When it comes to the cybersecurity problem, where is rock bottom?
Was it WannaCry, a ransomware attack. Or similar and perhaps even worse attack that hit just weeks later? Was it the Yahoo breaches? Or Equifax and Uber? Intel and Apple leaving our computer management accounts wide open? Banking computer systems hacked and many millions stolen? Or critical infrastructure hackers going after water, power and utility grids? Or Russian interference in the U.S. election?
It is clear that Internet security is in a state of crisis. Reeling from one attack after another, we sometimes appear dazed and confused rather than handling it as a crisis. The world will spend $90 billion this year on information security, but it does not seem to help much in stopping hacks and human errors (like leaving default passwords and storing secrets to wide open public cloud accounts).
The rhetoric in this article says that internet’s very existence as we know it now is at stake. It tells that we need fresh, practical approaches to protecting an internet, but it does not provide any new working ideas for solutions.
43 Comments
Tomi Engdahl says:
MACOS UPDATE ACCIDENTALLY UNDOES APPLE’S “ROOT” BUG PATCH
https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/?mbid=social_fb
WHEN A COMPANY like Apple rushes out a software patch for a critical security bug, it deserves praise for protecting its customers quickly. Except, perhaps, when that patch is so rushed that it’s nearly as buggy as the code it was designed to fix.
Earlier this week, Apple scrambled to push out a software update for macOS High Sierra, to sew up a glaring hole in the operating system’s security measures: When any person or malicious program tried to log into a Mac computer, install software, or change settings, and thus hit a prompt for a username and password, they could simply enter “root” as a username, no password, and bypass the prompt to gain full access to the computer.
Tomi Engdahl says:
http://www.epanorama.net/newepa/2017/05/06/intel-amt-firmware-vulnerability-cve-2017-5689/
http://www.epanorama.net/newepa/2017/05/02/remote-security-exploit-in-all-2008-intel-platforms-semiaccurate/
Tomi Engdahl says:
http://www.epanorama.net/newepa/2017/09/08/its-time-to-build-our-own-equifax-with-blackjack-and-crypto-techcrunch/
Tomi Engdahl says:
As you may know, Intel ME is terrible for everyone including Windows/Linux/*BSD users.
https://twitter.com/nixcraft/status/936888226274406402 Thanks!
Tomi Engdahl says:
Apple releases security update to fix login bug in macOS High Sierra operating system
https://www.techworm.net/2017/12/apple-releases-security-update-fix-login-bug-macos-high-sierra-operating-system.html
Tomi Engdahl says:
Event the most secure organizations can’t keep their secrets inside:
New York Times:
Former NSA employee Nghia H. Pho pleads guilty to taking classified files home, where, officials say, Russian hackers stole the files via Kaspersky software
Former N.S.A. Employee Pleads Guilty to Taking Classified Information
https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html
A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.
Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence.
But in court documents, prosecutors did disclose that he worked from 2006 to 2016 for the N.S.A.’s “Tailored Access Operations.” The unit, whose name has now been changed to Computer Network Operations, is the N.S.A.’s fastest-growing component.
He kept those materials, some in digital form, at his home in Maryland, according to prosecutors.
Mr. Pho is one of three N.S.A. workers to be charged in the past two years with mishandling classified information, a dismal record for an agency that is responsible for some of the government’s most carefully guarded secrets.
Mr. Pho took the classified documents home to help him rewrite his resume. But he had installed on his home computer antivirus software made by Kaspersky Lab, a top Russian software company, and Russian hackers are believed to have exploited the software to steal the documents, the officials said.
Tomi Engdahl says:
Even Highly Skilled Cyber-Thieves Make Stupid Mistakes, or Do They?
https://www.bleepingcomputer.com/news/security/even-highly-skilled-cyber-thieves-make-stupid-mistakes-or-do-they/
Cobalt, a highly-skilled group of hackers who target banks and financial institutions, may have committed a mistake and accidentally leaked a list of all their current targets, according to Yonathan Klijnsma, a security researcher with RiskIQ.
The error occurred in a spear-phishing campaign that took place last week, on November 21.
Tomi Engdahl says:
Unfortunately, all it takes is one missed patch to present system vulnerabilities to cybercriminals.
