_hsmi=43668688

    New, Unexpected Things in the Internet of Things Will Increase Security Breaches

    IoT Will Be a Fact of Life – and Pose Increased Risks for Homeowners

    IoT Security Standards Will Emerge

    IoT Product Developers Will Increase Their Focus on Security

    Quantum-resistant Cryptography Goes from “Nice to Have” to “Must Have” Status

    There Will be a New Focus on Educating Consumers About IoT Security

    Reply
  28. Tomi Engdahl says:

    Mike Isaac / New York Times:
    Sources: Uber had a program to identify enforcement officers and stealthily prevent them from successfully hailing cars, to help drivers avoid sanctions — SAN FRANCISCO — Uber has for years engaged in a worldwide program to deceive authorities in markets where its low-cost ride-hailing service …

    How Uber Used Secret Greyball Tool to Deceive Authorities Worldwide
    https://www.nytimes.com/2017/03/03/technology/uber-greyball-program-evade-authorities.html

    Uber has for years engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was being resisted by law enforcement or, in some instances, had been outright banned.

    The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials. Uber used these methods to evade the authorities in cities such as Boston, Paris and Las Vegas, and in countries like Australia, China, Italy and South Korea.

    Greyball was part of a broader program called VTOS, short for “violation of terms of service,” which Uber created to root out people it thought were using or targeting its service improperly.

    Reply
  29. Tomi Engdahl says:

    New York Times:
    Sources and public records shed light on Pentagon program developing cyberweapons to sabotage North Korean missiles before they lift off

    Trump Inherits a Secret Cyberwar Against North Korean Missiles
    https://www.nytimes.com/2017/03/04/world/asia/north-korea-missile-program-sabotage.html

    Three years ago, President Barack Obama ordered Pentagon officials to step up their cyber and electronic strikes against North Korea’s missile program in hopes of sabotaging test launches in their opening seconds.

    An examination of the Pentagon’s disruption effort, based on interviews with officials of the Obama and Trump administrations as well as a review of extensive but obscure public records, found that the United States still does not have the ability to effectively counter the North Korean nuclear and missile programs.

    Mr. Trump has signaled his preference to respond aggressively against the North Korean threat.

    He could order the escalation of the Pentagon’s cyber and electronic warfare effort, but that carries no guarantees. He could open negotiations with the North to freeze its nuclear and missile programs, but that would leave a looming threat in place.

    The decision to intensify the cyber and electronic strikes, in early 2014, came after Mr. Obama concluded that the $300 billion spent since the Eisenhower era on traditional antimissile systems, often compared to hitting “a bullet with a bullet,” had failed the core purpose of protecting the continental United States.

    So the Obama administration searched for a better way to destroy missiles. It reached for techniques the Pentagon had long been experimenting with under the rubric of “left of launch,” because the attacks begin before the missiles ever reach the launchpad, or just as they lift off.

    Advocates of the sophisticated effort to remotely manipulate data inside North Korea’s missile systems argue the United States has no real alternative because the effort to stop the North from learning the secrets of making nuclear weapons has already failed.

    Reply
  30. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    Researchers uncover PowerShell Trojan that uses DNS queries to get its orders

    Researchers uncover PowerShell Trojan that uses DNS queries to get its orders
    https://arstechnica.com/security/2017/03/researchers-uncover-powershell-trojan-that-uses-dns-queries-to-get-its-orders/

    Delivered by “secure” Word doc, pure PowerShell malware fetches commands from DNS TXT records.

    Researchers at Cisco’s Talos threat research group are publishing research today on a targeted attack delivered by a malicious Microsoft Word document that goes to great lengths to conceal its operations. Based entirely on Windows PowerShell scripts, the remote access tool communicates with the attacker behind it through a service that is nearly never blocked: the Domain Name Service.

    Reply
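A command channel over DNS TXT records leaves a recognisable trace in resolver logs: bursts of TXT lookups whose leftmost labels look random. As an added example (not code from Talos or Ars Technica), here is a Python heuristic that groups TXT queries per client and parent domain and flags high-entropy bursts, while letting ordinary lookups such as _dmarc records through; the log format, client addresses and the domain c2-placeholder.test are constructed.

```python
"""Heuristic detector for DNS TXT-record command channels (added example).

Input lines are constructed in the form "<timestamp> <client_ip> <qtype> <qname>".
"""
import math
import re
from collections import defaultdict

# Constructed sample: 10.0.0.9 is a mail server doing normal _dmarc lookups;
# 10.0.0.7 issues six TXT queries with random-looking labels in 30 seconds.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 A www.example.com
2017-03-02T10:00:02 10.0.0.5 TXT _dmarc.example.com
2017-03-02T10:00:03 10.0.0.9 TXT _dmarc.example.org
2017-03-02T10:00:03 10.0.0.9 TXT _dmarc.example.net
2017-03-02T10:00:04 10.0.0.7 TXT k3j9x0q2zb7m.stage.c2-placeholder.test
2017-03-02T10:00:09 10.0.0.7 TXT p8w1n4r6yt0c.stage.c2-placeholder.test
2017-03-02T10:00:14 10.0.0.7 TXT v2h5d9s3ae1u.stage.c2-placeholder.test
2017-03-02T10:00:19 10.0.0.7 TXT q7g0f2l8ix4n.stage.c2-placeholder.test
2017-03-02T10:00:24 10.0.0.7 TXT b6t3y1o9kr5w.stage.c2-placeholder.test
2017-03-02T10:00:29 10.0.0.7 TXT z4m8c0e7jp2h.stage.c2-placeholder.test
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; ~3.5+ for random 12-char labels."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return a dict with ts/client/qtype/qname, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parent_domain(qname):
    """Last two labels of the name, used as the grouping key."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_txt_beacons(lines, min_queries=5, min_entropy=3.0, min_label_len=10):
    """Flag (client, domain) pairs with many TXT queries for long random labels."""
    stats = defaultdict(lambda: {"count": 0, "entropy_sum": 0.0, "unique": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        first = rec["qname"].rstrip(".").split(".")[0]
        if len(first) < min_label_len:
            continue   # short labels like _dmarc / _spf are normal TXT lookups
        key = (rec["client"], parent_domain(rec["qname"]))
        s = stats[key]
        s["count"] += 1
        s["entropy_sum"] += shannon_entropy(first)
        s["unique"].add(first)

    findings = []
    for (client, domain), s in sorted(stats.items()):
        mean_entropy = s["entropy_sum"] / s["count"]
        if s["count"] >= min_queries and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": s["count"],
                "unique_labels": len(s["unique"]),
                "mean_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for f in find_txt_beacons(SAMPLE_LOG.splitlines()):
        print(f)
```

The thresholds are starting points; tune min_queries against your own resolver volume before wiring this into an alert.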
  31. Tomi Engdahl says:

    If Trump Spoils Privacy Pact, We’ll Pull It, EU Official Warns
    https://www.bloomberg.com/news/articles/2017-03-02/if-trump-spoils-privacy-pact-we-ll-pull-it-eu-official-warns?cmpid=socialflow-twitter-business&utm_content=business&utm_campaign=socialflow-organic&utm_source=twitter&utm_medium=social

    Vera Jourova spent months working with the Obama administration on a deal to protect Europeans from digital surveillance by U.S. spies. With a new occupant now in the White House, the EU’s privacy czar says she’s prepared to rip up the pact if the Americans don’t adhere to its terms.

    “If there is a significant change, we will suspend” the accord, Jourova, the European Union’s justice commissioner, said in a Bloomberg interview. “I will not hesitate to do it. There’s too much at stake.”

    The pact, clinched last year, was meant to keep data flowing across the Atlantic while ensuring that Europeans enjoyed safeguards from the snooping by American security services. The Privacy Shield plugged holes that led EU judges to overturn a previous accord dating back to 2000

    ‘Vigilant’ EU

    “Unpredictability is a problem if you need to trust something,” Jourova said, adding that she remains “vigilant” about the government’s stance. The EU “expects continuity” and “I will want reconfirmation and reassurances when I will go to Washington.”

    Still, “the disruptive political style of the new U.S. administration fills anyone working in the field of privacy with concern,” said Johannes Caspar, one of Germany’s most outspoken data protection commissioners.

    “You don’t need to gaze into a crystal ball to see that the air surrounding the Privacy Shield is becoming thinner,”

    Reply
  32. Tomi Engdahl says:

    Cybersecurity rules toughened up for NY financial firms
    Regulation in effect from this week, 180 days to comply
    https://www.theregister.co.uk/2017/03/03/ny_financial_service_cybersecurity_rules/

    Major financial firms operating in New York need to comply with tougher cybersecurity rules that came into effect this week.

    The regulation [PDF] by the New York State Department of Financial Services (DFS) covers issues ranging from the maintenance of written policies, testing, governance and auditing, to detection, defence and incident response measures. Banking, insurance or financial services firms licensed to operate in New York must comply. The rules came into effect on 1 March but there is a 180-day grace period before any enforcement actions will be considered.

    https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/Cybersecurity_Requirements_Financial_Services_23NYCRR500.pdf

    Reply
  33. Tomi Engdahl says:

    Ryan Knutson / Wall Street Journal:
    How iPhone users clicking on a malicious Twitter link forced their phones to dial 911, overwhelming 911 call centers in at least a dozen US states last October

    The Night Zombie Smartphones Took Down 911
    https://www.wsj.com/articles/how-a-cyberattack-overwhelmed-the-911-system-1488554972

    On a Tuesday night last October in Olympia, Wash., 911 operator Jennifer Rodgers stared at the list of incoming calls on her screen.

    Normally, one or two calls at a time would trickle in at this hour. At 9:28 p.m., they began stacking up by the dozens

    Ms. Rodgers had no idea what was happening.

    the surrounding county were dialing 911 and hanging up before their calls were answered. Then they were dialing 911 again.

    “We didn’t mean to call 911!” the operator recalls the girl saying. “I’m not touching the phone! I’m not doing anything! I don’t know how to make it stop!”

    For at least 12 hours on Oct. 25 and Oct. 26, 911 centers in at least a dozen U.S. states from California to Texas to Florida were overwhelmed by what investigators now believe was the largest-ever cyberattack on the country’s emergency-response system.

    Thousands of 911 calls piled up as the attack ricocheted across the U.S.

    “I don’t want to be alarmist, but it’s an emerging crisis,”

    Much of the 911 system relies on old-fashioned copper telephone lines, a helpful defense against cyberattacks, which usually need an internet connection. Smartphones pose a new type of risk because each one is essentially a web-enabled computer that can be compromised by malicious software.

    By directing phones to call all at once, the 911 systems would be overwhelmed and operators would be unable to answer legitimate calls, according to the researchers.

    The cyberattack in October hasn’t been publicly linked to any deaths or serious injuries caused by emergency-response delays during the deluge of 911 calls.

    Reply
  34. Tomi Engdahl says:

    Nanette Byrnes / MIT Technology Review:
    Synaps Labs to test image recognition tech in US this summer letting digital billboard owners target ads based on the car you’re driving, after trial in Moscow

    Moscow Billboard Targets Ads Based on the Car You’re Driving
    https://www.technologyreview.com/s/603743/moscow-billboard-targets-ads-based-on-the-car-youre-driving/

    The rise of digital billboards spawns the idea of targeted highway ads, with tests in the U.S. planned for this summer.

    Targeted advertising is familiar to anyone browsing the Internet. A startup called Synaps Labs has brought it to the physical world by combining high-speed cameras set up a distance ahead of the billboard (about 180 meters) to capture images of cars. Its machine-learning system can recognize in those images the make and model of the cars an advertiser wants to target. A bidding system then selects the appropriate advertising to put on the billboard as that car passes.

    Marketing a car on a roadside billboard might seem a logical fit. But how broad could this kind of advertising be? There is a lot an advertiser can tell about you from the car you drive, says Synaps.

    Reply
  35. Tomi Engdahl says:

    New Cybersecurity Business Report Highlights Geographic Trends
    http://www.inc.com/joseph-steinberg/new-cybersecurity-report-highlights-surprising-geographic-trends.html

    While certain regions continue to dominate the cybersecurity business, others are emerging and growing significantly.

    Reply
  36. Tomi Engdahl says:

    How the Gadgets We Love May Make Us More Vulnerable to an Attack
    Cyber threats are a growing issue, but most people don’t know that the gadgets they love may be part of the problem.
    http://www.inc.com/anne-gherini/are-your-wearables-helping-cyber-criminals.html

    In October of 2016 the internet went dark, or at least that is how it felt to many of us.

    The reality was a large scale distributed denial-of-service (DDoS) attack caused internet platforms and services to be unavailable to large groups of users in Europe and North America.

    What makes this even more interesting is that the attack was part of a genre of DDoS attacks that are executed through Internet of Things (IoT) devices (think wearables, printers, cameras, routers, thermostats, baby monitors) via a botnet, a network of internet-connected devices infected with malware and controlled as a group.

    The attack in October 2016 was not an outlier. Cybersecurity is a real and growing issue for companies of all sizes, across all industries and around the world. According to the 2017 SonicWall Annual Threat Report, companies experienced both record-high levels of ransomware attacks and the largest-ever DDoS attacks thanks to IoT devices in 2016.

    These methods of attack focus on disrupting business and can prove costly for their victims. Ransomware locks down companies’ data and/or systems and demands a certain amount of bitcoin be paid to regain access. According to SonicWall, cyber criminals used this type of malware in 638 million attack attempts in 2016 vs. only 3.8 million in 2015. What’s more is the rise of ransomware-as-a-service, where individuals who want to profit from ransomware don’t need to be IT experts. They simply download and deploy a malware kit, enabling just about anyone to become a cyber criminal.

    Between these two methods of attack, companies lost hundreds of millions of dollars to emergency response efforts and business disruptions.

    “The cybersecurity landscape is an arms race between business leaders and security professionals on the one hand, and cyber criminals on the other hand,” said Bill Conner, president and CEO, SonicWall. “As with any arms race, advances made by the good guys are often offset by advances made by the bad guys.”

    Reply
  37. Tomi Engdahl says:

    Not Warning Kid About Piracy Makes Father Liable, Court Rules
    https://torrentfreak.com/not-warning-kid-about-piracy-makes-father-liable-court-rules-100303/

    A German court has ruled that a father is liable for an audiobook his 11-year old son downloaded. The man told the kid to only use the computer for school purposes and not to simply download things. However, the court ruled that this was not a proper anti-piracy instruction.

    In a case before a Leipzig court the defendant denied having downloaded an audiobook, as he wasn’t home at the time of the infringement. His wife and 11-year-old son were, and as the case progressed it became clear that the latter was the offender.

    Nonetheless, in a rather unique verdict the court decided to hold the father liable. Although it’s not uncommon for parents to be held responsible for the actions of their children, the court specifically referenced a lack of anti-piracy education.

    In his defense, the father argued that he’d asked his son to keep any Internet activity limited to school purposes, a statement that was backed up by the man’s partner. In addition, the 11-year-old was warned not to download random things or do anything dangerous.

    However, according to the court’s verdict, this doesn’t count as an adequate instruction since it lacks a specific explanation as to what illegal downloads are.

    Reply
  38. Tomi Engdahl says:

    Security
    You’re taking the p… Linux encryption app Cryptkeeper has universal password: ‘p’
    Give ‘p’s a chance… no?
    http://www.theregister.co.uk/2017/01/31/cryptkeeper_cooked/

    Linux encryption app Cryptkeeper has a bug that causes it to use a single-letter universal decryption password: “p”.

    The flawed version is in Debian 9 (Stretch), currently in testing, but not in Debian 8 (Jessie). The bug appears to be a result of a bad interaction with the encfs encrypted filesystem’s command line interface: Cryptkeeper invokes encfs and attempts to enter paranoia mode with a simulated ‘p’ keypress – instead, it sets passwords for folders to just that letter.

    Reply
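An added illustration of the bug class this comment describes, not code from Cryptkeeper, encfs or The Register: a wrapper that drives an interactive tool by feeding it a simulated keypress, and what happens when the tool does not prompt in the order the wrapper assumes. The interactive tool here is a constructed stand-in (`fake_volume_tool`), and the wrapper and check functions are hypothetical names chosen for the example.

```python
def fake_volume_tool(stdin_lines, prompts_for_mode):
    """Constructed stand-in for an interactive tool that creates an encrypted volume.

    With prompts_for_mode=True it first reads a mode answer ('p' for paranoia) and
    then the password. With prompts_for_mode=False it reads only the password, the
    mode having been chosen some other way. Returns the password the tool stored.
    """
    lines = list(stdin_lines)
    if prompts_for_mode:
        lines.pop(0)  # the mode answer is consumed here and never becomes the password
    if not lines:
        raise ValueError("tool ran out of input before reading a password")
    return lines.pop(0)


def keystroke_wrapper(password, prompts_for_mode):
    """Fragile pattern: blindly send 'p' to pick paranoia mode, then the password.

    If the tool no longer asks for a mode, the 'p' is read as the password and the
    intended password is never consumed at all.
    """
    return fake_volume_tool(["p", password], prompts_for_mode)


def explicit_wrapper(password, prompts_for_mode):
    """Safer pattern: never simulate keypresses. Send exactly the password and select
    the mode out of band; if the tool would still prompt interactively, refuse rather
    than guess, because a wrong guess silently changes what gets stored."""
    if prompts_for_mode:
        raise RuntimeError("tool prompts interactively; refusing to script keystrokes")
    return fake_volume_tool([password], prompts_for_mode=False)


def stored_password_is_sane(stored, intended):
    """Post-creation check a wrapper should run: the stored secret must be the one the
    user typed, and must not be a single leftover character such as 'p'."""
    return stored == intended and len(stored) > 1


if __name__ == "__main__":
    # Old interface: the simulated keypress is consumed by the mode prompt.
    print(keystroke_wrapper("correct horse battery", True))   # correct horse battery
    # New interface: the same wrapper now stores the letter 'p' as the password.
    print(keystroke_wrapper("correct horse battery", False))  # p
```

The point of the last function is that a wrapper around an interactive tool cannot trust its own input script; the only reliable evidence that the volume got the intended password is to try the intended password afterwards and confirm that trivial leftovers do not also work.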
  39. Tomi Engdahl says:

    Hidden Backdoor Discovered In Chinese IoT Devices
    https://tech.slashdot.org/story/17/03/05/1828202/hidden-backdoor-discovered-in-chinese-iot-devices

    “A backdoor has been found in devices made by a Chinese tech firm specializing in VoIP products,” reports TechRadar.

    Dangerous backdoor exploit found on popular IoT devices
    Yet more Internet of Things security woes…
    http://www.techradar.com/news/dangerous-backdoor-exploit-found-on-popular-iot-devices

    Security outfit Trustwave made the discovery of a hidden backdoor in DblTek’s devices which was apparently put there to allow the manufacturer access to said hardware – but of course, it’s also open to being exploited by other malicious parties.

    The backdoor is in the Telnet admin interface of DblTek-branded devices, and potentially allows an attacker to remotely open a shell with root privileges on the target device.

    What’s perhaps even more worrying is that when Trustwave contacted DblTek regarding the backdoor last autumn – multiple times – patched firmware was eventually released at the end of December.

    However, rather than removing the flaw, the vendor simply made it more difficult to access and exploit. And further correspondence with the Chinese company has apparently fallen on deaf ears.

    Other brands

    Trustwave notes that the firmware with the hole in it is present on almost every GSM-to-VoIP device which DblTek makes (hardware which is mainly used by SMBs). Trustwave has apparently found hundreds of these devices on the net, and many other brands which use the same firmware, so are equally open to exploit.

    The security company also said that it has been able to successfully exploit both the old backdoor, and the new (better hidden) modified version which was patched in at the end of last year.

    Reply
  40. Tomi Engdahl says:

    Google, Microsoft bump bug bounties
    Google’s rise is permanent, Microsoft wants you to give Office 365 a beating
    https://www.theregister.co.uk/2017/03/06/google_microsoft_bump_bug_bounties/

    Google and Microsoft have both increased the cash on offer under their bug bounty programs.

    Google’s priority remains remote code execution flaws, which can now earn white hats up to US$31,337. Google’s ceiling for payments used to be $20,000.

    Finding a bug that permits “unrestricted file system or database access” can now result in $13,337 heading your way, up from $10,000.

    Microsoft’s also increased its payouts, but only for two months and for a handful of services.

    https://www.google.com/about/appsecurity/reward-program/

    Reply
  41. Tomi Engdahl says:

    HackerOne Offers Free Service to Open Source Projects
    http://www.securityweek.com/hackerone-offers-free-services-open-source-projects

    Bug bounty platform provider HackerOne announced on Thursday that open source projects can benefit from its Professional services at no cost if they can meet certain conditions.

    HackerOne, which recently raised $40 million in a Series C financing round, already hosts bug bounty programs for 36 open source projects, including GitLab, Ruby, Rails, Phabricator, Sentry, Discourse, Brave and Django. To date, these projects have resolved more than 1,200 vulnerabilities.

    The company hopes to have other open source projects sign up for its services now that it has launched its Community Edition program.

    Through the new program, open source applications can use HackerOne’s Pro service for free. The service provides the mechanisms necessary for vulnerability submissions, coordination, analytics, detecting duplicates, and paying out bounties.

    https://www.hackerone.com/product/community

    Reply
  42. Tomi Engdahl says:

    Researcher Discloses Google ReCaptcha v2 Bypass
    http://www.securityweek.com/researcher-discloses-google-recaptcha-v2-bypass

    A researcher managed to bypass Google’s ReCaptcha v2 and has decided to make the discovery public after Google failed to patch it for several months.

    Reply
  43. Tomi Engdahl says:

    Rockstar Games Launches Public Bug Bounty Program
    http://www.securityweek.com/rockstar-games-launches-public-bug-bounty-program

    Rockstar Games this week launched a public bug bounty program through HackerOne, after running it in private mode for more than nine months.

    For the time being, researchers are required to look for vulnerabilities only in a specific set of domains operated by the company.

    “No authorization is given to test any other web applications, video game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program,” the company specifies.

    Valid submissions, Rockstar Games says, should include details on the type of issue being reported, the kind of attack, whether it fits a CWE (Common Weakness Enumeration) number, details on the steps necessary to reproduce the issue (issues that can’t be reliably reproduced can’t be fixed, the company notes), info on potential impact of the bug, and details on how a malicious user could potentially benefit from the issue.

    To ensure their submissions qualify for a bounty, the researchers should be the first to submit a vulnerability and avoid publicly disclosing or discussing the vulnerability before or after submitting it. The company also published a list of bugs that are excluded from the program.

    Reply
  44. Tomi Engdahl says:

    Using Cyber Threat Intelligence to Understand the Cyber Extortion Epidemic
    http://www.securityweek.com/using-cyber-threat-intelligence-understand-cyber-extortion-epidemic

    When using cyber threat intelligence to track cyber criminal activity and impact, it’s clear that the bad guys follow the path of least resistance and most profit. This is why I wrote about cyber threats not generally being as complex as they’re made out to be. While malicious actors demanding ransoms is not new, the surge of organizations being targeted with fake extortion demands and empty threats is.

    Reply
  45. Tomi Engdahl says:

    SSH Communications Security’s Universal SSH Key Manager
    http://www.linuxjournal.com/content/ssh-communications-securitys-universal-ssh-key-manager

    Today’s IAM solutions, warns enterprise cybersecurity expert SSH Communications Security, fail to address fully the requirements of trusted access. Organizations lack an efficient way to manage and govern trusted access credentials and have no visibility into the activities that occur within the secure channels that are created for trusted access operations.

    UKM helps organizations more effectively manage SSH user key-based and encrypted access, control privileged access and enforce defined compliance policies.

    Reply
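The comment above says organizations lack visibility into who holds SSH key-based access. As an added example (not code from SSH Communications Security or UKM), here is an audit of `authorized_keys` entries, which is the raw material any key governance has to start from: it parses each entry, measures the key size from the public-key blob, and flags weak or deprecated key types, keys with no `from=` or `command=` restriction, and keys whose owner cannot be identified. Every key in the sample file is constructed in code from fixed numbers and is not a real credential; the blob builders assume the OpenSSH public-key wire format (type string, then the key's integers as length-prefixed fields).

```python
import base64
import re
import struct

KEY_RE = re.compile(r"(?:^|\s)(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


# Constructed public-key blobs (fixed numbers, not real keys).
def rsa_blob(bits):
    n = (1 << (bits - 1)) | 0x10001  # modulus with exactly `bits` bits
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)).decode()


def ed25519_blob():
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()


def dss_blob():
    p, q, g, y = (1 << 1023) | 1, (1 << 159) | 1, 2, 3
    return base64.b64encode(_ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(x) for x in (p, q, g, y))).decode()


def key_bits(key_type, blob_b64):
    """Key size from the blob: RSA modulus bits, DSA p bits, fixed sizes for the rest."""
    raw = base64.b64decode(blob_b64)
    wire_type, off = _read_string(raw, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(raw, off)
        n, _ = _read_string(raw, off)
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(raw, off)
        return int.from_bytes(p, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    return int(key_type[len("ecdsa-sha2-nistp"):])


def split_options(opts):
    """Split the options field on commas that are outside double quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def audit_authorized_keys(text):
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            results.append({"line": lineno, "findings": ["unparseable entry"]})
            continue
        key_type, blob, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        options = split_options(line[:m.start()]) if m.start() else []
        names = {o.split("=", 1)[0] for o in options}
        bits = key_bits(key_type, blob)
        findings = []
        if key_type == "ssh-dss":
            findings.append("DSA key: deprecated and disabled by default in current OpenSSH")
        elif key_type == "ssh-rsa" and bits < 2048:
            findings.append(f"RSA modulus is only {bits} bits")
        if "from" not in names:
            findings.append("no from= source restriction")
        if "command" not in names:
            findings.append("no command= restriction: grants an interactive shell")
        if not comment:
            findings.append("no comment: key owner cannot be identified")
        results.append({"line": lineno, "type": key_type, "bits": bits,
                        "comment": comment, "options": options, "findings": findings})
    return results


# Constructed sample: a weak legacy key, a well-restricted key, an anonymous key, a DSA key.
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {rsa_blob(1024)} legacy-backup@old-host",
    f'from="10.20.0.0/16",command="/usr/local/bin/rsync-only",no-pty ssh-rsa {rsa_blob(3072)} backup@bastion',
    f"ssh-ed25519 {ed25519_blob()}",
    f"ssh-dss {dss_blob()} someone@somewhere",
])

if __name__ == "__main__":
    for r in audit_authorized_keys(SAMPLE):
        print(r["line"], r.get("type"), r.get("bits"), r.get("comment") or "-", "; ".join(r["findings"]) or "ok")
```

Run against real files by reading each user's `~/.ssh/authorized_keys` into `audit_authorized_keys`; the "no comment" and "no command=" findings are the ones that most directly answer the visibility problem the comment raises, since they mark keys nobody can attribute and keys that grant a full shell rather than a single operation.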
  46. Tomi Engdahl says:

    Over 1 million decrypted Gmail and Yahoo accounts allegedly up for sale on the Dark Web
    http://www.ibtimes.co.uk/over-1-million-decrypted-gmail-yahoo-accounts-allegedly-sale-dark-web-1609882

    Usernames, emails and plaintext passwords of Yahoo and Gmail accounts are reportedly being sold by a Dark Web vendor.

    A dark web vendor is reportedly selling over 1 million decrypted Gmail and Yahoo accounts in an underground marketplace. The accounts listed for sale allegedly contain usernames, emails and plaintext passwords.

    Yet another 450,000 Gmail accounts were also listed on sale by the same vendor for 0.0199 bitcoins, from various other data breaches that took place between 2010 and 2016, including the Dropbox, the Adobe and other hacks.

    It has become increasingly commonplace for hackers to sell user accounts from older data breaches on underground marketplaces, as a way to make a quick buck. These hacked and stolen accounts are used by cybercriminals to perpetuate other crimes such as identity theft.

    Reply
  47. Tomi Engdahl says:

    Researchers Suggest Using Blockchain For Electronic Health Records
    https://science.slashdot.org/story/17/03/06/064253/researchers-suggest-using-blockchain-for-electronic-health-records

    The CIO at a Boston teaching hospital and two MIT researchers write in the Harvard Business Review that blockchain “has the potential to enable secure lifetime medical record sharing across providers,” calling it “a different construct, providing a universal set of tools for cryptographic assurance of data integrity, standardized auditing, and formalized ‘contracts’ for data access.”

    A Case Study for Blockchain in Healthcare:
    “MedRec” prototype for electronic health records and medical research data
    https://www.healthit.gov/sites/default/files/5-56-onc_blockchainchallenge_mitwhitepaper.pdf

    Reply
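The quoted authors describe the value of blockchain for health records as "cryptographic assurance of data integrity" and "standardized auditing". The mechanism underneath those two claims is a hash chain over access events, and the following added example (not MedRec's code, nor anything from the HBR piece or the white paper) shows it in isolation: each audit entry commits to the previous entry's hash and, for writes, to a digest of the record content, so that editing a record behind the log's back, altering an earlier log entry, or silently dropping the newest entries is detected. Record identifiers and events are constructed for the demo; `expected_head` stands in for a head hash published to the other parties, which is the part a bare chain cannot do on its own.

```python
import hashlib
import json

GENESIS = "0" * 64  # the hash the first entry chains to


def _canonical(obj):
    # Stable serialisation so the same event always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record):
    return hashlib.sha256(record).hexdigest()


def append_event(chain, event):
    """Append an audit event whose hash covers the previous entry's hash, so any
    later change to an earlier entry invalidates every hash after it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"index": len(chain), "prev": prev, "event": event}
    entry["hash"] = hashlib.sha256(prev.encode() + _canonical(event)).hexdigest()
    chain.append(entry)
    return entry


def head_hash(chain):
    return chain[-1]["hash"] if chain else GENESIS


def verify(chain, records, expected_head=None):
    """Return (True, None) if the log is intact and every record matches its last
    logged write, else (False, index of the first bad entry). expected_head is the
    head hash shared with other parties; without it, removal of the newest entries
    cannot be detected, because a truncated chain is still internally consistent."""
    prev = GENESIS
    last_write = {}  # record_id -> (entry index, digest logged at that write)
    for i, entry in enumerate(chain):
        if entry["index"] != i or entry["prev"] != prev:
            return False, i
        if entry["hash"] != hashlib.sha256(prev.encode() + _canonical(entry["event"])).hexdigest():
            return False, i
        ev = entry["event"]
        if ev.get("action") == "write":
            last_write[ev["record_id"]] = (i, ev["digest"])
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    for rid, (i, digest) in last_write.items():
        if rid not in records or record_digest(records[rid]) != digest:
            return False, i
    return True, None


def build_demo():
    """Constructed record store and audit log for the demo (no real patient data)."""
    records = {"patient-0001": b"constructed demo record, version 1"}
    chain = []
    append_event(chain, {"action": "write", "record_id": "patient-0001", "by": "clinic-a",
                         "digest": record_digest(records["patient-0001"])})
    append_event(chain, {"action": "read", "record_id": "patient-0001", "by": "lab-b"})
    append_event(chain, {"action": "grant", "record_id": "patient-0001", "to": "hospital-c", "by": "patient"})
    return chain, records


if __name__ == "__main__":
    chain, records = build_demo()
    published = head_hash(chain)
    print(verify(chain, records, published))            # (True, None)
    records["patient-0001"] = b"edited behind the log's back"
    print(verify(chain, records, published))            # (False, 0): record no longer matches its write
    chain, records = build_demo()
    chain.pop()                                         # drop the newest entry
    print(verify(chain, records), verify(chain, records, published))  # (True, None) (False, 2)
```

The last line is the caveat worth remembering when "blockchain" is offered as the integrity guarantee: the chain proves nothing about entries that were never appended or were removed from the tail unless the current head hash is held by someone other than the party keeping the log, which is what distributing the ledger across providers buys.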
