Here is my collection of security trends for 2012 from different sources:
Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”
F-Secure also says also that it might not be long before the cyber criminals turn their attentions to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.
Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.
Fake antivirus scams that have plagued Windows and Mac OSX during the last couple of years and now it seems that such fake antivirus scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android.. When antivirus software becomes a universally accepted requirement (the way it is on Windows is the day), has the platform has failed and missed the whole point of being mobile operating system?
Cyber criminals are developing more sophisticated attacks and the police will counterattack.
Mobile phone surveillance will increase and more details of it will surface. Last year’s findings have included Location data collecting smart-phones, Carrier IQ phone spying busted and Police Surveillance system to monitor mobile phones. In USA the Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.
Geo-location tagging in smartphones to potentially cause major security risks article says that geo-location tagging security issues are likely to be a major issue in 2012—and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphones images to the Internet (to portals such Facebook or Flickr) there’s a strong chance they will also upload the GPS lcoation data as well. This information could be subsequently misused by third parties.
You need to find your balance between freedom and security (
Vapauden ja turvallisuuden tasapaino). Usernames poured out for all to see, passwords and personal identification numbers are published. A knowledge of access management is even more important: who has the right to know when and where the role of functioning? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.
When designing networked services, the development of safety should taken into account in the planning stage, rather than at the end of execution. Even a secure network and information system can not act as operating a vacuum.
Reliability of the server certificates will face more and more problems. We can see more certificate authority bankruptcies due cyber attacks to them. Certificate attacks that have focused on the PC Web browsers, are now proven to be effective against mobile browsers.
Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
Rise of Printer Malware is real. Printer malware: print a malicious document, expose your whole LAN says that sending a document to a printer that contained a malicious version of the OS can send your sensitive document anywhere in Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.
Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
According to Stonesoft security problems threaten the lives and the year 2012 may be the first time when we lose lives because of security offenses. According to the company does this happen remains to be seen, but the risk is due to industrial SCADA systems attacks against targets such as hospitals or automated drug delivery systems. I already posted around month ago about SCADA systems security issues.
849 Comments
Tomi Engdahl says:
Privacy spat: Microsoft vs. Google vs. the truth
Expert who helped write relevant privacy standard says they’re both wrong
http://digg.com/newsbar/topnews/privacy_spat_microsoft_vs_google_vs_the_truth
“Companies have discovered that they can lie in their [P3P Compact Privacy Statements] and nobody bothers to do anything about it. … Companies have also discovered that, due to a bug in IE, if they have an invalid [privacy statement], IE will not block it.”
She said that Google is not alone in circumventing P3P and that this issue points to a larger problem in browser privacy. In fact, Facebook presents a P3P statement that says: “Facebook does not have a P3P policy.” That line is an invalid P3P privacy statement so it essentially turns off IE cookie blocking, she said. “Thousands” of other sites have P3P privacy statements that don’t match their actual practices, she said. …
“The excuse everyone uses to justify this circumvention is that P3P is dead and IE breaks the cool things they want to do on their website, so therefore it is OK to circumvent browser privacy controls,”
Tomi Engdahl says:
Facebook to Microsoft: P3P is outdated, what else ya got?
http://www.zdnet.com/blog/facebook/facebook-to-microsoft-p3p-is-outdated-what-else-ya-got/9332
Summary: Facebook has confirmed it is also bypassing IE’s privacy settings. The social networking giant has told the software giant that P3P is outdated. As they say on the playground: too bad, so sad.
P3P was developed 5 years ago and is not effective in describing the practices of a modern social networking service and platform.
By default, IE blocks cookies that have CPs deemed unsatisfactory from a privacy perspective (such as collecting anything identifiable). Facebook is essentially saying that it is completely aware of the bug in IE that allows them to use an invalid CP so that the browser does not block the social network’s cookies. Since PP3 is outdated, Facebook is telling Microsoft to use something better. Until then, the social networking giant has no plans to change its practices.
Tomi Engdahl says:
Obama unveils Consumer Privacy Bill of Rights
http://news.cnet.com/8301-27080_3-57383300-245/obama-unveils-consumer-privacy-bill-of-rights/
The Obama administration plans to work with Congress to enact legislation to protect peoples’ online privacy based on a Consumer Privacy Bill of Rights being unveiled tomorrow.
“The principles are genuinely good,” he told CNET in an e-mail. “The problem is that there is no plan for implementation or enforcement.”
Consumer online privacy is a hot topic these days, with complaints that Google and Facebook, among others, compromise the privacy of consumers in order to boost advertising opportunities and revenues.
Web Firms to Adopt ‘No Track’ Button
http://online.wsj.com/article_email/SB10001424052970203960804577239774264364692-lMyQjAxMTAyMDIwMzEyNDMyWj.html
A coalition of Internet giants including Google Inc. has agreed to support a do-not-track button to be embedded in most Web browsers—a move that the industry had been resisting for more than a year.
The reversal is being announced as part of the White House’s call for Congress to pass a “privacy bill of rights,” that will give people greater control over the personal data collected about them.
The new do-not-track button isn’t going to stop all Web tracking. The companies have agreed to stop using the data about people’s Web browsing habits to customize ads, and have agreed not to use the data for employment, credit, health-care or insurance purposes. But the data can still be used for some purposes such as “market research” and “product development” and can still be obtained by law enforcement officers.
“It’s a good start,”
Susan Wojcicki, senior vice president of advertising at Google, said the company is pleased to join “a broad industry agreement to respect the ‘Do Not Track’ header in a consistent and meaningful way that offers users choice and clearly explained browser controls.”
Tomi Engdahl says:
GPS attacks risk maritime disaster, trading chaos
http://www.reuters.com/article/2012/02/22/us-security-gps-idUSTRE81L00E20120222
Satelite navigation systems are at risk from criminals, terrorists or even just bored teenagers, with the potential to cause major incidents from maritime disasters to chaos in financial markets, leading experts warned on Wednesday.
Experts are worried about havoc that could be caused if GNSS signals were illegally jammed
Widely available on the internet, jammers are not illegal to own but are illegal to use. Just how widespread they are is unclear
While jamming poses an immediate threat, a potentially more serious risk is posed by “spoofing” – creating false GPS signals to alter users perceptions of time or location. Until recently, while theoretically possible, such technology was not seen as viable or affordable.
“The financial exchanges that depend so much on their own credibility and on people’s trust of the markets could be damaged fairly significantly by routine manipulation of the time stamps that they apply to all of their transactions,” he said.
Tomi Engdahl says:
Apple, Google and Others in Agreement on App Privacy
http://bits.blogs.nytimes.com/2012/02/22/california-attorney-general-reaches-deal-on-app-privacy/
California’s attorney general, Kamala D. Harris, said on Wednesday that the state had reached an agreement with Amazon.com, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to strengthen privacy protections for smartphone owners who download mobile applications.
The agreement will force developers to post conspicuous privacy policies detailing what personal information they plan to obtain and how they will use it. It also compels app store providers like Apple and Google to offer ways for users to report apps that do not comply.