Tomi Engdahl says:
Security
NSA employee pleads guilty after stolen classified data landed in Russian hands
NSA employee pleads guilty after stolen classified data landed in Russian hands
http://www.zdnet.com/article/former-nsa-staffer-pleads-guilty-after-classified-data-theft/
The classified data was later collected by Kaspersky software running on the staffer’s home computer.
Eugene Kaspersky: We would quit Moscow if Russia asked us to spy
http://www.zdnet.com/article/eugene-kaspersky-we-would-quit-moscow-if-russia-asked-us-to-spy/
Kaspersky Lab founder hits back at espionage claims.
Tomi Engdahl says:
Security News This Week: A New Bill Wants Jail Time for Execs Who Hide Data Breaches
https://www.wired.com/story/a-new-bill-wants-jail-time-for-execs-who-hide-data-breaches/
It’s been a rough week for a lot of people, but particularly for Apple. On Tuesday, a security researcher tweeted information about a dire bug in the company’s macOS High Sierra operating system that allowed anyone being prompted for system user credentials to bypass the authentication by simply typing “root” as the username and leaving the password blank. Apple rushed to push out a necessary update on Wednesday, but botched it a bit; if you hadn’t yet updated to macOS 10.13.1, but had gotten the patch, your eventual jump to 10.13.1 would reintroduce the “root” bug. Not ideal!
Tomi Engdahl says:
It’s a Wonderful Time of the Year…for Hackers
http://www.securityweek.com/its-wonderful-time-yearfor-hackers
The holiday season is in full swing and once again we can expect to see a surge in cyber attacks targeting retailers and consumers. Research from the National Retail Federation shows that spending during the winter holidays outstrips retail sales during all other holidays throughout the year – combined! From Black Friday to sales in January, this is the most wonderful time of the year for retailers, and this trend will likely continue. A survey by RetailMeNot (PDF) shows that consumers are expected to spend an average of $743 holiday shopping between Black Friday and Cyber Monday this year, a 47 percent increase from 2016’s average of $505.
Unfortunately, increased spending also makes this a wonderful time of the year for cybercriminals seeking a share of the action. But the good news is that by understanding the tactics, techniques and procedures (TTPs) of cybercriminals, there’s a lot retailers and consumers can do to remediate risk.
Tomi Engdahl says:
The Evolution of Data Leaks
https://www.wired.com/story/evolution-of-data-leaks/
To the certainties of life that are death and taxes, add data breaches. And the ways that bad guys take our digital stuff are constantly changing: Companies have gotten smarter about how they secure information, but hacking and phishing are rising—fast. “It’s easier to fool people than technology,” says Adam Levin, founder of Cyberscout, which has been analyzing US data breaches for more than a decade. “No system is more secure than the weakest link, and the weakest link is always people.” Based on data from CyberScout and the Identity Theft Resource Center
Tomi Engdahl says:
Should Social Media be Considered Part of Critical Infrastructure?
http://www.securityweek.com/should-social-media-be-considered-part-critical-infrastructure
Russia interfered in the U.S. 2016 election, but did not materially affect it. That is the public belief of the U.S. intelligence community. It is a serious accusation and has prompted calls for additions to the official 16 critical infrastructure categories. One idea is that ‘national elections’ should be included. A second, less obviously, is that social media should be categorized as a critical industry.
The reason for the latter is relatively simple: social media as a communications platform is being widely used by adversary organizations and nations to disseminate their own propaganda. This ranges from ISIS using it as a recruitment platform, to armies of Russian state-sponsored trolls manipulating public opinion via Twitter.
Russian interference, or opinion manipulation, has not been limited to the U.S. Both France and Germany worried about it prior to their own national elections.
The DHS introduces its definition of the critical infrastructure with, “There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These include ‘energy’, ‘finance’, ‘transport’, ‘communications’ and ‘IT’. Maintaining the availability and continued operation of all of these sectors is clearly critical to the well-being of the nation. Maintaining the availability of social media does not seem so critical.
Harkins’ argument, however, is that the world has changed since the origins of the critical infrastructure classification.
