Security trends for 2015

Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.

Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.”  Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers.  I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.

As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.

Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before.  End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    5 New Vulnerabilities Uncovered In SAP
    Onapsis researchers find bugs in SAP BusinessObjects and SAP HANA.
    http://www.darkreading.com/application-security/5-new-vulnerabilities-uncovered–in-sap/d/d-id/1319239

    ERP security researchers at Onapsis have discovered five new vulnerabilities in SAP BusinessObjects and SAP HANA, three of them high-risk. One in particular gives attackers the power to overwrite data within mission-critical systems.

    The three high-risk vulnerabilities are in BusinessObjects, a business intelligence suite used by organizations for complex business performance tracking and analysis. These types of intelligence tools are often wrapped up in enterprises’ most important core business initiatives, containing the most sensitive data about customer behavior, pricing, financial forecasting and business processes. Very often the data directly contributes to competitive differentiation. In short, for many businesses this data is a key ingredient to their “secret sauce.”

    In this case, the three high-risk advisories include vulnerabilities that allow unauthenticated attackers to remotely retrieve business data, access and delete auditing information remotely and touch the system without detection, and to remotely access and overwrite business data.

    “Taking steps to patch these vulnerabilities, or to implement control measures is critical to protecting your SAP systems,”

    Reply
  2. Tomi Engdahl says:

    Sharp fights fraud with old-school landline phones
    http://www.itworld.com/article/2889494/sharp-fights-fraud-with-oldschool-landline-phones.html

    Glowing LEDs and automated recording could help reduce phone fraud, which is on the rise

    Be it telegrams or feature phones, Japan can’t bear to part with yesterday’s technology.

    Now Sharp is launching a pair of old-school landline phones designed to counter a growing form of fraud in Japan that preys upon elderly Japanese.

    The “ore ore” (“it’s me, it’s me”) fraud involves scammers who try to trick seniors into handing over money by calling them up and pretending to be their grandchildren in an emergency and requiring money. Victims are typically convinced to send money via ATM.

    While it may be difficult to imagine being fooled by such a ruse, it has proven very lucrative, netting criminals ¥17.4 billion (US$146 million) in 2014, up from ¥14.5 billion in 2007, according to National Police Agency data.

    Sharp’s new UX-AF90CL fax phone, launching Friday, and JD-AT80CL landline cordless phone, out March 13, are designed to alert seniors to the dangers of unknown callers. When they receive calls from numbers that are not registered in the phone’s internal memory, their LED bars glow red and the phones go into anti-scam mode.

    An automated message then tells the caller that the call is being recorded and asks for the caller to state his or her name before the call is answered. Sharp believes that the threat of recording will scare off many fraudsters.

    Reply
  3. Tomi Engdahl says:

    Encryption is the single most used technology to guarantee privacy because it is effective, secure, and easy to use. But what is really hidden? The answer may surprise you. While the privacy invasion aspects of machine learning and data mining have huge awareness in respect to marketing and social media data, the usage of machine learning and it’s effects on current techniques to hide data such as encryption is relatively unexplored in comparison.

    Recently I wrote a tool called Pacumen that is used to analyze encrypted traffic and infer information about it without decryption. The type of information it can extract is “what application’s are being used over this tunnel?” and in some cases “what websites are being accessed?”. Essentially it is a framework for answering yes/no questions about network traffic that doesn’t require looking at the content of the traffic.

    Source: https://www.blackhat.com/html/webcast/03192015-are-you-hiding.html

    Reply
  4. Tomi Engdahl says:

    Stumbling Upon an Uber Vulnerability
    http://hackaday.com/2015/02/27/stumbling-upon-an-uber-vulnerability/

    [Nathan] is a mobile application developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and analyze the web traffic between your computer and the Internet. The program essentially acts as a man in the middle, allowing you to view all of the request and response data and usually giving you the ability to manipulate it.

    While debugging his app, [Nathan] realized he was going to need a ride soon. After opening up the Uber app, he it occurred to him that he was still inspecting this traffic

    He noticed that within this request, there is a variable called “isAdmin” and it was set to false. [Nathan] used Charles to intercept this request and change the value to true.
    this unlocked some new features normally only accessible to Uber employees.

    How I Accessed Employee Settings On Uber’s App
    http://nathanmock.com/archives/how-i-accessed-employee-settings-on-ubers-app

    Reply
  5. Tomi Engdahl says:

    ChipWhisperer®: Security Research
    ChipWhisperer laughs at your AES-256 implementation. But it laughs with you, not at you.
    http://hackaday.io/project/956-chipwhisperer-security-research

    ChipWhisperer is the first open-source toolchain for embedded hardware security research including side-channel power analysis and glitching. The innovative synchronous capture technology is unmatched by other tools, even from commercial vendors.