“Your personal privacy should not be the cost of using mobile apps, but all too often it is,”
In a statement, Ms. Harris’s office said that only 5 percent of mobile apps offer a privacy policy, leaving smartphone owners in the dark about what developers, advertisers and analytic services do with their “location, contacts, identity, messages and photos.”
Tomi Engdahl says:
FCC chairman calls on ISPs to adopt new security measures
http://www.networkworld.com/news/2012/022212-fcc-chairman-calls-on-isps-256451.html
FCC Chairman Julius Genachowski called on ISPs to notify subscribers whose computers are infected with malware and tied to a botnet and to develop a code of conduct to combat botnets. Genachowski also called on ISPs to adopt secure routing standards to protect against Internet Protocol hijacking and to implement DNSSEC, a suite of security tools for the Internet’s Domain Name System.
If ISPs don’t take these steps, they will risk a backlash from subscribers who have lost trust in online commerce
“The cyberthreat is growing,” he said. “If we fail to tackle these challenges, we will pay the price in the form of diminished safety, lost privacy, lost jobs and financial vulnerability — billions of dollars potentially lost to digital criminals.”
The problems of botnets, IP hijacking and domain name fraud, and potential solutions, were priorities identified by the FCC’s Communications Security, Reliability and Interoperability Council and other participants, Genachowski said.
ISPs can help battle botnets by detecting infections on subscribers’ computers and notifying them of the problems, he said. Botnets, often used to launch cyberattacks, can control millions of computers, he said. “Botnets have been central to a very large percentage of the website crashes you’ve heard of, and that you haven’t,” he said.
DNSSEC can help prevent domain name fraud, “but adoption in the private sector has been slow,”
“emphasizing the need for the development of practical solutions” to minimize cybersecurity threats.
Tomi Engdahl says:
Secret UK Network Hunts GPS Jammers
http://yro.slashdot.org/story/12/02/23/030256/secret-uk-network-hunts-gps-jammers
A secret network of 20 roadside listening stations across the UK has confirmed that criminals are attempting to jam GPS signals on a regular basis.
UK Sentinel study reveals GPS jammer use
http://www.zdnet.co.uk/news/networking/2012/02/22/uk-sentinel-study-reveals-gps-jammer-use-40095106/
Government-funded trials involving the police have revealed more than a hundred incidents of GPS jammer use in the UK.
“The idea behind Sentinel is to detect and locate interference,” Chronos Technology’s divisional manager Andy Proctor told ZDNet UK on Wednesday. “Until you physically get a jammer in your hands you can’t claim 100 percent it’s a jammer, because you don’t know what’s been causing the interference.”
“These events were real and corroborated,” Curry told ZDNet UK at the GNSS Vulnerability: Present Dangers, Future Threats 2012 conference.
GPS jammers work by broadcasting a strong local signal on the same frequency as GPS, effectively drowning the weak GPS signal broadcast by satellites. People illegally jam GPS for a number of reasons, Curry told the audience at the conference at the National Physical Laboratory. These include evasion of company-vehicle or covert tracking, and stealing high-value vehicles.
“Our modern society is almost completely reliant on GPS,” Humphreys told the conference. “It could be deadly.”
The Sentinel technology works by relaying incidents of GPS interference to a central server, Proctor told ZDNet UK. The sensor is a black box that contains a high-sensitivity GPS sensor, in some cases a rubidium atomic clock, and an embedded Linux processing unit running proprietary software using C++, PHP, and a MySQL backend database.
Tomi Engdahl says:
Four year olds used to steal their parents’ data
Davey Winder reveals how malware writers are tricking young children into installing trojans
BitDefender Online Threats Lab, one of the security vendors doing research in this area of cybercrime, uncovered a whole bunch of Flash-based games, colourful and attractive to young kids, which came complete with a trojan that has been designed to appeal to those same youngsters.
That’s where the scum behind these scams are being so clever, because most of these game sites are genuine enough, but have been compromised in order to insert a nice big “click here for more games” or just a “click here” button that then takes the clicker to a different site, where another game pops up or downloads while at the same time a remote access trojan (RAT) capable of stealing financial data is installed.
Remember that the unsuspecting parents are not being required to take any great leap of faith here, because all the games in question were being hosted on legitimate and very high-traffic sites.
The moral of this tale? Don’t use your laptop as a babysitter, and don’t be one of the 24.7% of parents who, according to BitDefender’s research, don’t supervise their young kids’ online activity.
Read more: Four year olds used to steal their parents’ data | Enterprise | Real World Computing | PC Pro http://www.pcpro.co.uk/realworld/373066/four-year-olds-used-to-steal-their-parents-data#ixzz1nIqpCxdz
Tomi Engdahl says:
The cyber-weapons paradox: ‘They’re not that dangerous’
http://www.theregister.co.uk/2012/02/24/cyber_weapons/
When it comes to bombs, the more powerful they are, the bigger their impact. With a cyber-weapon, the opposite is true: the more powerful it is, the more limited the damage it causes. The deeper a bug can get into any given system, the less likely it is to trouble anything else.
And that’s why cyber-weapons aren’t real weapons,
[Having] more destructive potential is likely to decrease the number of targets, the risk of collateral damage and the political utility of cyber-weapons.
Rid’s point is that cyber weapons that can attack any web target tend to be low-level and quite crap: DDoS bots that can take a website offline temporarily or deface it, tools that cause inconvenience and sometimes embarrassment.
Weaponised code does not come with an explosive charge. Potential physical damage will have to be created by the targeted system itself, by changing or stopping ongoing processes.
Simply knocking a site offline would alert the target to the problem immediately and probably cause a back-up to kick in. Serious damage would require an intelligent malware agent that was capable of changing ongoing processes while hiding the changes from their operators, Rid says.
He adds that “all publicly-known cyber-weapons have far less ‘firepower’ than is commonly assumed”.
Speaking to The Reg earlier this week, Rid said that the systems we really should be worried about are industrial control systems – SCADA – computer systems that control the national grid, public transport, chemical mixing in factories andprison doors. These are the systems that he claims have poor security set-ups:
One of the computer hacks with the greatest physical impact ever came from an angry Australian sewage worker who used his knowledge of pumping systems to pay back an employment grudge. -> spilling more than a million litres of raw sewage into local parks, rivers
He said that government needs to understand industrial control systems.
Tomi says:
Google adds Do Not Track button to Chrome
http://www.theregister.co.uk/2012/02/24/google_chrome_do_not_track/
Google’s Chrome browser has added a Do Not Track option that will prevent websites using your browser history to target ads at you. Google has not yet added a Do Not Track option into Chrome, but instead is now making the third-party Keep My Opt Outs Chrome extension available in its Chrome Web Store.
Pioneered by Mozilla Firefox, the Do Not Track convention adds a field in the HTTP header of each web page instructing websites not to take info about you from your browser. Commonly used to prevent overly personal targeted ads, Do Not Track also stops web visitors having their data picked through by websites’ social features and analytics engines. Microsoft claims that Internet Explorer doesn’t track its users and Do not Track is an option in Safari.
