Here is my collection of security trends for 2012 from different sources:
Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”
F-Secure also says also that it might not be long before the cyber criminals turn their attentions to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.
Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.
Fake antivirus scams that have plagued Windows and Mac OSX during the last couple of years and now it seems that such fake antivirus scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android.. When antivirus software becomes a universally accepted requirement (the way it is on Windows is the day), has the platform has failed and missed the whole point of being mobile operating system?
Cyber criminals are developing more sophisticated attacks and the police will counterattack.
Mobile phone surveillance will increase and more details of it will surface. Last year’s findings have included Location data collecting smart-phones, Carrier IQ phone spying busted and Police Surveillance system to monitor mobile phones. In USA the Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.
Geo-location tagging in smartphones to potentially cause major security risks article says that geo-location tagging security issues are likely to be a major issue in 2012—and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphones images to the Internet (to portals such Facebook or Flickr) there’s a strong chance they will also upload the GPS lcoation data as well. This information could be subsequently misused by third parties.
You need to find your balance between freedom and security (
Vapauden ja turvallisuuden tasapaino). Usernames poured out for all to see, passwords and personal identification numbers are published. A knowledge of access management is even more important: who has the right to know when and where the role of functioning? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.
When designing networked services, the development of safety should taken into account in the planning stage, rather than at the end of execution. Even a secure network and information system can not act as operating a vacuum.
Reliability of the server certificates will face more and more problems. We can see more certificate authority bankruptcies due cyber attacks to them. Certificate attacks that have focused on the PC Web browsers, are now proven to be effective against mobile browsers.
Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
Rise of Printer Malware is real. Printer malware: print a malicious document, expose your whole LAN says that sending a document to a printer that contained a malicious version of the OS can send your sensitive document anywhere in Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers and HP Refutes Inaccurate Claims; Clarifies on Printer Security. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.
Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
According to Stonesoft security problems threaten the lives and the year 2012 may be the first time when we lose lives because of security offenses. According to the company does this happen remains to be seen, but the risk is due to industrial SCADA systems attacks against targets such as hospitals or automated drug delivery systems. I already posted around month ago about SCADA systems security issues.
849 Comments
Tomi Engdahl says:
GOP chairman: Google ‘supportive’ of controversial cybersecurity bill CISPA
http://thehill.com/blogs/hillicon-valley/technology/221977-gop-chairman-google-supportive-of-controversial-cybersecurity-bill-cispa
Rogers, the chairman of the House Intelligence Committee, said Google has been “supportive” of his Cyber Intelligence Sharing and Protection Act (CISPA), which has angered some of the same Internet activists who joined with Google to defeat the Stop Online Piracy Act (SOPA).
“They’ve been helpful and supportive of trying to find the right language in the bill,” Rogers said, adding that Google wants to protect consumers’ privacy and prevent regulation of the Internet.
A coalition of activist groups, including many veterans of the fight against anti-piracy legislation earlier this year, organized protests this week against CISPA, warning it would undermine online privacy.
Google played a central role in the protests against SOPA and PIPA, blacking out its logo and gathering more than 7 million signatures for a petition against the legislation.
The company warned that the anti-piracy bills would lead to censorship of the Internet.
But Rogers said technology companies support his cybersecurity bill because it relies on voluntary information-sharing to help companies combat cyberattacks.
Other supporters of CISPA include Microsoft, IBM, Oracle, Symantec, AT&T and Verizon.
CISPA, which is scheduled for a vote in the House next week, would tear down legal barriers that discourage companies from sharing information about cyberattacks.
Tomi Engdahl says:
Spoiler Alert: Your TV Will Be Hacked
http://entertainment.slashdot.org/story/12/04/18/0312206/spoiler-alert-your-tv-will-be-hacked
With rising popularity of Internet-enabled TVs, the usual array of attacks and exploits will soon be coming to a screen near you. ‘Will Internet TVs will be hacked as successfully as previous generations of digital devices? Of course they will. Nothing in a computer built into a TV makes it less attackable than a PC. … Can we make Internet TVs more secure than regular computers? Yes. Will we? Probably not. We never do the right things proactively.
Tomi Engdahl says:
Spy tech exports from Europe face tighter scrutiny
Strasbourg mulls new rules on surveillance software by 2013
http://www.theregister.co.uk/2012/04/18/eu_may_monitor_tech_exports/
The EU could soon introduce rules to monitor the deployment of internet censorship technology in autocratic regimes including China and Saudi Arabia.
The European Parliament is proposing a resolution to strengthen the accountability of countries that export gear used to block websites and eavesdrop on mobile communications.
“There is a race between those harnessing new media to the purpose of liberation and those who seek to use it for repression,” said Richard Howitt, a British Labour-party MEP and the investigator appointed to look into the issue.
The resolution, which is expected to be passed in Strasbourg on Thursday, will ask the European Commission to come up with rules for improving oversight of EU countries’ exports of tools that can be used for censorship by next year.
The use of surveillance, censoring and spy software came to light after nations bent on restricting access to information and communication channels turned to countries where freedom of speech and other human rights are supposed to be upheld.
However, he also said that “surveillance equipment, including telephone intercept equipment, covers a wide variety of equipment and software, and generally is not controlled because of its use for a wide variety of legitimate uses and its easy and widespread availability”.
Tomi Engdahl says:
Security researcher unearths plans for Iran’s halal Internet
http://arstechnica.com/tech-policy/news/2012/04/iran-publishes-request-for-information-for-halal-internet-project.ars
Iran appears to have recently published a Persian-language “Request for Information” (RFI) for an even-more filtered and monitored version of the Internet than what presently exists in the Islamic Republic. The RFI calls for “proper conditions for domestic experts in order to build a healthy Web and organize the current filtering situation,” and lists a deadline of April 19, 2012.
The document appears to be the latest step in what Iranian government officials have previously called the “halal Internet.” The government has not yet explained precisely what they mean, nor what its technical capabilities are, nor when it would launch.
“Currently the matter of Internet cleanup is being done via filtering at the Internet gateways of our country, which has had its own set of problems,” the RFI states, according to an English translation of the document.
Iran not likely cutting off Internet entirely
Revolution Guard network
Defeating the “Electronic Curtain”
Tomi Engdahl says:
White House issues privacy warning on CISPA-style laws
Even Berners-Lee and the EFF weigh in
http://www.theregister.co.uk/2012/04/18/white_house_cispa/
The White House has struck a pro-privacy stance on online security legislation such as the Cyber Intelligence Sharing and Protection Act (CISPA), which comes up for vote in the US House of Representatives next week.
“The nation’s critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone,” National Security Council spokeswoman Caitlin Hayden told The Hill. “Information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation’s urgent needs.”
While careful not to mention CISPA by name, the White House statement comes up at an interesting time for the law. CISPA has over 100 politicians signed up in support ahead of next week’s vote but a wave of online protest has been growing against it, similar to that seen against SOPA and PIPA, with the EFF beginning a week of protests against CISPA on Monday.
“CISPA would allow ISPs, social networking sites, and anyone else handling Internet communications to monitor users and pass information to the government without any judicial oversight,” said EFF Activism Director Rainey Reitman in a statement
As it stands CISPA would set up a mechanism to disperse security updates to commercial companies and utilities. It would also allow government agencies to request personal data on suspects from companies or utilities, indemnify companies who handed it over.