    The objective of ChipWhisperer is nothing short of revolutionizing the entire embedded security industry. Every designer who uses encryption in their design should be able to perform a side-channel attack, and understand the ramifications of these attacks on their designs. The open-source nature of the ChipWhisperer makes this possible, and my hope is that it becomes the start of a new era of hardware security research.

    ChipWhisperer Hits Kickstarter
    http://hackaday.com/2015/02/27/chipwhisperer-hits-kickstarter/

    Reply
  6. Tomi Engdahl says:

    Joe Coin:
    Bitcoin, not the Blockchain, is the killer app, because Blockchain tech needs Bitcoin to work

    Crypto 2.0–And Other Misconceptions
    http://www.joecoin.com/2015/02/crypto-20-and-other-misconceptions.html

    “It’s the Blockchain, not Bitcoin that’s the real killer app.”

    I’ve been hearing that more and more from prominent tech visionaries. And it’s so incredibly wrong.

    Let’s break down why it’s actually Bitcoin that allows the Blockchain to “work its magic” and not the other way around.

    First of all, let’s agree that the ideas of Bitcoin as a currency or the Blockchain as a consensus mechanism are revolutionary if and only if each’s decentralized nature is preserved. The moment one becomes centralized, whether due to a flaw in the protocol or the concentration of mining power, it is no better (and probably worse in fact) than fiat money, e-gold, or any other monetary scheme which is vulnerable to capture by a minority, and therefore vulnerable to abusive seigniorage and capital controls.

    Given the crucial requirement to preserve decentralization, the problem Satoshi had to solve while designing Bitcoin was how to incentivize network participants to expend resources transmitting, validating, and storing transactions. The first step in solving that is the simple acknowledgement that it must provide them something of economic value in return.

    The next part was figuring what of economic value could be used.

    After searching around for some pre-existing object of value to use as an incentive, we eventually realize that Satoshi could not have used anything pre-existing. The incentive had to be created and exist entirely within the network itself!

    To put the above more plainly, any instance of a blockchain and its underlying tokens are inextricably bound together.

    So what does that mean for Bitcoin the currency? For blockchain technology in general?

    Not only is it the case that the Bitcoin Blockchain cannot win without Bitcoin as a currency winning too, but if the Bitcoin price languishes, the incentive mechanism backstopping the Blockchain will be weak and therefore unreliable, and Bitcoin as we know it will likely live out its days like video games from 80′s and 90′s, relegated to a corner of the internet where the hipsters of the 2030′s will trade them with one another just to be ironic.

    Reply
  7. Tomi Engdahl says:

    How Superfish’s Security-Compromising Adware Came to Inhabit Lenovo’s PCs
    http://www.nytimes.com/2015/03/02/technology/how-superfishs-security-compromising-adware-came-to-inhabit-lenovos-pcs.html

    Until its advertising software was discovered deep inside Lenovo personal computers two weeks ago, a little company called Superfish had maintained a surprisingly low profile for an outfit once named America’s fastest-growing software start-up.

    In 2013, Superfish revenues had increased more than 26,000 percent over the previous three years to $35.3 million. It had advertising deals with some of the biggest names in e-commerce — Amazon, eBay and Alibaba among them.

    But as the start-up, based in Palo Alto, Calif., searched for new income sources last year, it landed a deal with Lenovo, the world’s largest PC maker, to put its software — often called adware — on several Lenovo consumer PCs.

    That deal has proved disastrous. Not only has it called into question the business practices of both Lenovo and Superfish, it has shined an unflattering light on makers of this sort of advertising technology.

    Superfish’s software, a security researcher revealed, was logging every online movement of the people using those Lenovo machines and hijacking the security system that is supposed to protect online communications and commerce. The Department of Homeland Security even warned Lenovo PC users to remove the software because of the risk it presented.

    Superfish’s technology, security experts now say, is a particularly aggressive example of the targeted advertising technology that tracks consumers’ online movements without their knowledge.

    What made its adware particularly bad, experts say, is that it fooled Lenovo customers into thinking that private sessions with their email service, or bank — secured with encryption that is often represented by the tiny padlock that appears in their web browser — were private, when Superfish, and potentially hackers, could see everything.