Once a user turns on the Do Not Track header, she told us, Chrome will transmit that directive to sites to which the user navigates. Websites and advertisers will see the header in the user’s web request, and treat the user’s browsing data in accordance with those DAA principles, including opting the user out of ad targeting and ads using third-party cookies.
tomi says:
Cambridge’s Capsicum Framework Promises Efficient Security For UNIX/ChromeOS
http://tech.slashdot.org/story/12/02/26/0030242/cambridges-capsicum-framework-promises-efficient-security-for-unixchromeos?
Communications of the ACM is carrying two articles promoting the Capsicum security model developed by Robert Watson (FreeBSD — Cambridge) and Ben Laurie (Apache/OpenSSL, ChromeOS — Google) for thin-client operating systems such as ChromeOS.
http://cacm.acm.org/magazines/2012/3/146250-technical-perspective-the-benefits-of-capability-based-protection/fulltext
http://cacm.acm.org/magazines/2012/3/146252-a-taste-of-capsicum/fulltext
They demonstrate how Chrome web browser sandboxing using Capsicum is not only stronger, but also requires only 100 lines of code, vs 22,000 lines of code on Windows!
So, we have our first solid metric: it’s 220 times as hard to make Windows secure as it is for BSD or Linux ???
It may sound that way, but it doesn’t read that way.
Specifically, Capsicum is a Unix (and therefore heavily C- and process-based) framework for sandboxing applications.
Capsicum also debuted, like, years ago. I doubt it will pick up steam because the necessary underpinnings will never be adopted in the Linux kernel. For one thing, anything which comes from FreeBSD always has to be re-engineered, and usually poorly.
Second, there are two interest groups in the Linux community that dictate security frameworks: the SELinux people and the anti-SELinux people. The anti-SELinux folk are already wedded to a host of alternatives. Capsicum will have a cold reception.
Tomi Engdahl says:
http://pastebin.com/D7sR4zhT
Today WikiLeaks began publishing The Global Intelligence Files – more than five million emails from the Texas-headquartered “global intelligence” company Stratfor. The emails date from between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal’s Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defense Intelligence Agency
The Global Intelligence Files
http://wikileaks.org/gifiles
Tomi Engdahl says:
Disruptions: Growing Too Big for a Conscience
http://bits.blogs.nytimes.com/2012/02/26/growing-too-big-for-a-conscience/
In 2000, when Google could count its employees by the dozen, it adopted its now famous mantra: Don’t be evil.
Google considered it such a cornerstone of its operating philosophy that it was included in the S-1 filing
This month alone Google has been caught up in more privacy debates than I’ve eaten hot meals. There was the mobile apps problem
Then it was discovered that Google was circumventing privacy settings on Web browsers to track the behavior of consumers.
company’s latest privacy policy updates, in which it merged all of a user’s data from across Google products, are “troubling for a number of reasons” and “invade consumer privacy.”
A product released last month called Google Search Plus Your World seems to go against the company’s founding principles.
But as Google has grown, and the company sees the threat of others on the horizon, it seems that “do the right thing” may have been paused to prevent itself from fading like a Yahoo or an AOL.
Does all this add up to a clear sign that Google has given up on its first principles?
Tomi Engdahl says:
WikiLeaks Tightens Ties To Anonymous In Leak Of Stratfor Emails
http://www.forbes.com/sites/andygreenberg/2012/02/27/wikileaks-tightens-ties-to-anonymous-in-leak-of-stratfor-emails/
The leaderless collective Anonymous once acted as WikiLeaks’ vigilante avenger, attacking the secret-spilling group’s enemies while WikiLeaks kept a careful remove from their offensives. But with the leak of a vast trove of emails from the private intelligence firm Stratfor, Anonymous now says it’s upgraded its relationship with WikiLeaks from friendly acquaintance to partner.
Tomi Engdahl says:
INTELLIGENCE FIRM Stratfor has responded to a massive leak of its emails by calling the leakers “thieves”.
The firm has been hacked twice by Anonymous. However it is the booty from the earlier attack that has pushed it to comment.
Emails from that attack have been published by Wikileaks and are online now. Stratfor is not happy.
Source: The Inquirer (http://s.tt/15RBQ)
tomi says:
In Attack on Vatican Web Site, a Glimpse of Hackers’ Tactics
http://www.nytimes.com/2012/02/27/technology/attack-on-vatican-web-site-offers-view-of-hacker-groups-tactics.html
The elusive hacker movement known as Anonymous has carried out Internet attacks on well-known organizations like Sony and PBS. In August, the group went after its most prominent target yet: the Vatican.
The attack, albeit an unsuccessful one, provides a rare glimpse into the recruiting, reconnaissance and warfare tactics used by the shadowy hacking collective.
“We have seen the tools and the techniques that were used in this attack used by other criminal groups on the Web,” said Amichai Shulman, Imperva’s chief technology officer. “What set this attack apart from others is it had a clear timeline and evolution, starting from an announcement and recruitment phase that was very public.”
“Anonymous is a handful of geniuses surrounded by a legion of idiots,” said Cole Stryker, an author who has researched the movement. “You have four or five guys who really know what they’re doing and are able to pull off some of the more serious hacks, and then thousands of people spreading the word, or turning their computers over to participate in a DDoS attack.”
“Part of the reason ‘Op Megaupload’ was so successful is that they’ve learned from their past mistakes,” said Gabriella Coleman, an associate professor at McGill University who has studied Anonymous. Professor Coleman said the hackers had been using a new tool to better protect their anonymity. “Finally people felt safe using it,” she said. “That could explain why it was so big.”
“Anonymous is an idea, a global protest movement, by activists on the streets and by hackers in the network,”
Tomi Engdahl says:
IT staffers on ragged edge of burnout and cynicism
Stress survey says companies failing staff
http://www.theregister.co.uk/2012/02/27/it_staff_stress_survey/
RSA 2012 A survey of stress levels among IT security staff, thought to be the first of its kind, has shown that an alarming number of staffers are suffering dangerous levels of cynicism, leaving them depressed and unable to function properly.
The survey (securityburnout.org) was organized by Jack Daniel, founder of the Security B-Sides conference, joined by friends in the industry who are becoming increasingly concerned with the lack of support within the IT community for staff.
Less than half of those surveyed felt that they weren’t exhausted by their job, and 13 per cent reported levels of exhaustion and cynicism that are highly deleterious to someone’s health. As an industry, IT – and particularly IT security – showed an average score for job cynicism that was at the extreme edge of what’s healthy. Over a quarter of those surveyed felt that they were not achieving their job’s goals.
“Other professions know that this is a problem and have strategies to deal with it, but there’s no recognition of this in IT,”
He pointed out that security professionals are known for workaholic tendencies – joking that most people loved 40-hour weeks so much they worked two of them every seven days – but warned the risk of staff burnout is very real. The nature of the job was also an issue, in measuring the effectiveness of what you do – with IT security it only takes one mistake and the end result can be disastrous.
“When you go to conferences you realize how much stress behavior we show,” he said. “How many people get drunk and then get fired because of behavior at conventions – it happens with every ShmooCon and DevCon. That’s an indicator that there’s a problem.”