Tomi Engdahl says:
Cyber-attacks are actions that target computers and network systems designed to disrupt the normal operations of the system. These actions can be initiated locally (from within the physical facility) or remotely (from outside). These attacks are normally intentional, but in fact could be unintentional due to poor security threat prevention. Cybersecurity is protection of assets against these attacks
Tomi Engdahl says:
US credit repair biz damages own security: 111GB of personal info exposed in S3 blunder
Oh look, another AWS misconfiguration spillage
https://www.theregister.co.uk/2017/12/02/national_credit_federation_aws_leak/
The National Credit Federation, a US credit repair biz, left 111GB of thousands of folks’ highly sensitive personal details exposed to the public internet, according to security researchers.
In yet another AWS S3 configuration cockup, Americans’ names, addresses, dates of birth, photos of driver licenses and social security cards, credit reports from Equifax, Experian, and TransUnion, detailed financial histories, and credit card and bank account numbers, were all left sitting out in the open for miscreants to find, it is claimed.
Credit Crunch: Detailed Financial Histories Exposed for Thousands
https://www.upguard.com/breaches/credit-crunch-national-credit-federation
Tomi Engdahl says:
Expert gives Congress solution to vote machine cyber-security fears: Keep a paper backup
Hot take from crypto-guru Prof Matt Blaze
https://www.theregister.co.uk/2017/12/01/us_voting_machine_security_hearing/
With too many electronic voting systems buggy, insecure and vulnerable to attacks, US election officials would be well advised to keep paper trails handy.
This is according to Dr Matt Blaze, a University of Pennsylvania computer science professor and top cryptographer, who spoke to Congress this week about cyber-threats facing voting machines and election infrastructure.
Among Blaze’s recommendations is that rather than rely on purely electronic voting machines to log votes, officials use optical scan machines that retain a paper copy of each voter’s ballot that can be consulted if anyone grows concerned about counting errors or tampering. In other words, due to the fact that everything has bugs and flaws, truly paperless voting systems should be a no-no.
Tomi Engdahl says:
Senators Propose New Breach Notification Law
http://www.securityweek.com/senators-propose-new-breach-notification-law
Senators Propose New Data Protection Bill Following Equifax and Uber Breaches
Following the Equifax breach and the hidden Uber breach, three U.S. senators have introduced the Data Security and Breach Notification Act. Its purpose is to ensure better protection of personal information, and to provide a nationwide standard breach notification requirement. It is effectively a re-introduction of the 2015 bill of the same name.
“The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans’ identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage,” said Senator Baldwin.
“We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers,” said Nelson. “Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what’s best for consumers, the choice is clear.”
There are three noteworthy aspects to this bill: 30 days to disclose following a breach; up to five years in prison for failure to do so; and the FTC with NIST to draw up recommendations on the technology or methodologies necessary to avoid such sanctions.
Tomi Engdahl says:
The potential for regulatory confusion can be seen in a comparison between this data ‘privacy’ requirement and that of Europe’s General Data Protection Regulation (GDPR).
Tomi Engdahl says:
Is this a good or terribly bad idea?
Facebook asks users for nude photos in project to combat revenge porn
https://www.theguardian.com/technology/2017/nov/07/facebook-revenge-porn-nude-photos
In Australia pilot effort, company will ‘hash’ images, converting them into digital fingerprints that prevent any other attempts to upload the same pictures
Tomi Engdahl says:
The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
http://www.securityweek.com/cumulative-effect-major-breaches-collective-risk-yahoo-equifax
Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.
First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too.
Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities
Tomi Engdahl says:
The Worst Password Offenders of 2017
http://www.securityweek.com/worst-password-offenders-2017
Password management firm Dashlane has published a list of what it believes are the top ten password offenders for 2017. It comprises six ‘government’ entries (including the President of the United States and the entire UK Government), and four organizations. Topping the list is Donald Trump, joined by Paul Manafort at #9 and Sean Spicer at #10.
To be fair, it is as much Trump the administration as it is Trump the person that is being called out. Dashlane points to a Channel 4 News investigation in January 2017 that said “Passwords used by Donald Trump’s incoming cyber security advisor Rudy Giuliani and 13 other top staff members have been leaked in mass hacks.”
In reality, the majority of people have had at least one password exposed by the many mass hacks that have plagued the internet this decade, so the biggest problem is not whether a password appears in the dark web listings, but whether it is still being used by the user of that password. Dashlane comments, “many of the top staff members Trump handpicked, including multiple cabinet secretaries, senior policy directors — even cybersecurity advisor Rudy Giuliani — were reusing insecure, simple passwords.”