Tomi Engdahl says:
“Chrome is the best security for all browsers, but the protection of privacy is not so good,” said the security company F-Secure ‘s Chief Research Officer Mikko Hypponen, the ICT Expo 2012 trade fair in Helsinki on Thursday.
Research Director advises users to avoid the use of Java. If the Java have to be used, such as Sampo bank web site, then it should be used in different than a normal web browser used for web browsing.
“Please visit our web site such as Firefox and Chrome use the other navigation,” Hypponen said.
“Google and Facebook work in network as so-called Big Brother, that is, will know all the movements and actions of users, “Hypponen said.
Research Director notes that the use of Chrome you give yourself your data to Google. Chrome’s popularity has grown rapidly in recent times and has passed the Firefox browser, moving as soon as the second most popular browser.
Users will be aware that Google becomes aware of everything that visitors are searching for search engines.
“The problem is that Google sees everything we do in Google Adverts, Ads and Analytics, which can be found nowadays almost every web page,” Hypponen explained.
“Facebook users to know the same steps outside the site. It takes advantage of Facebook to the sides of the buttons, “Hypponen said.
Hypponen said the threats to your computer and mobile threats are different. “The mobile is a different attack tactics”
“The mobile malware has been allocated to complete than the other way around computers. Linux is in fact the most popular destination, while on Windows and Apple has not been observed in the mobile malware at all, “Hypponen said.
Source: http://www.tietoviikko.fi/kaikki_uutiset/fsecuren+hypponen+kayta+verkkopankissa+toista+selainta/a801359?s=r&wtm=tietoviikko/-19042012&
Tomi Engdahl says:
Mac OS X invulnerability to malware is a myth, says security firm
http://arstechnica.com/apple/news/2012/04/kaspersky-lab-mac-os-x-invulnerability-to-malware-is-a-myth.ars
Mac users can expect more OS X botnets, drive-by downloads, and mass malware from here on out. That’s according to security researchers from Kaspersky Lab, who said during a press conference on Thursday morning that anti-malware software is now a necessity for Mac users, and that “Mac OS X invulnerability is a myth.”
The firm acknowledged that malware for the Mac has existed for years but only recently started gaining more momentum thanks to a critical increase in Mac market share. In the case of Flashback (also known as Flashfake), the malware morphed from a socially engineered installation app to an attack that targeted an unpatched Java vulnerability.
(It’s worth noting that Kaspersky says the latest Flashback infection was spread via hijacked WordPress sites thanks to a vulnerability in the blog software. This means that trusted blogs visited by Mac users could have been used to spread the infection, debunking the myth that infections only happen by visiting shady websites or opening unidentified files.)
“Market share brings attacker motivation,”
DC van service to BWI says:
Informative and interesting at the same time. Will be back to see others too.Thank you very much.
Tomi Engdahl says:
Suckers! A Decade of Successful Internet Scams
http://www.securitynewsdaily.com/295-suckers-a-decade-of-successful-internet-scams.html
Based on their distribution and frequency, PandaLabs identifies the following as the most common scams of the decade
How do you avoid these scams? Well, if it sounds too good to be true – someone offering you money, companionship or a job out of the blue – then it almost certainly is.
“If recovering the stolen money was difficult in the old days, it is even harder now because criminals’ tracks are often lost across the Web,” Corrons said. “The best defense is to learn how to identify these scams and avoid taking the bait.”
Does he Love me says:
I would like to add that in case you do not currently have an insurance policy or you do not participate in any group insurance, you may well make use of seeking the aid of a health insurance agent. Self-employed or individuals with medical conditions ordinarily seek the help of an health insurance specialist. Thanks for your writing.
Tomi Engdahl says:
Cyber arms race will be next step in computer warfare, says F-secure’s Mikko Hypponen
http://www.theinquirer.net/inquirer/news/2169722/cyber-arms-race-step-warfare-secures-mikko-hypponen
SECURITY FIRM F-secure’s chief security researcher, Mikko Hypponen has warned that we are entering into a cyber warfare revolution, and that governments will soon attempt to outdo each other based on their computer weapons’ prowess.
The internet security expert said in an exclusive interview with The INQUIRER that any future crisis between technically advanced nations will involve cyber elements.
“I wasn’t expecting [war games] so soon,” Hypponen said.
“We’ve seen a revolution in defence technology and in technology generally over the past 60 to 70 years and I believe we are right now seeing the beginning of the next revolution: a cyber warfare revolution, which is going to as big as the revolutions we’ve seen so far in technology becoming part of defence, and part of wars,” he added.
Hypponen also predicted that it won’t be long before the world sees its first cyber arms race, including cyber war rehearsals to prove how strong countries are and boasting about their cyber skills to make other countries pay attention.
“Like nuclear in the sixties, cyber attacks are a deterrent and deterrents only work if your perceived enemies know that you have it,” he said.
At the beginning of this year, a report put out by the World Economic Forum rated cyber attacks as the fourth most likely risk to occur over the next 10 years.
Tomi Engdahl says:
Google Bumps Its Rewards For Friendly Hackers To As Much As $20,000 Per Web Bug
http://www.forbes.com/sites/andygreenberg/2012/04/23/google-bumps-its-rewards-for-friendly-hackers-to-as-much-as-20000-per-bug/
On Monday Google announced that it’s now offering as much as $20,000 to researchers who find new ways to hack its web services and then report those security vulnerabilities to the company’s security team to help them fix the flaws.
We’re confident beyond any doubt the [Vulnerability Reward] program has made Google users safer,” Google security staffers Michael Zalewski and Adam Mein wrote in a blog post.
But some hackers say that even $60,000 for a well-crafted hacking technique undervalues information that often fetches more than $100,000 from government agencies that use the same techniques to spy on users in secret. French security firm and exploit seller Vupen told me in March that it wouldn’t hand over its Chrome-hacking techniques to Google even for $1 million, and an exploit broker who goes by the handle the Grugq told me that the hackers who targeted Chrome in Google’s contest could have earned double the payout if they’d sold their exploits to offensive hackers.
But some hackers say that even $60,000 for a well-crafted hacking technique undervalues information that often fetches more than $100,000 from government agencies that use the same techniques to spy on users in secret. French security firm and exploit seller Vupen told me in March that it wouldn’t hand over its Chrome-hacking techniques to Google even for $1 million, and an exploit broker who goes by the handle the Grugq told me that the hackers who targeted Chrome in Google’s contest could have earned double the payout if they’d sold their exploits to offensive hackers.
Google is betting that hackers are driven not just by money, but by the motivation to make users safer rather than help exploit buyers to spy on them.
Tomi Engdahl says:
Iran’s Oil Industry Hit By Cyber Attacks
http://news.slashdot.org/story/12/04/24/0229203/irans-oil-industry-hit-by-cyber-attacks
Iran disconnected computer systems at a number of its oil facilities in response to a cyber attack that hit multiple industry targets during the weekend. A source at the National Iranian Oil Company (NIOC) reportedly told Reuters that a virus was detected inside the control systems of Kharg Island oil terminal, which handles the majority of Iran’s crude oil exports.
Iran Took Systems Offline After Cyber Attack Hit Oil Industry
http://www.securityweek.com/iran-took-systems-offline-after-cyber-attack-hit-oil-industry
Multiple Targets Hit During Cyber Attack Targeting Iranian Oil Industry
Iran disconnected computer systems at a number of its oil facilities in response to a cyber attack during the weekend, according to reports.