    “The padlock is a means of telling you that who you are talking to is who you think you are talking to. Superfish made that mechanism ineffective,”

    Reply
  8. Tomi Engdahl says:

    BitDefender bit trip slaps ‘valid’ on revoked certs
    Patch for security suites inbound
    http://www.theregister.co.uk/2015/03/01/bitdefender_bit_trip_slaps_valid_on_revoked_certs/

    Bitdefender is set to fix a security flaw in its products that meant revoked certificates for potentially malicious sites could be replaced with legitimate ones.

    The problem, which the security vendor considered a low-level threat, arose when revoked certificates were replaced with a BitDefender certificate for the purpose of scanning HTTPS traffic.

    That meant admins of potentially dodgy sites could be given a means of attacking users.

    The Chief Research Officer of Risk Based Security, Carsten Eiram, reported the flaws in BitDefender’s Antivirus Plus, Internet Security, and Total Security lines which are set to be fixed this week.

    “HTTPS scanning issues are something that a lot of people are focusing on,” Eiram told the IDG News Service.

    Reply
  9. Tomi Engdahl says:

    Seagate NAS owners: hide it behind a firewall. Fast.
    Unpatched software in the OS means root to your stuff won’t be hard, says researcher
    http://www.theregister.co.uk/2015/03/02/seagate_nas_owner_hide_it_behind_a_firewall/

    An Australian security researcher says a bunch of Seagate NAS devices carry serious vulnerabilities and should be kept away from the Internet.

    OJ Reeves of Beyond Binary says the Seagate Business NAS line, up to version 2014.00319, carries old versions of PHP, CodeIgniter and Lighttpd. All of these, the post notes, have remotely exploitable vulnerabilities.

    As well as these, the company’s post says the admin application “contains a number of security-related issues”.

    PHP 5.2.12 is vulnerable to CVE-2006-7243, a file path specification bug; while the Web interface running on Lightppd runs as root, meaning any successful exploitation also runs as root.

    Reply
  10. Tomi Engdahl says:

    As many as 1 million+ WordPress sites imperiled by critical plugin bug
    “Secret” key used by WP-Slimstat can be guessed, enabling SQL-injection attack.
    http://arstechnica.com/security/2015/02/more-than-1-million-wordpress-websites-imperiled-by-critical-plugin-bug/

    More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting critical vulnerability in most versions of a plugin called WP-Slimstat.

    Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that’s used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

    “If your website uses a vulnerable version of the plugin, you’re at risk,”

    Reply
  11. Tomi Engdahl says:

    Bad movie: Hackers can raid networks with burnt Blu-Rays
    Movies a distraction for remote plunder
    http://www.theregister.co.uk/2015/03/02/bad_movie_hackers_can_raid_networks_with_burnt_blurays/

    British hacker Stephen Tomkinson has found two Blu-Ray-borne attacks.

    His first exploit relies on a poor Java implementation in a product called PowerDVD from CyberLink. PowerDVD plays DVDs on PCs and creates menus using Java, but the way Oracle’s code has been used allows naughty folk to circumvent Windows security controls.

    The result, the NCC Group consultant says, is that it’s possible to put executables onto Blu-Ray disks and to make those disks run automatically on startup even when Windows is set to stop that outcome.

    Users would have no reason to suspect the whirring of an optical drive indicated unknown software was running, making this a potentially nasty attack.

    “This gives us a working exploit to launch arbitrary executables on the disc from the Blu-Ray’s supposedly limited environment,” Tomkinson says.

    Reply
  12. Tomi Engdahl says:

    Nathan Schneider / The New Republic:
    How Small Bitcoin Miners Lose on the Crypto-Currency Boom-Bust Cycle

    After the Bitcoin Gold Rush
    http://www.newrepublic.com/article/121089/how-small-bitcoin-miners-lose-crypto-currency-boom-bust-cycle

    “Mining” is the engine that keeps the Bitcoin network working, but it has swelled into a resource-hungry, capital-intensive, centralized syndicate. Is the Internet’s native currency worth all the effort?

    At just about a year old, the miner represents a particularly rapid and fateful instance of the obsolescence that awaits every gizmo that alights on the cutting edge. Because of competition from faster, sleeker models now on the network, it can no longer mine enough bitcoins to pay for the electricity it burns. Even the newest miners may no longer break even, as the value of a bitcoin continues its free fall from a high of over $1,100 in late 2013 to less than $250 today; the 25 bitcoins that the network spits out about every 10 minutes may not be worth the trouble it takes to earn them. CoinTerra, the TerraMiner IV’s maker, filed for bankruptcy on January 24. Like a used-up gold mine, the machine lends even the Bitcoin Center’s busiest evenings the sensation of a ghost town.