Tomi Engdahl says:
Why everything is hackable
Computer security is broken from top to bottom
https://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security?etear=sponsor-openandsecure
As the consequences pile up, things are starting to improve
Tomi Engdahl says:
Modern computer chips are typically designed by one company, manufactured by another and then mounted on circuit boards built by third parties next to other chips from yet more firms. A further firm writes the lowest-level software necessary for the computer to function at all. The operating system that lets the machine run particular programs comes from someone else. The programs themselves from someone else again. A mistake at any stage, or in the links between any two stages, can leave the entire system faulty—or vulnerable to attack.
It is not always easy to tell the difference.
Source: https://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security?etear=sponsor-openandsecure
Tomi Engdahl says:
What happened in 2017 from http://www.darkreading.com/drdigital/20171212td?cid=DRTD01A_20171212&_mc=DRTD01A_20171212&elq_mid=82029&elq_cid=14916437
‘WannaCry’ Rapidly Moving Ransomware Attack Spreads to 74 Countries
A wave of ransomware infections took down a wide swath of UK hospitals and is rapidly moving across the globe.
Equifax Data Breach Prompts Calls for Tougher Security Requirements on Data Aggregators
Credit report bureau discloses breach that exposed data on 143 million US consumers.
DEF CON Rocks the Vote with Live Machine Hacking
Jeff Moss, founder of the hacker conference, is planning to host a full-blown election and voting system for hacking in 2018 at DEF CON, complete with a simulated presidential race.
Putin Directed Cyberattack, Propaganda Operation to Influence US Election
US Office of the Director of National Intelligence releases unclassified version of intel community’s findings on Russia’s attempts to influence US presidential race via cyberattacks, leaks, and pure propaganda.
Adobe’s Move to Kill Flash Is Good for Security
In recent years, Flash became one of the buggiest widely used apps out there.
DoJ Indicts Russian FSB Officers and Cybercriminals in Yahoo Breach
Russian intelligence officials hired renowned cybercriminals to do their bidding in massive hacks that compromised Yahoo, Gmail, and other email accounts of millions of people in the US, Russia, and elsewhere.
Cybersecurity Faces 1.8 Million Worker Shortfall by 2022 (ISC)2 report shows the skills shortage is getting worse.
Tomi Engdahl says:
ROCA Crypto Flaw could have big Impact on Internet of Things
https://securityledger.com/2017/10/crypto-flaw-roca-wide-impact-internet-things/
Tomi Engdahl says:
U.S. Prosecutors Confirm Uber Target of Criminal Probe
http://www.securityweek.com/us-prosecutors-confirm-uber-target-criminal-probe
A letter made public Wednesday in Waymo’s civil suit against Uber over swiped self-driving car secrets confirmed the ride-share service is the target of a US criminal investigation.
Uber is also a target of investigations and lawsuits over the cover-up of a hack that compromised personal information of 57 million users and drivers.
Uber purportedly paid data thieves $100,000 to destroy the swiped information — and remained quiet about the breach for a year.
Tomi Engdahl says:
Three Plead Guilty in Mirai Botnet Attacks
http://www.securityweek.com/three-plead-guilty-mirai-botnet-attacks
US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.
The Justice Department announced plea agreements for Paras Jha, 21 — a former Rutgers University computer science student who acknowledged writing the malware code — and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.
In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 “internet of things” (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.
By commanding an army of bots — or computers under control of the attackers — the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.
The malware was used to make money through “click fraud,” a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.
The three generated some $180,000 from the scheme in bitcoin, Justice officials added.
Tomi Engdahl says:
Traffic to Major Tech Firms Rerouted to Russia
http://www.securityweek.com/traffic-major-tech-firms-rerouted-russia
Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.
OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).
It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.
Tomi Engdahl says:
Hackers halt plant operations in watershed cyber attack
https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271
(Reuters) – Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.
Tomi Engdahl says:
The future of source code security is consensus-based
https://techcrunch.com/2017/12/19/shift-left-the-future-of-source-code-security-is-consensus-based/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
The security landscape is ever-changing. It is the most non-constant industry on the planet.
Can we ever reach an end-state where all software running across the world is secure and 100 percent free of breaches?
Let me be brief: No.
Nothing will ever be 100 percent breach free. But, that should not be our measure of success.
