Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013: the Heartbleed, Shellshock (Bash) and POODLE vulnerabilities were just the beginning of what to expect. I expect that 2014 will look easy compared to 2015, which will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states; they can come from inside or outside.

According to Gartner, as reported by SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied, and the traditional methods continue to result in high failure rates. Why create insecure security?

Year 2014 was shaped by the NSA revelations that began in 2013, and there were lots of articles on the published material. Not everything has been published yet, so I expect further details of the NSA revelations to come out in 2015, along with new leaks on how government security organizations spy on us all.

It seems like 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) becomes mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers, and the changes follow a string of high-profile breaches. I do not expect those new requirements to produce any quick change in the situation. As breach reports keep coming, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article “Get Ready For The Hack Attack That Drives A Big Company Out Of Business” predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated attackers have shifted from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally focused on other risks). A computerized attack can cause a lot of damage even to a well-prepared company, and can turn a poorly prepared company into a disaster it cannot recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more and more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. Many of the potential dangers are in transportation: many new cars are Internet-connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and together with safety it will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 percent of global IT networks will have had an IoT-based security breach. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons: it is cheaper for, and far more accessible to, small nation-states, and it allows them to pull off attacks with less risk of getting caught and fewer repercussions when they are. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one, and as the whole world gets connected, the attack surface that makes these attacks possible keeps growing. In the not-too-distant future, warfare with traditional weaponry may take a back seat to potentially more destructive tactics: computer code attacking the companies and infrastructure, including electric grids and oil and gas pipelines, that society relies on.

It was predicted that the first online murder would happen in 2014. As far as I know it did not. I think it is likely that an online murder can happen in 2015; the tools for it already exist. A cyber-murder could also happen without us knowing about it.

Mobile devices will be one of the focal points for attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to get malicious applications published in app stores, and within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected, encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The technologies underlying the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound-wave data transfer. There will also be products marketed to prevent the different kinds of threats the new technologies can introduce.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks succeed because they are well disguised, blend different techniques and constantly evolve. You need layered security, and it is not just for networks: use a layered security architecture that combines defenses in ways attackers don’t expect and that continuously evolves its protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well, starting with email gateways. Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (the SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more of a control you can automate, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly the right direction, because it yields a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, governments and the open source community) is needed. Key to success is publishing that intelligence in standard, machine-readable structures (STIX, TAXII and other industry formats) that describe threats in a way others can aggregate and understand.
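To show what “automating a control” against shared intelligence looks like in practice, here is an added example written for this page, not code from any vendor, from SANS, NIST or the STIX/TAXII specifications. It decodes a deliberately minimal JSON indicator list (a stand-in for the kind of content a STIX feed carries, not the STIX schema) and runs every indicator over a few constructed key=value log lines, producing alerts that carry the indicator’s ID and source so an analyst can trace each hit back to the feed it came from. The feed entries, the log lines, the field names and the three indicator types are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Indicator is one entry of a hypothetical machine-readable feed. The shape is a
// deliberately minimal stand-in for what a STIX/TAXII feed carries, not the STIX
// schema; a single hostile IP is expressed as a /32 CIDR.
type Indicator struct {
	ID     string `json:"id"`
	Type   string `json:"type"` // "domain", "cidr" or "sha256"
	Value  string `json:"value"`
	Source string `json:"source"`
}
// Alert ties a matched log line back to the indicator that fired.
type Alert struct {
	Line      int
	Indicator Indicator
	Field     string
}
// feedJSON is constructed sample data for this example, not a real feed.
const feedJSON = `[
 {"id":"ind-1","type":"domain","value":"update-check.example.net","source":"vendor-feed"},
 {"id":"ind-2","type":"cidr","value":"198.51.100.0/24","source":"open-source"},
 {"id":"ind-3","type":"sha256","value":"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08","source":"gov-isac"}
]`
// sampleLogs are constructed proxy/endpoint style lines in key=value form.
var sampleLogs = []string{
	"ts=2015-01-05T10:14:02Z src=10.0.0.5 dst=203.0.113.9 host=www.example.com sha256=",
	"ts=2015-01-05T10:14:07Z src=10.0.0.5 dst=198.51.100.23 host=cdn.update-check.example.net sha256=",
	"ts=2015-01-05T10:15:31Z src=10.0.0.7 dst=203.0.113.44 host=mail.example.org sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
}

// ParseFeed decodes the JSON feed into indicators.
func ParseFeed(data string) ([]Indicator, error) {
	var out []Indicator
	if err := json.Unmarshal([]byte(data), &out); err != nil {
		return nil, err
	}
	return out, nil
}
// parseLine turns "k=v k=v ..." into a map; fields without '=' are ignored.
func parseLine(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	return kv
}

// matches checks one indicator against one parsed line and names the field that hit.
func matches(ind Indicator, kv map[string]string) (string, bool) {
	switch ind.Type {
	case "domain": // exact host or any subdomain of it
		h := strings.ToLower(kv["host"])
		if h == ind.Value || strings.HasSuffix(h, "."+ind.Value) {
			return "host", true
		}
	case "cidr": // ranges are a common way to share hostile infrastructure
		if _, network, err := net.ParseCIDR(ind.Value); err == nil {
			if ip := net.ParseIP(kv["dst"]); ip != nil && network.Contains(ip) {
				return "dst", true
			}
		}
	case "sha256":
		if kv["sha256"] != "" && strings.EqualFold(kv["sha256"], ind.Value) {
			return "sha256", true
		}
	}
	return "", false
}

// MatchLogs is the automated control: every line is checked against every indicator.
func MatchLogs(inds []Indicator, logs []string) []Alert {
	var alerts []Alert
	for i, line := range logs {
		kv := parseLine(line)
		for _, ind := range inds {
			if field, ok := matches(ind, kv); ok {
				alerts = append(alerts, Alert{Line: i + 1, Indicator: ind, Field: field})
			}
		}
	}
	return alerts
}

func main() {
	inds, err := ParseFeed(feedJSON)
	if err != nil {
		panic(err)
	}
	for _, a := range MatchLogs(inds, sampleLogs) {
		fmt.Printf("line %d: %s matched %s (%s)\n", a.Line, a.Field, a.Indicator.ID, a.Indicator.Source)
	}
}
```

Save it as main.go and run `go run main.go`; the output names the line, the field and the indicator for each hit. The domain rule matches subdomains and the CIDR rule matches whole ranges, which is where a naive string-equality matcher would miss hostile infrastructure that rotates hostnames or addresses within a block.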

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, to the point that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority (Let’s Encrypt) backed by big names on the Internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because a normal firewall can’t look inside encrypted HTTPS packets, so it can’t block potential threats carried within them. There are special corporate firewall arrangements that can intercept HTTPS traffic: they perform a kind of man-in-the-middle attack, terminating the client’s TLS session with a certificate they mint on the fly, decrypting the traffic for inspection, and opening a second TLS session to the real server. This works only because the corporate CA that signs those substituted certificates has been installed as trusted on the managed clients; a proxy whose CA the client does not trust triggers the browser’s certificate warning instead. So TLS communications can be intercepted, and the end-to-end guarantee is broken at the proxy.
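The interception mechanism is easier to reason about with real certificates in hand. The following is an added example written for this page with Go’s standard crypto/x509 package, not code from the page’s author or from any interception product. It builds a legitimate chain for a hypothetical host bank.example and the look-alike chain an intercepting proxy mints for the same name, then shows three things: the look-alike fails normal validation, it passes once the proxy’s CA is added to the trust store (which is what happens on a managed corporate client), and a public-key pin still tells the two apart. The CA names, the host name, the serial numbers and the certificate lifetimes are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// host is the hypothetical site the client believes it is talking to.
const host = "bank.example"
// Scenario holds the legitimate chain (PublicCA -> RealLeaf) and the one an
// intercepting proxy substitutes for it (ProxyCA -> ProxyLeaf). Both leaves
// carry the same name; only the key pair and the issuer differ.
type Scenario struct {
	PublicCA, ProxyCA   *x509.Certificate
	RealLeaf, ProxyLeaf *x509.Certificate
}
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing sensible to do in an example
	}
	return k
}
// template builds either a root CA or a server certificate for name.
func template(name string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // browsers match the SAN, not the CN
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
// mustSign issues tmpl under parent with the parent's private key and parses the result.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewScenario generates fresh keys and both certificate chains.
func NewScenario() *Scenario {
	pubCAKey, proxyCAKey, realKey, fakeKey := newKey(), newKey(), newKey(), newKey()
	pubT, proxyT := template("Public Root CA", 1, true), template("Corp Intercepting Proxy CA", 2, true)
	s := &Scenario{}
	s.PublicCA = mustSign(pubT, pubT, &pubCAKey.PublicKey, pubCAKey)
	s.ProxyCA = mustSign(proxyT, proxyT, &proxyCAKey.PublicKey, proxyCAKey)
	// The genuine server certificate, issued by the public CA.
	s.RealLeaf = mustSign(template(host, 3, false), s.PublicCA, &realKey.PublicKey, pubCAKey)
	// What the proxy mints on the fly for the same host, under its own CA and its own key.
	s.ProxyLeaf = mustSign(template(host, 4, false), s.ProxyCA, &fakeKey.PublicKey, proxyCAKey)
	return s
}

// ChainValid is the check a browser does against its trust store.
func ChainValid(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value HPKP and pinning clients compare.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

func main() {
	s := NewScenario()
	fmt.Println("real chain, public root only:       ", ChainValid(s.RealLeaf, s.PublicCA))
	fmt.Println("proxy chain, public root only:      ", ChainValid(s.ProxyLeaf, s.PublicCA))
	fmt.Println("proxy chain, proxy CA also trusted: ", ChainValid(s.ProxyLeaf, s.PublicCA, s.ProxyCA))
	fmt.Println("pin of real leaf matches proxy leaf:", SPKIPin(s.RealLeaf) == SPKIPin(s.ProxyLeaf))
}
```

Run with `go run main.go`; the four lines print true, false, true, false. The pin comparison is what HPKP and pinning mobile apps do, with one caveat worth knowing: browsers deliberately skip HPKP checks for chains that end at a locally installed root, precisely so that corporate proxies keep working, so a proxy whose CA is in the client’s trust store is invisible to HPKP in practice. A pinning check inside your own application, as above, has no such exemption.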

 

3,110 Comments

  1. Tomi Engdahl says:

    2015 Could Be the Year of the Hospital Hack
    http://it.slashdot.org/story/14/12/29/1257247/2015-could-be-the-year-of-the-hospital-hack

    Required by Obamacare to convert all health records into electronic files, those records are now very vulnerable and experts expect hackers to target them in the coming years.

    “Along with vast troves of credit card information and celebrity snapshots, hackers stole a record number of medical records from U.S. health-care facilities this year. In 2015, attacks targeting health data will become even more common, according to security researchers….”

    2015 Could Be the Year of the Hospital Hack
    Health-care organizations often store medical records and other information insecurely.
    http://www.technologyreview.com/news/533631/2015-could-be-the-year-of-the-hospital-hack/

    Reply
  2. Tomi Engdahl says:

    If the Supreme Court tackles the NSA in 2015, it’ll be one of these five cases
    How a church, terror suspects, and some lawyers are pushing privacy on the legal front.
    http://arstechnica.com/tech-policy/2015/01/if-the-supreme-court-tackles-the-nsa-in-2015-itll-be-one-of-these-five-cases/

    Roughly a year and a half since the first Snowden disclosures, there’s already been a judicial order to shut down the National Security Agency’s bulk metadata collection program.

    “The President has inherent constitutional authority as Commander in Chief and sole organ for the nation in foreign affairs to conduct warrantless surveillance of enemy forces for intelligence purposes to detect and disrupt armed attacks on the United States. Congress does not have the power to restrict the President’s exercise of this authority.”

    Reply
  3. Tomi Engdahl says:

    Hybrid Cloud Adoption Set for a Big Boost in 2015
    http://www.cio.com/article/2860846/hybrid-cloud/hybrid-cloud-adoption-set-for-a-big-boost-in-2015.html

    Industry analyst firm IDC predicts that the global cloud market, including private, public and hybrid clouds, will hit $118 billion in 2015 and crest at $200 billion by 2018.

    The cloud, thanks to users gaining confidence in its security and reliability, is working on some strong momentum.

    “I don’t think the security fears go away,” he said. “I think there’s more consideration and availability of services that provide enhanced security and performance. It’s bridging the gap between low-security public cloud service and high-security private clouds.”

    Reply
  4. Tomi Engdahl says:

    Malware infection suspected at ISC, providers of the BIND DNS server software
    https://nakedsecurity.sophos.com/2015/01/01/malware-infection-suspected-at-isc/

    The Internet Systems Consortium, better known as ISC, thinks it might have had a malware infection.

    That’s the organisation responsible for BIND, a DNS server that is very widely used in production, even though it’s officially just a so-called reference implementation.

    Interestingly, Paul Vixie, founder of the company that led to the ISC, and chief author of the BIND source code, publicly declared about four years ago that the anti-virus industry was “dud.”

    The explanation, such as it is, goes on to blame the parts of ISC’s network that run WordPress, but it doesn’t yet say what went wrong.

    What might have happened?

    Typical hacking and malware problems with WordPress installs, if you’d like to review your own WordPress setup, include:

    Unpatched WordPress software or plugins, leaving known security holes open for attackers.
    Poor password hygiene, including weak passwords, shared or re-used passwords, and no two-factor authentication.
    Poisoned third-party content such as adverts served from external servers.
    Overly-liberal access controls giving too much power to too many users.

    Reply
  5. Tomi Engdahl says:

    Lizard Squad Member Vinnie Omari Arrested After Christmas DDoS Attacks
    Is the whole house collapsing?
    http://www.craveonline.com/gaming/articles/805559-lizard-squad-member-vinnie-omari-arrested-christmas-ddos-attacks

    A 22-year old male that goes by the alias ‘Twickenham’ has just been arrested following a raid on his home in Thames Valley, U.K. Officials claim that he had been stealing funds from PayPal accounts for more than a year.

    What makes this arrest particularly interesting is that the name of the arrested individual lines up with one of the names listed on KrebsOnSecurity‘s report including members of the DDoS group Lizard Squad.

    Previously, no members of Lizard Squad have been arrested. However, the FBI has confirmed its investigation of the group after costly attacks during the week of Christmas that rendered Xbox Live and PlayStation Network nearly inoperable during the most important days of the year.

    Who’s in the Lizard Squad?
    http://krebsonsecurity.com/2014/12/whos-in-the-lizard-squad/

    Member2, the guy that does most of the talking in the BBC interview, appears to be a 22-year-old from the United Kingdom named Vinnie Omari. Sky News ran an on-camera interview with Omari on Dec. 27, quoting him as a “computer security analyst” as he talks about the attacks by LizardSquad and their supposed feud with a rival hacker gang.

    Sources say Kivimäki was arrested by Helsinki police in October 2013 on suspicion of running a huge botnet consisting of more than 60,000 hacked Web servers around the world. Local Finnish media reported on the youth’s arrest, although they didn’t name him. Kivimäki, 16, also was reportedly found in possession of more than 3,000 stolen credit cards.

    Reply
  6. Tomi Engdahl says:

    Anybody can take North Korea offline
    http://blog.erratasec.com/2015/01/anybody-can-take-north-korea-offline.html#.VKaCtXt3B-u

    A couple days after the FBI blamed the Sony hack on North Korea, that country went offline. Many suspected the U.S. government, but the reality is that anybody can do it — even you

    That’s laughably wrong, overestimating the scale of North Korea’s Internet connection, and underestimating the scale of Anonymous’s capabilities.

    North Korea has a roughly ~10-gbps link to the Internet for its IP addresses. That’s only about ten times what Google fiber provides. In other words, 10 American households can have as much bandwidth as the entire country. Anonymous’s capabilities exceed this, scaling past 1-terabit/second, or a hundred times more than needed to take down North Korea.

    Attacks are made easier due to amplifiers on the Internet, which can increase the level of traffic by about 100 times. Thus, in order to overload a 10-gbps link of your target, you only need a 100-mbps link yourself. This is well within the capabilities of a single person.

    Such attacks are difficult to do from your home, because your network connection is asymmetric.

    You’ll probably need to use web host services that sell high upload speed. You can cheaply get a 100-mbps or even 1-gbps upload connection for about $30 per month in bitcoin.

    You need some familiarity with command-line tools. In this age of iPads, the command-line seems like Dark Magic to some people, but it’s something all computer geeks use regularly.

    For this attack to work, you’ll need a list of amplifiers. You can find these lists in hacker forums, or you can just find the amplifiers yourself using masscan (after all, that’s what port scanners are supposed to do).

    What’s actually astonishing is that since millions of people can so easily DDoS North Korea why it doesn’t happen more often.

    Reply
  7. Tomi Engdahl says:

    In 2015, opined Rapid7 Global Security Strategist Trey Ford, companies should:
    1) institute strong password policies;
    2) use two-factor authentication for all external access;
    3) frequently inventory, assess, and test controls to raise confidence that policies are enforced across the network; and
    4) deploy account behavior monitoring and intruder detection to catch attackers that slip through.

    “The technology needed to improve controls, and to better protect and monitor the use of user and administrative accounts exists today,” he said. “Given the lower barrier to entry for, and the strong economic forces and diverse motivations behind cyber-attacks, we expect attacks against organizations of all sizes and industries to increase in 2015.”

    Source: http://www.securityweek.com/top-cybersecurity-headlines-2014

    Reply
  8. Tomi Engdahl says:

    Hello, Finnish bank customer: two pieces of advice on bank attacks

    The crash of the bank’s services was caused by a denial of service attack, i.e. loading the servers so heavily that they do not respond. Online banking becomes frustratingly slow or even impossible, and ATMs do not dispense cash as they should.

    The reasons for denial of service attacks can be myriad: revenge, teasing, an assault on the systems, or vulnerability testing.

    Attacks can also be done by anyone, because they can be ordered from the Internet as easily as pizza. (Generally more easily, because many online pizza retailers have usability problems.)

    Denial of service attack techniques are expected to become much more efficient, if the forecasts are to be believed. At the same time, the critical services of society are expected to come under harassment and intelligence gathering. The banking system is one of them.

    Protections against the attacks are of course being developed all the time, but immediate help is not yet coming. Ordinary people can protect themselves from online attacks in a couple of ways:
    - keep some cash so you can pay for everyday things in the shop if your debit/credit card does not work
    - schedule the payment of bills earlier than the last day

    We still don’t live in a world without cash. And we should not start just yet.

    Source: http://www.iltasanomat.fi/digi/art-1420167319682.html?utm_campaign=tf-IS&utm_medium=tf-desktop&utm_term=2&utm_source=taloussanomat.fi&utm_content=site

    Reply
  9. Tomi Engdahl says:

    Always Answer a Question with a Question
    http://www.securityweek.com/always-answer-question-question

    People who know me know that I love to ask questions. In fact, people sometimes ask me: “Why do you always answer a question with a question?” To this I reply: “Why not?”

    In all seriousness, asking the right questions is one of the most important and fundamental aspects of a successful security program.

    There are two oft-used phrases that come to mind and help me to illustrate my point. I’m sure we’ve all heard the phrases “garbage in, garbage out” and “ask a stupid question, get a stupid answer”. These couldn’t be truer in the realm of information security.

    Questions empower us to move from the problem to the solution.

    Fully grasping the problem is the conception of its solution. From there, we must ask: “What information, technology, knowledge, or otherwise is missing that prevents us from solving this problem?” Understanding the answer to this question subsequently enables us to ask additional, more-detailed questions designed to tease out what we need in order to succeed. As you can see, by asking questions and answering those questions with additional questions, we are working towards solving big problems by breaking them down into smaller, less intractable problems.

    Asking the right questions allows us to approach information security analytically and logically. We need to be able to formulate precise, targeted, incisive queries to hone in on the most relevant data while minimizing time spent with data that are irrelevant. That is the only way to progress towards addressing some of today’s biggest security challenges.

    Consider these points:

    1. Definition. What do we consider critical infrastructure? What do we intend to secure? Casting too narrow a net leaves nation states exposed to unforeseen and unmitigated risks. Casting too wide a net leaves nation states with a never-ending list of assets to secure, many of which may be irrelevant.

    2. Inventory. Where are our critical infrastructure assets located? This question is obviously predicated by the answer to the previous question. But beyond that, do we even know where the assets we want to secure are located? In many countries, the answer to this question is, unfortunately, no.

    3. Strategic plan. How will we go about securing the assets we enumerate? What mix of policy, legislation, regulation, guidance, and other assistance is the right mix?

    4. Implementation. When will we address which issues with what resources (budgetary, technology, expertise, and otherwise)?

    Reply
  10. Tomi Engdahl says:

    The FBI Is Hiring Hackers
    http://uk.businessinsider.com/fbi-cyber-special-agents-2014-12?r=US#ixzz3NfdvWTLO

    The FBI has launched a new campaign to hire a group of tech experts to join the agency and become “cyber special agents.”

    The agency says that it’s looking for people with experience in computer programming, malware analysis, and even ethical hacking.

    An ethical hacker is someone hired by the owner of a computer system to try and break into it in order to test its security. Now, the FBI is looking to hire people with hacking skills to become cyber special agents.

    Reply
  11. Tomi Engdahl says:

    WarSting: A Wi-Fi scanning sword for Hobbits.
    http://blog.spark.io/2014/12/17/warsting-a-wifi-scanning-sword-for-hobbits/

    Sting’s particular magic is that it glows blue whenever orcs or goblins are nearby. This is useful for hobbits, but in today’s day and age, a real Sting would be unfortunately boring.

    But what if Sting could detect unsecured Wi-Fi networks?

    To celebrate the launch of the new Hobbit flick, we made a version of Sting that turns blue near unsecured Wi-Fi networks. And when you slash the sword, Sting will jump on the network, and publish a message: “{YOUR WI-FI NETWORK} has been vanquished!”

    Reply
  12. Tomi Engdahl says:

    Fighting denial of service attacks: “usually the operator transmits all packets”

    OP Financial Group’s services have suffered an exceptionally serious denial of service attack since New Year’s Eve.

    “Yes, based on public information this goes into the top tier of denial of service attacks in Finland. Internationally, attacks on companies of course happen all the time. Even in Finland these are no longer rare, but not all of them get as much attention.”

    He does not know the details of OP’s case, but stresses that fighting volumetric denial of service attacks is generally difficult unless the matter has been practiced in advance.

    “If it has not been agreed and practiced with the operator in advance how the traffic will be cleaned up, fighting large volumes of it is impossible.”

    The operator must consider in advance what kind of traffic can be cleaned up. In practice the operator has at its disposal equipment that can filter packets deemed malicious.

    In that case the attacker’s traffic never gets to burden, at any stage, the bank’s or other organization’s own network. Operators do not normally offer denial of service mitigation to their customers as part of basic services.

    “Usually the operator passes on all incoming packets and cannot filter a single one unless the matter is specifically agreed.”

    Denial of service mitigation is usually an optional extra service, which means the operator charges separately for the work and for the additional equipment used to detect harmful traffic. The equipment operates by rules that differentiate harmful traffic from legitimate traffic.

    Source: http://summa.talentum.fi/article/tv/uutiset/121938

    Reply
  13. Tomi Engdahl says:

    Ben Lovejoy / 9to5Mac:
    Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable
    http://9to5mac.com/2014/12/30/security-researcher-thunderbolt-macs/

    Reply
  14. Tomi Engdahl says:

    If the Supreme Court tackles the NSA in 2015, it’ll be one of these five cases
    How a church, terror suspects, and some lawyers are pushing privacy on the legal front.
    http://arstechnica.com/tech-policy/2015/01/if-the-supreme-court-tackles-the-nsa-in-2015-itll-be-one-of-these-five-cases/

    Roughly a year and a half since the first Snowden disclosures, there’s already been a judicial order to shut down the National Security Agency’s bulk metadata collection program.

    In 2014, a handful of these advanced far enough through the legal system that 2015 is likely to be a big year for privacy policy. One or more could even end up before the Supreme Court.

    “I think it’s impossible to tell which case will be the one that does it, but I believe that, ultimately, the Supreme Court will have to step in and decide the constitutionality of some of the NSA’s practices,” Mark Rumold, an attorney with the Electronic Frontier Foundation, told Ars.

    Reply
  15. Tomi Engdahl says:

    Ask Hackaday: A Robot’s Black Market Shopping Spree
    http://hackaday.com/2015/01/04/darknet-shopper/

    It was bad when kids first started running up cell phone bills with excessive text messaging. Now we’re living in an age where our robots can go off and binge shop on the Silk Road with our hard earned bitcoins. What’s this world coming to? (_sarcasm;)

    For their project ‘Random Darknet Shopper’, Swiss artists [Carmen Weisskopf] and [Domagoj Smoljo] developed a computer program that was given 100 dollars in bitcoins and granted permission to lurk on the dark inter-ether and make purchases at its own discretion.

    As the random items trickled in, they were photographed and put on display as part of their exhibition, ‘The Darknet. From Memes to Onionland’

    Though [Weisskopf] and [Smoljo] aren’t worried about being persecuted for illegal activity, as Swiss law protects their right to freely express ideas publicly through art, the implications behind their exhibition did raise some questions along those lines. If your robot goes out and buys a bounty of crack on its own accord and then gives it to its owner, who is liable for having purchased the crack?

    Reply
  16. Tomi Engdahl says:

    Google Engineer Finds Critical Vulnerability in Windows 8.1, Makes It Public
    http://news.softpedia.com/news/Google-Engineer-Finds-Critical-Vulnerability-in-Windows-8-1-Makes-It-Public-468730.shtml

    Microsoft usually releases security fixes for its software, including the Windows operating system, on Patch Tuesday, but this time the company might have to move a bit faster because of a vulnerability that has been made public by a Google security engineer.
    A Google researcher named forshaw found a critical security flaw in Windows 8.1 that would allow an attacker to get administrator privileges on any system, and at this point, there’s absolutely no workaround or patch available to address this issue.

    forshaw has also posted a Proof of Concept (https://code.google.com/p/google-security-research/issues/detail?id=118) that demonstrates the vulnerability, pointing out that he’s not sure whether the same bug exists in Windows 7 or any other Windows version.

    Microsoft knew about this issue
    Even though some criticized Forshaw for making this vulnerability public, it’s worth mentioning that Microsoft was contacted by the Google engineer soon after finding it in September 2014 as part of the Google Project Zero research program.

    Bug confirmed, fix on its way
    In a statement we received this morning, Microsoft confirms the issue and says that it’s already working on a fix.

    Reply
  17. Tomi Engdahl says:

    Gogo Inflight Internet is intentionally issuing fake SSL certificates
    http://www.neowin.net/news/gogo-inflight-internet-is-intentionally-issuing-fake-ssl-certificates

    SSL/TLS is a protocol that exists to ensure there exists an avenue for secure communication over the Internet. Through the use of cryptography and certificate validation, SSL certificates make man-in-the-middle attacks (where a third party would be able to monitor your internet traffic) difficult, so the transmission of things like credit card numbers and user account passwords becomes significantly safer. In this case, performing a man-in-the-middle attack would require the attacker to attack the SSL certificate first before being able to snoop on someone’s traffic.

    For whatever reason, however, Gogo Inflight Internet seems to believe that they are justified in performing a man-in-the-middle attack on their users.

    This presents itself as an extremely unacceptable action by Gogo which serves in-flight internet to a number of different national and international airlines, including Aeromexico, American Airlines, Air Canada, Japan Airlines and Virgin Atlantic, among many others.

    Earlier this year, it was revealed through the FCC that Gogo partnered with government officials to produce “capabilities to accommodate law enforcement interests” that go beyond those outlined under federal law.

    Reply
  18. Tomi Engdahl says:

    Bitcoin exchange Bitstamp has temporarily closed all of its operations. According to a notice on the service’s home page, hackers may have gained access to one of Bitstamp’s active bitcoin wallets. Bitstamp is one of the largest Internet bitcoin exchanges.

    Source: http://www.tivi.fi/kaikki_uutiset/suuri+bitcoinporssi+epailee+murtoa+quotalkaa+siirtako+bitcoinejaquot/a1040060

    Bitstamp is apparently broken or hacked. I suggest not depositing coins there till they respond.
    http://www.reddit.com/r/Bitcoin/comments/2rd2xe/bitstamp_is_apparently_broken_or_hacked_i_suggest/

    Bitstamp Service Temporarily Suspended
    http://www.bitstamp.net/

    We have reason to believe that one of Bitstamp’s operational wallets was compromised on January 4th, 2015.

    As a security precaution against compromises Bitstamp only maintains a small fraction of customer bitcoins in online systems.

    Reply
  19. Tomi Engdahl says:

    Finnish Bank OP Under Persistent DDoS Attack
    http://it.slashdot.org/story/15/01/04/2252230/finnish-bank-op-under-persistent-ddos-attack

    The Finnish bank OP Pohjola Group has been a target of a dedicated DDoS attack for days. The attack, which investigators said was launched from both Finland and abroad, began on New Year’s Eve. OP was forced to open a helpline for customers unable to confirm payments or transfer money because of jammed systems.

    OP’s cyber attack not over, despite earlier claims
    http://yle.fi/uutiset/ops_cyber_attack_not_over_despite_earlier_claims/7719209

    The Finnish bank said on Sunday morning that the lengthy cyber attack that brought down its online banking services was over. However, on Sunday afternoon further denial of service attacks took place delaying payments and preventing access to banking services for OP Pohjola customers.

    Reply
  20. Tomi Engdahl says:

    Interesting story on ransomware:

    Writer: How My Mom Got Hacked
    http://it.slashdot.org/story/15/01/04/1842254/writer-how-my-mom-got-hacked

    “To get the key to decrypt files you have to pay 500 USD.” If she failed to pay within a week, the price would go up to $1,000.

    It was pointless to argue with her. She had thought through all of her options; she wanted to pay.

    the process of making a cash deposit to the Bitcoin “wallet” provided by her ransomers and she was able to decrypt her files. “From what we can tell, they almost always honor what they say because they want word to get around that they’re trustworthy criminals who’ll give you your files back,” says Chester Wisniewski.

    The peddlers of ransomware are clearly businesspeople who have skillfully tested the market with prices as low as $100 and as high as $800,000, which the city of Detroit refused to pay.

    Reply
  21. Tomi Engdahl says:

    Snooker WPA secrets with this Wi-Fi tool
    Jammed and canned
    http://www.theregister.co.uk/2015/01/05/snooker_wpa_secrets_with_this_wifi_tool/

    Crypto geek George Chatzisofroniou has published a WiFi social engineering tool used to steal credentials and credit cards from users of secure wireless networks.

    The administrator at the University of Greece developed the WiFiPhisher tool which sought out and then replicated WPA-protected networks, sans password.

    The tool, yours for the taking on GitHub, spits deauthorisation packets at a legitimate access point jamming it and prompting users to inspect available networks.

    Users will see the malicious network masquerading as their trusted access point.

    “WiFiPhisher is a security tool that mounts fast automated phishing attacks against WPA networks in order to obtain the secret passphrase [and] does not include any brute forcing,”

    “As soon as the victim requests a page from the internet, WifiPhisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.”

    Users would need to ignore warnings generated by various devices in response to joining the now-unprotected mimicked network.

    https://github.com/sophron/wifiphisher

    Reply
  22. Tomi Engdahl says:

    Canadian ISPs and VPNs Now Have to Alert Pirating Customers
    on January 2, 2015
    http://torrentfreak.com/canadian-isps-vpns-now-alert-pirating-customers-150102/

    Breaking

    Starting today Canadian Internet providers are required to forward copyright infringement notices to their subscribers. This notification scheme provides a safe harbor for ISPs but is also expected to result in a surge in piracy settlement schemes. The new law further causes trouble for VPN providers, who are now required to log customers for at least six months.

    Reply
  23. Tomi Engdahl says:

    CES 2015: Warning over data grabbed by smart gadgets
    http://www.bbc.com/news/technology-30705361

    A “deeply personal” picture of every consumer could be grabbed by futuristic smart gadgets, the chair of the US Federal Trade Commission has warned.

    Speaking at CES, Edith Ramirez said a future full of smart gadgets that watch what we do posed a threat to privacy.

    The collated data could create a false impression if given to employers, universities or companies, she said.

    Ms Ramirez urged tech firms to make sure gadgets gathered the minimum data needed to fulfil their function.

    The internet of things (IoT), which will populate homes, cars and bodies with devices that use sophisticated sensors to monitor people, could easily build up a “deeply personal and startlingly complete picture” of a person’s lifestyle, said Ms Ramirez.

    The data picture would include details about an individuals credit history, health, religious preferences, family, friends and a host of other indicators, she said.

    Reply
  24. Tomi Engdahl says:

    Hackers pilfer $5 MEELLION in BTC from Bitstamp
    Exchange promises service – and funny money – will be restored in a day or two
    http://www.theregister.co.uk/2015/01/07/hackers_pilfer_5_meelion_from_bitstamp_exchange/

    Criminals have made off with a whopping US$5 million after raiding bitcoin exchange Bitstamp.

    The attack, in the early hours of Monday, pilfered the site’s online operation wallets used for rapid currency exchange.

    Bitcoin exchanges and darkweb drug sites have been repeatedly targeted by hackers or insiders seeking to run off with the valuable anonymous currency.

    Reply
  25. Tomi Engdahl says:

    It’s 2015 and ATMs don’t know when a daughterboard is breaking them
    Cash machines pay out after USB module gets a call from a Galaxy S4
    http://www.theregister.co.uk/2015/01/07/atm_jackpotted_with_samsung_s4/

    Carders have jackpotted an ATM by inserting a circuit board into the USB ports of an ATM, tricking it into spitting out cash.

    The technique was thought to have emulated the cash dispenser of the ATM so the brains of the machine thought everything was normal, buying additional time for the brazen crooks to make off with the cash.

    A Samsung Galaxy S4 was then used by a remote attacker to issue commands to the dispenser, cybercrime scribe Brian Krebs reported.

    NCR global security manager Charlie Harrow said the circuit board gives crime lords control, but the folks who install it are not necessarily the real perps.

    “… you have the Mr. Big back at the hideout who’s sending the commands, and the mules are the ones at the ATMs,” Harrow said.

    “So the mule who has the black box is unable to activate the attack unless he gets the command from the Mr. Big, and the mobile phone is the best way to do that.”

    The amount of cash stolen was not revealed.

    The mobile phone component also made it difficult for investigators to piece together how the attackers pushed commands through to the cash dispenser.

    Thieves Jackpot ATMs With ‘Black Box’ Attack
    http://krebsonsecurity.com/2015/01/thieves-jackpot-atms-with-black-box-attack/

    Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about the emergence of a new class of skimming scams aimed at draining ATM cash deposits via a novel and complex attack.

    At issue is a form of ATM fraud known as a “black box” attack. In a black box assault, the crooks gain physical access to the top of the cash machine. From there, the attackers are able to disconnect the ATM’s cash dispenser from the “core” (the computer and brains of the device), and then connect their own computer that can be used to issue commands forcing the dispenser to spit out cash.

    NCR says the crooks then attached a smart phone (a virgin, out-of-the-box Samsung Galaxy 4), which they used as a conduit through which to send commands to the cash dispenser remotely. According to Harrow, the mobile phone was set up to relay commands through a dynamic IP service.

    “Which meant that the real attacker sending the commands was somewhere remote from the ATM,” Harrow said.

    Reply
  26. Tomi Engdahl says:

    Buffer overflow reported in UEFI EDK1
    Firmware patching scramble begins
    http://www.theregister.co.uk/2015/01/07/buffer_overflow_reported_in_uefi_edk1/

    A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.

    Bromium researcher Rafal Wojtczuk and MITRE Corp’s Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.

    Exploitation could be nasty if code is instantiated earlier on when booting was less secure and the SPI Flash with its firmware is accessible.

    An attacker exploiting early could gain a persistent foothold in systems, Kallenberg said.

    Reply
  27. Tomi Engdahl says:

    Vulnerability Note VU#533140
    UEFI EDK1 vulnerable to buffer overflow
    http://www.kb.cert.org/vuls/id/533140

    The open source EDK1 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Commercial UEFI implementations may incorporate portions of the EDK1 source code.

    According to Rafal Wojtczuk and Corey Kallenberg, a buffer overflow vulnerability exists in the Edk1/source/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c source file.

    Please see the Vendor Information section below to determine if your system may be affected.

    “The impact of the vulnerability depends on the earliness at which the vulnerable code can be instantiated. Generally, as the boot up of the platform progresses, the platform becomes more and more locked down.

    Reply
  28. Tomi Engdahl says:

    Report: DHS Failing On Cybersecurity
    http://yro.slashdot.org/story/15/01/06/2331223/report-dhs-failing-on-cybersecurity

    It’s always interesting to listen to what politicians say on their way out of office

    The report, “A Review of the Department of Homeland Security’s Missions and Performance (PDF),” was released on Saturday. In it, the outgoing Senator said that DHS’s strategy and programs “are unlikely to protect us from the adversaries that pose the greatest cybersecurity threat.”

    Despite spending $700 million annually on a range of cybersecurity programs, Coburn said it is hard to know whether the Department’s efforts to assist the private sector in identifying, mitigating or remediating cyber incidents provide “significant value” or are worth the expense.

    A Review of the Department of Homeland Security’s Missions and Performance (PDF)
    http://www.hsgac.senate.gov/download/?id=B92B8382-DBCE-403C-A08A-727F89C2BC9B

    Reply
  29. Tomi Engdahl says:

    Security: a Method, Not a Goal
    http://www.linuxjournal.com/content/january-2015-issue-linux-journal-security

    It turns out that although I have a fairly wide set of technology skills, I’m not the person you want in charge of securing your network or your systems. By default, Linux is designed with a moderate amount of security in mind. For that, I am incredibly grateful. If you struggle with maintaining security in your environment, this issue hopefully will encourage and educate as opposed to making you feel guilty.

    basics of running a secure server in the cloud. EC2 instances are commonplace in almost every company’s infrastructure, but having your server run completely in the open is a dangerous endeavor without a very serious look at security.

    One of the biggest problems with securing a network is knowing where to start. It’s a lot easier to figure out that starting point if you know how secure your network right now. Jeramiah Bowling describes the process of doing an internal security review to identify problems.

    detecting bogus login attempts and mitigating the threat they represent. Having a good password is key to keeping hackers out, but if they have unlimited guesses, eventually your system might succumb to the attacks.
    a banning system to disable logins when someone tries and fails over and over

    securing Web traffic with Squid. Every organization has different needs when it comes to a Web policy

    Like many things in the Linux world, security isn’t a thing you “do”, it’s a “way” you do things in general. Rather than set up your system and network, and then try to secure it as an afterthought, thinking with a security-focused mindset from the beginning is key. This issue offers some great insight on security matters, and hopefully, it sparks an interest for further change in your network.

    Reply
  30. Tomi Engdahl says:

    Manage security in real time
    SIEMs like a good idea
    http://whitepapers.theregister.co.uk/paper/view/3440/

    You face more, and more dangerous threats every day – drive-by infections, APTs, executive targeted phishing to name three. At the same time, the potential attack surface of IT systems are growing rapidly: your VMs, your cloud, your users’ mobile devices are all at risk. You have probably spent a large part of 2014 developing external-facing web applications. How do you secure them all?

    have multiple tools handling security, making it impossible to get an idea of security in real time. Operating best-effort security isn’t enough, but Security Information and event Management (SIEM), touted as the answer to this, has so far been complicated to set up and hard to interpret.

    Is SIEM the future of enterprise security and, if so, what will that future look like?

    Security information and event management
    http://en.wikipedia.org/wiki/Security_information_and_event_management

    SIEM : Security information and event management (SIEM) is a term for software products and services combining security information management (SIM) and security event management (SEM). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. SIEM is sold as software, appliances or managed services, and are also used to log security data and generate reports for compliance purposes.[1]

    The acronyms SEM, SIM and SIEM have been sometimes used interchangeably.[2] The segment of security management that deals with real-time monitoring, correlation of events, notifications and console views is commonly known as security event management (SEM). The second area provides long-term storage, analysis and reporting of log data and is known as security information management (SIM).[3] As with many meanings and definitions of capabilities evolving requirements continually shape derivatives of SIEM product categories. The need for voice centric visibility or vSIEM (voice security information and event management) is a recent example of this evolution.

    Reply
  31. Tomi Engdahl says:

    Is this the first leaked Instagram from the Obama family?
    The Obama family: they’re just like us!
    http://www.theverge.com/tldr/2015/1/5/7495151/malia-obama-instagram-leak

    An alleged photo of Malia Obama was published on Instagram, according to multiple news sources.

    In a 2013 interview with Barbara Walters on 20/20, First Lady Michelle Obama commented on why Malia had limited access to Facebook, and her younger daughter Sasha wasn’t allowed access at all:

    “I still am not a big believer in Facebook for young people … particularly for them, because they’re in the public eye,” the first lady said. “Some of it’s stuff they don’t need to see and be a part of … So we try to protect them from too much of the public voice.”

    I never considered how the two Obama children, having zero public social media presence, are so unlike normal children their age.

    The Obama family’s absence from the normal people internet makes this otherwise typical teenage photo feel both precious and disorienting.

    But consider this: just because the Obama family doesn’t exist publicly on social media doesn’t mean they aren’t still living an otherwise typical digital life. They’re almost certainly still taking family photos and private selfies that live quietly on disconnected hard drives, waiting to be exhumed by themselves, or strangely, some historian that hasn’t been born yet.

    Reply
  32. Tomi Engdahl says:

    In-Flight Service Gogo Uses Fake SSL Certificates To Throttle Streaming
    http://it.slashdot.org/story/15/01/07/2030258/in-flight-service-gogo-uses-fake-ssl-certificates-to-throttle-streaming

    In-flight internet service Gogo has defended its use of a fake Google SSL certificates as a means of throttling video streaming, adding that it was not invading its customer’s privacy in doing so. The rebuttal comes after Google security researcher Adrienne Porter Felt posted a screenshot of the phoney certificate to Twitter.

    Gogo Serving Fake SSL Certificates to Block Streaming Sites
    http://www.pcmag.com/article2/0,2817,2474664,00.asp

    Mile-high Web provider Gogo appears to be running man-in-the-middle attacks on its own customers.

    Based on a report by Google engineer Adrienne Porter Felt, Gogo Inflight Internet is serving SSL certificates from Gogo instead of site providers—a big no-no in online security.

    The move could mean that passwords and other sensitive information entered while logged into the Gogo service could have been compromised.

    A member of the Google Chrome security team, Porter Felt last week tweeted a screenshot of her computer during a flight.

    Reply
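Both Gogo stories (comments 17 and 32 above) turn on the same observation: the certificate presented for a Google hostname was signed by Gogo rather than by Google's CA. The block below is an added example, not code from Neowin, Slashdot or PCMag, showing the kind of client-side check that catches this. It works on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same function can run against a live connection; the two certificates are constructed samples with a made-up issuer name, and the issuer allowlist is a coarse form of pinning that is assumed here for illustration.

```python
"""Flag an intercepting certificate from the fields a TLS client already sees.

Added example (not code from the articles above). The two certificates below
are constructed samples in getpeercert() dict form, not real certificates.
"""
import ssl
import time

# Constructed: the shape of a legitimate leaf certificate for www.google.com.
GOOD_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Google Inc"),),
               (("commonName", "Google Internet Authority G2"),)),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com")),
    "notAfter": "Apr  8 12:00:00 2016 GMT",
}

# Constructed: what an in-path proxy hands out for the same name. The subject
# looks right; only the issuer gives it away.
PROXY_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("commonName", "Constructed Interception Proxy CA"),),),
    "subjectAltName": (("DNS", "*.google.com"),),
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}

# A fixed "now" so the example is reproducible: 7 Jan 2015, when the story ran.
AT_THE_TIME = ssl.cert_time_to_seconds("Jan  7 00:00:00 2015 GMT")


def _field(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def _hostname_matches(cert, hostname):
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # fall back to the subject CN only when there is no SAN
        cn = _field(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    return any(_name_matches(n, hostname) for n in names)


def check_peer_cert(cert, hostname, trusted_issuer_orgs, now=None):
    """Return a list of findings; an empty list means the leaf looks as expected.

    trusted_issuer_orgs is the set of organizationName values expected to sign
    certificates for this host (a coarse pin). A proxy that mints its own
    certificate fails this check even when the client trusts the proxy's CA.
    """
    findings = []
    if not _hostname_matches(cert, hostname):
        findings.append("hostname mismatch")
    issuer = cert.get("issuer", ())
    org = _field(issuer, "organizationName")
    if org not in trusted_issuer_orgs:
        findings.append("unexpected issuer: %s" % (org or _field(issuer, "commonName")))
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate expired")
    return findings


if __name__ == "__main__":
    for label, cert in (("legitimate", GOOD_CERT), ("proxy", PROXY_CERT)):
        print(label, check_peer_cert(cert, "www.google.com", {"Google Inc"}, now=AT_THE_TIME))
```

On a live socket the same dict comes from `conn.getpeercert()` after a normal handshake with a verifying context, which is why an interception proxy that has installed its own root on the device still trips the issuer check: the chain validates, but it does not end where the application expects. Pinning the issuer organisation is the coarse version; pinning the SPKI hash of the expected CA is the stricter one and survives certificate rotation by the real operator.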
  33. Tomi Engdahl says:

    The number of cyberespionage attacks across the Web rose 15 percent between 2011 and 2013, according to a report by Verizon. The annual cost of a successful cyberattack increased to $20.8 million in the financial sector, $14.5 million in technology and $12.7 million in the communications industry, according to a Heritage Foundation report released just before the attack on Sony. The average cost for hacks at retail stores doubled in just a year to $8.6 million per company.

    Most attacks targeting the US come from China and France, in addition to those originating on American soil, according to Internet research firm Norse. State-sponsored hacking is “undeniably on the rise,” said Kurt Stammberger, senior vice president of market development at Norse.

    Source: http://www.cnet.com/news/sony-and-the-rise-of-state-sponsored-hacking/

    Reply
  34. Tomi Engdahl says:

    Retailers Seem Less Concerned About Data Security

    Despite the data disasters at Target and Home Depot, retail CIOs have a below-average interest in upgrading cybersecurity

    Overall, 23 percent of CIOs say that increasing cybersecurity will be the most significant reason for IT investments this year.

    But for now, the focus is on profits. “Retailers are under enormous strain to keep afloat.”

    While many retail CIOs did not place security atop their priority lists, they’re not ignoring it. “I definitely put security near the top, in light of recent events like Home Depot,” says Jack Wood, CIO of Wayfair, a $916 million online retailer. “Anything that touches customer data tends to be a priority for us. Cybersecurity ranks among the highest for those.”

    Wood says he’s addressing security by examining Wayfair’s technology stack and making risk assessments to ensure that he has made the right investments.

    Source: http://www.cio.com/article/2860697/it-strategy/cios-need-to-snap-out-of-complacency.html?page=3

    Reply
  35. Tomi Engdahl says:

    Cryptowall’s ransomware’s tough layers peeled
    Cisco researchers reveal cunning crypto and 64-bit emulation tricks
    http://www.theregister.co.uk/2015/01/08/ciscos_eyes_water_as_cryptowalls_tough_layers_peeled/

    Cryptowall’s 2.0 incarnation is hidden in a tough shell crafted by developers paranoid about the security research community, technical analysis reveals.

    The ransomware has matured much since it emerged last year, encrypting victims’ files and demanding money for the supply of a decryption key. Its superior design led to criminals generating an estimated US$1 million in profits in six months.

    Cisco engineers Andrea Allievi and Earl Carter peeling back the layers of the Cryptowall 2.0 onion found creators had gone to lengths to avoid detection and to ensure successful execution on different platforms.

    “Just getting these complex samples to run in a sandbox can be challenging, making analysis more complicated and involved,” the pair wrote in a joint analysis.

    Reply
  36. Tomi Engdahl says:

    Many malware authors had gone to great lengths to avoid the eyes of prying researchers, leading to a cat-and-mouse game of detection and evasion where lessons learnt were built into subsequent iterations of crime ware.

    Source: http://www.theregister.co.uk/2015/01/08/ciscos_eyes_water_as_cryptowalls_tough_layers_peeled/

    Reply
  37. Tomi Engdahl says:

    Porn Companies Are Going After GitHub
    http://motherboard.vice.com/read/porn-companies-are-going-after-github

    Porn production companies are currently engaged in a scorched earth copyright infringement campaign against torrenting sites with URLs containing specific keywords—say, “thrust” or “glob-watcher.” GitHub, a popular site for coders that allows professionals and hobbyists to create open source software together, is getting caught in the crossfire.

    Several Digital Millennium Copyright Act (DMCA) complaints filed to Google by companies representing various porn companies in the last month alone have resulted in dozens of legitimate GitHub URLs being removed from the search engine’s results, TorrentFreak first reported.

    “an anti-piracy service flagged GitHub after finding pages with links to torrent sites”

    Among the offending URLs were GitHub support pages, entire code repositories, and user profile pages.

    According to Janczuk, removing GitHub pages from Google’s search results could harm the open source software community by reducing its visibility online.

    “Removal of GitHub content or reduction of its visibility would have a substantial impact on companies or individuals participating in the open source model,” Janczuk said in an email, “since high visibility of [open source software] content is frequently part of a marketing strategy.”

    Janczuk also had no clue that his GitHub page was being targeted by DMCA spammers. “I was blissfully unaware of this,” he said. After our conversation, Janczuk told me, he notified Google of its mistake.

    Reply
  38. Tomi Engdahl says:

    Hats Off to Mozilla
    http://www.linuxjournal.com/content/hats-mozilla

    The first is centralization.

    Ten years ago, we still were in what Tantek Çelik calls “the heyday of the independent Web”. Back then, it was easy to homestead on the Net’s frontier with your own domain, site, blog, e-mail and so on.

    On mobile devices, we also live inside the castles of carriers, plus every app’s own walled garden inside those castles. This is very different from the personal computing world, where the Net and the Web are the infrastructural contexts. The Net by nature (its base protocols) has no national boundaries, no tariffs, no “roaming” between countries and carrier networks. The Web by nature is all about links. But apps aren’t about links. They are silos by design. Worse, we don’t acquire them in the open marketplace, but through company stores inside Apple, Google and Microsoft.

    The second is surveillance.

    We are watched constantly on the commercial Net: in our browsers, though our mobile devices and now by our cars as well. Our overlords rationalize surveillance with five assumptions:

    People can be better known by machines than by themselves.
    People are always looking to buy something.
    The best form of advertising is the most personalized.
    Secretly following people is good for business, law enforcement, government and other institutional graces of civilization.
    Nobody’s stopping us, so it must be okay.

    We now have massive data centers devoted to crunching data gathered about us and barfing billions (trillions?) of ads back at us everywhere, whether we like it or not, with utter disregard for collateral damage in the form of ill will and waste levels of 99% and up.

    Reply
  39. Tomi Engdahl says:

    German minister photo fingerprint ‘theft’ seemed far too EASY, wail securobods
    Security industry fear after apparent digit sig nickery
    http://www.theregister.co.uk/2014/12/30/hacking_fingerprints_get_a_hires_pic_and_commercial_software/

    Claims that fingerprints can be cloned from pictures are being taken seriously by security experts, who argue that any possible hack underlines the fragility of the biometric technique.

    Hacker Jan “Starbug” Krissler cloned the thumbprint of the German Defence Minister Ursula von der Leyen after photographing her hand at a press conference.

    During a presentation at the annual Chaos Computer Club hacker conference in Hamburg, Krissler explained how he used commercial fingerprint software from Verifinger to map out the contours of the minister’s thumbprint from the hi-res image taken using a telephoto lens.

    Krissler’s previous credits include successfully defeating Apple’s TouchID fingerprint lock.

    He applied the same technique of taking reversed images of digital photographs before using flexible materials, and laser printers to create false fingerprints.

    Using a “raised ink” printing process, it’s possible to print an image on a very thin plastic surface, such as the skin of a balloon. By wearing the balloon skin over a finger, anyone can then assume the identity associated with the lifted fingerprint.

    Reply
  40. Tomi Engdahl says:

    North Korea boosted ‘cyber forces’ to 6,000 troops, South says
    http://www.reuters.com/article/2015/01/07/us-northkorea-southkorea-idUSKBN0KF1CD20150107

    North Korean military’s “cyber army” has boosted its numbers to 6,000 troops, the South Korean Defence Ministry said on Tuesday, double Seoul’s estimate for the force in 2013, and is working to cause “physical and psychological paralysis” in the South.

    Reply
  41. Tomi Engdahl says:

    Cyberattack in Germany Shuts Down Official Sites
    By ALISON SMALE, JAN. 7, 2015
    http://www.nytimes.com/2015/01/08/world/europe/german-government-websites-shut-down-and-ukraine-group-claims-responsibility.html?_r=0

    At least three official German websites, including Chancellor Angela Merkel’s page, were inaccessible on Wednesday after an apparent cyberattack.

    A group demanding that Germany sever ties with Ukraine and halt financial and political support for the government in the capital, Kiev, claimed responsibility for shutting down at least two sites, the chancellor’s and the website of the Bundestag, or lower house of Parliament.

    A Foreign Ministry official later said that the ministry’s site was also inaccessible.

    Reply
  42. Tomi Engdahl says:

    A Photograph Can Help Fool Your Phone’s Fingerprint Sensor
    Well, several photographs, really
    http://www.popsci.com/photograph-can-help-fool-your-phones-fingerprint-sensor

    We already knew it was possible to trick a fingerprint sensor — such as the Touch ID system on the iPhone — into believing that you’re the owner of said phone. Now, a German hacker has shown that it’s possible to acquire a fingerprint simply from a photograph of the digit in question.

    However, if you’re rushing off to disable the fingerprint authentication on your smartphone, you might want to wait just a moment. Despite the impressive nature of Krissler’s feat, there are a few caveats. For one thing, reconstructing the whole fingerprint took several photographs of Von der Leyen from different angles.

    For another, the chances of this vulnerability affecting the average user is pretty low; this is more of a risk for high profile people who are being actively targeted. And while Krissler suggested that his research might prompt politicians and public figures to wear gloves when making appearances—shades of the Victorian era!—this hardly presents a clear and present danger to biometric security.

    Reply
  43. Tomi Engdahl says:

    What Is Going To Happen
    http://avc.com/2015/01/what-is-going-to-happen/

    8/ The horrible year that bitcoin had in 2014 will be a wakeup call for all stakeholders.

    9/ the enterprise/saas sector will shine in 2015 with dozens of emerging important new companies taking advantage of the cloud and mobile to redefine what work and workflow looks like in the enterprise.

    10/ cybersecurity budgets will explode in 2015 as every company, institution, and government attempts to avoid being Sony’d.

    11/ the health care sector will start to feel the pressure of real patient centered healthcare brought on by the trifecta of the smartphone

    What Just Happened?
    http://avc.com/2014/12/what-just-happened/

    Reply
  44. Tomi Engdahl says:

    Security and cyber attacks were among last year’s hottest topics. The industry surfaced in the news this year when the well-known group calling itself Lizard Squad drew the world’s attention at Christmas with a paralyzing denial of service attack on Sony’s and Microsoft’s console network services.

    This year, news headlines have reported on the banks’ operations being hampered by flood attacks. At least OP Bank and Nordea have said that they have been the subject of denial of service attacks. In addition, Danske Bank had log-in problems.

    So far, the attackers have not caused any damage that the bank has not been able to manage itself.

    There is reason to talk a lot about cyber security. The electronic element is an integral part of our lives. Often, services are so integral to our lives that their role becomes apparent only when they do not work.

    A successful cyber attack against a bank causes serious problems. Companies, and especially financial institutions, put a lot of resources and energy into protection, but man-made systems always have gaps despite audits and careful testing. Even without these, services can be clogged by denial of service attacks to the point that they stop functioning, at least temporarily.

    From a cyber security point of view, there is a lot of talk about attacks, but preparing for the problems has not made big headlines. At least a temporary problem with the bank can be prepared for with a very simple action: keeping a suitable amount of cash also covers a situation in which your bank card does not work as expected.

    A small amount of cash at home gives a little leeway and is also likely useful in a crisis: it works as a small reserve to meet unexpected expenses.

    Source: http://www.tivi.fi/blogit/uutiskommentti/kybervarautuminen+on+kyberturvallisuutta/a1040288

  45. Tomi Engdahl says:

    New Emotet Variant Targets Banking Credentials of German Speakers
    http://www.securityweek.com/new-emotet-variant-targets-banking-credentials-german-speakers

    Researchers at Microsoft have spotted a new variant of the Emotet Trojan, a threat used by cybercriminals to collect banking credentials.

    The malware variant, detected by Microsoft as Trojan:Win32/Emotet.C, was first seen in November, when malicious actors were distributing it with the aid of spam emails related to phone bills and invoices.

    The campaign, which peaked in November, mainly targeted German speakers. In the last 30 days, the largest number of victims were identified in Germany (44.33%), Austria (11.64%), and Switzerland (3.66%). Infections were also seen in Hungary, Poland, the Netherlands, Slovenia, the Czech Republic, Denmark and the Slovak Republic, Microsoft said.

    The spam emails contain links that point to websites set up to serve a .zip archive containing an executable file. To avoid raising suspicion, the attackers use PDF document icons and long names that make the file extension more difficult to notice.

    “Emotet’s spam module (detected as Spammer:Win32/Cetsiol.A) logs into email services using the stolen account name and passwords to send the spam. This means traditional anti-spam techniques, such as callback verification, won’t be applicable because the email is sent from a vetted or legitimate email address,” HeungSoo (David) Kang of Microsoft’s Malware Protection Center wrote in a blog post on Tuesday.

  46. Tomi Engdahl says:

    The downsides of cloud
    http://www.cloudpro.co.uk/cloud-essentials/cloud-security/4737/the-downsides-of-cloud

    The benefits of cloud are well-documented, but there are some drawbacks that cannot be ignored

    There’s been an inexorable rise in cloud use this past year, and we’re getting to the stage where something like three-quarters of companies are now moving off-premise, with many others expected to follow suit.

    Now cloud is universally accepted as the way forward, are there still any sceptics out there? Consultant Mike Cadden, a former CIO, says there are still issues with cloud, but security isn’t one of them.

    “Security is a big issue for everybody, it’s not just a problem with cloud,” he says. “In fact, reasonable cloud providers will provide better security than most companies have for themselves. Cloud providers live and die by the security systems they provide.”

    For Cadden, there’s another, more pressing issue. He says, with cloud, there’s a lot more leg-work to do before taking up a cloud service, which is not something a customer can skimp on. “Taking a cloud service will save money in the long run but only if you put in the hard yards upfront.”

    For Laurent Lachal, an analyst at Ovum, one of the major downsides of cloud implementation is what he terms “Frankencloud”, a concept that can’t be defined too precisely but relates to the lack of standardisation around the notion of cloud. Not only do the cloud providers package and define their cloud offerings in different ways but there’s “a lack of integration between the various elements of some cloud solutions,” he says.

    For Cadden, even successful cloud projects can have their downsides. “There can be a lack of control with cloud”,

    Another common issue with cloud is unexpected costs. This could be because of business departments buying software without recourse to IT.

    Or it could be due to a lack of understanding of cloud.

    While many organisations continue their move to cloud, it’s not always the case that it will be best way forward. Potential customers will have to put in the effort to ensure that they’re not going to be paying over the odds or left high and dry after a dispute. The technical arguments may have been won but there are still legal battles ahead.

  47. Tomi Engdahl says:

    When Responsible Disclosure Isn’t Enough
    http://hackaday.com/2015/01/08/when-responsible-disclosure-isnt-enough/

    Moonpig is a well-known greeting card company in the UK. You can use their services to send personalized greeting cards to your friends and family. [Paul] decided to do some digging around and discovered a few security vulnerabilities between the Moonpig Android app and their API.

    First of all, [Paul] noticed that the system was using basic authentication. This is not ideal, but the company was at least using SSL encryption to protect the customer credentials.

    [Paul] created a new account and found that the credentials were the same.

    GetCreditCardDetails method. [Paul] gave it a shot, and sure enough the system dumped out credit card details

    [Paul] disclosed the vulnerability responsibly to Moonpig in August 2013.

    On January 5, 2015, the vulnerability was still not resolved.

    [Paul] decided that enough was enough, and he might as well just publish his findings online to help press the issue. It seems to have worked.

    Moonpig vulnerability
    05 January 2015
    http://www.ifc0nfig.com/moonpig-vulnerability/

    Moonpig are one of the most well known companies that sell personalised greeting cards in the UK. In 2007 they had a 90% market share and shipped nearly 6 million cards. In July 2011 they were bought by PhotoBox.

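The access-control failure sketched in the Moonpig post above (one hard-coded API credential shared by every copy of the app, and a card-details method that trusts a caller-supplied customer id) can be illustrated with a small toy API. This is an added example, not Moonpig's or [Paul]'s code; the customer records, the credential value and the session tokens are constructed here.

```python
import base64

# Constructed sample data: hypothetical customers with masked card numbers.
CUSTOMERS = {
    101: {"name": "Alice", "card": "****1111"},
    102: {"name": "Bob", "card": "****2222"},
}
# Weak design: a single credential baked into every installed copy of the app.
SHARED_APP_CREDENTIAL = ("card-app", "static-secret")  # hypothetical value
# Hardened design: per-user session tokens (constructed) mapped to a customer id.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


def make_basic_header(user, password):
    """Build the HTTP Basic Authorization header the vulnerable API expects."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _basic_creds(header):
    """Decode an HTTP Basic Authorization header into (user, password)."""
    if not header or not header.startswith("Basic "):
        return None
    user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    return (user, pw)


def get_card_vulnerable(headers, customer_id):
    """Vulnerable: authenticates the *app*, not the user, then trusts customer_id.
    Any caller holding the shared credential can read any customer's record."""
    if _basic_creds(headers.get("Authorization")) != SHARED_APP_CREDENTIAL:
        return 401, None
    record = CUSTOMERS.get(customer_id)
    return (200, record["card"]) if record else (404, None)


def get_card_fixed(headers, customer_id):
    """Fixed: the caller's identity comes from a per-user token, and the
    requested customer_id must match it (object-level authorization)."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return 401, None
    owner = SESSIONS.get(token[7:])
    if owner is None:
        return 401, None
    if owner != customer_id:
        return 403, None  # the caller may not read another customer's record
    return 200, CUSTOMERS[customer_id]["card"]
```

The defender's takeaway is the second function: authenticate the person, not the client software, and check that the authenticated principal owns the object named in the request before returning it.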
  48. Tomi Engdahl says:

    Writers living in ‘free’ democracies are self-censoring
    http://www.wired.co.uk/news/archive/2015-01/08/pen-survey-government-censorship

    The chilling effects of government mass surveillance that Tim Berners-Lee predicted would follow in the wake of the Snowden leaks, appear to have materialised. At least among the writers of the world.

    An opinion survey of 772 writers living in 50 countries, including those across Western Europe, was carried out by literary association the PEN American Centre between August 18 and October 15, 2014. It found that writers living in democratic countries classed as “Free” — in terms of self-expression and related liberties — are self-censoring public and private language at levels nearing those of repressed nations.

    As you might expect, the team behind the study calls for government reforms around mass surveillance.

    The PEN survey, which asked the writers to think about a series of questions specifically in context of government surveillance, used a measure developed by a non-governmental US democracy watchdog to class countries as “Free”, “Partly Free”, or “Not Free”. The results are fairly staggering, with 42 percent of respondents in “Free” countries admitting they have “curtailed or avoided activities on social media, or seriously considered it, due to fear of government surveillance”, versus 53 percent in those countries deemed “Not Free”.

    Twenty-six percent of writers in “Free” nations admitted to refraining from conducting internet searches or visiting sites on controversial topics, or seriously considering such behaviour, while the figure is exactly the same for those living in “Not Free” countries.

    “Free” nation stats that are just as worrying, though still around 30 percent below the levels of “Not Free” nations, include the admission that 34 percent have avoided writing or speaking on a particular topic, or have seriously considered it, while 31 percent have avoided conversations on phone or email, or seriously considered it.

    At a time when journalists are being killed in Europe by extremists for their ideas, and writers are self-censoring for fear of government intrusion, the future of free speech in the apparently “free” world looks to be a murky one if left unchallenged.

  49. Tomi Engdahl says:

    How the FBI traced ‘sloppy’ Sony hackers
    http://www.wired.co.uk/news/archive/2015-01/08/fbi-director-north-korean-hackers

    The Obama administration has been tightlipped about its controversial naming of the North Korean government as the definitive source of the hack that eviscerated Sony Pictures Entertainment late last year. But FBI director James Comey is standing by the bureau’s conclusion, and has offered up a few tiny breadcrumbs of the evidence that led to it. Those crumbs include the claim that Sony hackers sometimes failed to use the proxy servers that masked the origin of their attack, revealing IP addresses that the FBI says were used exclusively by North Korea.

    “In nearly every case, [the Sony hackers known as the Guardians of Peace] used proxy servers to disguise where they were coming from in sending these emails and posting these statements. But several times they got sloppy,” Comey said. “Several times, either because they forgot or because of a technical problem, they connected directly and we could see that the IPs they were using…were exclusively used by the North Koreans.”

    “They shut it off very quickly once they saw the mistake,” he added. “But not before we saw where it was coming from.”

    Comey’s brief and cryptic remarks — with no opportunity for followup questions from reporters — respond to skepticism and calls for more evidence from cyber-security experts unsatisfied with the FBI’s vague statements tying the hack to North Korean government.

    Following those elliptical statements, the cyber-security community demanded more information be released to prove North Korea’s involvement.

    Comey also hinted that the intelligence community, seemingly including the NSA, agreed with the FBI’s analysis. “There is not much in this life that I have high confidence about,” he said. “I have very high confidence in this attribution, as does the entire intelligence community.”

    That pseudo-explanation will likely do little to quell the security community’s doubts.