Management may also be the problem, not the IT worker. “As an experiment,” Corman said, “explain to your children what it is you’re trying to explain to your chief security officer. If they get it and he doesn’t, then the problem isn’t with you.”
Tomi Engdahl says:
Record and replay in global navigation satellite system testing
http://www.eetimes.com/design/military-aerospace-design/4236908/Record-and-replay-in-global-navigation-satellite-system-testing?Ecosystem=communications-design
So, we began to research a system that would have the ability to record live GPS signals and then replay these into products under test. The brief was that it would offer realistic data, in the same way as live sky, but that it would also be consistent, with the ability to repeat a test, or ‘scenario’, as many times as necessary. It would also need to be affordable.
With nothing else available, Racelogic decided to design something that could record live global navigation satellite system (GNSS) signals and replay these into devices under test, offering the blend of realism and repeatability that they needed at an affordable price. In 2008, we developed LabSat – see figure 1 – which had the ability to record raw GPS RF signals from a live antenna to be replayed at a later date. Users could now easily record a journey and replay this on the bench with identical results.
SatGen allows the user to define a custom route, anywhere in the world, at a predefined time and date. There is even a Google Earth import feature which makes the definition of the profile very simple. This profile information is then converted into a scenario file which can be replayed on LabSat devices.
LabSat is now used in several industries. For example, Nokia and Blackberry use LabSat for testing smartphones
On the input side, there is a high speed digital input which is sampled on every GPS sample, providing a tightly synchronized record of the digital data. The recorded digital data is then reproduced on the output port at the same time as the GPS RF data is replayed.
LabSat has a built-in GPS engine, which is used to monitor the output during the replaying of GPS data.
Racelogic can supply a synchronized video system which is fitted to the car at the same time, which records video alongside the GPS RF data.
Tomi Engdahl says:
Stonesoft released Mass Security For Business
http://masssecurity.stonesoft.com/
It promises to be a
A MORE INTELLIGENT ANSWER TO THE SECURITY AND CONNECTIVITY NEEDS OF MULTI-LOCATION BUSINESSES
“Don’t be fooled by the low cost promises of point solutions and consumer-grade firewalls. They quickly become costly as maintenance man-hours tally up year per year, branch by branch. “
Tomi Engdahl says:
Cyber-security startup to flash major Android soft spots at RSA
Ex-McAfee bods grab $26m to take on hackers
http://www.theregister.co.uk/2012/02/28/crowdstrike_launch_new_security_tactic/
Three big-hitters in the world of cyber security have launched a firm that intends to unmask hackers and their motives, and they’ve scooped up $26m to get it started. As one of its first acts, CrowdStrike plans to unveil an overview of Android’s weak spots in a demo at the RSA on 29 Feb.
CrowdStrike launched in “stealth-mode” last week. The firm is headed up by George Kurtz, former McAfee CTO.
Promising a “new strategy” on cyber security, CrowdStrike said it would home in on the people behind malware rather than the software itself in a bid to protect companies and government from hackers at the highest level.
“The person or organization pulling the trigger (or deploying the malware) is the one that you ultimately need to focus on. The type of gun or ammunition they may be using is interesting, but in most cases not strategically relevant
Instead of endlessly patching flaws, Kurtz argues, anti-hackers should target the soft mistake-prone humans behind the malware
As for the end product, George was reluctant to drop many details about what a CrowdStrike report would look like: “It’s not a static report, it’s not a powerpoint, it’s dynamic thing,” he told us.
Tomi Engdahl says:
Hacking breach made us stronger says RSA
Attack causes rethink on security skills
http://www.theregister.co.uk/2012/02/28/hacking_rsa_made_stronger/
RSA 2012 RSA president Art Coviello has said the hacking attack that breached its servers ended up making the company stronger and more effective.
“Since the breach we’ve dedicated ourselves to regaining and maintaining your confidence in us, with a sense of urgency as never before to apply the lessons we’ve learned first hand,” he told delegates at the opening keynote of RSA 2012 in San Francisco.
The SecureID attacks should put the last nail in the coffin of perimeter defense he said, and it had caused a rethink within RSA as to what was needed and the skills and tools needed by the modern security professional. He outlined three areas that need to be managed.
First, companies have to get a lot better at risk management. This means acknowledging the vulnerability of everyone to attack, the likelihood of being a target and the value of what can be stolen.
Secondly security needs to be a lot more agile. The sheer volume and skill of attackers means security systems have to be much more responsive to new threats.
Finally, big data is coming to security, he proclaimed. Companies need to absorb and analyze vast volumes of threat data and formulate policies to counter threats.
The IT security industry seldom hired from the military he said, but the military mindset is what’s needed. The security professional needs to be “offensive in their mindset,”
Tomi Engdahl says:
How to sneak into a security conference
A social engineering expert details how he managed to go anywhere he wanted at RSA 2012, and then got a free conference badge under a pseudonym to boot
http://www.csoonline.com/article/701040/how-to-sneak-into-a-security-conference
Tomi Engdahl says:
The Best Free Antivirus for 2012
Even if your budget doesn’t include any money for antivirus protection, you’ve got plenty of good choices for free antivirus.
http://www.pcmag.com/article2/0,2817,2388652,00.asp?ipmat=294660&ipmtype=3
If only every computer user in the world would install antivirus software, the Internet would be a safer place.
Given the quality of free antivirus tools around, there’s really no excuse to do without. Here’s a run-down on your choices.
Tomi Engdahl says:
Apple Loophole Gives Developers Access to Photos
http://bits.blogs.nytimes.com/2012/02/28/tk-ios-gives-developers-access-to-photos-videos-location/
Developers of applications for Apple’s mobile devices, along with Apple itself, came under scrutiny this month after reports that some apps were taking people’s address book information without their knowledge.
As it turns out, address books are not the only things up for grabs. Photos are also vulnerable. After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers.
Tomi Engdahl says:
The top 13 security myths
Security experts hammer on security ideas they say are both widely believed and false
http://www.infoworld.com/slideshow/33387/the-top-13-security-myths-187168
14 Questions Every Business Should Ask About Backups
http://blog.softlayer.com/2012/14-questions-every-business-should-ask-about-backups/
Tomi Engdahl says:
“EFF has released version 2 of the HTTPS Everywhere browser extension for Firefox, and a beta version for Chrome. The Firefox release has a major new feature called the Decentralized SSL Observatory. This optional setting submits anonymous copies of the HTTPS certificates that your browser sees to their Observatory database allowing them to detect attacks against the web’s cryptographic infrastructure. It also allows us to send real-time warnings to users who are affected by cryptographic vulnerabilities or man-in-the-middle attacks. At the moment, the Observatory will send warnings if you connect to a device has a weak private key due to recently discovered random number generator bugs.”