CRUNCH NETWORK
The future of source code security is consensus-based
Posted Dec 19, 2017 by Jacek Materna
Jacek Materna
CONTRIBUTOR
Jacek Materna is CTO of Assembla.
The security landscape is ever-changing. It is the most non-constant industry on the planet. New threats appear and new solutions are built to squash them. Rinse, repeat. It’s a never-ending cycle in what seems like no end in sight. What’s the promised land? Can we ever reach an end-state where all software running across the world is secure and 100 percent free of breaches?
Let me be brief: No.
Nothing will ever be 100 percent breach free. But, that should not be our measure of success. Rather, our goals should be around ensuring that as new code is created, it has eyes and scrutiny by as many people and systems as possible without slowing down innovation.
As I wrote in an earlier article, shifting this process as far left as possible ensures the highest efficiency with the least energy. Once in the wild, an increasingly large amount of effort, time and capital is needed to detect, mitigate and address underlying security problems in your code. And, because CIOs are spending 9/10th of their budgets on post-deployment (endpoint, firewalls, etc.), it is no surprise we see Equifax-sized meltdowns in the world pretty regularly now.
The vast amount of noise and data you have to sift through at that phase in the security life cycle almost guarantees you will miss threats. The key to success is hitting it early, when the noise is low. Shifting “left” is this philosophy and it is now gaining steam in the minds of DevOps leaders.
Tomi Engdahl says:
Seven Seas Cybersecurity: Captain, We Have a Problem
http://www.securityweek.com/seven-seas-cybersecurity-captain-we-have-problem
Detecting Compromises Requires Monitoring a Series of Activities Over Time
In the wee hours of April 15, 1912, the unthinkable happened to the unsinkable. The RMS Titanic sank. She and more than 1,500 souls perished in the icy waters of the North Atlantic.
A century later, I sat watching the tragedy unfold as I made my own transatlantic passage aboard an Icelandair flight. I’d thought a three-and-a-half-hour film might make the trip pass faster. Instead, it only made me wonder: How stunning is Kate Winslet? And how safe is modern travel?
A Delicate Balancing Act
Earlier this year, the British television network Channel 5 broadcast “Building the World’s Most Luxurious Cruise Ship,” a documentary about the construction of the Seven Seas Explorer.
It’s All Fun and Games Until Someone Can’t Play Shuffleboard: Confidentiality vs. Integrity vs. Availability
Disaster Aversion: Let History Be a Lesson
When the Titanic sank, there was – and still is – much retrospective talk about what happened, who was to blame and how the tragedy could have been prevented. The iron and rivets were too weak; the bulkheads, too short; the lifeboats, too few. But should’ves, could’ves, would’ves aside, the Titanic taught a hard-knocks, clichéd lesson: Better to be safe than sorry.
Tomi Engdahl says:
PRACTICE MANAGEMENT
8 in 10 doctors have experienced a cyberattack in practice
https://wire.ama-assn.org/practice-management/8-10-doctors-have-experienced-cyberattack-practice
Physicians, overwhelmingly, are finding themselves the target of cyberattacks that disrupt their practices and put patient safety at risk.
A staggering 83 percent of physicians told AMA researchers that their practices have experienced a cyberattack of some type. The 1,300 physicians surveyed also said not enough cybersecurity support is coming from the government that will hold them accountable for a patient information breach.
“The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety,” said AMA President David O. Barbe, MD, MHA. “New research shows that most physicians think that securely exchanging electronic data is important to improve health care.
Most of the AMA survey respondents report being either very or extremely concerned about future attacks aimed at their practices. All practice settings are at risk, but attacks are twice as likely at medium- and large-size practices. Malware—the broad term for a wide range of malicious software—is a top concern, as are breaches involving the theft of electronic patient health information.
Tomi Engdahl says:
The vast majority of physicians—87 percent—believe their practices are HIPAA compliant, but 83 percent believe HIPAA compliance is “insufficient.”