A source at the National Iranian Oil Company (NIOC) reportedly told Reuters that a virus was detected inside the control systems of Kharg Island oil terminal, which handles the majority of Iran’s crude oil exports. In addition, computer systems at Iran’s Oil Ministry and its national oil company were hit.
Back in 2010, Iran was discovered to be the main target of the infamous Stuxnet worm, which targeted the country’s uranium enrichment program. The country was also hit by Duqu, believed by many to be related to Stuxnet. Since then, the country has bolstered its cyber defenses
“Iran’s Revolutionary Guard claims to have created a “hack-proof” network for all sensitive data,” blogged Chester Wisniewski, senior security advisor at Sophos Canada. “I have yet to see a hack-proof network and if they have convinced themselves it’s true, perhaps that is part of the problem…One thing is clear, whether you are an oppressive regime, or simply an average small business, anyone who depends upon the internet will face malware threats and hacking attempts.”
To many in the security industry, the news comes hardly as a surprise. “Attacks on critical infrastructure are more common than many think. Because of a lack of disclosure in these industries many incidents ranging from sabotage and intellectual property theft to extortion go unreported,” Brian Contos, security director & consumer security strategist at McAfee told SecurityWeek.
“There is a strong expectation that we are going to see more attacks targeting critical infrastructure around the world,” Contos added. “Most organizations within critical infrastructure operate with a mix of legacy and modern equipment leveraging applications and protocols that facilitate both. This duality makes their assets vulnerable to a wider range of attacks than organizations in industries like retail and finance.”
“The real news here is that this type of campaign could clearly have a serious and detrimental impact- both financially and socio-politically,”
Tomi Engdahl says:
It’s up to parents to protect children online, says Google
http://www.telegraph.co.uk/technology/google/9222453/Its-up-to-parents-to-protect-children-online-says-Google.html
Parents are to blame if children view pornography online, an executive of Google has said.
Naomi Gummer, a public policy analyst at the internet giant, said it was a “myth” that laws can prevent children from viewing explicit material, because the pace of technological development would render legislation a “blunt instrument”.
She told a conference of child welfare experts: “The idea that laws can adequately protect young people is a myth. Technology is moving so fast that legislation is a blunt tool for addressing these challenges.
“But also the truth is that parents are complicit in their kids using underage social networking sites. It is about education, not using legislative leavers.”
Tomi Engdahl says:
Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords
http://it.slashdot.org/story/12/04/23/1836201/proof-of-concept-android-trojan-uses-motion-sensors-to-steal-passwords
TapLogger, a proof-of-concept Trojan for Android developed by resarchers at Pennsylvania State University and IBM, uses infrormation from the phone’s motion sensor to deduce what keys the user has tapped
This demonstration is simply showing a covert channel for information leakage that people may not have thought about before.
Tomi Engdahl says:
Interview with SANS’ Ed Skoudis: America losing the cybersecurity war to hackers
http://blogs.computerworld.com/20072/interview_with_sans_ed_skoudis_america_losing_the_cybersecurity_war_to_hackers
As much as we don’t like to hear about it, America is not winning the cyberwar. Malicious hackers are winning and China has penetrated “every major U.S. company.”
Skoudis is a security expert on hacker attacks and defenses, a world-renowned author and senior security consultant with InGuardians.
Yet officials confirmed that China has hacked every major US company. What do you have to say to the many people who believe reports of such cyberattacks are only scare tactics to give the government more power and control over private systems?
Ed Skoudis: In helping companies and government agencies respond to computer attacks, we have seen detailed evidence of foreign nation states deep inside computer networks of financial services companies, critical infrastructure systems, and manufacturing companies. We not only see the streams of packets going to and from other countries, we can also watch the attackers’ activities on the computer systems, as they search for sensitive information to gain competitive economic advantage, as well as to plan command-and-control software.
Ed Skoudis: The US Government has many tens of thousands of people that are focused on information security compliance, where they measure this or that security aspect on an annual basis for an assessment report. Unfortunately, such measurements are just a limited snapshot in time, and the efforts of these people at mere measurement tend to be a bureaucratic exercise which provides little help in actually securing their organizations. Their paper-based measurements usually don’t find the bad guys who are so deeply embedded on their computer systems.
What we need are more people with in-depth, hands-on skills for hunting down bad guys on already-infected networks. That is, we need expertise in draining the swamp — people experienced in finding the very subtle control channels and backdoors planted by the bad guys and eradicating them.
Ed Skoudis: The SCADA infrastructure associated with the power grid is a big concern. These systems were built without the intention of ever connecting them to a public network such as the Internet. Unfortunately, though, these systems are now controlled from networks that are indeed interconnected with the Internet. A computer attacker could exploit a power company computer network through the Internet, and then pivot through other networks to ultimately hit SCADA systems. Worse yet, even when SCADA systems are air-gapped from public networks, attackers have been remarkably effective in hoping that air gap with their infections using USB thumb drives or compromised laptops that are connected to the target network.
By attacking power grid systems, attacker could cause significant physical damage to the network, resulting in large scale blackouts that could require a lot of time to fix, possibly days or weeks.
Tomi Engdahl says:
Wannabe infosec kingpins: Forget tech, grab a clipboard
Ditch the debugger, bone up on biz risk management
http://www.theregister.co.uk/2012/04/25/ciso_advice_risk_management/
Budding chief information security officers (CISOs) would be better off boning up on business, communication, and risk management skills than getting bogged down in detailed discussions about technology, according to a panel of senior security professionals.
The overwhelming message from the InfoSecurity Summit 2012 in Hong Kong, was that CISOs need to be trusted and they need to add value, but most importantly they must understand risk in all areas of the business and then manage that risk proactively.
“The days of the CISO being technology-focused are over; the role is much more transversal now,” argued Jerome Walter, chief security officer Asia Pacific at French bank Natixis. “You should build relationships. Each department has different risk, different issues and you need to create an image of trust so they’ll come to you.”
“You need to deeply understand what the business does to be effective,” he said. “You need to better understand how the business operates more than you need to know about the security technology – that can be handled by someone else.”
This is not to say that CISOs should have no competence in technology
“The fundamental principles of security have stayed the same over the years and a good CISO has to have enough understanding of technology to communicate with the tecchie people and the higher level management,” he explained.
Tomi Engdahl says:
Cloudy crypto SSO firm: Passwords must go
Ping Identity: Forget ‘insecure and annoying’ logins… and buy our kit
http://www.theregister.co.uk/2012/04/25/ping_identity/
The firm is using the Infosec show to promote Ping One, launched in late March as a way of offering ID-as-a-service. Ping Identity is also talking up the potential for single sign-on in the clouds to sound the death knell for passwords.
Ping One allows firms to offer workers access to a range of cloud-based applications (Salesforce, Google Apps etc) through a portal or virtual desktop that they only need to sign into once, avoiding the need to remember sign-in credentials for the multiple different applications they need to use. Information on what application a user is entitled to log into is taken from one central user directory, such as Microsoft Active Directory. Federated SSO protocols such as SAML, OAuth, and OpenID are used to exchange tokens that allow users to access applications.
Single sign-on (SSO) has been a holy grail for segments of the security industry for years. And vendors have offered up appliances and services, largely targeted at enterprises, to do just that for some years. The technology is designed to cut down on help-desk calls by workers who have forgotten their passwords and other similar costly distractions.