Source:
http://yro.slashdot.org/story/12/02/29/2011247/effs-https-everywhere-detects-and-warns-about-cryptographic-vulnerabilities
Tomi Engdahl says:
‘Kill yourself now’ – Torvalds throws openSUSE security tantrum
Root password protocol ‘mentally diseased’
http://www.theregister.co.uk/2012/02/29/torvalds_tantrum_opensuse/
Torvalds has posted a rant on Google+ about his experience installing openSUSE on a MacBook Air. The installation requires the root password for many functions and he went to the Bugzilla thread to argue that this was a stupid policy, which got changes in some areas of the code, like adding wireless networks.
“If you have anything to do with security in a distro, and think that my kids (replace “my kids” with “sales people on the road” if you think your main customers are businesses) need to have the root password to access some wireless network, or to be able to print out a paper, or to change the date-and-time settings, please just kill yourself now. The world will be a better place,” he said.
Torvalds has come in for criticism for not using bypass code in openSUSE to eliminate some of the need for root password access, and has been slammed for taking the rant public.
Tomi Engdahl says:
Android allows every app access to your photos, Google considering fix
http://www.theverge.com/2012/3/1/2836234/android-allows-every-app-access-to-your-photos-google-considering-fix
Two days ago, the New York Times reported on an issue in iOS that allows third-party apps to access your photos if you them grant permission to access your location. That’s a bit of a hole in Apple’s walled-garden approach to privacy and security, and we quickly heard from sources that Apple was working on a fix.
Today, the NYT is back with news that Android apps can also access all your photos without receiving direct permission, but the situation is markedly different.
Google told us in a statement: the company says Android was designed to allow users to access their photos from a removable memory card.
Et Tu, Google? Android Apps Can Also Secretly Copy Photos
http://bits.blogs.nytimes.com/2012/03/01/android-photos/
It’s not just Apple. Photos are vulnerable on Android phones, too.
It turns out that Google, maker of the Android mobile operating system, takes it one step further. Android apps do not need permission to get a user’s photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts. It is not clear whether any apps that are available for Android devices are actually doing this.
“We can confirm that there is no special permission required for an app to read pictures,” said Kevin Mahaffey, chief technology officer of Lookout, a company that makes Android security software. “This is based on Lookout’s findings on all devices we’ve tested.”
In response to questions, Google acknowledged this and said it would consider changing its approach.
Tomi Engdahl says:
If I can shop and bank online, why can’t I vote online?
http://verifiedvoting.org/
There is widespread pressure around the country today for the introduction of some form of Internet voting in public elections that would allow people to vote online, all electronically, from their own personal computers or mobile devices. Proponents argue that Internet voting would offer greater speed and convenience, particularly for overseas and military voters and, in fact, any voters allowed to vote that way.
However, computer and network security experts are virtually unanimous in pointing out that online voting is an exceedingly dangerous threat to the integrity of U.S. elections. There is no way to guarantee that the security, privacy, and transparency requirements for elections can all be met with any practical technology in the foreseeable future…
Read more:
http://verifiedvoting.org/downloads/votingtransactions/
It is not actually “safe” to conduct ecommerce transactions online. It is in fact very risky, and more so every day. Essentially all those risks apply equally to online voting transactions.
The technical security, privacy, and transparency requirements for voting are structurally different from, and actually much more stringent than, those for ecommerce transactions. Even if ecommerce transactions were safe, the security technology underpinning them would not suffice for voting. In particular, the voting security and privacy requirements are unique and in tension in a way that has no analog in the ecommerce world.
Ecommerce transactions may be relatively safe for consumers, but they certainly are not safe for financial institutions or merchants. Banks, credit card companies, and online merchants lose billions of dollars a year in online transaction fraud 3 despite huge investments in fraud prevention and recovery.
Tomi Engdahl says:
Exclusive: How Sony is fighting back
http://www.scmagazine.com.au/Feature/293365,exclusive-how-sony-is-fighting-back.aspx
Systems that monitor staff and user behaviour could detect social attacks.
So when the entertainment giant looked to revamp its security in the wake of the devastating hacking attacks against its PlayStation Network last year, the former McAfee Chief Security Officer answered the call.
By the end of 2011, Sony had been attacked more than 20 times by ‘hacktivists’ angry at its attempts to prevent modification to its PlayStation 3 console. The attacks ranged from petty denial of service attacks, to defacements and ultimately took Sony’s PlayStation Network online gaming platform offline for almost a month.
Like many large organisations, Sony is not a single beast but a network of thousands of minds in hundreds of countries. To a social engineer, each staffer is a potential target with different levels of vulnerability and privilege.
Tomi Engdahl says:
Prof. J. Alex Halderman Tells Us Why Internet-Based Voting Is a Bad Idea (Video)
http://it.slashdot.org/story/12/03/10/2351259/prof-j-alex-halderman-tells-us-why-internet-based-voting-is-a-bad-idea-video
On March 2, 2012, Timothy wrote about University of Michigan Professor J. Alex Halderman and his contention that there is no way to have secure voting over the Internet using current technology. In his video, Alex explains what he meant and tells us about an experiment (that some might call a prank) he and his students did back in 2010, when they (legally) hacked a Washington D.C. online voting pilot project.
Tomi Engdahl says:
Symantec is unmoved by Norton Anti Virus source release
SECURITY FIRM Symantec was expecting hacker group Anonymous to release the source code for its 2006 Norton Anti Virus product.
“We anticipate that at some point, Anonymous will also post the code for the 2006 version of Norton Internet Security, which they also claim to possess. As we have already stated publicly, this is old code, and Symantec and Norton customers will not be at an increased risk as a result of any further disclosure related to these 2006 products.”
Symantec quickly responded to the leak on Twitter, confirming that the release was its code, but adding that it would not affect its users.
Source: The Inquirer (http://s.tt/178To)
Tomi Engdahl says:
‘Honey Stick’ Project Tracks Fate of Lost Smartphones
http://mobile.slashdot.org/story/12/03/12/2351227/honey-stick-project-tracks-fate-of-lost-smartphones
“In order to get a look at what happens when a smartphone is lost, Symantec conducted an experiment, called the Honey Stick Project, where 50 fully-charged mobile devices were loaded with fake personal and corporate data and then dropped in publicly accessible spots in five different cities …Tracking showed that 96-percent of the devices were accessed once found (PDF), and 70-percent of them were accessed for personal and business related applications and information. Less than half of the people who located the intentionally lost devices attempted to locate the owner. Interestingly enough, only two phones were left unaccounted for; the others were all found.”
The Honey Stick Project Home Page
Understanding the Human Threats to Mobile-Accessible Information
http://www.streetwise-security-zone.com/members/streetwise/adminpages/honeystickproject
The Symantec Smartphone Honey Stick Project REPORT
http://www.symantec.com/content/en/us/about/presskits/b-symantec-smartphone-honey-stick-project.en-us.pdf
Tomi Engdahl says:
ester hacker brags of mobe attack on Anonymous
http://www.theregister.co.uk/2012/03/13/jester_qr_exploits/
A hacker known as The Jester claims to have siphoned personal information from prominent members of Anonymous, a US politician and other assorted “enemies” after running a mobile malware-based attack that relied on the curiosity of his intended victims. The raid is unconfirmed.
