Here is my collection of security trends for 2012 from different sources:
Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”
F-Secure also says that it might not be long before the cyber criminals turn their attentions to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.
Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.
Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years, and now it seems that such fake antivirus scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android. When antivirus software becomes a universally accepted requirement (the way it is on Windows), is that the day the platform has failed and missed the whole point of being a mobile operating system?
Cyber criminals are developing more sophisticated attacks and the police will counterattack.
Mobile phone surveillance will increase and more details of it will surface. Last year’s findings have included “Location data collecting smart-phones”, “Carrier IQ phone spying busted” and “Police Surveillance system to monitor mobile phones”. In the USA the Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. “Leaked Memo Says Apple Provides Backdoor To Governments”: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.
The article “Geo-location tagging in smartphones to potentially cause major security risks” says that geo-location tagging security issues are likely to be a major issue in 2012—and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphone users upload images to the Internet (to portals such as Facebook or Flickr) there’s a strong chance they will also upload the GPS location data as well. This information could be subsequently misused by third parties.
You need to find your balance between freedom and security (Vapauden ja turvallisuuden tasapaino). Usernames are poured out for all to see, and passwords and personal identification numbers are published. Knowledge of access management is even more important: who has the right to know what, when, where and in which role? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.
When designing networked services, security should be taken into account at the planning stage, rather than at the end of implementation. Even a secure network and information system cannot operate in a vacuum.
Reliability of server certificates will face more and more problems. We can expect more certificate authority bankruptcies due to cyber attacks against them. Certificate attacks that have focused on PC web browsers are now proven to be effective against mobile browsers as well.
Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
Rise of printer malware is real. “Printer malware: print a malicious document, expose your whole LAN” says that sending a document that contains a malicious version of the printer’s OS to a printer can make it send your sensitive documents anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers, and in “HP Refutes Inaccurate Claims; Clarifies on Printer Security” it disputes the findings. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.
Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
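As an added illustration of what integrity measurement means in practice (example code written for this post, not from NIST SP 800-155 or any vendor), the Python below simulates TPM-style PCR extension over a constructed set of firmware components, replays the event log as a verifier would, and shows how a replaced or reordered component changes the final value. Component names and blobs are constructed placeholders.

```python
import hashlib

# Simulation of measured boot: each firmware component is hashed and folded into a
# PCR-style register, and the final value is compared against a known-good value.
# All component blobs below are constructed placeholders, not real firmware.

PCR_SIZE = 32  # SHA-256 PCR bank


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components):
    """Measure components in boot order; return (final PCR, event log)."""
    pcr = bytes(PCR_SIZE)  # PCRs are all zeros after reset
    log = []
    for name, blob in components:
        log.append((name, hashlib.sha256(blob).hexdigest()))
        pcr = extend(pcr, blob)
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone, as a remote verifier would."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def verify_measurements(golden_pcr, golden_log, pcr, log):
    """Return (pcr_ok, names of components whose digest differs from the golden log)."""
    pcr_ok = pcr == golden_pcr and replay_log(log) == pcr
    golden = dict(golden_log)
    seen = dict(log)
    changed = [name for name, digest in log if golden.get(name) != digest]
    changed += [name for name in golden if name not in seen]
    return pcr_ok, changed


# Constructed "known-good" firmware image set (golden reference).
GOLDEN_COMPONENTS = [
    ("boot_block", b"constructed boot block v1"),
    ("main_bios", b"constructed main BIOS v1"),
    ("option_rom_nic", b"constructed NIC option ROM v1"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_boot(GOLDEN_COMPONENTS)

# Same platform with one component replaced (an unauthorized firmware change).
TAMPERED_COMPONENTS = [
    ("boot_block", b"constructed boot block v1"),
    ("main_bios", b"constructed main BIOS v1 with implant"),
    ("option_rom_nic", b"constructed NIC option ROM v1"),
]


def check_tampered():
    """A modified main BIOS: PCR mismatch, and the log names the changed component."""
    pcr, log = measure_boot(TAMPERED_COMPONENTS)
    return verify_measurements(GOLDEN_PCR, GOLDEN_LOG, pcr, log)


def check_reordered():
    """Same blobs, different boot order: every digest matches, yet the PCR differs."""
    pcr, log = measure_boot(list(reversed(GOLDEN_COMPONENTS)))
    return verify_measurements(GOLDEN_PCR, GOLDEN_LOG, pcr, log)


if __name__ == "__main__":
    print("golden PCR:", GOLDEN_PCR.hex())
    print("tampered:", check_tampered())
    print("reordered:", check_reordered())
```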
According to Stonesoft, security problems threaten lives, and 2012 may be the first year in which we lose lives because of security offences. Whether this happens remains to be seen, the company says, but the risk comes from attacks on industrial SCADA systems at targets such as hospitals or automated drug delivery systems. I already posted around a month ago about SCADA systems security issues.
Tomi Engdahl says:
If the threat of online crime is to be reduced, people’s behavior should be better understood.
“Online safety is based on the technology, even if it is really about people. Engineering, we are pretty good, but people’s understanding of the use of the internet we do not know that much,” Bassett says.
The key is, for example, a deeper understanding of web attacks and the motivations behind them.
“People take more risks on the internet than in real life, but we do not know the reasons and the relevant nuances in more detail,”
Source:
http://www.3t.fi/artikkeli/uutiset/teknologia/nettirikollisuus_taittuu_paremmalla_ihmistuntemuksella
Kylie Knoedler says:
We are pleased, the capability as a copywriter along with the structure on your web site might be most educational. fengshui
Kena says:
There are been recently following your blog site to get a month or two roughly and have picked up a huge amount of information as well as loved the process that you’ve organised your site. I am looking to work my extremely individual web site nevertheless. I believe it’s too general i must consentrate on a great deal of more compact matters. Becoming all things to all or any individuals is just not everything that their damaged around always be.
Tomi Engdahl says:
Hackers claim breach of China Telecom, Warner Bros. networks
http://news.cnet.com/8301-1009_3-57446348-83/hackers-claim-breach-of-china-telecom-warner-bros-networks/
SwaggSec says it lifted more than 900 login credentials from the Chinese ISP and that the company did little to defend itself after it discovered the breach.
In its message on Pastebin, SwaggSec said obtaining more than 900 admin usernames and passwords during a hack on China Telecom was “as simple as we assumed it would be.”
“China Telecom’s SQL server had an extremely low processing capacity, and with us being impatient, after about a month straight of downloading, we stopped,” the Pastebin post said. “However, a few times we accidentally DDoS’d their SQL server. I guess they thought nothing of it, until we left them a little message signed by SwaggSec.”
After identifying the breach, China Telecom moved its SQL server but neglected to make a public statement or change its passwords. “At any moment, we could have and still could destroy their communication infrastructure leaving millions without communication,” it said.
Similarly, the group taunted Warner Bros. for its “ignorance” of its security vulnerabilities.
setup a email says:
I really like it when individuals come together and share ideas.
Great website, continue the good work!
Tomi Engdahl says:
According to recent reports from Symantec, HP, and Microsoft, attacks against corporate, government, and education systems rose in 2011, despite the number of vulnerabilities reported that year actually having dropped.
One of the primary driving factors behind this increase has been the rise of exploit kits – highly polished, easy-to-use systems sold on the black market that automate the process of attacking thousands of systems at once.
Source: https://www3.gotomeeting.com/register/795473790
Tomi Engdahl says:
Microsoft Update and The Nightmare Scenario
http://www.f-secure.com/weblog/archives/00002377.html
About 900 million Windows computers get their updates from Microsoft Update. In addition to the DNS root servers, this update system has always been considered one of the weak points of the net. Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it.
Turns out, it looks like this has now been done. And not by just any malware, but by Flame.
The full mechanism isn’t yet completely analyzed, but Flame has a module which appears to attempt to do a man-in-the-middle attack on the Microsoft Update or Windows Server Update Services (WSUS) system. If successful, the attack drops a file called WUSETUPV.EXE to the target computer.
This file is signed by Microsoft with a certificate that is chained up to Microsoft root.
Except it isn’t signed really by Microsoft.
Microsoft has announced an urgent security fix to revoke three certificates used in the attack.
The fix is available via — you guessed it — Microsoft Update.
Tomi Engdahl says:
Flame Hijacks Microsoft Update to Spread Malware Disguised As Legit Code
http://www.wired.com/threatlevel/2012/06/flame-microsoft-certificate/
It’s a scenario security researchers have long worried about, a man-in-the-middle attack that allows someone to impersonate Microsoft Update to deliver malware — disguised as legitimate Microsoft code — to unsuspecting users.
And that’s exactly what turns out to have occurred with the recent Flame cyberespionage tool that has been infecting machines primarily in the Middle East and is believed to have been crafted by a nation-state.
According to Microsoft, which has been analyzing Flame, along with numerous antivirus researchers since it was publicly exposed last Monday, researchers there discovered that a component of Flame was designed to spread from one infected computer to other machines on the same network using a rogue certificate obtained via such a man-in-the-middle attack. When uninfected computers update themselves, Flame intercepts the request to Microsoft Update server and instead delivers a malicious executable to the machine that is signed with a rogue, but technically valid, Microsoft certificate.
Tomi Engdahl says:
Apple Releases Guide To iOS Security
http://techcrunch.com/2012/06/04/apple-releases-guide-to-ios-security/
Apple has introduced a guide to iOS security, which was posted to Apple.com sometime in late May, but is just now being noticed outside the Apple developer community. The publication is notable because it’s the first time Apple has published a comprehensive guide intended for an I.T. audience. (Apple’s developer-friendly documentation on security matters is easy to spot, however).
The new guide includes four sections dedicated to topics like system architecture, encryption and data protection, network security, and device access.
Tomi Engdahl says:
United Nations views Flame as cybersecurity opportunity
http://news.cnet.com/8301-1009_3-57446906-83/united-nations-views-flame-as-cybersecurity-opportunity/
Representative for United Nations agency, which has taken credit for helping to discover the Flame malware, tells CNET that world leaders gave agency the “mandate as sole facilitator” for boosting Internet security.
The United Nations has seized on the appearance of the Flame worm, which targeted computers in the Middle East, to argue that it should have more authority to deal with cybersecurity threats on the Internet.
Last week, the United Nations’ International Telecommunication Union circulated a statement about Flame saying the malware “reinforces the need for a coordinated response” that could come from “building a global coalition.” It took credit for Flame’s discovery, saying Kaspersky Lab identified it “following a technical analysis requested by the ITU.”
The prospect of greater ITU involvement in Internet governance and cybersecurity — the topic of an international summit in Dubai in December and something the agency has increasingly focused on — is not likely to be uniformly applauded.
“But nobody trusts the ITU,” Lewis says. “That doesn’t justify the hysteria we saw on the Hill, but it does justify not giving the ITU greater responsibility.”
“The Flame story indicates that governments aren’t cybersecurity experts,” Harper says. “There are lots of cybersecurity experts. The ITU and the U.S. Congress are not two of them.”
Tomi Engdahl says:
Data Protection Officer Role Will Be Key If You Operate in the E.U.
http://www.cio.com/article/707471/Data_Protection_Officer_Role_Will_Be_Key_If_You_Operate_in_the_E.U.?page=1&taxonomyId=3137
The European Union is considering sweeping new data protection laws that would mandate many organizations in Europe formally appoint a Data Protection Officer (DPO). To get ahead of the potential high demand for qualified candidates, organizations should consider defining their needs now.
“The CEOs, or whoever’s running this business, are going to be responsible for hiring people that can communicate,”
“There are a ton of very smart people who get IT security, but they don’t have the ability to make it viral among the employee base. They have to be passionate about credentials and be good communicators that can work with the people in the business and the executive team. This isn’t a role for someone right out of college.”
The E.C.’s proposed legislative package is intended to both harmonize the data protection laws across the E.U. member states and update them to address the new technological reality (like cloud computing).
One of the new laws would require all private sector companies with more than 250 employees, all private sector companies whose core activities involve regular monitoring of individuals and all public authorities to formally appoint a data protection officer (DPO).
“The data protection officer must be empowered by the organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so,”
“The E.U. regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally”
The new legislation would require organizations to demonstrate that they have undertaken regular data protection audits and privacy impact assessments using recognized industry standards, including demonstrating that privacy compliance and risk mitigation steps have been implemented before putting in place new processing systems and activities.
Tomi Engdahl says:
A Pandora’s Box We Will Regret Opening
http://www.nytimes.com/roomfordebate/2012/06/04/do-cyberattacks-on-iran-make-us-vulnerable-12/a-pandoras-box-we-will-regret-opening
If somebody would have told me five years ago that by 2012 it would be commonplace for countries to launch cyberattacks against each other, I would not have believed it. If somebody would have told me that a Western government would be using cybersabotage to attack the nuclear program of another government, I would have thought that’s a Hollywood movie plot. Yet, that’s exactly what’s happening, for real.
Cyberattacks have several advantages over traditional espionage or sabotage. Cyber attacks are effective, cheap and deniable. This is why governments like them.
In that sense, it’s a bit surprising that the U.S. government seems to have taken the credit and the blame for Stuxnet. Why did they do it? The most obvious answer seems to be that it’s an election year.
The downside for owning up to cyberattacks is that other governments can now feel free to do the same. And the United States has the most to lose from attacks like these. No other country has so much of its economy linked to the online world.
Tomi Engdahl says:
LinkedIn Confirms Hack And Leak Of “Some” User Passwords
http://techcrunch.com/2012/06/06/linkedin-speaks-some-of-those-compromised-passwords-are-from-linkedin-accounts/
Shortly after it was reported that nearly 6.5 million LinkedIn account passwords were leaked onto the net, LinkedIn leapt into action and mounted their own investigation.
Though most of the morning was spent claiming that they could not confirm a security breach, a new announcement on their blog reveals that at least some of those leaked passwords correspond to LinkedIn accounts.
In case you’re curious about the sorts of passwords that appear in the sizable password hash dump, the team at FictiveKin have launched a tool called LeakedIn that takes a text input, hashes it with the SHA-1 algorithm, and checks it against the leaked file. So far, the usual suspects like “linkedin” and “password” are among those that have been leaked, though with passwords that weak it’s no surprise they were among the first to be cracked.
Tomi Engdahl says:
That Was Fast: Criminals Exploit LinkedIn Breach For Phishing Attacks
http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/
After hackers posted millions of encoded LinkedIn passwords to a Russian hacker site on Wednesday, criminals used news of the breach to trick unsuspecting users into downloading malware that can be used to extract financial gain.
Shortly after the breach surfaced, LinkedIn users began receiving e-mails from what, at first glance, looked like LinkedIn.
Several security researchers confirmed that the e-mails were scams and advised users to avoid clicking on any links in e-mails from LinkedIn and to only navigate to the site by typing LinkedIn.com directly into their browsers.
If users have not already, they should immediately change their LinkedIn password and the password to any other site where they might have used the same password.
Tomi Engdahl says:
Clean IT project considers terrorist content database
http://www.itnews.com.au/News/303729,clean-it-project-considers-terrorist-content-database.aspx
European governments outline partnership with internet industry.
Internet users could contribute to an official blacklist of suspected terrorist content under the European Commission’s budding ‘Clean IT’ project.
The project aims to create a text that commits the internet industry (web hosts, search engines and ISPs, among others) to helping governments weed out content that incites acts of terror.
Ideally, the solution would be built into popular web browsers (Mozilla Firefox, Microsoft Internet Explorer, Apple Safari, Google Chrome etc) such that users could flag suspicious material regardless of where it is hosted.
An easier but less comprehensive system would be to compel the world’s most popular content hosts – such as Google/YouTube or Amazon – to interface existing flagging systems with those of law enforcement agencies.
“Flagging happens already on some sites,” Klaasen told iTnews. “Many users already flag content they find concerning on services like YouTube. But many of those flags don’t reach law enforcement.”
A related ‘best practice’ proposal calls for governments to establish ‘referral units’ – teams of experts that analyse flagged content to assess its legal status.
Internet content or access providers in Europe are already compelled to forward material to law enforcement if they feel its illegality is crystal clear. But often the line between dissenting content and terrorist content is blurry.
“Usually when illegal material is found on a server hosted by an Internet company and is removed, it pops up two days later somewhere else,” Klaasen said.
“So why not try and create a database where internet companies can check it to see if it’s known illegal material?”
“Again it raises questions. If you have such a database, who is responsible for it? Is there a trusted organisation to maintain it? There are really important questions that we’ll look to address.”
Tomi Engdahl says:
Dept. of Homeland Security to focus on cyber workforce development
http://www.networkworld.com/community/blog/dept-homeland-security-focus-cyber-workforce-development
Secretary of Homeland Security Janet Napolitano today said the agency will form a cybersecurity workforce task group that will consider strategies such as expanding DHS involvement in cyber competitions and university programs, enhancing public-private security partnerships and working with other government agencies to develop a more agile cyber workforce across the federal government.
The new task force will be co-chaired by hacking expert Jeff Moss, who now works for the Homeland Security Advisory Council, and Alan Paller, director of research at the SANS Institute.
The idea behind the task force is in part to develop strong cybersecurity career paths within DHS and other agencies. “To accomplish this critical task, we have created a number of very competitive scholarship, fellowship, and internship programs to attract top talent,” Napolitano stated.
Tomi Engdahl says:
Gmail hacked by cyber-spies? Google issues security warning for state-sponsored attacks
http://blogs.computerworld.com/20268/gmail_hacked_by_cyber_spies_google_issues_security_warning_for_state_sponsored_attacks
Finding out your Gmail account was hacked would be bad news, but how about if that attack was from suspected state-sponsored hackers? “Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer.” If Google suspects you’ve been targeted by such bad actors, then Google Online Security Blog announced you will see that warning in Gmail.
Google VP Security Engineer Eric Grosse wrote, “If you see this warning it does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account.” However he also makes it clear that if users see that warning, it does not imply “Google’s internal systems have been compromised.”
So please be wise about passwords, especially if Google alerts you to being a state-sponsored target.
Google won’t define precisely how it can tell the malicious activity is a state-sponsored attack, since doing so would help bad actors evade detection.
Tomi Engdahl says:
An Update on LinkedIn Member Passwords Compromised
Vicente Silveira, June 6, 2012
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts.
Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.
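To make concrete why the salting mentioned above matters, an added example (not LinkedIn’s or FictiveKin’s code): the unsalted SHA-1 lookup that the LeakedIn tool described earlier in this thread performed, beside a salted PBKDF2 record in which the same password yields a different stored hash for every account. The dump below is constructed from sample passwords.

```python
import hashlib
import os
import secrets

# Constructed stand-in for the leaked file: unsalted SHA-1 hashes, one per account.
# No real LinkedIn hashes are reproduced; these come from sample passwords.
LEAKED_DUMP = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["linkedin", "password", "Tr0ub4dor&3"]
}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme used by the leaked file."""
    return hashlib.sha1(password.encode()).hexdigest()


def leakedin_check(password: str, dump=LEAKED_DUMP) -> bool:
    """What the LeakedIn tool did: hash the input and look it up in the dump."""
    return sha1_hex(password) in dump


def audit_dump(dump, wordlist):
    """Defender's audit of an unsalted dump: one hash per word tests every
    account at once. Returns the wordlist entries that match some account."""
    return [w for w in wordlist if sha1_hex(w) in dump]


def make_salted_record(password: str, salt=None, iterations: int = 200_000) -> dict:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) with a random per-account salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return secrets.compare_digest(dk.hex(), record["hash"])


def salted_records_collide(password: str) -> bool:
    """Two accounts with the same password: are the stored hashes identical?
    Unsalted SHA-1 would say yes; with per-account salt the answer is no, so a
    single precomputed hash cannot be checked against the whole table."""
    a = make_salted_record(password)
    b = make_salted_record(password)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    print("'linkedin' in dump:", leakedin_check("linkedin"))
    print("weak words found:", audit_dump(LEAKED_DUMP, ["qwerty", "password", "linkedin"]))
    print("salted duplicates collide:", salted_records_collide("password"))
```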
Tomi Engdahl says:
Microsoft ‘hardens’ Windows Update from Flame penetration
How the hot malware burned a new hole in Redmond’s backside
http://www.theregister.co.uk/2012/06/07/microsoft_combats_flame_with_additional_hardening/
Microsoft has “hardened” its Windows Update system after researchers discovered the Flame virus can infect PCs by offering itself as an update masquerading as official Microsoft software.
Redmond said in a blog post yesterday that it was continuing to analyse Flame and repeated that it would “evaluate additional hardening of both the Windows Update channel and our code signing certificate controls”.
It warned any customers who do not have their Windows Update software set to automatic configuration to install the latest patch immediately, which will thwart Flame’s man-in-the-middle attack.
Microsoft added that it had waited until it was clear that most of its customers were protected against the malware before publishing more details about how so-called “cryptographic collisions” had been used in those attacks.
Hence, all the panic coming out of Redmond towers to ensure that its customers have all updated their Windows software to prevent their systems being compromised by Flame.
Tomi Engdahl says:
Md5crypt Password scrambler is no longer considered safe by author
http://phk.freebsd.dk/sagas/md5crypt_eol.html
The md5crypt password scrambler was created in 1995 by yours truly and was, back then, a sufficiently strong protection for passwords.
New research has shown that it can be run at a rate close to 1 million checks per second on COTS GPU hardware, which means that it is as prone to brute-force attacks as the DES based UNIX crypt was back in 1995: Any 8 character password can be found in a couple of days.
As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.
Please notice that there is _no_ advantage in everybody in the world using the exact same algorithm, quite the contrary in fact.
All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a “per-site” exercise for attackers.
Thanks for listening,
Tomi Engdahl says:
This week has been a busy one for stolen passwords, and we have already seen Linkedin and Eharmony confess to having lost users’ passwords to hacking. Now the UK-based music streaming web site Last.fm has stepped forward and admitted that it too has had passwords stolen.
Source: The Inquirer (http://s.tt/1dEMu)
Tomi Engdahl says:
Germany reveals secret techie soldier unit, new cyberweapons
We have ways of making you pwned
http://www.theregister.co.uk/2012/06/08/germany_cyber_offensive_capability/
CyCon 2012: Germany has confirmed that its military maintains an operational cyberwarfare unit with offensive capabilities.
The admission, which appeared in parliamentary documents published on Tuesday, gave no details of the size of the unit much less any operations that it might have run. However documents delivered to the German federal defence committee did reveal that the unit has been operating for six years since 2006, a year before the cyber-attack on Estonia and four years before the discovery of the infamous Stuxnet worm.
“The initial capacity to operate in hostile networks has been achieved,” the papers explain.
“The German MoD see a potential in having an offensive cyber-op capability as well as an ability to defend critical infrastructures”, most notably military systems, Dr Heintschel von Heinegg explained.
Tomi Engdahl says:
Flame: UN urges co-operation to prevent global cyberwar
http://www.bbc.com/news/technology-18351995
The UN has urged countries to seek a “peaceful resolution” in cyberspace to avoid the threat of global cyberwar.
The comments by the head of the UN’s telecommunications agency came a week after Flame, one of the most complex cyber-attacks to date, was uncovered.
Dr Hamadoun Toure told the BBC that he did not suspect the US of being behind the attack.
He added that developing countries were being helped to defend themselves more adequately against threats.
He said he did not consider Flame to be an act of cyberwar.
“It hasn’t reached that level yet as it has been detected in time,” he added.
When asked about the attack’s possible source, he said: “All indications are that Flame has been created by a nation state, that’s clear.
“The ITU is not mandated to make a judgement on who is responsible. Our role is to work with partners to promote better co-operation.”
“There is a fine line between security and freedom.”
“Some people try to oppose them. We say no, we want both. You can’t be free if you’re not secure. You can’t have privacy without security – that’s why we want to have both.”
Tomi says:
Understanding cyberspace is key to defending against digital attacks
http://www.washingtonpost.com/investigations/understanding-cyberspace-is-key-to-defending-against-digital-attacks/2012/06/02/gJQAsIr19U_story.html
Holes in the system
The words “zero day” strike fear in military, intelligence and corporate leaders. The term is used by hackers and security specialists to describe a flaw discovered for the first time by a hacker that can be exploited to break into a system.
In recent years, there has been one stunning revelation after the next about how such unknown vulnerabilities were used to break into systems that were assumed to be secure.
Now cyberspace is a vital reality that includes billions of people, computers and machines. Almost anything that relies on code and has a link to a network could be a part of cyberspace. That includes smartphones, such as the iPhone and devices running Android, home computers and, of course, the Internet. Growing numbers of other kinds of machines and “smart” devices are also linked in: security cameras, elevators and CT scan machines; global positioning systems and satellites; jet fighters and global banking networks; commuter trains and the computers that control power grids and water systems.
So much of the world’s activity takes place in cyberspace — including military communications and operations — that the Pentagon last year declared it a domain of war.
“We have built our future upon a capability that we have not learned how to protect,” former CIA director George J. Tenet has said.
Researchers and hackers, the good guys and bad, are racing to understand the fundamental nature of cyberspace. For clues about how to improve security — or to mount better attacks — they have turned to physics, mathematics, economics and even agriculture. Some researchers consider cyberspace akin to an organism, its security analogous to a public health issue.
“The truth is that the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well,”
Miller attributes that fragility to companies that place sales and novel applications over computer security.
“Companies want to make money,” he said. “They don’t want to sit around and make their software perfect.”
Many of those vulnerabilities are related to errors in code designed to parse, or sort through, data files sent over the Internet. A typical computer has hundreds of parser codes in its operating system. One good example is an image parser. It identifies the information that makes up a digital photo, processes it and then sends the file to the part of the machine designed to display the image.
Miller’s fuzzing program enables him to connect to a variety of computers and keep track of thousands of crashes, including where in the software the crash took place.
“99.999 percent of the time, nothing bad happens,” Miller explained. “But I do it a billion times, and it happens enough times it’s interesting.”
The heart of his program is a function that randomly substitutes data in a targeted software program.
Government agencies that secretly engaged in hacking operations, along with some affected software makers, bought information on zero days from a thriving gray market, according to interviews with hackers and security specialists.
In 2005, a security firm called TippingPoint began offering bounties to researchers.
Since then, more than 1,600 researchers have been paid for reporting almost 5,000 zero days. Starting at hundreds of dollars, the bounties soar into the tens of thousands.
The system seemed ideal, except for one thing: The software makers often failed to heed the warnings. Some vulnerabilities remained for two years or more.
In 2007, TippingPoint, now owned by Hewlett-Packard, decided to underscore the problem by holding a high-profile event. The Pwn2Own contest would require hackers to not only find zero days but to put them into action in what is known as an “exploit” or attack.
Tomi Engdahl says:
LinkedIn: New security enhancements in pipeline
http://www.slashgear.com/linkedin-new-security-enhancements-in-pipeline-09233034/
LinkedIn has promised new security features above and beyond a switch to salting users’ passwords, as it continues to recover from the hack which saw 6.5m encrypted credentials leak from the site. “We continue to execute on our security roadmap, and we’ll be releasing additional enhancements to better protect our members”
“Thus far, we have no reports of member accounts being breached as a result of the stolen passwords”
Tomi Engdahl says:
LinkedIn Has Neither CIO nor CISO
Failing to Learn Lessons from the RSA, Sony Breaches
http://www.bankinfosecurity.com/blogs/linkedin-has-neither-cio-nor-ciso-p-1289
LinkedIn, the social network that’s investigating the pilfering of what could be more than 6.5 million of its members’ hashed passwords, has neither a chief information officer nor a chief information security officer.
LinkedIn isn’t the first technology company to experience a breach that has lacked a specific senior executive responsible for assuring the security of its data and systems. Two of the most prominent breaches of 2011 – to security provider RSA and consumer electronics giant Sony – occurred when neither of those companies had a CISO. Both, however, employed a CIO at the time.
Shortly after the RSA and Sony breaches, both companies hired highly regarded IT security experts as their CISOs.
It’s hard to imagine that a company with such sophisticated offerings as LinkedIn has neither a CIO nor CISO, especially in the wake of the RSA and Sony breaches. After all, LinkedIn’s primary product is information.
A generation ago, most businesses began to understand they needed a top executive who could relate to the CEO and the rest of the organization the importance of IT for their organizations to function; thus, the role of CIO evolved from a mere manager of data processing.
Today, the same holds true with information security. Businesses, governments and other types of organizations can not function efficiently in today’s society if they lack a key executive focused on IT security; otherwise, their stakeholders will be at risk. The hashed passwords’ breach shows LinkedIn could use a CIO and CISO, executives who are focused on the strategic importance of information and its security.
Tomi Engdahl says:
Smart meters are ‘massive surveillance’ tech – privacy supremo
Euro watchdog demands data law to protect punters
http://www.theregister.co.uk/2012/06/11/smart_meter_privacy/
The European Data Protection Supervisor has warned that smart meters are a significant privacy threat and wants limits on the retention and use of customer data before it’s too late.
Peter Hustinx, who fills the role with the assistance of Giovanni Buttarelli, admits there are advantages of smart metering, but warns that the technology will “also enable massive collection of personal data which can track what members of a household do within the privacy of their own homes”. He pulls up examples of baby monitors and medical devices, which have identifiable patterns of energy consumption and could therefore be used to monitor what people are doing.
That might sound fanciful, but researchers have already demonstrated that the pattern of energy consumed by a decent flat-screen TV can be used to work out what programme is being watched, and Hustinx is probably right that this isn’t information most of us would wish to share with our electricity providers.
Smart meters need to collect all that data in order to reduce our reliance on power – it’s now an article of faith that once we know how much energy we’re using we’ll magically reduce that consumption, so the EU is committed to mandating smart meters by 2020.
The European Commission is preparing a document on the impact of all this new data, but as planned it’s limited to vague objectives rather than specific requirements.
Tomi Engdahl says:
Hello tourist – so you will be monitored
Bank of Estonia, Tartu University and the OU Positium LBS have followed the movement of tourists since 2008.
Monitoring is based on the cell phones themselves. The creators of the system assure that it does not record individual numbers or personal information, but is intended to produce comprehensive statistics on tourism.
Source:
http://www.taloussanomat.fi/tietoliikenne/2012/04/12/hei-turisti-nain-sinua-seurataan/201227195/12
Tomi Engdahl says:
MySQL flaw allows attackers to easily connect to server
http://www.net-security.org/secworld.php?id=13076
A simple but serious MySQL and MariaDB authentication bypass flaw has been revealed by MariaDB security coordinator Sergei Golubchik, and exploits targeting it have already been found in the wild.
“When a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might’ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256,” Golubchik explained.
An attacker who knows a correct username (usually the ubiquitous “root”) can easily connect using a random password by repeating connection attempts.
“~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,” wrote Golubchik.
Metasploit’s HD Moore says that, so far, 64-bit versions of Ubuntu Linux, OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have been found to have vulnerable MySQL releases, while a number of Debian, Gentoo, CentOS and SuSE versions – as well as the official builds from MySQL and MariaDB – seem not to be affected.
“If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come,” he pointed out. “One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored ‘loot’ file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access.”
Tomi Engdahl says:
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs — too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured.
http://www.fail2ban.org/wiki/index.php/Main_Page
Tomi Engdahl says:
Discovery of new “zero-day” exploit links developers of Stuxnet, Flame
http://arstechnica.com/security/2012/06/zero-day-exploit-links-stuxnet-flame/
Security researchers say they’ve found a conclusive link between the Flame espionage malware and Stuxnet, the powerful cyberweapon that US and Israeli officials recently confirmed they designed to sabotage Iran’s nuclear program.
An early version of Stuxnet dating back to 2009 contained executable code that targeted what was then an unknown security flaw in Microsoft Windows, a discovery that brings the number of zero-day vulnerabilities exploited by the malware to at least five, researchers from Kaspersky Lab said Monday morning.
Even more significantly, they discovered that a 6MB chunk of code found in the Stuxnet.A (1.0) variant contained the guts of today’s Flame.
“The fact that the Flame group shared their source code, their intellectual property, with the Stuxnet group proves that there is an actual link,” Roel Schouwenberg, a senior researcher at Kaspersky Lab, said during an online press conference. “They actually cooperated at least once. That’s, I think, huge news. It confirms our beliefs we’ve had all along, that the Flame operation and the Stuxnet operation were two parallel projects fashioned by the same entities.”
“We firmly believe that the Flame platform predates the Stuxnet platform,” Schouwenberg continued. “It kind of looks like the Flame platform was used as a kick-starter of sorts to get the Stuxnet project going. After 2009, this resource 207 was actually removed from Stuxnet, and the Flame operation and the Stuxnet operation each went their separate ways. Maybe this was because the Stuxnet code was now mature enough to be deployed in the wild.”
Tomi Engdahl says:
Facebook joins Google in warning DNSChanger victims
Warnings follow decision to withdraw safety net on 9 July
http://www.theregister.co.uk/2012/06/10/dnschanger/
Federal authorities will not seek a further extension to a DNSChanger safety net, meaning an estimated 360,000 security laggards will be unable to use the internet normally unless they clean up their systems before a 9 July deadline.
DNSChanger changed the domain name system (DNS) settings of compromised machines to point surfers to rogue servers – which hijacked web searches and redirected victims to dodgy websites as part of a long-running click-fraud and scareware distribution racket. The FBI dismantled the botnet’s command-and-control infrastructure back in November, as part of Operation GhostClick.
In place of the rogue servers, a bank of duplicate machines was set up to resolve internet look-up queries from compromised boxes.
At its peak as many as four million computers were infected by DNSChanger. An estimated 360,000 machines are still infected.
infected machines needed to be cleaned.
Last week Facebook joined Google and ISPs in notifying DNSChanger victims that they were surfing the net using a compromised machine.
Tomi Engdahl says:
Google Apps cloud fine print may not protect EU biz
Storing private data outside the Eurozone? Welcome to a world of pain
http://www.theregister.co.uk/2012/06/12/google_apps_to_push_out_model_contrac/
EU businesses that provide applications to consumers through the Google Apps platform may require additional mechanisms to the new contract terms offered by Google – in order to legitimately transfer personal data collected from app users overseas, an expert has said.
Google has announced that it will offer “model contract clauses” to app providers as a means for those businesses to lawfully transfer personal data outside of the European Economic Area (EEA).
However, data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, has said that if it is Google’s intention to store the data collected by app providers in the cloud, then complex contractual arrangements may have to exist to make that activity legitimate.
“If model contract clauses are not correctly implemented and there is a risk that the adequacy requirement will not be met, app providers would need to rely on another mechanism for compliance in order to justify overseas transfers of their users’ data outside of the EEA.
Model contract clauses have been popular with EU businesses looking to transfer personal data to third countries, although other existing frameworks for safeguarding personal data when sent outside of the EEA have also been developed.
The US-EU Safe Harbor scheme is an agreement drawn up between the European Commission and US Department of Commerce that allows for the transfer of personal data from Europe to the US where data protections meet EU standards.
US organisations that conform to the protection requirements in the Safe Harbor scheme are deemed as having met European safety standards outlined in the Data Protection Directive. The Directive sets out standards around the lawfulness of personal data processing as well as for the security of personal data that is held by organisations, among other things.
Google is one of 2,500 US firms accredited under the Safe Harbor scheme.
Tomi Engdahl says:
The Antivirus Era Is Over
http://www.technologyreview.com/news/428166/the-antivirus-era-is-over/
Conventional security software is powerless against sophisticated attacks like Flame, but alternative approaches are only just getting started.
Two weeks ago today, computer security labs in Iran, Russia, and Hungary announced the discovery of Flame, “the most complex malware ever found,” according to Hungary’s CrySyS Lab.
For at least two years, Flame has been copying documents and recording audio, keystrokes, network traffic, and Skype calls, and taking screenshots from infected computers.
Flame is just the latest in a series of incidents that suggest that conventional antivirus software is an outmoded way of protecting computers against malware. “Flame was a failure for the antivirus industry,” Mikko Hypponen, the founder and chief research officer of antivirus firm F-Secure, wrote last week. “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
The programs that are the lynchpin of computer security for businesses, governments, and consumers alike operate like the antivirus software on consumer PCs. Threats are detected by comparing the code of software programs and their activity against a database of “signatures” for known malware. Security companies such as F-Secure and McAfee constantly research reports of new malware and update their lists of signatures accordingly. The result is supposed to be an impenetrable wall that keeps the bad guys out.
However, in recent years, high-profile attacks on not just the Iranian government but also the U.S. government have taken place using software that, like Flame, was able to waltz straight past signature-based software.
Some experts and companies now say it’s time to demote antivirus-style protection. “It’s still an integral part [of malware defense], but it’s not going to be the only thing,” says Nicolas Christin, a researcher at Carnegie Mellon University. “We need to move away from trying to build Maginot lines that look bulletproof but are actually easy to get around.”
“The industry has been wrong to focus on the tools of the attackers, the exploits, which are very changeable,”
Antivirus companies have been quick to point out that Flame was no ordinary computer virus. It came from the well-resourced world of international espionage. But such cyberweapons cause collateral damage (the Stuxnet worm targeted at the Iranian nuclear program actually infected an estimated 100,000 computers), and features of their designs are being adopted by criminals and less-resourced groups.
“Never have so many billions of dollars of defense technology flowed into the public domain,” says Agarwal of Shape Security.
Alperovitch says his company will enable victims to fight back, within the bounds of the law, by also identifying the source of attacks. “Hacking back would be illegal, but there are measures you can take against people benefiting from your data that raise the business costs of the attackers,” he says.
Those include asking the government to raise a case with the World Trade Organization, or going public with what happened to shame perpetrators of industrial espionage, he says.
Tomi Engdahl says:
MySQL servers vulnerable to password bypass
Brute force breaks authentication in one second.
http://www.scmagazine.com.au/News/304509,mysql-servers-vulnerable-to-password-bypass.aspx
Security experts have identified some 879,046 servers vulnerable to a brute force flaw that undermines password controls in MySQL and MariaDB systems.
Upon scanning 1.7 million publicly exposed MySQL servers, he found more than half (879,046) vulnerable to the “tragically comedic” flaw.
According to Rapid7 security chief HD Moore, one in every 256 brute force attempts could override authentication controls on the servers and allow any password combination to be accepted.
The flaw has already been exploited.
Moore reported that the flaw (CVE-2012-2122) was already patched for both MySQL and MariaDB, but many MySQL administrators had not fixed the hole in their deployments.
Moore and other security boffins identified vulnerable versions in Ubuntu 64-bit versions 10.04, 10.10, 11.04, 11.10, and 12.04, OpenSUSE 12.1 64-bit MySQL 5.5.23, and Fedora.
Official builds of MariaDB and MySQL were safe, along with Red Hat Enterprise Linux 4, 5 and 6 and some flavours of Debian Linux and Gentoo 64 bit.
CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL
https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql
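The casting bug that Golubchik describes in the two MySQL comments above, as an added C example that is not MySQL or MariaDB source: it models the my_bool truncation with a constructed word-at-a-time memcmp stand-in (wide_memcmp) and constructed tokens, and shows the vulnerable return beside the fixed one. The 1/256 acceptance rate falls out of the narrowing, not of anything special in the tokens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not MySQL/MariaDB source. It models the CVE-2012-2122 root
 * cause: the auth-token comparison returned memcmp()'s int result through a
 * one-byte my_bool, so a non-zero result whose low 8 bits were zero became 0,
 * which the server read as "password correct". */

typedef char my_bool;      /* one byte wide, like MySQL's my_bool */
#define SCRAMBLE_LEN 20    /* SHA1 digest length used for the auth token */

/* Constructed stand-in for a word-at-a-time optimized memcmp(): it returns the
 * signed difference of the first differing 32-bit words, so the result can be
 * any int, not just -1/0/1 or a single byte difference. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i + 4 <= n; i += 4) {
        uint32_t wa = (uint32_t)a[i] | (uint32_t)a[i + 1] << 8 |
                      (uint32_t)a[i + 2] << 16 | (uint32_t)a[i + 3] << 24;
        uint32_t wb = (uint32_t)b[i] | (uint32_t)b[i + 1] << 8 |
                      (uint32_t)b[i + 2] << 16 | (uint32_t)b[i + 3] << 24;
        if (wa != wb)
            return (int)(wa - wb);   /* wraps into a signed int */
    }
    for (; i < n; i++)
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable pattern: the int result is narrowed to my_bool on return, so a
 * mismatch whose difference is a multiple of 256 comes back as 0 ("match"). */
static my_bool check_scramble_vulnerable(const unsigned char *received,
                                         const unsigned char *expected)
{
    return wide_memcmp(received, expected, SCRAMBLE_LEN);
}

/* Fixed pattern: collapse the comparison to 0/1 before it reaches the narrow
 * type, so only a byte-for-byte equal token yields 0. */
static my_bool check_scramble_fixed(const unsigned char *received,
                                    const unsigned char *expected)
{
    return wide_memcmp(received, expected, SCRAMBLE_LEN) != 0;
}

/* Constructed case: the tokens differ only in byte 1, so the first word
 * difference is 0x100, which truncates to 0. Returns 1 if `check` accepts it. */
static int accepts_word_mismatch(my_bool (*check)(const unsigned char *,
                                                  const unsigned char *))
{
    unsigned char expected[SCRAMBLE_LEN] = {0};
    unsigned char received[SCRAMBLE_LEN] = {0};
    received[1] = 0x01;
    return check(received, expected) == 0;
}

int vulnerable_accepts_mismatch(void) { return accepts_word_mismatch(check_scramble_vulnerable); }
int fixed_accepts_mismatch(void)      { return accepts_word_mismatch(check_scramble_fixed); }

/* Deterministic 32-bit mixer (lowbias32 constants) to synthesize tokens offline. */
static uint32_t mix32(uint32_t x)
{
    x ^= x >> 16; x *= 0x7feb352dU;
    x ^= x >> 15; x *= 0x846ca68bU;
    x ^= x >> 16;
    return x;
}

/* Runs `trials` attempts with random wrong tokens against random expected
 * tokens and counts acceptances. The vulnerable check accepts whenever
 * received[0] == expected[0], i.e. about 1 in 256; the fixed check never does. */
unsigned count_false_accepts(int use_fixed, unsigned trials)
{
    unsigned accepted = 0, t;
    for (t = 0; t < trials; t++) {
        unsigned char expected[SCRAMBLE_LEN], received[SCRAMBLE_LEN];
        my_bool r;
        int k;
        for (k = 0; k < SCRAMBLE_LEN; k++) {
            expected[k] = (unsigned char)mix32(t * 64u + (uint32_t)k);
            received[k] = (unsigned char)mix32(t * 64u + 32u + (uint32_t)k);
        }
        r = use_fixed ? check_scramble_fixed(received, expected)
                      : check_scramble_vulnerable(received, expected);
        if (r == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("0x100 mismatch: vulnerable accepts=%d, fixed accepts=%d\n",
           vulnerable_accepts_mismatch(), fixed_accepts_mismatch());
    printf("random wrong tokens: vulnerable accepted %u of 65536, fixed accepted %u\n",
           count_false_accepts(0, 65536), count_false_accepts(1, 65536));
    return 0;
}
```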
Tomi Engdahl says:
Microsoft overhauls certificate management in response to Flame PKI hack
A new Windows auto-update will flag certs that are “no longer trustworthy.”
http://arstechnica.com/security/2012/06/microsoft-overhauls-certificate-management-in-response-to-flame-pki-hack/
As part of its monthly “Patch Tuesday” security updates for June, Microsoft announced changes in how Windows manages certificates. These changes include a new automatic updater tool for Windows 7 and Windows Vista that will flag stolen or known forged certificates. This shift will have a huge impact on companies and software vendors who use Microsoft’s implementation of public key infrastructure as part of their authentication and software distribution—especially if they haven’t followed best practices for certificates in the past.
The changes come on the heels of revelations about the recently discovered Flame malware, which used a rogue certificate authority that masqueraded as Microsoft in order to hijack the Windows Update mechanism.
On June 8, Microsoft made changes to its Update service to prevent such attacks in the future. The changes announced on June 11 go even further.
Tomi Engdahl says:
All of Europe’s data in US servers? We’re OK with that – EC bod
‘It shouldn’t matter where your files are held’
http://www.theregister.co.uk/2012/06/13/ec_cloud_data_anywhere/
CCWF2012 A European Commission director has said that it shouldn’t really matter where Europe’s data is stored, as long as it’s secure and protected.
Megan Richards, acting deputy director general of Information Society and Media and also part of the Converged Networks and Services directorate, said it wouldn’t necessarily be a problem if European data was held in data centres in the US.
“Theoretically, it shouldn’t matter where data is held as long as our rules apply,” Richards told The Reg at the Cloud Computing World Forum in London. “The legislation in the US is not so different from the legislation we have in the EU.”
Richards was talking about the new data protection legislation currently making its way through the European Parliament, which she is hoping to see implemented in the next two-and-a-half years.
“It usually takes a year to go through Parliament, usually,” she emphasised, “Then, after adoption, it’s supposed to come in in two years.”
The new data protection legislation is important to the European Cloud Computing Strategy because it will mean that all member states have the same rules instead of the current situation, where each country has adapted the less-binding directive in their own way.
“The advantage of legislation is that it applies to everyone,” Richards said.
Richards reckons cloud computing has the potential to deliver €700bn (£564bn) of economic benefit in the five biggest European economies and generate five million new jobs in the five largest member states.
But getting the cloud moving in Europe requires better broadband rollout, more standardised legislation and less fragmentation in markets, she said.
“That’s what cloud providers need,” Richards added.
Tomi Engdahl says:
Government CIO frustrated over providers’ security stance
http://www.cloudpro.co.uk/cloud-essentials/3853/government-cio-frustrated-over-providers-security-stance
Cloud vendors hoping to supply services to government departments are being held back by their reluctance to reply to questions about their security. That’s according to government CIO, Andy Nelson who said that no cloud providers had yet been accredited.
“The aim is to provide an accreditation service through which cloud providers can get a stamp of approval. But none have gone through the process yet. It’s something I find very challenging,” admitted Nelson.
He said the questions were no more challenging than any other organisation would ask before committing to a move to a provider.
Nelson was speaking at the Cloud Computing World Forum where he was speaking about the government’s drive to cloud and about the Cloudstore initiative.
There’s been a willingness to embrace change, he said; IT staff are pleased that the procurement process has been made simpler, even if there are still a few hiccups to iron out. “In the private sector, there’s more of a willingness to embrace compromise,” he said. “If something was about 80 percent right, then a private company would go for it, but that’s not always the case in the public sector.”
Tomi Engdahl says:
Linus Torvalds on Windows 8, UEFI, and Fedora
http://www.zdnet.com/blog/open-source/linus-torvalds-on-windows-8-uefi-and-fedora/11187
Summary: Microsoft has made it so that a Windows 8-approved PC can only run Windows 8. Fedora Linux has forged a way around it, but not everyone likes their approach. Torvalds gives his thoughts on the issue.
All Windows 8 licensed hardware will be shipping with secure boot enabled by default in their replacement for the BIOS, the Unified Extensible Firmware Interface (UEFI). So far, so good; who doesn’t want more security? The fly in the soup is that by default only Windows 8 will run on these systems, so no Linux, no BSD, heck, no Windows XP for that matter.
Fedora Linux, Red Hat’s community distribution, has found a way: sign up with Microsoft, via Verisign to make their own Windows 8 system compatible UEFI secure boot key. A lot of Linux people hate this compromise.
“An alternative was producing some sort of overall Linux key. It turns out that this is also difficult, since it would mean finding an entity who was willing to take responsibility for managing signing or key distribution.”
Torvalds doesn’t think Microsoft’s spin on Windows 8 UEFI secure boot is really going to do much for security. “The real problem, I feel, is that clever hackers will bypass the whole key”
Torvalds concluded, “Signing is a tool in the tool-box, but it’s not solving all the security problems, and while I think some people are a bit too concerned about it, it’s true that it can be mis-used.”
Tomi Engdahl says:
The Antivirus Era Is Over
http://www.technologyreview.com/news/428166/the-antivirus-era-is-over/
Conventional security software is powerless against sophisticated attacks like Flame, but alternative approaches are only just getting started.
Flame is just the latest in a series of incidents that suggest that conventional antivirus software is an outmoded way of protecting computers against malware. “Flame was a failure for the antivirus industry,” Mikko Hypponen, the founder and chief research officer of antivirus firm F-Secure, wrote last week. “We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
“The industry has been wrong to focus on the tools of the attackers, the exploits, which are very changeable,” says Dmitri Alperovitch, chief technology officer and cofounder of CrowdStrike, a startup in California founded by veterans of the antivirus industry that has received $26 million in investment funding. “We need to focus on the shooter, not the gun—the tactics, the human parts of the operation, are the least scalable.”
This type of approach is possible, says Alperovitch, because, although an attacker could easily tweak the code of a virus like Flame to evade antivirus scanners once more, he or she would still have the same goal: to access and extract valuable data. The company says its technology will rest on “big data,” possibly meaning it will analyze large amounts of data related to many traces of activity on a customer’s system to figure out which could be from an infiltrator.
Christin, of Carnegie Mellon, who has recently been investigating the economic motivations and business models of cyber attackers, says that makes sense. “The human costs of these sophisticated attacks are the one of the largest,” he says. Foiling an attack is no longer a matter of neutralizing a chunk of code from a lone genius, but of defeating skilled groups of people. “You need experts in their field that can also collaborate with others, and they are rare,” says Christin. Defense software that can close off the most common tactics makes it even harder for attackers, he says.
Other companies have begun talking in similar terms. “It goes back to that ’80s law enforcement slogan: ‘Crime doesn’t pay,’ ” says Sumit Agarwal, a cofounder of Shape Security, another startup in California that recently came out of stealth mode.
A company with a similar approach is Mykonos Software, which developed technology that helps protect websites by wasting hackers’ time to skew the economics of an attack. Mykonos was bought by networking company Juniper earlier this year.
Antivirus companies have been quick to point out that Flame was no ordinary computer virus. It came from the well-resourced world of international espionage. But such cyberweapons cause collateral damage (the Stuxnet worm targeted at the Iranian nuclear program actually infected an estimated 100,000 computers), and features of their designs are being adopted by criminals and less-resourced groups.
Research by Christin and other academics has shown that chokepoints do exist that could allow relatively simple legal action to neutralize cybercrime operations.
“The most effective intervention against spam would be to shut down those banks, or introduce new regulation,” says Christin. “These complex systems often have concentrated points on which you can focus and make it very expensive to carry out these attacks.”
But Agarwal warns that even retribution within the law can be ill-judged: “Imagine you’re a large company and accidentally swim into the path of the Russian mafia. You can stir up a larger problem than you intended.”
Tomi Engdahl says:
Google, Twitter and Facebook rally to fight “bad ads”, malware and online trust issues
http://thenextweb.com/insider/2012/06/14/google-twitter-and-facebook-rally-to-fight-bad-ads-malware-and-online-trust-issues/
Google, Twitter and Facebook are among the Internet industry giants that are giving their names and efforts to a non-profit campaign aimed at taking action against bad ads, malware and other schemes that abuse trust online.
Non-profit organisation StopBadware has partnered with the industry heavyweights — which also include the Interactive Advertising Bureau (IAB) and AOL — to launch the Ads Integrity Alliance, which will work to educate, tackle and promote awareness of issues in the Internet advertising space.
The alliance members have pledged to pool their collective talents, share best practices and formulate policy recommendations to tackle problems. The initial five will share information about trends and “bad actors” with each other and with/from everyday Web users.
Tomi Engdahl says:
Cyber Security and International Agreements
http://www.wired.com/images_blogs/threatlevel/2012/06/Cyber-Security-and-International-Agreements.pdf
Society has become dependent on cyber systems across the full range of human activities, including commerce, finance, health care, energy, entertainment, communications, and national defense. “The globally-interconnected digital information and communications infrastructure known as ‘cyberspace’ underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security.”1 The U.S. is especially vulnerable to cyber insecurity because it depends on cyber systems more heavily than most other states. But cyber insecurity is a worldwide problem, potentially affecting all cyber systems and their dependent infrastructure.
Virtually all aspects of cyber insecurity have a transnational component, affecting users of cyber systems throughout the world. Nonetheless, current U.S. efforts to deter cyberattacks and exploitation— though formally advocating international cooperation—are based almost exclusively on unilateral measures.
The potential for improving cyber security through international agreements can best be realized through a program that identifies: the activities likely to be subjects of such agreements and those that are not; the measures likely to be used by parties to improve cyber security in each area of activity appropriate for international cooperation; and the form which any international body that may be utilized or established for this purpose should assume, the authority such a body would be assigned, and the basis upon which its activities would be governed
International agreements negotiated on the basis of these practical premises could help to create a more secure cyber environment through measures that go beyond conventional forms of deterrence
Tomi Engdahl says:
Eliminate Vulnerable Code Project (eVc)
Eliminating vulnerable code – one line at a time
https://evc.digitsec.com/
The Eliminate Vulnerable Code project is trying to get rid of source code snippets containing security holes. The project is backed by the security company Digisec, which says that bad examples are distributed widely in chat rooms, educational materials and open-source programs.
EVC’s search robot and community of users look for unsafe code snippets and send notifications to the site owners.
The project is still in its infancy
The EVC project cannot be expected to clean up all the insecure source code on the Internet, but it can help make it more secure.
Tomi Engdahl says:
Employees Admit They’d Walk Out With Stolen Data If Fired
http://it.slashdot.org/story/12/06/13/224201/employees-admit-theyd-walk-out-with-stolen-data-if-fired
“In a recent survey of IT managers and executives, nearly half of respondents admitted that if they were fired tomorrow they would walk out with proprietary data”
Employees Admit They’d Walk Out With Stolen Data If Fired
http://threatpost.com/en_us/blogs/employees-admit-theyd-walk-out-stolen-data-if-fired-061212
Privileged accounts have become an important attack vector, and if a recent survey of mostly IT managers and executives is any indication that threat will continue to grow.
According to results of ID management provider Cyber-Ark’s sixth annual global “Trust, Security and Passwords Survey,” just under half of 820 respondents admitted if they were fired tomorrow, they’d walk out with proprietary data such as privileged password lists, company databases, R&D plans and financial reports — even though they know they are not entitled to it.
Given that admission, it’s no surprise 71 percent believe the insider threat is the priority security concern and poses the most significant business risk. As such, enterprise executives say they are rethinking their security strategy, especially after last year’s well-publicized attacks on RSA and Global Payments and the like, which they believe involved exploited privileged account access.
That said, despite growing awareness of the need to better monitor privileged accounts, only 57 percent say they actively do so.
“These privileged accounts are often protected by weak or default passwords, which are seldom replaced,” according to a report on survey results released today. “Businesses that are not securing and managing these high-value targets are failing to uphold their responsibility for securing customer and similar sensitive information.”
“Whether it’s a malicious insider looking to steal information, or an external attacker seeking to exploit privileged accounts to gain access to the network and sensitive information, it’s clear that privileged access points have emerged as the priority target of enterprise cyber-assaults. This pattern has been demonstrated in some of the most high-profile attacks including Global Payments, Utah Department of Health, and even with the recent Flame virus,” said Udi Mokady, founder and CEO of Newton, Mass.-based Cyber-Ark, in a prepared statement.
Of course you noticed that the study was done by a firm that has a major interest in getting companies to invest in their software and services – right?
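The survey above names the concrete failures (privileged passwords seldom replaced, nobody accountable for shared accounts, most of them not actively monitored) without showing what a check for them looks like. As an added example that is not part of the article or of Cyber-Ark’s product, here is an audit over a constructed account inventory: the CSV layout, the 90-day rotation policy and the set of monitored accounts are assumptions for the example.

```python
import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed rotation policy for privileged credentials

# Constructed inventory (not real data): one row per account, as an identity
# system or CMDB export might provide it. An empty owner means a shared account
# nobody is accountable for.
CONSTRUCTED_INVENTORY = """account,privileged,created,password_last_set,owner
root@db01,yes,2010-03-02,2010-03-02,
svc_backup,yes,2011-11-20,2012-01-15,ops-team
jdoe,no,2011-05-05,2012-05-30,jdoe
administrator@corp,yes,2009-08-01,2012-04-01,
"""

# Accounts whose sessions are actually forwarded to the SIEM (constructed).
CONSTRUCTED_MONITORED = {"svc_backup"}


def parse_inventory(text):
    """Parse the CSV export into dicts with real dates and a boolean flag."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"].strip(),
            "privileged": row["privileged"].strip().lower() == "yes",
            "created": date.fromisoformat(row["created"].strip()),
            "password_last_set": date.fromisoformat(row["password_last_set"].strip()),
            "owner": row["owner"].strip() or None,
        })
    return rows


def password_age_days(last_set, as_of):
    return (as_of - last_set).days


def audit_privileged(accounts, monitored, as_of, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return {account: [issue codes]} for privileged accounts with findings.

    Issue codes:
      NEVER_ROTATED        password still the one set at provisioning time
      STALE_PASSWORD       password older than the rotation policy allows
      NO_ACCOUNTABLE_OWNER shared account with nobody responsible for it
      NOT_MONITORED        privileged sessions not fed to monitoring
    """
    findings = {}
    for a in accounts:
        if not a["privileged"]:
            continue
        issues = []
        if a["password_last_set"] == a["created"]:
            issues.append("NEVER_ROTATED")
        if password_age_days(a["password_last_set"], as_of) > max_age:
            issues.append("STALE_PASSWORD")
        if a["owner"] is None:
            issues.append("NO_ACCOUNTABLE_OWNER")
        if a["account"] not in monitored:
            issues.append("NOT_MONITORED")
        if issues:
            findings[a["account"]] = issues
    return findings


def report(findings, as_of):
    lines = [f"Privileged account audit as of {as_of.isoformat()}"]
    for account, issues in findings.items():
        lines.append(f"  {account}: {', '.join(issues)}")
    return "\n".join(lines)


def run_example(as_of=date(2012, 6, 18)):
    accounts = parse_inventory(CONSTRUCTED_INVENTORY)
    return audit_privileged(accounts, CONSTRUCTED_MONITORED, as_of)


if __name__ == "__main__":
    as_of = date(2012, 6, 18)
    print(report(run_example(as_of), as_of))
```

The point of the NEVER_ROTATED check is that it catches the “default password” case the report describes without needing a list of default passwords at all: an account whose password has not changed since the day it was created is still carrying whatever it was provisioned with.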
Tomi Engdahl says:
FEMA trains for zero day attack on US infrastructure by ‘The Void’ hacktivists
http://blogs.computerworld.com/cybercrime-and-hacking/20525/fema-test-void-hacktivists-attack-us-infrastructure-zero-day
This is a test. This is only a test in a FEMA cybersecurity exercise.
We’ve heard a great deal about America’s infrastructure being vulnerable both before Flame and after the New York Times said the USA and Israel created Stuxnet and cyberattacked Iran. Every year the Federal Emergency Management Agency (FEMA), under the DHS umbrella, sponsors an NLE that is a “congressionally mandated preparedness exercises designed to educate and prepare participants for potential catastrophic events.” Usually those nightmare catastrophic scenarios include some horrific natural disasters that affect the entire USA like a tsunami and earthquake. This year, however, for the first time the recent FEMA NLE was cyber-centric.
America’s fictional cyberattack scenario gets much darker to equal a catastrophic cyber version of getting hit with a tsunami and earthquake.
You can download the “National Level Exercise Self-directed Tabletop 2012 – Cyber” at FEMA. It includes a PowerPoint presentation, facilitator notes, the “script” of the cyber nightmare scenario and three “VNN” videos. I encourage you to watch all the videos and to see what you, your company, our nation would do in such a cybersecurity emergency situation. You might also consider the “hot wash” discussion.
Public Intelligence had said, “The exercise will occur amidst a growing climate of panic in Washington regarding the state of U.S. cybersecurity.” That climate includes former FBI cybersecurity guru Shawn Henry saying America is losing the cyberwar and China has hacked every major US company.
Tomi Engdahl says:
PGP founder, Navy SEALs uncloak encrypted comms biz
Claim total security for phone, text, email, and more
http://www.theregister.co.uk/2012/06/14/pgp_seal_encrypted_communications/
Phil Zimmermann and some of the original PGP team have joined up with former US Navy SEALs to build an encrypted communications platform that should be proof against any surveillance.
The company, called Silent Circle, will launch later this year, when $20 a month will buy you encrypted email, text messages, phone calls, and videoconferencing in a package that looks to be strong enough to have the NSA seriously worried. Zimmermann says that surveillance by the state and others has increased vastly over the last few years, and privacy improvements are again needed.
“At the very least I want people, as part of their right in a free society to be able to communicate securely,” he said in a promotional video (below). “I should be able to whisper in your ear, even if your ear is a thousand miles away.”
The Silent Circle package comes with downloadable applications for smartphones and computers that allow secure communication with other users.
While software can handle most of the work, there still needs to be a small backend of servers to handle traffic. The company surveyed the state of privacy laws around the world and found that the top three choices were Switzerland, Iceland, and Canada, so they went for the one within driving distance.
Tomi Engdahl says:
Hacked Companies Fight Back With Controversial Steps
http://it.slashdot.org/story/12/06/18/0010227/hacked-companies-fight-back-with-controversial-step
Known in the cyber security industry as “active defense” or “strike-back” technology, the reprisals range from modest steps to distract and delay a hacker to more controversial measures. Security experts say they even know of some cases where companies have taken action that could violate laws in the United States or other countries, such as hiring contractors to hack the assailant’s own systems.
Hacked companies fight back with controversial steps
http://www.reuters.com/assets/print?aid=USBRE85G07S20120617
Henry and CrowdStrike co-founder Dmitri Alperovich do not recommend that companies try to breach their opponent’s computers, but they say the private sector does need to fight back more boldly against cyber espionage.
It is commonplace for law firms to have their emails read during negotiations for ventures in China
But if a company knows its lawyers will be hacked, it can plant false information and get the upper hand.
“Deception plays an enormous role,” Alperovich said.
Other security experts say a more aggressive posture is unlikely to have a significant impact in the near term in the overall fight against cybercriminals and Internet espionage
“There’s nothing you can do” to keep determined and well-financed hackers out, said Rodney Joffe, senior technologist at Internet infrastructure company Neustar Inc and an advisor to the White House on cyber security.
The security industry’s shortcomings were underscored most recently by the discovery of the Flame spying virus in the Middle East.
“These are examples how we are failing” as an industry, Hypponen said. “Consumer-grade antivirus you buy from the store does not work too well trying to detect stuff created by the nation-states with nation-state budgets.”
Tomi Engdahl says:
New Grad Looking For a Job? Pentagon Contractors Post Openings For Black-Hat Hackers
http://www.forbes.com/sites/andygreenberg/2012/06/15/new-grad-looking-for-a-job-pentagon-contractors-post-openings-for-black-hat-hackers-2/
Hypponen says the job searches he began out of curiosity show a marked uptick in these self-described offensive hacker jobs for U.S. government contractors. “I think this is new,” he says. “The arms race has started, and this proves it. It’s a clear sign of the demand to stockpile cyber weapons and expand the operations underway.”
But rocketing demand and a lagging supply of skilled hackers are boosting salaries and driving the defense industry’s war for talent into the open, says Alan Paller, the director of research at the cybersecurity education-focused SANS Institute. He cites SANS’ statistics that highly skilled cybersecurity staffers were paid as much as $175,000 in 2011, up 25 to 30 percent from two years before.
“We don’t have the people, and we don’t have a way to make them yet,” says Paller. “We’ve got a really good core of people, but it’s tiny. We’re not even in the game. We can’t field a team.”
Cybersecurity job openings as a whole are taking off: According to business research group the Conference Board, 15,901 jobs in cybersecurity were posted online in May of this year. That’s up 18% from the 13,477 in the previous May, and nearly double the 8,731 cybersecurity jobs posted in May five years ago.
Just how many of the cybersecurity positions will focus on offensive, or “black-hat” hacking, rather than defensive, or “white-hat” hacking, is tough to measure. But Paller says the military’s demand for hackers who can break into systems or write malware is already enormous and growing. “Every single control system an adversary has, if there’s a way to take it over, you want to be able to take it over,”
Tomi Engdahl says:
Hoaxes come to mobile phones
Finnish mobile phones have started to receive foreign scam text messages.
The phenomenon is familiar from e-mail spoofing.
F-Secure’s Chief Research Officer Mikko Hyppönen says that money attracts more and more criminals to the phone side.
- It is difficult to take a credit card number from a computer, buy the stuff, sell it and get the money for yourself. If they (the criminals) can instead get your cell phone to call their own premium-rate number, nothing more is needed. It is an easy way to make money.
- The best protection is that you do not do anything. Such text messages should not and must not be answered.
Source: http://www.iltalehti.fi/digi/2012061815723466_du.shtml
Tomi Engdahl says:
BYOD Exposes the Perils of Cloud Storage
http://www.cio.com/article/708593/BYOD_Exposes_the_Perils_of_Cloud_Storage
As more and more companies adopt BYOD policies, IT managers are taking steps to prevent employees from using cloud-based consumer storage services with their personal devices.
The dangers of using consumer cloud storage systems became clearer earlier this month, when a hacker claimed that he accessed presidential candidate Mitt Romney’s Dropbox storage and email accounts using an easily cracked password.
The apparent hack of Romney’s accounts came on the heels of IBM’s rollout of a bring-your-own-device (BYOD) policy that bans the use of Dropbox due to concerns that hackers could easily access sensitive information stored there.
“IBM has the world’s biggest BYOD program, and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services,” said Dion Hinchcliffe, an executive vice president at IT consulting firm Dachis Group.
“Cloud data centers are becoming high-value targets” of data thieves, said Hinchcliffe, raising the possibility that “someone inside the company with the keys to the castle” could be bribed to share data with hackers. “There’s a lot of temptation,” he added.
Hyatt’s BYOD policy requires employees to register mobile devices, and it prohibits the storage of confidential data outside the corporate firewall. The company also makes no bones about the fact that it remotely wipes all data from lost or stolen devices.
Nonetheless, “we’re not naive enough to believe that a policy alone is the answer, and that we don’t need technology” to help people follow the rules, said Malcom. “We want our employees to do the right things, but we know there may be times that they don’t have the tools.”
“If we can find someone like a Box.net that we can enter into an enterprise agreement with and help reduce some liability, we’d like to offer [that] to our user community,” he said.