Tomi Engdahl says:
Robert McMillan / Wall Street Journal:
An informal band of researchers is working over Christmas to prevent hackers from disrupting online services, following PlayStation and Xbox incidents in 2014
Link copied…
Tech
As Videogame Hackers Try to Ruin Christmas, Watchdogs Are on Patrol
Merry band of security buffs spend holidays on alert to make sure cyber-Grinches don’t spoil the fun
https://www.wsj.com/articles/web-warriors-hunt-hacker-grinches-to-save-christmas-1513938603
Earlier this month, three men pleaded guilty to writing software, called Mirai, that is used in many of these attacks. Last year, the men released Mirai’s source code, federal prosecutors say. And that action ushered in a new era of extremely large botnet attacks.
In October 2016, Mirai was used to flood internet service provider Dyn with unwanted network traffic, an event that ground the internet to a standstill for many Americans.
“Mirai scared us to death,” said Dale Drew, chief security strategist with CenturyLink Inc., who is among Ms. Nixon’s fellow botnet fighters.
The battle against such botnets is a year-round effort, but it heats up during the holidays. Last year, just before Christmas, a group calling itself R.I.U. Star Patrol claimed on Twitter to have launched an online attack against Yahoo’s Tumblr Service and, in a YouTube video, threatened to repeat the event on Christmas Day.
However, the researchers disrupted Star Patrol before it could launch the Christmas Day attack.
Researchers believe they may have thwarted a similar plan about two weeks ago. That was when another massive 650,000-unit botnet called Satori—which used code from Mirai—was taken down hours after the security firm Akamai Technologies Inc. published a report identifying its command-and-control server. Ms. Nixon and Mr. Drew said fellow researchers then reached out to the internet service provider asking it to take the server offline.
That takedown seems to have disrupted Satori for now.
Tomi Engdahl says:
Beware the Holiday Hack
https://www.securerf.com/beware-holiday-hack/?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=59645269&_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&_hsmi=59645269
Most online 2017 holiday gift guides have one thing in common: IoT gadgets. Wi-Fi video doorbells, wearable health monitors, phone-controlled toy robots, and “smart” ovens are just a few of the thousands of Internet-connected products being offered this holiday season. Such gifts might seem like safe products to give or receive, but reports about recent IoT hacks have shown us that most, if not all, Internet-connected devices are potential targets for hackers.
A few notable 2017 security hacks, breaches, and threats:
Smartwatch Eavesdropping: In November, a German regulator banned the sale of a kids’ smartwatch
IoTroop: Qihoo 360 and Check Point Research recently reported that the IoTroop botnet, also known as “Reaper,” was hijacking IoT devices, such as routers and IP cameras, around the globe at an extremely rapid rate.
Pacemaker Recall: The FDA announced in August that Abbott’s RF-enabled implantable pacemakers contain embedded devices that are vulnerable to wireless attack.
CAN Bus Hack: In August 2017, TrendMicro reported that security research team found that it is possible to turn off a vehicle’s key automated components
Casino Fish Tank Hack: In July, we learned that attackers tried to steal data from a Las Vegas casino by hacking into one of its “smart” fish tanks.
As you will notice by reading through the articles we posted, too many of today’s IoT devices were designed with limited or no security, making those devices vulnerable.
Tomi Engdahl says:
IoT Security News: DoS Attack at Your Door and Semiconductor Stats
https://www.securerf.com/iot-security-news-dos-attack-door-semiconductor-stats/?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=59645269&_hsenc=p2ANqtz-91DaJ1owbCdhy3JOt8HrQsP6cQEMLsK7TF4rIJc6bIGlCAdBI2WpXaQWgEXpMOv0NugtTEIADXXHVetpf_02mNMmMXgw0jjnTrFPo-GmQlAkd-wPM&_hsmi=59645269
IoT security and semiconductor industry growth were two of hottest tech-related topics in 2017. Every few weeks, we learned about next-generation IoT hacks, new security-related legislation, and exciting advances in processor technology. Here are a few interesting news items from the past month.
A DoS Attack at Your Door
Amazon Key is a new delivery service that enables a delivery person to enter your home and drop off a package. For $250, you get a digital keypad and a Wi-Fi-connected Amazon Cloud Cam for live streaming each delivery. But wouldn’t you know: Just a few weeks after the service’s launch, a security testing company discovered a way for a hacker to disable the camera while someone enters your home.
Jail Time for Execs Hiding Data Breaches?