    Bitcoin was supposed to usher in a new, global economy—gold for the Internet age, managed not by a central authority but by infallible algorithms running on the computers of those who use it. The first converts were tech-savvy utopians, whose bitcoins went from being worth just cents to hundreds of dollars. A substantial industry of magazines and websites appeared in order to simultaneously report on and promote the new currency.

    Mining, especially, was supposed to be an act of democracy. On the P2P Foundation’s online forum, Bitcoin’s pseudonymous creator Satoshi Nakamoto wrote, “The root problem with conventional currency is all the trust that’s required to make it work.”

    This was unquestionably a breakthrough. For the first time, the technology underlying Bitcoin made possible a secure, decentralized, open-source financial network. Users wouldn’t have to trust an agency or authority, just the software. Rather than relying on a single institution’s server, they shared access to the transactions listed on Bitcoin’s digital ledger—the blockchain—which is now more than 50 million transactions long. They mined money out of thin air

    As the value of bitcoins swelled against the dollar over the course of 2013, a mining arms race began. People realized that their computers’ graphics chips were better suited to Bitcoin’s mining algorithms than standard CPUs, so they built specialized machines overloaded with graphics processors, which increased their chances of reaping a reward. Starting in the first months of that year, ASICs arrived—application-specific integrated circuits designed with the sole purpose of mining coins. Before long the lone miner with a regular computer was a lost cause, unable to compete with the new mining syndicates, or “pools,” and multi-million-dollar data centers in places around the world with the most profitable combination of cold weather and cheap electricity—45,000 miners in a Swedish helicopter hangar, for instance, or 20 million watts in the Republic of Georgia.

    “From a technological perspective, the Bitcoin network is unprecedented,” says Dave Hudson, an analyst who blogs about mining at hashingit.com. “As far as I’m aware there’s never been anything as big in the past.” All that computing power, which could be curing cancer or exploring the stars, is locked up in machines that do nothing but process Bitcoin-type transactions.

    The prospects for democracy in the system have grown dimmer still. By the middle of last year, the largest mining pools came within reach of a 50 percent market share—making it possible for them to endanger the whole system by falsifying transactions.

    “Distributed technologies do not necessarily lead to distributed outcomes,” writes Michel Bauwens, the Belgian-born founder of the P2P Foundation, which Satoshi Nakamoto turned to early on to promote his vision. Bauwens points out that the Bitcoin economy is more unequal than the conventional one. Currently, the top 100 users hold at least 20 percent of the wealth.

    Entrusting our money to algorithms, it turns out, is no guarantee of a better result than managing it with flawed institutions and flawed people. Perhaps we should be imagining tools that help us trust each other more, rather than entrusting ourselves to a rush for digital gold. The technology at work in Bitcoin can do this.

    Reply
  13. Tomi Engdahl says:

    Natural Grocers Investigating Card Breach
    http://krebsonsecurity.com/2015/03/natural-grocers-investigating-card-breach/

    Sources in the financial industry tell KrebsOnSecurity they have traced a pattern of fraud on customer credit and debit cards suggesting that hackers have tapped into cash registers at Natural Grocers locations across the country. The grocery chain says it is investigating “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.”

    Perhaps they aren’t reporting the fraud to Natural Grocer, but banking sources have told this author about a pattern of card fraud indicating cards stolen from the retailer are already on sale in the cybercrime underground.

    According to a source with inside knowledge of the breach, the attackers broke in just before Christmas 2014, by attacking weaknesses in the company’s database servers. From there, the attackers moved laterally with Natural Grocers’ internal network, eventually planting card-snooping malware on point-of-sale systems.

    the company has accelerated plans to upgrade the point-of-sale system in all of its store locations with a new PCI-compliant system that provides point-to-point encryption and new PIN pads that accept secure “chip and PIN” cards.

    Reply
  14. Tomi Engdahl says:

    Spam Uses Default Passwords to Hack Routers
    http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/

    In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims.

    Sunnyvale, Calif. based security firm Proofpoint said it recently detected a four-week spam campaign sent to a small number of organizations and targeting primarily Brazilian Internet users.