PingOne is being targeted towards SMEs, departments in larger firms and application providers.
In practice, IT managers have told us that SSO offers a way to reduce the amount of passwords corporates are obliged to manage – but that it cannot achieve the one-password-to-rule-them-all goal the marketing hype around the technology promises to offer.
“Passwords are insecure and annoying,” Oberg told El Reg. “They have to go,” he added
In place of passwords, Oberg favours multi-factor authentication using one-off four digit passcodes sent to mobile phones, as well as pattern-based authentication or biometrics (such as fingerprint readers). “Multi-factor authentication can reduce, if not eliminate, the number of passwords,” he said. “We should be moving towards strongly authenticated non password-based identity,” he added.
Tomi Engdahl says:
Should the FDA Assess Medical Device Defenses Against Hackers?
http://science.slashdot.org/story/12/04/24/1942212/should-the-fda-assess-medical-device-defenses-against-hackers
The vulnerability of wireless medical devices to hacking has now attracted attention in Washington. Although there has not yet been a high-profile case of such an attack, a proposal has surfaced that the Food and Drug Administration or another federal agency assess the security of medical devices before they’re sold.
Should FDA Assess Medical Device Defenses Against Hackers?
http://www.informationweek.com/news/healthcare/security-privacy/232900818
Federal advisory board calls for Congress to assign responsibility for preventing medical cyber-attacks.
The vulnerability of wireless medical devices to hacking has attracted attention in Washington. Although there has not yet been a high-profile case of such a cyber-attack, the Information Security and Privacy Advisory Board, which advises the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), recently proposed that the Food and Drug Administration (FDA) or another federal agency assess the security of medical devices before they’re sold.
Congressional interest in the issue was prompted by a public demonstration of how easy it is to hack into a medical device: Security researcher Jeremy Radcliffe hacked his own insulin pump at a recent conference in Las Vegas, using a dongle attached to a PC port to change settings on the device wirelessly.
In 2008, researchers at the Medical Device Security Center in Amherst, MA, also hacked pacemakers and defibrillators wirelessly. An article in Wired Magazine noted that an attacker could use such an approach to kill somebody by sending a fatal shock to a pacemaker, for example.
The FDA has so far received no reports of patient safety incidents tied to the hacking of medical devices such as heart monitors and infusion pumps. But a Department of Veterans Affairs (VA) study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware.
Meanwhile, the Information Security and Privacy Advisory Board (ISPAB) believes the government should take action now. In a March 30 letter to OMB, ISPAB chair Daniel J. Chenok said, “The lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm.”
Chenok suggested that the FDA should work with NIST “to research cybersecurity features that could be enabled by networked or wireless medical devices in Federal settings.”
Firewall can stop medical device ‘hacking’
http://www.upi.com/Science_News/2012/04/12/Firewall-can-stop-medical-device-hacking/UPI-19931334276290/
U.S. researchers say a prototype firewall can keep hackers from interfering with wireless medical devices such as pacemakers and insulin-delivery systems.
A team of scientists from Purdue and Princeton universities had previously demonstrated how medical devices could be hacked, potentially leading to catastrophic consequences.
“You could imagine all sorts of scary possibilities,”
The potentially vulnerable devices include pacemakers and continuous glucose monitoring and insulin delivery systems for patients with diabetes, now in use by hundreds of thousands of people, a Purdue release said Thursday.
While risk of devices being hacked may be low, he said, security measures are merited before “attacks” in the lab are replicated on real systems.
The researchers have created a prototype system called MedMon, for medical monitor, which acts as a firewall to prevent hackers from hijacking the devices.
“It’s an additional device that you could wear, so you wouldn’t need to change any of the existing implantable devices,” Raghunathan said. “This could be worn as a necklace, or it could be integrated into your cellphone, for example.”
Tomi Engdahl says:
Watchdog finds undeleted data on second-hand disk drives
http://www.bbc.com/news/technology-17827562
One in 10 second-hand hard drives still contain the original user’s personal information, suggests an investigation by the UK’s Information Commissioner’s Office (ICO).
It purchased devices from auction sites such as eBay and computer fairs.
Of the 200 hard disks collected, 11% contained personal information.
At least two of the drives had enough information to enable someone to steal the former owners’ identities, the watchdog said.
A separate survey by the ICO indicated that one in 10 people who had disposed of a mobile phone, computer or laptop had not wiped the device.
21% of users now chose to sell their old mobile phones, computers and laptops rather than get rid of them, it suggested. It added that the trend was even more common among 18-24 year-olds among whom the figure rose to 31%.
“We live in a world where personal and company information is a highly valuable commodity,”
“It is important that people do everything they can to stop their details from falling into the wrong hands.”
Tomi Engdahl says:
UK hardware recyclers are rubbish at security
http://www.theinquirer.net/inquirer/news/2170098/uk-hardware-recyclers-rubbish-security
The ICO has warned that people are becoming sponges for the muck put out by online scammers and are in danger of being seen as a “soft touch” because they keep doing stupid things like throwing away hard drives with their personal data on them.
In an investigation the ICO found that one in ten secondhand drives sold on the internet could contain personal information. It used the term “residual” here, suggesting that some attempts may have been made to delete data.
In a study the ICO and a computer forensics company looked at 200 hard drives, 20 memory sticks and 10 mobiles phones that they sourced via online auction sites and computer trade fairs.
A staggering 34,000 files with personal or corporate information were recovered from the devices, including information about the employees and clients of four organisations.
“Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered.”
The ICO has published guidance to help individuals securely delete information from their devices.
Tomi Engdahl says:
Survey: Malware Response teams fear 2012 threats will grow in number and sophistication
http://www.controleng.com/single-article/survey-malware-response-teams-fear-2012-threats-will-grow-in-number-and-sophistication/2948af285a.html
A survey by Norman ASA reveals more than half of IT leaders believe that malware threats are their biggest worry for 2012. They’re also worried that the new malware is too sophisticated for their analysis and security capabilities.
More than half of IT leaders (62 percent) fear that malware is growing more sophisticated faster than they can upgrade their analysis capabilities. Additionally, 58 percent cited the growing number of threats as their biggest worry for 2012.
These findings, a concern for manufacturing, automation, and control cyber security efforts, are part of a major survey of malware analysis trends completed by an independent research firm for Norman ASA.
“It is widely recognized that the volume and sophistication of threats continues to grow dramatically, yet many organizations are only incrementally adding resources to better understand these threats,” said Darin Andersen, vice president and general manager, North America for Norman. “Analysis is a critical component of a comprehensive defense-in-depth strategy. Failure to maintain an updated understanding of these threats will leave networks increasingly vulnerable.”
Organizations that do plan to beef up their security capabilities will have a difficult time this year.
More than half of survey respondents (54 percent) use both internally-developed and commercially-available anti-malware analysis solutions. IT leaders who use commercial solutions outnumber those who have internally-developed solutions by more than 4-to-1 (37 percent versus 9 percent).
“IT leaders are falling behind and are turning increasingly to automated commercial solutions to close the gap,” Andersen said. “Fewer than half of surveyed companies will have bigger malware analysis budgets this year, and even among many of those, their teams will have limited time to train the new personnel.”