The Jester said he laid a trap for intended victims by changing the icon for his Twitter account (@th3j35t3r) to a QR-code
Victims induced “by their own curiosity” to scan this QR-code into their mobile phones were taken to a website loaded with mobile browser exploits that targeted both Android and iPhone users. The exploits reportedly relied on security bugs lodged inside the WebKit framework that is used by several mobile browsers.
According to the hacker, malicious code he used in the “attack” handed over the compromised users’ Twitter credentials via a netcat command to the so-called patriot hacker. The Jester claims he checked these credentials against a list of known targets before moving on to the next phase of the attack: further exploitation.
Curiosity Pwned the Cat
http://th3j35t3r.wordpress.com/2012/03/09/curiosity-pwned-the-cat/
Tomi Engdahl says:
New Internet Explorer 10 memory protection features not just for Internet Explorer
http://digg.com/newsbar/topnews/new_internet_explorer_10_memory_protection_features_not_just_for_internet_explorer
The existence of flaws in browsers is nowadays taken for granted: what security researchers are most interested in is the mitigation techniques browsers use to try to render those flaws harmless. Microsoft published a recent blog post discussing some of the new mitigation techniques that will be used in Internet Explorer 10.
What’s new in Internet Explorer 10? Technically, nothing. New to Windows 8, however, is a much improved version of ASLR, Address Space Layout Randomization, and Internet Explorer 10 takes full advantage of the new capabilities. ASLR is another mitigation technique, designed to make it harder to take advantage of software flaws.
ASLR in turn is created to combat these techniques; both of them depend on the DLLs being in predictable locations in memory; the attacker includes the addresses of the different pieces of executable code it wants as part of their attack. By shuffling DLLs around in memory, this predictability no longer exists.
Windows Vista was the first Microsoft operating system to include ASLR, and it was essentially unchanged in Windows 7. ASLR is useful, but it has limitations.
For the third issue, Windows 8 will randomize more kinds of memory allocation.
Taken together, these features will make Windows 8 programs (or at least, Windows 8 programs that opt in to using ForceASLR and HEASLR) harder to exploit, which means that they’ll make Internet Explorer 10 harder to exploit. It’s very likely that the Chrome and Firefox Metro browsers will opt in to these systems too, giving them equal access to the new capabilities.
Tomi Engdahl says:
Internet Crime Focus Of Black Hat Europe
http://www.informationweek.com/news/security/management/232602571
Security and cryptography experts at Amsterdam conference consider the enormity of securing a world where everything–from smartphones to power plants to cars–is connected to the Internet.
“The Internet needs crime.”
So said cryptographer Whitfield Diffie Wednesday in his keynote speech opening this year’s Black Hat Europe conference in Amsterdam.
Diffie’s crime message has obvious upsides for the 400 career information security practitioners, consultants, and analysts who are attending or speaking at this week’s conference, given the job-security repercussions. But sociologically speaking, Diffie’s observation that good guys can’t exist without bad guys also helps explain the rise of–and collective fascination with–cybercriminals and groups such as Anonymous and LulzSec, which while not always engaged in criminal activities, oftentimes have at least skirted the edge of legality.
Tomi Engdahl says:
51% of Internet Traffic Is “Non-Human”
http://tech.slashdot.org/story/12/03/15/0056253/51-of-internet-traffic-is-non-human
“Cloud-based service Incapsula has revealed research indicating 51 per cent of website traffic is through automated software programs, with many programmed for malicious activity. The breakdown of an average site’s traffic is as follows: 5% is due to hacking tools looking for an unpatched or new vulnerability within a site, 5% is scrapers, 2% is from automated comment spammers, 19% is the result of ‘spies’ collating competitive intelligence, 20% is derived from search engines (non-human traffic but benign), and only 49% is from people browsing the Internet.”
51% Of Internet Traffic Is ‘Non-Human’
http://www.itproportal.com/2012/03/14/51-internet-traffic-non-human/#ixzz1p7FFrR84
The breakdown of an average site’s traffic is as follows:
- 5% is due to hacking tools looking for an unpatched or new vulnerability within a site.
- 5% is scrapers.
- 2% from automated comment spammers.
- 19% the result of “spies” collating competitive intelligence.
- 20% derived from search engines (non-human traffic but benign).
- 49% from people browsing the Internet.
Co-founder of Incapsula, Marc Gaffan, said: “Few people realize how much of their traffic is non-human, and that much of it is potentially harmful.”
Read more: http://www.itproportal.com/2012/03/14/51-internet-traffic-non-human/#ixzz1pBHlnvc1
Report: 51% of web site traffic is ‘non-human’ and mostly malicious
http://www.zdnet.com/blog/foremski/report-51-of-web-site-traffic-is-non-human-and-mostly-malicious/2201?tag=mantle_skin;content
Incapsula, a provider of cloud-based security for web sites, released a study today showing that 51% of web site traffic is automated software programs, and the majority is potentially damaging, — automated exploits from hackers, spies, scrapers, and spammers.
Incapsula offers a service aimed at securing small and medium sized businesses. It has a global network of nine data centers that analyze all traffic to a customer’s site and blocking harmful exploits in real-time, while also speeding up page loading times through cached content closer to users.
Tomi Engdahl says:
How Secure is that mobile device?
http://www.controleng.com/single-article/how-secure-is-that-mobile-device/b0c27cb114.html
Real-life study focused on SMB’s shows most companies have incomplete security practices when it comes to using mobile devices with company networks.
Mobilisafe mapped more than 38 million employee mobile device connections that provided key data for their analysis and interim results. This analysis has uncovered several startling insights:
• The majority of SMB’s are highly mobilized, driven by the bring-your-own-device (BYOD) trend of recent years
• SMB IT managers significantly underestimate the quantity and kinds of mobile devices connecting to their network
• SMB IT departments lack solutions to map their corporate standard for information security used with laptops, desktops, and servers to mobile devices. For example, they have tremendous difficulty determining if mobile devices are up-to-date with the latest firmware, and
• Even though there are serious concerns about data risk on mobile devices, SMBs do not feel they have adequate tools to determine those risks and respond to them.
This lack of visibility to mobile devices and their usage can have serious consequences, especially when employee-owned devices are lost, stolen, or resold to others outside the company.
Some key data from the study:
• On average, >80% of employees are already using smartphones and tablets
• A new device model was introduced to a company for every 6.6 employees
• 56% of iOS devices were running out-of-date firmware, and
• 39% of total authenticated devices were inactive >30 days, prompting concerns and conversations with employees about lost, sold, or otherwise misplaced devices with employee credentials and sensitive corporate data.
Tomi Engdahl says:
FBI warns Congress of terrorist hacking
http://www.zdnet.com/blog/security/fbi-warns-congress-of-terrorist-hacking/10601
The Federal Bureau of Investigation (FBI) is warning Congress that terrorist groups may employ hackers to attack the United States. Separately, Anonymous was brought up by the FBI.
Robert S. Mueller III, Director of the Federal Bureau of Investigation (FBI), yesterday warned Congress of terrorist hacking in the “FBI Budget Request for Fiscal Year 2013.” He believes that while terrorists haven’t hacked their way into the U.S. government yet, it’s only a matter of time.