    If successful, the attacker’s script would modify the domain name system (DNS) settings on the victim’s router, adding the attacker’s own DNS server as the primary server while assigning the secondary DNS server to Google’s public DNS (8.8.8.8). Such a change would allow the attackers to hijack the victim’s traffic to any Web site, redirecting it away from the legitimate site to a look-alike page designed to siphon the victim’s credentials. In the event that the attacker’s DNS server was unresponsive for any reason, the victim’s router would still function normally.

    The real danger of attacks like these is that they bypass antivirus and other security tools, and they are likely to go undetected by the victim for long periods of time.

    “There is virtually no trace of this thing except for an email,”

    Many modern routers have built-in defenses against such attacks (including countermeasures known as CSRF tokens), but new vulnerabilities in existing routers — even recent model routers — are constantly being uncovered.

    “The routers being attacked in our example were not so diligent and so were vulnerable to this attack,”

    If you haven’t changed the default credentials on your router, it’s time to do that. If you don’t know whether you’ve changed the default administrative credentials for your wired or wireless router, you probably haven’t. Pop on over to routerpasswords.com and look up the make and model of your router.

    Reply
  15. Tomi Engdahl says:

    Webnic Registrar Blamed for Hijack of Lenovo, Google Domains
    http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/

    Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.

    On Feb. 23, google.com.vn briefly redirected visitors to a page that read, “Hacked by Lizard Squad, greetz from antichrist, Brian Krebs, sp3c, Komodo, ryan, HTP & Rory Andrew Godfrey (holding it down in Texas).” The message also included a link to the group’s Twitter page and its Lizard Stresser online attacks-for-hire service.

    Reply
  16. Tomi Engdahl says:

    Why “Let’s Encrypt” Won’t Make the Internet More Trustworthy
    http://www.securityweek.com/why-lets-encrypt-wont-make-internet-more-trustworthy

    Internet users have been shaming Lenovo for shipping the SuperFish adware on their flagship ThinkPad laptops. SuperFish was inserting itself into the end-users’ SSL sessions with a certificate whose key has since been discovered (fascinating write-up by @ErrataRob here).

    Clearly the certificate used by SuperFish is untrustworthy now. Browsers and defensive systems like Microsoft Windows Defender are marking it as bad. But for most certificates the status isn’t entirely as clear.

    Observable Internet encryption is largely made up of SSL servers listening on port 443. On the Internet, approximately 40% of these servers have so-called “self-signed” certificates. A “real” certificate (trusted by your browser) is signed by a trusted third party called a certificate authority: VeriSign, Comodo, GlobalSign, GoDaddy are a few of the tier 1 providers. But a server whose certificate is signed with its own key is called self-signed and is considered untrustworthy. It is sort of strange, isn’t it, that there’s all this software that can perform sophisticated encryption on the Internet, yet much of it is junk.

    In mid-2015, the Electronic Frontier Foundation (EFF) will be launching a free, open Certificate Authority called “Let’s Encrypt” with an aim to reducing the stumbling blocks that prevent us from “encrypting the web.”

    If Let’s Encrypt succeeds, will self-signed certificates go extinct?

    I’m guessing no. I’ll explain why, and why I think that’s not necessarily a bad thing.

    There are three reasons certificates are self-signed.

    Cost

    The first and most quantitative reason for self-signing is because real certificates cost real money. A world-class “extended validation” certificate, perhaps used by a global financial institution and trusted by every browser, might cost $1,000 per year. So it’s no wonder that there are over 10 million sites with self-signed certificates, right? These sites would represent $10 billion in subscriptions per year if they all had real certificates.

    there are already bargain certificate vendors who provide no frills, no-questions-asked certificates for $5 per year or even less.

    Apathy

    One of the most common scenarios resulting in a self-signed certificate is when a new device like a router or webcam gets deployed in a small network. The software in the device supports HTTPS (and not HTTP, otherwise it would set off all kinds of compliance alerts) but it is up to the user to get a real certificate (from a certificate authority) and stick it on there. Unless the user is a security professional of some kind, they probably aren’t going to get a certificate for their device, regardless of the price.

    Ignorance

    Ask a penetration tester or DAST vendor, and they’ll tell you that a huge number of devices on the Internet were never meant to be there in the first place.
    To see how often this really happens, you don’t have to look any further than the infamous SHODAN search engine, which can find weird devices on the Internet based on their HTTP headers.
    Will Let’s Encrypt fix all these routers and webcams? No

    I predict that Let’s Encrypt probably won’t make a huge impact on the number of self-signed certificates out there, and maybe that’s not a bad thing.

    Will Let’s Encrypt Succeed?

