Security trends for 2014

Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV.

2013 was a very hacked year, with many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.


Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase due to the fact that the technology is being used more in 2014.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing due to the fact that Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.

Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to improve its operation (for example to update in real-time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion, to $3.1 billion in 2015.

Marketers try to put the “cloud” term into security product brochures as much as they can. The cloud makes traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because of the data and equipment run in the cloud users with the cloud is the best way to protect them.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit using them. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to get some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.

3,382 Comments

  1. Tomi Engdahl says:

    Android’s Cyanogenmod open to MitM attacks
    Code re-use spells zero day for millions of modders
    http://www.theregister.co.uk/2014/10/13/androids_cyanogenmod_open_to_mitm_attacks/

    More than 10 million users of the popular Cyanogen build of Android are exposed to man-in-the-middle (MitM) attacks thanks to reuse of vulnerable sample code.

    The zero day vulnerability makes it possible to target any browser used on the popular Android distribution.

    A security researcher who works for a top-tier vendor, but asked Vulture South not to use his name, said Cyanogenmod developers among many others had taken Oracle’s sample code for Java 1.5 for parsing certificates to obtain hostnames – which is vulnerable to an older bug – and implemented it.

    “They just copy-pasted the sample code and that’s what was vulnerable.”

    “I checked on GitHub and found out a tonne of others were using it.”

    Reply
  2. Tomi Engdahl says:

    Heistmeisters crack cost of safecrackers with $150 widget
    Arduino hack-box brute-forces ATMs, gun safes
    http://www.theregister.co.uk/2014/10/13/heistmeisters_crack_cost_of_safecrackers_with_150_widget/

    A pair of Melbourne security professionals have developed a $150 auto-dialer safe cracker that replicates a machine worth tens of thousands of dollars and sold only to military customers.

    The unit launches automatic brute force attacks against group two combination locks used in high-security environments like ATMs and gun safes.

    Current and former penetration testers Luke Janke and Jay Davis created the device using Arduino and 3D printed components.

    “They pretty much use group two locks for everything,” Davis said at the Ruxcon security conference in Melbourne.

    “A lot of these locks have about 10 default combinations which never ever get changed and they would be the ones you would want to try out first.”

    Reply
  3. Tomi Engdahl says:

    Hackers post ‘at least 100,000’ intercepted Snapchat photos on 4chan
    Third-party app SnapSaved allegedly to blame
    http://www.theinquirer.net/inquirer/news/2375126/hackers-post-at-least-100-000-intercepted-snapchat-photos-on-4chan

    HACKERS HAVE got their hands on “at least 100,000” Snapchat images sent via non-official third-party apps, and have since posted them on 4Chan.

    Making Apple’s iCloud leak seem dull, hackers have boasted on 4chan that they have obtained 13GB of images via a third-party Snapchat application, equating to “at least 100,000 pictures” that their owners will have assumed had been deleted.

    It is not yet known what app is the culprit, but speculation is suggesting that Android application SnapSaved was the source of the leak, an app which disappeared several months ago.

    This has rung alarm bells at 4chan, which noted that the collection of photos includes a large amount of child pornography. Half of Snapchat’s user base is aged between 13 and 17.

    Snapchat said that its servers “were never breached and were not the source of these leaks”.

    The company added: “Snapchatters were victimised by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.

    Mark James, security specialist at ESET said this latest hack once again raises the importance of keeping your data secure.

    “This incident again showed that it’s all about perception of what is secure and what is not. The best advice I can offer in this case and the next ‘when it happens’ is do not use your smartphone or tablet to take images of you or your partner if you want them to remain private.”

    Reply
  4. Tomi Engdahl says:

    Just because you’re paranoid doesn’t mean they can’t log your keystrokes
    Column Windows 10 privacy scoop has gone on a world tour of missing the point
    http://www.theinquirer.net/inquirer/opinion/2375082/just-because-youre-paranoid-doesnt-mean-they-cant-log-your-keystrokes

    Microsoft’s Windows 10 Preview has permission to watch your every move
    Its ‘privacy’ policy includes permission to use a keylogger
    http://www.theinquirer.net/inquirer/news/2373838/microsofts-windows-10-preview-has-permission-to-watch-your-every-move

    Reply
  5. Tomi Engdahl says:

    Large DDoS attack against Tieto in Sweden

    Several key systems, including health care and education, run by consultancy giant Tieto were exposed on Thursday to a comprehensive denial of service attack.

    At half past two o’clock yesterday Tieto managed to confirm that the disturbances during the day hit some of its services to local government and the health sector due to a denial of service.

    Tieto does not know where the attack came from or who is behind it. But the result was that all services of the company’s “Lifecare Cloud Services” could not be accessed by users.

    Yesterday and during the night, Tieto has worked with its supplier Telia to get to grips with the problem and to ensure that a new denial of service does not have the same wide-ranging implications for the users.

    Source:
    Stor ddos-attack mot Tieto
    https://computersweden.idg.se/2.2683/1.588679

    Reply
  6. Tomi Engdahl says:

    Mooltipass Installation Process is Now Dead Simple
    http://hackaday.com/2014/10/13/mooltipass-installation-process-is-now-dead-simple/

    In a few weeks the Hackaday community offline password keeper will reach a crowdfunding platform. This is a necessary step as only a high production volume will allow our $80 early bird perk target.

    Thanks to the Chromium development team, a few days ago the Mooltipass installation process became as simple as installing our app & extension. As you may remember, our device is enumerated as composite HID proprietary / HID standard keyboard. This makes it completely driverless for all operating systems and enables standalone operation as the Mooltipass can type logins and passwords selected through its user interface. Management communications are therefore done through the Mooltipass HID proprietary interface, which Chrome 38 now natively supports through its chrome.hid API. The simpler our installation process is, the more likely the final users will appreciate the fruit of our hard labor.

    Reply
  7. Tomi Engdahl says:

    Snapchat servers ‘were never breached,’ but your snaps may still be compromised (update)
    http://www.engadget.com/2014/10/10/snapchat-snapsave-alleged-breach/

    “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

    Snapchat: If Your Nude Snapchat Photos Get Leaked, It’s Not Our Fault
    Read more: http://www.businessinsider.com/snapchat-if-your-nude-photos-get-leaked-its-not-our-fault-2014-10#ixzz3G1jqglMV

    Reply
  8. Tomi Engdahl says:

    Pastebin post claims 7M Dropbox accounts compromised, includes “teaser” with hundreds of username/password combos

    [Update] Hundreds of Dropbox passwords leaked online but Dropbox denies it was hacked
    http://thenextweb.com/apps/2014/10/14/dropbox-passwords-leak-online-alleged-hack/

    A thread surfaced on Reddit today that contained links to files containing hundreds of usernames and passwords for Dropbox accounts in plain text, but it’s unclear where they were obtained from.

    In four Pastebin files linked to from the site, a few hundred username and password pairs were listed in plain text as “teases” for a full leak from an anonymous user, who asked for Bitcoin donations for continued leaks.

    Users in the Reddit thread allegedly confirmed the credentials in the spreadsheet worked at time of writing on multiple accounts listed, however it’s not clear where these credentials actually came from nor how many users were affected.

    Dropbox denies hack, says old logins were scraped from third-party services
    Read more at http://www.cultofmac.com/299528/millions-dropbox-accounts-allegedly-compromised-massive-hack/#WyYy7tLUdzocoExe.99

    Reply
  9. Tomi Engdahl says:

    Private Donors Supply Spy Gear to Cops
    http://www.propublica.org/article/private-donors-supply-spy-gear-to-cops

    There’s little public scrutiny when private donors pay to give police controversial technology and weapons. Sometimes, companies are donors to the same foundations that purchase their products for police.

    In 2007, as it pushed to build a state-of-the-art surveillance facility, the Los Angeles Police Department cast an acquisitive eye on software being developed by Palantir, a startup funded in part by the Central Intelligence Agency’s venture capital arm.

    Originally designed for spy agencies, Palantir’s technology allowed users to track individuals with unprecedented reach, connecting information from conventional sources like crime reports with more controversial data gathered by surveillance cameras and license plate readers that automatically, and indiscriminately, photographed passing cars.

    The LAPD could have used a small portion of its multibillion-dollar annual budget to purchase the software, but that would have meant going through a year-long process requiring public meetings, approval from the City Council, and, in some cases, competitive bidding.

    There was a quicker, quieter way to get the software: as a gift from the Los Angeles Police Foundation, a private charity.

    Reply
  10. Tomi Engdahl says:

    iSight, Microsoft, announce Windows and Windows Server 0-day
    ‘SandWorm’ exploit fingered as weapon used in Russian attack on NATO, EU
    http://www.theregister.co.uk/2014/10/14/isight_microsoft_announce_windows_and_windows_server_0day/

    Threat intelligence firm iSight partners has announced the discovery of a zero-day that impacts desktop and server versions of Windows, from Vista and Server 2008 to current versions.

    The firm has dubbed the vulnerability CVE-2014-4114 “SandWorm” and this one looks to be as terrible as Shai-Hulud in full cry, as iSight says it was “used in [a] Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors.”

    The zero-day is “An exposed dangerous method vulnerability exists in the OLE package manager in Microsoft Windows and Server” that “allows an attacker to remotely execute arbitrary code.”

    “This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands”.

    “A weaponized PowerPoint document was observed in these attacks.”

    Reply
  11. Tomi Engdahl says:

    Bored hackers flick Shellshock button to OFF as payloads shrink
    But beware of complacency, warn Akamai bods
    http://www.theregister.co.uk/2014/10/03/shellshock_bored_hackers_giving_up_droves/

    Malicious and benign attacks against systems vulnerable to Shellshock had halved by Sunday after peaking three days following the bug’s disclosure, Akamai researchers say.

    The variety of payloads targeting vulnerable sites increased dramatically over the same period before tapering off, in a possible sign that hackers were bored with the bug.

    The number of unique payloads increased from 43 on day zero to a whopping 10,716 just 24 hours later. It peaked on 27 September at 20,753 before falling off.

    The numbers demonstrated the effectiveness of Shellshock as an attack vector, researchers Ezra Caltum, Adi Ludmer and Ory Segal wrote in a co-authored post.

    “One of the troubling aspects of the Shellshock vulnerability is the ease of exploitation, which can be seen by the dramatic increase in the number of unique payloads between the first and the second days,” they said.

    “The sheer number of creative payloads also demonstrates how effective and deadly this vulnerability can be – most of the scanning and exploitation process is already fully automated.

    “With such a low barrier to entry, and the simplicity of writing powerful exploits, we believe that Shellshock-based attacks are going to stay around for months if not years, and will probably top the botnet infection method charts in the near future.”

    Almost 300,000 gaming domains made up the vast majority of Shellshock targets, with consumer electronics, email marketing among the less affected industries.

    Reply
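As an added example (not from the article and not Akamai’s tooling), detection logic a defender could run over web-server access logs to flag Shellshock probes: every probe has to carry the Bash function-definition prefix in a header the CGI gateway exports into the environment, which is the signature below. The log lines are constructed samples.

```python
import re
from collections import Counter

# Every Shellshock probe has to deliver the Bash function-definition prefix
# "() {" in a value the CGI gateway exports into the environment, typically
# the User-Agent or Referer header.  Attackers varied the whitespace and what
# followed, so the signature pins only the two tokens every variant needs.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic.  Two probes sit in the
# User-Agent field, one in the Referer; the other lines are ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"
198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 0 "() { _; } >_[$($())] { echo probe; }" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:10:03:01 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.44 - - [25/Sep/2014:10:04:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() {:;}; /bin/true"
"""

SCANNED_FIELDS = ("request", "referer", "ua")


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = ACCESS_LINE_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(log_text):
    """Return one record per line that carries the probe signature.

    Each record names the source IP, the timestamp and which field matched,
    which is what an analyst needs to pivot on (block the source, check
    whether the requested CGI path actually exists and what it returned).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in SCANNED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "field": field,
                    "status": int(rec["status"]),
                    "value": rec[field],
                })
                break  # one record per line is enough
    return hits


def probes_by_source(hits):
    """Count probes per source IP so repeat scanners surface first."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_shellshock_probes(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} [{h["field"]} status={h["status"]}] {h["value"]}')
    print("per source:", dict(probes_by_source(found)))
```

A 200 status on a matching line deserves the most attention, since it means the probed CGI path exists and the response can be checked for evidence that the payload ran.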
  12. Tomi Engdahl says:

    NSA Sentry Eagle placed spies in private companies
    Latest docs show firms in Germany, South Korea, China targeted
    http://www.theregister.co.uk/2014/10/14/nsa_sentry_eagle_placed_spies_in_private_companies/

    The National Security Agency (NSA) has since 2004 sent spies into private companies in a bid to compromise networks from within, according to documents leaked by Edward Snowden.

    Agents sent in by the NSA targeted global communications firms under a highly classified ‘core secrets’ program dubbed Sentry Eagle previously known only to a handful of officials.

    The documents published by Snowden mouthpiece The Intercept indicate operatives in the core secrets program worked in concert with companies to weaken encryption and spent hundreds of millions of dollars to break security mechanisms.

    Reply
  13. Tomi Engdahl says:

    Tiny Wireless Device Offers Tor Anonymity
    http://news.slashdot.org/story/14/10/14/0035226/tiny-wireless-device-offers-tor-anonymity

    The Anonabox router project, currently being funded through a Kickstarter campaign, has surpassed its original $7,000 crowdfunding goal by more than 10 times in just one day. The open source router device connects via Wi-Fi or an Ethernet cable making it harder for your IP address to be seen.

    Tiny Anonabox to offer online anonymity through Tor
    http://www.computerworld.com/article/2825065/tiny-anonabox-to-offer-online-anonymity-through-tor.html

    The device is an open-source, plug-and-play wireless router

    A startup is offering a tiny wireless router to users who want their anonymity protected by first encrypting and then routing their traffic over the Tor network.

    The Anonabox is an open source, Internet networking device designed to run alongside a current home router or modem. Small enough to fit in a shirt or pants pocket, the device directs all your Internet data via Wi-Fi or an Ethernet cable to Tor, where your IP address is hidden from prying eyes.

    Tor (The Onion Router) is a free software project that conceals a user’s IP address by bouncing online activity and all data through a random, worldwide network made up of more than 5,000 relays.

    Anonabox is not the first Tor-enabled hardware device. The Tor community announced the Torouter Dreamplug hardware project last year.

    Also last year, Pogoplug launched Safeplug, a Tor-enabled web privacy device that has ad-blocking software and retails for $49. The Safeplug router, however, is about the same size as a typical home router and doesn’t add data encryption to network traffic as the Anonabox does.

    Over the past four years, the new Anonabox has seen four prototypes. The company said that its first generations were “pretty clunky and cost between $200-$400 just for the parts.”

    The latest version, however, is smaller than a deck of playing cards.

    Reply
  14. Tomi Engdahl says:

    VeraCrypt Is the New TrueCrypt — and It’s Better
    http://it.slashdot.org/story/14/10/13/2234251/veracrypt-is-the-new-truecrypt—-and-its-better

    If you’re looking for an alternative to TrueCrypt, you could do worse than VeraCrypt, which adds iterations and corrects weaknesses in TrueCrypt’s API, drivers and parameter checking

    VeraCrypt a Worthy TrueCrypt Alternative
    http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-truecrypt-alternative.html
    A fork of TrueCrypt’s code, VeraCrypt strengthens the open source encryption software’s transformation process and addresses other weaknesses.

    Reply
  15. Tomi Engdahl says:

    Password Security: Why the Horse Battery Staple Is Not Correct
    http://it.slashdot.org/story/14/10/13/1923244/password-security-why-the-horse-battery-staple-is-not-correct

    By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe.

    Password Security: Why the horse battery staple is not correct
    https://diogomonica.com/posts/password-security-why-the-horse-battery-staple-is-not-correct/

    In this post I’m going to make the following arguments:

    Choosing a password should be something you do very infrequently.
    Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks.
    When you do have to choose a password, one of the most important selection criterion should be how many other people have also chosen that same password.
    One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords.

    Reply
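As an added example illustrating the post’s argument (not the author’s code), a registration-time check that rejects a password because of how many other people have chosen it, including the trivial variants an informed guesser tries first. The common-password list is a constructed sample standing in for a full breach-derived list.

```python
import re

# Constructed sample of a "most common passwords" list.  Assumption: in
# production this is replaced by the full list derived from breach corpora;
# the XKCD passphrase is included because it has itself become a common choice.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "sunshine", "master", "welcome", "shadow", "football", "password1",
    "correcthorsebatterystaple",
})

# Undo the substitutions a wordlist "mangling rule" applies; "1" is mapped to
# "i" here, although guessers also try "l", so this is deliberately lossy.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
TRAILING_JUNK_RE = re.compile(r"[\d!@#$%^&*.]+$")


def normalize(candidate):
    """Return the forms an informed guesser derives from a base word.

    Covers the as-typed string, its lower-case form, the form with spaces
    removed, the form with a trailing run of digits/punctuation stripped, and
    each of those with leet substitutions undone.
    """
    lowered = candidate.lower()
    forms = {candidate, lowered, lowered.replace(" ", "")}
    stripped = TRAILING_JUNK_RE.sub("", lowered)
    if stripped:
        forms.add(stripped)
    for form in list(forms):
        forms.add(form.translate(LEET_MAP))
    return forms


def is_too_common(candidate, common=COMMON_PASSWORDS):
    """True when the candidate or one of its trivial variants is on the list."""
    return any(form in common for form in normalize(candidate))


def check_password(candidate, min_len=12, common=COMMON_PASSWORDS):
    """Return (accepted, reason).

    The commonality check runs first because it is the decisive one: a
    password shared with many other accounts falls to an informed
    statistical attack regardless of what a character-class meter says.
    """
    if is_too_common(candidate, common):
        return False, "matches a widely used password or a trivial variant of one"
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Password1!", "P4ssw0rd", "correct horse battery staple", "xk7#Lm9pQ!2vRt"]:
        print(repr(pw), check_password(pw))
```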
  16. Tomi Engdahl says:

    Truly scary SSL 3.0 vuln to be revealed soon: sources
    So worrying, no one’s breathing a word until patch is out
    http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

    Gird your loins, sysadmins: The Register has learned that news of yet another major security vulnerability – this time in SSL 3.0 – is probably imminent.

    Maintainers have kept quiet about the vulnerability in the lead-up to a patch release expected in in the late European evening, or not far from high noon Pacific Time.

    Details of the problem are under wraps due to the severity of the vulnerability.

    To that end it is unknown what platforms were impacted, but as SSL is very widely used any flaw will require plenty of urgent attention … and probably be unwelcome news to a tech community already reeling from the recent Shellshock vulnerability in Bash and the Heartbleed flaw.

    Reply
  17. Tomi Engdahl says:

    Cabling experts suggest FAA fire is the tip of the sabotage iceberg
    http://www.cablinginstall.com/articles/2014/10/faa-fire-sabotage.html

    The September 26 fire at the Federal Aviation Administration’s (FAA) Aurora, IL facility—a sabotage event that wreaked havoc on air travel for days—probably is just the proverbial “tip of the iceberg” as far as the damage that can be done, and is being done, by individuals with access to an organization’s vital and vulnerable IT equipment.

    In March 2014 Concert posted an item to its blog, titled “Destroyed in 60 Seconds: Riser Closets Offer Easy Target for Disgruntled Building Tenants to do Damage.” The post asks: “How quickly can a disgruntled building tenant cause major damage to a building’s infrastructure?” It then answers: “The ease with which building sabotage can occur is astounding and only takes seconds. In years past the ability for such catastrophic destruction was fairly limited, but today’s technology offers soft targets, and one of those targets consists of a building’s riser closet and the IT infrastructure within. These assaults result in thousands of dollars of damage and limitless harm to building leadership’s reputation, not to mention the loss of tenant’s vital IT services … It only takes one of your angry tenants or disgruntled employees with access to a riser closet to wipe out service, business, and privacy. Managing access to riser closets is key to preventing a quick cut to operations and building functions.”

    Destroyed in 60 Seconds: Riser Closets Offer Easy Target for Disgruntled Building Tenants to do Damage
    http://www.concerttech.com/newsblog/?p=395

    A tool as common as a utility knife can bring a swift and unseen end to tenants’ operations and key building functions. A US Dept. of Homeland Security study on network sabotage in business and government found that the majority of the saboteurs were “current or former employees” who exploited access to networks and infrastructure to exact revenge for perceived mistreatment.

    Reply
  18. Tomi Engdahl says:

    Windows Flaw Allowed Hackers To Spy On NATO, Ukraine, Others
    http://tech.slashdot.org/story/14/10/14/0449204/windows-flaw-allowed-hackers-to-spy-on-nato-ukraine-others

    Reuters reports that a cybersecurity firm has found evidence that a bug in Microsoft’s Windows operating system has allowed hackers located in Russia to spy on computers used by NATO, Ukraine, the European Union, and others for the past five years. Before disclosing the flaw, the firm alerted Microsoft, who plans to roll out a fix on Tuesday.

    Russian hackers target NATO, Ukraine and others: iSight
    http://www.reuters.com/article/2014/10/14/us-russia-hackers-idUSKCN0I308F20141014

    Russian hackers exploited a bug in Microsoft Windows and other software to spy on computers used by NATO, the European Union, Ukraine and companies in the energy and telecommunications sectors, according to cyber intelligence firm iSight Partners.

    ISight said it did not know what data had been found by the hackers, though it suspected they were seeking information on the Ukraine crisis, as well as diplomatic, energy and telecom issues, based on the targets and the contents of phishing emails used to infect computers with tainted files.

    ISight said it told Microsoft Corp about the bug and held off on disclosing the problem so the software maker had time to fix it.

    The iSight research is the latest in a series of private sector security reports that link Moscow to some of the most sophisticated cyber espionage uncovered to date.

    Reply
  19. Tomi Engdahl says:

    Russian ‘Sandworm’ Hack Has Been Spying on Foreign Governments for Years
    http://www.wired.com/2014/10/russian-sandworm-hack-isight/

    A cyberespionage campaign believed to be based in Russia has been targeting government leaders and institutions for nearly five years, according to researchers with iSight Partners who have examined code used in the attacks.

    The campaign, dubbed “Sandworm” is believed to have been running since 2009, and used a wide-reaching zero-day exploit uncovered by the researchers that affects nearly every version of the Windows operating system released since Windows Vista.

    Although iSight only has a small view of the number of victims targeted in the campaign, the victims include among others, the North Atlantic Treaty Organization, Ukrainian and European Union governments, energy and telecommunications firms, defense companies, as well as at least one academic in the US who was singled out for his focus on Ukrainian issues.

    The researchers dubbed the operation “Sandworm” because the attackers make multiple references to the science fiction series Dune in their code.

    Reply
  20. Tomi Engdahl says:

    Banks harvest callers’ voiceprints to fight fraud
    http://hosted.ap.org/dynamic/stories/E/EU_THE_VOICE_HARVESTERS?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT

    “This call may be monitored.”
    You hear it every time you phone your bank about a lost credit card or an unexpected charge. You may realize your bank is recording you, but did you know it could be taking your biometric data, too?

    An Associated Press investigation has found that two of America’s biggest retail banks – JPMorgan Chase & Co., and Wells Fargo & Co. – are quietly recording the biometric details of some callers’ voices to weed out fraud. The technology, sometimes called voiceprinting

    “Reducing fraud is a good thing,” said Jay Stanley, an analyst at the American Civil Liberties Union. But he warned that “we can’t anticipate what bright new uses this database will be put to in the future.”

    Mark Lazar, a vice president at Verint Systems Inc., said that when combined with other fraud detection techniques, voice biometric blacklists were effectively blocking the bad guys from banks’ call centers.

    The technology is winning converts fast.

    Many governments and businesses use voiceprinting openly.

    The ACLU’s Stanley said he understood the anti-fraud argument but worried about where the technology could lead.

    Reply
  21. Tomi Engdahl says:

    Sharing revenge porn could lead to prison sentence
    http://www.wired.co.uk/news/archive/2014-10/13/new-uk-law-makes-revenge-porn-illegal

    Vindictive exes engaging in “revenge porn” — the sharing of private sexually explicit images of someone without their consent on and offline with the intention of causing distress — could face up to two years in prison under a new law.

    The legislation, which is currently going through Parliament, will see the spreading of revenge porn be made a specific offence in the Criminal Justice and Courts Bill.

    Reply
  22. Tomi Engdahl says:

    Too Much Privacy: Finnish Police Want Big Euro Notes Taken Out of Circulation
    http://yro.slashdot.org/story/14/10/14/1324254/too-much-privacy-finnish-police-want-big-euro-notes-taken-out-of-circulation

    The Finnish Police are concerned that larger banknotes, namely the €200 and €500 banknotes, encourage criminal activity and should therefore be removed from Finnish cash circulation.

    Police request 500 euro banknotes be taken out of circulation
    http://yle.fi/uutiset/police_request_500_euro_banknotes_be_taken_out_of_circulation/7527539

    The Finnish Police have called for all 500 euro banknotes to be taken out of circulation, saying their existence enables under-the-table grey economy activities and money laundering. The Bank of Finland maintains that the use of larger bank notes in Finland is minimal in normal payment transactions and benefits outweigh the perceived disadvantages.

    Reply
  23. Tomi Engdahl says:

    BLACKENERGY & QUEDAGH
    The convergence of crimeware and APT attacks
    https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf

    BlackEnergy is a toolkit that has been used for years by various criminal outfits. In the summer of 2014, we noted that certain samples of BlackEnergy malware began targeting Ukrainian government organizations for information harvesting. These samples were identified as being the work of one group, referred to in this document as “Quedagh”, which has a history of targeting political organizations.

    The Quedagh-related customizations to the BlackEnergy malware include support for proxy servers and use of techniques to bypass User Account Control and driver signing features in 64-bit Windows systems

    Reply
  24. Tomi Engdahl says:

    iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign http://www.isightpartners.com/2014/10/cve-2014-4114/#sthash.xUC96YOI.dpuf

    Zero-day impacting all versions of Microsoft Windows – used in Russian cyber-espionage campaign targeting NATO, European Union, Telecommunications and Energy sectors

    Coordinated Disclosure

    Over the past 5 weeks, iSIGHT Partners worked closely with Microsoft to track and monitor the exploitation of this vulnerability in the wild, share technical information to assist in the analysis of the vulnerability and the development of a patch, and coordinate disclosure to the broader security community.

    Although the vulnerability impacts all versions of Microsoft Windows – having the potential to impact an enormous user population – from our tracking it appears that its existence was little known and the exploitation was reserved to the Sandworm team.

    Reply
  25. Tomi Engdahl says:

    New e-Signature rules: Shouldn’t WE be using it? – Steelie Neelie
    eID rules rolled out in Europe, except in EU institutions
    http://www.theregister.co.uk/2014/10/14/new_rules_prompt_kroes_to_call_for_wholly_eeu/

    After 15 years, the EU is finally updating its e-Signature rules — designed to establish a legal framework for the use of data signatures — although they won’t apply to EU institutions themselves, much to the chagrin of outgoing Digital Agenda Commissioner Steelie Neelie Kroes.

    Most of the European Commission’s own processes and procedures are still carried out on paper, and Kroes is having none of it, calling on the new President-elect Jean-Claire Juncker to “practise what we preach”.

    The old eID law, set up in 1999, has gaps galore: weak obligations for supervision of service providers, legal and technical cross-border interoperability issues, and it doesn’t even cover mobile or cloud signing at all.

    The new eIDAS (Electronic Identification and Trust Services) regulation sets out new rules for trust services that will apply from 1 July 2016, with a mandatory mutual recognition of eIDs between EU countries from mid-2018.

    The regulation defines the rules for interoperability, risk management, transparency and technology neutrality on all types of electronic identification services, from electronic signatures to website authentication.

    The GSMA welcomed the new regulation, and said it was already on the case: In February, the organisation launched a service called Mobile Connect that creates a single, mobile phone number-based authentication stamp that can manage multiple user names and passwords using a SIM card.

    Reply
  26. Tomi Engdahl says:

    Julian Assange discovers Google’s given MONEY to EFF
    Sterling journalism there, mate
    http://www.theregister.co.uk/2014/10/14/assange_bollocks_google_eff/

    “The EFF is a great group, and they’ve done good things for us, but nonetheless it is significantly funded by Google, or people who work at Google,” says Assange.

    “The problem is that a lot of groups that would normally criticize Google, the nonprofits that are involved in the tech sector, are funded directly or indirectly by Google. Or by USAID. Or by Freedom House. Google and its extended network have significant patronage in the very groups that would normally be criticizing it,” says Assange. “It’s the nature of organizations. They don’t like to bite the hand that feeds them.”

    Reply
  27. Tomi Engdahl says:

    Dropbox wasn’t hacked
    https://blog.dropbox.com/2014/10/dropbox-wasnt-hacked/

    Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.

    We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

    Reply
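The Dropbox statement above describes credential stuffing (stolen username/password pairs from other breaches replayed against many sites) and the two defensive measures it mentions: detecting the suspicious login pattern and resetting the affected accounts. The following is an added example, not Dropbox's code; it runs a simple detector over constructed auth-log lines (timestamp, source IP, username, result) and flags a source that tries many distinct accounts with a high failure ratio, then lists the accounts that nonetheless authenticated from that source as the ones to reset.

```python
"""Credential-stuffing detection over constructed auth-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source trying ten different accounts in seconds,
# and one ordinary user mistyping a password twice. Not real data.
SAMPLE_LOG = """\
2014-10-13T10:00:01Z 203.0.113.7 alice FAIL
2014-10-13T10:00:02Z 203.0.113.7 bob FAIL
2014-10-13T10:00:02Z 203.0.113.7 carol FAIL
2014-10-13T10:00:03Z 203.0.113.7 dave OK
2014-10-13T10:00:03Z 203.0.113.7 erin FAIL
2014-10-13T10:00:04Z 203.0.113.7 frank FAIL
2014-10-13T10:00:05Z 203.0.113.7 grace FAIL
2014-10-13T10:00:06Z 203.0.113.7 heidi FAIL
2014-10-13T10:00:06Z 203.0.113.7 ivan FAIL
2014-10-13T10:00:07Z 203.0.113.7 judy OK
2014-10-13T10:00:09Z 198.51.100.20 alice FAIL
2014-10-13T10:00:15Z 198.51.100.20 alice FAIL
2014-10-13T10:00:30Z 198.51.100.20 alice OK
"""


def parse_log(text):
    """Return (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def _has_stuffing_window(evs, window, min_users, min_fail_ratio):
    """Sliding window over one source's events: many distinct accounts plus
    a high failure rate is the signature of replayed credential lists."""
    start = 0
    for end in range(len(evs)):
        while evs[end][0] - evs[start][0] > window:
            start += 1
        win = evs[start:end + 1]
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, ok in win if not ok)
        if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
            return True
    return False


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=8, min_fail_ratio=0.5):
    """Map of flagged source IP -> summary of everything that source did."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        if not _has_stuffing_window(evs, window, min_users, min_fail_ratio):
            continue
        fails = sum(1 for _, _, ok in evs if not ok)
        flagged[ip] = {
            "attempts": len(evs),
            "distinct_users": len({u for _, u, _ in evs}),
            "failures": fails,
            "users_succeeded": sorted(u for _, u, ok in evs if ok),
        }
    return flagged


def accounts_to_reset(flagged):
    """A successful login from a flagged source means that account's password
    is in the attacker's list (reused from another breach): force a reset."""
    return sorted({u for info in flagged.values() for u in info["users_succeeded"]})


if __name__ == "__main__":
    flagged = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, info in flagged.items():
        print(f"{ip}: {info}")
    print("reset:", accounts_to_reset(flagged))
```

The thresholds (eight distinct accounts in five minutes, at least half failing) are illustrative; a production detector would also rate-limit the source and compare against the account's usual geography and devices, since a slow, distributed campaign would stay below any single-IP threshold.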
  28. Tomi Engdahl says:

    Revealed: ISPs Already Violating Net Neutrality To Block Encryption And Make Everyone Less Safe Online
    https://www.techdirt.com/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml

    One of the most frequent refrains from the big broadband players and their friends who are fighting against net neutrality rules is that there’s no evidence that ISPs have been abusing a lack of net neutrality rules in the past, so why would they start now? That does ignore multiple instances of violations in the past, but in combing through the comments submitted to the FCC concerning net neutrality, we came across one very interesting one that actually makes some rather stunning revelations about the ways in which ISPs are currently violating net neutrality/open internet principles in a way designed to block encryption and thus make everyone a lot less secure. The filing comes from VPN company Golden Frog and discusses “two recent examples that show that users are not receiving the open, neutral, and uninterrupted service to which the Commission says they are entitled.”

    Reply
  29. Tomi Engdahl says:

    VeraCrypt fork of TrueCrypt tips up
    Offers enhanced resilience against brute force decryption
    http://www.theinquirer.net/inquirer/news/2375599/veracrypt-fork-of-truecrypt-tips-up

    A SOFTWARE DEVELOPER IN FRANCE recently released an improved fork of the disk encryption software product TrueCrypt that was abandoned by its developers earlier this year, called VeraCrypt.

    VeraCrypt is an alternative to the CipherShed project that aims to replace TrueCrypt.

    Developed by IT security consultant Mounir Idrassi at his firm Idrix in France, VeraCrypt has been updated to address vulnerabilities found in APIs, drivers and parameter checking.

    TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations to encrypt system partitions and at most 2,000 iterations for non-system partitions and standard containers.

    VeraCrypt, on the other hand, uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and non-system partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool.

    “This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase.”

    Reply
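The comment above is about one number: how many PBKDF2 iterations stand between a guessed passphrase and the volume header key. The following is an added example, not VeraCrypt's or TrueCrypt's code or on-disk format: a toy header (salt followed by an HMAC tag) is opened by re-deriving the header key with PBKDF2, and a timing helper shows how the article's iteration counts scale the cost of testing candidate passphrases on this machine. SHA-512 stands in for VeraCrypt's SHA-2 option because RIPEMD-160 and Whirlpool are not guaranteed to be present in Python's hashlib.

```python
"""Iteration count as the brute-force cost knob of a PBKDF2-protected header (added example)."""
import hashlib
import hmac
import os
import time

SALT_LEN = 64
MAGIC = b"TOY-VOLUME-HEADER"          # constructed marker that the tag commits to
TRUECRYPT_SYSTEM_ITERS = 1_000        # iteration counts quoted in the article
VERACRYPT_SHA2_ITERS = 500_000


def derive_header_key(passphrase: str, salt: bytes, iterations: int, dklen: int = 64) -> bytes:
    """PBKDF2-HMAC-SHA512 over the passphrase; the per-volume salt defeats precomputed tables."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt, iterations, dklen)


def make_volume_header(passphrase: str, iterations: int) -> bytes:
    """Toy header: random salt followed by an HMAC tag keyed with the derived key."""
    salt = os.urandom(SALT_LEN)
    key = derive_header_key(passphrase, salt, iterations)
    return salt + hmac.new(key, MAGIC, hashlib.sha256).digest()


def open_volume(passphrase: str, header: bytes, iterations: int) -> bool:
    """Re-derive the key and verify the tag in constant time. A wrong passphrase
    and a wrong iteration count fail the same way, which is why the count is a
    fixed format parameter rather than something stored unauthenticated."""
    salt, tag = header[:SALT_LEN], header[SALT_LEN:]
    key = derive_header_key(passphrase, salt, iterations)
    return hmac.compare_digest(hmac.new(key, MAGIC, hashlib.sha256).digest(), tag)


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock time for one derivation on this machine."""
    salt = b"\x00" * SALT_LEN
    best = float("inf")
    for _ in range(trials):
        t0 = time.perf_counter()
        derive_header_key("candidate passphrase", salt, iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def guessing_budget(iterations: int, guesses: int) -> float:
    """Seconds needed on comparable hardware to test `guesses` candidate
    passphrases at this iteration count; the count multiplies it linearly."""
    return seconds_per_guess(iterations) * guesses


if __name__ == "__main__":
    for label, iters in (("TrueCrypt system", TRUECRYPT_SYSTEM_ITERS),
                         ("VeraCrypt SHA-2", VERACRYPT_SHA2_ITERS)):
        print(f"{label:18s} {iters:>8,d} iterations: "
              f"{guessing_budget(iters, 1_000_000):,.0f} s per million guesses")
```

The linear scaling is the whole point of the VeraCrypt change: a 500-fold increase in iterations costs the legitimate user a fraction of a second once per mount, but multiplies every attacker guess by the same factor. It does nothing for a passphrase that is itself in a small dictionary, which is why iteration count complements, rather than replaces, passphrase entropy.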
  30. Tomi Engdahl says:

    Is Snapchat’s unofficial API just too easy to hack?
    http://www.theverge.com/2014/10/13/6958745/is-snapchats-api-too-easy-to-hack

    Developers and security researchers say the company has done little to close the technical loopholes allowing unsecure third-party apps to flourish

    Last Friday, tens of thousands of pictures pulled off a third-party Snapchat app began circulating on the internet, raising privacy alarms and drawing new criticism of the supposedly ephemeral nature of the popular photo-sharing app. Snapchat quickly declared that the problem was not their own security. “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks,”

    “Snapchatters were victimized by their use of third-party apps to send and receive snaps, a practice that we expressly prohibit”

    For many, however, the question has been whether Snapchat did enough to protect its users by securing against unaffiliated apps on a technical level. The biggest issue is that Snapchat has no official API, but its unofficial one is an open secret widely circulated on the web. That means Snapchat is reliant on other companies like Apple and Google to ultimately police which apps are safe and available. Since 2012, security researcher Adam Caudill has been warning that the company’s API had several serious security flaws, something numerous other researchers have seconded.

    What protections does Snapchat have in place to prevent that?
    Like I previously said, all traffic is https (already better than Instagram, where a friend of mine Stevie Graham found a way to exploit it via a single http endpoint), but they have a binary pattern that is used to generate a unique key for every request. The issue is this binary pattern is stored in the application, and is always the same for every user — also someone had already posted it online

    What could Snapchat have done to prevent you from doing this?
    In terms of accessing the API, there isn’t much they could have done. Maybe if they moved towards using OAuth, it would have slowed down researchers, but it wouldn’t have stopped them.

    Would it have required a fundamentally different architecture from the start?
    There are ways Snapchat could clean up their API, definitely. Version it, so they could update the API without breaking previous versions of the application — currently they can only hack on new endpoints / variables. Also, currently every snap is encrypted with the same AES key — there isn’t much that can be done about this as it would break support for older clients.

    Are third-party apps — like the ones allegedly hacked — inherently less secure than the official Snapchat app? If so, why?
    Yes, by their very definition. When something isn’t first-party, you have no guarantee that the code you can’t see isn’t doing something malicious. In the case of Snapchat, any third-party application could be saving your account’s authentication token and remotely pulling snaps from your account.

    Reply
  31. Tomi Engdahl says:

    It’s 2014 and you can still own a Windows box using a Word file or font
    And Adobe’s software is still riddled with holes. Get the updates – now
    http://www.theregister.co.uk/2014/10/14/microsoft_swats_24_bugs_on_october_patch_tuesday/

    Microsoft has today patched two dozen CVE-classified security vulnerabilities in its software. People are urged to install them as soon as possible.

    The US giant said the October edition of Patch Tuesday includes three critical fixes to address flaws in Internet Explorer, the .NET Framework and Windows kernel-mode driver.

    Adobe, meanwhile, has released its own monthly patch update. That patch will include a fix for three remote-code execution flaws in Flash Player for Windows, OS X and Linux.

    Reply
  32. Tomi Engdahl says:

    Millions of Voiceprints Quietly Being Harvested
    http://yro.slashdot.org/story/14/10/15/0046256/millions-of-voiceprints-quietly-being-harvested

    Businesses and governments around the world increasingly are turning to voice biometrics, or voiceprints, to pay pensions, collect taxes, track criminals and replace passwords. “We sometimes call it the invisible biometric,”

    Millions of voiceprints quietly being harvested as latest identification tool
    http://www.theguardian.com/technology/2014/oct/13/millions-of-voiceprints-quietly-being-harvested-as-latest-identification-tool

    ‘Voice biometrics will be the de facto standard in 2-3 years’
    More than 65m voiceprints already on databases

    Over the telephone, in jail and online, a new digital bounty is being harvested: the human voice.

    Businesses and governments around the world increasingly are turning to voice biometrics, or voiceprints, to pay pensions, collect taxes, track criminals and replace passwords.

    “We sometimes call it the invisible biometric,” said Mike Goldgof, an executive at Madrid-based AGNITiO, one of about 10 leading companies in the field.

    Those companies have helped enter more than 65m voiceprints into corporate and government databases, according to Associated Press interviews with dozens of industry representatives and records requests in the United States, Europe and elsewhere.

    “There’s a misconception that the technology we have today is only in the domain of the intelligence services, or the domain of Star Trek,” said Paul Burmester, of London-based ValidSoft, a voice biometric vendor. “The technology is here today, well-proven and commonly available.”

    And in high demand.

    Reply
  33. Tomi Engdahl says:

    Google Finds Vulnerability In SSL 3.0 Web Encryption
    http://it.slashdot.org/story/14/10/15/000239/google-finds-vulnerability-in-ssl-30-web-encryption

    SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

    This POODLE bites: exploiting the SSL 3.0 fallback
    http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html

    Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

    Google Chrome and our servers have supported TLS_FALLBACK_SCSV since February and thus we have good evidence that it can be used without compatibility problems. Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0. This change will break some sites and those sites will need to be updated quickly.

    Reply
  34. Tomi Engdahl says:

    Google finds vulnerability in SSL web encryption
    http://www.itnews.com.au/News/396783,google-finds-vulnerability-in-ssl-web-encryption.aspx

    The version in question, SSL 3.0, is almost 15 years old but is still widely supported by nearly all web browsers.

    Significantly, SSL 3.0 also operates as a fallback option for when browsers attempt to work around bugs in HTTPS servers.

    Google security researcher Bodo Möller today revealed an attacker can trigger the use of SSL 3.0 and exploit the newfound vulnerability by causing connection failures and forcing browsers to retry connections to older protocol versions.

    Content delivery network and domain name server provider CloudFlare quickly announced it had disabled SSLv3 across its network by default for all customers.

    Firefox owner Mozilla said SSL 3.0 would be disabled by default in Firefox 34, which is due for release in late November. The company said Firefox currently uses SSL 3.0 for around 0.3 percent of HTTPS connections.

    “That’s a small percentage, but due to the size of the web, it still amounts to millions of transactions per day,”

    “For users who don’t want to wait till November 25th (when SSLv3 is disabled by default in Firefox 34), we have created the SSL Version Control Firefox extension to disable SSLv3 immediately.”

    recommended response is to support TLS_FALLBACK_SCSV
    https://www.openssl.org/~bodo/ssl-poodle.pdf

    Reply
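The two POODLE comments above (33 and 34) describe a protocol behaviour rather than a code bug: a network attacker breaks the client's TLS handshakes until the browser's compatibility fallback retries with SSL 3.0, and TLS_FALLBACK_SCSV is the fix because a client that is retrying at a lower version advertises that fact, so a server that actually supports something higher refuses. The following is an added simulation, not Google's, OpenSSL's or any browser's code: it models the fallback dance on the client side, the SCSV check on the server side, and an adversary that drops handshakes, then runs the scenarios the comments discuss. The SCSV cipher-suite value 0x5600 and the inappropriate_fallback alert come from RFC 7507; the placeholder cipher suite and the class names are the example's own.

```python
"""Downgrade dance vs. TLS_FALLBACK_SCSV, as an in-process protocol simulation (added example)."""
from dataclasses import dataclass

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}
TLS_FALLBACK_SCSV = 0x5600           # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = "inappropriate_fallback"
PLACEHOLDER_SUITE = 0x002F           # any ordinary suite; its identity is irrelevant here


@dataclass
class Server:
    max_version: int
    min_version: int = SSL3
    honors_scsv: bool = True
    breaks_on: frozenset = frozenset()   # ClientHello versions a buggy server chokes on

    def client_hello(self, version, suites):
        """Return (message_kind, value) for a ClientHello at `version`."""
        if version in self.breaks_on:
            return ("error", None)       # the server-side bug that fallback exists to paper over
        if self.honors_scsv and TLS_FALLBACK_SCSV in suites and version < self.max_version:
            # The client says it is retrying lower than it can, yet we speak something
            # higher: the earlier failure was not ours, so refuse the downgrade.
            return ("alert", INAPPROPRIATE_FALLBACK)
        if version < self.min_version:
            return ("alert", "protocol_version")
        return ("server_hello", min(version, self.max_version))


@dataclass
class Client:
    versions: tuple = (TLS12, TLS11, TLS10, SSL3)   # fallback order, highest first
    send_scsv: bool = True

    def connect(self, server, network_delivers):
        """Try each version in turn; `network_delivers(version)` models whether the
        handshake reaches the server. Returns (negotiated_version_or_None, transcript)."""
        transcript = []
        for attempt, version in enumerate(self.versions):
            suites = [PLACEHOLDER_SUITE]
            if attempt > 0 and self.send_scsv:
                suites.append(TLS_FALLBACK_SCSV)   # only on retries, never on the first try
            if not network_delivers(version):
                transcript.append((NAMES[version], "no response, connection failure"))
                continue
            kind, value = server.client_hello(version, suites)
            if kind == "server_hello":
                transcript.append((NAMES[version], f"ServerHello {NAMES[value]}"))
                return value, transcript
            transcript.append((NAMES[version], f"{kind} {value}"))
            if kind == "alert" and value == INAPPROPRIATE_FALLBACK:
                return None, transcript   # someone is forcing a downgrade: fail closed
        return None, transcript


def run_scenarios():
    """Negotiated version per scenario (None means the connection was refused)."""
    always = lambda v: True
    poodle_mitm = lambda v: v == SSL3   # attacker breaks every handshake above SSL 3.0
    modern = Server(max_version=TLS12)
    return {
        "legacy client, attacker": Client(send_scsv=False).connect(modern, poodle_mitm)[0],
        "scsv client, attacker": Client().connect(modern, poodle_mitm)[0],
        "scsv client, server ignores scsv": Client().connect(
            Server(max_version=TLS12, honors_scsv=False), poodle_mitm)[0],
        "client without SSLv3, attacker": Client(versions=(TLS12, TLS11, TLS10)).connect(
            modern, poodle_mitm)[0],
        "scsv client, buggy TLSv1.0-only server": Client().connect(
            Server(max_version=TLS10, breaks_on=frozenset({TLS12})), always)[0],
    }


if __name__ == "__main__":
    for scenario, version in run_scenarios().items():
        print(f"{scenario:40s} -> {NAMES.get(version, 'refused')}")
```

Two things the scenarios make visible: the SCSV only helps when both sides implement it (a server that ignores the suite still ends up at SSL 3.0 against a legacy client, and vice versa), and it does not break the legitimate case it was designed around, a genuinely old server that chokes on a TLS 1.2 ClientHello, because the retry lands at or above that server's real maximum. Removing SSL 3.0 from the client's version list, as the Chrome change in the comment does, closes the hole regardless of what the server supports.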
  35. Tomi Engdahl says:

    Test for SSL version
    http://aruljohn.com/info/sslversion/

    Most web servers that run SSL (https) run on SSL version 3 or TLS version 1. There are still some outdated servers running SSL version 2.

    Testing for SSL-TLS (OWASP-CM-001)
    https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29

    Reply
  36. Tomi Engdahl says:

    Microsoft fixes vulnerability used in ‘Sandworm Team’ attacks
    http://www.geekwire.com/2014/patches-must-flow-microsoft-fixes-vulnerability-used-sandworm-team-attacks/

    What do NATO, the Ukraine and European telecom companies all have in common? They’ve all been targeted by a hacking group using an undisclosed vulnerability in Windows that Microsoft patched today.

    Known as “CVE-2014-4114,” the vulnerability was detected by the iSIGHT security research team last month. It had been used by a group of Russian hackers that the researchers have dubbed the “Sandworm Team.”

    The vulnerability lies in Windows and Windows Server’s OLE package manager, and allows an attacker to remotely execute code on a target machine.

    Reply
  37. Tomi Engdahl says:

    Analysis of Linux Backdoor Used In Freenode Hack
    http://linux.slashdot.org/story/14/10/14/2142214/analysis-of-linux-backdoor-used-in-freenode-hack

    Analysis of the Linux backdoor used in freenode IRC network compromise
    https://www.nccgroup.com/en/blog/2014/10/analysis-of-the-linux-backdoor-used-in-freenode-irc-network-compromise/

    In this post we discuss a subset of the information we documented about one of the components involved in the compromise, specifically a Linux backdoor with some interesting functionality and features.

    One difficulty all attackers face after compromising a system is how to retain control over a long period of time in a stealthy manner.

    Backdoor tools which listen for incoming connections can be easily identified by a port scan or by listing open sockets.

    Tools which periodically connect outbound to a server are usually limited to a small number of addresses or a predictable domain generation algorithm.

    The backdoor discussed in this post avoids these issues by using a novel method for recognising specially generated incoming packets, bypassing most typical host firewalls and enabling the attacker to change IP address without losing access.

    The backdoor has a number of components which provide the attacker root shell functionality or remote access to any file. However, the most interesting feature is that it is triggered by “magic” TCP packets which contain a certain combination of header values.

    The overall backdoor package found on the server consists of:

    A kernel module, which listens for “magic” packets and triggers the user-mode helper.
    A user-mode helper, which connects outbound from the server and contains code for remote shell or file access functionality.
    A script, ensuring everything is loaded at boot.
    A second user-mode binary, responsible for various housekeeping activities.

    Reply
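The NCC Group write-up quoted above turns on one detail: the kernel module wakes up on TCP packets whose header fields carry a particular combination, so nothing listens on a port and nothing beacons out. The specific trigger is not given in the comment, so the following added example (not NCC Group's code or the backdoor's) shows the generic defensive counterpart: a parser for raw IPv4/TCP frames and a checker for header combinations that no legitimate stack produces (reserved bits set, an urgent pointer without URG, SYN together with FIN, no flags at all, data on the initial SYN). The sample frames are constructed in the block itself; the "trigger-like" one is an illustration of the class of packet, not the real signature.

```python
"""Flag TCP packets with header-field combinations no normal stack sends (added example)."""
import struct
from dataclasses import dataclass

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    data_offset: int   # header length in bytes
    reserved: int      # the three reserved bits after the data offset
    flags: int
    urg_ptr: int
    payload_len: int


def parse_ipv4_tcp(frame: bytes) -> TcpHeader:
    """Parse a raw IPv4 frame carrying TCP (no link-layer header)."""
    if frame[0] >> 4 != 4 or frame[9] != 6:
        raise ValueError("not an IPv4/TCP frame")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    tcp = frame[ihl:total_len]
    sport, dport, _seq, _ack, off_res_flags, _win, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_res_flags >> 12) * 4
    reserved = (off_res_flags >> 9) & 0x07     # bits 4-6 of the 16-bit field; NS bit ignored
    flags = off_res_flags & 0xFF
    return TcpHeader(sport, dport, data_offset, reserved, flags, urg, len(tcp) - data_offset)


def anomalies(h: TcpHeader) -> list:
    """Header combinations that a compliant sender never emits; each is a
    reason to look closer at the source and the host that received it."""
    syn, fin, ack, urg = (bool(h.flags & TCP_FLAGS[f]) for f in ("SYN", "FIN", "ACK", "URG"))
    found = []
    if h.reserved:
        found.append("reserved header bits set")
    if h.urg_ptr and not urg:
        found.append("urgent pointer without URG flag")
    if syn and fin:
        found.append("SYN and FIN together")
    if h.flags == 0:
        found.append("no flags set")
    if syn and not ack and h.payload_len:
        found.append("payload on initial SYN")
    if h.data_offset < 20:
        found.append("data offset shorter than a TCP header")
    return found


def build_frame(sport, dport, flags, *, reserved=0, urg_ptr=0, payload=b"", seq=1, ack=0):
    """Construct an IPv4/TCP frame for the sample set (checksums left zero; parser ignores them)."""
    off_res_flags = (5 << 12) | (reserved << 9) | flags
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_res_flags, 65535, 0, urg_ptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


# Constructed sample traffic: two ordinary packets, one trigger-like packet with
# several impossible field combinations, and a null-flag packet.
SAMPLE_FRAMES = [
    build_frame(40000, 443, TCP_FLAGS["SYN"]),
    build_frame(40000, 443, TCP_FLAGS["ACK"] | TCP_FLAGS["PSH"], seq=2, ack=2, payload=b"GET / HTTP/1.1\r\n"),
    build_frame(51234, 22, TCP_FLAGS["SYN"], reserved=0b101, urg_ptr=0x1337, payload=b"\x00" * 4),
    build_frame(51234, 22, 0),
]


def scan(frames):
    """(index, anomaly list) for every frame that has at least one anomaly."""
    out = []
    for i, frame in enumerate(frames):
        found = anomalies(parse_ipv4_tcp(frame))
        if found:
            out.append((i, found))
    return out


if __name__ == "__main__":
    for i, found in scan(SAMPLE_FRAMES):
        print(f"frame {i}: {', '.join(found)}")
```

These checks are cheap enough to run on a span port or in a packet-capture pipeline, and they catch the general class rather than one tool. They are also bypassable by a trigger that uses only valid-looking fields, which is why the write-up's other indicators (the kernel module itself, the boot-time loader script, the helper's outbound connection) matter more on the host side than any single network signature.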
  38. Tomi Engdahl says:

    Forget passwords, let’s use SELFIES, says Obama’s cyber tsar
    Michael Daniel wants to kill passwords dead
    http://www.theregister.co.uk/2014/10/15/forget_passwords_lets_use_selfies_says_obamas_cyber_tsar/

    US cyber security tsar Michael Daniel wants passwords to die in a fire and be replaced by other mechanisms, including selfies.

    In an interview with the Christian Science Monitor Daniel said the death of passwords could signal a useful purpose for the much-beleaguered selfie.

    “Frankly I would really love to kill the password dead (sic) as a primary security method because it is terrible,” Daniel said.

    “It has to be replaced with something that is easy to use.

    “Some may be biometric related … you could use the camera on cell phones which are now ubiquitous so that the selfies are actually used for something besides posting on Facebook.”

    Multi factor authentication would form part of an ecosystem that would signal the end of conventional passwords with additional security being layered on more critical services, he said.

    organisations should re-engineer systems to be “disposable”.

    “Rather than fix static gateways, static routes, static endpoints that never move, we would have virtualised moving gateways, ad-hoc networks, and single-use private endpoints,”

    “This system would be controlled by network defenders, so rather than spend their time reacting, and chasing and climbing up that mountain of data, they would spend their time proactively re-configuring these systems so that they are very hard [for attackers] to understand and breach.”

    Reply
  39. Tomi Engdahl says:

    Kill SSL 3.0 now: HTTPS ripped apart in vicious POODLE byte attack
    Tear support for insecure protocol out of your servers, browsers, world+dog urged
    http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

    As warned by The Register, security researchers have discovered a vulnerability in SSL 3.0 that allows attackers to decrypt encrypted connections to websites.

    Miscreants can exploit a weakness in the protocol’s design to grab victims’ session cookies, which are used for logging into webmail and other online accounts over HTTPS.

    The attack is, we’re told, easy to perform, and can be done on-the-fly using JavaScript – provided you can intercept the victim’s packets, perhaps by setting up a malicious Wi-Fi point in a cafe or bar.

    Google revealed details of the design flaw on Tuesday, and dubbed it POODLE – short for Padding Oracle On Downgraded Legacy Encryption.

    Google security bod Bodo Möller explains that snoopers can trigger network faults to push web browsers into using SSL 3.0, an 18-year-old protocol that should have been binned long ago.

    One simple solution is to stop using SSL 3.0 and instead use TLS only. This applies to web browsers and websites.

    Google’s response to the flaw is to scrub SSL 3.0 support from its flagship Chrome browser. Websites and other browsers are also expected to end support for SSL v3 as it’s now considered insecure by design, and instead enforce the use of TLS for HTTPS connections.

    Reply
  40. Tomi Engdahl says:

    Edward Snowden is hampering the war on cybercrime, says Europol
    Believes there are just 100 mastermind hackers in the world
    http://www.theinquirer.net/inquirer/news/2375279/there-are-just-100-mastermind-hackers-in-the-world-says-europol

    EDWARD SNOWDEN and the subsequent rise of encryption are making cybercrime investigations more challenging, the head of Interpol’s European Cybercrime Centre, Troels Oerting has said.

    Speaking in an interview with BBC’s Tech Tent radio show, Oerting declared that people have confused privacy with anonymity since Edward Snowden began making his PRISM revelations, and that the criminals have an advantage because of this confusion and have been given a pass by the “good guys of the internet”.

    Oerting also suggested that the security agencies should have the right to access anonymous accounts, but that this should happen only with some judicial oversight.

    He added that the increased use of encryption is making it “difficult” for everybody, including the police.

    Joining his opinions about Snowden, the cyber security head also revealed his beliefs that there are just 100 cybercrime masterminds in the world at present.

    He said that, while the “rather limited group of good programmers” is small at the moment, it will grow, as will the number of targets and victims and there is a desperate need to tackle them.

    “We roughly know who they are. If we can take them out of the equation the rest will fall down,”

    “Criminals no longer come to our countries. They commit their crimes from a distance”

    Reply
  41. Tomi Engdahl says:

    Who’s Watching Your WebEx?
    http://krebsonsecurity.com/2014/10/whos-watching-your-webex/#more-28042

    KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in.

    At issue are recurring video- and audio conference-based meetings that companies make available to their employees via WebEx, a set of online conferencing tools run by Cisco. These services allow customers to password-protect meetings, but it was trivial to find dozens of major companies that do not follow this basic best practice and allow virtually anyone to join daily meetings about apparently internal discussions and planning sessions.

    Some of the more interesting, non-password-protected recurring meetings I found include those from Charles Schwab, CSC, CBS, CVS, The U.S. Department of Energy, Fannie Mae, Jones Day, Orbitz, Paychex Services, and Union Pacific. Some entities even also allowed access to archived event recordings.

    Reply
  42. Tomi Engdahl says:

    Confidence Shaken In Open Source Security Idealism
    http://news.slashdot.org/story/14/10/14/1738224/confidence-shaken-in-open-source-security-idealism

    According to a few news articles, the general public has taken notice of all the recent security breaches in open source software.

    Several high-profile attacks in recent months exploited security flaws found in the “open-source” software created by volunteers collaborating online

    While it’s true that open source means you can review the actual code to ensure there’s no data-theft, loggers, or glaring security holes, that idealism doesn’t really help out most people who simply don’t have time, or the knowledge, to do it.

    Hackers Shake Confidence in 1980s Free Software Idealism
    http://www.bloomberg.com/news/2014-10-14/hackers-shake-confidence-in-1980s-free-software-idealism.html

    Hackers have shaken the free-software movement that once symbolized the Web’s idealism.

    Several high-profile attacks in recent months exploited security flaws found in the “open-source” software created by volunteers collaborating online, building off each other’s work.

    Heartbleed and Shellshock have some programmers suggesting that corporations or even the U.S. government should provide more money or programing help. That idea doesn’t go over easily among grass-roots developers who want to remain true to the ideals of a do-it-yourself movement.

    “It’s going to be a wake-up call for a lot of people to understand why we aren’t auditing this software better,” said Greg Martin, founder and chief technology officer of Threat Stream Inc., a cybersecurity company based in Redwood City, California. “Everybody’s been scratching their heads and saying, ‘How could we miss this?’”

    Open-source advocates say their programming code is more secure than proprietary software because developers are constantly fixing flaws found by users. Critics say the open nature of the software leaves it vulnerable to hackers because the programing flaws are out in the open for all to see.

    In either case, some say the fix should come from the companies that build products off the free software.

    Technology companies such as Yahoo! Inc. (YHOO), Facebook Inc. (FB) and Google Inc. (GOOG) “are saving huge amounts of money using open-source and they should invest much more money in trying to secure these systems,” said Jaime Blasco, director of labs for AlienVaul

    Linux, a popular open-source operating system developed in the 1990’s, is now used in millions of smartphones, global stock exchanges such as the Nasdaq, and 92 percent of the world’s supercomputers, said Jim Zemlin, executive director of the Linux Foundation.

    “Open source is the coal and steel of the Internet but it ain’t owned by the Carnegies,” he said. “It’s owned by all of us.”

    The financial industry is aware of the importance of finding bugs in open-source software, although hasn’t agreed on the best method, said John Carlson, a vice president with the Financial Services Roundtable, a banking lobby in Washington.

    The National Security Agency already contributes to open-source projects, including adding security features to Google’s Android mobile operating system.

    U.S. financial regulators urged banks on Sept. 26 to address the Shellshock flaw because of “the pervasive use” of Bash, the program it targets. Shellshock was publicly disclosed in September after being undetected for two decades.

    The most notable attack traced to Heartbleed was on Community Health Systems Inc. (CYH), in which hackers stole data on 4.5 million patients.

    “We are seeing more occurrences of open-source vulnerabilities in the wild,” said Michael Roytman, a data scientist with Risk I/O. Shellshock and Heartbleed were “such big deals” because “they affect targets of huge opportunity.”

    Using open-source software without additional controls can expose valuable data to risk, said Chase Cunningham, threat intelligence lead for cloud-computing company FireHost Inc.

    “It’s like going and buying a safe that a million people have been able to use for the last five years,” he said. “I guarantee at least two or three of them will have figured out how to crack the safe.”

    “What’s needed is for corporations that are commercially using open-source code to take on their responsibility to collaborate with the community,” Phipps said.

    Reply
  43. Tomi Engdahl says:

    YouTube Ads Lead To Exploit Kits, Hit US Victims
    http://blog.trendmicro.com/trendlabs-security-intelligence/youtube-ads-lead-to-exploit-kits-hit-us-victims/

    Malicious ads are a common method of sending users to sites that contain malicious code. Recently, however, these ads have showed up on a new attack platform: YouTube.

    Over the past few months, we have been monitoring a malicious campaign that used malicious ads to direct users to various malicious sites. Users in the United States have been affected almost exclusively, with more than 113,000 victims in the United States alone over a 30-day period.

    Recently, we saw that this campaign was showing up in ads via YouTube as well. This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

    The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

    In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

    Reply
  44. Tomi Engdahl says:

    Malicious worm seeks vulnerable home data stores
    http://www.bbc.com/news/technology-29595219

    A malicious worm that can roam the net seeking data stored on insecure hardware has been created by a security researcher.

    The proof-of-concept worm was written to illustrate how vulnerable such data stores are to malicious attack.

    The worm can exploit the many bugs researcher Jacob Holcomb found in popular home data storage systems.

    Already, he said, there was evidence cybercriminals had noticed how easy it was to exploit these data stores.

    Many people connect these devices to a home router to give family members a place to put important files such as photos and films or to act as a back-up for other gadgets.

    Mr Holcomb’s investigation revealed 30 separate undocumented vulnerabilities in the NAS devices. Many of these, if exploited, would give an attacker complete control over a device.

    If an address gives an appropriate response, it sends a series of data requests to “fingerprint” that device so it knows which vulnerabilities to try against it.

    “Once these devices are exposed to the internet, it’s pretty much game over because most vulnerabilities can be exploited using authentication bypass techniques or with no authentication at all,” he told the BBC.

    In early 2014, a malicious program called TheMoon targeted hardware made by Linksys and in early October a malicious campaign was launched against NAS boxes made by Qnap.

    “These attacks are definitely becoming more widespread,” said Mr Holcomb.

    Reply
  45. Tomi Engdahl says:

    If Your Cloud Vendor Goes Out of Business, Are You Ready?
    http://hardware.slashdot.org/story/14/10/15/0321203/if-your-cloud-vendor-goes-out-of-business-are-you-ready

    With Amazon Web Services losing an estimated $2 billion a year, it’s not inconceivable that the cloud industry could go the way of storage service providers (remember them?). So any plan for cloud services must include a way to retrieve your data quickly in case your cloud service provider goes belly up without much notice (think Nirvanix).

    Recovering your data from the cloud quickly is a lot harder than you might think.

    One possible solution: a failover agreement with a second cloud provider – and make sure it’s legally binding.

    The Day the Cloud Died: Planning for Cloud Failure
    http://www.enterprisestorageforum.com/backup-recovery/the-day-the-cloud-died-planning-for-cloud-failure-1.html

    Reports that even Amazon Web Services is bleeding cash should be enough to make cloud users worry. We all know that Amazon is a cash machine, but from the analysis, Steve Brazier of Canalys estimates that “Amazon Web Services lost $2 billion in the last four quarters, and the parent is forecasting losses of between $410m and $810m this quarter.”

    So let’s assume that these estimates are true, and let’s also assume that since Google and Microsoft do not break down cloud services that it is also true for them. If a company was making money when everyone else wasn’t, they’d be sure to let us know. This, by the way, is no different than what happened to the storage service provider revolution of the late 1990s, but this time was supposed to be different.

    Who owns the rights to your data? Who has the decryption keys? Just some food for thought as you start to think about what to do and what not to do.

    One obvious answer is to put some requirements into your contract for getting your data out via a network, disk, tape archive or something. This of course doesn’t matter if the company goes out of business or files for protection from creditors, nor does requiring the company to keep networks running for X amount of days so you can get your data out.

    For example the time to read a 6 TB disk drive is about 9 hours and 40 minutes (6TB / 172 MB/sec read rate). That is a long time. Do you have on your end enough bandwidth and the capacity to handle all of your data that you have uploaded over the years?

    What is the critical data needed to keep your business up and running?

    The key here is you need a plan. It would be great if the plan could include at least the following:

    1. A prioritization of your data so you can download it to your own systems: What is more important and what is least important, and the reasons why. You are likely going to have to prioritize your data movement so that the highest-priority business-critical data gets moved first.

    2. A plan B that you can execute against – having another cloud vendor move your data out of the failing cloud. If your cloud provider fails, who do you go to for secondary access and who do you contract within that organization to move your data? This is a well-known method in the backup world, as organizations can buy services that provide recovery and operational environments.

    Cloud vendors do this all of the time with multiple locations, so it is likely that if enough people ask cloud vendor Y to support failover from cloud vendor X, you can buy an insurance policy. Just make sure that that policy is legally binding with penalties and meets your business requirements.

    It is highly unlikely that you are going to procure and install hardware and upgrade your network in time to get your data out.

    Alternatives

    There are two obvious choices: ignore the issue and don’t worry about it, or at the other end of the spectrum, do not use clouds. Neither is likely a good idea, so what is the alternative?

    Having a copy of your business critical data somewhere else where you can get it and use it, and depending on your business this might be something that is done in real time if the data changes often. For some businesses, the data might not change often so this would likely work. What about using multiple providers so that you would not get caught in the failure of a single provider?

    Reply
  46. Tomi Engdahl says:

    German business software giant SAP is annoyed at the effects of Edward Snowden’s NSA revelations on its business – they were expensive.

    According to SAP boss Kyle Garman, since the revelations the costs of building data centers, as well as of operating them, have increased “exponentially”.

    Garman’s comments relate to the cooperation agreement signed by SAP and IBM, under which SAP will start to offer, among other things, its HANA in-memory platform from IBM’s data centers.

    Sources:
    http://www.tivi.fi/kaikki_uutiset/snowden+kavi+meille+kalliiksi+harmittelee+sap/a1020003
    http://www.news-sap.com/marriage-made-cloud/

    Reply
  47. Tomi Engdahl says:

    Drupal Fixes Highly Critical SQL Injection Flaw
    http://it.slashdot.org/story/14/10/15/2048218/drupal-fixes-highly-critical-sql-injection-flaw

    Drupal has patched a critical SQL injection vulnerability in version 7.x of the content management system that can allow arbitrary code execution. The flaw lies in an API that is specifically designed to help prevent against SQL injection attacks.

    Reply
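    As an added illustration of the bug class in that story (a constructed example, not Drupal’s code; the table, function and parameter names are made up), here is a list-expansion helper of the kind a database abstraction layer offers so callers never build IN (...) lists by hand. The first version lets the keys of a request-supplied mapping reach the query text; the second keeps every caller-controlled byte on the bound-parameter side and validates the only name it does interpolate.

```python
"""Constructed example (not Drupal's code) of an SQL helper that is meant to
prevent injection but lets caller-supplied text into the query string.
Schema, names and sample rows are made up."""
import re
import sqlite3


def open_sample_db():
    """In-memory table with constructed rows; status 0 marks a blocked account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, status INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", 1), ("bob", 1), ("mallory", 0)])
    return con


def expand_unsafe(sql, args):
    """Expand ':key' into ':key_<k1>, :key_<k2>, ...' when args[key] is a mapping
    (the shape a web framework produces from ?names[0]=a&names[1]=b).
    Flaw: the placeholder text is built from the mapping's keys, which the
    request ultimately controls, while the bound values are numbered by position.
    Well-formed keys ('0', '1', ...) keep both in step; any other key is pasted
    verbatim into the SQL string."""
    bound = {}
    for key, value in args.items():
        if isinstance(value, dict):
            placeholders = ", ".join(f":{key}_{k}" for k in value)
            sql = re.sub(rf":{key}\b", placeholders, sql)
            for i, v in enumerate(value.values()):
                bound[f"{key}_{i}"] = v
        else:
            bound[key] = value
    return sql, bound


def expand_safe(sql, args):
    """Same expansion, but the helper alone decides the placeholder names: it
    writes ':key_<n>' for n = 0..len-1 and binds the mapping's values in that
    order. The mapping's keys are discarded, and the parameter name, the one
    thing that is interpolated, must be a plain identifier."""
    bound = {}
    for key, value in args.items():
        if not re.fullmatch(r"[A-Za-z_]\w*", key):
            raise ValueError(f"bad parameter name {key!r}")
        if isinstance(value, dict):
            values = list(value.values())
            if not values:
                raise ValueError(f"empty list for {key}")
            placeholders = ", ".join(f":{key}_{i}" for i in range(len(values)))
            sql = re.sub(rf":{key}\b", placeholders, sql)
            for i, v in enumerate(values):
                bound[f"{key}_{i}"] = v
        else:
            bound[key] = value
    return sql, bound


def lookup(expander, names):
    """Run the query through the given expander and return matching names.
    'names' stands in for the decoded value of a request parameter."""
    con = open_sample_db()
    sql, bound = expander(
        "SELECT name FROM users WHERE status = 1 AND name IN (:names) ORDER BY name",
        {"names": names})
    return [row[0] for row in con.execute(sql, bound)]


if __name__ == "__main__":
    benign = {"0": "alice", "1": "bob"}      # as from ?names[0]=alice&names[1]=bob
    hostile = {"0) OR 1=1 --": "alice"}      # a key only the request controls
    print(lookup(expand_unsafe, benign))     # ['alice', 'bob']
    print(lookup(expand_unsafe, hostile))    # the blocked account leaks out
    print(lookup(expand_safe, hostile))      # ['alice']
```

    The defensive check is simply that nothing derived from request data is ever concatenated into the SQL text: values go through the driver's binding, the helper numbers its own placeholders, and the one interpolated identifier is validated against a strict pattern. That is also the detection cue when reviewing such a helper: any string formatting of the query with data that did not originate in the code itself.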
  48. Tomi Engdahl says:

    Anonabox Accused of Lying About Its Product Being Open-Source On Kickstarter
    http://yro.slashdot.org/story/14/10/15/2256212/anonabox-accused-of-lying-about-its-product-being-open-source-on-kickstarter

    The “anonabox” has raised more than $550,000 on Kickstarter in only three days. But some believe the company’s claims that the router-like device, which is said to automatically route users’ Internet traffic through Tor, is entirely open-source are false.

    Wildly successful crowdfunded ‘anonabox’ router accused of lying to customers
    http://www.dailydot.com/politics/anonabox-accusations/

    The inventors of the anonabox—the crowdfunded privacy-centric Internet router that’s raised almost half a million dollars—have been accused of lying to their customers and drastically misrepresenting the nature of their product.

    Anonabox bills itself as “an open source embedded networking device designed specifically to run Tor,” and promises to allow its users to quickly and easily navigate the Internet anonymously. After months of ongoing global debate about government surveillance and privacy, the product could not have come at a more perfect time, and quickly blew past its funding goals on Kickstarter.

    Because despite positive press coverage from the Guardian, TechCrunch, WIRED, ReadWrite and beyond, serious concerns have since been raised about the product, and it now looks likely that Kickstarter will suspend the crowdfunding campaign.

    Reply
  49. Tomi Engdahl says:

    “anonabox” seems to have security issues:

    kickstarter.com/projects/augustgermar/anonabox-a-tor-hardware-router … “No more backdoors!” yet their current release literally has a backdoor root pw, open wifi, and an sshd. @anonabox

    Source: https://twitter.com/justinsteven/status/522165101390876672

    Reply
  50. Tomi Engdahl says:

    Adobe CSO offers Oracle security lesson: click-to-play is the way to go
    Pots and kettles seen in heated argument at Australian security conference
    http://www.theregister.co.uk/2014/10/16/adobe_clicktoplay_would_have_avoided_java_zeroday_masscare/

    Oracle could have saved mountains of cash and bad press if Click-to-Play was enabled before Java was hosed by an armada of zero day vulnerabilities, Adobe security boss Brad Arkin says.

    The simple fix introduced into browsers over the last year stopped the then zero day blitzkrieg in its tracks by forcing users to click a button to enable Java.

    The chief security officer told the Australian Information Security Association conference the tool cost little and was very effective at driving up the cost of exploitation.

    “Click to Play is very cheap and it may break usability, but given the pain they were experiencing and that what they were doing (patching) wasn’t working,” Arkin told delegates in Melbourne today.

    “Since they introduced this change there hasn’t been a single zero day against Java … if they (Oracle) had done this a couple of years earlier it would have saved them a lot of pain and heartache.

    “Finding and fixing bugs isn’t the way to go, it’s … making it harder and more expensive for [attackers] to achieve an outcome.”

    That strategy has iced much of the zero-day attacks against Adobe Reader and Flash.

    Reply