Tomi Engdahl says:
New report on control system cyber security incidents released
http://www.controleng.com/single-article/new-report-on-control-system-cyber-security-incidents-released/07954f07c0.html
RISI, the industrial network security monitoring organization, publishes its survey for 2011.
According to data in the Repository for Industrial Security Incidents (RISI) database, approximately 35% of industrial control system (ICS) security incidents were initiated through remote access. Supporting this finding is RISI survey results that indicate nearly 65% of facilities allow remote access to their control systems. These findings and many more are published in the 2011 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.
The 80-page 2011 Annual Report includes detailed analysis of the 220 incidents recorded in the RISI database from 2001 through the end of 2011.
The survey data provide very interesting insight into the current state of control system security especially when compared with data regarding actual incidents. For example, RISI data indicate that the percentage of control system security incidents caused by malware, while still very high (28%), has been steadily declining over the last five years. This trend is supported by survey data that indicate that more than 60% of facilities have implemented patch and anti-malware management programs.
Tomi Engdahl says:
White House Blasts CISPA, Promises Veto
http://www.readwriteweb.com/archives/white-house-blasts-cispa-promises-veto.php
The White House issued a statement today that it “strongly opposes” the Cyber Intelligence Sharing and Protection Act (CISPA) in its current form in the House of Representatives over consumer privacy concerns.
The White House stated that CISPA, “fails to provide authorities to ensure that the Nation’s core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality, and civil liberties safeguards.”
While it opposes CISPA, the White House did say that there needs to be legislation to address critical infrastructure vulnerabilities (such as water and the electric grid). Yet, the White House would like to achieve that, “without sacrificing the fundamental values of privacy and civil liberties for our citizens, especially at a time our Nation is facing challenges to our economic well-being and national security.”
Tomi Engdahl says:
VMware confirms source code leak, LulzSec-affiliated hacker claims credit
http://arstechnica.com/business/news/2012/04/vmware-confirms-source-code-leak-lulzsec-affiliated-hacker-claims-credit.ars
VMware has confirmed a leak of source code from the ESX hypervisor. The code was posted on Pastebin on April 8 by a hacker calling himself “Hardcore Charlie.”
“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers,” the company said.
This VMware source code reportedly was stolen from Chinese military contractor CEIEC, the China National Electronics Import-Export Corporation. VMware code wasn’t the only target.
Tomi Engdahl says:
Apple ’10 years’ behind Microsoft on security: Kaspersky
http://malware.cbronline.com/news/apple-10-years-behind-microsoft-on-security-kaspersky-250412
Welcome to Microsoft’s world, Eugene Kaspersky tells Apple
The recent Flashback/Flashfake malware outbreak targeting Apple’s Mac computers is likely to be just the start of a new wave of attacks aimed at the system, according to Kaspersky founder and CEO Eugene Kaspersky.
“I think they are ten years behind Microsoft in terms of security,” Kaspersky told us. “For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but this one was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.”
Kaspersky added that his company is seeing more and more malware aimed at Macs, which is unsurprising given the huge number of devices being sold.
“Apple is now entering the same world as Microsoft has been in for more than 10 years: updates, security patches and so on,” he added. “We now expect to see more and more because cyber criminals learn from success and this was the first successful one.”
“They will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software,” Kaspersky told CBR.
Tomi Engdahl says:
The Man Who Hacked Hollywood
http://www.gq.com/news-politics/newsmakers/201205/chris-chaney-hacker-nude-photos-scarlett-johansson
They’ve become a part of the pop-culture landscape: sexy, private shots of celebrities (your Scarletts, your Milas) stolen from their phones and e-mail accounts. They’re also the center of an entire stealth industry. For the man recently arrested in the biggest case yet, hacking also gave him access to a trove of Hollywood’s seamiest secrets—who was sleeping together, who was closeted, who liked to sext. What the snoop didn’t realize was that he was being watched, too
Tomi Engdahl says:
Conficker: Microsoft says two basic security steps might have stopped infections
http://www.networkworld.com/news/2012/042512-microsoft-conficker-258665.html?hpg1=bn
Microsoft Security Intelligence Report: Enterprise security operations let Conficker thrive
According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed.
So using strong passwords and boosting password security in combination with promptly patching known vulnerabilities would have gone a long way toward reducing the number of Conficker infections
Despite these simple steps, Conficker has remained at the top of the enterprise threat list for the past two and a half years, the study says.
The report has recommendations for businesses trying to battle advanced persistent threats (APT), which it describes as targeted attacks that can use a variety of methods and that are carried out by adversaries who are very determined. That determination and commitment to long-term infiltration are the key features of APTs, Rains says.
Businesses should also architect their networks in segments designed to contain successful attacks, giving IT security more time to discover them and respond.
Tomi Engdahl says:
Most of the Internet’s Top 200,000 HTTPS Websites Are Insecure, Trustworthy Internet Movement Says
http://www.pcworld.com/article/254546/most_of_the_internets_top_200000_https_websites_are_insecure_trustworthy_internet_movement_says.html
Ninety percent of the Internet’s top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems.
Half of the almost 200,000 websites in Alexa’s top one million that support HTTPS received an A for the quality of their configurations. This means that they use a combination of modern protocols, strong ciphers and long keys.
Despite this, only 10 percent of the scanned websites were deemed truly secure. Seventy-five percent — around 148,000 — were found to be vulnerable to an attack known as BEAST, which can be used to decrypt authentication tokens and cookies from HTTPS requests.
The BEAST attack was demonstrated by security researchers Juliano Rizzo and Thai Duong at the ekoparty security conference in Buenos Aires, Argentina, in September 2011. It is a practical implementation of an older theoretical attack and affects SSL/TLS block ciphers, like AES or Triple-DES.
The attack was fixed in version 1.1 of the Transport Layer Security (TLS) protocol, but a lot of servers continue to support older and vulnerable protocols, like SSL 3.0, for backward compatibility reasons. Such servers are vulnerable to so-called SSL downgrade attacks in which they can be tricked to use vulnerable versions of SSL/TLS even when the targeted clients support secure versions.
SSL Pulse scans also revealed that over 13 percent of the 200,000 HTTPS-enabled websites support the insecure renegotiation of SSL connections. This can lead to man-in-the-middle attacks that compromise SSL-protected communications between users and the vulnerable servers.
“For your average Web site — which will not have anything of substantial value — the risk is probably very small,” Ristic said. “However, for sites that either have a very large number of users that can be exploited in some way, or high-value sites (e.g., financial institutions), the risks are potentially very big.”
Fixing the insecure renegotiation vulnerability is fairly easy and only requires applying a patch, Ristic said.
TIM plans to perform new SSL Pulse scans and to update the statistics on a monthly basis in order to track what progress websites are making with their SSL implementations.
Tomi Engdahl says:
Ghost of HTML5 future: Web browser botnets
With great power comes great responsibility … to not pwn the interweb
http://www.theregister.co.uk/2012/04/27/html5/
HTML5 will allow web designers to pull off tricks that were previously only possible with Adobe Flash or convoluted JavaScript. But the technology, already widely supported by web browsers, creates plenty of opportunities for causing mischief.
During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 – from WebSockets to cross-origin requests – could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.
Many of the attack scenarios involve using JavaScript to create memory-resident “botnets in a browser”, McArdle warned, which can send spam, launch denial-of-service attacks or worse. And because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone will be able to run the platform-neutral code, utterly simplifying the development of malware.