    Even though Let’s Encrypt has no apparent business model, let’s suppose for a minute that it gets some market share. Over time, vendors might trust its longevity enough to build support into their routers, webcams, and other devices. When their end-user customers set up the device, it would automatically certificate-fetch from Let’s Encrypt. That’s the only world in which self-signed certificates might become a thing of the past. But that world is years away. So like the junk DNA within all of us, I predict that self-signed certificates will live on for at least a few more generations.

    Reply
  17. Tomi Engdahl says:

    Target Data Breach Tally Hits $162 Million in Net Costs
    http://www.securityweek.com/target-data-breach-tally-hits-162-million-net-costs

    The cost of the Target breach keeps on climbing.

    According to the firm’s latest earnings report, the net expense of the breach stands at $162 million.

    The actual total has now reached a gross expense of $191 million. That amount was partially offset by a $46 million insurance receivable in 2014. In 2013, the company’s gross expense related to the breach was $61 million, which was offset by a $44 million insurance payment. That brings the net expense of the breach for the retail giant to $162 million.

    According to the Ponemon Institute’s ninth annual global study on data breach costs released last year, the average total price tag of a breach was $145 for every record stolen or lost – an increase of nine percent compared to the cost noted in the previous report.

    “Invest now or pay later — this is the message from one of the largest data beaches reported to date,” said Steve Hultquist, chief evangelist at RedSeal. “Consider the ROI [return on investment] for even a very significant investment in proactive security analytics and process improvements that could have blocked the beach before it even started.”

    A new report from FireEye’s Mandiant found that organizations generally did better last year in detecting data breaches than in the past. Based on the investigations the firm conducted in 2014, the median number of days attackers were persent on a network before being discovered dropped to 205 from 229 in 2013. Still, only 31 percent actually figured out by themselves that they had been breached, down from 33 percent in 2013 and 37 percent in 2012.

    Reply
  18. Tomi Engdahl says:

    AVG Reveals Invisibility Glasses at Pepcom Barcelona
    http://now.avg.com/avg-reveals-invisibility-glasses-at-pepcom-barcelona/

    This year, AVG will reveal a set of concept invisibility glasses at Pepcom in Barcelona before Mobile World Congress.

    What are invisibility glasses?

    Developed by AVG Innovation Labs, the glasses help protect your visual identity in the digital age.

    Through a mixture of technology and specialist materials, privacy wearables such as invisibility glasses can make it difficult for cameras or other facial recognition technologies to get a clear view of your identity.

    Why would they be useful?

    There are a number of reasons why invisibility glasses could be a valuable privacy tool in the future:

    The increasing use of smartphone cameras in public places means it’s more likely unsolicited images taken of us may end up online.
    Big Data projects such as Google’s StreetView highlight the possibility for our faces and identities to appear in the public domain.
    Advancements in facial-recognition technologies, such as Facebook’s DeepFace, could soon give a private corporations power to not only recognize us, but also cross-reference our faces to other data found online.

    How do they work?

    While the technology behind invisibility glasses is still in the prototype phase, there are generally two different methods of combatting unwanted facial recognition:

    Infrared Light
    The idea is to place infrared LEDs inserted around the eyes and the nose areas.
    they are only detectable by cameras which are sensitive to the wavelengths of these LEDs. They claim to break face detection when the lights are on.

    Retro-reflective Materials

    While most surfaces reflect light by diffusing or scattering it in all directions, retro-reflective materials are specially designed to reflect light back at the same angle as it arrived.

    If caught in flash photography, retro-reflective materials will send most of the light back to the sensor. This will result in an image that will put the Dynamic Range of the camera sensor to test.

    Reply
  19. Tomi Engdahl says:

    ISIS Threatens Twitter Founder And Employees Over Blocked Accounts
    “Your virtual war on us will cause a real war on you.”
    http://www.buzzfeed.com/davidmack/isis-twitter-threat#.plg5qxvR

    ISIS supporters on Sunday called on jihadis around the world to kill Twitter employees because of the company’s frequent blocking of their social media accounts.

    “Your virtual war on us will cause a real war on you,” reads an online post addressed to Twitter founder Jack Dorsey and shared by ISIS supporters.

    Twitter, like YouTube, often moves quickly to delete posts and suspend accounts that disseminate ISIS videos showing the gruesome executions of hostages.

    Reply
  20. Tomi Engdahl says:

    Would you trust ‘spyproof’ mobes made in Putin’s Russia?
    Android-based securomobe makes play against the West’s Blackphone
    http://www.theregister.co.uk/2015/03/02/russian_blackphone_prototype_taigaphone/

    A Russian firm is developing its own anti-surveillance enterprise smartphone prototype – the TaigaPhone.

