Year 2014 will be a year of cybersecurity after the NSA revelations made in 2013: the headline news is that the NSA has surreptitiously “burrowed its way into nearly all the security architecture” sold by the world’s largest computer networking companies. A lot of people were shocked by how the NSA monitored and hacked almost everything on the Internet. There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration. Android anti-virus apps CAN’T kill nasties on sight like normal AV does.
2013 was a very hacked year, with many cases in which information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, since the way people use passwords and the way on-line services are built have not changed much in one year.
Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect HTML5-related security issues to increase because the technology will be used more in 2014.
Over 50% of net traffic to websites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.
DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically anybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers have not dropped considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as these systems become more widely used, more security issues will be found in them.
Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, just like the term cloud computing. Cloud security could mean how secure your cloud provider is, a service that runs in the cloud filtering what comes through it (for example e-mails, web traffic), a product protecting some service running in the cloud, or a traditional anti-virus service that connects to the cloud to enhance its operation (for example to update in real-time, or to verify unknown programs based on data in the cloud). Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.
Marketers try to put the “cloud” term in security product brochures as much as they can. The cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users have also set new standards for information security. OpenDNS’s CTO Dan Hubbard says that “Because the data and equipment run in the cloud, using the cloud is the best way to protect users.” The Snowden Effect will also bring PRIVATE cloud talk to the table this year for security reasons, because U.S. cloud services have been put into question for good reason.
In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.
Late addition: Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen quite a lot lately (and I expect that to increase as usage increases), from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to take some of it. Sometimes bad guys do not try to steal your money, but use resources you pay for (your own PC, your server capacity, etc.) to generate money for them without you knowing about it. If you plan to use those crypto-currencies, be careful to understand what you are doing with them; there is a real possibility that you can lose your money, and there is no way that lost money can be recovered.
Tomi Engdahl says:
Sony hack may have exposed more than movies: sensitive personal data of employees, too.
http://boingboing.net/2014/12/02/sony-hack-may-have-exposed-mor.html?utm_source=moreatbb&utm_medium=nextpost&utm_campaign=nextpostthumbnails
“The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures,” writes Brian Krebs. “According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information.”
Tomi Engdahl says:
Iranian hackers’ years-long operation uncovered – “It could affect billions of people”
A suspected Iranian hacker group has, in the past two years, hacked into the computers of more than 50 organizations and networks. Intrusion victims were found in a total of 16 different countries. The security company Cylance, which revealed the hacker group, says that the hackers had access to a large number of key locations such as airport systems, industrial sites, government agencies and hospitals.
This is the second major security news within a short time.
The company did not disclose exact details, but among the victims were a big airline, a medical university, a company specializing in gas production in the energy sector, a car manufacturer, a large defense industry subcontracting company and a large military target.
According to Cylance, much of the attacks were carried out using publicly available malware and break-in tools, but Cylance also found a set of self-developed malware. The group did not make use of so-called zero-day vulnerabilities.
Through the break-ins, the group could gain access to the university’s research data and students’ private information, such as passports and photos. In industrial plants, for example, the group had access to the plant control systems (SCADA), Cylance says in its report.
“Their access was total: the hackers held the Active Directory domain as well as the entire set of Cisco edge routers, switches, and the entire network infrastructure,” explains Cylance.
Cylance considers the most serious case to be the hackers’ access to the airport security systems in South Korea. According to the company, the break-in gave full access to ports, for example the airport management systems, which would have allowed, for example, access card counterfeiting.
Despite the wide access, Cylance has no information that the hackers made use of their access to the systems. Cylance, however, believes that sabotage was the ultimate purpose of the group. According to Cylance, Iran seems poised to attack Western countries’ critical infrastructure.
“They do not have to steal credit card information or drawings of integrated circuits; they strengthen their foothold in networks whose paralysis could affect the lives of billions of people.”
Source: http://www.tivi.fi/kaikki_uutiset/iranilaishakkereiden+vuosien+mittainen+jattioperaatio+paljastui++quotvoisi+vaikuttaa+miljardeihin+ihmisiinquot/a1033858
Tomi Engdahl says:
Iranian hackers target global infrastructure sector in Operation Cleaver ‘revenge’ attacks
But authorities blast allegations as ‘baseless’ and ‘unfounded’
http://www.theinquirer.net/inquirer/news/2384703/iranian-hackers-target-global-infrastructure-sector-in-operation-cleaver-revenge-attacks
US SECURITY EXPERTS have uncovered a widespread campaign by hackers from Iran which has already infiltrated transport and energy companies around the world.
The report from Cylance states that companies in the US, Israel, China, Saudi Arabia, India, Germany, France and the UK have been targeted with attacks aimed at infrastructure sectors such as aerospace, universities, energy firms, hospitals and telecoms.
Reuters reported that the campaign comes as Iran seeks revenge for cyber attacks designed to scupper its nuclear ambitions.
Russia, China, Israel and the US are all believed to have made attempts to halt Iran’s nuclear research, most notably in 2010 when the Stuxnet worm crippled the country’s systems.
It is believed that Iran has vastly improved its cyber abilities since that time, leading to the current round of attacks, which are being referred to as Operation Cleaver.
Iranian authorities strongly deny the allegations.
The US Navy’s Marine Corps Intranet was one of the targets of a “serious intrusion” in 2013. A US defence official confirmed that it took four months to “manoeuvre” the intranet after the attack.
A Malwarebytes spokesman told The INQUIRER, “As cyber attacks get ever more advanced and successful at defeating countermeasures, companies and government organisations across the board need to be alert to lengthy, stealthy data breaches. Such threats can sit quietly for long periods of time, completely unnoticed, secretly stealing everything from personal data to supposedly secure documents and intellectual property.”
Mikko Hyppönen of F-Secure warned at the time that this kind of revenge attack was possible, suggesting that Stuxnet could be turned back on the West.
Iran hackers targeted airlines, energy firms: report
http://www.reuters.com/article/2014/12/02/us-cybersecurity-iran-idUSKCN0JG18I20141202
Tomi Engdahl says:
Critical networks in US, 15 other nations, completely owned, possibly by Iran
Operation Cleaver gets near-complete control of airlines, gas producers, defense.
http://arstechnica.com/security/2014/12/critical-networks-in-us-15-nations-completely-owned-by-iran-backed-hackers/
For more than two years, pro-Iranian hackers have penetrated some of the world’s most sensitive computer networks, including those operated by a US-based airline, auto maker, natural gas producer, defense contractor, and military installation, security researchers said.
In many cases, “Operation Cleaver,” as the sustained hacking campaign is being dubbed, has attained the highest levels of system access of targets located in 16 countries total, according to a report published Tuesday by security firm Cylance. Compromised systems in the ongoing attacks include Active Directory domain controllers that store employee login credentials, servers running Microsoft Windows and Linux, routers, switches, and virtual private networks. With more than 50 victims that include airports, hospitals, telecommunications providers, chemical companies, and governments, the Iranian-backed hackers are reported to have extraordinary control over much of the world’s critical infrastructure.
Operation Cleaver
http://www.cylance.com/operation-cleaver/
A new global cyber power has emerged; one that has already compromised some of the world’s most critical infrastructure. The Operation Cleaver report sheds light on the efforts of a coordinated and determined group working to undermine the security of at least 50 companies across 15 industries in 16 countries. Our report unveils the tactics, techniques and procedures used in what it still an ongoing campaign.
Tomi Engdahl says:
New York Times:
Investigation continues into Sony hack, company claims news of North Korea being singled out as culprit is “not accurate”
Sony Pictures and F.B.I. Widen Inquiry Into Hackers’ Attack
http://www.nytimes.com/2014/12/04/business/sony-pictures-and-fbi-investigating-attack-by-hackers.html
Sony Pictures Entertainment and the F.B.I. on Wednesday were seeking more information about an attack that crippled Sony’s computer systems — including whether North Korea, or perhaps a former employee, was responsible.
“The investigation continues into this very sophisticated cyberattack,”
Sony was hit by hackers on Nov. 24, resulting in a companywide computer shutdown and the leak of corporate information, including the multimillion-dollar pre-bonus salaries of executives and the Social Security numbers of rank-and-file employees. A group calling itself the Guardians of Peace has taken credit for the attacks.
The studio, working with various law enforcement agencies, has been exploring whether the breach was related to one of Sony’s coming movies, “The Interview,” a comedy about two American tabloid TV journalists recruited to assassinate the North Korean leader Kim Jong-un. North Korean officials have been sharply critical of the film.
On Monday evening, the F.B.I. issued a confidential five-page flash warning to security administrators at American corporations about a recently discovered form of destructive malware. The F.B.I. did not name Sony in the warning
Meanwhile, a second American company, Deloitte, the consulting and auditing firm, was victimized on Wednesday after the hackers that hit Sony published confidential Deloitte data on Pastebin, an anonymous posting website. The data included salary information for more than 30,000 of its employees.
It was not clear whether the data was on Sony’s computer networks because of its work with Deloitte — the entertainment company has hired Deloitte in the past — or whether it was carried over by a former Deloitte employee now working at Sony.
Tomi Engdahl says:
Google Can Now Tell You’re Not a Robot With Just One Click
http://www.wired.com/2014/12/google-one-click-recaptcha/
When Alan Turing first conceived of the Turing Test in 1947, he suggested that a computer program’s resemblance to a human mind could be gauged by making it answer a series of questions written by an interrogator in another room. Jump forward about seven decades, and Google says it’s now developed a Turing Test that can spot a bot by requiring it to do something far simpler: Click on a checkbox.
On Wednesday, Google announced that many of its “Captchas”—the squiggled text tests designed to weed out automated spambots—will be reduced to nothing more than a single checkbox next to the statement “I’m not a robot.”
“For most users, this dramatically simplifies the experience,” says Vinay Shet, the product manager for Google’s Captcha team. “They basically get a free pass. You can solve the captcha without having to solve it.”
Instead of depending upon the traditional distorted word test, Google’s “reCaptcha” examines cues every user unwittingly provides: IP addresses and cookies provide evidence that the user is the same friendly human Google remembers from elsewhere on the Web. And Shet says even the tiny movements a user’s mouse makes as it hovers and approaches a checkbox can help reveal an automated bot.
“All of this gives us a model of how a human behaves,”
In cases where a mere click doesn’t produce a conclusive response, a pop-up window will require users to decipher the same old distorted text. In tests during the past week on sites that use Google’s captcha, however, it’s verified most human users without that backup. About 60 percent of WordPress users and 80 percent of users at video game sales site Humble Bundle got past the captcha with only the checkbox.
Tomi Engdahl says:
Whitelist Helping Identify Industrial Control Malware
http://www.eetimes.com/document.asp?doc_id=1324859&
Cyberattacks on industrial control systems (ICS) such as SCADA have been increasing, as the discovery of the BlackEnergy and Havex malware this year indicates. And the increase has been dramatic. According to a recent report from NSS Labs, reports of ICS cyberattacks have risen 600% since 2010.
Unfortunately, according to Billy Rios, a security specialist and the founder of Laconicly, much of the binary code in ICS systems is not digitally “signed,” making it difficult to determine which code segments have been corrupted or simply do not belong. To ease that determination task, Rios started a personal project to create a whitelist of SCADA installation files that are known good, gathered from original installation media and running systems. He has released that whitelist as a free online service under the name WhiteScope.
The WhiteScope project gives users the ability to compare the file contents in their systems against the files in the whitelist using file hashes. It can be a tedious process,
However, Rios says that WhiteScope is not a fully comprehensive database, so a miss when seeking to compare a file does not necessarily mean that the subject file is invalid.
WhiteScope – An Online ICS/SCADA Whitelist
http://www.icswhitelist.com/static/about.html
WhiteScope is a free service that compares file contents and file hashes with “known good” files from ICS/SCADA installation media.
WhiteScope maintains a database of file hashes, registry changes, processes, and loaded modules for ICS/SCADA software. These artifacts were gathered from installation media and running systems. The whitelists can be used for initial triage during incident response engagements, security assessments, intrusion detection/prevention products.
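A minimal version of the hash comparison that WhiteScope describes, as an added example that is not part of the original post or of the WhiteScope service: it builds a whitelist of SHA-256 hashes from a trusted install tree and then sorts the files of a live tree into known-good and unknown. The directory layout and file contents are constructed sample data, and the "unknown" bucket deliberately means "not in the list" rather than "malicious", matching the caveat above that a miss does not prove a file is bad.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries do not load into memory


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(gold_root: Path) -> dict:
    """Hash every file under a trusted install tree -> {sha256: relative path}."""
    return {sha256_of_file(p): p.relative_to(gold_root).as_posix()
            for p in gold_root.rglob("*") if p.is_file()}


def triage(target_root: Path, whitelist: dict) -> dict:
    """Sort files under target_root into known-good and unknown, by content hash only.

    The comparison is on the hash, not the file name, so a patched or trojaned
    copy of a whitelisted binary still lands in 'unknown'.
    """
    report = {"known_good": [], "unknown": []}
    for p in sorted(target_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(target_root).as_posix()
        bucket = "known_good" if sha256_of_file(p) in whitelist else "unknown"
        report[bucket].append(rel)  # 'unknown' = needs a look, not proven malicious
    return report


def write_tree(root: Path, files: dict) -> None:
    """Materialise {relative path: bytes} under root (helper for the sample data)."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Run the triage on constructed sample trees (not real ICS installation media)."""
    gold = {"bin/hmi.exe": b"HMI v1.0 build", "drivers/io.sys": b"io driver 1.0"}
    live = {
        "bin/hmi.exe": b"HMI v1.0 build",          # identical to the install media
        "drivers/io.sys": b"io driver 1.0 PATCHED",  # same name, different content
        "bin/helper.exe": b"something new",          # not on the media at all
    }
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as t:
        write_tree(Path(g), gold)
        write_tree(Path(t), live)
        return triage(Path(t), build_whitelist(Path(g)))


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, files)
```

Hashing is done on content, so renamed or recompiled files never match by accident; in practice the whitelist would come from a service such as WhiteScope rather than from your own media, and the "unknown" list is the starting point for manual triage, not a verdict.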
Tomi Engdahl says:
UK MP Says ISPs Must Take Responsibility For Movie Leaks, Sony Eyes North Korea
http://yro.slashdot.org/story/14/12/04/0117247/uk-mp-says-isps-must-take-responsibility-for-movie-leaks-sony-eyes-north-korea
The recent IP advisor to Prime Minister David Cameron has laid some of the blame for the recent Sony hack at the feet of ISPs.
As the fallout from the Sony hack continues, who is to blame for the leak of movies including Fury, which has been downloaded a million times? According to the UK Prime Minister’s former IP advisor, as ‘facilitators’ web-hosts and ISPs must step up and take some blame.
ISPs Must Take Responsibility For Sony Movie Leaks, MP Says
http://torrentfreak.com/isps-must-take-responsibility-for-sony-movie-leaks-mp-says-141203/
As the fallout from the Sony hack continues, who is to blame for the leak of movies including Fury, which has been downloaded a million times? According to the UK Prime Minister’s former IP advisor, as “facilitators” web-hosts and ISPs must step up and take some blame.
Last week’s massive hack of Sony Pictures could hardly have been more high-profile and if reports thus far are to be believed, damage to the company could be significant.
As first reported here on TF, following the hacks last week several unreleased Sony movies leaked online. Fury, featuring Brad Pitt, was by far the highest profile and today we can confirm that the title has been downloaded by BitTorrent users more than a million times.
Mike Weatherley MP, the recent IP advisor to Prime Minister David Cameron, has published several piracy reports including one earlier in the year examining the advertising revenue on pirate sites. He believes that companies with no direct connection to the hack or subsequent leaks should shoulder some blame.
“Piracy is a huge international problem. The recent cyber-attack on Sony and subsequent release of films to illegal websites is just one high-profile example of how criminals exploit others’ Intellectual Property,”
“Unfortunately, the theft of these films – and their subsequent downloads – has been facilitated by web-hosting companies and, ultimately, ISPs who do have to step-up and take some responsibility.”
Tomi Engdahl says:
Facebook forges partnership with IT security vendor ESET
http://www.zdnet.com/facebook-forges-partnership-with-it-security-vendor-eset-7000036362/
Summary: The goal of the alliance is to prevent malicious links from populating Facebook user News Feeds and Messages.
Facebook is well-known for home grown efforts in building its own data and IT infrastructures, but the social network is getting a little security help from a new friend.
The world’s largest social network has just announced a new partnership with IT security vendor ESET. The goal of the alliance is to prevent malicious links from populating user News Feeds and Facebook Messages.
To achieve this, Facebook will be baking in ESET’s security software onto its platform.
For end users, there might actually be a state of more heightened awareness. The ESET integration entails that if a device being used to access Facebook services starts behaving suspiciously with signs of possible malware infection, a message will appear offering an anti-malware scan.
Users can opt to run the scan, see results, and disable the software. In the spirit of the Facebook Connect single sign-on protocol, users can do all of this without ever logging out of Facebook.
“With the potential to remain undetected on devices for months, malicious code can collect personal information and even spread to other computers in some cases,” Gowda wrote. “Compounding the challenges for defense, most people lack basic anti-malware programs that could protect their devices or clean up infections more quickly.”
Tomi Engdahl says:
Sony Got Hacked Hard: What We Know and Don’t Know So Far
http://www.wired.com/2014/12/sony-hack-what-we-know/
Who knew that Sony’s top brass, a line-up of mostly white male executives, earn $1 million and more a year? Or that the company spent half a million this year in severance costs to terminate employees? Now we all do, since about 40 gigabytes of sensitive company data from computers belonging to Sony Pictures Entertainment were stolen and posted online.
As so often happens with breach stories, the more time that passes the more we learn about the nature of the hack, the data that was stolen and, sometimes, even the identity of the culprits behind it. A week into the Sony hack, however, there is a lot of rampant speculation but few solid facts.
A group calling itself GOP, or Guardians of Peace, has taken responsibility. But who they are is unclear.
The focus on North Korea is weak and easily undercut by the facts.
Nation-state attacks don’t usually announce themselves
Nor do such attacks result in posts of stolen data to Pastebin—the unofficial cloud repository of hackers everywhere
How Did the Hack Occur?
This is still unclear. Most hacks like this begin with a phishing attack
How Long Had Sony Been Breached Before Discovery?
It’s unclear when the hack began. One interview with someone claiming to be with Guardians for Peace said they had been siphoning data from Sony for a year.
What was Stolen?
The hackers claim to have stolen a huge trove of sensitive data from Sony, possibly as large as 100 terabytes of data, which they are slowly releasing in batches.
All of these leaks are embarrassing to Sony and harmful and embarrassing to employees.
Was Data Destroyed or Just Stolen?
Initial reports have focused only on the data stolen from Sony. But news of an FBI flash alert released to companies this week suggests that the attack on Sony might have included malware designed to destroy data on whole systems.
The FBI memo lists the names of the malware’s payload files—usbdrv3_32bit.sys and usbdrv3_64bit.sys.
It’s unclear if these files were found on Sony systems.
Tomi Engdahl says:
The Cost of the “S” In HTTPS
http://yro.slashdot.org/story/14/12/04/1513255/the-cost-of-the-s-in-https
Researchers from CMU, Telefonica, and Politecnico di Torino have presented a paper at ACM CoNEXT that quantifies the cost of the “S” in HTTPS. The study shows that today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. This is a nice testament to the feasibility of having a fully encrypted web.
The Cost of the “S” in HTTPS
http://www.cs.cmu.edu/~dnaylor/CostOfTheS.pdf
Increased user concern over security and privacy on the Internet has led to widespread adoption of HTTPS, the secure version of HTTP. HTTPS authenticates the communicating end points and provides confidentiality for the ensuing communication. However, as with any security solution, it does not come for free. HTTPS may introduce overhead in terms of infrastructure costs, communication latency, data usage, and energy consumption.
Motivated by increased awareness of online privacy, the use of HTTPS has increased in recent years. Our measurements reveal a striking ongoing technology shift, indirectly suggesting that the infrastructural cost of HTTPS is decreasing. However, HTTPS can add direct and noticeable protocol-related performance costs, e.g., significantly increasing latency, critical in mobile networks. More interesting, though more difficult to fully understand, are the indirect consequences of HTTPS: most in-network services simply cannot function on encrypted data.
For example, we see that the loss of caching could cost providers an extra 2 TB of upstream data per day and could mean increases in energy consumption upwards of 30% for end users in certain cases. Moreover, many other value-added services, like parental controls or virus scanning, are similarly affected, though the extent of the impact of these “lost opportunities” is not clear.
What is clear is this: the “S” is here to stay, and the network community needs to work to mitigate the negative repercussions of ubiquitous encryption. To this end, we see two parallel avenues of future work:
first, low-level protocol enhancements to shrink the performance gap, like Google’s ongoing efforts to achieve “0-RTT” handshakes.
Second, to restore in-network middlebox functionality to HTTPS sessions, we expect to see trusted proxies become an important part of the Internet ecosystem.
Tomi Engdahl says:
FDA Tackles Security, Software
http://www.eetimes.com/document.asp?doc_id=1324861&
Regulators are playing catchup with the rise of digital health products, working to define and rationalize guidelines in areas such as security and software, a senior policy adviser for the US Food and Drug Administration said at the BioMeDevice event here.
“The world of connected health is evolving very quickly,” said Bakul Patel of the FDA’s Center for Device and Radiological Health. “We believe prevention-based healthcare will lead to better outcomes, and this next healthcare paradigm is emerging right in front of us.”
The FDA published initial guidelines for making security a part of the design process for medtech devices. It also held a workshop recently as a first step toward finding a way to monitor and respond to cyber attacks. “It’s a work in progress,” he said. “We want to get ahead of the problems.”
Separately, the FDA is cooperating with other agencies around the world to set common guidelines for regulating medtech software.
The group also is defining ways to handle health IT software. An initial proposal recommends using industry quality standards, rather than government regulations, for health management programs.
That said, he noted that many companies take their medtech products to European regulators first, due to faster approval times there.
Tomi Engdahl says:
Hacking PayPal Accounts With CSRF
http://hackaday.com/2014/12/04/hacking-paypal-accounts-with-csrf/
The computer security industry has made many positive changes since the early days of computing. One thing that seems to be catching on with bigger tech companies is bug bounty programs. PayPal offers such a program and [Yasser] decided to throw his hat in the ring and see if he could find any juicy vulnerabilities. His curiosity paid off big time.
[Yasser] was responsible with his disclosure, of course. He reported the bug to PayPal and reports that it was fixed promptly.
Hacking PayPal Accounts with one click
http://yasserali.com/hacking-paypal-accounts-with-one-click/
This vulnerability enabled me to completely bypass the CSRF Prevention System implemented by PayPal. The vulnerability was patched very fast and PayPal paid me the maximum bounty they give ;).
The CSRF token “that authenticates every single request made by the user”, which can also be found in the request body of every request under the parameter name “Auth”, gets changed with every request made by the user as a security measure.
We have found out that an attacker can obtain a CSRF Auth which can be valid for ALL users.
It can be reused to reset the security questions without providing the password.
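The defect described above is a CSRF token that the server accepts regardless of which user it was issued to. As an added example that is neither PayPal’s code nor the original post’s, the following contrasts that pattern with a token cryptographically bound to the session it was issued for (a keyed HMAC over the session id plus a fresh nonce), so a token captured in one session is rejected in any other. The session ids, the server secret, the `Auth` form field name and the `reset_security_questions` handler are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never leaves the server process.
SERVER_SECRET = secrets.token_bytes(32)

# --- Pattern the post describes: a pool of tokens accepted for any session ---------
_GLOBAL_TOKENS: set = set()


def issue_global_token() -> str:
    """Token with no owner: every session that presents it passes the check."""
    tok = secrets.token_hex(16)
    _GLOBAL_TOKENS.add(tok)
    return tok


def verify_global_token(_session_id: str, token: str) -> bool:
    # The session id is never consulted, which is exactly the weakness.
    return token in _GLOBAL_TOKENS


# --- Session-bound token: nonce . HMAC(secret, session_id ":" nonce) --------------
def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                    hashlib.sha256).hexdigest()


def issue_bound_token(session_id: str) -> str:
    """A fresh nonce per issuance keeps every token distinct, even for one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_bound_token(session_id: str, token: str) -> bool:
    """True only if the MAC was computed for this session id; constant-time compare."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce:
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def reset_security_questions(session_id: str, form: dict, verify) -> str:
    """Hypothetical state-changing handler: refuse unless the CSRF check passes."""
    if not verify(session_id, form.get("Auth", "")):
        return "403 csrf check failed"
    return "200 security questions updated"


def demo() -> dict:
    """A token issued to session 'sess-alice' replayed from session 'sess-mallory'."""
    g = issue_global_token()
    b = issue_bound_token("sess-alice")
    return {
        "global_same_user": reset_security_questions("sess-alice", {"Auth": g}, verify_global_token),
        "global_other_user": reset_security_questions("sess-mallory", {"Auth": g}, verify_global_token),
        "bound_same_user": reset_security_questions("sess-alice", {"Auth": b}, verify_bound_token),
        "bound_other_user": reset_security_questions("sess-mallory", {"Auth": b}, verify_bound_token),
        "bound_garbage": reset_security_questions("sess-alice", {"Auth": "nope"}, verify_bound_token),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:18s} {status}")
```

The check that matters is the one in `verify_bound_token`: the session id is an input to the MAC, so no global lookup table exists for an attacker to find a token in, and `hmac.compare_digest` avoids leaking the comparison through timing. Per-request rotation, as the post says PayPal does, is orthogonal: it limits how long a leaked token lives, but only binding to the session stops it being valid for other users.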
Tomi Engdahl says:
Ryan Gallagher / The Intercept:
Operation AURORAGOLD: How the NSA hacks cellphone networks worldwide and spies on the GSM Association, which includes Verizon, AT&T, Sprint, Facebook, others
Operation Auroragold
How the NSA Hacks Cellphone Networks Worldwide
https://firstlook.org/theintercept/2014/12/04/nsa-auroragold-hack-cellphones/
The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into—a controversial tactic that security experts say could be exposing the general population to criminal hackers.
Codenamed AURORAGOLD, the covert operation has monitored the content of messages sent and received by more than 1,200 email accounts associated with major cellphone network operators, intercepting confidential company planning papers that help the NSA hack into phone networks.
One high-profile surveillance target is the GSM Association, an influential U.K.-headquartered trade group
“Collecting an inventory [like this] on world networks has big ramifications,” Nohl said, because it allows the NSA to track and circumvent upgrades in encryption technology used by cellphone companies to shield calls and texts from eavesdropping.
“Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities,” Nohl said, “because once NSA introduces a weakness, a vulnerability, it’s not only the NSA that can exploit it.”
Tomi Engdahl says:
Aruna Viswanatha / Reuters:
US Justice Department creating new unit to work with the private sector to prevent online crime and advise on electronic surveillance in cyber investigations
New U.S. cybersecurity prosecutor unit to focus on prevention
http://www.reuters.com/article/2014/12/04/us-cybersecurity-doj-idUSKCN0JI1MN20141204
Tomi Engdahl says:
Sony Hackers Expose Rogen’s Pay Along With Deloitte Salaries
http://www.bloomberg.com/news/2014-12-03/sony-hackers-expose-rogen-s-pay-along-with-salaries-at-deloitte.html
Hackers who took over Sony Pictures computers released the budget for “The Interview,” the Seth Rogen comedy about North Korea, adding to a breach that exposed salaries at Deloitte Touche and studio head Michael Lynton’s credit-card number.
The latest documents, including Rogen’s $8.4 million-plus compensation, were posted on the file-sharing site Pastebi
“That’s really, really sensitive stuff, particularly for high-profile people,” said Zachary K. Goldman, executive director of the Center on Law and Security at New York University’s School of Law. “Think of all the mayhem you could cause with that.”
The hackers put five Sony films online for free at file-sharing websites and released employee reviews.
The attack went beyond theft to a level security experts have long dreaded. It used a so-called wiper virus that erases data, can bring down networks with thousands of computers and prevent companies from being able to conduct business, according to two people with knowledge of the situation.
Korean-language coding and similarities to past attacks have led security experts to point to North Korea. A foreign ministry spokesman told the state-run Korean Central News Agency in June the country would pursue “a strong and merciless countermeasure” if “The Interview” were released.
The film’s co-producer, Evan Goldberg, told the Los Angeles Times a week before the attack that they were warned by security experts of possible retaliation.
“They were like, ‘You might want to change your bank passwords. We’re not joking,’” Goldberg told the newspaper.
Tomi Engdahl says:
Sony Pictures leak shows employees used worst passwords ever
http://mashable.com/2014/12/02/sony-hack-passwords/
Everyone is bad at passwords; that’s nothing new. But if you’re working at a high-profile studio like Sony, perhaps you should choose a better password than “s0ny123” or “password.”
Days after the massive hack against Sony, a group of hackers calling themselves “GOP” (Guardians of Peace) dumped online a trove of files that appear to be from the internal computers of Sony Pictures Entertainment.
Among the hacked trove is also a folder called, simply, “passwords.”
It’s still unclear how the hacker gained access to Sony’s computer systems, and how they were able to siphon out thousands of files. But judging from the use of terrible passwords and the practice of putting passwords in folders right next to the files they’re supposed to protect, Sony’s security practices might deserve some blame.
This isn’t the first time Sony has been caught using bad security and password practices.
Movie leaks are just the beginning of Sony’s security woes
http://mashable.com/2014/12/02/sony-pictures-security-leak/
More than 27GB of documents that appear to be from internal Sony Pictures Entertainment (SPE) file servers have already been leaked. Mashable has reviewed some of those documents and the cache of information is absolutely stunning.
To the common user, the data isn’t very interesting. Much of the data, some of which dates back to 2002 and 2003, is related to internal procedures and sales reports.
When major motion pictures leak online before their theatrical release, there is almost always a negative impact on the film’s box office take. For that reason, it makes sense that much of the immediate focus has been on leaked screeners of Fury, Annie and other films.
Still, we can’t help but think that the gigabytes of sales documents and marketing plans could potentially be more problematic for SPE down the line.
For example, if a rival studio had access to the syndication agreements for specific shows on specific network affiliates, it could be used for negotiations for competitive time slots. Moreover, the affiliates themselves could see how their fees compare to other markets for the same programs.
Security, what security?
This is not the first time SPE has been hacked. More than three years ago, 37,000 user accounts were hacked from the SPE website. An individual associated with the hacking group LulzSec was sentenced to a year in prison in conjunction with that attack.
LulzSec was able to hack into SPE in 2011 using a fairly basic SQL injection. That allowed the attackers to access usernames and passwords of registered users on SPE’s site with relative ease.
Three and a half years later, it would appear that SPE’s internal security practices have not improved.
One folder Mashable examined was titled “Passwords” and contained login passwords for internal email systems as well as corporate credit card numbers.
What kind of IT policy allows this sort of behavior to take place?
It’s worth asking the question that if SPE’s internal policies for its own data are so weak, how does it treat customer and client data?
For now, the motive behind this leak is unclear.
The breadth of the data breach has led some to question whether or not this was an inside job. Although it is very possible that an internal source helped the attackers gain access to parts of the internal web server, the way the information has been leaked as well as the way the leakers are communicating with the press suggests at least some involvement from an outside group.
Tomi Engdahl says:
NORKS: We might be aggressive but we didn’t hack Sony!
Quiet Mandiant mops blood amid din of spin
http://www.theregister.co.uk/2014/12/05/sony_blueprints_leaked_north_korea_denial/
North Korea has denied it is the entity behind the epic hack of Sony Pictures Entertainment.
“Linking the DPRK (North Korea) to the Sony hacking is another fabrication targeting the country,” the anonymous official told the publication.
North Korea’s Unit 121 hacker unit was thought by some quarters to be behind the attack and may be capable given its skills in creating the wiper malware used in the Dark Seoul attacks two years ago.
Tomi Engdahl says:
The Sony Pictures Hack Was Even Worse Than Everyone Thought
http://it.slashdot.org/story/14/12/04/2330259/the-sony-pictures-hack-was-even-worse-than-everyone-thought
“It’s time to take a moment of silence for Sony Pictures, because more startling revelations about leaked information just came out and employees are starting to panic. BuzzFeed raked through some 40 gigabytes of data and found everything from medical records to unreleased scripts.
The Sony Pictures Hack Was Even Worse Than Everyone Thought
http://gizmodo.com/the-sony-pictures-hack-exposed-budgets-layoffs-and-3-1665739357/1666122168/+ace
Tomi Engdahl says:
A Look Through The Sony Pictures Data Hack: This Is As Bad As It Gets
http://www.buzzfeed.com/tomgara/sony-hack
From details of named employees’ medical histories to an unreleased pilot script written by the creator of Breaking Bad, the unprecedented leak of Sony Pictures data will reverberate for a long time to come.
After sifting through almost 40GB of leaked internal data, one thing is clear: Sony Pictures appears to have suffered the most embarrassing and all-encompassing hack of internal corporate data ever made public.
The data dump, which was reviewed extensively by BuzzFeed News, includes employee criminal background checks, salary negotiations, and doctors’ letters explaining the medical rationale for leaves of absence. There are spreadsheets containing the salaries of 6,800 global employees, along with Social Security numbers for 3,500 U.S. staff. And there is extensive documentation of the company’s operations, ranging from the script for an unreleased pilot written by Breaking Bad creator Vince Gilligan to the results of sales meetings with local TV executives.
Tomi Engdahl says:
Snowden files show NSA’s AURORAGOLD pwned 70% of world’s mobile networks
Brits and Yanks snoop on security standards bods
http://www.theregister.co.uk/2014/12/04/snowden_files_show_nsas_auroragold_pwned_70_of_worlds_mobile_networks/
The NSA, and its British counterpart GCHQ, spied on innocent telco employees and standards bodies to tap into mobile phone networks worldwide, according to the latest leak from the Edward Snowden archive.
The mobile tapping system, dubbed AURORAGOLD, successfully cracked 701 of an estimated 985 cellular networks worldwide, according to the leaked NSA presentation released by The Intercept.
This was done by snooping on the private communications of key workers within the industry to capture technical documentation and encryption keys that allowed the agency access to mobile calls. Between November 2011 and April 2012, computers used by somewhere between 363 and 1,354 staff were infiltrated to get the data the NSA required.
The encryption is supposed to prevent eavesdroppers from listening to private phone conversations. It was assumed intelligence agencies can break the widely used A5/1 algorithm; now we know GCHQ and the NSA have been working on cracking the supposedly stronger A5/3 used in 3G. For that, the Brits needed a £4m system to attack the cipher by 2012.
Tomi Engdahl says:
Sony Pictures MEGAHACK: Securobods pull out probes, analyse badness
Experts start dissecting HDD-busting nasty
http://www.theregister.co.uk/2014/12/04/sony_hack_wiper_malware/
Security experts have been able to obtain and analyse samples of the malware linked to the Sony Pictures breach.
An FBI advisory issued on Monday, leaked to Reuters, warned US businesses to be vigilant about a new strain of “destructive” malware.
The link between the Sony breach and the malware described by the FBI is yet to be verified but the timing and behaviour of the malware match those from reports of the Sony Pictures network-hobbler.
Tomi Engdahl says:
How the NSA Is Spying On Everyone: More Revelations
http://yro.slashdot.org/story/14/12/04/1823255/how-the-nsa-is-spying-on-everyone-more-revelations
The Intercept has published today a story detailing documents that “reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into—a controversial tactic that security experts say could be exposing the general population to criminal hackers.
Operation Auroragold
How the NSA Hacks Cellphone Networks Worldwide
https://firstlook.org/theintercept/2014/12/04/nsa-auroragold-hack-cellphones/
In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military’s Africa Command needed help to hack into Libya’s cellphone networks and monitor text messages.
For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers’ internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks.
The NSA’s assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program—global in its scope and ramifications—targeted not just at hostile countries.
Karsten Nohl, a leading cellphone security expert and cryptographer who was consulted by The Intercept about details contained in the AURORAGOLD documents, said that the broad scope of information swept up in the operation appears aimed at ensuring virtually every cellphone network in the world is NSA accessible.
Tomi Engdahl says:
Soon, almost every network has IoT-hacking
By 2020, the world will have 20 billion networked devices, the so-called Internet of Things. Or 50 billion, depending on who is telling. IDC predicts that within two years, 90 per cent of global IT networks will have experienced IoT data theft.
The figure is strikingly high. At the same time, it shows how important an element security will be in future IoT networks.
IDC also predicts that in five years, 90 percent of all the data collected by IoT devices will be located in cloud services.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2166:pian-lahes-joka-verkossa-iot-tietomurto&catid=13&Itemid=101
Tomi Engdahl says:
Spotting terrorist behaviour online is harder than finding child abuse images
http://www.theguardian.com/technology/2014/dec/04/terrorist-communications-internet-companies-isc-child-abuse-images-different-technical-undertakings
The ISC suggests internet companies can detect terrorist communications in the same way as search engines find child abuse images. But these are very different technical undertakings
Why are we outraged by the suggestion that Facebook users’ messages should be screened for potential terrorist threats yet we accept that airline passengers are screened for terrorist threats before boarding a plane? What’s the difference between moving people or information around the world? This is the question raised by the UK parliament’s intelligence and security committee when it suggests Facebook and other internet platforms should “take responsibility” for detecting terrorist activity online.
There are a number of reasons why requiring Facebook and other websites to become partners in state surveillance threatens free expression and privacy, but before considering this radical step, let us examine whether it makes technical sense.
Tomi Engdahl says:
SpoofedMe Attack Steals Accounts by Exploiting Social Login Mechanisms
http://hackaday.com/2014/12/05/spoofedme-attack-steals-accounts-by-exploiting-social-login-mechanisms/
We’ve all seen the social logon pop-up boxes. You try to log into some website only to be presented with that pop-up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researchers have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.
SpoofedMe Social Login Attack Discovered by IBM X-Force Researchers
http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/#.VIMuQcmQstx
IBM X-Force’s Application Security Research Team has devised a logical attack that allows a malicious user to intrude into user accounts on a relying website — a website that relies on authentication assertions passed to it by the identity provider — by abusing the social login mechanism.
A specific instance of this attack allowed an attacker to intrude into a Slashdot.org user account by using the “Sign In With LinkedIn” service. It should be noted that LinkedIn responded quickly and fixed this vulnerability after the attack was disclosed. Once logged in, the attacker has complete access to the victim’s account. For example, the attacker could access the victim’s private information and impersonate him or her by posting spam messages.
As previously mentioned, social login is an authentication mechanism that allows a user to use a single account within an identity provider (such as Facebook, Google+ or LinkedIn) for signing in to various third-party websites. In recent years, the concept of social login has increased in popularity and is commonly seen in websites’ login pages in the form of a sign-in button. Today, most social login implementations are based on the OAuth 1.0 and 2.0 authorization protocols, extended to support authentication.
Tomi Engdahl says:
Retailer Bebe Confirms Payment Card Data Breach
http://techcrunch.com/2014/12/05/retailer-bebe-confirms-payment-card-data-breach/
Another day, another payment card data breach. In what’s now becoming routine news, this morning retailer Bebe is confirming a security incident that took place over the busy holiday shopping period in November which saw attackers stealing customers’ names, account numbers, expiration dates and verification codes from cards swiped in stores. The breach occurred between November 8, 2014 and November 26, 2014, and affected those shopping in the retailer’s stores located in the U.S., Puerto Rico, and the U.S. Virgin Islands.
The hack was first reported by the Krebs on Security blog on Thursday
Like other hacks which took place at major retailers including Target, Neiman Marcus and Michael’s, it’s likely that the thieves took advantage of security holes in Bebe’s cash register systems. Typically, thieves hack into these systems and plant malware that records mag stripe data when cards are swiped through machines, explains security expert Brian Krebs.
Bebe has not yet said how many consumers were affected by this data breach
Tomi Engdahl says:
Sony hack reveals movie studio kept passwords in folder named ‘Passwords’
http://rt.com/usa/211903-sony-hack-password-folder/
The recent hacking of Sony Pictures is proving to be more embarrassing than first imagined: among the files pilfered from the Hollywood giant are documents containing dozens of login credentials and passwords in plain text.
On Thursday, writers at Buzzfeed noticed that within a trove of stolen Sony files being shared online in the wake of the recent high-profile hack of the company’s network is a folder named “Password” containing, predictably, dozens of documents purported to allow access to dozens of accounts used by the movie studio.
One screenshot of the folder’s contents shared on Buzzfeed includes 139 documents like Microsoft Excel and Word files with names such as “website passwords.xls” and “UPS Login & Passwords.xls,” each containing a cache of sensitive info.
“One file BuzzFeed News found included hundreds of clearly labeled Facebook, MySpace, YouTube and Twitter usernames and passwords for major motion picture social accounts,” the website reported.
The Wall Street Journal has noted that a preliminary analysis undertaken by data-security firm Identity Finder LLC of 33,000 Sony documents taken during the hack suggests much of the data is not password-protected and can be accessed by anyone who has downloaded it from the web.
So far authorities have yet to determine who exactly is responsible for hacking into SPE.
Tomi Engdahl says:
Sony employees receive email claiming to be from hackers
http://www.cnbc.com/id/102244942#.
The FBI, one of the U.S. government agencies probing the hacking, “is aware of threatening emails that have been received by some employees at Sony Pictures Entertainment,” FBI spokesman Joshua Campbell said in a statement.
The emails could be from copycats purporting to be the hackers who had obtained the addresses of Sony employees from the gigabytes of data leaked over the Internet
Sony has hired security firm FireEye and its Mandiant forensics unit to investigate the hacking.
North Korea is a principal suspect in the attack, a U.S. national security source told Reuters on Thursday. A North Korean diplomat denied that Pyongyang was behind the hack.
Tomi Engdahl says:
Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue
http://bits.blogs.nytimes.com/2014/12/04/banks-lawsuits-against-target-for-losses-related-to-hacking-can-continue/?_r=0
A federal judge on Tuesday handed an early victory to banks in their effort to recoup losses from a major breach last year at Target. More than 40 million credit cards were compromised in the incident.
In the past, banks were often left with the financial burden of a hacking and were responsible for replacing stolen cards. The cost of replacing stolen cards from Target’s breach alone is roughly $400 million — and the Secret Service has estimated that some 1,000 American merchants may have suffered from similar attacks.
The Target ruling makes clear that banks have a right to go after merchants if they can provide evidence that the merchant may have been negligent in securing its systems.
While the lawsuit continues, lawyers say this early ruling could have widespread impact in the onslaught of data breach cases this year. The judge ruled that charges that Target ignored security software alerts and disabled some of its security features was enough for the banks to pursue a claim of negligence.
“The allocation of risk in any data breach is a hot-button issue,” said Craig Newman, managing partner of Richards Kibbe & Orbe. “What this ruling means is that the banks won’t necessarily be left holding the bag if the merchant was negligent in the way it maintained and safeguarded customer information.”
Tomi Engdahl says:
To Get Off Russia’s Blacklist, GitHub Has Blocked Access To Pages That Highlight Suicide
http://techcrunch.com/2014/12/05/to-get-off-russias-blacklist-github-has-blocked-access-to-pages-that-highlight-suicide/
GitHub is slowly navigating the tricky waters of Internet censorship in Russia, using its own platform to track how it’s doing it in an effort to remain transparent, but also agreeing to block pages that the regulator says offend content regulations.
“We have since blocked access within the Russian Federation to the specific content which was flagged as prohibited by law within the Russian Federation, and are working to get GitHub reinstated,” the company says. It cites its Terms of Service section A8 to further elaborate: “You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).”
Blocking specific pages is the same route that sites like YouTube — which was also blocked over suicide-related content — have taken in order to remain online overall in Russia.
Important to note that GitHub’s compliance comes with some resistance.
The concern with Russia’s censorship laws, which were first brought into force in 2012, is that they not only violate freedom of speech, but that they can be abused to effectively silence people who are speaking out against the state.
Tomi Engdahl says:
The worst part of censorship is #### ##########.
Sigh. Censorship societies- they just don’t know what they’re missing.
“and opinions deemed ‘extremist’ by the government”
Chaos Computer Club (and Hackaday) Blocked By British Porn Filters
http://hackaday.com/2014/12/06/chaos-computer-club-and-hackaday-blocked-by-british-porn-filters/
Originally envisioned as a porn filter, and recently updated with a list of banned sexual acts including spanking, aggressive whipping, role-playing as non-adults, and humiliation, the British Internet filter has seen more esoteric content blocked from British shores. Objectionable material such as “anorexia and eating disorder websites,” “web forums,” “web blocking circumvention tools”, and the oddly categorized “esoteric material” are also included in the filter.
A site built by the Open Rights Group is currently tracking which ISPs are blocking which domains.
Tomi Engdahl says:
Reuters:
North Korea’s cyber war cell Bureau 121 employs 1800 hackers who are considered military elite — In North Korea, hackers are a handpicked, pampered elite — (Reuters)
In North Korea, hackers are a handpicked, pampered elite
http://www.reuters.com/article/2014/12/05/us-sony-cybersecurity-northkorea-idUSKCN0JJ08B20141205
Despite its poverty and isolation, North Korea has poured resources into a sophisticated cyber-warfare cell called Bureau 121, defectors from the secretive state said as Pyongyang came under the microscope for a crippling hack into computers at Sony Pictures Entertainment.
Defectors from the North have said Bureau 121, staffed by some of the most talented computer experts in the insular state, is part of the General Bureau of Reconnaissance, an elite spy agency run by the military.
Military hackers are among the most talented, and rewarded, people in North Korea, handpicked and trained from as young as 17
The technology news site Re/code reported on Wednesday that Sony intends to name North Korea as the source of the attack.
Sony Pictures, a unit of Japan’s Sony Corp, is the distributor of “The Interview,” a forthcoming comedy featuring a plot to assassinate North Korean leader Kim Jong Un. North Korea has described the film as an “act of war”.
Some security experts have cast doubt on North Korean involvement in the attack on Sony, citing the publicity-seeking hacktivist style of the attacks.
Tomi Engdahl says:
The World Cracks Down on the Internet
http://www.newyorker.com/tech/elements/world-cracks-internet
In September of last year, Chinese authorities announced an unorthodox standard to help them decide whether to punish people for posting online comments that are false, defamatory, or otherwise harmful
Chinese government has become, in recent years, in restricting Internet communication—going well beyond crude measures like restricting access to particular Web sites or censoring online comments that use certain keywords.
the approach: “strategic, timely censorship.” She told me, “It’s about allowing a surprising amount of open discussion, as long as you’re not the kind of person who can really use that discussion to organize people.”
On Thursday, Freedom House published its fifth annual report on Internet freedom around the world. As in years past, China is again near the bottom of the rankings, which include sixty-five countries. Only Syria and Iran got worse scores, while Iceland and Estonia fared the best.
China’s place in the rankings won’t come as a surprise to many people. The notable part is that the report suggests that, when it comes to Internet freedom, the rest of the world is gradually becoming more like China and less like Iceland.
The researchers found that Internet freedom declined in thirty-six of the sixty-five countries they studied, continuing a trajectory they have noticed since they began publishing the reports in 2010.
China, the U.S., and their copycats aren’t the only offenders, of course.
What’s behind the decline in Internet freedom throughout the world?
governments that restrict freedom offline—particularly authoritarian regimes—are only beginning to do the same online, too.
“There is definitely a sense that the Internet offered this real alternative to traditional media—and then government started playing catch-up a little bit,”
Tomi Engdahl says:
Cyber Security: Hackers work to turn holiday shopping boom into boon for data thieves
http://invensyscybersecurity.blogspot.fi/2014/11/cyber-security-hackers-work-to-turn.html
Hackers work to turn holiday shopping boom into boon for data thieves
http://krqe.com/2014/11/21/hackers-work-to-turn-holiday-shopping-boom-into-boon-for-data-thieves/
Massive data breaches have forced stores like Home Depot and Target into the spotlight. This fall, hackers wormed their way into Home Depot’s system and installed malware that swiped payment information from point-of-sale terminals. That exposed more than 50 million cards to people who seek to sell that data on the black market.
During the holiday season last year, more than 40 million credit and debit cards were exposed after a breach at Target.
Experts say online shoppers using debit cards are the most vulnerable. Gas stations, restaurants and hotels are other spots where using a debit card subjects people to the advances of hackers. Credit cards, the experts say, offer more protection against fraudulent charges.
Businesses aren’t alone in their need to fend off hackers. Every day, every hour — seemingly every moment — someone is trying to steal data from the government, too.
A recent Associated Press analysis of federal data showed a 70% increase in cyber incidents from 2009 to 2013, when there were 46,605 such attacks on federal networks.
“We are all very, very vulnerable,” Phyllis Schneck, cybersecurity chief for the Department of Homeland Security,
Tomi Engdahl says:
What CIOs Can Learn From the Biggest Data Breaches
http://www.cio.com/article/2845618/data-breach/what-cios-can-learn-from-the-biggest-data-breaches.html
A postmortem analysis of some of the biggest recent data breaches offers IT leaders several pieces of advice for staying a step ahead of hackers.
Lesson From Adobe: Build Better Systems
Lessons From eBay: Encrypt Data, Educate Employees
Lesson From JP Morgan Chase: Invest in Intrusion Detection
Lesson From Target: Find the Most Critical Vulnerabilities
Lesson From Home Depot: Well-Configured Firewalls
Tomi Engdahl says:
Matt Novak / Gizmodo:
FCC: smartphone theft a problem with 3.1M stolen in 2013, but new security measures helped
59% of robberies in San Francisco involve the theft of a smartphone
http://factually.gizmodo.com/59-of-robberies-in-san-francisco-involve-the-theft-of-1667240618
Thefts involving smartphones are on the rise according to a new FCC study. In 2013, 3.1 million Americans had their smartphones stolen. That was up from 1.6 million thefts in 2012.
Some interesting facts from the new report:
22 percent of smartphone users installed software that can locate their phone
34 percent of smartphone users don’t take any security measures
36 percent of users set a screen lock with a 4-digit pin
46 percent of robberies in New York in 2013 involved a smartphone
59 percent of robberies in San Francisco in 2013 involved a smartphone
Thieves have all kinds of options for their ill-gotten phones, including selling them online, selling them to recycling companies, and sometimes just using them outright for themselves. Some of the more organized criminal outfits steal large numbers of phones and ship them overseas.
But it’s not all bad news. At least not for Apple users. Apple’s new security measures (including tech like Find My iPhone and Activation Lock) have been credited with actually decreasing thefts of Apple devices.
Tomi Engdahl says:
Vauhini Vara / New Yorker:
Freedom House report: Internet freedom declined in 36 of 65 countries studied this year
http://www.techmeme.com/
December 4, 2014
The World Cracks Down on the Internet
http://www.newyorker.com/tech/elements/world-cracks-internet
Tomi Engdahl says:
Bad Code Results in Useless Passwords
http://hackaday.com/2014/12/07/bad-code-results-in-useless-passwords/
[HeadlessZeke] was excited to try out his new AT&T wireless cable box, but was quickly dismayed by the required wireless access point that came bundled with it. Apparently in order to use the cable box, you also need to have this access point enabled.
The wireless access point was an Arris VAP2500. At first glance, things seemed pretty good. It used WPA2 encryption with a long and seemingly random key. Some more digging revealed a host of security problems, however.
There existed a plain text file in the root of the web server called “admin.conf”. It contained a list of usernames and hashed passwords. That was strike one for this device.
He pulled the source code out of the firmware and looked at the authentication mechanism. The system checks the username and password and then sets a cookie to let the system know the user is authenticated. It sounds fine, but upon further inspection it turned out that the data in the cookie was simply an MD5 hash of the username.
Now that [HeadlessZeke] was logged into the administration site, he was able to gain access to more functions.
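An added example, not the Arris firmware or [HeadlessZeke]'s code: the cookie scheme the write-up describes, an audit check that catches it, and a session-token scheme that does not have the flaw. All function and variable names are hypothetical, and the password check is a caller-supplied callback.

```python
# Added example (not the Arris firmware): the "cookie = MD5(username)" scheme
# described above beside a server-side random session token. Names are
# hypothetical; the password check is injected by the caller.
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def weak_cookie(username: str) -> str:
    """The scheme described in the write-up: the logged-in cookie is MD5(username).

    The value depends only on a public identifier, so the password check that
    precedes it adds nothing: anyone who knows a username can reproduce it.
    """
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def weak_is_authenticated(cookie: str, known_users) -> bool:
    """How such a device decides a request is logged in."""
    return any(weak_cookie(u) == cookie for u in known_users)


def cookie_derivable_from_username(make_cookie: Callable[[str], str], username: str) -> bool:
    """Audit check: a login cookie must not be a deterministic function of the
    username. Issuing two sessions for one user must never yield the same value."""
    return make_cookie(username) == make_cookie(username)


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    Tokens come from a CSPRNG, carry no user information, are looked up in a
    table rather than recomputed, and expire. The clock is injectable so that
    expiry can be exercised without waiting.
    """

    def __init__(self, ttl_seconds: int = 900, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)
        self._ttl = ttl_seconds
        self._clock = clock

    def login(self, username: str, password: str,
              password_ok: Callable[[str, str], bool]) -> Optional[str]:
        """Issue a token only after the caller's password check passes."""
        if not password_ok(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 chars
        self._sessions[token] = (username, self._clock() + self._ttl)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a presented cookie; None means not authenticated."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]  # expired sessions are dropped on sight
            return None
        return username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```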
Tomi Engdahl says:
How to protect yourself from ‘SpoofedMe,’ a social login attack
http://fortune.com/2014/12/07/spoofedme-social-login-attack/
A new website vulnerability allows attackers to masquerade as victims on sites that support social media logins. Here’s what to do about it.
If the attacker selects the just-created but not verified account and the victim already has a profile on the site in question—both associated with the same email address—vulnerable sites will authenticate the attacker, enabling him or her to assume the victim’s identity.
And that’s where the real trouble starts. An attacker could masquerade as a public-company executive on Nasdaq.com and comment on stocks, impacting the company’s stock performance. An attacker could post malicious links on the site under the assumed identity, subjecting anyone inquisitive enough to click to a phishing attack that allows the hacker to obtain sensitive information (that could quickly cascade into many more compromises).
“That’s a huge gaping security hole,” says Marla Hay, a senior product manager at Janrain, a company that connects websites to identity providers with social logins.
Hay recommends that companies with websites incorporating social login—so-called relying websites—take several measures. First, they should make sure to set up a field requesting a verified email address—not just any old unverified email address. Second, they should bar users from authenticating without first having verified email addresses. Lastly, they should consider accepting only identity providers that require users to verify email addresses before enabling validation through social login.
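The relying-website side of the SpoofedMe issue, as an added illustration that is not code from Janrain or the article: the vulnerable handler links a social login to an existing local account on e-mail address alone, while the hardened handler follows Hay's advice and only reaches an existing account through a verified address from a provider known to verify it (or through an identity that was explicitly linked before). Provider names, claim field names and the local account table are assumed.

```python
"""Account linking for social login: e-mail-only match vs. verified-e-mail match."""
from typing import Dict, Optional, Tuple

# Constructed local user database: e-mail -> local user id
LOCAL_ACCOUNTS: Dict[str, str] = {"exec@example.com": "user-1001"}

# Identities the user has previously linked on purpose: (provider, subject) -> user id
LINKED_IDENTITIES: Dict[Tuple[str, str], str] = {("provider-b", "sub-42"): "user-2002"}

# Providers assumed to verify an e-mail address before asserting it (assumption)
VERIFYING_PROVIDERS = {"provider-a"}


def vulnerable_login(assertion: dict) -> Optional[str]:
    """The flaw the article describes: any assertion carrying the e-mail wins."""
    return LOCAL_ACCOUNTS.get(assertion.get("email", ""))


def hardened_login(assertion: dict) -> Optional[str]:
    """Return a local user id only when the identity is trustworthy.

    None means: do not log in as an existing user; the caller should create
    a fresh unlinked account or run its own e-mail verification (not shown).
    """
    provider = assertion.get("provider", "")
    subject = assertion.get("sub", "")

    # 1. An identity the user linked earlier is honoured regardless of e-mail.
    if (provider, subject) in LINKED_IDENTITIES:
        return LINKED_IDENTITIES[(provider, subject)]

    # 2. Otherwise the e-mail may only be used as a key if it is verified
    #    and the provider is one we trust to have verified it.
    if provider not in VERIFYING_PROVIDERS:
        return None
    if assertion.get("email_verified") is not True:
        return None
    return LOCAL_ACCOUNTS.get(assertion.get("email", ""))
```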
Tomi Engdahl says:
Anna Fifield / Washington Post:
North Korea denies hacking Sony but calls the breach a ‘righteous deed’
http://www.washingtonpost.com/world/north-korea-denies-hacking-sony-but-calls-the-breach-a-righteous-deed/2014/12/07/508d6991-c242-419c-b71c-59a3d1173766_story.html
North Korea has denied hacking Sony Pictures’ computer systems in retaliation for its movie “The Interview,” which revolves around a plot to assassinate North Korea’s leader, Kim Jong Un. But the secretive state has called the crippling cyberattack a “righteous deed” and has suggested that its “supporters and sympathizers” might be taking revenge on its behalf.
The statement, issued Sunday by the official Korean Central News Agency, comes as investigators home in on the source of the attack, which brought Sony, one of Hollywood’s biggest studios, to a near-standstill just before Thanksgiving.
At least five new movies from Sony Pictures, including the musical “Annie” and the Brad Pitt World War II movie “Fury,” were posted to copyright-infringing file-sharing hubs soon after the attack. But there was no proof that those postings were related to the hack.
Tomi Engdahl says:
Sony PSN hacked AGAIN. It just hasn’t been their decade, really
Lizard Squad: We did that, we did that!
http://www.theregister.co.uk/2014/12/08/sony_playstation_hacked_by_lizard_squad/
Sony has been battling yet another hack of its PlayStation Network: the PlayStation store went titsup in the early hours of this morning UK time.
Hacktivist group the Lizard Squad claimed responsibility for the latest security breach of Sony’s network.
The timing of the hack comes after Sony celebrated its game console’s 20th anniversary at the weekend.
Sony has also been struggling to get its movie studio back up and running, after a monster attack on that network.
In that instance, malefactors hacked into Sony Pictures’ systems, before leaking the personal information of 47,000 people, including their staff security numbers, home addresses, salary details and emails. Unreleased films and scripts were also nabbed by the miscreants.
Tomi Engdahl says:
Kaspersky drops deets on Sony hacker malware
Looks like Shamoon, quacks like Dark Seoul
http://www.theregister.co.uk/2014/12/08/kaspersky_deets_on_sony_malware/
Kaspersky bod Kurt Baumgartner has released more details into the Sony-plundering malware and links it to attacks on Saudi Aramco and South Korea.
Research conducted in the wake of the epic Sony breach last month had connected those behind the attack known as the Guardians of Peace (GOP) with the 2012 hacking of Saudi Aramco by ‘WhoIs Team’ that hit 30,000 computers with the Shamoon malware at a time when tensions were high between Saudi Arabia and Iran.
The malware served to Sony disabled or destroyed corporate machines forcing the firm to enter an IT lock-down. It was dubbed BKDR_WIPALL by Trend Micro and Destover by Kaspersky.
Baumgartner’s work added further weight to claims the malware used in both attacks and the 2013 Dark Seoul hacks were deployed by the same actors.
“In all three cases: Shamoon, Dark Seoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,”
“Images from the Dark Seoul Whois and Destover GOP groups included a ‘hacked by’ claim, accompanied by a ‘warning’ and threats regarding stolen data. Both threatened that this was only the beginning and that the group will be back.”
A further point linking the Sony and South Korea attacks was in the styling of the defacements used, which used skulls and the same colours.
There were technological similarities too. Shamoon and Wiper used off-the-shelf EldoS RawDisk drivers maintained in the dropper’s resource section
Tomi Engdahl says:
Mighty Blighty filter tilter causes communications chaos
No way to Hack a Day
http://www.theregister.co.uk/2014/12/08/blightys_great_wall_blocks_chaos_computer_club/
The Great Firewall of Britain, aka the content filters operated by telcos Vodafone and Three, has blocked access to German hacker party the Chaos Communications Congress (CCC) ahead of its annual confab.
The block presumably made in error prevented punters from accessing the website, buying tickets and perusing the conference talks made public last week.
Vodafone also blocked access to the CCC’s radio and monthly podcast site.
The privacy pundits chastised Blighty for the blunder.
Tomi Engdahl says:
FilterBypass.me
https://www.filterbypass.me/
FilterBypass is a free anonymous web proxy which allows people all over the world to bypass internet filters and enjoy unrestricted browsing. Unlike other web proxies we support all major streaming portals such as Youtube and Dailymotion. Enjoy being able to unblock your favorite social networks such as Facebook or Twitter with a simple click.
You tell us which website you want to unblock, then we fetch it for you using our server.
Tomi Engdahl says:
AdNauseam
http://dhowe.github.io/AdNauseam/
As online advertising is becoming more automatic, universal and unsanctioned, AdNauseam works to complete the cycle by automating all ad-clicks universally and blindly on behalf of the target audience. Working in coordination with Ad Block Plus, AdNauseam quietly clicks every blocked ad, registering a visit on the ad networks' databases. As the data gathered shows an omnivorous click-stream, user profiling, targeting and surveillance becomes futile
AdNauseam is a browser extension designed to obfuscate browsing data and protect users from surveillance and tracking by advertising networks. Simultaneously, AdNauseam serves as a means of amplifying users’ discontent with advertising networks that disregard privacy and facilitate bulk surveillance agendas.
Tomi Engdahl says:
Sony’s PlayStation hit by hack attack
http://www.bbc.com/news/technology-30373686
A hacker group has claimed responsibility for attacking Sony’s online PlayStation store, which is down on Monday.
A group called “Lizard Squad” has taken credit for the outage, posting “PSN Login #offline #LizardSquad” as their Twitter status.
The outage is the most recent in a series of attacks on tech giant Sony.
Meanwhile, the outage on the PlayStation network follows one on Microsoft Xbox network, which was down for at least a day last week.
Lizard Squad also claimed it was behind the attack.
The Xbox network was hit with a DDOS, or a distributed denial of service attack, which overloaded the system, stopping users from getting online.
Tomi Engdahl says:
Sony Hackers Knew Details of Sony’s Entire IT Infrastructure
http://www.eetimes.com/author.asp?section_id=36&doc_id=1324876&
While trying to simultaneously recover from a data breach and a wiper attack, Sony watches attackers publish maps and credentials for everything from production servers to iTunes accounts.
Whoever they are, the attackers who breached Sony used wiper malware to destroy Sony’s systems, and are slowly disclosing stacks of stolen Sony confidential data and intellectual property. And they knew everything there was to know about Sony’s IT infrastructure.
Security researchers have discovered that the wiper malware — called Destover by some, WIPALL by others — contained hardcoded names of servers inside Sony’s network and the credentials to access them. Further, the attackers themselves released a new set of 11,000 files the night of Dec. 3 that include, as one reporter explained it, “everything needed to manage the day-to-day [IT] operations at Sony.”
Sony has been trying to recover from the wiper attacks since they began Nov. 24
True to their word, the attackers began uploading sensitive Sony data to Pastebin. The leaked files contained both corporate data — including employee salaries, Social Security Numbers, performance reviews, criminal background checks — and intellectual property — including full copies of Sony movies that have not yet been released and a script for a new TV pilot by the creator of “Breaking Bad.” The attackers have hinted that they have terabytes of data yet to share.
Tomi Engdahl says:
Sony Hackers Knew Details Of Sony’s Entire IT Infrastructure
http://www.darkreading.com/sony-hackers-knew-details-of-sonys-entire-it-infrastructure-/d/d-id/1317898
While trying to simultaneously recover from a data breach and a wiper attack, Sony watches attackers publish maps and credentials for everything from production servers to iTunes accounts.
The attackers themselves released a new set of 11,000 files last night that include, as one reporter explained it, “everything needed to manage the day-to-day [IT] operations at Sony.”
True to their word, the attackers began uploading sensitive Sony data to Pastebin. The leaked files contained both corporate data and intellectual property.
Meanwhile, the wiper software began destroying all Sony’s internal systems. The FBI released a flash alert this week, which did not explicitly mention Sony, but warned of a wiper malware that “has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods.”
Recovering from a data breach and a large-scale system destruction at the same time is exceptionally complex. Complicating matters further is that the treasure trove of data leaked yesterday includes everything attackers would need to compromise Sony all over again, in the manner of their choosing. The data includes RSA SecurID tokens, global network maps detailing databases and enterprise servers, and access credentials/files for QA servers, staging servers, production servers, routers, switches, load balancers, FTP servers, email accounts, and third-party applications — including UPS, FedEx, McAfee, Google Analytics, iTunes, Sprint, and Verizon.
So, how does a company recover? Burn whatever’s left and build something entirely new and different?
“Shut it all down,” says Jody Brazil of FireMon. He says that throwing away the entire company isn’t a solution. But for now, he recommends shutting down all external communications and all Web access entirely (and bringing it back slowly and carefully), resetting all passwords, instituting change control, doing a massive assessment of all systems, and aiming to get business running appropriately again in weeks, not days. “It’s a very drastic approach,” he says, “but the right one.”
“They’re in a really bad situation,” says Jaime Blasco of AlienVault, which has examined the wiper.
The wiper was customized for Sony’s environment after the attackers obtained all the detailed information about the Sony IT infrastructure.
How did they obtain that information? Either they conducted a staged attack — compromising the network, poking around, obtaining credentials, escalating privileges, etc. — or they were given the information by an insider.
According to Blasco, “The malware samples we have found talk to IP addresses in Italy, Singapore, Poland, the US, Thailand, Bolivia, and Cyprus — probably hacked systems or VPN/proxies that the attackers use to hide the origin. We also found the attackers were using the Korean language in the systems they used to compile some of the pieces of malware we have found.”
The use of Korean in the compiler, says Blasco, is “the only technical indicator” of a North Korean-based attack, “and that info can be faked.”
Tomi Engdahl says:
Home Wi-Fi security’s just as good as ’90s PC security! Wait, what?
http://www.theregister.co.uk/2014/12/08/wi_fi_security_lax_survey/
Security software firm Avast found that more than half of all routers are poorly protected by default
The survey of 2,000 UK households also found that an additional 23 per cent of consumers use their address, name, phone number, street name, or other easily guessed terms as their passwords.