Here is my collection of security trends for 2012 from different sources:
Windows XP will be the biggest security threat in 2012 according to Sean Sullivan, security advisor at F-Secure: “People seem to be adding new systems without necessarily abandoning their old XP machines, which is great news for online criminals, as XP continues to be their favourite target.”
F-Secure also says that it might not be long before cyber criminals turn their attention to tablet devices. Attacks against mobile devices have become more common and I expect this to continue this year as well.
Americans more susceptible to online scams than believed, study finds. A recent survey from The Ponemon Institute and PC Tools dives into this question and reveals a real gap between how aware Americans think they are of scams and how likely they actually are to fall for them.
Fake antivirus scams have plagued Windows and Mac OS X during the last couple of years, and now it seems that such scams have spread to Android. Nearly all new mobile malware in Q3 2011 was targeted at Android. When antivirus software becomes a universally accepted requirement (the way it is on Windows), has the platform failed and missed the whole point of being a mobile operating system?
Cyber criminals are developing more sophisticated attacks and the police will counterattack.
Mobile phone surveillance will increase and more details of it will surface. Last year’s findings have included Location data collecting smart-phones, Carrier IQ phone spying busted and Police Surveillance system to monitor mobile phones. In the USA the Patriot Act lets them investigate anything, anywhere, without a warrant. Now they are on your devices and can monitor everything. Leaked Memo Says Apple Provides Backdoor To Governments: “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.
The article “Geo-location tagging in smartphones to potentially cause major security risks” says that geo-location tagging security issues are likely to be a major issue in 2012—and that many users of smartphones are unaware of the potentially serious security consequences of their use of the technology. When smartphones upload images to the Internet (to portals such as Facebook or Flickr) there’s a strong chance they will also upload the GPS location data as well. This information could be subsequently misused by third parties.
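One way to check a photo for embedded GPS data and strip it before upload, as an added example that is not from the original post. The function names are hypothetical and the sample bytes are constructed (a minimal JPEG skeleton, not a decodable image); the code drops the whole Exif block, which also removes tags such as orientation.

```python
import struct

EXIF_ID = b"Exif\x00\x00"   # identifier that opens an Exif APP1 payload
APP1 = 0xE1                 # JPEG marker that carries Exif
SOS = 0xDA                  # start of scan: compressed image data follows
GPS_IFD_TAG = 0x8825        # TIFF tag in IFD0 that points at the GPS directory


def split_segments(jpeg: bytes):
    """Return [(marker, raw_bytes)] for the header segments, then the image tail."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:
            break                       # everything from here on is image data
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length          # length counts its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated segment at offset %d" % pos)
        segments.append((marker, jpeg[pos:end]))
        pos = end
    segments.append((None, jpeg[pos:]))  # scan data and EOI, copied untouched
    return segments


def exif_has_gps(payload: bytes) -> bool:
    """True if the Exif payload's IFD0 contains a pointer to a GPS directory."""
    tiff = payload[len(EXIF_ID):]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        off = ifd0 + 2 + 12 * i         # each IFD entry is 12 bytes
        if off + 12 > len(tiff):
            break
        (tag,) = struct.unpack(order + "H", tiff[off:off + 2])
        if tag == GPS_IFD_TAG:
            return True
    return False


def has_gps(jpeg: bytes) -> bool:
    """True if any Exif segment in the file carries a GPS directory pointer."""
    return any(
        marker == APP1 and raw[4:4 + len(EXIF_ID)] == EXIF_ID and exif_has_gps(raw[4:])
        for marker, raw in split_segments(jpeg)
    )


def strip_exif(jpeg: bytes) -> bytes:
    """Rebuild the file without any Exif APP1 segment (location data included)."""
    kept = [
        raw for marker, raw in split_segments(jpeg)
        if not (marker == APP1 and raw[4:4 + len(EXIF_ID)] == EXIF_ID)
    ]
    return b"\xff\xd8" + b"".join(kept)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: big-endian TIFF header, IFD0 with one GPS pointer entry,
# an empty GPS directory at offset 26, wrapped in a minimal JPEG skeleton.
_TIFF = (b"MM\x00\x2a" + struct.pack(">I", 8) + struct.pack(">H", 1)
         + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 4
         + b"\x00\x00" + b"\x00" * 4)
_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_TAIL = b"\xff\xda\x00\x02\x12\x34\xff\xd9"
SAMPLE_JPEG = b"\xff\xd8" + _APP0 + _segment(APP1, EXIF_ID + _TIFF) + _TAIL

if __name__ == "__main__":
    print("GPS pointer before:", has_gps(SAMPLE_JPEG))
    print("GPS pointer after: ", has_gps(strip_exif(SAMPLE_JPEG)))
```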
You need to find your balance between freedom and security (Vapauden ja turvallisuuden tasapaino). Usernames are spilled out for all to see; passwords and personal identification numbers are published. Knowledge of access management is even more important: who has the right to know, when, and in which role? Access, identity and role management are essential for the protection of the whole system. Implementation of such systems is still far from complete.
When designing networked services, security should be taken into account in the planning stage, rather than at the end of implementation. Even a secure network and information system cannot operate in a vacuum.
Reliability of server certificates will face more and more problems. We can see more certificate authority bankruptcies due to cyber attacks against them. Certificate attacks that have focused on PC web browsers are now proven to be effective against mobile browsers.
Stonesoft says that advanced evasion techniques (AET) will be a major threat. Stonesoft discovered that with certain evasion techniques (particularly when combined in particular combinations) they could sneak common exploits past many IDS/IPS systems (including their own, at the time last summer). Using the right tool set (including a custom TCP/IP stack) attackers could sneak past our best defenses. This is real and they foresee a not too distant future where things like botnet kits will have this as a checkbox feature.
The rise of printer malware is real. The article “Printer malware: print a malicious document, expose your whole LAN” says that sending a printer a document that contains a malicious version of the OS can send your sensitive document anywhere on the Internet. Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Potential scenario: send a resume to HR, wait for them to print it, take over the network and pwn the company. HP does have firmware update software for their printers, and has responded in “HP Refutes Inaccurate Claims; Clarifies on Printer Security”. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.
Unauthorized changes in the BIOS could allow or be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization’s systems or disrupt their operations. How Do You Protect PCs from BIOS Attacks? The U.S. National Institute of Standards and Technology (NIST) has drafted a new computer-security publication that provides guidance for computer manufacturers, suppliers, and security professionals who must protect personal computers as they start up “out of the box”: “BIOS Integrity Measurement Guidelines,” NIST Special Publication 800-155.
According to Stonesoft, security problems threaten lives, and 2012 may be the first year in which we lose lives because of security offenses. According to the company, whether this happens remains to be seen, but the risk is due to attacks on industrial SCADA systems against targets such as hospitals or automated drug delivery systems. I already posted around a month ago about SCADA systems security issues.
849 Comments
Tomi Engdahl says:
Stuxnet cyberattack by US a ‘destabilizing and dangerous’ course of action, security expert Bruce Schneier says
http://www.networkworld.com/news/2012/061812-schneier-260303.html?hpg1=bn
Tomi Engdahl says:
Is airport screening technology doing the job? Nope
http://www.eetimes.com/electronics-blogs/industrial-control-designline-blog/4375209/Is-airport-screening-technology-doing-the-job–Nope?Ecosystem=communications-design
In 2011 alone, 800 guns were detected on board planes after getting past current detection methods, says a new Frost & Sullivan report: U.S. Airport Screening Technologies Market.
The report indicates that despite the precautions of the TSA, screening capabilities just aren’t enough. In 2011, the TSA distributed approximately $437.1 million for airport screening technologies.
The effectiveness of current advanced imaging technologies and the cancer risks of backscatter x-ray technologies are under review.
Forget the guns – airport security is theater anyway. Any decent engineer can see the holes.
Tomi Engdahl says:
NSA: It Would Violate Your Privacy to Say if We Spied on You
http://www.wired.com/dangerroom/2012/06/nsa-spied/
The surveillance experts at the National Security Agency won’t tell two powerful United States Senators how many Americans have had their communications picked up by the agency as part of its sweeping new counterterrorism powers. The reason: it would violate your privacy to say so.
That claim comes in a short letter sent Monday to civil libertarian Senators Ron Wyden and Mark Udall.
“If no one will even estimate how many Americans have had their communications collected under this law then it is all the more important that Congress act to close the ‘back door searches’ loophole, to keep the government from searching for Americans’ phone calls and emails without a warrant.”
McCullough said the spy agencies wouldn’t tell the senators how many Americans have been spied upon under the new authorities
Tomi Engdahl says:
The Ineffectiveness of TSA Body Scanners – Now With Surveillance Camera Footage
http://yro.slashdot.org/story/12/06/20/2243228/the-ineffectiveness-of-tsa-body-scanners—now-with-surveillance-camera-footage
Watch TSA Nude Body Scanners Get Defeated
http://tsaoutofourpants.wordpress.com/2012/06/20/watch-tsa-nude-body-scaners-get-defeated/
“checkpoint security video showing me wandering past a nude body scanner with undetected objects.”
Tomi Engdahl says:
Nigerian scams are hyper-efficient idiot finders
The bigger the lie, the bigger the pile of cash scammers scoop, says MSFT boffin
http://www.theregister.co.uk/2012/06/21/nigerian_scams_msft_research/
A Microsoft researcher, Cormac Herley, has penned a paper titled “Why do Nigerian Scammers Say They are from Nigeria?” (PDF), and concludes the whoppers the scam includes are actually a very efficient way of finding likely targets.
Herley’s analysis suggests the scam works because it quickly passes BS-detection thresholds in most readers, but those stupid enough to fall for the scam self-select by responding.
“An email with tales of fabulous amounts of money and West African corruption will strike all but the most gullible as bizarre,” he writes. “It will be recognized and ignored by anyone who has been using the Internet long enough to have seen it several times.”
“Those who remain are the scammers ideal targets,” the paper proclaims, as “A less outlandish wording that did not mention Nigeria would almost certainly gather more total responses and more viable responses, but would yield lower overall profit.”
“thinking like an attacker does not end when a hole is found, but must continue (as an attacker would continue) in determining how the hole can be monetized.”
Tomi Engdahl says:
Young Employees Say BYOD a “Right” Not “Privilege”
http://www.cio.com/article/708718/Young_Employees_Say_BYOD_a_Right_Not_Privilege_?taxonomyId=3061
A survey that asked thousands of young “20-something” workers their attitudes about “bring-your-own-device” policies found slightly more than half view it as their “right” to use their own mobile devices at work, rather than BYOD being just a “privilege.”
Fortinet, which sponsored the survey, says it decided to focus the BYOD-related questions specifically on college-educated employees between the ages of 20 and 29 because this younger segment — the future of the workforce — is digitally savvy, and their first phone may be a smartphone.
1 out of 3 said they would gladly break any anti-BYOD rules and “contravene a company’s security policy that forbids them to use their personal devices at work or for work purposes.”
In addition, about 30% of all those surveyed indicated they’d contravene policy on “non-approved applications.” Sixty-nine percent want a “Bring Your Own Application” environment where “users create and use their own custom applications at work.”
Two-thirds of those surveyed believe they, not the company, should be responsible for the security of devices used for work purposes.
“The survey clearly reveals the great challenge faced by organizations to reconcile security and BYOD,” said Patrice Perche, international vice president of international sales and support for Fortinet. “While users want and expect to use their own devices for work, mostly for personal convenience, they do not want to hand over responsibility for security on their devices to the organization.”
Tomi Engdahl says:
U.S. Military Hunts for Safe Smartphones for Soldiers
http://bits.blogs.nytimes.com/2012/06/22/u-s-military-hunts-for-safe-smartphones-for-soldiers/
The military has long needed computers that are tough enough on the outside to withstand the rough and tumble of the battlefield. Now, with the proliferation of smartphones and tablets in the hands of soldiers, those devices also have to be strong on the inside.
They are loaded with contacts, location information and all kinds of military-grade applications, so it can be deadly for a soldier to lose a mobile device or have its data leak out unwittingly.
Darpa, has now assigned Invincea, a company based in Fairfax, Va., to fortify Android-based phones and tablets so they are safe in soldiers’ hands. The $21 million grant to the company is a window into how pervasive networked technologies have become in the military – and the market that has opened up to secure them.
Part of the problem, said Anup Ghosh, a professor at George Mason University and the founder of Invincea, is that soldiers often want to use their mobile devices to communicate with families back home, and to entertain themselves when they can.
The risks can be unexpected. Soldiers playing games on an Army base in Helmand Province, Afghanistan, can easily and unknowingly transmit the names of their friends. A piece of malware can penetrate the operating system and suck out location information.
At the same time, mobile devices are beginning to change the work and lives of soldiers as they have for everyone else, as the Department of Defense acknowledged in a strategy paper earlier this month.
Invincea’s first project for Darpa was to protect soldiers’ smartphones from loss and theft. It developed software that encrypts files in the operating system and fills up the memory of a lost device with random, useless data; on a standard phone, wiping your data can still leave behind enormous amounts of information.
That software is already being used by more than 3,000 soldiers stationed in Afghanistan.
Its next project is to make sure that malware doesn’t get in through an application, and that sensitive data does not get out. It is working on creating a virtual environment in which applications can run.
“By separating untrusted apps and content we are preventing the compromise of the operating system,” Mr. Ghosh said.
Tomi Engdahl says:
DARPA fortifies soldiers’ smartphones against malware
http://news.cnet.com/8301-1009_3-57459562-83/darpa-fortifies-soldiers-smartphones-against-malware/
The U.S. government awards a $21 million grant to a company tasked with shielding soldiers’ Android-based smartphones and tablets from data leaks.
DARPA, has given a $21 million grant to the company Invincea to protect soldiers’ Android-based phones and tablets from cyber threats.
“By separating untrusted apps and content we are preventing the compromise of the operating system,” founder of Invincea Anup Ghosh told The New York Times.
Tomi Engdahl says:
Fujitsu bigwig: Microsoft’s doing us a favour with Surface either way
http://www.theregister.co.uk/2012/06/25/fujtisu_reger_tablets/
‘I’m not panicking at all’, says slablet CTO
“Two things can happen. It’s successful, and grabs market share and the market is growing.”
Alternatively, “If it’s not successful, that brings clarity. Then we know the tablet space is a fight between Android and iOS.”
For Fujitsu, what’s important – apart from shifting its own branded kit – is being able to sensibly plug mobile devices into the corporation. The vendor was a big fan of BYOD, Reger said, particularly when the D element was Fujitsu’s own devices.
However, that endorsement was conditional on employees’ devices being “manageable” by the corporation – and enterprise management platforms, tools and services are, unsurprisingly, a major preoccupation of the firm.
“Without that, BYOD is one of the most dangerous things ever,” Reger declared.
He said that while the extremist positions were for companies to supply just one device, or to accept “any device”, the sensible position was for companies to support a reasonable degree of choice among users.
Tomi Engdahl says:
Sonic.net’s CEO On Why ISPs Should Only Keep User Logs Two Weeks
http://yro.slashdot.org/story/12/06/25/0332249/sonicnets-ceo-on-why-isps-should-only-keep-user-logs-two-weeks
“Dane Jasper’s tiny Internet service provider Sonic.net briefly took the national spotlight last October, when it contested a Department of Justice order that it secretly hand over the data of privacy activist and WikiLeaks associate Jacob Appelbaum.”
“For the past eighteen months it’s only kept logs of user data for two weeks before deletion, compared with 18 to 36 months at Verizon, AT&T, Comcast, Time Warner and other ISPs. In a lengthy Q&A, he explains how he came to the decision to limit logging ”
CEO Of Internet Provider Sonic.net: We Delete User Logs After Two Weeks. Your Internet Provider Should, Too.
http://www.forbes.com/sites/andygreenberg/2012/06/22/ceo-of-internet-provider-sonic-net-we-delete-user-logs-after-two-weeks-your-internet-provider-should-too/2/
We were concerned about cases where there’s a kidnapping, a threat to the human life, and the FBI is trying to find the kidnapper who sent a demand email yesterday or a week ago. We felt like two weeks was a good window that would allow us to address some things–both our own needs in the long term and the law enforcement’s dire needs in the mid-term–while omitting any ability to assist in what we felt was like an extortion racket. And so that was another concrete step we took last year, to reduce our logging interval to two weeks.
Tomi Engdahl says:
Analysis: eHarmony had several password security fails
http://news.cnet.com/8301-1009_3-57460253-83/analysis-eharmony-had-several-password-security-fails/
Security expert says password leak analysis illuminates several no-nos on the part of the dating site.
The biggest problem clearly was that the passwords, although encrypted and obscured with a hashing algorithm, were not “salted,”
But there were two other less obvious problems. First, the lowercase characters in passwords were converted to uppercase before hashing
And secondly, during resets the passwords were changed to a five-character password using only letters and digits
99.5 percent of the passwords on the list do not contain a special character
“The eHarmony dump is just further proof that organizations need to not only store passwords in stronger, salted formats than was previously acceptable, but also need to enforce stronger case-sensitive password policies,” the post concludes. “Users, as a whole, still do not understand the need for strong passwords, and will continue to set passwords that meet only the minimum requirements.”
Tomi Engdahl says:
Apple Quietly Pulls Claims of Virus Immunity
http://www.pcworld.com/article/258183/apple_quietly_pulls_claims_of_virus_immunity.html
In the wake of the Flashback botnet which targeted Mac computers, Apple has removed a statement from its messages on its website that Mac operating system X (OS X) isn’t susceptible to viruses.
Apple removed the previous statement “It doesn’t get PC viruses” and replaced it with “It’s built to be safe,” and “Safeguard your data. By doing nothing” with “Safety. Built in.”
According to Sophos U.S. senior technology consultant Graham Cluley, this is a sign that Apple is starting to take security seriously.
In addition to changing its marketing messages, Apple has released a security guide for the iPhone operating system iOS and announced in February that OS X 10.8, or Mountain Lion, would include a new feature called Gatekeeper that would restrict which applications users can install on their devices.
Tomi Engdahl says:
Users still slack about passwords: Trustwave
eHarmony analysis shows people just don’t care
http://www.theregister.co.uk/2012/06/25/people_slack_about_passwords/
Trustwave’s SpiderLabs has completed an analysis of the passwords dumped on the Internet in this month’s eHarmony breach, and reached the depressing conclusion that too few people really seem to care about password strength.
Having recovered 80 percent of the 1.5 million passwords in the dump file, the company says only 0.5 percent contained a “special character”, with 41 percent containing letters only and 57 percent a combination of letters and digits.
The high popularity of purely alphabetical passwords was, the blog post by Trustwave’s Mike Kelly noted, made worse by the weak protection used by eHarmony. Its password storage was case-insensitive, as well as being in an unsalted MD5 format, reducing the time needed to crack the passwords.
As it was, more than 1.2 million passwords were cracked in 72 hours, using three NVIDIA GPUs and the oclHashcat and John the Ripper cracking tools.
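The storage weaknesses named in the two eHarmony analyses above (upper-casing before hashing, unsalted MD5, five-character alphanumeric reset passwords), set beside a salted, slow alternative. This is an added example, not code from either article or from eHarmony; the function names, the sample accounts and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: a work factor in the range commonly recommended for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """Weak scheme as described in the analysis: upper-case, then unsalted MD5."""
    return hashlib.md5(password.upper().encode("utf-8")).hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def shared_hash_groups(users: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts by legacy hash; one successful guess opens a whole group."""
    groups: Dict[str, List[str]] = {}
    for user, password in users.items():
        groups.setdefault(legacy_hash(password), []).append(user)
    return {h: sorted(names) for h, names in groups.items() if len(names) > 1}


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Case-sensitive, per-user random salt, deliberately slow key derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = strong_hash(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed sample accounts (not taken from any real dump).
SAMPLE_USERS = {
    "alice": "Sunshine1",
    "bob": "sunshine1",
    "carol": "SUNSHINE1",
    "dave": "k9Tr2",      # shaped like a five-character reset password
}

if __name__ == "__main__":
    # Unsalted and case-folded: three different passwords collapse to one hash.
    for digest, names in shared_hash_groups(SAMPLE_USERS).items():
        print("legacy hash", digest, "shared by", names)

    # Case folding shrinks a five-character letters-and-digits reset password
    # from 62 possible symbols per position to 36.
    print("5-char keyspace, case-sensitive:", keyspace(62, 5))
    print("5-char keyspace, upper-cased:   ", keyspace(36, 5))

    # Salted KDF: the same password stored twice yields unrelated records.
    salt_a, hash_a = strong_hash("Sunshine1")
    salt_b, hash_b = strong_hash("Sunshine1")
    print("salted records differ:", hash_a != hash_b)
    print("correct password verifies:", verify("Sunshine1", salt_a, hash_a))
    print("wrong case rejected:", not verify("sunshine1", salt_a, hash_a))
```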
Tomi Engdahl says:
AutoCAD Worm Medre.A Stealing Designs, Blueprints
http://it.slashdot.org/story/12/06/25/2323259/autocad-worm-medrea-stealing-designs-blueprints
“The worm, known as ACAD/Medre.A, is spreading through infected AutoCAD templates and is sending tens of thousands of stolen documents to email addresses in China.”
AutoCAD Worm Stealing Designs, Blueprints
http://threatpost.com/en_us/blogs/autocad-worm-stealing-designs-blueprints-062512
Security researchers have come across a new worm that is meant specifically to steal blueprints, design documents and other files created with the AutoCAD software. The worm, known as ACAD/Medre.A, is spreading through infected AutoCAD templates and is sending tens of thousands of stolen documents to email addresses in China. However, experts say that the worm’s infection rates are dropping at this point and it doesn’t seem to be part of a targeted attack campaign.
The worm first hit researchers’ radar about six months ago, and when they began digging into the situation, they discovered that not only was the worm highly customized and well-constructed, it seemed to be targeting mostly machines in Peru for some reason.
ACAD/Medre.A was written in AutoLISP, a specialized version of the LISP scripting language that’s used in AutoCAD.
“After some configuration, ACAD/Medre.A will begin sending the different AutoCAD drawings that are opened by e-mail to a recipient with an e-mail account at the Chinese 163.com internet provider. It will try to do this using 22 other accounts at 163.com and 21 accounts at qq.com, another Chinese internet provider.”
Researchers at Kaspersky Lab said that the worm doesn’t seem to be going after any specific kind of company or to be part of a targeted attack campaign.
“I don’t think it’s an APT. It’s kind of an uncontrolled attack,”
Interestingly, although the worm is written in AutoLISP, most of the functions in the ACAD/Medre.A worm are done through the use of VisualBasic scripts.
Tomi Engdahl says:
McAfee discovers $78 million worth of sophisticated cyber attacks against banking systems
http://www.theverge.com/2012/6/26/3118002/mcafee-guardian-analytics-cyber-attacks-banking-systems-europe
Security firms McAfee and Guardian Analytics have published a joint fraud report, dubbed Operation High Roller, on new methods of siphoning money from banking systems. Using a series of highly sophisticated cyber attacks to target high balance accounts, criminals have been able to successfully bypass physical “chip and pin” authentication and use server-based fraudulent transactions to steal money from a number of accounts in Europe.
The attacks originated in Italy, using SpyEye and Zeus malware to transfer funds into fraudulent accounts.
McAfee discovered 426 unknown variants of the typical Zeus or SpyEye malware that were difficult to detect
The company is warning that 60 servers have been processing thousands of attempted thefts from high-value accounts over a period of months, resulting in attempts to steal at least €60 million (US$78 million).
McAfee says that if all the attempted fraud attacks were successful then the total attempted fraud could be as high as €2 billion ($2.49 billion).
Tomi Engdahl says:
MI5 fighting ‘astonishing’ level of cyber-attacks
http://www.bbc.co.uk/news/uk-18586681
MI5 is battling “astonishing” levels of cyber-attacks on UK industry, the intelligence agency’s chief has said.
In his first public speech for two years, Jonathan Evans warned internet “vulnerabilities” were being exploited by criminals as well as states.
Mr Evans also warned the London 2012 Olympics was an “attractive target” for terrorist groups, but said security preparations were well under way.
In the speech on Monday night, Mr Evans spoke of MI5’s efforts to tackle “industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cyber crime”.
“Vulnerabilities in the internet are being exploited aggressively not just by criminals but also by states,” he said.
“The extent of what is going on is astonishing.”
“This is a threat to the integrity, confidentiality and availability of government information but also to business and to academic institutions,” Mr Evans said.
“What is at stake is not just our government secrets but also the safety and security of our infrastructure, the intellectual property that underpins our future prosperity and… commercially sensitive information.”
“We appear to be moving from a period of a deep and focused threat to one where the threat is less monolithic but wider,” he said.
He also said the plan to allow greater collection of communications data – such as from social networks – was a “necessary and proportionate measure” to tackle crimes, including terrorism.
“It would be extraordinary and self defeating if terrorists and criminals were able to adopt new technologies… while the law enforcement and security agencies were not permitted to keep pace with those same technological changes,” he said.
Tomi Engdahl says:
Why Apple wants to spread lies about you (and why that’s a good thing)
http://news.yahoo.com/blogs/technology-blog/why-apple-wants-spread-lies-why-good-thing-030747664.html
It’s becoming harder and harder to maintain any sense of privacy on the internet.
According to a report from InformationWeek, Apple recently scored a patent for a technology that, essentially, creates lies about you.
How does the tech work? In short, it works by way of what’s being called “profile pollution.” As you search and use the internet, Apple would create a number of different online profiles for you. One, of course, would be your real one, filled with data on what you search for, and where you searched. The others would be filled with lies.
The new technology goes as far as to fake actions for the fake versions of you
when Big Brother (or anyone’s brother, for that matter) wants to know
.. well, it’ll have a hard time figuring it out
Tomi Engdahl says:
Civilian drones vulnerable to hackers, can be hijacked, used as missiles
http://blogs.computerworld.com/security/20593/civilian-drones-vulnerable-hackers-can-be-hijacked-used-missiles
it was GPS spoofing by researchers that proved malicious hackers or terrorists could take control of civilian drones.
The University of Texas at Austin’s Radionavigation Laboratory demonstrated hacking a civilian drone, forcing it to change course by sending fake GPS signals, and then, “as if some phantom has given the drone a self-destruct order, it hurtles toward the ground.”
GPS jamming had been the “main problem,” but now with the “right equipment, anyone can take control of a GPS-guided drone and make it do anything they want it to,” Fox reported.
By some reports, there will be about 30,000 of these drones flying and spying overhead in American skies in the next five to ten years.
At the end of 2011, an Iranian engineer claimed to have ‘hijacked’ the “CIA’s ‘lost’ stealth drone to an intact landing inside hostile territory by exploiting a navigational weakness long-known to the US military.” The RQ-170 Sentinel was downed by “electronic ambush,” by attacking the “weakest point” which was said to be GPS navigation.
Isn’t this just peachy news? Privacy experts have warned about drones being used and abused for surveillance. Now if this GPS vulnerability to hack drones isn’t addressed, the drones can create a surveillance society and they could be used as missiles. Humphreys said, “I’m worried about them crashing into other planes. I’m worried about them crashing into buildings.”
Tomi Engdahl says:
Crypto boffins: RSA tokens can be cracked in 13 MINUTES
No practical risk to SecurID 800 users – RSA
http://www.theregister.co.uk/2012/06/27/smartcard_crypto_attack/
Crypto boffins have developed an attack that’s capable of extracting the protected information from hardened security devices such as RSA’s SecurID 800.
The research (PDF), developed by a group of computer scientists who call themselves Team Prosecco – due to be presented at the CRYPTO 2012 conference in August – is a refinement of existing techniques. But the big news is that this attack is capable of extracting information in just 13 minutes, instead of hours.
the attack works against a variety of devices that protect access to computer networks or digitally sign e-mails. The side-channel attack also works against RSA’s SecurID 800 and many other devices that use PKCS #1 v1.5 padding mechanism, including electronic ID cards such as those issued by the government of Estonia as well as smartcards and USB tokens, the researchers claim.
Aladdin’s eTokenPro, SafeNet’s iKey 2032, Gemalto’s CyberFlex, and Siemens’ CardOS are among the technologies vulnerable to the attack, they write.
RSA downplayed the practical significance of the attack. “While the research is scientifically interesting, it does not demonstrate a new or useful attack against RSA SecurID 800,” a spokesman told El Reg.
Tomi Engdahl says:
Trojan.Milicenso: A Paper Salesman’s Dream Come True
http://www.symantec.com/connect/blogs/trojanmilicenso-paper-salesman-s-dream-come-true
Over the past two weeks, an outbreak of Trojan.Milicenso has resulted in multiple reports of massive print jobs being sent to print servers, printing garbage characters until the printer runs out of paper. Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America.
Trojan.Milicenso may arrive on a compromised computer by various means, such as malicious email attachments or visiting websites hosting malicious scripts.
We originally encountered Trojan.Milicenso in 2010 and our initial investigation had shown that this was basically a malware delivery vehicle for hire. The payload that is most commonly associated with this latest version is Adware.Eorezo; an adware targeting French speaking users.
Tomi Engdahl says:
Cyber security dangers and threats expand daily
http://www.edn.com/electronics-blogs/looking—electronics/4376169/Cyber-security-dangers-and-threats-expand-daily-?cid=EDNToday
From the 2012 DBIR, Verizon recommends where you should focus Cyber threat mitigation efforts as follows:
In smaller organizations
Implement a firewall or Access Control List (ACL) on remote access services
Change default credentials of Point-Of-Sale (POS) systems to process customer payments and other Internet-facing devices
If a third party vendor is handling the two items above, make sure they’ve actually done them.
In larger organizations
Eliminate unnecessary data; keep tabs on what’s left
Ensure essential controls are met; regularly check that they remain so
Monitor and mine event logs
Evaluate your threat landscape to prioritize your treatment strategy
Refer to the conclusion of this report (Verizon (DBIR)) for indicators and mitigators for the most common threats.
Additional mitigation suggestions can be found at “Center for Internet Security”
http://www.cisecurity.org/
The Center for Internet Security (CIS) is a not-for-profit organization focused on enhancing the cyber security readiness and response of public and private sector entities
Tomi Engdahl says:
Firefox ‘new tab’ feature exposes users’ secured info: Fix promised
http://www.theregister.co.uk/2012/06/22/firefox_new_tab_security_concerns/
Privacy-conscious users have sounded the alarm after it emerged the “New Tab” thumbnail feature in Firefox 13 is “taking snapshots of the user’s HTTPS session content”.
Reg reader Chris discovered the feature after opening a new tab only to be “greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc.
“This content is behind a secure login for a reason,” Chris added.
In response to queries on the matter prompted by Chris’s experience, Mozilla acknowledged that the behaviour was undesirable and promised a patch.
“We are aware of the concern and have a fix that will be released in a future version of Firefox.”
Tomi says:
Microsoft urges death of Windows gadgets as researchers plan disclosures
Reacts to upcoming revelations of gadget vulnerabilities at Black Hat by offering tool that kills feature in Vista, Windows 7
http://www.computerworld.com/s/article/print/9228997/Microsoft_urges_death_of_Windows_gadgets_as_researchers_plan_disclosures
The Windows website, which until Tuesday described how to obtain gadgets, now warns users. “Gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time,” said the site.
Microsoft offered users a “Fixit” — one of its automated configuration tools — that disables the sidebar and all gadgets in Vista and Windows 7. The tool can be found on this page of Microsoft’s support site.
“My first take was that Microsoft was admitting that it’s very difficult for a third-party developer to securely write a gadget,” said Andrew Storms, director of security operations at nCircle Security. “So they’re disabling them all. Thank goodness for that.”
This was not the first time that Microsoft has reacted to security problems in gadgets.
Tomi says:
Yahoo! Voices Website Breached 400,000+ Compromised
https://www.trustedsec.com/july-2012/yahoo-voice-website-breached-400000-compromised/
The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public. The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database.
Users of Yahoo are advised to change their passwords IMMEDIATELY.
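The two failures named in the comment above (a query open to SQL injection and passwords stored in the clear) are shown here next to their hardened form. This is an added example, not part of the original post; the table names, column names and sample users are constructed, since the page says nothing about the real schema.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data, not taken from the breach.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2"), ("carol", "s3cret!")]


def derive(password, salt):
    """Slow salted hash; PBKDF2 is used here because it ships with Python."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in SAMPLE_USERS:
        db.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt = os.urandom(16)
        db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (name, salt, derive(pw, salt)))
    return db


def lookup_vulnerable(db, name):
    """Weak form: user input is concatenated into the SQL text."""
    query = "SELECT name, password FROM users_plain WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_safe(db, name):
    """Hardened form: input is bound as a parameter and is never parsed as SQL."""
    return db.execute("SELECT name FROM users_hashed WHERE name = ?", (name,)).fetchall()


def verify(db, name, password):
    """Check a login against the salted hash with a constant-time comparison."""
    row = db.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(derive(password, row[0]), row[1])


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # classic tautology input
    print("concatenated query returns:", lookup_vulnerable(db, crafted))
    print("parameterized query returns:", lookup_safe(db, crafted))
    print("valid login accepted:", verify(db, "bob", "hunter2"))
```

With the hashed table, even a full dump of the rows gives an attacker salts and derived keys rather than reusable passwords.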
Tomi says:
NSA director finally greets Defcon hackers
http://news.cnet.com/8301-1009_3-57481689-83/nsa-director-finally-greets-defcon-hackers/
Over the past two decades, hackers at Defcon and the feds have been circling each other suspiciously. The nation’s top “spook” — National Security Agency Director Gen. Keith Alexander — giving a keynote at the hacker confab, shows just how much tensions have mellowed.
National Security Agency Director Gen. Keith Alexander calls Defcon the “world’s best cybersecurity community” and asks for their help.
Now, Defcon is “the world’s best cybersecurity community,” Alexander said. “This community, better than anyone, understand(s) what we need to do” to address these problems.
“From my perspective, what you’re doing to figure out vulnerabilities in systems” is great.
Tomi says:
Veltin indicates that up to 40 per cent of those attending races will keep up to date with events using two or more devices.
Of the multi-device users, half of the tablet users are viewing video over the Internet, either as live or deferred coverage.
Acme Packet expects that, with all the video packages, the aggregate of the world’s mobile traffic will increase 211 per cent of the normal level during the little over two weeks of the London Games.
Enterprise Strategy Group analyst Jon Olstik advises companies to take precautions against congestion of their information networks during Olympic traffic peak periods.
U.S. security authorities are warning businesses of various phishing and malware penetration attempts in the next few weeks.
“The best defense is conventional monitoring of the amount of information flows. If it suddenly rises sharply, network managers can react quickly to the change,” McCain said.
Evidence of the capacity limits of data networks was seen on Sunday, when Olympic Games organizers urged the public to avoid unnecessary text messaging and use of social network services and mobile phones. Reuters reported that the mobile phone network congestion hampered television.
Source: http://m.tietoviikko.fi/Uutiset/Lontoo+venytt%C3%A4%C3%A4+tietoverkkokapasiteetin+%C3%A4%C3%A4rirajoille
Tomi says:
Korea’s second largest mobile operator KT joined the long list of companies that have suffered a serious security breach. Customer information such as names and phone numbers of 8.7 million customers was exported. The intruders were selling the information for telemarketing for profit.
Korea suffered an even greater intrusion in November last year: data on 13 million customers from gaming company Nexon.
Korea’s leading mobile operator SK Comms suffered a web site break-in earlier last year: 35 million customers.
Source: http://www.itviikko.fi/uutiset/2012/07/30/operaattori-murrettiin-9-miljoonaa-uhria/201234556/7?rss=8
Tomi says:
Hacking against major parties has become more common.
Although the parties themselves are the victims, they are often criticized by angry customers.
Many companies have recently been confronted with an action for damages.
Source: http://www.itviikko.fi/uutiset/2012/06/28/murrettu-stratfor-karistaa-joukkokanteen-harteiltaan/201232415/7
Tomi says:
Expert: Huawei routers are riddled with vulnerabilities
http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-riddled-with-vulnerabilities/?part=rss&subj=news&tag=title
German security researcher says the Chinese government doesn’t need to demand back doors on Huawei routers because there are already major holes in their firmware.
A German security researcher says he has uncovered several security holes in routers made by China-based Huawei that are used by many Internet service providers — vulnerabilities that could allow attackers to take control of the devices and snoop on peoples’ traffic.
Huawei routers are mostly used in Asia, Africa and the Middle East. Because they’re cheap, though, they’re increasingly turning up in other parts of the world.
The problem is due to the use of “1990s-style code” in the firmware of some Huawei VRP routers, he said.
With a known exploit, an attacker could get access to the systems, log in as administrator, change the admin passwords and reconfigure the systems, which would allow for interception of all the traffic running through the routers.
The research is scary for not only the ISPs using the vulnerable routers, but also for millions of their customers who don’t realize that their communications could be spied on, said Dan Kaminsky, security expert and chief scientist at DKH.
“It’s a big deal for routers to get broken into,” especially those made by the fastest growing router manufacturer
Tomi says:
Microsoft Releases Attack Surface Analyzer Tool
http://developers.slashdot.org/story/12/08/06/1311224/microsoft-releases-attack-surface-analyzer-tool
“Microsoft has released the public version of Attack Surface Analyzer, a tool designed to help software developers and independent software vendors assess the attack surface of an application or software platform. The tool was pushed out of beta with Version 1.0 released on Thursday. Since ASA doesn’t require the original source code, managers and executives can also use the tool to determine how a new application or software being considered would affect the organization’s overall security before deploying it.”
Tomi Engdahl says:
My Opinion On Hacking on the Factory Floor
http://www.designnews.com/author.asp?section_id=1386&doc_id=248251&cid=Newsletters+-+DN+Daily
At first glance, I asked myself, “Why would someone want to hack into somebody’s network on a factory floor?” The simple answer is: because they can. The less simple and more disturbing answer is: because they want to disrupt someone’s business. You’d hate to think that a competitor would initiate something like that, but you never know.
One of the more eye-opening presentations on this topic was delivered by Chuck Tommey, of A&E Engineering. Tommey is a senior controls systems engineer with 18 years of experience in the field. His presentation was titled, “How Hackers View Your Control System & What You Can Do About It.” The quote that got my attention was, “I’m scared silly. Very few plants are even close to thinking seriously about cybersecurity.”
It’s certainly no surprise that the “networked plant” has arrived and is here to stay. You could easily argue that the “networked world” is here to stay. What I learned at these presentations is that cybersecurity is not keeping pace, not by a long shot.
It’s to the point that our government is taking notice and is quite concerned about the issue. In fact, one prominent government blogger recently wrote about how Senators Joe Lieberman and Susan Collins, along with the Department of Homeland Security, hosted a cybersecurity demonstration. The purpose was to highlight some of the hackers’ methods and show how to protect against them.
As evidenced regularly by our own Black Hat developers, no network is 100 percent bulletproof. But the harder you can make it, the more likely that the perpetrators will simply go looking elsewhere for a network to break into. Make sure you’re not that “other network” that gets hacked.
Tomi Engdahl says:
Cyber-war on terrorism
http://www.edn.com/electronics-blogs/anablog/4391295/Cyber-war-on-terrorism?cid=EDNToday
According to a NY Times reporter, President Obama secretly ordered cyber-attacks to disrupt computer systems at Iran’s main nuclear enrichment facilities. The code names for the “worms” are Stuxnet and Flame. These are accelerated attacks begun in the Bush administration code-named Olympic Games.
NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), based in Tallinn, Estonia, is the sponsor of the Manual on International Law Applicable to Cyber Warfare, written by a group of world-class international law and law of armed conflict experts.
Tomi Engdahl says:
The future of connected device security
http://www.edn.com/design/systems-design/4391466/The-future-of-connected-device-security?cid=EDNToday
The electronics world is seeing rapid growth in sophistication, driven by M2M intelligence, multimedia capability, Internet connectivity, and high value financial transactions. These capabilities imply juicy attack vectors (the network) as well as a more attractive target for hackers, generating new security requirements that electronics designers must learn and embrace.
This article discusses some of the important emerging security requirements, and practical implementation guidance, for designers. Topics include hardware and software roots of trust, data storage protection, and secure network connectivity.
Tomi Engdahl says:
Do smartphones really need antivirus software?
http://www.edn.com/electronics-blogs/beyond-bits-and-bytes/4376747/Do-smartphones-really-need-antivirus-software-?cid=EDNToday
Today smartphones are no longer used just as phones. They are highly sophisticated and complex devices with advanced capabilities like email, GPS navigation, Internet and many other applications like VPN to be able to connect to corporate firewalls.
The sandbox typically provides a tightly-controlled set of resources for guest programs to run in, such as scratch space on disk and memory. In this sense, sandboxes are a specific example of virtualization as if you are running every single application in its own virtual machine.
This means that no malicious software can do much harm by simply being installed.
This simply means that any antivirus software that one installs would not be able to scan other apps, or data used by other apps.
Apart from sandboxing, most modern smartphone operating systems include a “kill switch” feature – a feature that can remotely delete software and edit code without the user’s permission.
Since the apps are sandboxed, antivirus software would not have the ability to scan other malware apps. And the fact that apps can be remotely removed by the vendor with a “kill switch” feature just makes antivirus on smartphones completely useless. I would like to still hear from others if they think otherwise?
Tomi Engdahl says:
Google Exec, Others Advise Tight Web Security After Writer Hack
http://slashdot.org/topic/cloud/google-exec-others-advise-tight-web-security-after-writer-hack/
Google, Facebook, Amazon, Apple and other companies are advising tighter security or adjusting their security policies after a high-profile hack.
Earlier in August, a cyber-attack on Wired writer Mat Honan’s digital life attracted a good deal of media attention, much of it driven by his lengthy article on how the attackers gained access to his Google, Apple, Amazon, and Twitter accounts.
Those attackers obtained the last four digits of Honan’s credit card number by engaging in a little social engineering with Amazon tech support. Armed with that bit of information, as well as the credit card’s billing address, they convinced AppleCare to issue a temporary password to Honan’s Apple ID. From there, they wiped his MacBook, seized control of his Gmail and other identities, and humiliated him on Twitter.
In the wake of that assault, Apple reviewed its process for resetting passwords.
Amazon also reportedly plugged its security hole, removing customers’ ability to change account settings such as email addresses over the phone.
Even as those companies’ teams moved to patch the holes, others moved to offer security tips.
Although users can bolster their online security with two-factor authentication, strong passwords, and decoupling their accounts from the same email addresses, those methods also make online life more inconvenient. But that inconvenience may pale compared to the costs associated with a cyber-attack.
Tomi Engdahl says:
How Apple and Amazon Security Flaws Led to My Epic Hacking
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.
In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.
Those security lapses are my fault, and I deeply, deeply regret them.
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information.
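The daisy chain described in the two comments above can be modelled as a small dependency graph to see which accounts fall from publicly known facts and which single hardening step protects the most. This is an added example, not part of the original article; the fact names, the simplified Amazon phone-support path and the assumption that the Gmail reset went to the Apple mailbox are illustrative.

```python
"""Account-recovery chain analysis over a constructed model of the incident."""

# Each account lists its recovery paths (any one path suffices; a path is the
# set of facts a caller must present) and the facts exposed once it is taken.
# The chain follows the article; the exact fact names are assumptions.
ACCOUNTS = {
    "amazon": {
        "paths": [{"name", "email_address", "billing_address"}],  # phone support, simplified
        "exposes": {"card_last4"},
    },
    "apple_id": {
        "paths": [{"card_last4", "billing_address"}],  # AppleCare temporary password
        "exposes": {"apple_mailbox", "remote_wipe"},
    },
    "gmail": {
        "paths": [{"apple_mailbox"}],  # assumed: reset mail goes to the Apple address
        "exposes": {"gmail_mailbox"},
    },
    "twitter": {
        "paths": [{"gmail_mailbox"}],
        "exposes": set(),
    },
}

PUBLIC_FACTS = {"name", "email_address", "billing_address"}  # assumed discoverable


def compromise_order(accounts, known):
    """Return accounts in the order they fall, by fixed-point iteration."""
    known = set(known)
    fallen = []
    progress = True
    while progress:
        progress = False
        for name, acct in accounts.items():
            if name in fallen:
                continue
            if any(path <= known for path in acct["paths"]):
                fallen.append(name)
                known |= acct["exposes"]
                progress = True
    return fallen


def harden(accounts, name, extra_fact):
    """Copy of the model where every recovery path of `name` also needs extra_fact."""
    out = {k: {"paths": [set(p) for p in v["paths"]], "exposes": set(v["exposes"])}
           for k, v in accounts.items()}
    out[name]["paths"] = [p | {extra_fact} for p in out[name]["paths"]]
    return out


def saved_by_hardening(accounts, known):
    """For each account, list the accounts that stay safe if only it is hardened."""
    baseline = set(compromise_order(accounts, known))
    result = {}
    for name in accounts:
        model = harden(accounts, name, "second_factor:" + name)
        result[name] = sorted(baseline - set(compromise_order(model, known)))
    return result


if __name__ == "__main__":
    print("baseline:", compromise_order(ACCOUNTS, PUBLIC_FACTS))
    for name, saved in saved_by_hardening(ACCOUNTS, PUBLIC_FACTS).items():
        print(f"harden {name:9s} -> protects {saved}")
```

In this model a second factor on Gmail protects Gmail and Twitter, which matches the article's remark about two-factor authentication, while hardening the first link protects the whole chain.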
Tomi Engdahl says:
The road to safer, more stable, and flashier Flash
http://blog.chromium.org/2012/08/the-road-to-safer-more-stable-and.html
A little more than two years ago, engineers on the Chrome team began a very ambitious project. In coordination with Adobe, we started porting Flash from the aging NPAPI architecture to our sandboxed PPAPI platform.
At its core, NPAPI is a thin layer of glue between the web browser and a native application. In the early days of the Web this provided a tremendous advantage, because it allowed third-party plug-ins to evolve rapidly and implement new capabilities, moving the whole web forward. Unfortunately, as the web evolved, the past benefits of NPAPI became liabilities.
With last week’s Chrome Stable release, we were finally able to ship PPAPI Flash to all Windows Chrome users, so they can now experience dramatically improved security and stability as well as improved performance down the line.
Windows Flash is now inside a sandbox that’s as strong as Chrome’s native sandbox, and dramatically more robust than anything else available. And for the first time ever, Windows XP users (specifically, over 100 million Chrome users) have a sandboxed Flash—which is critical given the absence of OS support for security features like ASLR and integrity levels.
Beyond the security benefits, PPAPI has allowed us to move plug-ins forward in numerous other ways. By eliminating the complexity and legacy code associated with NPAPI, we’ve reduced Flash crashes by about 20%.
Moving forward, we’re finishing off the PPAPI Flash port for Mac OS X and hope to ship it soon. And Linux users have already been benefiting from PPAPI Flash since Chrome 20, along with Chrome OS users who have been running it for almost a year.
Tomi Engdahl says:
The Dark Side of Mobility
http://www.controleng.com/home/single-article/the-dark-side-of-mobility/4e35e850e685db095fbde54edf9a331a.html
Sure, the idea of “iPhone as HMI” is convenient, but it opens a whole new range of cyber vulnerabilities. Is the functionality worth the risk? Many users are already deploying the technology without sufficient safeguards.
HMIs, maintenance interfaces, and remote administration functions that were once proprietary can now be installed and programmed in Apple’s iOS and Google’s Android operating systems. Human beings are excellent at making work simpler; however, how does one address the additional cyber risk that our traditional five senses do not manage?
Google Android and Apple iOS devices serve the purposes of all three of the control system vulnerability gateways: They are wireless, support remote access, and are portable user-following devices. Over the past year, Android and iOS control system applications have become available for purchase or even free download.
However, any application using these devices requires IEEE 802.11 wireless access to be existent or added to the control system environment. Why? Most Apple iOS and Google Android devices simply do not have the option to use physical network cabling. This fact led to the Cybati IEEE 802.11 wireless node study.
We had no trouble finding a few control system components on protected wireless networks and on unprotected ones as well.
Here are some questions you should ask yourself and the business before allowing remote access, wireless, and user-controlled portable devices on the control network.
• Operations: Who will use it? Where will it be used? When will it be used? How will it increase productivity?
• Personnel: How should current safety and security operations be altered to accommodate this mobile application?
• Security: Recognizing that security is a state of mind, what additional controls will be put in place now that a highly portable device can gain access to the control network using a local wireless network and/or an international telecommunication provider?
Ultimately you have to ask yourself whether the new mobile application is still valuable after considering these points.
Tomi Engdahl says:
Stonesoft: Stuxnet, Duqu, Flame, and Gauss all from the United States
Stonesoft cyber security manager Jarno Limnell believes that Gauss is designed to monitor the cash flows in the Middle East. Two-thirds of the infections have so far been found in Lebanon, which is the nest of the political and military organization Hezbollah.
It is possible that the findings are part of cyber-war between the United States and Russia. Russia exposes American cyber-weapons. The Russian company Kaspersky has made most of the recent major discoveries of malware.
Source: http://www.tietoviikko.fi/kaikki_uutiset/stonesoft+stuxnet+duqu+flame+ja+gauss+kaikki+peraisin+yhdysvalloista/a828393?s=r&wtm=tietoviikko/-14082012&
Tomi Engdahl says:
BYOD exposes the perils of cloud storage
http://www.computerworld.com/s/article/9228147/BYOD_exposes_the_perils_of_cloud_storage
The dangers of using consumer cloud storage systems became clearer earlier this month, when a hacker claimed that he accessed presidential candidate Mitt Romney’s Dropbox storage and email accounts using an easily cracked password.
The apparent hack of Romney’s accounts came on the heels of IBM’s rollout of a bring-your-own-device (BYOD) policy that bans the use of Dropbox due to concerns that hackers could easily access sensitive information stored there.
“IBM has the world’s biggest BYOD program, and they just locked down Evernote and Dropbox because they discovered their future product plans and all sorts of really sensitive data was being beamed automatically out to these services,” said Dion Hinchcliffe, an executive vice president at IT consulting firm Dachis Group.
Though companies are increasingly tightening their BYOD policies, most have yet to address the use of consumer apps and services such as cloud storage on mobile devices.
“Cloud data centers are becoming high-value targets” of data thieves, said Hinchcliffe, raising the possibility that “someone inside the company with the keys to the castle” could be bribed to share data with hackers. “There’s a lot of temptation,” he added.
If a cloud storage app has been downloaded, “there’s probably a corresponding machine they’re placing documents on that we don’t own,” Malcom said. “We’re starting to get in front of it [and] we’re trying to provide a corporately blessed service.”
Malcom said that he hopes to start pushing employees toward using a corporate SharePoint system for content-sharing, though he acknowledges that it’s not user-friendly on an iPad.
“If we can find someone like a Box.net that we can enter into an enterprise agreement with and help reduce some liability, we’d like to offer [that] to our user community,” he said.
Tomi says:
Mac App Store Security Breach Issue
http://vimeo.com/47320867
A video demonstration of the issue found with Apple’s App Stores and iTunes Store. The bug allows you to download any software for free (until it is fixed).