    The secure handset from Taiga Systems will bundle security software from sister security firm InfoWatch Group onto a hardened version of Android.

    The smartphone is likely to be positioned against the Blackphone, which has been available since last July, and the recently launched Kaymera smartphone from Israel, which is built from the ground up with security in mind rather than with security apps added as an afterthought.

    “The device is entirely our own – the design, the schematics and circuitry. The phone will be manufactured in China,” Nagorny told Izvestia, as Russia Today reports.

    Details are so far scant but the smartphone will feature the ability to disable or enable select parts such as the camera and location services.

    The device comes with the added privacy of being able to switch off its microphone.

    Switching off phones does not disable built-in GPS functionality, a privacy shortcoming that Taiga Systems reportedly intends to address by partnering with Symantec. End-to-end encryption of voice and data ought to come as standard with secure smartphones worthy of the name but it’s as yet unknown how Taiga Systems intends to approach this challenge.

    Reply
  21. Tomi Engdahl says:

    Police Could Charge Data Center Operators In the Largest Child Porn Bust Ever
    http://yro.slashdot.org/story/15/03/02/2350247/police-could-charge-data-center-operators-in-the-largest-child-porn-bust-ever

    Canadian police say they’ve uncovered a massive online file sharing network for exploitative material that could involve up to 7,500 users in nearly 100 countries worldwide. But unlike past investigations into the distribution of child porn, which typically involve targeting suspects individually, police have instead seized over 1.2 petabytes of data … from a data center responsible for storing the material, and may even attempt to lay criminal charges against its operators, too.

    Police Could Charge a Data Center in the Largest Child Porn Bust Ever
    http://motherboard.vice.com/read/police-could-charge-a-data-center-in-the-largest-child-porn-bust-ever

    It could be the largest child porn investigation ever conducted.

    But unlike past investigations into the distribution of child porn, which typically involve targeting suspects individually, police have instead seized over 1.2 petabytes of data—more than four times the amount of data in the US Library of Co​ngress—from a data center responsible for storing the material, and may even attempt to lay criminal charges against its operators, too.

    “What we are alleging is occurring is that there are individuals and organizations that are profiting from the storage and the exchange of child sexual exploitation material,” Scott Tod, Deputy Commissioner of the Ontario Provincial Police (OPP), told Motherboard at a conference late last month, after speaking to a crowd of defence specialists. “They store it and they provide a secure website that you can log into, much like people do with illegal online gaming sites.”

    According to Tod, targeting data centers and their corporate directors is an “innovative” method that police are considering in the fight to end the sharing of child porn—but charges will likely hinge on the degree to which employees knew such activity was taking place.

    “This is the first investigation of this scale, to my knowledge—in North America, if not worldwide”

    “There’s no proactive obligation to investigate what happens on your service,” said Tamir Israel, a staff lawyer at the Canadian Internet Policy & Public Interest Clinic (CIPPIC). “If you do become aware that something is there, there’s a reporting obligation. But usually data centers aren’t actively looking through their stuff, so it’s reasonable to say that they wouldn’t have come across that.”

    Unsurprisingly, many specifics of the ongoing investigation—including names of the companies involved—remain unclear.

    Experts say that targeting the infrastructure used to distribute child pornography, rather than going after the individuals who download it, is a recent change in tactics for police.

    “What is new is this approach that says, you know what, there’s a web hosting server out there that hosts a lot of child porn. It also hosts other stuff that we’re not interested in, but it hosts a lot of child porn, so we’re going to take down that whole host,” Fakhoury said.

    “I don’t think that our technology is any more significant … or different from what our security partners use”

    In recent years, child pornographers have gone to great lengths to evade capture. Some have taken to the anonymized confines of the darknet to shield themselves.

    That means that the OPP will need specific warrants to analyze and use most of the information contained within the hard drives seized. Under Canadian law, police do not have carte blanche to search and use every piece of data on a hard drive merely because it is in their physical possession, and will need to tread carefully to avoid charges of running an unlawful search.

    “Is this overkill? And what percentage of the data they seized is actually contraband child porn? And what percentage of it contains totally legitimate stuff?”

    And prosecuting those who were in possession of the hard drives—likely, the owner of the data centre—may well spark debate over whether or not is reasonable to hold those who house data liable for what their customers put on those servers, too.

