Security trends for 2013

The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of new cyber-threats against enterprises and mobile devices, so cyber security is a mobile issue too.

Security is becoming an increasingly important issue, and 2013 is the year of cyber security. Security company Stonesoft predicts that we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will keep increasing. According to Stonesoft, current security systems are unable to provide adequate protection against targeted attacks: we need proactive cyber protection and a willingness to face unknown threats.

Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian and Israeli governments in 2012, and is warning people to expect more of the same.

SCADA security was hit hard in 2012. Some of the big manufacturers that were hit have learned their lessons and now test their devices more thoroughly. But how do the smaller manufacturers security-test? Metasploit has a special category for SCADA devices. It is a good idea to test your devices against it.

There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation standard IEC 61508, security is addressed only in an informative way (not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.

Nowadays you need to think about SCADA system security more than a few years ago. Previously, it was thought sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough; nowadays you need to think about the information security of the production automation systems themselves. You can’t keep automation systems isolated from the Internet: accidental connections from supposedly isolated networks happen, malware can spread through USB memory sticks (Stuxnet did exactly that), and there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.

Systems with SCADA vulnerabilities have become easier to find. The Hackers tap SCADA vuln search engine article tells that a search engine that indexes servers and other internet devices is helping hackers find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls: it makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities, and it can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.

The Thousands of SCADA Devices Discovered On the Open Internet article tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.

Researchers have also found crippling flaws in GPS receivers. Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies, including planes, ships and unmanned drones. GPS is also used to generate accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in smart grids and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.


The Happy now? Mobiles, cloud, big data now ‘a growing security risk’ article tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that their emergence would bring an associated increase in cyber threats. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.

Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.

The Africa’s Coming Cyber-Crime Epidemic article tells that the last decade may have been just the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and lax law enforcement makes it a perfect petri dish for increased cybercrime.

Europe-wide cyber policing has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime targeting both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments, and closely with the FBI and the US Secret Service, in addition to other foreign agencies.

1,930 Comments

  1. Tomi Engdahl says:

    58,000 Security Camera Systems Critically Vulnerable To Attackers
    http://it.slashdot.org/story/13/01/29/0111238/58000-security-camera-systems-critically-vulnerable-to-attackers

    “Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company’s firewall, according to tests by two security researchers.”

    “commands sent to a Swann DVR via port 9000 were accepted without any authentication.”

    “To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP)”

    Reply
  2. Tomi Engdahl says:

    More Than A Dozen Brands Of Security Camera Systems Vulnerable To Hacker Hijacking
    http://www.forbes.com/sites/andygreenberg/2013/01/28/more-than-a-dozen-brands-of-security-camera-systems-vulnerable-to-hacker-hijacking/

    Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will

    security firm Rapid7’s chief security officer H.D. Moore, has discovered that 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet

    “The DVR gives you access to all their video, current and archived,” says Moore. “You could look at videos, pause and play, or just turn off the cameras and rob the store.”

    To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPNP) which maps the devices’ location to any local router that has UPNP enabled–a common default setting.

    Rapid7’s Moore confirmed someLuser’s findings and traced the problem in the Swann machine to the device’s firmware sold by Ray Sharp. He then used the scanning tool NMAP to dig up thousands of vulnerable machines visible on the Internet. “It’s just a boneheaded decision on the part of [Ray Sharp],” says Moore. “Fifty-eight thousand homes and businesses are exposed because of the way these things cut holes in the firewall.”

    No simple fix exists for the DVR vulnerability until Ray Sharp or the vendors that use its firmware issue an update, say the researchers. But someLuser suggests owners of the affected DVRs temporarily disable UPNP on their Internet routers to prevent the device from making itself accessible from external connections.

    Reply
  3. Tomi Engdahl says:

    WhatsApp is broken, really broken
    http://fileperms.org/whatsapp-is-broken-really-broken/

    WhatsApp, the extremely popular instant messaging service for smartphones that delivers more than ~1billion messages per day has some serious security problems. I will try to give a detailed analysis on some of the issues.

    Until August 2012, messages sent through the WhatsApp service were not encrypted in any way, everything was sent in plaintext.

    The authentication is a security nightmare. On Android, the password is an md5 hash of the reversed IMEI number. The username is the user’s mobile phone number.

    When WhatsApp starts it will send all numbers from your phone’s address book to the WhatsApp servers and check which numbers are registered with WhatsApp.

    Conclusion

    Do not use WhatsApp. Really, don’t.

    Reply
  4. Tomi Engdahl says:

    Google offers $3.14159 MILLION in prizes for hacking Chrome OS
    Third Pwnium contest offers hackers a piece of the pie
    http://www.theregister.co.uk/2013/01/29/google_third_pwnium_prizes/

    Google has announced the target for its third Pwnium hacking contest, to be held at this year’s CanSecWest security conference, with $3.14159m in prize money for the researchers who can successfully crack its Chrome OS operating system.

    Reply
  5. Tomi Engdahl says:

    The EU-funded plan to stick a “flag this as terrorism” button in your browser
    CleanIT has some odd ideas on stopping online extremism.
    http://arstechnica.com/tech-policy/2013/01/the-eu-funded-plan-to-stick-a-flag-this-as-terrorism-button-in-your-browser/

    Terrorists, beware! The European Union-funded “CleanIT” project has just wrapped up its work, aimed at preventing online terrorist propaganda and recruitment within Europe.

    The final report has shed some of its earlier outrageous ideas—such as OS and browser-level monitoring as a condition of selling software products in the EU.

    Nevertheless, CleanIT now advocates for increased cooperation between EU member states and argues that governments “should take an active role in reducing terrorist use of the Internet.” In addition, Internet companies should “state clearly in their terms and conditions that they will not tolerate terrorist use of the Internet on their platforms, and how they define terrorism.”

    To do this, governments and Web companies will rely in part on users, thanks to a proposed “browser-based reporting mechanism [that] could be developed to allow end users to report terrorist use of the Internet.” Translation: a big “flag this site for terrorist activity” button in your favorite Web browser.

    What could go wrong? Well, plenty, especially if the flagging leads to mandatory action as it does in the case of copyright infringement.

    And assuming everyone can agree on precisely what is and isn’t a “terrorist website,” what’s to stop such a site from simply moving outside of the 27-nation bloc? Not much, unless the EU wants ISPs to blacklist such sites.

    Reply
  6. Tomi Engdahl says:

    WhatsApp violates privacy laws over phone numbers: report
    http://www.reuters.com/article/2013/01/28/us-whatsapp-privacy-idUSBRE90R0T520130128

    WhatsApp, one of the most popular apps in the world, contravenes international privacy laws because it forces users to provide access to their entire address book, Canadian and Dutch data protection authorities said.

    Reply
  7. Tomi says:

    US free to grab EU data on American clouds
    http://euobserver.com/justice/118857

    An obscure section in a US law is said to entitle authorities to access, without a warrant, data stored by any EU citizen on clouds run by American companies.

    Although highly controversial for its indirect effects on Americans, the impact of the law appears to have been overlooked by its intended target – everyone else.

    Reply
  8. Tomi says:

    Turn off UPnP now!
    http://www.epanorama.net/blog/2013/01/30/turn-off-upnp-now/

    The U.S. government warns of hack threat to network gear article tells that the Department of Homeland Security urged computer users on Tuesday to disable a feature known as Universal Plug and Play or UPnP because new security bugs were initially brought to the attention

    Researchers find millions of vulnerable Net-facing printers, cams, and routers.

    Rapid7 identified 6,900 products sold by 1,500 separate vendors that contained at least one UPnP vulnerability. The company said it discovered between 40 million and 50 million devices that were vulnerable to attack due to three separate sets of problems.

    Reply
  9. Tomi Engdahl says:

    Chinese Hack New York Times
    http://yro.slashdot.org/story/13/01/31/0338206/chinese-hack-new-york-times

    “According to a headline article in the New York Times, they admit to being hacked by the Chinese, and covers the efforts of Mandiant to investigate, and then to eradicate their custom Advanced Persistent Threats (APT).”

    Reply
  10. Tomi Engdahl says:

    Hackers in China Attacked The Times for Last 4 Months
    http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=3&_r=1&

    In part to prevent that from happening, The Times allowed hackers to spin a digital web for four months to identify every digital back door the hackers used. It then replaced every compromised computer and set up new defenses in hopes of keeping hackers out.

    “Attackers target companies for a reason — even if you kick them out, they will try to get back in,”

    Based on a forensic analysis going back months, it appears the hackers broke into The Times computers on Sept. 13, when the reporting for the Wen articles was nearing completion. They set up at least three back doors into users’ machines that they used as a digital base camp. From there they snooped around The Times’s systems for at least two weeks before they identified the domain controller that contains user names and hashed, or scrambled, passwords for every Times employee.

    While hashes make hackers’ break-ins more difficult, hashed passwords can easily be cracked using so-called rainbow tables

    Investigators found evidence that the attackers cracked the passwords and used them to gain access to a number of computers.

    Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

    The attackers were particularly active in the period after the Oct. 25 publication of The Times article about Mr. Wen’s relatives

    “They could have wreaked havoc on our systems,” said Marc Frons, the Times’s chief information officer. “But that was not what they were after.”

    Reply
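    The report above says the hashed passwords taken from the Times’s domain controller were cracked with rainbow tables. The following is an added example, not code from the Times, Mandiant or this blog: it shows in Python why an unsalted digest falls to a precomputed table while a per-user random salt with a slow KDF (PBKDF2) forces the attacker to start over for every single user. The wordlist, usernames and passwords are constructed for the demonstration.

    ```python
    import hashlib
    import hmac
    import os

    # Constructed wordlist standing in for the precomputed table an attacker
    # carries to a dump of unsalted password hashes (a rainbow table is the
    # space-efficient form of the same idea).
    WORDLIST = ["password", "letmein", "Winter2012", "Times2013!", "qwerty"]
    ITERATIONS = 50_000  # PBKDF2 work factor; raise it in production


    def unsalted_hash(password: str) -> str:
        """Weak scheme: deterministic, unsalted digest. Equal passwords give
        equal digests in every dump, so one precomputed table serves forever."""
        return hashlib.sha1(password.encode("utf-8")).hexdigest()


    def build_table(wordlist, hash_fn) -> dict:
        """Precompute digest -> plaintext once; each later lookup is one probe."""
        return {hash_fn(word): word for word in wordlist}


    def crack_dump(table: dict, dump: dict) -> dict:
        """Map each dumped user to a plaintext when its digest is in the table."""
        return {user: table[digest] for user, digest in dump.items() if digest in table}


    def pbkdf2_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
        """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


    def make_record(password: str) -> tuple:
        """Store (salt, digest); the salt need not be secret, only unique."""
        salt = os.urandom(16)
        return salt, pbkdf2_hash(password, salt)


    def verify(password: str, record: tuple) -> bool:
        """Constant-time comparison of the recomputed digest against the stored one."""
        salt, expected = record
        return hmac.compare_digest(pbkdf2_hash(password, salt), expected)


    def unsalted_dump_falls_to_table() -> dict:
        """Constructed dump of four users; three chose wordlist passwords and
        two of them share one, so a single table entry breaks both at once."""
        users = [("alice", "Winter2012"), ("bob", "letmein"),
                 ("carol", "Winter2012"), ("dave", "h7#Qv!z9Lp")]
        dump = {user: unsalted_hash(pw) for user, pw in users}
        return crack_dump(build_table(WORDLIST, unsalted_hash), dump)


    def salted_record_resists_table() -> bool:
        """A table precomputed under one salt never matches a record made with
        another salt, so the attacker must redo the slow KDF per user."""
        attacker_salt = os.urandom(16)
        table = build_table(WORDLIST, lambda w: pbkdf2_hash(w, attacker_salt))
        _, digest = make_record("Winter2012")  # wordlist password, fresh salt
        return crack_dump(table, {"alice": digest}) == {}


    if __name__ == "__main__":
        print("unsalted dump cracked:", unsalted_dump_falls_to_table())
        print("salted record survives precomputed table:", salted_record_resists_table())
    ```
    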
  11. Tomi Engdahl says:

    Symantec Gets A Black Eye In Chinese Hack Of The New York Times
    http://www.forbes.com/sites/andygreenberg/2013/01/31/symantec-gets-a-black-eye-in-chinese-hack-of-new-york-times/

    Having your email hacked and malicious software spread on your servers for months may be embarrassing. But being outed as the antivirus vendor that failed to catch the vast majority of that malware is likely more humiliating still.

    One fact, however, will be of particular concern to the world’s largest antivirus firm, Symantec: Out of the 45 different pieces of malware planted on the Times’ systems over the course of three months, just one of those programs was spotted by the Symantec antivirus software the Times used, according to Mandiant, the data breach response firm hired by the Times. The other 44 were only found in Mandiant’s post-breach investigation months later, according to the Times’ report.

    Symantec, which sells the widely-used Norton Antivirus, declined to comment

    It may come as little surprise that antivirus programs largely fail to detect the type of custom-built malware the Times’ hackers used, as opposed to previously-seen strains of malicious software often re-deployed by less sophisticated cybercriminals. A study by the Times’ breach response firm, Mandiant, in 2010 found that only 24% of the custom malware it found on its clients’ systems had been detected by antivirus.

    Another analysis performed by the security firm Imperva along with the Technion Israeli Institute of Technology found that antivirus managed to detect only 5% of new threats, and that it took an average of four weeks for antivirus firms to identify a new piece of malicious code.

    It’s not clear exactly what lesson companies can draw from the Times’ penetration.

    Reply
  12. Tomi Engdahl says:

    Chinese Hackers Hit U.S. Media
    Wall Street Journal, New York Times Are Breached in Campaign That Stretches Back Several Years
    http://online.wsj.com/article/SB10001424127887323926104578276202952260718.html?mod=WSJEurope_hpp_LEFTTopStories

    Chinese hackers believed to have government links have been conducting wide-ranging electronic surveillance of media companies including The Wall Street Journal, apparently to spy on reporters covering China and other issues, people familiar with the incidents said.

    Chinese hackers for years have targeted major U.S. media companies with hacking that has penetrated inside newsgathering systems, several people familiar with the response to the cyberattacks said. Tapping reporters’ computers could allow Beijing to identify sources on articles and information about pending stories. Chinese authorities in the past have penalized Chinese nationals who have passed information to foreign reporters.

    Chinese Embassy spokesman Geng Shuang condemned allegations of Chinese cyberspying. “It is irresponsible to make such an allegation without solid proof and evidence,” he said. “The Chinese government prohibits cyberattacks and has done what it can to combat such activities in accordance with Chinese laws.” He said China has been a victim of cyberattacks but didn’t say from where.

    The U.S. government has grown increasingly concerned about Chinese spying on the government and U.S. corporations

    Google Inc. and EMC Corp. computer-security unit RSA, among others, have said that their systems have been infiltrated. People familiar with those breaches said they were connected to the Chinese government.

    The intelligence report discussed the extensive theft of data from global energy companies and proprietary data such as client lists and acquisition plans at other companies.

    Cyberspecialists said the goals of hacking can include industrial espionage, insider trading and tracking potentially damaging information.

    Reply
  13. Tomi Engdahl says:

    Cisco Security Reports: Understanding Advanced Cyber Threats
    http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html

    Highlights of the Report:

    Android malware grows 2577% over 2012; mobile only makes up 0.5% of total web malware encounters.

    Online advertisements are 182 times more likely to deliver malicious content than pornographic sites.

    Global spam volumes are down 18% overall, with spammers keeping banker’s hours for a 25% drop over the weekend.

    Global visibility into where malware and spam encounters occur and much more.

    Reply
  14. Tomi Engdahl says:

    US weighs tougher action over China cyberattacks
    http://www.google.com/hostednews/ap/article/ALeqM5hCnYzWnCqYzrWkZZFfkX8a0ZkI_A

    High-level talks with the Chinese government to address persistent cyberattacks against U.S. companies and government agencies haven’t worked, so officials say the Obama administration is now considering a range of actions.

    China-based hackers have long been an economic and national security concern, but as cybersecurity experts report an increase in attacks, U.S. leaders are looking at ways to better address the threat and analyze its impact.

    U.S. cybersecurity worries are not about China alone. Administration officials and cybersecurity experts also routinely point to widespread cyberthreats from Iran and Russia, as well as hacker networks across Eastern Europe and South America

    The White House declined comment on whether it will pursue aggressive action on China.

    “The United States has substantial and growing concerns about the threats to U.S. economic and national security posed by cyber intrusions, including the theft of commercial information,” said spokesman Caitlin Hayden. “We have repeatedly raised our concerns with senior Chinese officials, including in the military, and we will continue to do so.”

    Reply
  15. Tomi Engdahl says:

    Chinese Hackers Hit U.S. Media
    Wall Street Journal, New York Times Are Breached in Campaign That Stretches Back Several Years
    http://online.wsj.com/article/SB10001424127887323926104578276202952260718.html

    Chinese hackers believed to have government links have been conducting wide-ranging electronic surveillance of media companies including The Wall Street Journal, apparently to spy on reporters covering China and other issues, people familiar with the incidents said.

    Reply
  16. Tomi Engdahl says:

    Apple has quietly set the OS X operating system’s malware blocker XProtect to block Java 7 Update 11.

    This is how Apple is trying to protect users from security threats, since the Java vendor Oracle has not been able to get Java’s shortcomings in order.

    Source: http://www.tietoviikko.fi/kaikki_uutiset/apple+sai+tarpeeksi+estaa+javan/a875700?s=r&wtm=tietoviikko/-02022013&

    Reply
  17. Tomi Engdahl says:

    Twitter: Keeping our users secure
    http://blog.twitter.com/2013/02/keeping-our-users-secure.html

    However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

    As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.

    We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers. For instructions on how to disable Java, read this recent Slate article.

    Reply
  18. Tomi Engdahl says:

    Washington talks cybersecurity after Chinese attacks
    http://www.politico.com/story/2013/02/washington-cybersecurity-china-attacks-87087.html

    Washington is grappling again with the prying eyes of Chinese hackers.

    A string of computer breaches at The New York Times, The Wall Street Journal, The Washington Post and other media organizations has drawn a frustrated response from the White House and galvanized lawmakers who have failed for years to improve the country’s cyberdefenses.

    There isn’t much the Obama administration or Congress could have done in advance to stave off the latest series of attacks. But the incidents illuminate the threats emanating from abroad, not to mention the lagging Washington work to protect tech companies, power plants, big banks and now major newspapers from them.

    “This is just another reminder of how relentless and sweeping China’s cyberattacks are,”

    “Foreign cyberattackers are targeting every aspect of the American economy every day and Congress needs to act with urgency to protect our national security and our economy.”

    The Pentagon, however, did not comment for this story. Still, the agency plays a critical role maintaining the country’s cyberdefenses: As it bulks up its military prowess in cyberspace, DoD is in the midst of rewriting its broad rules of engagement, which could specify more clearly when a cyberincident merits an official U.S. military response.

    “The revelation of repeated attempts by Chinese hackers to break into The New York Times and Wall Street Journal systems is yet another example of how vulnerable our nation is to cyberattacks,” said Rep. Mike McCaul (R-Texas), the new leader of the House Homeland Security Committee.

    “Attacks like this and the recent cyberattacks on U.S. banks are further evidence that we must harden our networks against espionage by enacting comprehensive cybersecurity legislation to bolster our defenses against enemies who seek to steal our intelligence, intellectual property and dismantle our critical infrastructure,” he said.

    “These latest reports of yet another sophisticated cyberattack — this time on several U.S. media outlets — underscores the scary reality of how vulnerable we really are to cybercriminals, terrorists and nation-states seeking to use technology to steal from us or do us harm,”

    Reply
  19. Tomi Engdahl says:

    Twitter Got Hacked. Expect More Companies to Follow.
    http://allthingsd.com/20130202/twitter-got-hacked-expect-more-companies-to-follow/

    The last week of tech headlines reads like some sort of cybersecurity end-of-days scenario. The New York Times hacked. The Wall Street Journal hacked. The Washington Post hacked.

    And finally on Friday, Twitter — one of the world’s largest Internet communication services — also hacked.

    “Who’s next?” you may be thinking. But the question to ask isn’t “Who’s next?” The question is, “Who will admit it next?”

    “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Director of Information Security Bob Lord wrote in the company blog post. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”

    This shouldn’t be surprising to anyone.

    The point is that “high value targets,” such as prominent Web companies, hold massive troves of interesting data, making them obvious and constant targets for outsider attack. It’s simply that we, the public, rarely hear about it.

    But here’s the truth: No system is 100 percent safe. No matter how secure a company tries to make its network, there’s still one giant, glaring point of access that hackers will always go after — you, the user.

    All it takes is an errant clicked link to exploit massive vulnerabilities in Java, a phishing attempt in a lookalike email.

    “Humans are the weakest link in any security strategy,” said Soltani.

    Reply
  20. Tomi Engdahl says:

    FTC issues new privacy guidelines for mobile firms
    ‘Clean up your act, or Congress may do it for you’
    http://www.theregister.co.uk/2013/02/02/ftc_mobile_privacy_guidelines/

    Protecting consumers’ privacy on their mobile devices is a complicated business, and platform vendors, app developers, and advertising networks all have their part to play, according to new guidelines from the US Federal Trade Commission (FTC).

    Platform vendors must lead the way

    In the FTC’s view, that effort must start with the mobile platform vendors, because their unique position within the mobile ecosystem enables them to set privacy disclosure requirements and enforce them on companies further down the food chain.

    “Platforms such as Apple, Google, Amazon, Microsoft, and Blackberry are gatekeepers to the app marketplace and possess the greatest ability to effectuate change with respect to improving mobile privacy disclosures,” the report states.

    For example, the FTC recommends that platform vendors design the APIs that expose users’ sensitive data so that they display just-in-time notifications to the user whenever an app tries to use them, and that they require the user’s express consent before they actually grant access to the data.

    Wanted: a Do Not Track for mobile

    Reply
  21. Tomi Engdahl says:

    Just what the world needs: Android in the rice cooker
    http://www.theregister.co.uk/2013/01/10/android_rice_cooker/

    Readers will remember some chilling demonstrations during 2012: the vulnerability of pacemakers to outside attack, for example (insulin pumps were already compromised in 2011), while McAfee (the company, not the nominative fugitive) maintained its long campaign to try and anticipate attacks against systems in cars.

    And they’ll remember 2012 for a procession of Android bugs and vulnerabilities

    However: with CES on the go, appliance makers pursue their belief that the world’s Jetsons-like future is best reached by turning formerly harmless devices into Android monsters – as noted in this Bloomberg BusinessWeek piece, all the way down to the rice cooker.

    “Panasonic’s Android-controlled SR-SX2 rice cooker”

    Now, keep in mind that this is a rice cooker: one of the simplest appliances possible

    And a rice-cooker is a product designed to operate a heating element, unattended.

    What could possibly go wrong?

    Reply
  22. Tomi Engdahl says:

    Google clue reveals public HP printers may spawn serious network threat
    http://www.cablinginstall.com/articles/2013/january/google-printers-vulnerable.html

    A simple, strategic Google search has revealed that over 86,000 public HP printers could allow cyber-criminals to successfully penetrate corporate networks and/or steal sensitive documents.

    U.K.-based mobile app developer Andrew Howard recently took to the public blogosphere to raise the issue of printer security, by demonstrating that a “quick, well-crafted Google search” could yield as many as 86,800 results for publicly accessible Hewlett-Packard printers.

    “There are security concerns here, as many printer models have known exploits, which can be used as an entry point to a private network.”

    Reply
  23. Tomi Engdahl says:

    Hackers hit U.S. Department of Energy
    http://news.cnet.com/8301-1009_3-57567581-83/hackers-hit-u.s-department-of-energy/?part=rss&subj=news&tag=title

    During a cyberattack on the agency’s computers and servers, the personal data of employees and contractors is stolen, but, reportedly, no classified data is leaked.

    “The Department of Energy has just confirmed a recent cyber incident that occurred in mid-January which targeted the Headquarters’ network and resulted in the unauthorized disclosure of employee and contractor Personally Identifiable Information,”

    The head of Homeland Security Janet Napolitano recently announced that she believes a wave of cyberattacks on U.S. infrastructure is a serious possibility. Dubbing such an event a “cyber 9/11,” Napolitano warned that cyberterrorists could take down the nation’s power grid, water infrastructure, transportation networks, and financial networks.

    While it doesn’t seem like the January cyberattack on the Department of Energy compromised any data or infrastructure, it does show that hackers were able to breach the government’s computer systems. In the e-mail, the agency said it is working to fortify itself against future attacks.

    Reply
  24. Tomi Engdahl says:

    Wireless Carriers Put on Notice About Providing Regular Android Security Updates
    https://threatpost.com/en_us/blogs/wireless-carriers-put-notice-about-providing-regular-android-security-updates-020413

    Activist Chris Soghoian, who in the past has targeted zero-day brokers with his work, has turned his attention toward wireless carriers and their reluctance to provide regular device updates to Android mobile devices.

    The lack of updates leaves millions of Android users sometimes upwards of two revs behind in not only feature updates, but patches for security vulnerabilities. Today during a session at the Kaspersky Lab Security Analyst Summit, Soghoian made a call for legislators to get involved in calling AT&T, Verizon, T-Mobile and Sprint on the carpet for their practices, or cede control to Google for providing regular updates to devices.

    “With Android, the situation is worse than a joke, it’s a crisis,” said Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union. “With Android, you get updates when the carrier and hardware manufacturers want them to go out. Usually, that’s not often because the hardware vendor has thin [profit] margins. Whenever Google updates Android, engineers have to modify it for each phone, chip, radio card that relies on the OS. Hardware vendors must make a unique version for each device and they have scarce resources. Engineers are usually focused on the current version, and devices that are coming out in the next year.”

    Reply
  25. Tomi Engdahl says:

    “The animal watering hole” – a new weapon for corporate espionage

    F-Secure describes a new trend in its security report.

    F-Secure explains that in the past, enterprise systems were mainly hacked through files. The tool was often a credible, customised e-mail message accompanied by a document containing the attack. The attack struck a security hole in the office software in use.

    The watering hole technique (the name refers to the common drinking place where different animals congregate) contaminates a common website that employees visit.

    One example of this was the U.S. Council on Foreign Relations.

    F-Secure recommends that companies consider new kinds of security techniques, such as “white lists” for DNS servers.

    Source: http://www.tietokone.fi/uutiset/elainten_juomapaikka_yritysvakoilun_uusi_ase

    Reply
  26. Tomi Engdahl says:

    Trade group wants U.S.-China action on cyber security threats
    http://www.reuters.com/article/2013/02/04/us-usa-china-trade-idUSBRE9130Y220130204

    (Reuters) – U.S. companies want the U.S. and Chinese governments to work together to address the growing problem of cyber attacks that threaten to undermine trade between the world’s two largest economies, a U.S. business leader said on Monday.

    Reply
  27. Tomi Engdahl says:

    ‘Chinese still hacking us,’ says Wall Street Journal owner
    http://news.cnet.com/8301-1009_3-57567831-83/chinese-still-hacking-us-says-wall-street-journal-owner/

    Rupert Murdoch takes to Twitter to say that his newspaper’s computer system is still under cyberattack.

    Several U.S. media outlets experienced a massive wave of cyberattacks allegedly coming from the Chinese military over the last few months. While some newspapers have claimed that their networks are now safe, the Wall Street Journal may still be a victim of the online onslaught.

    The newspaper’s owner Rupert Murdoch tweeted today, “Chinese still hacking us, or were over weekend.”

    Reply
  28. Tomi Engdahl says:

    Broad Powers Seen for Obama in Cyberstrikes
    http://www.nytimes.com/2013/02/04/us/broad-powers-seen-for-obama-in-cyberstrikes.html?_r=2&

    A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review.

    That decision is among several reached in recent months as the administration moves, in the next few weeks, to approve the nation’s first rules for how the military can defend, or retaliate, against a major cyberattack.

    New policies will also govern how the intelligence agencies can carry out searches of faraway computer networks for signs of potential attacks on the United States and, if the president approves, attack adversaries by injecting them with destructive code — even if there is no declared war.

    The rules will be highly classified, just as those governing drone strikes have been closely held.

    Cyberweaponry is the newest and perhaps most complex arms race under way. The Pentagon has created a new Cyber Command, and computer network warfare is one of the few parts of the military budget that is expected to grow.

    Reply
  29. Tomi Engdahl says:

    Enterprise websites are targets. WhiteHat raises $31M to extend website security lead
    http://pandodaily.com/2013/02/05/whitehat-raises-31m-to-extend-enterprise-website-security-lead/

    “Every company has a founding story,” WhiteHat Founder and CTO Jeremiah Grossman says. “WhiteHat’s takes place a bit over 10 years ago, when I was asked to hack every website that Yahoo had before the bad guys could.”

    WhiteHat Sentinel is a cloud website vulnerability management platform that delivers actionable insights to enterprise and small and medium sized enterprise (SME) security engineers. The company recently added mobile platform and pre-deployment application source code testing in its Sentinel Mobile and Sentinel Source products.

    “Web application vulnerabilities are rising at an alarming rate in recent years and can have a dramatic impact on a company’s business and reputation,” JMI Equity General Partner Peter Arrowsmith says. “WhiteHat’s holistic approach to security throughout the software development lifecycle – from source code through completed production application – provides an advantage that few security providers can achieve.”

    WhiteHat is the undisputed leader of the application security market, which is projected to reach $1 billion by 2014, according to 451 Group research, while the subset dynamic application security testing (DAST) market is predicted to reach $453 million.

    The company has no direct peer. Companies either choose its technology, costly consultants, or desktop scanning software that doesn’t solve the problem at scale.

    “The most common misconception in our space is that your websites are protected because you have firewalls, and anti-virus and anti-intrusion software in place,” Grossman says. “Sony and everyone else hacked publicly in the last few years had these. Once you leave the door open, all bets are off.”

    Reply
  30. Tomi Engdahl says:

    Fed says internal site breached by hackers, no critical functions affected
    http://www.reuters.com/article/2013/02/06/net-us-usa-fed-hackers-idUSBRE91501920130206

    The admission, which raises questions about cyber security at the Fed, follows a claim that hackers linked to the activist group Anonymous had struck the Fed on Sunday, accessing personal information of more than 4,000 U.S. bank executives, which it published on the Web.

    “The Federal Reserve system is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product,” a Fed spokeswoman said.

    “Exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve system,”

    Reply
  31. Tomi Engdahl says:

    embedded world 2013: focus on safety and security

    “The embedded world Conference is Europe’s top gathering for all embedded system developers.

    “The main themes this year are ‘Safety and Security of Embedded Systems’ and ‘Development of Ultra Low Power Applications’, both key themes that currently concern the sector and will become real challenges particularly in the future.

    More information: http://www.embedded-world.eu/

    Reply
  32. Tomi Engdahl says:

    From cars to smartphones to the factory floor, security threats are an unavoidable side effect of the connectivity powering the Internet of Things. With pervasiveness comes multiple points of network entry, so OEMs and the enterprise can no longer afford to have security be a post deployment afterthought. Careful design planning and judicious solution selection are becoming increasingly critical at all stages of the device lifecycle.

    Source: http://www.techonline.com/electrical-engineers/education-training/webinars/4405642/Securing-Intelligent-Systems

    Reply
  33. Tomi Engdahl says:

    China is world’s most malware-ridden nation
    http://www.theregister.co.uk/2013/02/07/panda_china_most_infected_pcs/

    Some 55 per cent of Chinese computers are infected with malware, the highest of any country worldwide, according to the latest Annual Security Report from Panda Security.

    It said around one third of the PCs it scanned globally were infected, with Trojans accounting for three-quarters of new threats.

    The Spanish security vendor’s Panda Labs research team reported 27 million new strains of malware in 2012, bringing the total in its database to 125m.

    The stats may lend some credence to the Chinese government’s oft-heard refrain that it is a victim, not a perpetrator, of cyber crime.

    Several major APT-style threats over the years, from Operation Aurora to Night Dragon and Shady RAT, have been pinned pretty conclusively on Chinese perpetrators.

    China certainly recognises the problem of cyber criminality

    Reply
  34. Tomi Engdahl says:

    Microsoft goes after Google with attack on Gmail privacy
    http://news.cnet.com/8301-1023_3-57568101-93/microsoft-goes-after-google-with-attack-on-gmail-privacy/

    Campaign titled “Don’t get scroogled by Gmail” encourages users of Google’s free e-mail service to dump it for Microsoft’s Outlook.com.

    In its national campaign titled “Don’t get scroogled by Gmail,” Microsoft dredges up an old issue with Google’s free e-mail service: Google scans users’ e-mails to determine relevant advertisements to place alongside the messages.

    The anti-Gmail effort is Redmond’s latest salvo at Google.

    Reply
  35. Tomi Engdahl says:

    EU proposes new cybercrime reporting rules
    http://www.bbc.co.uk/news/technology-21366366

    Over 40,000 firms, including energy providers, banks and hospitals could be required to report cyber-break-ins under new rules proposed by the EU.

    It is part of a move to intensify global efforts to fight cybercrime.

    Digital agenda commissioner Neelie Kroes said that Europe needed to improve how it dealt with cybersecurity.

    But firms are concerned that reporting online attacks and security breaches might damage their reputations.

    Reply
  36. Tomi Engdahl says:

    Experts warn on wire-tapping of the cloud
    http://www.bbc.co.uk/news/technology-21263321

    Leading privacy expert Caspar Bowden has warned Europeans using US cloud services that their data could be snooped on.

    In a report, he highlights how the Foreign Intelligence Surveillance Act Amendment Act (FISAAA) allows US authorities to spy on cloud data.

    This includes services such as Amazon Cloud Drive, Apple iCloud and Google Drive.

    He told the BBC this heralded a new era of “cloud surveillance”.

    Reply
  37. Tomi Engdahl says:

    EU’s New Cybersecurity Directive Orders States To Set Up Emergency Response Teams, Better Risk Mgmt For Verticals
    http://techcrunch.com/2013/02/07/eus-new-cybersecurity-directive-orders-states-to-set-up-emergency-response-teams-better-risk-mgmt-for-verticals/

    With hacking and malware on the rise, Europe is cracking down on cybersecurity: today the European Commission, working with the High Representative of the Union for Foreign Affairs and Security Policy, is launching a new cybersecurity strategy along with a proposed directive on how to implement it.

    Among other things, the directive calls for each member state of the EU to set up “CERT”s — Computer Emergency Response Teams — to deal with hacking and malware crises, along with plans for how to deal with major incidents; and it wants also to put more pressure on private companies in different vertical sectors like banking to be more forthcoming in reporting major breaches.

    “Sometimes companies want to avoid [publicity on breaches],” admitted Neelie Kroes, European Commission Vice-President for the Digital Agenda, today. “But you can’t say that it is unique when you have a breach, it is normal, so no reason you should not be mentioning it and learning from it.”

    “The goal is to support Member States to get better at cybersecurity, not dictate the exact methods for achieving this outcome,” a spokesperson noted in an email on the directive.

    Reply
  38. Tomi Engdahl says:

    This news is not so much about information security but more about the reliability of Internet services:

    Strange Facebook bug caused chaos online

    When users tried yesterday to go to large online services, the sites immediately redirected them to a Facebook error page. The strange error knocked people out of, for example, the CNN, Washington Post and NBC websites and countless other services for up to an hour. Facebook admits that it was the cause of the strange situation.

    The case has attracted a lot of attention, because a mistake in Facebook’s systems managed to mess up a large part of the internet.

    Facebook messed up online access

    Facebook says that the problem was due to a failure in the company’s login system. Many web pages have features that connect to Facebook’s service functions. These features are enabled if a user is logged in to Facebook.

    This login problem caused the strange situation. Instead of only the on-site features remaining out of operation, Facebook users were thrown onto an error page.

    Browsing the sites became impossible. The only way to continue using these online services was to log out of the Facebook account.

    The case is a good reminder of the dangers of Internet connection technologies. Web pages often contain many different kinds of connections to other web services. One mistake in this whole can cause major problems.

    Source: http://www.tietokone.fi/uutiset/outo_facebook_virhe_aiheutti_kaaosta_netissa

    Reply
  39. Tomi Engdahl says:

    Adobe issues emergency Flash update for attacks on Windows, Mac users
    Company also issues patches for users of Linux and Android.
    http://arstechnica.com/security/2013/02/adobe-issues-emergency-flash-update-for-attacks-on-windows-mac-users/

    Adobe Systems has released a patch for two Flash player vulnerabilities that are being actively exploited online to surreptitiously install malware, one in attacks that target users of Apple’s Macintosh platform.

    While Flash versions for OS X and Windows are the only ones reported to be under attack, Thursday’s unscheduled release is available for Linux and Android devices as well. Users of all affected operating systems should install the update as soon as possible.

    Adobe’s advisory came the same day the company announced plans to provide new protections designed to make it harder to target Flash contained in Microsoft Office files.

    Reply
  40. Tomi Engdahl says:

    Security updates available for Adobe Flash Player (APSB13-04)
    http://blogs.adobe.com/psirt/2013/02/security-updates-available-for-adobe-flash-player-apsb13-04.html

    Today, a Security Bulletin (APSB13-04) has been posted to address security issues in Adobe Flash Player 11.5.502.146 and earlier versions for Windows and Macintosh.

    Adobe recommends users apply the updates for their product installations.

    Reply
  41. Tomi Engdahl says:

    Viruses, Trojans, and worms, oh my: The basics on malware
    Mobile malware may be trendy, but PC malware is still the big problem.
    http://arstechnica.com/security/2013/02/viruses-trojans-and-worms-oh-my-the-basics-on-malware/

    Some say we’re living in a “post-PC” world, but malware on PCs is still a major problem for home computer users and businesses.

    The examples are everywhere: In November, we reported that malware was used to steal information about one of Japan’s newest rockets and upload it to computers controlled by hackers. Critical systems at two US power plants were recently found infected with malware spread by USB drives. Malware known as “Dexter” stole credit card data from point-of-sale terminals at businesses. And espionage-motivated computer threats are getting more sophisticated and versatile all the time.

    “Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program,”

    Trojans do not replicate themselves, unlike viruses and worms.

    Certain types of attacks combine attributes of viruses, worms, and Trojans into “blended threats” that may spread more effectively and be harder to defend against.

    In addition to viruses, worms, and Trojans, malware can be divided further into sub-categories such as backdoors, remote access Trojans, information stealers, and ransomware.

    Reply
  42. Tomi Engdahl says:

    Securing your website: A tough job, but someone’s got to do it
    Website breaches can be devastating to your business—here’s how to prevent them.
    http://arstechnica.com/security/2013/02/securing-your-website-a-tough-job-but-someones-got-to-do-it/

    Web application security experts have long cautioned such bugs can cost businesses dearly, yet those warnings largely fall on deaf ears. But in the wake of the Heartland breach there was no denying the damage they can cause. In addition to the millions of dollars the SQL injection flaw cost Heartland, the company also paid with its loss of reputation among customers and investors.

    The incident was hardly an anomaly. In the years that followed, a crop of other websites big and small have fallen victim to attacks that exploit SQL injection bugs, cross-site scripting flaws, and a series of other vulnerabilities. These small openings allow attackers to inject malicious code into an end user’s browser or hijack a Web server altogether. Last month, the website for Reporters without Borders was commandeered so attackers could surreptitiously install malware on the computers of visitors. Attackers who exploit website flaws so they can infect their visitors have grown so common they’ve given rise to the term watering hole attacks. The name comes because the hackers are like hunters who camp out at ponds in wait of thirsty prey in need of something to drink.

    What all of this means is that unless you’ve recently had a professional security team audit your website, chances are it’s susceptible to a host of vulnerabilities.

    According to the most recent ranking of the top 10 vulnerabilities by the Open Web Application Security Project, the most common website threats include…

    Reply
  43. Tomi Engdahl says:

    I read about two articles per day that suggests disabling SELinux if I want to install this-or-that. I think it’s a very bad practice. SELinux is good for you. It’s not a coincidence that more and more vendors enable it by default.

    On SELINUX. You should never DISABLE it.

    /etc/selinux/config
    SELINUX=permissive

    Will keep the SELINUX configuration and file permissions in place but it will only chuck out warning messages. If you set SELINUX to disabled then you are killing off your opportunity to enable it in the future.

    Source: http://www.linuxjournal.com/content/introducing-grive?page=0,2

    Reply
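    An added example, not from the comment above or the Linux Journal article it quotes: a small POSIX shell audit that reads a /etc/selinux/config-style file, flags SELINUX=disabled, and rewrites that one line to permissive so labelling and policy stay in place. The file path and sample content are constructed for the demonstration; it never touches the real /etc/selinux/config.

```shell
#!/bin/sh
# Added example: audit a /etc/selinux/config-style file for the
# SELINUX= setting and turn "disabled" into "permissive" instead.
# Not from the comment or the Linux Journal article; the sample
# file below is constructed for the demonstration.

# Print the effective SELINUX value (last uncommented assignment wins,
# matching how the real file is read); print "unset" if none is found.
selinux_mode_of() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'unset\n'; fi
}

# Exit status encodes the finding: 0 enforcing, 1 permissive (warnings only),
# 2 disabled (labels stop being maintained, so re-enabling later is painful),
# 3 unknown or missing.
selinux_audit() {
    case "$(selinux_mode_of "$1")" in
        enforcing)  return 0 ;;
        permissive) return 1 ;;
        disabled)   return 2 ;;
        *)          return 3 ;;
    esac
}

# Replace SELINUX=disabled with SELINUX=permissive, keeping every other line.
# Written through a temp file so any POSIX sed works (no GNU -i needed).
selinux_undisable() {
    sed 's/^[[:space:]]*SELINUX=[[:space:]]*disabled[[:space:]]*$/SELINUX=permissive/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Demonstration on a constructed config file.
demo_selinux_audit() {
    f=$(mktemp)
    printf '# constructed sample config\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$f"
    before=$(selinux_mode_of "$f")
    selinux_undisable "$f"
    after=$(selinux_mode_of "$f")
    rm -f "$f"
    printf 'before=%s after=%s\n' "$before" "$after"   # before=disabled after=permissive
}

demo_selinux_audit
```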
  44. Tomi says:

    Security Firm Bit9 Hacked, Used to Spread Malware
    http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/

    Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software.

    Bit9 is a leading provider of “application whitelisting” services, a security technology that turns the traditional approach to fighting malware on its head.

    Bit9 specializes in helping companies develop custom lists of software that they want to allow employees to run, and to treat all other applications as potentially unknown and dangerous.

    According to the source, Bit9 said they’d received reports that some customers had discovered malware inside of their own Bit9-protected networks, malware that was digitally signed by Bit9’s own encryption keys.

    “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network,”

    The potential impact of this breach — both within Bit9 customer networks and on the company’s future — is quite broad. According to a recent press release, Bit9’s global customers come from a wide variety of industries, including e-commerce, financial services, government, healthcare, retail, technology and utilities.

    “One of the things I’ve stressed to security companies I’ve done work for is that everything they do is based on trust in their brand and product, and that getting hacked is a fundamental attack on that trust structure,” Spafford said. “That’s an object lesson, but it may also say something if they aren’t eating their own dog food, so to speak.”

    Reply
  45. Tomi says:

    House panel to reintroduce controversial cyber bill, setting up White House fight

    The bill that Rogers and Ruppersberger plan to introduce next week will be identical to the version of CISPA that passed the House last spring.

    The White House issued a veto threat against CISPA before it was taken up on the House floor last year

    Last year CISPA enjoyed support from a range of industry groups and companies, including Facebook, AT&T and Oracle. But civil-liberties groups and privacy advocates rallied hard against CISPA last year, arguing that the measure lacked sufficient privacy protections and would increase the pool of people’s electronic communications flowing to the military and secretive National Security Agency.

    Read more: http://thehill.com/blogs/hillicon-valley/technology/281963-house-intelligence-committee-leaders-to-re-introduce-cispa-next-week-#ixzz2KRVhmw1A

    Reply
  46. Tomi says:

    The Need for Privileged Identity Management
    http://www.centrify.com/blogs/tomkemp/privileged_identity_management.asp?ls=304-001-TechMemeSaaSBlog

    The recent revelation that Barracuda Networks had numerous privileged “backdoor” user accounts with weak passwords once again draws attention to not only the need to have strong passwords but also the need for privileged identity management.

    We are all familiar with the concept of weak passwords, but what is privileged identity management? It has to do with the fact that most mission-critical systems, applications, databases and network gear (such as Barracuda’s appliances) have an administrative username and password (i.e. a privileged account) to enable installation, configuration, administration and management of those platforms. And it turns out that most large IT organizations have hundreds of people that need to administer Windows or UNIX systems (“the sys admins”), their databases (“the DBAs”), their networks (“the network admins”) as well as multiple personnel who either develop applications (“the developers”) and/or administer applications (“the app admins”).

    These are in effect the “superusers” in one’s IT organization. And it means that the more privileged users an organization has, the more people that have “keys” (i.e. administrative access) to these “kingdoms” (i.e. systems and applications) and the valuable information that reside behind the kingdom doors. The point is that it is not the average end user who can cause a major insider breach, as their accounts tend to have limited access to critical data; it is the “superuser” who has the keys to the proverbial kingdom who can potentially do the real damage.

    So where is an IT organization to start? From my perspective the first step is to avoid handing out shared privileged accounts and instead get IT staff to use personal accounts, i.e. have IT users always login as themselves vs. share the “root” account. This can lead to better accountability and traceability of actions. And the more an IT organization can consolidate identities into an authoritative identity store the better, making it even easier to de-provision the accounts of a terminated employee or contractor.

    The next step is to implement the concept of “least privilege,” i.e. put into place the ability to limit what privileged users can access (i.e. reduce the number of keys) and once they have been securely given a key (i.e. access to a system), grant in a granular manner the privileges required for them to perform their duties.

    Finally, IT organizations need to consider adding software that can monitor all activity taken by privileged users.

    Reply
  47. Tomi Engdahl says:

    How To Sneak Into the Super Bowl With Social Engineering
    http://it.slashdot.org/story/13/02/11/0720248/how-to-sneak-into-the-super-bowl-with-social-engineering

    How many hundreds of millions did Homeland spend to “secure” the super bowl again? Of all the things they’ve been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show… not unlike the one they’re “protecting”.

    Reply
  48. Tomi Engdahl says:

    Threat report reveals pre-teen children developing malicious code
    http://blogs.avg.com/news-threats/kids-writing-trojans-show-computer-skills-friends/

    Would you honestly consider that your 11-year-old could be writing malware? I doubt it. Most parents know that our kids could be up to no good on the odd occasion, but would writing malware ever cross our minds?

    Perhaps it should. AVG’s Virus Labs team has discovered evidence that kids as young as 11 years old are writing malicious code, often for pranks and what would once have been known as youthful “high-jinks”.

    But these “high-jinks” can have a more serious side.

    Mostly kids writing malware are doing it to show off to their peers, by demonstrating “hacking” ability. It could be stealing someone’s game logins. This might seem trivial at first, but online gaming accounts are often connected to credit card details to enable in-game purchases, and these may also have virtual currency accounts amounting to hundreds of dollars.

    Should we be surprised that young children are writing malware? Probably not. Kids are getting far more sophisticated in their technical development, particularly as most schools and homes now have PCs with internet connections. AVG’s Digital Diaries studies have pointed to kids of all ages becoming technically savvy at ages earlier than we expected, but while writing malware is surprising, technically the code, while harmful, is not that sophisticated.

    Reply