Malicious web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are trivial to bypass – and HTTP-based attacks pass easily through most firewalls.
“The good stuff in HTML5 outweighs the bad,” he added. “We haven’t seen the bad guys doing anything bad with HTML5 but nonetheless it’s good to think ahead and develop defences.”
Tomi Engdahl says:
Backdoor in mission-critical hardware threatens power, traffic-control systems
http://arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars
In the world of computer systems used to flip switches, open valves, and control other equipment inside giant electrical substations and railroad communications systems, you’d think the networking gear would be locked down tightly to prevent tampering by vandals. But for customers of Ontario, Canada-based RuggedCom, there’s a good chance those Internet-connected devices have backdoors that make unauthorized access a point-and-click exercise.
That’s because equipment running RuggedCom’s Rugged Operating System has an undocumented account that can’t be modified and a password that’s trivial to crack. What’s more, researchers say, for years the company hasn’t bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.
The backdoor uses the login ID of “factory” and a password that’s recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script, according to this post published on Monday to the Full Disclosure security list.
Equipment running the Rugged Operating System act as the switches and hubs that connect programmable logic controllers to the computer networks used to send them commands. They may sit between the computer of a electric utility employee and the compact disk-sized controller that breaks a circuit when the employee clicks a button on her screen. To give the equipment added power, Rugged Operating System is fluent in the Modbus and DNP3 communications protocols used to natively administer industrial control and SCADA, or supervisory control and data acquisition, systems. The US Navy, the Wisconsin Department of Transportation, and Chevron are just three of the customers who rely on the gear, according to this page on RuggedCom’s website.
“The equipment is so widely installed that it would be logical to assume that something I’m doing—whether it’s riding a train, using power, or walking across a cross walk—depends on this.”
Forever day bugs bite again
In acknowledging but not fixing a security vulnerability in software that’s widely used to control critical infrastructure, RuggedCom joins a growing roster of companies marketing wares bitten by so-called forever-day bugs. The term, which is a play on the phrase zero-day vulnerability, refer to documented flaws in industrial systems that will never be fixed. Other members of this group include ABB, Schneider Electric, and Siemens. Indeed, RuggedCom was acquired by a Canada-based subsidiary of Siemens in March.
Tomi Engdahl says:
Microsoft Security Director: “Finland’s computers the world’s cleanest”
“Finland is a data security unique in that it is an example for the rest of the world,” said Microsoft in the security director Tim Rains .
According to a report last year, revised from the machine at the end of a thousand malicious software or viruses found worldwide average of 7 percent. In Finland, the corresponding transmission rate was only 1.6, which is one the world’s lowest. According to statistics only in Japan and China have fewer infections.
“I went six months ago and we have done in Finland , Telia-Sonera ‘s security practices in a case study. It turned out that there IT department to contact rapidly infected the operator and the machine is placed in quarantine, “Reins said.
“Such an active interventionist approach is unique. For example, in the United States would not be able to do so, because the Internet is considered the right to freedom of speech issue, “Reins compares the cultural differences.
Finland is probably explained by the exceptionally high figures for a good awareness of security issues. Microsoft announced in February the European-wide survey, Finns are the most up to date on information security compared to many other European countries.
Source: http://www.tietoviikko.fi/msareena/msuutiset/kaikkiareenauutiset/microsoftin+tietoturvajohtaja+quotsuomen+tietokoneet+maailman+puhtaimpiaquot/a803841?s=r&wtm=tietoviikko/-27042012&
Tomi Engdahl says:
The FBI Workaround For Private Companies To Share Information With Law Enforcement Without CISPA
http://www.forbes.com/sites/kashmirhill/2012/04/26/the-fbi-workaround-for-private-companies-to-share-information-with-law-enforcement-without-cispa/
A debate is currently raging in Washington, D.C. and various politically-engaged spots on the Internet over CISPA, a bill that promises to increase cybersecurity by giving private companies carte blanche to hand over information about cyberthreats they see on their networks.
That saves the government the trouble of getting pesky subpoenas and warrants as required by the Constitution and privacy laws.
Opponents worry about all kinds of sensitive information being served up to the government on a silver platter given the legal immunity granted to companies in the bill and the murky definitions of what constitutes a “cyber threat.”
In 1997, long-time FBI agent Dan Larkin helped set up a non-profit based in Pittsburgh that “functions as a conduit between private industry and law enforcement.” Its industry members, which include banks, ISPs, telcos, credit card companies, pharmaceutical companies, and others can hand over cyberthreat information to the non-profit, called the National Cyber Forensics and Training Alliance (NCFTA), which has a legal agreement with the government that allows it to then hand over info to the FBI. Conveniently, the FBI has a unit, the Cyber Initiative and Resource Fusion Unit, stationed in the NCFTA’s office. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI.
“We can bring the pieces of intelligence together so we can see what it really is,” says Larkin of the advantage of bringing security specialists from different sectors together.
Tomi Engdahl says:
Firms shouldn’t reject ‘bring your own device’, says McAfee CTO [Video]
http://www.theinquirer.net/inquirer/news/2171123/firms-shouldnt-reject-bring-device-mcafee-cto-video
SECURITY OUTFIT McAfee’s CTO Raj Samani told The INQUIRER at the 2012 Infosecurity Conference in London that businesess shouldn’t reject ‘bring your own device’ (BYOD) due to its level of productivity. Instead, organisations should consider the security risks and impliment appropriate protection to take advantage of the trend.
Tomi Engdahl says:
Sophos warns of Mac OS security vulnerabilities at Infosec 2012 [Video]
http://www.theinquirer.net/inquirer/news/2171099/sophos-warns-mac-security-vulnerabilities-infosec-2012-video
SECURITY VENDOR Sophos’ senior technology consultant Graham Cluley warns that it’s time for Apple users to take notice of the threats facing Mac OS X operating systems by securing their computers with antivirus software.
Tomi Engdahl says:
Olympic security: How Atos will ensure that technology systems are protected
http://www.theinquirer.net/inquirer/feature/2170792/olympic-security-atos-ensure-technology-systems-protected
While much of the physical security will be overt and visible – from security guards in hi-viz jackets to police sniffer dogs – those working to ensure the security of the technology in use will be hoping to remain under the radar.
Ensuring the security of the games from a technological point of view is vital, especially when one considers the increase in the types of online threats that now exist compared to previous Olympic events in Vancouver in 2010 or Beijing in 2008.
Threats have evolved to include rogue states looking to make a political point while the eyes of the world are focused on London and online collectives like Anonymous hoping to disrupt the games for reasons possibly too nebulous to comprehend.
“Technology should be invisible at the Olympic Games because that means everything is working well,” Michele Hyron, chief integrator for London 2012 at Atos explained to The INQUIRER.
“For every Games since 2002, Atos business technologists have been continually innovating security infrastructure and London 2012 will be no different.”
“We will be implementing the latest security monitoring solutions to filter, aggregate and prioritise potential IT events, so the team is immediately notified and can react quickly to any unusual or unexpected activity,” she said.
“Before the Games, our business technologists will have completed more than 200,000 hours of testing of the Games’ IT system.”
“You cannot underestimate the important role technology will play in the successful delivery of London 2012,” said chairman of London 2012 Sebastian Coe.