Here’s an excerpt of Mueller’s testimony to a House appropriations subcommittee reviewing the FBI’s budget:
To date, terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent. Terrorists have shown interest in pursuing hacking skills. And they may seek to train their own recruits or hire outsiders, with an eye toward pursuing cyber attacks. These adaptations of the terrorist threat make the FBI’s counterterrorism mission that much more difficult and challenging.
On February 28, 2012, the hacktivist group Anonymous hacked into a telephone conversation taking place between FBI authorities in New York and law enforcement in London.
Tomi Engdahl says:
Mobile app privacy: You get what you pay for
GSMA privacy-by-design guidelines embraced by carriers … but not app stores
http://www.theregister.co.uk/2012/03/16/mobile_app_privacy_analysis/
Mobile app privacy controversies have dominated the technology headlines over recent weeks, but the push for tighter privacy standards may upset existing business models, which often use targeted advertising to subsidise the price users pay for the apps.
The GSM Association (GSMA) has responded to heightened concerns about the privacy of mobile applications with the launch of new guidelines designed to offer punters greater transparency and control over how apps use their personal information.
The new privacy enhancing guidelines for mobile application developers were launched at the MWC conference in Barcelona earlier in March. The framework seeks to make privacy-protecting measures a core part of the mobile software development process, not as an afterthought or an “add-on”. The idea of hardwiring privacy into the development process is embodied by the concept of “Privacy by Design” (PbD), where developers would be asked to enable the most restrictive privacy settings by default, for example.
The guidelines seek to bring harmonisation to the widely different approach to privacy applied by disparate developers across multiple companies.
Mobile telcos including Vodafone, Orange and Deutsche Telekom signed up to the policy at MWC12.
“I think the big players are likely to cherry-pick, because with some elements they can do a big promotion that makes them look good in the market. But I think there are also elements that will restrict what they can do and may constrain some of their business models,” Little told Computerworld.
“As more and more ‘free’ applications attempt to monetise their offerings, we will likely see more personal information being shuttled out to marketing and advertising data aggregation firms. Application developers may not even be aware of the privacy violations they are introducing by using third-party advertising libraries,” Veracode researcher Tyler Shields warns in a blog post on mobile app privacy.
Lee argued that greater transparency between app developers and users is needed.
“The situation is something the app development industry needs to address, because it’s eroding customer trust and confidence,” Lee said.
“Surely it would be better to demonstrate to our customers that we can form an open, trustworthy relationship with them, and that they don’t need to review and approve every move we might try to make,” he concluded.
Tomi Engdahl says:
RIAA chief: ISPs to start policing copyright by July 12
http://news.cnet.com/8301-31001_3-57397452-261/riaa-chief-isps-to-start-policing-copyright-by-july-12/
Comcast, Time Warner and Verizon are among the ISPs preparing to implement a graduated response to piracy by July, says the music industry’s chief lobbyist.
The country’s largest Internet service providers haven’t given up on the idea of becoming copyright cops.
Last July, Comcast, Cablevision, Verizon, Time Warner Cable and other bandwidth providers announced that they had agreed to adopt policies designed to discourage customers from illegally downloading music, movies and software. Since then, the ISPs have been very quiet about their antipiracy measures.
Cary Sherman, CEO of the Recording Industry Association of America, said most of the participating ISPs are on track to begin implementing the program by July 12.
Tomi says:
CIA Chief: We’ll Spy on You Through Your Dishwasher
http://www.wired.com/dangerroom/2012/03/petraeus-tv-remote/
More and more personal and household devices are connecting to the internet, from your television to your car navigation systems to your light switches. CIA Director David Petraeus cannot wait to spy on you through them.
Once upon a time, spies had to place a bug in your chandelier to hear your conversation. With the rise of the “smart home,” you’d be sending tagged, geolocated data that a spy agency can intercept in real time when you use the lighting app on your phone to adjust your living room’s ambiance.
“Items of interest will be located, identified, monitored, and remotely controlled through technologies such as radio-frequency identification, sensor networks, tiny embedded servers, and energy harvesters — all connected to the next-generation internet using abundant, low-cost, and high-power computing,” Petraeus said, “the latter now going to cloud computing, in many areas greater and greater supercomputing, and, ultimately, heading to quantum computing.”
Petraeus allowed that these household spy devices “change our notions of secrecy” and prompt a rethink of “our notions of identity and secrecy.” All of which is true — if convenient for a CIA director.
Tomi Engdahl says:
“Fileless” malware installs into RAM
Exploit found in Russian adware invades process, doesn’t install files
http://www.theregister.co.uk/2012/03/18/fileless_malware_found/
Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims PCs.
Once under your machine’s guard, the malware tries to attack Windows User Account Control so it install the Lurk Trojan and connect to an associated botnet. That installation attempt is the malware’s key task, as living in RAM means fileless malware won’t survive a system reboot.
That the malware is able to do so is down to a known Java vulnerability, CVE-2011-3544 to be precise.
Tomi Engdahl says:
Privacy suit filed against Path, Twitter, Apple, Facebook, others
Address book issue with mobile apps prompts privacy lawsuit against app makers.
http://news.cnet.com/8301-27080_3-57399021-245/privacy-suit-filed-against-path-twitter-apple-facebook-others/
Tomi Engdahl says:
Windows Remote Desktop Exploit In the Wild
http://it.slashdot.org/story/12/03/19/014248/windows-remote-desktop-exploit-in-the-wild
Identified as CVE-2012-0002 and patched by Microsoft on Tuesday, the critical vulnerability can be exploited remotely to execute arbitrary code on systems that accept RDP connections.
Doesn’t everyone with a clue use it via a VPN anyway?
How often is it ‘people with a clue’ that attackers are after?
The incident brings into question vulnerability Microsoft’s program which is intended to alert security partners before the patches themselves are released. The idea is to give the security vendors time to prioritise and test the fixes, however in this instance, it left their customers vulnerable.
Tomi Engdahl says:
More than half of Google Play apps could pose security risks
Use of ad libraries creates back door into handsets
http://www.theinquirer.net/inquirer/news/2161964/half-google-play-apps-pose-security-risks
In a recent study of 100,000 apps in the Google Play market, researchers from North Carolina State University (NCSU) found that more than half contained so-called ad libraries. And 297 of the apps included “aggressive” ad libraries that were enabled to download and run code from remote servers, which the boffins warn raises “significant privacy and security concerns”.
“Running code downloaded from the internet is problematic because the code could be anything,”
“For example, it could potentially launch a root exploit attack to take control of your phone – as demonstrated in a recently discovered piece of Android malware called RootSmart.”
He explained that the in-app ad libraries, which are provided by Google, Apple or other third-parties, retrieve advertisements from remote servers and run the ads on a user’s smartphone periodically. Every time an ad runs, the app developer receives a payment. However, the research team warns that the practice opens up potentially serious security holes because the ad libraries receive the same permissions that the user granted to the app itself when it was installed.
