The year 2013 will be the year of cyber security. CNN expects more cyber wars this year. Cybercrime is on the rise, and last year we saw more and more computer virus attacks. Security company Kaspersky Lab warns of more new cyber-threats against enterprises and mobile devices. Cyber security also extends to mobile.
Security is becoming an increasingly important issue. The year 2013 is the year of cyber security. Security company Stonesoft predicts we will face more targeted cyber-attacks, cyber espionage and hacktivism. Cyber security is the fastest growing trend in information security and its importance will increase in the future. According to Stonesoft the current security systems are unable to provide adequate protection against targeted attacks: we require proactive cyber protection and a willingness to face unknown threats.
Hacktivism will continue. According to the article Anonymous: ‘Expect us 2013’, the hacking group boasted of its cyberattacks against the U.S., Syrian, and Israeli governments in 2012. They are also warning people to expect more of this type of activity.
SCADA security was hit hard in 2012. Some of the big manufacturers that were hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers doing their security testing? Metasploit has a special category for SCADA devices. It is a good idea to test your devices against it.
There is still work to do on cyber security standards and SCADA standards. For example, in the very widely used automation safety standard IEC 61508 security is addressed only in an informative way (not mandatory). IEC 62443-2-4: A Baseline Security Standard for Industrial Automation Control Systems is a good starting point when thinking about SCADA system security.
Nowadays you need to think about SCADA system security more than some years ago. Previously, it was thought to be sufficient to isolate the factory process automation system from the office networks and the Internet. This is no longer enough. Nowadays you need to think about the information security of production automation systems. You can’t keep the automation systems isolated from the Internet. Accidental connections to the Internet from isolated networks happen. Malware can spread through USB memory sticks (Stuxnet did that). And nowadays there are more and more business reasons to connect process automation systems to other networks. So automation systems no longer live in complete isolation from the rest of the world.
Systems with SCADA vulnerabilities have become easier to find. The article Hackers tap SCADA vuln search engine tells that a search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. The search engine Shodan easily pinpoints shoddy industrial controls. Shodan makes it easy to locate internet-facing SCADA (supervisory control and data acquisition) systems used to control equipment at gasoline refineries, power plants and other industrial facilities. The search engine can also be used to identify systems with known vulnerabilities. Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still be factory defaults.
The article Thousands of SCADA Devices Discovered On the Open Internet tells that there is a constant stream of news about the continuing poor state of security for industrial control systems. The pair of researchers found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums. Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget.
Researchers have also found crippling flaws in GPS receivers. The Global Positioning System infrastructure is critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones. GPS is also used to provide accurate clocks in SCADA systems and smart grid devices. Researchers showed that they could permanently de-synchronise the date of Phasor Measurement Units used in the smart grid and cause a UNIX epoch rollover in a few minutes. The overall landscape of GPS vulnerabilities is startling.
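The epoch rollover mentioned above is easiest to understand with numbers. The following is an added example (not code from the article or from the researchers it cites): it converts a GPS week number and time-of-week into a Unix timestamp, shows what happens when a bad week number pushes that value past the 32-bit signed limit, and applies the kind of plausibility check a time consumer such as a PMU or a SCADA historian can use before accepting a new time. The function names and the demo values are assumptions; the GPS epoch, the week length, and the 32-bit wrap are standard facts.

```javascript
// Added example (not from the article): how a bad GPS-derived time can wrap a
// 32-bit Unix timestamp, and a plausibility check a time consumer can apply.
const GPS_EPOCH_UNIX = 315964800; // 1980-01-06T00:00:00Z, start of GPS time
const SECONDS_PER_WEEK = 604800;
const INT32_MAX = 2147483647;

// Convert a GPS week number and time-of-week (seconds) to a Unix timestamp.
// GPS time runs ahead of UTC by the leap seconds inserted since 1980; the
// caller supplies that count (16 was the value in effect in early 2013).
function gpsToUnix(week, tow, leapSeconds) {
  return GPS_EPOCH_UNIX + week * SECONDS_PER_WEEK + tow - leapSeconds;
}

// Emulate storing the timestamp in a signed 32-bit time_t: values past
// 2^31-1 wrap to negative, i.e. a date back in 1901. This is the "epoch
// rollover" failure mode for devices that keep time in a 32-bit signed int.
function toInt32(unixTime) {
  return unixTime | 0;
}

// Plausibility gate for a newly received timestamp: the device knows the last
// accepted time and how many seconds its own oscillator says have elapsed, so
// the new value must land close to that prediction and must fit the storage
// type. Anything else is logged and rejected instead of being applied.
function checkTimestamp(prevUnix, candidateUnix, elapsedSec, maxSlewSec) {
  if (candidateUnix > INT32_MAX || candidateUnix < 0) {
    return { ok: false, reason: 'outside 32-bit range' };
  }
  const expected = prevUnix + elapsedSec;
  const drift = Math.abs(candidateUnix - expected);
  if (drift > maxSlewSec) {
    return { ok: false, reason: `jump of ${drift}s exceeds ${maxSlewSec}s` };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed demo values: a sane fix in March 2013 (GPS week 1730 starts on
// Sunday 2013-03-03) and a bogus week number far enough ahead to overflow.
const SANE = gpsToUnix(1730, 0, 16);  // 1362268784 = 2013-03-02T23:59:44Z
const BOGUS = gpsToUnix(3030, 0, 16); // 2148508784, beyond INT32_MAX

console.log('sane fix as int32 :', toInt32(SANE));
console.log('bogus fix as int32:', toInt32(BOGUS)); // negative: wrapped
console.log('normal tick       :', checkTimestamp(SANE, SANE + 10, 10, 2));
console.log('bogus fix         :', checkTimestamp(SANE, BOGUS, 10, 2));
```

The check is deliberately simple: it does not decide whether the GPS signal is genuine, it only refuses to let a single implausible fix rewrite the device clock, which is the step that turns a receiver problem into a permanent loss of synchronisation.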
The article Happy now? Mobiles, cloud, big data now ‘a growing security risk’ tells that innovations in mobile and cloud computing, social technology and the use of “big data” present an emerging risk to organisations’ IT security, experts have warned. The European Network and Information Security Agency (ENISA), which is an EU advisory body, said that those technologies would increasingly provide the platform for “most of the innovation expected in the area of IT” and warned that their emergence would bring an associated increased cyber threat. ENISA warned that the threat stemming from mobile computing comes from the fact that mobile communications take place over “poorly secured … or unsecured channels”. The most significant threat stems from hackers inserting malicious software into web browsers and other software available on mobile devices. Cyber criminals could also use the capabilities of cloud computing for their own gains, such as by storing malware in those systems and using the technology as a platform to launch attacks.
Drive-by download attacks against web browsers have become the top web threat. More specifically, attackers are moving to targeting browser plugins such as Java (Java exploits are the major cross-platform threat), Adobe Reader and Adobe Flash. The drive-by download attacks are almost exclusively launched through compromised legitimate websites, which attackers use to host malicious links and the actual malicious code. Exploits are sold for considerable amounts of money and are quickly included in exploit kits.
The article Africa’s Coming Cyber-Crime Epidemic tells that the last decade may have just been the first step in a looming African cyber-crime wave. Africa has the world’s fastest-growing middle class, whose members are increasingly tech-savvy and Internet connected, and combined with lax law enforcement this is a perfect petri dish for increased cybercrime.
A Europe-wide cyber police force has started. The EU’s new European Cybercrime Centre (EC3) was opened just a few days ago. The facility will act as the “focal point” in the EU’s fight against cybercrime, against both businesses and private citizens. EC3 will act as a hub where crime-fighters can pool expertise and information, support criminal investigations and help develop and spread best practice. It will work with industry to develop threat assessments. It will work closely with the FBI and the US Secret Service, in addition to other foreign agencies.
1,930 Comments
Tomi Engdahl says:
Microsoft preps UPDATE ALL THE THINGS security patch batch
Latest turn of the Hamster Wheel of Pain
http://www.theregister.co.uk/2013/03/08/ms_patch_tuesday_pre_alert/
Microsoft plans to issue seven security bulletins for its products next week – four critical and three important – in the March edition of its regular Patch Tuesday software update cycle.
The most troublesome of the critical vulnerabilities carries a remote code execution risk and affects every version of Windows – from XP SP3 up to Windows 8 and Windows RT as well as all versions of Internet Explorer.
A second critical update addresses critical vulnerabilities in Microsoft Silverlight both on Windows and Mac OS X.
Third on the critical list is a vulnerability in Visio and the Microsoft Office Filter Pack.
Tomi Engdahl says:
Airport X-ray machine teardown
http://hackaday.com/2013/03/09/airport-x-ray-machine-teardown/
Tomi Engdahl says:
Meet the men who spy on women through their webcams
http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/
The Remote Administration Tool is the revolver of the Internet’s Wild West.
“See! That shit keeps popping up on my fucking computer!” says a blond woman as she leans back on a couch, bottle-feeding a baby on her lap.
The woman is visible from thousands of miles away on a hacker’s computer. The hacker has infected her machine with a remote administration tool (RAT) that gives him access to the woman’s screen, to her webcam, to her files, to her microphone.
RAT operators have nearly complete control over the computers they infect; they can (and do) browse people’s private pictures in search of erotic images to share with each other online.
Women who have this done to them, especially when the spying escalates into blackmail, report feeling paranoia.
How it’s done
RAT tools aren’t new; the hacker group Cult of the Dead Cow famously released an early one called BackOrifice at the Defcon hacker convention in 1998. The lead author, who went by the alias Sir Dystic, called BackOrifice a tool designed for “remote tech support aid and employee monitoring and administering [of a Windows network].” But the Cult of the Dead Cow press release made clear that BackOrifice was meant to expose “Microsoft’s Swiss cheese approach to security.”
Today, a cottage industry exists to build sophisticated RAT tools with names like DarkComet and BlackShades and to install and administer them on dozens or even hundreds of remote computers.
Today, serious ratters seek software that is currently “FUD”—fully undetectable.
Building an army of slaves isn’t particularly complicated; ratters simply need to trick their targets into running a file. This is commonly done by seeding file-sharing networks with infected files
One of the biggest problems ratters face is the increasing prevalence of webcam lights that indicate when the camera is in use.
To combat detection, the RAT controllers have devised various workarounds. One involves compiling lists of laptop models which don’t have webcam lights
I fought the law
RATs can be entirely legitimate. Security companies have used them to help find and retrieve stolen laptops, for instance, and no one objects to similar remote login software such as LogMeIn. The developers behind RAT software generally describe their products as nothing more than tools which can be used for good and ill.
RATs aren’t going away, despite the occasional intervention of the authorities. Too many exist, plenty of them are entirely legal, and source code is in the wild
If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, “Can I get some slaves for my rat please?”
Tomi Engdahl says:
Apple finally turns HTTPS on for the App Store, fixing a lot of vulnerabilities
http://elie.im/blog/web/apple-finally-turns-https-on-for-the-app-store-fixing-a-lot-of-vulnerabilities/#.UT3OSFdsUin
In early July 2012, I reported to Apple numerous vulnerabilities related to their App Store iOS app. Last week Apple finally issued a fix for it and turned on HTTPS for the App Store. I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users. This post discusses the vulnerabilities I found. As a bonus, I made several video demos of the attacks described in this post so you can see for yourself how dangerous not having full HTTPS is.
Tomi Engdahl says:
Europol takes down €70,000 cyber gang in co-ordinated sting
http://www.v3.co.uk/v3-uk/news/2253543/europol-takes-down-eur70-000-cyber-gang-in-coordinated-sting?WT.tsrc=Email&WT.mc_id=1194&utm_source=Newsletters&utm_medium=Email&utm_campaign=V3_Daily_Breaking_Technology_News
Europol has taken down an Asian criminal network believed to have stolen roughly 15,000 credit card numbers.
The takedown was part of a co-ordinated operation involving Europol, the European Cybercrime Centre (EC3) and local Finnish law enforcement.
“Finnish law enforcement authorities, working closely with the European Cybercrime Centre (EC3) at Europol, have dismantled an Asian criminal network responsible for illegal internet transactions and purchasing of airline tickets,” Europol said.
The gang had reportedly made over €70,000 in Europe by making illegal internet transactions with stolen credit cards
International network of on-line card fraudsters dismantled
https://www.europol.europa.eu/content/international-network-line-card-fraudsters-dismantled
Finnish law enforcement authorities, working closely with the European Cybercrime Centre (EC3) at Europol, have dismantled an Asian criminal network responsible for illegal internet transactions and purchasing of airline tickets.
The criminal network had been misusing credit card details stolen from cardholders worldwide. In Europe alone, over 70 000 euros in losses were sustained by cardholders and banks.
”In this case, the commitment of the Finnish Border Guard and National Police, coupled with the close international cooperation facilitated by Europol’s EC3, has been crucial for investigating this sophisticated scam.”
The European Cybercrime Centre has been established to support EU Member States in combating all forms of cyber and online crime. As part of this, EC3 and Visa Europe recently initiated international cooperation between law enforcement agencies and industry, to specifically reduce the level of fraud caused by illegal internet transactions.
According to Europol’s recent Situation Report, losses caused by payment fraud in Europe are estimated to cost 1.5 billion euros a year.
Tomi says:
Android Malware, believe the hype.
…or “Just how much Android malware is there anyway?”
http://countermeasures.trendmicro.eu/android-malware-believe-the-hype/
The security industry has an embarrassing problem. For several years it became a matter of course for the big names in security to warn annually that ‘next year’ was to be the year of mobile malware. “Look out“, we said, “mobile malware, it’s coming…“; but it never did. It remained elusively over the threat horizon.
In reality, every year since Cabir in 2004 we have seen appearances and developments in mobile malware (originally for Symbian, J2ME and Windows CE) but it simply never reached critical mass or moved beyond the mischievous.
Now that the problem is well and truly here
We have thus far analysed more than 2 million apps
293,091 Apps classified as outright malicious and a further 150,203 classified as high risk.
Of those 293,091 malicious apps, 68,740 were sourced directly from Google Play.
22% of apps were found to inappropriately leak user data, over the network, SMS or telephone.
Tomi Engdahl says:
Electric Grid’s Future: Increased Risk of Attack
http://alum.mit.edu/pages/sliceofmit/2011/12/14/electric-grid%E2%80%99s-future-increased-risk-of-attack/
Despite growing smarter, the U.S. electric grid is expected to become more vulnerable and a prime target for a cyber attacks, according to a new report from the MIT Energy Initiative. The report, “The Future of the Electric Grid,” was published on Dec. 5 and cites weaknesses in oversight, processes, new communication devices, and the grid’s existing physical environment.
From The Future of the Electric Grid:
“This lack of a single operational entity with responsibility for grid cyber-security preparedness as well as response and recovery creates a security vulnerability in a highly interconnected electric power system comprising generation, transmission, and distribution.”
“Perfect protection from cyber-attacks is not possible. It is thus important for the involved government agencies, working with the private sector in a coordinated fashion, to support the research necessary to develop best practices for response to and recovery from cyber-attacks on transmission and distribution systems, so that such practices can be widely deployed.”
Tomi Engdahl says:
Remote reading of electricity meter data security and privacy problems
Foreign studies have shown that remotely read electric meters and smart grids can cause security and privacy-related problems.
A hacker could black out an entire city, and a single meter in the network can be identified, says the researcher.
- Data security in meter reading is almost non-existent, Ahonen says.
According to Ahonen, with very little effort a hacker attack could render tens of thousands or even millions of electric meters inoperative.
Meter reading problems also include privacy protection. According to Ahonen, in the U.S. consumption data has already been leaked to companies outside the electricity sector, including commercial operators.
In Finland, according to the organisation representing the energy industry, the Finnish security provisions however differ clearly from those in the United States. Electricity meter data may be used only by the electricity company, the seller and the customer, and may not be disclosed to external operators.
Source: http://yle.fi/uutiset/etaluettavissa_sahkomittareissa_tietoturva-_ja_yksityisyysongelmia/6525339
Tomi Engdahl says:
CISPA: Who’s For It And Who’s Against It
http://readwrite.com/2013/03/11/cispa-supporters-opponents-and-you
What if all of your online communication could be monitored and shared without a warrant? That’s what’s at stake if the latest version of CISPA, the controversial Cyber Intelligence Sharing and Protection Act, is approved by Congress.
After CISPA was shot down in 2012, a revised bill has been introduced that would let private companies and the government monitor Americans under the auspices of sharing intelligence about cyber threats. The intentions behind the bill may be noble, but the bill’s language is packed with privacy problems and vague notions that give the government big loopholes through which to watch what people say and do online.
Tomi Engdahl says:
In Wake of Cyberattacks, China Seeks New Rules
http://www.nytimes.com/2013/03/11/world/asia/china-calls-for-global-hacking-rules.html?pagewanted=all&_r=0
SHANGHAI — China has issued a new call for international “rules and cooperation” on Internet espionage issues, while insisting that accusations of Chinese government involvement in recent hacking attacks were part of an international smear campaign.
“Anyone who tries to fabricate or piece together a sensational story to serve a political motive will not be able to blacken the name of others nor whitewash themselves,” he said.
Tomi Engdahl says:
Pirate Bay ‘Advert’ Appears on Hacked Billboard
http://torrentfreak.com/pirate-bay-advert-appears-on-hacked-billboard-130310/?utm_source=dlvr.it&utm_medium=twitter
A group of hackers have managed to gain access to a prominently placed advertising billboard located in the crowded Republic Square in the center of Belgrade, Serbia. For a while the billboard displayed the Pirate Bay logo alongside Gandhi’s quote “first they ignore you, then they laugh at you, then they fight you, then you win.” The people responsible for the stunt claim the hack was done to demonstrate how little attention people pay to IT security.
Dressed in an appropriate “Keep Calm and Seed” shirt, one of the guys used his smartphone to play a game of Space Invaders on the meters-wide screen with a fellow student. After that, they displayed several other messages on the billboard including a “hacking4fun” banner.
Initially the Serbian media attributed the hack to “Anonymous” but the students explain to TorrentFreak that they are in no way affiliated with any known hacker groups.
“In a world where information is freely available, it is easy to learn just about anything, including “how to hack.” We therefore feel that awareness needs to be raised about this general disregard for computer security,” he adds.
The article has a video describing what happened.
Tomi says:
F-Secure gave up the feature: “Windows Firewall is good”
F-Secure Internet Security 2013 consumer security software no longer includes its own full firewall.
F-Secure has moved to a model in which primarily Windows’ own firewall protects the user’s computer. F-Secure’s software complements it to some extent.
If you turn off the Windows firewall yourself, the operating system’s Security Center warns, however, that the computer is no longer protected.
F-Secure spokesman Johan Jarl justifies the change in Computer Sweden by the fact that the company has chosen to make things easier for its customers.
“Windows Firewall is good,” says Jarl, and highlights that F-Secure also complements it with its own product’s functionality.
The change applies only to F-Secure’s consumer products.
F-Secure’s own firewall software is still there in its products for companies.
Both Kaspersky Labs and McAfee say that their products still switch off the Windows Firewall and protect your computer with their own firewall.
Source: http://www.tietoviikko.fi/kaikki_uutiset/fsecure+luopui+ominaisuudesta+quotwindowsin+palomuuri+on+hyvaquot/a886104?s=r&wtm=tietoviikko/-12032013&
Tomi says:
The Enemies of Internet
Special Edition : Surveillance
Era of the digital mercenaries
http://surveillance.rsf.org/en/
Online surveillance is a growing danger for journalists, bloggers, citizen-journalists and human rights defenders. The Spyfiles that WikiLeaks released in 2012 showed the extent of the surveillance market, its worth (more than 5 billion dollars) and the sophistication of its products.
Tomi Engdahl says:
Denial-of-service attack takes down JP Morgan Chase sites
http://news.cnet.com/8301-1009_3-57573955-83/denial-of-service-attack-takes-down-jp-morgan-chase-sites/
The Web sites for banking giant JP Morgan Chase are offline this afternoon as the result of a distributed-denial-of-service attack, a representative told CNET.
Hackers have ratcheted up their assaults on financial institutions in recent months, using DDoS attacks to take down Wells Fargo, Bank of America, Chase, Citigroup, HSBC, and others.
In its December report, security company McAfee said that attacks on U.S. financial institutions are only going to increase in 2013. The firm said that this isn’t just a possibility; it’s a “credible threat.” Anonymous has also promised to increase its activity in 2013.
Tomi Engdahl says:
Top Credit Agencies Say Hackers Stole Celebrity Reports
http://www.bloomberg.com/news/2013-03-12/equifax-transunion-say-hackers-stole-celebrity-reports.html
Experian Plc (EXPN), Equifax Inc. (EFX) and TransUnion Corp. (TRUN), the three biggest U.S. credit-reporting companies, said they uncovered cases where hackers gained illegal, unauthorized access to users’ information.
Credit reports, purportedly on famous people ranging from Michelle Obama to Paris Hilton, were posted online.
The vulnerability of credit-reporting companies, custodians of sensitive personal data from credit card balances to mortgage debts, is gaining greater exposure.
The documents posted online come mostly from Equifax, Experian and TransUnion.
Equifax said credit reports on four celebrities were compromised through its service.
Tomi Engdahl says:
Google rolls out initiative to help hacked sites
http://news.cnet.com/8301-1023_3-57573986-93/google-rolls-out-initiative-to-help-hacked-sites/?part=rss&subj=news&tag=title
With its new informational series, the Web giant aims to answer questions about why a site was hacked, what malware may have been used, and how to wipe the site clean of bugs.
Google launches “Help for Hacked Sites” informational series with articles and videos.
It’s not pretty when a Web site gets a “this site may be compromised” or “this site may harm your computer” status note. Many webmasters and Web site owners can be at a loss of what to do in these situations.
For this reason, Google has launched “Help for Hacked Sites” informational series, which has a dozen articles and videos aimed to help people avoid having their sites hacked and also teach them how to gain back control of compromised sites.
“Every day, cybercriminals compromise thousands of websites. Hacks are often invisible to users, yet remain harmful to anyone viewing the page — including the site owner,”
Tomi Engdahl says:
China wants to cooperate with the US in cyber security
Claims it had nothing to do with hacking US companies
http://www.theinquirer.net/inquirer/news/2254245/china-wants-to-cooperate-with-the-us-in-cyber-security
THE GLORIOUS People’s Republic of China has said it is willing to cooperate with the US in cyber security after the Obama administration called on the country to take “serious steps” to stop such attacks, which could jeopardise trade between the two countries.
“Cyberspace needs rules and cooperation, not wars,” Hua said. “China is willing to have constructive dialogue and cooperation with the global community, including the United States.”
Last month, US security firm Mandiant accused a Chinese military unit of attacking more than 140 mostly American companies.
Mandiant’s report claimed that an advanced persistent threat group called APT1 is in fact a secretive branch of China’s People’s Liberation Army (PLA), codenamed Unit 61398.
Tomi Engdahl says:
Retailer Sues Visa Over $13 Million ‘Fine’ for Being Hacked
http://www.wired.com/threatlevel/2013/03/genesco-sues-visa/
A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa.
The suit takes on the payment card industry’s powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen. It accuses Visa of levying legally unenforceable penalties that masquerade as fines and unsupported damages and also accuses Visa of breaching its own contracts with the banks, failing to follow its own rules and procedures for levying penalties and engaging in unfair business practices under California law, where Visa is based.
It’s the first known case to challenge card companies over the self-regulated PCI security standards — a system that requires businesses accepting credit and debit card payments to implement a series of technological steps to secure card data. The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.
Tomi Engdahl says:
Fearmongers miss the point on mobile security
http://www.citeworld.com/security/21569/fearmongers-miss-point-mobile-security
You see, everyone likes to trumpet the claim that mobile is insecure. Now that people are using their smartphones for work, enterprises are in trouble. The apps that people are using are going to let out all of the confidential data that everyone has been storing for decades.
The dirty secret that nobody wants you to find out is that mobile has nothing to do with it.
Mobile is just an amplification of all the insecure practices you and your company have been using for decades.
We have loads of technical debt built up in our legacy apps that drive our organizations and enterprises. We spend so much time focusing on the endpoint that we never take the time to look at the data as it resides at the start point. We should be taking care of our data through its whole lifecycle because you never really know where it’s going to end up or how it’s going to get there.
Let’s start with the basics like encrypting our data while it sits in the data center. Let’s build identification and authentication frameworks on which we can then base access to that data. Let’s develop a system of encryption keys that are based upon identity and can be handed off to apps and devices as needed.
I know — it sounds really difficult. It sounds expensive, too. There wasn’t enough bandwidth, or people couldn’t afford the CPUs needed to do things like encryption. But in this day and age, where everyone is using virtualization and can spin up a new instance in seconds, can we really say we can’t do what’s necessary?
There’s no doubt I’m oversimplifying things, but if you aren’t willing to look at the basics, how can you really sit here and worry about whether the device you are using is FIPS-certified or whether it uses 128-bit or 256-bit AES encryption when you just emailed that data to your Gmail account?
Tomi Engdahl says:
Aggressive Mobility Plans Bring Risks, But the Rewards Are High
http://www.cio.com/article/729902/Aggressive_Mobility_Plans_Bring_Risks_But_the_Rewards_Are_High?page=2&taxonomyId=600003
Companies that are aggressively adopting mobility are experiencing far more incidents than their more cautious counterparts, but they are also reaping far greater rewards thanks to mobile, according to a new study.
Innovators Pay Higher Costs, Reap Greater Rewards
Perhaps unsurprisingly, the innovators are paying a price for their proactive adoption of mobile technologies. Innovators averaged twice as many mobile incidents in 2012—including lost devices and data breaches that led to regulatory fines and lost revenue. Traditionals had a median of 12 mobility incidents in 2012, compared with a median of 25 incidents among innovators. But on the flip side, innovators reported far more benefits from their adoption of mobility, including:
Increased productivity, speed and agility
Improvements in brand value, customer happiness and overall competitiveness
Happier employees and improved recruiting and retention rates
Innovators are also experiencing nearly 50 percent higher revenue growth than traditionals (44 percent vs. 30 percent). As a result, 64 percent of innovators say the benefits of mobility outweigh the risks, while 74 percent of traditionals feel the risks outweigh the benefits.
“Everyone seems to be getting benefits from going mobile,” Duckering says. “We’re really talking about degrees. More aggressive adoption of mobile seems to be resulting in more aggressive results.”
Tomi Engdahl says:
Black Tuesday patchfest: A lot of digits plug security dykes
Adobe joins Redmond in game of vuln Twister
http://www.theregister.co.uk/2013/03/13/march_black_tuesday_update/
Microsoft carried out a fairly comprehensive spring cleaning of vulnerabilities on Tuesday, fixing 20 vulnerabilities with seven bulletins, four of which are rated critical.
Heading the critical list is an update for Internet Explorer (MS13-021) that tackles nine vulnerabilities, including a zero-day vulnerability in IE 8.
“This bulletin alone composes almost half of the vulnerabilities addressed this month,” said Marc Maiffret, CTO at BeyondTrust. “Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers.”
“It does not appear that the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month,” he says.
Both Mozilla and Google pushed browser updates within hours of their browser software getting turned over during Pwn2Own.
Tuesday also marked the release by Adobe of a new version of Flash player, which addresses four critical vulnerabilities.
“Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible,” notes Wolfgang Kandek, CTO of Qualys in a blog post. He also offers commentary on the Microsoft updates.
Internet Explorer 10 on Windows 8 enables Flash content to be handled by default, following recent changes by Microsoft, a change that reflects wider changes on the web as much as anything.
Tomi Engdahl says:
Tapping: It’s not just for phones anymore
http://www.cablinginstall.com/articles/print/volume-21/issue-3/features/tapping-its-not-just-for-phones-anymore.html?cmpid=$trackid
Integrated tapping technology allows administrators to monitor data center traffic without disrupting the production environment.
Tomi Engdahl says:
China’s hollow cyberespionage argument
R Colin Johnson
China and the U.S. both engage in cyper-espionage on military targets, but so far only China has been accused of also hacking private companies.
More: http://www.eetimes.com/electronics-blogs/other/4408383/China-s-hollow-cyberespionage-argument?Ecosystem=communications-design
Tomi Engdahl says:
File sharing and storage services such as Apple’s iCloud and Evernote have been caught up in discoveries of data theft and leaks.
Can cloud security no longer be trusted? Security expert Ari-Matti Husa of FICORA’s CERT-FI unit answers.
The drawback of a cloud service is that availability and security are not in our own hands. The risk assessment requires trusting either one’s own or someone else’s security expertise.
Is the security of cloud computing data centers enough?
Most likely, it is better than many home users and businesses.
Can I reduce the security risks for yourself?
The security level can be improved by sending only encrypted files into the cloud. That reduces the risk of information leaks.
The cases should be seen in light of the fact that local environments also suffer more and more serious data leaks. They just do not become public in the same way.
Data leaks can never be completely prevented.
Consumer services do not have the same level of security as services designed for corporate users.
Source: http://www.3t.fi/artikkeli/uutiset/teknologia/voiko_pilvipalveluiden_tietoturvaan_luottaa
Tomi Engdahl says:
Our Security Models Will Never Work — No Matter What We Do
Bruce Schneier
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technology-too-how-do-we-survive/
A core, not side, effect of technology is its ability to magnify power and multiply force — for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems.
The problem is that it’s not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They’re more nimble and adaptable than defensive institutions like police forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side — it’s easier to destroy something than it is to prevent, defend against, or recover from that destruction.
For the most part, though, society still wins. The bad guys simply can’t do enough damage to destroy the underlying social system. The question for us is: can society still maintain security as technology becomes more advanced?
I don’t think it can.
Because the damage attackers can cause becomes greater as technology becomes more powerful.
As the destructive power of individual actors and fringe groups increases, so do the calls for — and society’s acceptance of — increased security.
Tomi Engdahl says:
Cybercrime: Mobile Changes Everything — And No One’s Safe
http://www.wired.com/opinion/2012/10/from-spyware-to-mobile-malware/
We can’t think of a smartphone as just a computer that fits in one’s pocket, because then we assume that approaches for addressing traditional malware can simply be applied to mobile malware. This is a common misconception: Even major anti-virus companies suffer from it, as evidenced by their product offerings.
Because mobile phones aren’t just small computers when it comes to defending against malware: They’re small computers with small batteries, and important updates on them can take weeks. These seemingly minor differences are exactly what makes mobile malware more difficult to address than malware on computers.
The anti-virus system compares each piece of software on a device with the list of signatures to identify unwanted software.
Unfortunately, malware writers check if their code matches any such signatures by running popular anti-virus software, continually making modifications until their code is no longer detected, and only then releasing it.
Smartphones can’t monitor everything going on as computers can, because that requires a lot of computational resources … which devours battery life.
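The signature-comparison process described in the comment above, as an added example that is not from the Wired article: a minimal scanner with two kinds of signature, an exact file hash and a looser byte-pattern match, run against a harmless constructed sample and a one-byte variant of it. The sample bytes, signature names and pattern are all constructed for illustration.

```python
"""Added example (not from the original article): why exact-hash signatures
miss trivially modified samples while a looser byte-pattern signature still
catches them. All samples are harmless constructed byte strings."""
import hashlib
import re

# Constructed "known bad" sample: plain bytes standing in for a binary.
KNOWN_BAD = b"MZ\x90\x00FAKE-DROPPER v1\x00connect(evil.example.invalid)\x00"

# Basic signature database: exact SHA-256 of the known sample.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Fake.Dropper.A"}

# Looser, YARA-style signature: only the behaviour-relevant substring is matched.
PATTERN_SIGNATURES = {
    re.compile(rb"connect\(evil\.example\.invalid\)"): "Fake.Dropper.Gen",
}


def scan_hash(sample: bytes):
    """Cheap check: hash the whole file once and look it up."""
    return HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())


def scan_pattern(sample: bytes):
    """Costlier check: every pattern is searched over every byte of the file."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern.search(sample):
            return name
    return None


def scan(sample: bytes) -> dict:
    return {"hash": scan_hash(sample), "pattern": scan_pattern(sample)}


# The modification loop the article describes: one byte changed, then rescan.
MODIFIED = KNOWN_BAD.replace(b"v1", b"v2")

if __name__ == "__main__":
    print(scan(KNOWN_BAD))   # both signature types match
    print(scan(MODIFIED))    # the hash no longer matches, the pattern still does
```

The hash lookup costs one pass over the file; the pattern search costs one pass per pattern, and a real signature set has many thousands of them, which is the battery cost the comment points at when it says phones cannot monitor everything.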
Tomi Engdahl says:
When It Comes to Security, We’re Back to Feudalism
Bruce Schneier
http://www.wired.com/opinion/2012/11/feudal-security/
Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.
These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them – or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.
Traditional computer security centered around users. Users had to purchase and install anti-virus software and firewalls, ensure their operating system and network were configured properly, update their software, and generally manage their own security.
This model is breaking, largely due to two developments:
New Internet-enabled devices where the vendor maintains more control over the hardware and software than we do – like the iPhone and Kindle; and
Services where the host maintains our data for us – like Flickr and Hotmail.
Now, we users must trust the security of these hardware manufacturers, software vendors, and cloud providers.
We choose to do it because of the convenience, redundancy, automation, and shareability. We like it when we can access our e-mail anywhere, from any computer. We like it when we can restore our contact lists after we’ve lost our phones.
In this new world of computing, we give up a certain amount of control, and in exchange we trust that our lords will both treat us well and protect us from harm. Not only will our software be continually updated with the newest and coolest functionality, but we trust it will happen without our being overtaxed by fees and required upgrades. We trust that our data and devices won’t be exposed to hackers, criminals, and malware. We trust that governments won’t be allowed to illegally spy on us.
Trust is our only option. In this system, we have no control over the security provided by our feudal lords. We don’t know what sort of security methods they’re using, or how they’re configured. We mostly can’t install our own security products on iPhones or Android phones; we certainly can’t install them on Facebook, Gmail, or Twitter.
Tomi Engdahl says:
Blog Reveals a Chinese Military Hacker’s Life Is One of Boredom and Bitterness
http://it.slashdot.org/story/13/03/13/2225237/blog-reveals-a-chinese-military-hackers-life-is-one-of-boredom-and-bitterness
“People’s Liberation Army hackers: they’re just like us. As noted by IT security firm Mandiant, and detailed in a new article by The Los Angeles Times, a blogger calling themselves ‘Rocy Bird’ had posted several hundred blog entries over a three-year period about life as a Chinese military hacker. It wasn’t the most exciting existence”
Tomi Engdahl says:
Fake fingers fool Brazilian biometrics
Whole new frontier for giving someone the finger
http://www.theregister.co.uk/2013/03/14/brazilian_fake_fingers/
Doctors at Ferraz de Vasconcelos hospital in Sao Paulo, Brazil, have reportedly fabricated fake fingers to fool biometric scanners.
The scam came to light on Globo Television, whose text and video report shows one of the fake digits and a disguised interviewee.
Hospital staff used the fake fingers to clock on up to 300 phantom staff.
Tomi Engdahl says:
Facebook unfriends CISPA cybersecurity bill over ‘privacy’
http://news.cnet.com/8301-13578_3-57574381-38/facebook-unfriends-cispa-cybersecurity-bill-over-privacy/
Authors of cybersecurity bill criticized for privacy invasions used Facebook’s enthusiasm to attract political support in D.C. Now the company’s execs have backed away from CISPA.
Facebook no longer supports a controversial federal cybersecurity bill that would let U.S. companies share personal information with government agencies in ways currently prohibited by privacy laws.
The social-networking company had previously applauded the Cyber Intelligence Sharing and Protection Act, or CISPA, which was reintroduced last month.
A Facebook spokeswoman told CNET today that her employer prefers a legislative “balance” that ensures “the privacy of our users”
Tomi Engdahl says:
Cyberattacks Prominent in Obama Call With New Chinese President
http://bits.blogs.nytimes.com/2013/03/14/cyberattacks-prominent-in-obama-call-with-new-chinese-president/
Cyberthreats featured prominently in President Obama’s congratulatory call to the new Chinese president, Xi Jinping, on Thursday.
The president used the occasion to discuss the loss of United States intellectual property from cyberattacks. The mere mention of cyberthreats is a step forward for an administration that has been reluctant to confront Beijing on Chinese military attacks even as billions of dollars’ worth of trade secrets have been stolen.
tomi says:
German telecom company provides real-time map of Cyber attacks
http://www.gsnmagazine.com/node/28720?c=cyber_security
Deutsche Telekom, parent company of T-Mobile, put up what it calls its “Security dashboard” portal on March 6. The map, said the company, is based on attacks on its purpose-built network of decoy “honeypot” systems at 90 locations worldwide
Deutsche Telekom said it launched the online portal at the CeBIT telecommunications trade show in Hanover, Germany, to increase the visibility of advancing electronic threats.
“New cyber attacks on companies and institutions are found every day. Deutsche Telekom alone records up to 450,000 attacks per day on its honeypot systems and the number is rising. We need greater transparency about the threat situation. With its security radar, Deutsche Telekom is helping to achieve this,” said Thomas Kremer, board member responsible for Data Privacy, Legal Affairs and Compliance.
Overview of current cyber attacks (logged by 97 sensors)
http://www.sicherheitstacho.eu/?lang=en
Tomi Engdahl says:
Stealing cars and ringing doorbells with radio
http://hackaday.com/2013/03/14/stealing-cars-and-ringing-doorbells-with-radio/
The cheap software defined radio platforms that can be built out of a USB TV tuner aren’t getting much love on the Hackaday tip line of late. Thankfully, [Adam] sent in a great guide to cracking sub-GHz wireless protocols wide open, and ringing doorbells, opening cars, and potentially setting houses on fire in the process.
The first wireless hack [Adam] managed to whip up is figuring out how a wireless doorbell transmitter communicates with its receiver.
Doorbells are a low-stakes game, so [Adam] decided to step things up a little and unlock his son’s car by capturing and replaying the signals from a key fob remote. Modern cars use a rolling code for their keyless entry, so that entire endeavour is just a party trick. Other RF-enabled appliances, such as a remote-controlled mains outlet, are a much larger threat to home and office security, but still one [Adam] managed to crack wide open.
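The reason the replayed key-fob signal is only a party trick, shown as an added example that is not from the Hackaday post or [Adam]’s write-up: a toy rolling-code fob and receiver next to a fixed-code appliance receiver of the kind the post calls the larger threat. The scheme is constructed for illustration (an HMAC tag over a counter); real fobs typically encrypt the counter instead, and the key and window size here are assumptions.

```python
"""Added example (not from the Hackaday post): a toy rolling-code key fob and
receiver, plus a fixed-code appliance remote for contrast. Constructed scheme,
not any vendor's protocol: real fobs usually encrypt the counter (e.g. KeeLoq)
rather than appending an HMAC tag as done here."""
import hashlib
import hmac
import struct

TAG_LEN = 4  # bytes of HMAC kept in the transmitted frame


def make_code(key: bytes, counter: int) -> bytes:
    """Transmitted frame: truncated HMAC tag over the counter, then the counter."""
    ctr = struct.pack(">I", counter)
    tag = hmac.new(key, ctr, hashlib.sha256).digest()[:TAG_LEN]
    return tag + ctr


class RollingFob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1          # never reused: every press sends a fresh counter
        return make_code(self.key, self.counter)


class RollingReceiver:
    WINDOW = 16  # presses made out of the car's range that are still tolerated

    def __init__(self, key: bytes):
        self.key = key
        self.last = 0

    def accept(self, code: bytes) -> bool:
        if len(code) != TAG_LEN + 4:
            return False
        counter = struct.unpack(">I", code[TAG_LEN:])[0]
        if not hmac.compare_digest(code, make_code(self.key, counter)):
            return False           # wrong key or tampered frame
        if counter <= self.last:
            return False           # replay of a counter already consumed
        if counter > self.last + self.WINDOW:
            return False           # too far ahead: treated as desynchronised
        self.last = counter
        return True


class FixedCodeReceiver:
    """Cheap appliance remote: one static code, so a captured frame stays valid."""
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, code: bytes) -> bool:
        return hmac.compare_digest(code, make_code(self.key, 0))


def demo() -> dict:
    key = b"constructed-demo-key"   # constructed; a real fob holds a per-device secret
    fob, car = RollingFob(key), RollingReceiver(key)
    first = fob.press()
    live = car.accept(first)               # genuine press
    replay = car.accept(first)             # the same frame sent again
    for _ in range(5):
        fob.press()                        # presses the car never heard
    resync = car.accept(fob.press())       # still inside the window
    outlet = FixedCodeReceiver(key)
    static = make_code(key, 0)
    fixed_replay = outlet.accept(static) and outlet.accept(static)
    return {"live": live, "replay": replay, "resync": resync, "fixed_replay": fixed_replay}


if __name__ == "__main__":
    print(demo())
```

The window is the usual trade-off: large enough that a fob pressed in a pocket still works later, small enough that a captured frame goes stale quickly once the owner uses the car again.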
Tomi Engdahl says:
The Internet’s Bad Neighborhoods
http://yro.slashdot.org/story/13/03/14/211229/the-internets-bad-neighborhoods
“Of the 42,000 Internet Service Providers (ISPs) surveyed, just 20 were found to be responsible for nearly half of all the spamming IP addresses — and some ISPs have more than 60% of compromised hosts, mostly in Asia. Phishing Bad Neighborhoods, on the other hand, are mostly in the U.S.”
Bad Neighbourhoods on the internet are a real nuisance
http://www.utwente.nl/en/archive/2013/03/bad_neighbourhoods_on_the_internet_are_a_real_nuisance.doc/
Tomi says:
Security blogger Brian Krebs suffers simultaneous cyber attack, police raid
http://www.theverge.com/2013/3/15/4109568/cyber-blogger-brian-krebs-ddos-attack-police-raid
Brian Krebs, an influential cyber security blogger previously with The Washington Post who now runs his own blog Krebs on Security, suffered a simultaneous denial of service (DDoS) attack on his website and a misdirected police raid on his house in Annandale, Virginia, on Thursday evening.
Hackers and pranksters have in recent years perpetrated similar hoax emergency calls on celebrities, a practice known as “SWATting”.
“This type of individual prank puts peoples’ lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies,”
Krebs wrote that he believes the DDoS attack and the phony emergency call were perpetrated by the same people or person
Tomi says:
Crooks Spy on Casino Card Games With Hacked Security Cameras, Win $33M
http://www.wired.com/threatlevel/2013/03/hackers-game-casino/
A high-roller and hacker accomplices made off with about $33 million after they gamed a casino in Australia by hacking its surveillance cameras and gaining an advantage in several rounds of high-stakes card games.
The Ocean’s Eleven-style heist played out over eight hands of cards before the gambler was caught, though not before the money was gone, according to the Herald Sun.
According to authorities, accomplices gained remote access to the casino’s state-of-the-art, high-resolution cameras to spy on card hands being played by the house and other guests in the casino’s VIP high-roller’s room, and fed the gambler signals based on the cards his opponents held.
“It’s very easy to intercept a signal from many casinos that don’t take precautions,”
Tomi says:
Crown casino hi-tech scam nets $32 million
http://www.heraldsun.com.au/news/law-order/crown-casino-hi-tech-scam-nets-32-million/story-fnat79vb-1226597666337
A foreign high roller who was staying at Crown has been implicated in the rip-off, in which the venue’s security cameras were used to spy for him.
A staff member has also been entangled in the colossal Ocean’s 11-style rort.
The Herald Sun understands remote access to the venue’s security system was given to an unauthorised person.
Images relayed from cameras were then used to spy on a top-level gaming area where the high roller was playing.
Signals were given to him on how he should bet based on the advice of someone viewing the camera feeds.
The cameras at Crown are state-of-the-art, high-resolution technology.
Tomi Engdahl says:
Hacking Las Vegas
THE INSIDE STORY OF THE MIT BLACKJACK TEAM’S CONQUEST OF THE CASINOS.
http://www.wired.com/wired/archive/10.09/vegas.html
Tomi Engdahl says:
Popular Surveillance Cameras Open to Hackers, Researcher Says
http://www.wired.com/threatlevel/2012/05/cctv-hack/
In a world where security cameras are nearly as ubiquitous as light fixtures, someone is always watching you.
But the watcher might not always be who you think it is.
Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.
Tomi Engdahl says:
States have reached an arms race in the cyber world: “Attacks are constant”
While military cooperation in the physical world has progressed into concrete actions, in the cyber world genuine cooperation remains firmly at the level of talk.
Cyber attacks are launched to destabilise a state’s critical infrastructure, such as transport, payment traffic and energy networks.
Jarno Limnell, Doctor of Military Science and cyber security director at security company Stonesoft, says there is a clear reason for the secrecy and for the nationalism that emphasises one’s own importance.
- The cyber world has not yet been divided up, so there is confusion and room for building the rules. States are reluctant to share their capabilities among allies, even within a military alliance.
Mikko Hyppönen, research director at security company F-Secure:
- It is useless to talk about any kind of cooperation between states when it comes to network espionage or network warfare, because states are doing it for themselves.
“All are developing offensive capabilities”
Catharina Candolin, head of the computer network defence sector at the Defence Staff, says that confidential information does not preclude international cooperation.
- In general, anything related to capability is usually not shared with other states.
Limnell says that without the ability to attack it is difficult to build a credible defence.
- Everyone develops a variety of offensive capabilities. Developing one’s own defence requires constant attacks against it, so that vulnerabilities can be removed.
Limnell estimates that the secrecy will continue in the coming years, but openness will increase.
Source: http://www.iltasanomat.fi/digi/art-1288549103571.html
Tomi Engdahl says:
The most serious threats to Windows can be found in non-Microsoft products
Vulnerabilities threatening Windows increased last year by five per cent, says a recent report by data security company Secunia.
86 per cent of the weaknesses, however, affected products other than Microsoft’s own.
At the forefront of buggy programs is Google’s Chrome browser, in which a total of 291 vulnerabilities were found in the period 2011-2012. Second came the Mozilla Firefox web browser and third Apple’s iTunes.
Secunia Vulnerability Review 2013
http://i1-news.softpedia-static.com/images/extra/SECURITY/Secunia%20Vulnerability%20Review%202013REPORT_FINAL031313.pdf
Tomi Engdahl says:
Flooding market with cheap antivirus kit isn’t going to help ANYONE
Not the reseller, not the vendor and especially not the user
http://www.channelregister.co.uk/2013/03/18/tim_ayling_on_commodity_av/
There has been a lot of talk in information security circles over the past few weeks about the revelations of advanced persistent cyber attacks on several big name US newspapers including the Wall Street Journal and The New York Times.
The truth is that these kinds of attacks are becoming an increasingly common sight on the global stage. The worry for organisations is that they’re no longer being launched by nation states alone. Once a victim has been chosen and the trap set, it can be extremely difficult to protect against that initial network infection – which often comes in the form of a zero day threat – and most firms’ security systems are simply not advanced enough to spot the silent cyber insurgent lifting data from right under their noses.
The New York Times claimed that software from its security provider Symantec detected only one out of 45 pieces of malware used by its attackers. This in turn provoked a robust response from the vendor, which maintained that customers relying on basic, signature-based antivirus products cannot possibly hope to defend themselves against this kind of advanced threat.
Signature AV has been the bread-and-butter of the security industry for years and will still protect against 99 per cent of threats. The problem is that the one per cent that cause an organisation real damage, like the targeted attacks above, are not covered.
The reseller race to the bottom has spawned a market flooded with cheap AV kit. The fact is that resellers are missing a trick here by failing to offer those tools which are designed to defend against targeted threats.
Basic AV and advanced protection against targeted threats have become polarised during the wide-ranging debate on where the threat landscape is headed, but they need to come under the same roof to provide truly effective protection.
Tomi Engdahl says:
Security reporter tells Ars about hacked 911 call that sent SWAT team to his house (Updated)
Brian Krebs may be first journalist to suffer vicious hack known as swatting.
http://arstechnica.com/security/2013/03/security-reporter-tells-ars-about-hacked-911-call-that-sent-swat-team-to-his-house/
Update: Krebs has now written about his experience in some detail. The same people responsible for the DDoS attack carried out yesterday on Krebs’ site launched a similar attack on Ars Technica this morning.
Tomi Engdahl says:
Multi-Dimensional Behavioral Analytics
http://www.youtube.com/watch?v=5vpxDsLg5jo&feature=youtu.be
LogRhythm introduces big data security analytics platform with the industry’s first multi-dimensional behavioral analytics.
patent-pending behavioral whitelisting as well as advanced statistical and heuristic behavioral analysis
detect breaches and the most sophisticated cyber threats
Tomi Engdahl says:
Researcher: Hackers Can Jam Traffic By Manipulating Real-Time Traffic Data
http://tech.slashdot.org/story/13/03/18/1650208/researcher-hackers-can-jam-traffic-by-manipulating-real-time-traffic-data
“Hackers can influence real-time traffic-flow-analysis systems to make people drive into traffic jams or to keep roads clear in areas where a lot of people use Google or Waze navigation systems, a German researcher demonstrated at BlackHat Europe.”
“An attacker does not have to drive a route to manipulate data, because Google also accepts data from phones without information from surrounding access points, thus enabling an attacker to influence traffic data worldwide,”
Tomi Engdahl says:
Bug in EA’s Origin game platform allows attackers to hijack player PCs
http://arstechnica.com/security/2013/03/bug-on-eas-origin-game-platform-allows-attackers-to-hijack-player-pcs/
Millions could be at risk of exploits that use Origin to execute malicious code.
More than 40 million people could be affected by a vulnerability researchers uncovered in EA’s Origin online game platform allowing attackers to remotely execute malicious code on players’ computers.
The attack, demonstrated on Friday at the Black Hat security conference in Amsterdam, takes just seconds to execute. In some cases, it requires no interaction by victims, researchers from Malta-based ReVuln (@revuln) told Ars. It works by manipulating the uniform resource identifiers EA’s site uses to automatically start games on an end user’s machine.
“Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure,” an EA spokesman wrote in an e-mail to Ars.
Tomi Engdahl says:
FinFisher spyware goes global, mobile and undercover
Report claims to have found C&C servers in 25 countries
http://www.theregister.co.uk/2013/03/19/finfisher_spyware_apac_countries/
Security researchers have warned that the controversial FinFisher spyware has been updated to evade detection and has now been discovered in 25 countries across the globe, many of them in APAC.
FinFisher, also known as FinSpy, is produced by Anglo/German firm Gamma International and marketed as a “lawful interception” suite designed for law enforcers to monitor suspected criminals.
Now, researchers at Toronto University’s Munk School of Global Affairs, who have been tracking the use of this surveillance-ware for over a year, say they’ve found 36 new command and control servers, 30 of which are new, in 19 countries.
This brings the total number of countries where the spyware has been found to 25, they said.
Gamma International has repeatedly denied any links to the spyware and servers revealed by Munk School researchers.
However, it was named on a recent report from Reporters Without Borders as one of five corporate “enemies of the internet” which has produced technology “which has repeatedly been discovered in countries who mistreat journalists”.
Tomi says:
Massive bot network is draining $6 million a month from online ad industry, says report
http://paidcontent.org/2013/03/19/massive-bot-network-is-draining-6-million-a-month-from-online-ad-industry-says-report/
An analytics firm has uncovered a network of more than 200 sites that appears aimed at defrauding the online ad industry. The network tricks marketers into serving billions of “targeted” ads to bots every month.
The findings were announced on Tuesday by Spider.io, a firm that specializes in detecting abnormal internet traffic. Spider says it has identified at least 202 websites where the vast majority of visitors are bots rather than normal human visitors, and that every major brand engaged in automated ad buying has been paying to show ads to the bots; a visit to one of the affected sites Tuesday morning showed ads from brands like Crest and Bank of America.
The world of “ad tech,” where companies use automated platforms to buy and sell ads in real time, is highly complex. It involves massive online exchanges in which publishers invite marketers to bid on their web real estate; the publishers — and various middlemen — get paid whenever an ad is seen or, in some cases, clicked upon.
While the exchanges create a more efficient market, they also make it easier for dishonest participants to enter the ad stream. Since marketers buy millions or billions of ad impressions at a time, it can be hard to verify if the ads appear before real people or in front of bots.
Spider said the “click-through” rates for ads on the 202 sites were 0.02%, which is a normal figure for the ad industry; it said the low click-through rate appeared intended to avoid drawing attention to the scam.
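Why a normal click-through rate is not enough to clear a site, as an added example that is not from the paidContent article and is not Spider.io’s method: a small detector over constructed impression rows that computes per-site impressions per distinct address and user-agent concentration, and flags a ghost site even though its click-through rate has been tuned to the 0.02% figure quoted above. Site names, addresses, heuristics and thresholds are all constructed for illustration.

```python
"""Added example (not from the article, and not Spider.io's method): flag sites
whose ad traffic looks automated. Log rows, heuristics and thresholds are all
constructed for illustration."""
from collections import Counter, defaultdict

UAS = [
    "Mozilla/5.0 (Windows NT 6.1)",
    "Mozilla/5.0 (Macintosh)",
    "Mozilla/5.0 (Linux; Android 4.1)",
]


def build_sample_log():
    """Constructed impression rows: (site, client_ip, user_agent, clicked)."""
    rows = []
    # Legitimate site: 60 impressions from 60 distinct addresses, mixed browsers, one click.
    for i in range(60):
        rows.append(("news.example", f"198.51.100.{i + 1}", UAS[i % 3], 1 if i == 7 else 0))
    # Ghost site: 5000 impressions from four addresses, one browser string, and
    # exactly one click so the click-through rate (0.02%) matches a normal site's.
    for i in range(5000):
        rows.append(("ghost.example", f"203.0.113.{i % 4 + 1}", UAS[0], 1 if i == 0 else 0))
    return rows


def site_metrics(rows):
    """Per-site volume, click-through rate, address reuse and user-agent concentration."""
    imps, clicks = Counter(), Counter()
    ips, uas = defaultdict(set), defaultdict(Counter)
    for site, ip, ua, clicked in rows:
        imps[site] += 1
        clicks[site] += int(clicked)
        ips[site].add(ip)
        uas[site][ua] += 1
    metrics = {}
    for site, n in imps.items():
        metrics[site] = {
            "impressions": n,
            "ctr": clicks[site] / n,
            "impressions_per_ip": n / len(ips[site]),
            "top_ua_share": uas[site].most_common(1)[0][1] / n,
        }
    return metrics


def suspicious(m, max_imps_per_ip=25.0, max_ua_share=0.9):
    """Constructed thresholds. CTR is deliberately not a criterion: the scam kept it normal."""
    return m["impressions_per_ip"] > max_imps_per_ip or m["top_ua_share"] > max_ua_share


def flag_sites(rows):
    return sorted(site for site, m in site_metrics(rows).items() if suspicious(m))


if __name__ == "__main__":
    for site, m in site_metrics(build_sample_log()).items():
        print(site, m, "SUSPICIOUS" if suspicious(m) else "ok")
```

On real exchange data the address-reuse signal is weaker (carrier NAT puts many real users behind one address), so a production check would combine it with session timing and referrer patterns; the point here is only that a metric the fraudster has tuned cannot be the one you rely on.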
Tomi says:
Meet the Most Suspect Publishers on the Web
The rise of ghost sites, where traffic is huge but humans are few
http://www.adweek.com/news/technology/meet-most-suspect-publishers-web-148032
Indeed, while the Web has never been short of tricksters, scam artists and crooks, a new breed of cheat is fast becoming a plague in the exchange world: the ghost publisher. Increasingly, digital agencies and buy-side technology firms are seeing massive traffic and audience spikes from groups of Web publishers few people have ever heard of. These sites—billed as legitimate media properties—are built to look authentic on the surface, with generic, nonalarm-sounding content. But after digging deeper, it becomes evident that very little of these sites’ audiences are real people. Yet big name advertisers are spending millions trying to reach engaged users on these properties.
“These sites have hundreds of millions of bogus impressions, and those illegitimate sites are regularly in the top 10 by volume for major SSP’s,” said one buyer.
“This used to be a big problem in search, but not so much in display,”
But others worry that this sort of constant dicey behavior in the online ad realm is a big problem—one that goes well beyond the millions lost to cheaters. They worry that all this noise gives brands more reason to just stay offline.
Tomi Engdahl says:
BlackBerry software ruled not safe enough for essential government work
http://www.guardian.co.uk/technology/2013/mar/19/blackberry-software-not-safe-enough-government-work
CESG rejects BB10 software in new Z10 handset, dealing blow to Canadian firm in key market
BlackBerry’s new BB10 software has been rejected by the British government as not secure enough for essential work, the Guardian can reveal.
The previous BlackBerry version, 7.1, was cleared by the UK’s Communications-Electronics Security Group (CESG) in December 2012 for classifications up to “Restricted” – two levels below “Secret”.