Earlier this year, we wrote about the Internet of Things Cybersecurity Improvement Act of 2017, which would establish security requirements for IoT devices procured by government agencies. In late November, US Senate Commerce Committee members revisited the security issue with the introduction of the Data Security and Breach Notification Act, which would establish national data breach reporting standards. If the bill passes, corporate executives will have 30 days to report data breaches or possibly face up to five years in prison.
Tomi Engdahl says:
Seven Seas Cybersecurity: Captain, We Have a Problem
http://www.securityweek.com/seven-seas-cybersecurity-captain-we-have-problem
Detecting Compromises Requires Monitoring a Series of Activities Over Time
In the wee hours of April 15, 1912, the unthinkable happened to the unsinkable. The RMS Titanic sank. She and more than 1,500 souls perished in the icy waters of the North Atlantic.
A century later, I sat watching the tragedy unfold as I made my own transatlantic passage aboard an Icelandair flight. I’d thought a three-and-a-half-hour film might make the trip pass faster. Instead, it only made me wonder: How stunning is Kate Winslet? And how safe is modern travel?
In its day, the Titanic had been a high-tech marvel. A product of Industrial Revolution innovations, it was grand, luxurious and in hindsight, not as safe as advertised. Its ill-fated passengers fell victim not only to an unforgiving sea, but to human error, outdated maritime safety laws, technological hubris and pernicious vanity.
Today, we expect more, no? At the very least, I don’t expect to run into an iceberg. You know, once I win the lotto and sign up for a luxury cruise.
What I found curious, though, was that while the documentary detailed safety test after safety test, not once did it mention cybersecurity. Of course, that doesn’t mean there wasn’t a plan in place, but it did get me thinking, especially after reading about how hackers can exploit load-balancing software to capsize large vessels.
It’s All Fun and Games Until Someone Can’t Play Shuffleboard: Confidentiality vs. Integrity vs. Availability
Sure, taking over control systems to capsize a ship is extreme, but is it out of the question? It’s not like we haven’t seen hacks happening in the shipping industry. For example, the recent data breach at UK shipper Clarksons and last summer’s NotPetya ransomware attack on shipping giant Maersk. What if hackers decide to take things up a notch?
While a confidentiality breach of a data system – for example, a hacker getting his hands on a passenger manifest – could mean damage to corporate brand, reputation and profits, an integrity or availability breach of a critical onboard navigation, power or cargo management system could prove disastrous. Data theft isn’t fun or a game, but data manipulation or inaccessibility that could result in loss of safety trumps all.
Can we be too careful? Remember that iceberg … Hubris, as we know from the Titanic, can be dangerous.
Disaster Aversion: Let History Be a Lesson
When the Titanic sank, there was – and still is – much retrospective talk about what happened, who was to blame and how the tragedy could have been prevented. The iron and rivets were too weak; the bulkheads, too short; the lifeboats, too few. But should’ves, could’ves, would’ves aside, the Titanic taught a hard-knocks, clichéd lesson: Better to be safe than sorry.
Hard to call it a bright side, but the disaster did at least lead to review and reform of maritime regulations; changes to ship design, lifeboat requirements, wireless operations, ice field navigation; and ultimately, safer travel at sea.
Today, that safety extends to implementing sound cybersecurity practices. A first and imperative step toward ensuring better protection of assets, business and humanity is to assume that everything is connected – and therefore, vulnerable. A second could be to consider investing in a network visibility solution.
Detecting compromises requires monitoring a series of activities over time. Unfortunately, most security tools only have visibility into a certain set of activities and cannot see and comprehend the entire kill chain. With a network visibility solution, companies can see all the data across their infrastructure to help identify weaknesses and improve their security posture. Put simply, it helps optimize existing prevention and detection security tools by simplifying, consolidating and sharing relevant data with them at the right time so they can more quickly expose malware and accelerate threat response and mitigation.
Tomi Engdahl says:
Industry Reactions to U.S. Blaming North Korea for WannaCry
http://www.securityweek.com/industry-reactions-us-blaming-north-korea-wannacry
Tomi Engdahl says:
Mirai Variant “Satori” Targets Huawei Routers
http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers
Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.
The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.
Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).
The affected device supports a service type named `DeviceUpgrade`, which is supposedly carrying out firmware upgrade actions. By injecting shell meta-characters “$()” in two elements with which the upgrade is carried out, a remote administrator could execute arbitrary code on the affected devices.