The NCSU boffins found that 48,139 of the apps – one in 2.1 – had ad libraries that tracked a user’s location via GPS, presumably to allow an ad library to better target ads to the user.
“These ad libraries pose security risks because they offer a way for third parties – including hackers – to bypass existing Android security efforts. Specifically, the app itself may be harmless, so it won’t trigger any security concerns. But the app’s ad library may download harmful or invasive code after installation.”
Yoshiko Glaves says:
I usually do not leave many responses, however I browsed a few remarks on this page Security trends for 2012 Tomi Engdahl’s ePanorama blog. I actually do have 2 questions for you if it’s allright. Is it simply me or does it seem like a few of the comments look as if they are left by brain dead visitors?
And, if you are posting on other online social sites, I’d like to keep up with you. Could you post a list of the complete urls of all your public sites like your twitter feed, Facebook page or linkedin profile?
tomi says:
https://twitter.com/#!/epanoramanet
Tomi Engdahl says:
Report: Hacktivists Out-Stole Cybercriminals in 2011
http://www.wired.com/threatlevel/2012/03/hacktivists-beat-cybercriminals/
Just two years ago, cybercriminal gangs were behind record-breaking data breaches that resulted in the theft of millions of customer records. But the year 2011 will be remembered as the year hacktivists out-stole cybercriminals to take the top data breach award, according to a new report released by Verizon on Thursday.
More than 100 million of the 174 million stolen records Verizon tracked in 2011 were stolen by hacktivist groups, according to the authors of Verizon’s 2012 Data Breach Investigations Report.
“Many, troubled by the shadowy nature of its origins and proclivity to embarrass victims, found this trend more frightening than other threats, whether real or imagined,” according to the authors of the Verizon report. “Doubly concerning for many organizations and executives was that target selection by these groups didn’t follow the logical lines of who has money and/or valuable information. Enemies are even scarier when you can’t predict their behavior.”
An example is the restaurant and hospitality industry, which has been the hardest hit industry when it comes to data loss, accounting for 54 percent of breaches. Retail was the next hardest hit, with 20 percent of breaches. This is not surprising since most criminal breaches are financially motivated
More than 112,000 payment cards were compromised from 163 franchise locations, and at least 800 other retail computer systems in various hotels, movie theaters, medical facilities, cafes and pizzerias were also compromised by the same group, resulting in more than $20 million in losses.
Verizon’s 2012 Data Breach Investigations Report.
http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf
Verizon: Hacktivists stole 100 million+ records in 2011
http://news.cnet.com/8301-27080_3-57402063-245/verizon-hacktivists-stole-100-million-records-in-2011/
Hacktivists emerge as a big threat in 2011, targeting large organizations and stealing more records than financially motivated criminals, report finds.
Financially motivated criminals were behind most of last year’s data breaches, but hacktivists stole almost twice as many records from organizations and government agencies, according to the Data Breach Investigations Report being released by Verizon today.
In total, there were 855 data breaches across 174 million stolen records, representing the second highest data loss Verizon researchers have seen since they began compiling data in 2004. More than 80 percent used hacking, nearly 70 percent incorporated malware, and only 7 percent used social tactics.
Lost business costs from a breach declined 34 percent to $3 million, which includes abnormal turnover of customers, or churn, increased customer acquisition activities, reputation losses, and diminished goodwill.
Not surprisingly, organizations that have a chief information security officer had lower costs for data breaches. “It is a signal that the organization has got its act together from a governance perspective and are more likely to be able to deal with a breach from a regulatory and controls standpoint,” Ponemon said.
http://www.tietoviikko.fi/kaikki_uutiset/haktivistit+kyberterroristeja+suurempi+uhka+yritysverkoille/a792648?s=r&wtm=tietoviikko/-22032012&
In previous years, Verizon found out that most of the launch cyber-attacks have been relatively easily preventable. According to 96 percent of the attacks “were not very challenging,” and that up to 97 percent of all attacks would have been preventable with light or reasonable precautions.
Tomi Engdahl says:
Verizon Study Confirms 2011 Was The Year Of Anonymous, With 100 Million Users’ Data Breached By Hacktivists
http://www.forbes.com/sites/andygreenberg/2012/03/22/verizon-study-confirms-2011-was-the-year-of-anonymous-with-100-million-credentials-breached-by-hacktivists/
Anonymous may have had a rough 2012 so far, with dozens of its most active members arrested and one of its leaders and organizers revealed as a government informant. But a quick look at the stats shows that in terms of pure information mayhem, 2011 was its most effective year yet.
On Thursday, Verizon released its annual Data Breach Investigations Report, [PDF here] the largest study of its kind, and one that delves into data from hundreds of the company’s breach responses, along with those performed by law enforcement agencies including the U.S. Secret Service as well as Australian, Dutch, U.K. and Irish police. The result of this year’s study is clear enough: In 2011, hacktivists made their presence felt in the world of information security more than ever before, and by some measures even more than the financial criminals who usually dominate data breach statistics.
Of the 855 breach incidents from the last year that Verizon’s security team analyzed, three percent were attributed to “hacktivists.” That may seem like a small proportion, but Verizon’s director of security research Wade Baker says it’s giant compared to the same category in previous studies
But the real impact of last year’s radical hacktivism can be seen in the numbers of actual compromised records–each one representing data attached to an individual. Of the 177 million records stolen by hackers over the last year, 100 million were taken by hacktivists.
Of those data-stealing hacktivist attacks, the vast majority were the work of Anonymous or one of the movement’s subgroups, says Bryan Sartin, vice president of Verizon’s RISK security group. “At least three out of four were Anonymous, where a group like LulzSec or a message saying ‘We are Legion’ claimed credit.”
Verizon’s Baker notes that the hacktivist attacks the study analyzed show a lower number of skilled attacks on targets that produced a higher volume of stolen data when compared to the tactics of typical financially-motivated cybercriminals.
Tomi Engdahl says:
Meet the Hackers Who Get Rich Selling Spies Zero-Day Exploits
http://it.slashdot.org/story/12/03/21/1855202/meet-the-hackers-who-get-rich-selling-spies-zero-day-exploits
Forbes profiles Vupen, a French security firm that openly sells secret software exploits to spies and government agencies. Its customers pay a $100,000 annual fee simply for the privilege of paying extra fees for the exploits that Vupen’s hackers develop, which the company says can penetrate every major browser, as well as other targets like iOS, Android, Adobe Reader and Microsoft Word.
Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)
http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
“We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”
Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the explicit intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.
In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret.
Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost & Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques.
And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee.
Even at those prices, Vupen doesn’t sell its exploits exclusively.
Bekrar claims that it carefully screens its clients, selling only to NATO governments and “NATO partners.”
“We do the best we can to ensure it won’t go outside that agency,” Bekrar says. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”
Vupen is hardly alone in the exploit-selling game, but other firms that buy and sell hacking techniques, including Netragard, Endgame and larger contractors like Northrop Grumman and Raytheon, are far more tight-lipped than Bekrar’s small firm in Montpellier, France. Bekrar describes his company as “transparent.” Soghoian calls it “shameless.”