Tomi Engdahl says:
Oracle scrambles to contain 0-day disclosure snafu
http://www.zdnet.com/blog/security/oracle-scrambles-to-contain-0-day-disclosure-snafu/11738
Oracle rushes out a security advisory with workarounds for a dangerous Database Server security flaw that dates back to 2008.
The vulnerability, disclosed by researcher Joxean Koret after he mistakenly thought it had been fixed by Oracle, allows an attacker to hijack the information exchanged between clients and databases.
He went ahead and published technicals of the TNS Listener Poison Attack to urge database administrators to apply the patch but, alas, the issue is still unpatched.
Oracle then rushed out a security alert that confirms the severity of the flaw. ”This vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database,” the company warned.
Tomi Engdahl says:
‘Anonymous’ hackers plan to stop CISPA with Operation Defense: Phase 2 [video]
http://www.bgr.com/2012/05/01/anonymous-hackers-attack-cispa/
In a video recently uploaded to YouTube, Anonymous acknowledged that its traditional DDoS-style of attacks are becoming less effective because companies have upgraded their web servers to withstand such threats. The group states that “we will not stand while our rights are being taken away,” and is planning a traditional protest of the companies who support CISPA.
The protest will begin on Tuesday, May 1st, and continue through June 30th. Anonymous and its supporters will target, AT&T, IBM, Intel, Microsoft, Verizon Wireless, Bank of America, Chase Bank, McGraw-Hill, Coke and Pepsi, Target, WalMart, CVS and Visa, Mastercard and American Express.
Tomi Engdahl says:
ILOQ security alert. This lock, produced in Finland, is an award-winning patented electromechanical cylinder. We have analyzed this lock and believe it has fatal design defects which allow cylinders to be opened covertly within one minute.
http://www.youtube.com/watch?v=empOqaqXHvQ
http://www.iloq.fi/fi/uutiset/?u=3546534
Tomi Engdahl says:
London Olympics ‘not immune’ to cyber attack
Blighty puts together crack team to guard against intrusion
http://www.theregister.co.uk/2012/05/03/francis_maude_olympics_cyber_attack/
Cabinet Office minister Francis Maude has warned that the London Olympics will not be immune to cyber attack.
The man who urged all Blighty to start stocking up on petrol by pouring it into jerry cans said that a crack team has been set up dedicated to guarding the Games against attack.
“The Beijing Olympics saw 12 million cyber security incidents during their Olympics,” he said.
“We have rightly been preparing for some time – a dedicated unit will help guard the London Olympics against cyber attack – we are determined to have a safe and secure Games.”
“High-end cyber security solutions that were used 18 months ago by a limited number of organisations to protect their networks may already be out in the open marketplace – giving cyber criminals the knowledge to get round these protective measures.”
“A recent survey showed that one in seven large organisations have been hacked in the last year, with large organisations facing one outsider attack per week; small businesses face one a month,” he said.
“Intellectual property theft through cyber crime is a major concern. Countries and organisations across the globe are losing billions of pounds each year to cyber criminals.”
However, he insisted that the government was going to resist the temptation to over-regulate the internet and try to take control of it.
“The internet after all has flourished precisely because it has been shaped by its users, not by governments,” he said.
Tomi Engdahl says:
Cyber criminals have been transferred to social media
Online criminals have learned to use social media to network attacks. Security company Symantec reports that spam volume has been reduced, because criminals prefer social media channels instead of e-mail.
Source:
http://www.ts.fi/uutiset/kotimaa/341665/Verkkorikolliset+ovat+siirtyneet+sosiaaliseen+mediaan
Tomi Engdahl says:
Skype Knew of Security Flaw Since November 2010, Researchers say
http://blogs.wsj.com/cio/2012/05/01/skype-knew-of-security-flaw-since-november-2010-researchers-say/
Skype was told a year and a half ago about a security flaw that allows for the location tracking of customers, but left it unfixed, the security researchers who first discovered the vulnerability told CIO Journal.
The flaw, which allows hackers to secretly track IP addresses, should be of interest to CIOs. Skype, which is now owned by Microsoft, said last year about 37% of its 663 million community members use the “Skype product platform occasionally or often for business-related purposes.”
Researchers from Inria, a research institute in France, and the Polytechnic Institute of New York University, shared their original findings on the Skype vulnerability in November 2010, the team’s leader Stevens Le Blond told CIO Journal in a phone call on Tuesday. Their research, which was published in October 2011, showed the team was able to surreptitiously track the city-level location of 10,000 Skype users for two weeks. Last week, Le Blond re-tested his research and found Skype still had not fixed the vulnerability, he said.
When asked about the security flaw, Skype sent CIO Journal a statement stating the company was “investigating reports of a new tool,” used to capture IP addresses. Skype and Microsoft declined to comment further.
“By calling it a ‘new tool’ it means they don’t have to respond as urgently,” Le Blond said. “It makes it seem like they just found out.”
The team discovered they could mask brief calls to Skype users, preventing pop-up notifications and call histories that would identify them from appearing on the recipient’s computer or device. The recipients didn’t know that they had been called, and didn’t have to answer the call in order to be identified.
The researchers say the vulnerability could allow corporate rivals to track the movement of individuals from a company, as they travel between cities and states.
The researchers say they are surprised Skype and Microsoft have yet to solve the problem. Ross, the Polytechnic Institute researcher, says Skype has likely not fixed the vulnerability because it may be “deeply embedded in the code” and might require a “heavy restructuring.”
The process of fixing the security flaw in a platform used by hundreds of millions of people could be risky. “You can introduce new bugs and problems,” he said.
Tomi Engdahl says:
This is almost as good as the zero-day vulnerability from Thursday that affects all of Oracle database customers. Oracle knew of the critical vulnerability since 2008, led the researcher who discovered and reported the vulnerability (four years ago) to believe they had fixed it, only to backtrack after he released the details of the vulnerability, including proof of concept — and say that it “will be fixed in future versions of the product”. It is difficult to fathom how these companies can look themselves in the mirror, knowing how they are leaving their customers hung out to dry like this.
Source:
http://blogs.wsj.com/cio/2012/05/01/skype-knew-of-security-flaw-since-november-2010-researchers-say/
Tomi Engdahl says:
Microsoft Researchers say cybercrime loss estimates are a bunch of bunk
http://www.networkworld.com/community/blog/microsoft-researchers-say-cybercrime-loss-estimates-are-bunch-bunk
Microsoft Researchers Cormac Herley and Dinei Florêncio wrote about ‘The Cybercrime Wave That Wasn’t’ and ‘Sex, Lies and Cybercrime Surveys.’ Do you actually know any cybercrime billionaires? The researchers say you should have no faith whatsoever in the bloated billions to a trillion figures quoted about cybercrime losses. As for the password problem, they asked ‘Is everything we know about password stealing wrong?’
I’m not a really big fan of either the MPAA or the RIAA; their bloated figures on the cost of piracy are either written when high or the numbers are just flat-out made up.
The cybercrime wave, with all those scary numbers claiming cybercriminals are costing industries somewhere between “billions to $1 trillion,” is a bunch of bunk. Or so Florêncio and Herley wrote more eloquently in a New York Times article. “Cybercrime billionaires are hard to locate because there aren’t any,” they wrote in “The Cybercrime Wave That Wasn’t.” Nevertheless, the cybercrime stats floating around in the fear-factor stratosphere make cybercrime sound like a booming business.