Tomi Engdahl says:
How to find an APT attack against a network
https://www.controleng.com/single-article/how-to-find-an-apt-attack-against-a-network/a219fb0bb5e12529d6450413a036d58c.html
Advanced persistent threat (APT) attacks against critical infrastructure are on the rise and companies and users need to learn how to find anomalies in their network and be proactive before serious damage can be inflicted.
It is no secret the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a warning for critical infrastructure organizations regarding advanced persistent threat (APT) attacks. The main question for users is how to tell if the bad guys are in the system.
“There are indications they are looking for things inside the networks themselves,” said Dana Tamir, vice president of market strategies and security provider, Indegy. “It is very easy to mask their activities. It seems everyone has privileged access. Everyone with gained access to the network can do anything they want. The way we look for things is we first look for anomalies that appear to be suspicious and out of the ordinary. For example, communication between two assets that have never communicated before, or a command that doesn’t meet the kind activity ever done on the network, or the use of new protocols never used before. In addition, we use rule-based policies that determine what is acceptable activities.”
The alert on the US-CERT site warns, “Since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks.”
Attackers have chosen their targets rather than attacking targets of opportunity. Typically, this is followed by a spear-phishing campaign using email attachments to leverage Microsoft Office functions to retrieve a document using the server message block (SMB) protocol. This sends the user’s credential hash to the remote server, where “The threat actors then likely used password-cracking techniques to obtain the plaintext password. Once actors obtain valid credentials, they are able to masquerade as authorized users.”
Watering holes are also used to gather credentials.
“The threat actors compromise the infrastructure of trusted organizations to reach intended targets,” the report said. “Although these watering holes may host legitimate content by reputable organizations, the threat actors have altered them to contain and reference malicious content. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.”
When credentials have been gained, the attackers use these to access victims’ networks where multi-factor authentication is not in use. Once inside the networks, the attackers download their tools from a remote server.
“This alert shows adversaries are getting into networks and they are getting in deeper and deeper,”
These kinds of warnings and attacks are becoming a bit better known these days, but the question also remains if users are secure.
“Surprising? No. Critical infrastructure presents high value targets that if exploited can produce significant political or financial gain—more than retail or financial industry targets we tend to see in the news,” said David Zahn, GM of the cybersecurity business unit at PAS. “The reason is that the industrial control systems that sit at the end of the industrial facility’s kill chain control in many cases volatile process. This means that an attack can cause physical consequences including injury to plant personnel, community, environment, or production capability.”
Tomi Engdahl says:
Web Trackers Exploit Flaw In Browser Login Managers To Steal Usernames
https://it.slashdot.org/story/17/12/28/0124233/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames
Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain. This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers. Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user’s login information, such as username and passwords.
Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames
https://www.bleepingcomputer.com/news/security/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames/
Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain.
This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers, login managers that allow browsers to remember a user’s username and password for specific sites and auto-insert it in login fields when the user visits that site again.
Experts say that web trackers can embed hidden login forms on sites where the tracking scripts are loaded. Because of the way the login managers work, the browser will fill these fields with the user’s login information, such as username and passwords.
The trick is an old one, known for more than a decade [1, 2, 3, 4, 5], but until now it’s only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks.
Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information.
Fortunately, none of the two services collected password information, but only the user’s username or email address —depending on what each domain uses for the login process.
The two services are Adthink and OnAudience
In this particular case, the two companies were extracting the username/email from the login field, creating a hash, and tieing that hash with the site visitor’s existing advertising profile.
Tomi Engdahl says:
Cyber security in the nuclear industry: Growing threats and evolving practices
Why nuclear power plants are more vulnerable to cyber attacks today
https://www.pwc.com/us/en/industries/capital-projects-infrastructure/asset-classes-sectors/nuclear-power-industry/nuclear-cyber-security.html
Nuclear power plants, like other critical infrastructure, are more vulnerable than ever to cyber attacks. In recognition of this fact, the Department of Homeland Security and the Federal Bureau of Investigation issued a joint report on nuclear cyber attacks with an urgent amber warning, indicating the second highest level of threat.
Tomi Engdahl says:
18 Months Later, WannaCry Still Lurks on Infected Computers
https://www.bleepingcomputer.com/news/security/18-months-later-wannacry-still-lurks-on-infected-computers/