Security trends 2017

The year 2017 will not bring any turn towards better data security. The internet is rife with threats, the well-known ones as well as the unknown. Companies’ systems are supposed to be protected, but hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructure must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP: beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will have migrated to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change: their browsers will no longer trust sites that use SHA-1 certificates from that date, and they will mark those websites as insecure. Still, one third of websites use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
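Whether a certificate is still SHA-1 signed is visible in its DER encoding: the second element of the outer Certificate SEQUENCE is the signatureAlgorithm, an AlgorithmIdentifier whose OID names the hash. The script below, an added example and not part of the original post, walks just enough DER to pull that OID out and classify it. The two sample certificates are constructed with a matching mini-encoder; their tbsCertificate and signature fields are placeholders, so they carry realistic framing but are not valid certificates. The verdict labels are an assumption.

```python
"""Audit the signature algorithm of an X.509 certificate from its DER bytes."""
import ssl

# Well-known signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value."""
    return bytes([tag]) + _der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def audit(cert_der: bytes):
    """Return (algorithm name, digest, verdict); SHA-1 signatures are rejected."""
    oid = signature_algorithm_oid(cert_der)
    name, digest = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    verdict = "REJECT" if digest == "SHA-1" else ("ok" if digest != "unknown" else "review")
    return name, digest, verdict

def load_pem(pem_text: str) -> bytes:
    """Real certificates: PEM text (e.g. from ssl.get_server_certificate) -> DER."""
    return ssl.PEM_cert_to_DER_cert(pem_text)

def make_sample_cert(sig_oid: str) -> bytes:
    """Constructed sample: correct outer framing, placeholder TBS and signature."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 4)
    return der(0x30, tbs + alg + sig)

SHA1_SAMPLE = make_sample_cert("1.2.840.113549.1.1.5")
SHA256_SAMPLE = make_sample_cert("1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for label, cert in (("sha1 sample", SHA1_SAMPLE), ("sha256 sample", SHA256_SAMPLE)):
        print(label, audit(cert))
```

On a real chain, run `audit()` over every certificate the server sends except the self-signed root: the OID in the leaf tells you what the intermediate used to sign it, and browsers judge the whole chain, not just the leaf.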

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that will let you pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints not suitable for a biometric identifier to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors for it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need for telecom operator and external mitigation services). In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
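The DDoS paragraphs above describe volume and velocity as the defining features of these attacks, which is also what makes the simplest detection work: a source that fires far more requests into a short window than any human client would. The script below, an added example that is not part of the original post, parses Common Log Format access-log lines, tracks per-source request counts in a sliding window, and reports sources that exceed a rate threshold together with their share of all traffic. The log lines, addresses (RFC 5737 documentation ranges), window size and threshold are all constructed for the demo; on a real server the numbers are tuned from baseline traffic. This only spots the noisy part of a flood; distributed low-rate sources need upstream telemetry, which is why the text points at operator-side mitigation.

```python
"""Flag high-rate sources in web access logs using a per-IP sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str):
    """Return (client_ip, timestamp) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def flag_floods(lines, window_s: int = 10, threshold: int = 20) -> dict:
    """For each source, the peak number of requests seen inside any
    window_s-second window and the source's share of all parsed requests.
    Only sources whose peak exceeds threshold are returned. Lines are
    expected in time order, as a server writes them."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    count = defaultdict(int)
    total = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip malformed lines instead of crashing
        ip, ts = parsed
        total += 1
        count[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {
        ip: {"peak": peak[ip], "share": round(count[ip] / total, 3)}
        for ip in peak if peak[ip] > threshold
    }

def _clf(ip: str, second: int, path: str) -> str:
    return f'{ip} - - [07/Mar/2017:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: a few normal visitors and one source firing 45 requests in 5 s.
SAMPLE_LOG = (
    [_clf("198.51.100.20", s, "/index.html") for s in (1, 4, 9)]
    + [_clf("203.0.113.7", 10 + i // 9, "/search?q=" + "x" * 64) for i in range(45)]
    + [_clf("198.51.100.20", 15, "/about.html"), _clf("192.0.2.33", 40, "/")]
    + ["not a log line at all"]
)

if __name__ == "__main__":
    for ip, info in flag_floods(SAMPLE_LOG).items():
        print(f"{ip}: peak {info['peak']} req / 10 s, {info['share']:.0%} of traffic")
```

The output of a detector like this is a candidate list for a rate-limit or upstream scrubbing rule, not an automatic block: a busy NAT gateway or a monitoring probe can legitimately exceed a naive threshold, so whitelist known sources before acting.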

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be thought of more as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year or eating their favourite food in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes A Multi-System Issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we saw a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchains in its Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for blockchains.

 

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

 

 

3,151 Comments

  1. Tomi Engdahl says:

    The Potential for Blockchain to Transform Electronic Health Records
    https://hbr.org/2017/03/the-potential-for-blockchain-to-transform-electronic-health-records

    A vexing problem facing health care systems throughout the world is how to share more medical data with more stakeholders for more purposes, all while ensuring data integrity and protecting patient privacy.

    Traditionally, the interoperability of medical data among institutions has followed three models: push, pull, and view (discussed below), each of which has its strengths and weaknesses. Blockchain offers a fourth model, which has the potential to enable secure lifetime medical record sharing across providers.

    Push is the idea that a payload of medical information is sent from one provider to another. In the U.S. a secure email standard called Direct is used to provide encrypted transmission between sender (for example, an E.R. physician) and receiver (for example, your primary care doctor). Although this has worked for health care providers in the past, it assumes that infrastructure is in place to actually make it work, such as the existence of an electronic provider directory for the community and a set of legal agreements enabling widespread sharing of data. Push is a transmission between two parties, and no other party has access to the transaction.

    Pull is the idea that one provider can query information from another provider.

    View is the idea that one provider can view the data inside another provider’s record.

    All of these approaches work technologically, but the policies surrounding them are subject to institutional variation, local practice, state laws, and the rigor of national privacy policy enforcement.

    Blockchain is a different construct, providing a universal set of tools for cryptographic assurance of data integrity, standardized auditing, and formalized “contracts” for data access.

    Imagine that every EHR sent updates about medications, problems, and allergy lists to an open-source, community-wide trusted ledger, so additions and subtractions to the medical record were well understood and auditable across organizations. Instead of just displaying data from a single database, the EHR could display data from every database referenced in the ledger. The end result would be perfectly reconciled community-wide information about you, with guaranteed integrity from the point of data generation to the point of use, without manual human intervention.

    MedRec doesn’t store health records or require a change in practice. It stores a signature of the record on a blockchain and notifies the patient, who is ultimately in control of where that record can travel. The signature assures that an unaltered copy of the record is obtained. It also shifts the locus of control from the institution to the patient, and in return both burdens and enables the patient to take charge of management.

    A Case Study for Blockchain in Healthcare:
    “MedRec” prototype for electronic health records and medical research data
    https://www.healthit.gov/sites/default/files/5-56-onc_blockchainchallenge_mitwhitepaper.pdf

    Reply
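The MedRec idea in the comment above is that the ledger holds a signature of each record rather than the record itself, so that whoever later receives a copy can check it was not altered. The script below is an added example, not code from the article or from the MedRec prototype, and it uses a plain in-memory hash chain in place of an Ethereum contract. Each provider appends a SHA-256 digest of the canonicalised record plus an HMAC under a per-provider key; every entry also hashes the previous one, so editing a stored record or rewriting an earlier ledger entry is detected. Provider names, keys and the patient record are constructed for the demo.

```python
"""Append-only ledger of record digests with per-provider authentication."""
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _canon(obj) -> bytes:
    """Canonical JSON so digests do not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def record_digest(record: dict) -> str:
    """The per-record 'signature' kept on the ledger instead of the record."""
    return hashlib.sha256(_canon(record)).hexdigest()

class Ledger:
    """Hash-chained list of entries; nothing is ever modified in place."""

    def __init__(self):
        self.entries = []

    def append(self, provider: str, patient_id: str, record: dict, provider_key: bytes) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "index": len(self.entries),
            "prev": prev,
            "provider": provider,
            "patient": patient_id,
            "record_digest": record_digest(record),
        }
        # The provider authenticates the entry; the chain hash then covers everything.
        entry["provider_mac"] = hmac.new(provider_key, _canon(entry), "sha256").hexdigest()
        entry["entry_hash"] = hashlib.sha256(_canon(entry)).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self, provider_keys: dict) -> bool:
        """Re-check every link, MAC and hash from genesis to the tip."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["index"] != i or e["prev"] != prev:
                return False
            unsigned = {k: v for k, v in e.items() if k not in ("provider_mac", "entry_hash")}
            key = provider_keys.get(e["provider"])
            if key is None:
                return False
            mac = hmac.new(key, _canon(unsigned), "sha256").hexdigest()
            if not hmac.compare_digest(mac, e["provider_mac"]):
                return False
            signed = {k: v for k, v in e.items() if k != "entry_hash"}
            if hashlib.sha256(_canon(signed)).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def record_is_authentic(self, patient_id: str, record: dict) -> bool:
        """Does a received copy of a record match a digest committed for this patient?"""
        d = record_digest(record)
        return any(e["patient"] == patient_id and e["record_digest"] == d for e in self.entries)

# Constructed demo data (not real providers, keys or patients).
PROVIDER_KEYS = {"er-hospital": b"constructed-key-er", "family-doctor": b"constructed-key-gp"}

def demo():
    """Returns (clean chain verifies, edited record rejected, rewritten history rejected)."""
    ledger = Ledger()
    rx = {"patient": "p-001", "medications": ["amoxicillin 500mg"], "allergies": ["penicillin"]}
    ledger.append("er-hospital", "p-001", rx, PROVIDER_KEYS["er-hospital"])
    ledger.append("family-doctor", "p-001", dict(rx, medications=[]), PROVIDER_KEYS["family-doctor"])
    ok_before = ledger.verify_chain(PROVIDER_KEYS) and ledger.record_is_authentic("p-001", rx)
    tampered_copy = dict(rx, allergies=[])            # allergy list silently dropped
    edit_detected = not ledger.record_is_authentic("p-001", tampered_copy)
    ledger.entries[0]["patient"] = "p-002"            # someone rewrites history
    history_detected = not ledger.verify_chain(PROVIDER_KEYS)
    return ok_before, edit_detected, history_detected

if __name__ == "__main__":
    print(demo())
```

Canonicalisation matters more than it looks: two providers serialising the same record with different key order would otherwise produce different digests and the patient's copy would look tampered when it is not.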
  2. Tomi Engdahl says:

    Despite the spiel, we’re still some decades from true anti-malware AI
    Vendors stuff jargon into antivirus marketing mix
    https://www.theregister.co.uk/2017/02/13/ai_agav_marketing_confusion_opinion/

    Opinion The cybersecurity industry is investing heavily in “machine learning” technologies in the hope of providing a more dynamic defence against malware. The practical upshot of this is that the delegates to the RSA Conference next week are likely to hear a lot about artificial intelligence in next-generation antivirus (NGAV) even though neither term is particularly well defined.

    The need for improved defences is clear enough, driven both by the volume of malware variants pushed out by the bad guys and the stratospheric rise in ransomware.

    Releasing multiple variants of their nasties has also become standard practice among cybercrooks.

    Pattern recognition

    The security industry’s response to this has been automation and cloud-based technologies. Anti-malware is long past reliance on signature detection alone. Whitelisting, heuristics (generic detection), behaviour-based detection have all come into play as part of a multi-layered defences.

    It’s a complicated, and not infrequently criticised, mix.

    For the last few years, vendors have talked about their use of the cloud as a differentiator from competitors. More recently, in the last few months, there has been a sea change in marketing messages and talking about “artificial intelligence” has become de rigueur.

    Next week’s RSA Conference is set to become a battleground for contrasting marketing claims about artificial intelligence and anti-malware.

    Self-described next-generation antivirus firms, exemplified by Cylance, will argue that they are the first to apply artificial intelligence against the malware menace. In reality the technology is, in the opinion of this security writer, better described as pattern recognition and data analytics.

    This approach brings benefits such as a much smaller footprint on client machines, a lower attack surface and a reduction in the number of updates needed. The marketing material doesn’t talk about that, though – it talks about Cylance as the “first company to apply artificial intelligence, algorithmic science and machine learning to cybersecurity”.

    A load of spiel?

    Established vendors are also claiming to use AI. Avast, Sophos (partly because of its recent acquisition of next-gen vendor Invincea) and more will also be talking artificial intelligence at San Francisco.

    Long-standing experts argue that pattern recognition, theorem proving, neural networks, expert systems, machine vision – all “AI techniques” – have been applied in the anti-malware world for years.

    The appearance of an alternative to AI for anti-malware would suggest that artificial intelligence is an established technique for combating malware.

    Frankly, I’m skeptical.

    Reply
  3. Tomi Engdahl says:

    New York Times:
    Sources: ability of Trump-linked data firm Cambridge Analytica to create “psychographic” profiles of consumers for precise ad targeting is exaggerated

    Data Firm Says ‘Secret Sauce’ Aided Trump; Many Scoff
    https://www.nytimes.com/2017/03/06/us/politics/cambridge-analytica.html?_r=0

    Standing before political and business leaders in New York last fall, Alexander Nix promised a revolution.

    Many companies compete in the market for political microtargeting, using huge data sets and sophisticated software to identify and persuade voters. But Mr. Nix’s little-known firm, Cambridge Analytica, claimed to have developed something unique: “psychographic” profiles that could predict the personality and hidden political leanings of every American adult.

    “Of the two candidates left in the election, one of them is using these technologies,” Mr. Nix said, referring to Donald J. Trump.

    Reply
  4. Tomi Engdahl says:

    Jim Finkle / Reuters:
    Consumer Reports will begin assessing cyber security and privacy safeguards when scoring products, publishes first draft of standards for the new testing

    Consumer Reports to consider cyber security in product reviews
    http://www.reuters.com/article/us-cyber-consumerreports-idUSKBN16D0DN

    Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products.

    Consumer Reports will gradually implement the new methodologies

    “This is a complicated area. There is going to be a lot of refinement to get this right,” Rerecich said.

    The effort follows a surge in cyber attacks leveraging easy-to-exploit vulnerabilities in webcams, routers, digital video recorders and other connected devices, which are sometimes collectively referred to as the internet of things.

    “Personal cyber security and privacy is a big deal for everyone. This is urgently needed,”

    The first draft of the standards are available online

    The Digital Standard
    https://thedigitalstandard.org/

    The Digital Standard is an ambitious, open, and collaborative effort to create a digital privacy and security standard to help guide the future design of consumer software, digital platforms and services, and Internet-connected products.

    The standard defines and reflects important consumer values that must be addressed in product development: electronics and software-based products should be secure, consumer information should be kept private, ownership rights of consumers should be maintained, and products should be designed to combat harassment and help protect freedom of expression.

    Reply
  5. Tomi Engdahl says:

    Ian Allison / International Business Times:
    Maersk and IBM pilot using blockchain tech to track global supply of shipping containers, aims to add 10M to this blockchain by end of year

    Maersk and IBM aim to get 10 million shipping containers onto global supply blockchain by year-end
    http://www.ibtimes.co.uk/maersk-ibm-aim-get-10-million-shipping-containers-onto-global-supply-blockchain-by-year-end-1609778

    A pilot involved the shipping of Schneider Electric goods from the Port of Rotterdam to the Port of Newark.

    IBM and Maersk, the largest container ship operator on the planet, have completed an end-to-end digitised supply chain pilot using distributed ledger technology. The blockchain, deployed using Hyperledger Fabric, will begin scaling a network of shippers, freight forwarders, ocean carriers, ports and customs authorities later this year.

    There are some compelling metrics. Of the 70 million containers shipped each year, the goal is get 10 million of them on this blockchain by year-end, said IBM. Container shipping equals about half the value of all maritime trade – a large chunk of global GDP. IBM reckons that going entirely digital could save shipping carriers about $38bn per year.

    In carrying out a test case using avocados from Mombasa to Rotterdam, IBM calculated the cost of the movement of the shipping container itself was about $2000. The cost of the paperwork associated with it comes to $300, so an estimated 15% – 20% of costs can be put down to this and similar inefficiencies around timing and visibility.

    The blockchain shadowed the entire process from raising a purchase order to the goods being delivered, which can take as long as 60 days.

    Ramesh Gopinath, a vice president at IBM said: “Every relevant document and approval was captured on the blockchain. It had to be a shadow by definition; customs are going to use whatever they are going to use as the standard process, but our system took it through the entire process.

    “We are announcing this so we can now start to scale and get others to participate. This is a solution for industry, not just Maersk.”

    In the pilot customs signed off with just an iPad and I can imagine a farmer using a mobile phone to sign off on transactions.

    “In my view there are two classes of solutions you can have that transform the global trade world,” said Gopinath. “One has got to do with everything around the flow of goods; the other is the flow of the money associated with it, the financing and all that. Both will eventually come together”

    Reply
  6. Tomi Engdahl says:

    A dull, duller, security?

    “Security sucks!” This is a direct quote from a female friend as she got into the car at the end of a working day on Wednesday. The feedback continued: “Security is the only task that interferes with work and slows down the pace of progress!”

    Can user feedback, and through it the experience of information security in general, be positive? I would argue that yes, it can.

    The key to happiness has already risen to cult status: recurring conversation with users.

    I have collected successes every time I have been face to face with users about the importance of security in everyday working life.

    Last week I visited the very top cyber security company in Finland: the afternoon ended in front of huge technology pornography. We admired each other’s ever more complicated abbreviations. However, by the end of the day we openly agreed that no technical solution is impervious. A corporate security package always depends on individual users’ choices.

    Information security technologies, even with improved operational rules of the game, rarely facilitate users’ daily life, rather the opposite.

    Source: http://www.tivi.fi/Kumppaniblogit/dna/tylsa-tylsempi-tietoturva-6626155

    Reply
  7. Tomi Engdahl says:

    MacKeeper:
    Major spam group River City Media left 1.4B email addresses, combined with real names, IPs, and often physical addresses, exposed online — Today we release details on the inner workings of a massive, illegal spam operation. The situation presents a tangible threat to online privacy …

    Spammergate: The Fall of an Empire
    https://mackeeper.com/blog/post/339-spammergate-the-fall-of-an-empire

    A cooperative team of investigators from the MacKeeper Security Research Center, CSOOnline, and Spamhaus came together in January after I stumbled upon a suspicious, yet publicly exposed, collection of files. Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling.

    The leaky files, it turns out, represent the backbone operations of a group calling themselves River City Media (RCM). Led by known spammers Alvin Slocombe and Matt Ferris, RCM masquerades as a legitimate marketing firm while, per their own documentation, being responsible for up to a billion daily email sends.

    Spammers expose their entire operation through bad backups
    Faulty Rsync setup exposes River City Media’s entire operation, group is one of Spamhaus’ top offenders (infographic)
    http://www.csoonline.com/article/3176433/security/spammers-expose-their-entire-operation-through-bad-backups.html

    Something’s not right:

    “If you have not changed your Skype and Hipchat passwords as yet, please do so ASAP,” wrote Alvin Slocombe in early February on HipChat.

    He suspected the company had been hacked. In his all-staff message, he urged everyone to rotate passwords for “anything that we may have stored any information on in the past.”

    The assumptions were wrong though. The company wasn’t hacked. Yet, the reality is, RCM still experienced a severe data breach – one they were directly responsible for. By this point, their backups had been exposed for more than a month.

    Vickery had discovered everything. From Hipchat logs and domain registration records, to accounting details, infrastructure planning and production notes, scripts, and business affiliations. In addition, Vickery uncovered 1.34 billion email accounts. These are the accounts that will receive spam, or what RCM calls offers.

    “Nobody would knowingly give their email address to spammers, so they have to be tricked into it. Usually, there is some kind of offer for a ‘free gift’ in exchange for giving up an email address and personal information. The fine print of these offers allows the company to share their address with their ‘partners’ which ends up also being their partner’s partners, and their partner’s partner’s partners, until every spammer on the planet has their address,” explained Spamhaus’ Mike Anderson.

    “Meanwhile, the original contract for handing over the address is never fulfilled, since it turns out to be impossible to redeem the ‘free gift’ or only with extreme difficulty.”

    Law enforcement was informed about the breach and the questionable activities it exposed.

    The process works like this: RCM will send messages for a given campaign to these warm-up accounts, and since they’re not generating complaints from these messages (they’re not going to complain about themselves after all), the Email Service Provider or affiliate program will mark them as a good sender. Once they have a solid reputation built-up, they’re ready to blast the rest of the internet with their offers.

    If RCM is caught spamming, the domain being used is dropped and replaced. The process is the same for affiliate IDs.

    Reply
  8. Tomi Engdahl says:

    Cyrus Farivar / Ars Technica:
    Federal prosecutors drop charges in another of 135+ Playpen child porn cases in order to keep the source code of its Tor hack secret

    To keep Tor hack source code secret, DOJ dismisses child porn case
    DOJ: “Disclosure is not currently an option.”
    https://arstechnica.com/tech-policy/2017/03/doj-drops-case-against-child-porn-suspect-rather-than-disclose-fbi-hack/

    Rather than share the now-classified technological means that investigators used to locate a child porn suspect, federal prosecutors in Washington state have dropped all charges against a man accused of accessing Playpen, a notorious and now-shuttered website.

    “The government must now choose between disclosure of classified information and dismissal of its indictment,” Annette Hayes, a federal prosecutor, wrote in a court filing on Friday. “Disclosure is not currently an option. Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when and the government be in a position to provide the requested discovery.”

    The Department of Justice is currently prosecuting over 135 people nationwide whom they believe accessed the illegal website. However, in order to find those people, federal authorities seized and operated the site for 13 days before closing it down. During that period, the FBI deployed a Tor exploit that allowed them to find out those users’ real IP addresses.

    The DOJ has called this exploit a “network investigative technique,” (NIT) while many security experts have dubbed it as “malware.”

    Last year, US District Judge Robert Bryan ordered the government to hand over the NIT’s source code in Michaud. Since that May 2016 order, the government has classified the source code itself, thwarting efforts for criminal discovery in more than 100 Playpen-related cases that remain pending.

    Since the prosecution against Playpen defendants has unfolded, many have pleaded guilty

    Talk is cheap, hacking is cheaper

    Since these cases began, a new change to federal judicial rules will make it easier for lower-level federal judges, known as magistrates, to issue warrants authorizing future NITs that are valid anywhere in the country, rather than being limited to their own judicial district. Some advocates are finding that prospect alarming.

    “My concern with the economics of hacking is that if the government hacks enough people, hacking not only becomes an attractive way of surveilling but it becomes the cheapest way to spy on people,” he said in December 2016.

    “My concern is that when they hack enough people, surveillance becomes so cheap—hacking becomes cheaper than even a single hour of law enforcement overtime that this will become the tool of first resort,” he continued. “Hacking will be the first tool in the toolkit that they reach for, before they go undercover. Before they try and convince someone the old-fashioned way. My concern is that hacking is making spying far too cheap.”

    However, some legal experts have argued that such “lawful hacking” is an appropriate way for the government to combat the so-called “going dark” problem—the widespread use of sophisticated anti-surveillance tools, such as Tor and other forms of encryption that stymie traditional law enforcement.

    Reply
  9. Tomi Engdahl says:

    That big scary 1.4bn leak was basically nothing but email addresses
    Spammers hoard contact details on millions of netizens, we can non-exclusively reveal
    https://www.theregister.co.uk/2017/03/07/rcm_email_megaleak/

    The “1.4 billion identity leak” that was hyped up before the weekend involved, no, not a database ransacking at Facebook, YouTube, or anything that important.

    No, instead, a US-based spam-slinging operation accidentally spilled its treasure chest of email addresses used to deluge netizens with special offers, marketing crap and the like.

    The 200GB table includes real names, email addresses, IP addresses, and “often” physical addresses, it is claimed.

    “Someone had forgotten to put a password on this repository,” Vickery said. The data was, basically, a backup held in a poorly secured rsync-accessible system. It is alleged that chat logs and internal files in the repository show RCM staff discussing Slowloris-like techniques to overload mail servers and persuade the machines to accept hundreds of millions of messages.

    Reply
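Both the CSO and Register pieces above put the River City Media exposure down to an rsync daemon serving a backup module with no password, the "faulty Rsync setup". The fragment below is an added example and not RCM's configuration or anyone else's: it shows a constructed rsyncd.conf module in the forgotten-password form and then the same module with the daemon's own access controls switched on. The module name, path, user name and address range are assumptions.

```ini
# --- BEFORE (constructed): what an unauthenticated backup module looks like ---
[backups]
    path = /srv/backups
    read only = yes
    list = yes
    # No "auth users" and no "hosts allow": anyone who can reach TCP/873
    # can list the module and pull every file in it.

# --- AFTER (constructed): same module, daemon-side controls enabled ---
[backups]
    path = /srv/backups
    read only = yes
    list = no                           # do not advertise the module
    auth users = backup-reader          # hypothetical daemon user
    secrets file = /etc/rsyncd.secrets  # "backup-reader:<secret>", must be mode 0600
    hosts allow = 10.0.0.0/8            # internal range only (assumed)
    hosts deny = *
    use chroot = yes
    uid = nobody
    gid = nogroup
```

Two caveats worth keeping in mind: rsync refuses to use a secrets file that is readable by others unless `strict modes` is turned off, so the 0600 mode is not optional; and daemon-mode authentication only gates access, the transfer itself is unencrypted, so a backup module like this belongs behind an SSH tunnel or VPN rather than on a public address, with the module list checked from outside the perimeter after any change.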
  10. Tomi Engdahl says:

    Researchers Find 26 Security Flaws in 9 Popular Android Password Managers
    https://www.bleepingcomputer.com/news/security/researchers-find-26-security-flaws-in-9-popular-android-password-managers/

    A team of German security professionals has discovered 26 security flaws in nine of the world’s most popular Android password managers.

    The list of tested apps includes MyPasswords, Informaticore, LastPass, Keeper, F-Secure Key, Dashlane, Hide Pictures Keep Safe Vault, Avast Passwords, and 1Password. All tested apps were installed on at least 500,000 devices, with some apps having millions of users.

    The research team says these apps featured different kinds of security flaws, listed below:

    Storage of master password in plain text
    Encrypting master password but leaving encryption key hard-coded in the app’s source code
    Leaving user passwords in the phone’s shared clipboard space, where other apps could retrieve them
    Some password manager apps were vulnerable to data residue attacks (password recovery after uninstallation of password manager app)
    Apps were vulnerable to browser autofill phishing attacks
    Some password manager apps came with their own browser that was leaking user data

    All found issues have now been fixed.

    In total, security researchers found 26 security bugs, ranging from low to critical-level issues. The research team went public with their findings at the start of the week.

    Reply
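
The flaw classes in the comment above (master password stored in plain text, or "encrypted" with a key hard-coded in the app) can be contrasted with a salted key-derivation design in a few lines. The following is an added example written for this page; it is not code from the research team or from any of the tested apps. The XOR "cipher", the `HARDCODED_APP_KEY` constant, the PBKDF2 iteration count and the verifier label are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# --- Weak pattern from the research: the master password is hidden with a constant that ships
# inside the app. The key here is a constructed placeholder; in the flawed apps it was a literal
# in the APK, so whoever has the app has the key, and the stored blob is obfuscated, not protected.
HARDCODED_APP_KEY = b"demo-app-key-baked-into-apk"


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_protect_master(master: str) -> bytes:
    return _xor(master.encode("utf-8"), HARDCODED_APP_KEY)


def weak_unprotect_master(blob: bytes) -> str:
    # No user secret is involved: the constant from the app is all that is needed to recover it.
    return _xor(blob, HARDCODED_APP_KEY).decode("utf-8")


# --- Hardened pattern: derive keys from the master password with a per-user random salt and a
# slow KDF, store only a verifier, and never write the master password or the vault key to disk.
PBKDF2_ITERATIONS = 100_000  # chosen for this example; tune to the device's CPU budget
VERIFIER_LABEL = b"master-password-verifier"  # constructed domain-separation label


def _derive(master: str, salt: bytes, iterations: int) -> tuple:
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=64)
    # Split the derived material: one half proves the password, the other encrypts the vault.
    return key[:32], key[32:]


def hardened_enroll_master(master: str) -> dict:
    """Return the record to persist: salt, iteration count and an HMAC verifier of the check key."""
    salt = secrets.token_bytes(16)
    check_key, _vault_key = _derive(master, salt, PBKDF2_ITERATIONS)
    verifier = hmac.new(check_key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "verifier": verifier}


def hardened_unlock(record: dict, candidate: str):
    """Return the 32-byte vault key for a correct password, None otherwise (constant-time compare)."""
    check_key, vault_key = _derive(candidate, record["salt"], record["iterations"])
    verifier = hmac.new(check_key, VERIFIER_LABEL, "sha256").digest()
    if hmac.compare_digest(verifier, record["verifier"]):
        return vault_key
    return None


if __name__ == "__main__":
    blob = weak_protect_master("hunter2")
    print("weak scheme recovered without any user input:", weak_unprotect_master(blob))
    rec = hardened_enroll_master("correct horse battery staple")
    print("hardened unlock, right password:", hardened_unlock(rec, "correct horse battery staple") is not None)
    print("hardened unlock, wrong password:", hardened_unlock(rec, "Tr0ub4dor&3"))
```

The point of the split derivation is that the stored record lets the app check a login attempt but contains nothing that decrypts the vault; the vault key exists only in memory after a successful unlock, which also limits what a "data residue" copy of the app's files is worth.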
  11. Tomi Engdahl says:

    CA Technologies to pay $614M for Burlington cybersecurity firm
    http://www.bizjournals.com/boston/news/2017/03/06/ca-technologies-to-pay-614m-for-burlington.html?page=all

    Burlington security software company Veracode will be acquired by CA Technologies for $614 million in cash, the companies announced Monday.

    The acquisition is expected to close in the first quarter of 2018.

    Veracode is one of the largest cybersecurity firms in Massachusetts, with 375 employees in the state as of April 2016.

    Founded in 2006, Veracode makes cloud-based software that allows developers to test and monitor the security of their applications during the building and deployment process. The company has more than 1,400 customers, including Boeing and Thomson Reuters.

    CA Technologies, which provides enterprise clients with an array of software products, says Veracode will help it appeal to midsize enterprises.

    “Software is at the heart of every company’s digital transformation. Therefore, it’s increasingly important for them to integrate security at the start of their development processes, so they can respond to market opportunities in a secure manner,”

    Reply
  12. Tomi Engdahl says:

    Testing For Security
    http://semiengineering.com/testing-for-security/

    So far, the best solution appears to be a team of white-hat hackers. That’s not good enough.

    Ever since the IoT became a household name, people have been strategizing about ways to utilize non-secure devices to mount an attack.

    The first instances of using electricity to overload a device’s circuits, thereby neutralizing existing security features, came to light in some of the earliest car hacking incidents. These are basically side-channel attacks using what amounts to an electronic stun grenade.

    The distributed denial of service attack on Dyn last October took this concept to a new level.

    So what can be done about this? The answer is plenty. Some steps already are being taken. Security clearly needs to be built into every aspect of a device, from design through to manufacturing and beyond. On the design side, authentication keys need to be hidden away, and most of the advanced hardware developed today already does this. In some cases that security is active, which requires power and adds to the overall cost. In others it is passive, which may include tamper-resistance that renders hardware useless if someone tries to grind away the package and insert a probe.

    Software remains vulnerable, in part because that portion of a device is never completely finished. Even if over-the-air updates are safe, there are other weaknesses that can be compromised. It’s impossible to find all of them. Sometimes they are discovered by teams of white-hat hackers. The worst-case scenario is they don’t get reported for years because they are actively in use by criminals or teams of hackers with the deep resources of organized crime or nation states.

    The third piece of the puzzle involves the supply chain. Counterfeit parts and IP are rampant.

    There are several steps required to address these problems.

    First, devices need to be tested to ensure they match the final spec.

    Second, data needs to be reviewed after every breach to identify what went wrong.

    This is basically a big data problem caused by a triumvirate of complexity of hardware and software, an extended supply chain, and myriad use cases and connections. All of that data needs to be mined to identify anomalies so that simpler tests can be developed to avoid future problems.

    And finally, hackers will always be the first one in the door, which puts security companies in a reactive position. That won’t change completely.

    At present, the best solution is a combination of anti-virus software, extra code and circuitry developed to prevent hardware attacks, and a team of white-hat hackers to continually look for weaknesses. The pieces that are missing are the up-front verification of what is being developed and manufactured, and the after-the-fact deep analysis of what goes wrong at a systemic level.

    Reply
  13. Tomi Engdahl says:

    Another Day, Another “IoT” Backdoor
    http://hackaday.com/2017/03/06/another-day-another-iot-backdoor/

    As if you needed any reason other than “just for the heck of it” to hack into a gadget that you own, it looks like nearly all of the GSM-to-IP bridge devices made by DBLTek have a remotely accessible “secret” backdoor account built in. We got sent the link via Slashdot which in turn linked to this story on Techradar. Both include the scare-words “Chinese” and “IoT”, although the devices seem to be aimed at small businesses, but everything’s “IoT” these days, right?

    What is scary, however, is that the backdoor isn’t just a sloppy debug account left in, but rather only accessible through an elaborate and custom login protocol.

    Undocumented Backdoor Account in DBLTek GoIP
    https://www.trustwave.com/Resources/SpiderLabs-Blog/Undocumented-Backdoor-Account-in-DBLTek-GoIP/

    Reply
  14. Tomi Engdahl says:

    Poachers are trying to hack animal tracking systems
    https://www.helpnetsecurity.com/2017/03/06/hack-animal-tracking-systems/

    Animal tracking through electronic tagging has helped researchers gain insight into the lives of many wild animal species, but can also be misused by wildlife poachers, hunters, animal-persecution groups and people interested in seeing and interacting with the animals – all to the detriment of our animal brethren.

    A recent paper by a group of researchers from several Canadian and US universities has pointed to several instances of misuse or attempted misuse of the tracking technology.

    Troubling issues at the frontier of animal tracking for conservation and management
    http://onlinelibrary.wiley.com/doi/10.1111/cobi.12895/full

    Reply
  15. Tomi Engdahl says:

    Angus Crawford / BBC:
    BBC investigates Facebook’s failure to remove sexualized images of children; Facebook reports BBC journalists to UK’s National Crime Agency

    Facebook failed to remove sexualised images of children
    http://www.bbc.co.uk/news/technology-39187929

    Facebook has been criticised for its handling of reports about sexualised images of children on its platform.

    The chairman of the Commons media committee, Damian Collins, said he had “grave doubts” about the effectiveness of its content moderation systems.

    Mr Collins’ comments come after the BBC reported dozens of photos to Facebook, but more than 80% were not removed.

    When provided with examples of the images, Facebook reported the BBC journalists involved to the police and cancelled plans for an interview.

    It subsequently issued a statement: “It is against the law for anyone to distribute images of child exploitation.”

    On its welcome page, Facebook says it does remove obscene material.

    “Nudity or other sexually suggestive content” it states are not allowed on the platform.

    “The fact that Facebook sent images that had been sent to them, that appear on their site, for their response about how Facebook deals with inappropriate images…the fact that they sent those on to the police seemed to me to be extraordinary,” he said.

    Reply
  16. Tomi Engdahl says:

    Shellshock Attacks Still Cheap and Easy: IBM
    http://www.securityweek.com/shellshock-attacks-still-cheap-and-easy-ibm

    Two and a half years after being discovered, the Shellshock vulnerability continues to be abused in attacks, and for a good reason: it is a very cheap and easy attack, IBM says.

    Discovered in September 2014, Shellshock is a vulnerability found within the bourne-again shell (BASH), the default command shell in almost each and every Linux and Unix system at the time. An attacker able to abuse the security flaw could execute commands with super-user privileges remotely.

    Tracked as CVE-2014-6271, the issue was found to affect a great deal of devices, including Web servers and Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems. Mac OS X systems were also impacted.

    With many applications relying on BASH, an attacker could exploit the vulnerability by sending a command sequence to the web server to be interpreted with the BASH.

    In July 2015, researchers warned that Shellshock was still being abused, and the attacks continue nearly two years later. Many vulnerable devices haven’t been patched to this day, and attackers are enticed to continue hitting those targets.

    “Attackers need only a server, basic programming skills and access to malware to carry out this type of attack. The level of knowledge and effort required is quite low. Fraudsters can simply launch attacks against hundreds of different IP addresses per minute and wait to hit a vulnerable server by chance,” IBM’s Joerg Stephan explains.

    To carry out a Shellshock attack, an attacker only needs to spend around $5 a month, Stephan says. For just over $30, an attacker could target around 1 million servers within a six-month period, which could translate into 100,000 victims, as roughly 10% of all servers remain unpatched, IBM says.

    To show just how simple it would be to come up with the necessary code, IBM’s researcher published some basic Python code that can do the trick.

    A bash script would download a bot from the server, save it to a certain path, make the file executable and run it, and could also include a line to execute the bot after each reboot, for persistence.

    Reply
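
The comment above notes that Shellshock (CVE-2014-6271) is exploited by sending a crafted request to a web server that hands header values to bash. From the defender's side, the marker that bash looks for at the start of an environment variable value is easy to spot in web server logs. The following is an added example, not IBM's published code and not part of the original post: a scanner over combined-format access log lines. The log lines, IP addresses and timestamps are constructed for this example.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format, parsed with a simple regex (assumed format, no custom fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2014-6271 is triggered when an environment variable's value begins with a bash function
# definition, "() {", followed by extra commands. CGI servers copy request headers into environment
# variables, so the marker shows up in header-derived fields such as User-Agent and Referer.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample log: one clean request and three probes, one of them percent-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Mar/2017:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; echo shellshock-test"',
    '198.51.100.7 - - [07/Mar/2017:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [07/Mar/2017:10:02:15 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 '
    '"() { :;}; echo probe" "curl/7.35.0"',
    '192.0.2.4 - - [07/Mar/2017:10:03:00 +0000] "GET /cgi-bin/x HTTP/1.1" 200 10 "-" '
    '"%28%29%20%7B%20%3A%3B%7D%3B%20echo%20encoded"',
]


def shellshock_field(line: str):
    """Return the name of the first log field carrying the Shellshock marker, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for field in ("req", "referer", "ua"):
        value = m.group(field)
        # Probes are sometimes percent-encoded; test the raw and the decoded form.
        if SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)):
            return field
    return None


def scan(lines):
    """Return (source_ip, field) for every line that looks like a Shellshock probe."""
    hits = []
    for line in lines:
        field = shellshock_field(line)
        if field is not None:
            hits.append((LOG_RE.match(line).group("ip"), field))
    return hits


def sources(lines):
    """Count probes per source IP, useful for the 'hundreds of addresses per minute' spray pattern."""
    counts = {}
    for ip, _field in scan(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, field in scan(SAMPLE_LOG):
        print(f"shellshock probe from {ip} in {field}")
    print(sources(SAMPLE_LOG))
```

A hit in the log is evidence of a probe, not of compromise; the follow-up is to confirm the bash version on the host is patched and that no CGI handler or other bash-invoking service exposes request headers as environment variables.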
  17. Tomi Engdahl says:

    Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction
    http://www.securityweek.com/shamoon-linked-stonedrill-malware-allows-spying-destruction

    Researchers at Kaspersky Lab have come across a new and sophisticated piece of malware that can be used for both cyber espionage and wiping an infected computer’s storage.

    Dubbed “StoneDrill,” the malware has been linked to the notorious Shamoon 2 and Charming Kitten, aka Newscaster and NewsBeef, a threat actor believed to be located in Iran.

    The security firm has observed the threat being used in attacks aimed at entities in Saudi Arabia and one organization in Europe. Unlike in the case of Shamoon, which is known to have caused significant damage to oil giant Saudi Aramco, there are no reports of damaging attacks involving StoneDrill.

    Reply
  18. Tomi Engdahl says:

    What’s Next in Cybersecurity? Ripped From the RSA Conference Floor
    http://www.securityweek.com/whats-next-cybersecurity-ripped-rsa-conference-floor

    The security industry wrapped up what has arguably become the most significant trade show in the security industry: RSA Conference. While it’s always interesting to see what challenges hold the industry’s attention and how vendors plan to address them, I find the most useful information comes from informal conversations with customers and industry colleagues as opposed to official booth presentations.

    Threat Intelligence Sharing Is REAL

    The Cyber Threat Alliance (CTA) announced two new founding and three new associate member companies
    More importantly, the alliance also announced the ongoing development of a new, automated threat intelligence sharing platform.
    The platform better organizes threat information into “adversary playbooks” focused on specific attacks so as to increase the value and usability of collected threat intelligence.

    Great Innovation Happening Around Securing the Endpoint

    Organizations are realizing more than ever that legacy antivirus approaches to securing the endpoint do not work and are actively seeking alternatives. There’s been a great deal of noise around endpoint security, with different vendors advocating different approaches to securing this critical threat vector. The most intriguing alternative to me is one that not only checks for compliance in antivirus replacement boxes, but is also natively integrated with the rest of the network security stack.

    Cybersecurity Needs People

    Without exception, everyone continued to note a lack of qualified cybersecurity staff as a serious issue. Most included identifying, hiring and budgeting for staff in their top three lists of concerns, often in the No. 1 spot.
    We must jointly find a way to build a larger bench of cybersecurity talent, or the shortage of skilled and affordable cybersecurity experts will continue to impact organizations.

    Do Point Products Still Reign?

    The show floor was more crowded than ever thanks to a host of new security companies exhibiting for the first time, each looking at a specific threat vector or technique. While new thinking and innovation are vital, this ad hoc approach to building a cybersecurity infrastructure doesn’t give organizations the complete visibility into their risk posture they need to prevent attacks. Each point product contributes just a part to the overall security of an organization, and point solutions don’t play well together, leaving security gaps that can be exploited.

    Reply
  19. Tomi Engdahl says:

    CrowdStrike Vs NSS Labs, Round 2: NSS Hits Back
    http://www.securityweek.com/crowdstrike-vs-nss-labs-round-2-nss-hits-back

    In February 2017, endpoint protection firm CrowdStrike took the unusual step of suing independent product testing organization NSS Labs, “to hold it accountable for unlawfully accessing our software, breaching our contract, pirating our software, and improper security testing.”

    The immediate purpose of the suit was to support action for an injunction to prevent NSS Labs from publishing test result details of CrowdStrike’s Falcon endpoint security product within its latest public test. The injunction failed, and NSS published the results.

    “Given the serious inaccuracies CrowdStrike has been promoting in their blog and elsewhere, we decided that we needed to tell our side of the story,” blogged NSS CEO Vikram Phatak. The blog amounts to a step-by-step refutation of CrowdStrike’s accusations.

    Putting Customers First?
    https://www.nsslabs.com/blog/company/putting-customers-first/

    Then, despite the court’s ruling and memorandum, CrowdStrike published a blog accusing NSS Labs of various nefarious doings.

    Why did we wait to publicly respond to CrowdStrike? We felt the CrowdStrike management team might need some time to reflect on the choices they made, and that some distance would provide them the opportunity to make a course correction. Unfortunately, nothing has changed.

    NSS Labs is committed to providing our enterprises customers with accurate test results so that they can make informed decisions. We anticipated that testing products in the endpoint market would meet with resistance given the historical relationship between vendors and testing organizations.

    The entire test is done on our dime, and all we ask from vendors is that they provide us with their product, along with engineering support before and during the test, should we need it.

    So we are disappointed that in the weeks since the AEP group test was published, CrowdStrike did not reach out to NSS to understand the attacks and evasions they missed. Instead, they have made a concerted effort to obfuscate and divert attention away from their test results – vilifying NSS in an effort to justify their actions.

    Reply
  20. Tomi Engdahl says:

    Riot awarded $10 million in Leaguesharp lawsuit settlement
    The League of Legends studio has also been granted control of all Leaguesharp websites.
    http://www.pcgamer.com/riot-awarded-10-million-in-in-leaguesharp-lawsuit-settlement/

    Riot Games’ lawsuit against the League of Legends botting service Leaguesharp has come to an end with a $10 million payout for Riot, and the legally-mandated shutdown of Leaguesharp’s services. The suit, filed last summer, alleged that Leaguesharp was a “gamebreaking” service that let unscrupulous players earn money by “creating and selling accounts that have been artificially leveled,” and that Leaguesharp itself pulled in hundreds of thousands of dollars per month on it.

    Reply
  21. Tomi Engdahl says:

    Researchers Use Intel SGX to Conceal Malware, Extract Private Keys
    http://www.securityweek.com/researchers-use-intel-sgx-conceal-malware-extract-private-keys

    A group of researchers from Austria’s Graz University of Technology have demonstrated that malware running on Intel SGX (Software Guard Extensions) can attack the host and can be used to extract RSA private keys.

    SGX, an isolation mechanism introduced by Intel in its microprocessors to protect code and data from modification or disclosure, uses special execution environments called enclaves, which work in an encrypted memory area, thus protecting an application’s secrets from attackers. According to Intel, cryptographic keys should be stored inside enclaves, because they can thwart side-channel attacks.

    While some argued before that the hardware-supported isolation could result in super malware inside enclaves, others refuted the fears, saying that enclaves always run with user space privileges and cannot perform any I/O operations. In a newly published paper (PDF), Graz University of Technology researchers prove that enclave malware can indeed attack its hosting system.

    Malware Guard Extension:
    Using SGX to Conceal Cache Attacks
    (Extended Version)
    https://arxiv.org/pdf/1702.08719.pdf

    Reply
  22. Tomi Engdahl says:

    Vault7 by WikiLeaks
    http://www.epanorama.net/newepa/2017/03/07/vault7-by-wikileaks/
    https://wikileaks.org/ciav7p1/

    Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named “Vault 7” by WikiLeaks, the project claims that recently the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation.

    Reply
  23. Tomi Engdahl says:

    Number of Darknet Sites Plunges After Freedom Hosting Hack
    http://www.securityweek.com/number-darknet-sites-plunges-after-freedom-hosting-hack

    The number of hidden services has dropped significantly following the cyberattack on Freedom Hosting II, which had been estimated to host roughly 20 percent of the sites on the dark web.

    Freedom Hosting II, which hosted nearly 11,000 websites, was brought down by Anonymous-affiliated hackers in early February. The hacktivists accused the service of hosting many child pornography sites, and leaked a large quantity of data from its systems, including over 380,000 user records.

    Reply
  24. Tomi Engdahl says:

    A Look Back at RSA 2017: 3 Things I Wish I Saw Less Of
    http://www.securityweek.com/look-back-rsa-2017-3-things-i-wish-i-saw-less

    Here are a few things I saw this year that I’m hoping won’t be making an appearance at RSA 2018.

    Unreasonable vendor claims and silver bullets. Every year, countless security vendors roam the show floor at RSA, promising that their latest revolutionary tool is going to solve the entire world’s security problems.
    However, too often these organizations are overpromising and underdelivering.

    Scare tactics as a selling tool. Along those lines, many vendors seek to sell their goods by scaring organizations into believing they need them. Highlighting the latest big security breach and claiming to have been able to stop it if only that organization had had their product isn’t a positive way to sell your wares. Additionally, scaring companies into thinking that if they don’t have one specific security component their entire organization is immediately at risk isn’t an effective approach to security either.

    Breach-shaming. All organizations have security risks. Period. While the industry works tirelessly to help organizations avoid being compromised, the fact is that breaches are going to happen. When they do, too often the company that was victimized is barraged by criticism from the rest of the industry, who say they should have implemented this product or this service or this response.

    A promising trend: More collaboration.
    There is one area in particular that was particularly motivating to see: more collaboration. It’s no secret that the threat landscape is continuing to evolve. Integrating technologies and sharing intelligence among the world’s leading security organizations is a crucial way to stay ahead of growing threats. Rather than allowing hackers to target multiple organizations, if each organization was aware of an attack as soon as it happened, the hacker would be stopped in his tracks before he could face his next target.

    Reply
  25. Tomi Engdahl says:

    Bug Allowed Free Uber Rides
    http://www.securityweek.com/bug-allowed-free-uber-rides

    A bug in Uber could have been used by users to ride for free anywhere where the service is available, a researcher has discovered.

    Prakash reported the vulnerability to Uber via the company’s bug bounty program on HackerOne, which offers rewards between $100 and $10,000 for bugs in several dozen Uber properties. The issue was apparently discovered in August 2016, and Uber was able to fix it the same day the researcher disclosed it. The company awarded the researcher $5,000 for this finding.

    Reply
  26. Tomi Engdahl says:

    Ransomware Module Found in Shamoon 2.0
    http://www.securityweek.com/ransomware-module-found-shamoon-20

    The Shamoon 2.0 malware used recently in attacks aimed at the Middle East has a fully functional ransomware module that can encrypt files on the infected device, Kaspersky Lab said on Monday.

    Reply
  27. Tomi Engdahl says:

    Six Flaws Patched With Release of WordPress 4.7.3
    http://www.securityweek.com/six-flaws-patched-release-wordpress-473

    WordPress developers announced on Monday the availability of version 4.7.3, a security release that includes patches for six vulnerabilities and 39 maintenance fixes.

    WordPress 4.7.3 addresses three cross-site scripting (XSS) flaws that can be exploited via media file metadata, video URLs in YouTube embeds, and taxonomy term names. Chris Andrè Dale, Yorick Koster, Simon P. Briggs, Sucuri researcher Marc Montpas, and a user with the moniker “Delta” have been credited for finding these security holes.

    The latest WordPress update also fixes a vulnerability that allows control characters to trick redirect URL validation (reported by Daniel Chatfield), and a bug that can lead to administrators deleting unintended files via the plugin deletion functionality (reported by xuliang).

    Reply
  28. Tomi Engdahl says:

    Verifone Investigating ‘Limited Cyber Intrusion’
    http://www.securityweek.com/verifone-investigating-limited-cyber-intrusion

    Verifone is investigating a breach that it has described as “a limited cyber intrusion into its corporate network.” It believes that “due to our immediate response, the potential for misuse of information is limited.”

    KrebsOnSecurity has published an internal memo dated Jan. 23 sent to all Verifone staff and contractors. It says the payment solutions firm is currently investigating an IT control matter, and asks everyone to change their employee passwords within 24 hours. It also states that employees will no longer be able to load new software onto their company desktop and laptop computers; that is, local admin privileges are being removed.

    These two actions are typical responses to an actual or likely breach — although many security professionals will be surprised that staff still had local admin status.

    Reply
  29. Tomi Engdahl says:

    Google Patches 35 Critical Android Vulnerabilities
    http://www.securityweek.com/google-patches-35-critical-android-vulnerabilities

    Google this week released a new set of monthly security patches for Android to address over 100 vulnerabilities in the platform, 35 of which carry a Critical severity rating.

    All of the above issues should be addressed by security patch levels of 2017-03-05 or later, Google notes on its advisory. The company already started pushing an over-the-air update to Google Devices (Android One, Nexus, and Pixel devices) with the March 05, 2017 security patch level.

    Reply
  30. Tomi Engdahl says:

    Cybercriminals Target Employees Involved in SEC Filings
    http://www.securityweek.com/cybercriminals-target-employees-involved-sec-filings

    A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel that handles filings to the Securities and Exchange Commission (SEC).

    The attack starts with a spear phishing email coming from a spoofed sec.gov email address, which carries a document apparently containing “important” information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.

    Reply
  31. Tomi Engdahl says:

    Bechtel Opens Industrial Cyber Security Lab
    http://www.securityweek.com/bechtel-opens-industrial-cyber-security-lab

    Global engineering and construction giant Bechtel has opened a new cyber security lab aimed at protecting industrial equipment and software that control facilities such as power plants, chemical plants, and other large-scale critical infrastructure operations.

    With the goal of protecting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems from cyber threats, Bechtel says the lab will leverage its experience designing and implementing National Institute of Standards and Technology Risk Management Framework (NIST-RMF) solutions for its government customers.

    Reply
  32. Tomi Engdahl says:

    The Skinner adware rears its ugly head on Google Play
    http://blog.checkpoint.com/2017/03/08/skinner-adware-rears-ugly-head-google-play/

    A new member of the ever growing adware-found-on-Google-Play list has been found. Previous members include Viking Horde, DressCode and CallJam, among many others. The malware, dubbed “Skinner”, was embedded inside an app which provides game related features. The app was downloaded by over 10,000 users, and managed to hide on Google Play for over two months. Skinner tracks the user’s location and actions, and can execute code from its Command and Control server without the user’s permission. The app was removed from the play store after we contacted the Google security team. While adware is a common threat to users, Skinner displayed new elaborate tactics used to evade detection and maximize the profits by targeting users with unprecedented precision.

    Skinner obfuscates the malicious components of its code to avoid detection. The malicious activity begins only once the malware detects a user activity, such as opening an app, to ensure it is run by a real user.

    Reply
  33. Tomi Engdahl says:

    Federal Criminal Probe Being Opened Into WikiLeaks’ Publication of CIA Documents
    https://politics.slashdot.org/story/17/03/08/1759203/federal-criminal-probe-being-opened-into-wikileaks-publication-of-cia-documents

    A federal criminal investigation is being opened into WikiLeaks’ publication of documents detailing alleged CIA hacking operations, CNN reports citing several U.S. officials.

    The officials said the FBI and CIA are coordinating reviews of the matter. The investigation is looking into how the documents came into WikiLeaks’ possession and whether they might have been leaked by an employee or contractor. The CIA is also trying to determine if there are other unpublished documents WikiLeaks may have.

    Federal criminal probe being opened into WikiLeaks’ publication of CIA documents
    http://edition.cnn.com/2017/03/08/politics/wikileaks-cia-investigation/

    A federal criminal investigation is being opened into WikiLeaks’ publication of documents detailing alleged CIA hacking operations, several US officials told CNN Wednesday.
    The officials said the FBI and CIA are coordinating reviews of the matter.

    The investigation is looking into how the documents came into WikiLeaks’ possession and whether they might have been leaked by an employee or contractor. The CIA is also trying to determine if there are other unpublished documents WikiLeaks may have.
    CIA spokesman Ryan Tripani said the agency had “no comment on the authenticity of purported intelligence documents released by WikiLeaks or on the status of any investigation into the source of the documents.”

    Reply
  34. Tomi Engdahl says:

    CIA hacking dossier leak reignites debate over vulnerability disclosure
    Spy agencies more interested in stockpiling bugs than closing the gaps
    https://www.theregister.co.uk/2017/03/08/cia_hacking_tool_dump_vuln_disclosure_debate/

    WikiLeaks’ dump of CIA hacking tool documents on Tuesday has kicked off a debate among security vendors about whether intel agencies are stockpiling vulnerabilities, and the effect this is having on overall security hygiene.

    The leaked documents purport to show how the intel agency infiltrates smartphones, PCs, routers, IoT gear, potentially smart TVs, and other gear, using a range of hacking tools, as previously reported. These capabilities are hardly surprising to anyone who remembers the disclosures from former NSA contractor Edward Snowden back in 2013.

    Reply
  35. Tomi Engdahl says:

    The CIA Leak Exposes Tech’s Vulnerable Future
    https://www.wired.com/2017/03/cia-leak-exposes-techs-vulnerable-future/

    Yesterday’s Wikileaks dump reiterated something we already knew: Our devices are fundamentally unsafe. No matter what kind of encryption we use, no matter which secure messaging apps we take care to run, no matter how careful we are to sign up for two-factor authentication, the CIA—and, we have to assume, other hackers—can infiltrate our operating systems, take control of our cameras and microphones, and bend our phones to their will. The same can be said of smart TVs, which could be made to surreptitiously record our living-room conversations, and internet-connected cars, which could potentially be commandeered and even crashed.

    Previous security revelations told us that our data wasn’t safe. The Vault 7 leak reminded us that our machines aren’t secure—and, because those machines lived in our homes and on our bodies, they rendered our homes and bodies insecure as well. There is a word for these flaws and holes in code that leave us open to harm, and it’s the same word for the unease that accompanies them: vulnerability.

    If we feel freshly vulnerable, we are not alone. The darlings of the tech industry—which for much of the past decade have convincingly presented themselves as swaggering inevitabilities—are showing signs of vulnerability as well.

    The more powerful and inevitable something appears, the more startling and devastating its weaknesses are when they are exposed. Or, to borrow a phrase, the harder they come, the harder they fall.

    That’s useful to remember when you consider the transformation we are currently undergoing, one in which more and more of our devices become connected to the internet. Whether you call it the “Internet of Things” or the “Internet of Everything” or the “Third Wave” or the “Programmable World,” the long-predicted moment when connectivity becomes as ubiquitous as electricity is nearly upon us. The benefits will be staggering—a world that will know us and adjust to our needs and desires, a universe of data that will impart new wisdom. But so will the vulnerabilities, the opportunities for our worlds to be penetrated, manipulated, and even destroyed by malevolent intruders.

    The Vault 7 leak is not the tech industry’s fault, exactly, but we must ask at what point we stop placing our trust in devices, systems, and people that are inherently undeserving of it? Actually, never mind, we’re past it already. The most troubling aspect of the latest revelations is that there is no way to protect yourself beyond not buying a smartphone

    Reply
  36. Tomi Engdahl says:

    How the CIA’s Hacking Hoard Makes Everyone Less Secure
    https://www.wired.com/2017/03/cias-hacking-hoard-makes-everyone-less-secure/

    When WikiLeaks yesterday released a trove of documents purporting to show how the CIA hacks everything from smartphones to PCs to smart televisions, the agency’s already shadowy reputation gained a new dimension. But if you’re an average American, rather than Edward Snowden or an ISIS jihadi, the real danger clarified by that leak wasn’t that someone in Langley is watching you through your hotel room’s TV. It’s the rest of the hacker world that the CIA has inadvertently empowered.

    As security researchers and policy analysts dig through the latest WikiLeaks documents, the sheer number of hacking tools the CIA has apparently hoarded for exploiting zero-day vulnerabilities—secret inroads that tech firms haven’t patched—stands out most. If the US intelligence community knows about them, that leaves open the possibility that criminal and foreign state hackers do as well.

    “If the CIA can use it, so can the Russians, or the Chinese or organized crime,”

    A World of Hacks

    It’s no surprise, of course, that one of America’s most well-resourced spy agencies can hack its foreign adversaries. The shock, says Johns Hopkins cryptographer Matt Green, comes instead from the sudden spill of those hacking tools onto the web. “In the same way the military would probably have one technique for killing every single tank in an enemy’s arsenal, you would expect the CIA to collect the same thing,” says Green. “What’s different is that we’re seeing them out in public.”

    “The default position is that the government will disclose, but that doesn’t mean that will happen on every occasion,”

    It’s still unclear whether the Trump administration will continue the previous White House’s Vulnerabilities Equities Process, or how it will address the question of government hacking versus civilian security.

    Reply
  37. Tomi Engdahl says:

    ‘It’s just incredible’: Stolen trailer tracked down within minutes via social media
    http://kitchener.ctvnews.ca/it-s-just-incredible-stolen-trailer-tracked-down-within-minutes-via-social-media-1.3316738

    When Mike Schmidt had his trailer stolen, he knew what to expect.

    Any other time a vehicle had quietly disappeared from his business, it had never made its way back. Why would this one be any different?

    Still, frustrated with the theft of the trailer – which his snowmobile racing team uses to tow its vehicles around Ontario – he posted a photo of it to Facebook, just in case somebody knew something.

    People started sharing it immediately. A few minutes later, Schmidt’s phone rang.

    A friend said he had seen the trailer on his way to work that morning.

    Schmidt went down to Brantford to see it for himself. Less than a day later, the truck was back home in Cambridge.

    “It’s just incredible how quickly this happened.”

    Reply
  38. Tomi Engdahl says:

    Time’s up for SHA-1 hash algo, but one in five websites still use it
    Google, Microsoft and Mozilla say they won’t trust anyone who hasn’t migrated
    http://www.theregister.co.uk/2017/03/08/sha1_certificate_survey/

    One in five websites (21 per cent) are still using certificates signed with the vulnerable SHA-1 hash algorithm, according to a new survey.

    Reliance on the obsolete hashing technology leaves companies at greater risk of security breaches and compliance problems, certificate management firm Venafi warns.

    Venafi’s latest study shows there has been improvement since November 2016, when a third (35 per cent) of websites were still using SHA-1.

    SHA-1 is an outdated encryption algorithm known to be potentially insecure since 2005. Last month researchers at Google worked with academics to demonstrate a successful collision attack on the algorithm, a practical (if difficult and resource intensive) attack that underlines the need for change.

    Google, Microsoft and Mozilla set deadlines in early 2017 for websites to migrate, saying they would no longer trust sites otherwise.

    Newly issued certificates using the SHA-2 family of hash functions solve these problems, but Venafi’s research shows that many companies have not replaced all their certificates with ones signed by SHA-2. This leaves organisations open to security breaches, compliance problems, and outages that can affect security, availability and reliability.

    “Even though most organisations have worked hard to migrate away from SHA-1, they don’t have the visibility and automation necessary to complete the transition.”

    Reply
  39. Tomi Engdahl says:

    Kaspersky fixing serious certificate slip
    Security smashed for 400 MEEELLION users
    http://www.theregister.co.uk/2017/01/04/kaspersky_fixing_serious_certificate_slip/

    Kaspersky is moving to fix a bug that disabled certificate validation for 400 million users.

    Discovered by Google’s dogged bug-sleuth Tavis Ormandy, the flaw stems from how the company’s antivirus inspects encrypted traffic.

    Since it has to decrypt traffic before inspection, Kaspersky presents its certificates as a trusted authority. If a user opens Google in their browser, for example, the certificate will appear to come from Kaspersky Anti-Virus Personal Root.

    The problem Ormandy identified is that those internal certificates are laughably weak.

    Kaspersky fixed the issue on December 28

    Reply
  40. Tomi Engdahl says:

    Automated Next Gen Cybersecurity Will be Based on Intent
    http://www.securityweek.com/automated-next-gen-cybersecurity-will-be-based-intent

    Implementing Intent-based Network Security (IBNS) Takes Planning, Consideration, and Incremental Implementation

    Ultimately it’s all about information – our ability to automatically and effectively determine what’s new, what’s important, and what’s unusual, regardless of where across the distributed network it exists. A term I’ve started hearing recently that I like refers to this as intent-based network security (IBNS).

    What do we mean by this term? In short, intent-based network security is the process of applying analytics to the information generated by all of the deployed security devices on a network. Individual security solutions are already capable of delivering significant amounts of independent, unrelated data. As we build out homogeneous, interconnected security fabrics, however, we can begin to correlate the enormous amounts of information being generated. This integration is the secret sauce to IBNS, as it allows us to reduce these informatics mountains into molehills, which allows us to automatically refine security in real time as our network and threat landscapes change.

    Another thing that such an integrated approach will hopefully result in is a consistent method for correlating and organizing this information with such things as common naming, reliable data, effectively ranking threats, etc.

    This is only the first step. Before we can do anything with respect to implementing IBNS, we really need a way to understand and define which data is important, and have a consistent, universal method for describing it.

    There are many things that need to go into creating a system that can truly be defined as providing intent-based network security:

    • Knowing what the system is from a physical perspective (platform/OS)

    • Knowing what the system is normally used for

    • Knowing what the system has historically done

    • Knowing what the system is doing now

    • Knowing who is currently using the system

    • Knowing when the system changes

    As we deploy security more holistically, our ability to understand and observe in real time the activity of a system is improved significantly over a traditionally isolated, perimeter-only security deployment.

    The migration to virtual systems and containers, in particular, also makes the ability to implement intent-based network security more straightforward, as the number of things that a given system is expected (intended) to do is reduced and they become simpler and more granular.

    A similar concept can be applied to Internet of Things (IoT) systems, as they typically only have a very limited set of behaviors and/or intended communications. Understanding these should allow us to observe changes away from this behavior.

    Here are some things to consider as you determine whether your enterprise infrastructure is equipped for transitioning to an intent-based network security strategy:

    • Understand the devices in your network that contain critical data, what they do, where they are, why they are there, what applications are authorized to run on them, and which other devices are allowed to interact with them

    • Understand (or attempt to) the types of devices that your end users are using and how they normally behave

    • Implement systems that can make use of dynamic data when creating security enforcement policies (the days of static 5-tuple rules are hopefully rapidly fading)

    Reply
  41. Tomi Engdahl says:

    The Connected Toy Conundrum Is Beginning to Boil
    http://www.securityweek.com/connected-toy-conundrum-beginning-boil

    The prediction business is a tricky thing. You can be right, but until you are proven right, you’re either early or wrong. Being early feels just like being wrong—up until the moment you are right.

    When toymaker VTech announced in November 2015 that nearly five million customer records had been leaked (including pictures of and data about children), I predicted that the breach would be a tipping point for security and privacy issues with connected toys. My thesis was based on the notion that nothing stirs the emotions faster than concerns over the privacy and safety of children.

    My prediction didn’t get any traction. Just as I was beginning to embrace the notion that I was wrong, a string of recent events may prove that I was just early.

    Smart toy security troubles are on the rise

    In mid-February, it was reported that Germany’s Federal Network Agency issued a warning to parents about the “My Friend Cayla” doll. The agency, which oversees telecommunications in Germany, advised parents to destroy the doll because it collects and transmits conversations with children.

    The data in the conversations were being parsed by speech recognition software that can turn dialogue into searchable queries. While the agency based their warning on the doll being a “concealed transmitting device” that ran afoul of the law, there was also much concern over regulations protecting the privacy and security of children. Agencies from multiple countries, including the United States’ FTC, expressed concerns over these privacy and security issues.

    In early March, it was reported that toymaker Spiral Toys had been hacked, exposing data from over 800,000 users. The data contained personalized voice messages, pictures, and other data collected via Internet-connected teddy bears and the associated smartphone apps.

    Securing smart devices goes beyond toy manufacturers

    As I have said repeatedly, the term “connected device” should immediately provoke questions such as “to what?”, “for what purpose?”, and “with what level of protection for the data?”

    I do not believe that there is malicious intent on the part of the toy manufacturers. They are looking for an angle to sell toys, and IoT and connected devices are hot topics. They are also financially motivated to hold down production costs for profitability. Having a connected toy adds new cost items such as building the associated app and building the infrastructure (including data storage) to store the collected data. All their key business drivers (e.g., time to market and profitability) are diametrically opposed to notions of building security into the process.

    Take note that this is not a set of issues unique to connected toys. Multiple stories came out in February on the analysis of the end user license agreements for smart televisions. Manufacturers are now warning us not to discuss sensitive subjects in front of our televisions as the conversation will be recorded and stored! This includes the voices of children in our homes.

    It’s time to take IoT security and privacy seriously

    Privacy is an ephemeral subject, particularly in the United States. Other countries take a much more pronounced interest in privacy, where I believe Americans have become numb to the subject after selling our privacy souls for free cell phones. However, the basic, immutable law is simple and must be recognized by consumers: If something is IoT or connected it collects data and that data goes somewhere and is stored. While seemingly benign, that data may combine sensitive information—which can be stolen.

    Add children to the mix and the focus suddenly shifts. The light shed on the problems swiftly burns much brighter.

    The tipping point may have just arrived. On March 6, Consumer Reports announced that they are “launching the first phase of a collaborative effort to create a new standard that safeguards consumers’ security and privacy”. Consumer Reports hopes to push a new open-source standard that addresses privacy and security concerns for connected consumer devices.

    Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security
    CR partners with other cyber experts, creating a new open-source industry standard to make connected devices safer
    http://www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-products-services-for-privacy-and-data-security/

    Reply
  42. Tomi Engdahl says:

    Insecure CloudPets Database Exposed Credentials, Private Data
    http://www.securityweek.com/insecure-cloudpets-database-exposed-credentials-private-data

    A public-facing, insecure CloudPets MongoDB database was found to have leaked the login credentials of over 800,000 users, researchers warn.

    CloudPets is a company that sells internet-connected teddy bears, allowing children and parents to exchange audio messages over the web. The company also claims that its toys provide children with access to “an ever-expanding collection of fun and games.”

    The underlying issue was related to the MongoDB ransack campaign that made headlines early this year, and which recently moved to MySQL databases. Customer data was stored in a MongoDB database that wasn’t properly secured, and, because it was exposed to the Internet, it allowed anyone to access it, steal its content, and even modify it.

    The exposed data was discovered in December last year, and Victor Gevers, co-founder of GDI Foundation, was among the first to try to contact Spiral Toys, the company behind CloudPets, to inform it of the matter. Apparently, other researchers attempted the same, and even journalists did, after being alerted that the company wasn’t responding, but to no avail.

    In addition to these user credentials, the leak supposedly impacts nearly 2.2 million customer voice messages. Although not stored in the databases, these voice messages could be accessed by anyone who could guess the URL of the files, because they were stored in an Amazon S3 bucket that doesn’t require authentication, researchers say.

    Reply
  43. Tomi Engdahl says:

    1 in 5 Websites Still Use SHA-1: Report
    http://www.securityweek.com/1-5-websites-still-use-sha-1-report

    While most certificate authorities (CAs) haven’t been issuing certificates using the SHA-1 cryptographic hash function for more than two months, 1 in 5 websites worldwide still use such certificates, according to analysis by security firm Venafi.

    Reply
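    The two Venafi reports above (comments 38 and 43) both come down to one question an operator has to answer for every certificate they own: what is in the outer Certificate.signatureAlgorithm field? Browsers decide on exactly that field, not on the key size or the issuer name. The following is an added example, not code from the page or from Venafi: a stdlib-only Python DER walker that reads the algorithm OID out of a certificate and classifies it as SHA-1 or SHA-2. The two sample certificates at the bottom are constructed stand-ins (a dummy tbsCertificate and an empty signature) that only exercise the outer structure; the OID values and the DER encoding rules are standard X.509/ASN.1, everything else is assumed for the example.

```python
import base64

# Signature-algorithm OIDs whose digest is SHA-1 (standard PKIX values).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

# SHA-2 family signature OIDs, for readable output.
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Return the OID in Certificate.signatureAlgorithm (the field browsers judge)."""
    tag, start, _end = _read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE { ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tag, _tbs_start, tbs_end = _read_tlv(cert_der, start)  # tbsCertificate, skipped whole
    tag, alg_start, _alg_end = _read_tlv(cert_der, tbs_end)  # signatureAlgorithm ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)  # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(cert_der[oid_start:oid_end])


def classify(cert_der):
    """Return ('SHA-1'|'SHA-2'|'other', algorithm name or raw OID)."""
    oid = signature_algorithm_oid(cert_der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "SHA-1", SHA1_SIGNATURE_OIDS[oid]
    if oid in SHA2_SIGNATURE_OIDS:
        return "SHA-2", SHA2_SIGNATURE_OIDS[oid]
    return "other", oid


def pem_to_der(pem):
    """Strip PEM armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def check_host(host, port=443):
    """Live check (network, not used by the offline samples): classify a server's leaf cert."""
    import ssl
    return classify(pem_to_der(ssl.get_server_certificate((host, port))))


# --- constructed samples: only the outer Certificate structure is realistic -----------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _fake_cert(sig_oid_content):
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # dummy tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid_content) + _der(0x05, b""))  # AlgorithmIdentifier
    sig = _der(0x03, b"\x00" + b"\x00" * 16)                    # dummy BIT STRING signature
    return _der(0x30, tbs + alg + sig)


SHA1_SAMPLE = _fake_cert(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
SHA256_SAMPLE = _fake_cert(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
SHA1_SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(SHA1_SAMPLE).decode() + "\n"
                   "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, der in (("sha1 sample", SHA1_SAMPLE), ("sha256 sample", SHA256_SAMPLE)):
        print(name, classify(der))
```

The walker never interprets tbsCertificate, so it works on real DER as well as on the stubs; point `pem_to_der` at any PEM file from your certificate inventory, or call `check_host` against a live endpoint, and anything that classifies as "SHA-1" is a certificate the browsers named above will refuse. Note that the inner tbsCertificate.signature field must match the outer one by specification, so reading the outer field is sufficient for this audit.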
  44. Tomi Engdahl says:

    Apache Struts Vulnerability Exploited in the Wild
    http://www.securityweek.com/apache-struts-vulnerability-exploited-wild

    A high severity remote code execution (RCE) vulnerability affecting the Apache Struts 2 framework has been exploited in the wild, warns Cisco’s Talos intelligence and research group.

    The vulnerability, tracked as CVE-2017-5638, can be triggered when performing file uploads with the Jakarta Multipart parser. The security hole, caused by improper handling of the Content-Type header, allows a remote, unauthenticated attacker to execute OS commands on the targeted system.

    The flaw affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10, and it was addressed on March 6 with the release of versions 2.3.32 and 2.5.10.1.

    Reply
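    Two things a defender wants from the advisory above are a quick way to tell whether a deployed Struts version sits in the affected ranges, and a way to spot the attack in access logs, since the trigger is a Content-Type header that is not a media type at all but an OGNL expression. The following is an added example, not code from the page, from Talos or from the Struts project. It assumes the web server was configured to log the request's Content-Type as the last quoted field of each line (that is not a default Apache or nginx format); the log lines are constructed for the example, and the OGNL markers are the ones that appear in public detection signatures for this bug, not an exploit.

```python
import re

# Affected and fixed versions as reported above (Struts 2.3.5-2.3.31 and 2.5-2.5.10;
# fixed in 2.3.32 and 2.5.10.1).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]
FIXED_VERSIONS = {(2, 3, 32), (2, 5, 10, 1)}


def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(text):
    """True when a Struts 2 version string falls in an affected range and is not a fix release."""
    version = parse_version(text)
    if version in FIXED_VERSIONS:
        return False
    padded = (version + (0, 0, 0))[:3]  # treat "2.5" as 2.5.0
    return any(lo <= padded <= hi for lo, hi in AFFECTED_RANGES)


# Constructed log layout (assumed): common-log fields, then the request Content-Type in quotes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
# A well-formed Content-Type is type/subtype, optionally followed by ";param=value" pairs.
MEDIA_TYPE = re.compile(r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$')
# Markers of an OGNL expression where a media type should be.
OGNL_MARKERS = re.compile(r'(%\{|\$\{|#_memberAccess|@ognl\.|@java\.lang\.)')


def classify_content_type(ctype):
    """Return 'ok', 'ognl-injection' or 'malformed' for one Content-Type header value."""
    if ctype in ("", "-"):  # header absent (e.g. a GET); nothing to judge
        return "ok"
    if OGNL_MARKERS.search(ctype):
        return "ognl-injection"
    if not MEDIA_TYPE.match(ctype):
        return "malformed"
    return "ok"


def scan_log(lines):
    """Return (client ip, request line, verdict) for every line whose Content-Type is suspicious."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not in the assumed format; skip rather than guess
        verdict = classify_content_type(match.group("ctype"))
        if verdict != "ok":
            hits.append((match.group("ip"), match.group("req"), verdict))
    return hits


# Constructed sample log: one normal upload, one OGNL header, one GET without a
# Content-Type, one header that is simply not a media type.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Mar/2017:09:14:02 +0000] "POST /app/upload.action HTTP/1.1" 200 1834 '
    '"multipart/form-data; boundary=----WebKitFormBoundaryx1"',
    '198.51.100.23 - - [08/Mar/2017:09:14:05 +0000] "POST /app/upload.action HTTP/1.1" 200 0 '
    '"%{(#_=\'multipart/form-data\').(#_memberAccess=...)}"',
    '198.51.100.23 - - [08/Mar/2017:09:14:09 +0000] "GET /app/index.action HTTP/1.1" 200 512 "-"',
    '192.0.2.44 - - [08/Mar/2017:09:15:00 +0000] "POST /app/upload.action HTTP/1.1" 500 0 '
    '"multipart form-data; boundary=x"',
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "not affected")
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Flagging any non-media-type Content-Type, not just known OGNL strings, is deliberate: the root cause is that the parser evaluated the header as an expression, so a clean signature list will always lag the next encoding trick, whereas a legitimate client has no reason to send anything other than `type/subtype; params`. Pair the log check with the version check; a hit on a host that reports a fixed version is still worth a look, because the request itself is evidence of targeting.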
  45. Tomi Engdahl says:

    Firefox 52 Warns of Login Fields on Insecure Pages
    http://www.securityweek.com/firefox-52-warns-login-fields-insecure-pages

    Released this week, the latest version of the Firefox Web browser warns users when they are entering their passwords on pages that are not secure.

    The change was initially announced last year, when Mozilla introduced the warning in Firefox DevEdition 46, in an attempt to raise awareness on the risks that requesting sensitive information over non-secure connections pose. Last year, the warning was meant for developers, but the latest browser release brings it to end-users as well.

    Starting with Firefox 52.0, users will receive a warning when encountering non-secure HTTP pages with logins. A “This connection is not secure” message will be automatically displayed when the user clicks into the username and password fields on any page that doesn’t use HTTPS.

    Reply
  46. Tomi Engdahl says:

    Did Alexa hear a murder? We may finally find out
    However, novel and vexing legal questions about IoT data privacy won’t be answered.
    https://arstechnica.com/tech-policy/2017/03/did-alexa-hear-a-murder-we-may-finally-find-out/

    Amazon is handing prosecutors cloud-stored data from its Alexa Voice Service that the Arkansas authorities say might be used as evidence in a murder prosecution.

    The Seattle-based company originally had balked at a warrant demanding the recorded voice and transcription data from an Amazon Echo near a murder scene. The company claimed that the data, and the responses from the voice assistant itself, were protected by the First Amendment. What’s more, Amazon said that the Arkansas authorities had not demonstrated a “compelling need” for the data.

    But the novel and vexing questions this case poses—such as what is the legal standard for when data from an Echo or other Internet of Things devices can be used in a court of law—won’t be answered. The reason? The murder defendant, James Bates, agreed late Monday to allow Amazon to forward his Echo’s data to Arkansas prosecutors.

    “Because Mr. Bates is innocent of all charges in this matter, he has agreed to the release of any recordings on his Amazon Echo device to the prosecution,” his attorneys said

    The warrant for the Echo data surrounds the 2015 death of Victor Collins.

    The warrant noted that the Echo “is constantly listening for the ‘wake’ command of ‘Alexa’ or ‘Amazon’ and records any command, inquiry, or verbal gesture given after that point, or possibly at all times without the ‘wake word’ being issued, which is uploaded to Amazon.com’s servers at a remote location.”

    But in its argument against giving up the Echo data, Mimesis noted a case about the privacy rights of one’s purchase history.

    Amazon Isn’t Fighting for You
    http://mimesislaw.com/fault-lines/amazon-isnt-fighting/16747

    March 3, 2017 (Fault Lines) — If you have ever bought anything from Amazon, you know the creepy follow-up. All of a sudden, anything related to the product you looked at on the Amazon site starts showing up on your Facebook page and in the margins of whatever Internet article you are reading. So what if it was evidence against you for murder?

    Amazon has your back. A Bentonville, Arkansas criminal case has put Amazon in the hot seat. One of its customers is suspected of murder. The police think Alexa, Amazon’s new in-home shopping device, may have heard what happened. They obtained a search warrant for Alexa’s records. Amazon is fighting back. In an interesting argument, Amazon’s lawyers have asserted that not only do your First Amendment rights prevent government snooping, so do those of your trusty robot assistant.

    The typical argument when the government starts snooping around your business comes from the Fourth Amendment, which is supposed to ban warrantless searches and seizures unless one of 19,000 exceptions is present. But Amazon’s lawyers are taking a different approach by arguing the First Amendment.

    In today’s world, the majority of people’s lives are lived online. If you sit down and really think about the amount of information you disclose to computers on a daily basis, it is staggering. While most people handle all of their financial transactions online and spout off every opinion that pops into their head all over Facebook or Twitter accounts, those same people are very concerned with privacy, apparently.

    If you can’t shop Amazon in peace, you might just decide no more online shopping at all.

    Amazon is acting a lot less like our computer overlord and more like a stalwart defender of freedom. Amazon’s motion cites numerous examples, complete with dramatic language, of courts restricting the government’s right to learn about the public’s reading habits.

    We have willingly given up a lot of our privacy. It’s only logical that this will come back to bite us. If you think the same company that reads your email and social media posts and uses that information to make billions of dollars has suddenly decided to guard your privacy, you are probably relying on the wrong party to protect those rights.

    Reply
  47. Tomi Engdahl says:

    Google’s reCAPTCHA turns “invisible,” will separate bots from people without challenges
    Google says it can separate man from machine without any tricky tests or checkboxes.
    https://arstechnica.com/gadgets/2017/03/googles-recaptcha-announces-invisible-background-captchas/

    Google’s reCAPTCHA is the leading CAPTCHA service (that’s “Completely Automated Public Turing test to tell Computers and Humans Apart”) on the Web. You’ve probably seen CAPTCHAs a million times on sign-up pages across the Web; to separate humans from spam bots, a challenge will pop up asking you to decipher a picture of words or numbers, pick out objects in a grid of pictures, or just click a checkbox. Now, though, you’re going to be seeing CAPTCHAs less and less, not because Google is getting rid of them but because Google is making them invisible.

    The old reCAPTCHA system was pretty easy—just a simple “I’m not a robot” checkbox would get people through your sign-up page. The new version is even simpler, and it doesn’t use a challenge or checkbox. It works invisibly in the background, somehow, to identify bots from humans. Google doesn’t go into much detail on how it works, only saying that the system uses “a combination of machine learning and advanced risk analysis that adapts to new and emerging threats.” More detailed information on how the system works would probably also help bot-makers crack it, so don’t expect details to pop up any time soon.

    Tough on bots
    Easy on humans
    https://www.google.com/recaptcha/intro/invisible.html

    Introducing the Invisible reCAPTCHA!

    Reply
  48. Tomi Engdahl says:

    The Promise of Blockchain Is a World Without Middlemen
    https://developers.slashdot.org/story/17/03/09/2139242/the-promise-of-blockchain-is-a-world-without-middlemen

    The Harvard Business Review has an interesting article about how Blockchain technology may bring down the cost of business transactions and enable new ways of doing things: “Consider the problem that small manufacturers have dealing with giants like Wal-Mart. To keep transaction costs and the costs of carrying each product line down, large companies generally only buy from companies that can service a substantial percentage of their customers.

    The Promise of Blockchain Is a World Without Middlemen
    https://hbr.org/2017/03/the-promise-of-blockchain-is-a-world-without-middlemen

    The blockchain is a revolution that builds on another technical revolution so old that only the more experienced among us remember it: the invention of the database. First created at IBM in 1970, the importance of these relational databases to our everyday lives today cannot be overstated. Literally every aspect of our civilization is now dependent on this abstraction for storing and retrieving data. And now the blockchain is about to revolutionize databases, which will in turn revolutionize literally every aspect of our civilization.

    IBM’s database model stood unchanged until about 10 years ago, when the blockchain came into this conservative space with a radical new proposition: What if your database worked like a network — a network that’s shared with everybody in the world, where anyone and anything can connect to it?

    Blockchain experts call this “decentralization.” Decentralization offers the promise of nearly friction-free cooperation between members of complex networks that can add value to each other by enabling collaboration without central authorities and middle men.

    Reply
  49. Tomi Engdahl says:

    Nearly 200,000 Wi-Fi Cameras Are Open To Hacking
    https://it.slashdot.org/story/17/03/09/2212227/nearly-200000-wi-fi-cameras-are-open-to-hacking

    What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking. The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, which sells it as a white-label product to several other camera vendors.

    Nearly 200,000 WiFi Cameras Open to Hacking Right Now
    https://www.bleepingcomputer.com/news/security/nearly-200-000-wifi-cameras-open-to-hacking-right-now/

    What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking.

    The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, which sells it as a white-label product to several other camera vendors.

    Security researcher Pierre Kim says the firmware produced by this Chinese vendor comes with several flaws, which have all made their way down the line into the products of other companies that bought the white-label (unbranded) camera. In total, nearly 1,250 camera models based on the original camera are affected.

    According to Kim, the cameras are affected by a total of seven security flaws. The biggest ones are listed below.

    Backdoor account – Telnet runs by default, and everyone can log in with the following credentials

    Pre-auth info and credentials leak – An attacker can bypass device authentication procedures by providing empty “loginuse” and “loginpas” parameters when accessing server configuration files

    Pre-auth RCE as root – An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing a URL with special parameters.

    Streaming without authentication – An attacker can access the camera’s built-in RTSP server on port 10554 and watch a live video stream without having to authenticate

    Cloud – The camera provides a “Cloud” feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device’s credentials.

    Nearly 200,000 vulnerable cameras available online right now

    Yesterday, Kim said that around 185,000 vulnerable cameras could be easily identified via Shodan. Today, the same query yields 198,500 vulnerable cameras.

    “I advise to IMMEDIATELY DISCONNECT cameras [from] the Internet,” Kim said in a blog post. “Hundreds of thousands [of] cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.”

    Reply