The researchers suggested, “Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.”
Tomi Engdahl says:
Symantec: Religious Sites “Riskier Than Porn For Viruses”
http://it.slashdot.org/story/12/05/04/0054204/symantec-religious-sites-riskier-than-porn-for-viruses
“According to Symantec’s annual Internet Security Threat Report, religious and ideological websites have far more security threats per infected site than adult/pornographic sites. Why is that? Symantec’s theory: ‘We hypothesize that this is because pornographic Web site owners already make money from the Internet and, as a result, have a vested interested in keeping their sites malware-free — it’s not good for repeat business,’”
Religious sites ‘riskier than porn for viruses’
http://news.dc1.ninemsn.com.au/technology/8460700/religious-sites-riskier-than-porn-for-viruses
Web wanderers are more likely to get a computer virus by visiting a religious website than by peering at porn, according to a study released on Tuesday.
“Drive-by attacks” in which hackers booby-trap legitimate websites with malicious code continue to be a bane, the US-based anti-virus vendor Symantec said in its Internet Security Threat Report.
Websites with religious or ideological themes were found to have triple the average number of “threats” that those featuring adult content, according to Symantec.
“It is interesting to note that websites hosting adult/pornographic content are not in the top five, but ranked tenth,” Symantec said in the report.
Tomi Engdahl says:
Online crime is not a big threat, the leaders believe in the Finland
As many as 91 percent of the largest Finnish companies’ directors is confident that their companies has protected itself adequately against cybercrime, says Stonesoft in recent Corporate Leadership and Cybercrime barometer.
Although a small language area and a well-built network of Finnish companies reduce the risk of being attacked by cyber criminals, bad guys are the CEO Ilkka Hiidenheimo, according to a sour victory: “And no one not terribly secure. More money is stolen in bits already than the as physical money. ”
He points out that the probalilty that cyber criminals are being caught is negligible, less than one percent.
“And not really know where point between zero and one percent move in between. It is known that some the criminal has been caught. ”
More than 40 per cent of respondents believed that cyber-crime threats grow moderately over the next 12 months.
Finnish directors believes that crime can cause dents in particular to the company’s reputation. The company’s suppression is not perceived as a credible threat, even if information systems are more closely part of the company’s business base.
“Companies should also know how to prepare for unknown threats”
Source:
http://www.tietoviikko.fi/cio/verkkorikollisuus+ei+ole+iso+uhka+uskovat+suomalaisjohtajat/a805546?s=r&wtm=tietoviikko/-04052012&
Tomi Engdahl says:
Consumerization Trend Driving IT Shops “Crazy,” Gartner Analyst Says
http://www.cio.com/article/705448/Consumerization_Trend_Driving_IT_Shops_Crazy_Gartner_Analyst_Says
IT managers who grapple with Bring Your Own Device (BYOD) policies can expect to see an explosion of different devices used by their workers in the next few years.
“The number of devices coming in the next few years will outstrip IT’s ability to keep the enterprise secure,” he said. “IT can’t handle all these devices. They’re going crazy. They get into fights on whether users should get upgrades or not.”
And because IT shops won’t be able to keep up, software vendors will be forced to innovate and create what Dulaney called “beneficial viruses” — software that will be embedded in sensitive corporate data, such as financial or patient information, that’s carried on a smartphone or other mobile device. These beneficial viruses would work like Digital Rights Management (DRM) software seen on music and video files, which require a license to play the file, Dulaney explained.
“It’s time for the SAPs and Oracles to begin thinking about doing that, and it’s a lot harder than we think,” Dulaney said. “Inside every piece of [corporate] data there would be a beneficial virus that whenever the data found itself in the wrong place [such as on an unauthorized device], it would say, ‘I don’t see a license to be here and I will delete myself.’”
Gartner’s current advice to IT shops in managing mobile devices is to consider setting up all or some of three different tiers of support — platform, appliance and concierge. In platform support, IT offers full PC-like support for a device and the device is chosen by IT, and will be used typically in vertical applications.
With appliance-level support, IT supports a narrow set of applications on a mobile device, including server-based and Web-based application support on a wider set of pre-approved devices. Local applications are not supported.
With concierge-level support, IT provides hands-on support, mainly to knowledge workers, for non-supported devices or non-supported apps on a supported device. The costs for support, which can be generous, are charged back to the users under this approach.
Using a Web-based approach was “the easier, quicker and right thing to do, and we didn’t need to tap into the native device” to add a new application, Walton said. Down the road, she said ANICO might find the need to deploy native mobile apps used in the field by agents who handle sensitive data.
“If we go that way, we’d definitely need to look at the security aspect,” she said. “Most agents are independent and we’d have to figure out how to handle the loss of a device.”
Tomi Engdahl says:
Internet Security Threat Report, Volume 17: The 2011 Threat Landscape
http://www.symantec.com/threatreport/?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Apr_worldwide_ISTR17
The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from the Global Intelligence Network, which Symantec’s analysts use to identify, analyze, and provide commentary on emerging trends in attacks, malicious code activity, phishing, and spam. Here are some highlights from the threat landscape of 2011:
Symantec blocked a total of over 5.5 billion malware attacks in 2011, an 81% increase over 2010.
Web based attacks increased by 36% with over 4,500 new attacks each day.
403 million new variants of malware were created in 2011, a 41% increase of 2010.
SPAM volumes dropped by 13% in 2011 over rates in 2010.
39% of malware attacks via email used a link to a web page.
Mobile vulnerabilities continued to rise, with 315 discovered in 2011.
Tomi Engdahl says:
European e-identity plan to be unveiled this month
http://www.zdnet.co.uk/news/regulation/2012/05/03/european-e-identity-plan-to-be-unveiled-this-month-40155152/
Authorities in Europe are ready to lay out plans to introduce an electronic identity system across Europe, with the proposals to be unveiled at the end of this month.
On Wednesday, the European Commission published a strategy document aimed at setting up systems to protect children online.
A spokesman for digital agenda commissioner Neelie Kroes said the Commission “will have full e-ID proposals on 30 May”.
The document, entitled European Strategy for a Better Internet for Children, gives a rough outline of proposals to harmonise protections across member states for children using online services. It contains many suggestions for the increased use of age classification, as well as the inclusion of “efficient” parental controls “on any type of device and for any type of content, including user-generated content”.
The age classification scheme, which is meant to feed into new data protection rules that take specific account of children’s privacy and ‘right to be forgotten’, will largely be a matter of industry self-regulation. However, the language of the e-ID clause suggested that one element will be mandatory.
“The Commission… intends to propose in 2012 a pan-European framework for electronic authentication that will enable the use of personal attributes (age in particular) to ensure compliance with the age provisions of the proposed data protection regulation,” the Commission said in the document, adding that member states should “ensure the implementation of EU legislation in this field at national level”.
As part of this, the industry will be expected to introduce “technical means” of electronic identification and authentication, it noted.
The strategy document also said the Commission will adopt a pan-EU “initiative on notice-and-takedown procedures” for websites. This will extend not only to child sexual abuse images, but to “all categories of illegal content”.
Questions remain as to whether the e-ID system will have uses beyond age classification, and whether every citizen will be required to use the system, with the implications this has for online anonymity. In addition, the document did not describe what technology is needed to apply parental controls to any type of device
Dustin Ritter says:
Value the particular publish, carry on retaining about!