    “Legitimate businesses operating in Canada have the right to assume that their customers are acting lawfully unless they have strong reason to believe otherwise,” said Fraser. “Even then that does not make them complicit in their customers’ activities.”

    Reply
  22. Tomi Engdahl says:

    ICANN switches off dot-word admin portal amid security leak scare
    Companies competing for gTLDs may have peeked at each others’ privates
    http://www.theregister.co.uk/2015/03/02/icann_suffers_another_security_breach/

    Global domain-name overlord ICANN has found another security hole in its systems.

    This time, confidential data on companies vying for new dot-word domains may have been snooped on by rivals logged into ICANN’s catch-all portal – meaning commercially sensitive information as well as important technical details on the internet’s expansion were at risk. The org has since taken the vulnerable web apps offline.

    “Under certain circumstances an authenticated portal user could potentially view data of, or related to, other users,”

    That data includes: technical information on adding new generic top-level domains (gTLDs) to the internet’s root DNS; contact information; commercially sensitive details of dot-word launches; and interactions between the operators of core pieces of the internet’s domain name system and ICANN as its overseer.

    Reply
  23. Tomi Engdahl says:

    Google’s ‘encrypted-by-default’ Android is NOT encrypting by default
    It’s sad that this isn’t really a surprise
    http://www.theregister.co.uk/2015/03/02/google_encrypted_by_default/

    Last year, Google said Android 5, codenamed Lollipop, will encrypt the contents of smartphones and tablets by default. Now it’s had to do some backtracking.

    In short, despite Google’s boasts that Lollipop will encrypt handhelds’ data by default “out of the box,” that simply isn’t being enforced on all devices running Android 5. What happened?

    Apple put the cat among the pigeons in September when it announced that iOS 8 automatically encrypts files stored on iPhones and iPads.

    Only the owners of the hardware are able to unlock their documents – rather than, say, thieves or Apple under pressure from the cops, in theory. And by making it a default, it means less tech savvy people can benefit from the security measure while being blissfully unaware of it.

    Days later, Google said it too would follow suit and enable file encryption by default, adding that full-storage encryption had been an option in Android for some time.

    By September 2014, to keep up with Apple, that rule had been ramped up from an optional feature to an on-by-default.

    And in the present day

    Now the advertising giant has climbed down from that vow, leaving it up to phone and tablet manufacturers to enable encryption-by-default (and some of them aren’t.)

    Some Android Lollipop handhelds, particularly those shown off this week at Mobile World Congress 2015, are simply not automatically encrypting their files by default. That includes the second-generation Moto E and the Samsung Galaxy S6, according to Ars.

    Note that full-disk encryption-by-default is still a “should,” a recommendation, and that only future versions of Android may enforce it.

    Who wins and who loses?

    This whole mess will make Apple fans very smug. Apple has had a separate coprocessor for accelerating encryption for years, and as a result iOS encryption is a much easier process. Apple has total control of its hardware and OS, whereas Google must rely on its hardware friends to play ball.

    Will Google make default encryption the rule, rather than a suggestion as it does today? Almost certainly, but it’ll need some hardware evolution before most Android users get their paws on some serious privacy.

    Reply
  24. Tomi Engdahl says:

    50 shades of grey can turn Adobe Reader into a hot mess
    Greyscale pics are a great place to hide malcode
    http://www.theregister.co.uk/2015/03/03/vxers_use_this_greyscale_pic_trick_to_give_pdf_scanners_the_slip/

    Hackers can duck antivirus programs and execute malware in Adobe Reader by using greyscale images, says Danish security boffin Dénes Óvári.

    Lossy compression is thought to be susceptible to the DCTDecode filter, which should nuke malware woven into images and blunt this form of attack.

    Reply
  25. Tomi Engdahl says:

    Marlinspike brings end-to-end crypto texts to iOS
    Signal 2.0 melts TextSecure, RedPhone for iMessage haters
    http://www.theregister.co.uk/2015/03/03/marlinspike_brings_endtoend_crypto_texts_to_ios/

    Privacy bods can snub Cupertino’s iMessage and instead encrypt their Apple iTexts using Moxie Marlinspike’s Signal 2.0, released for iOS today.

    The latest version from the dreadlocked crypto fancier and Co will slap end-to-end encryption on text messages using the TextSecure protocol sent between Signal 2.0 clients.

    Encrypted phone calls are already supported under Signal version 1.

    Reply
  26. Tomi Engdahl says:

    Blackphone 2 Caters To the Enterprise, the Security-Minded and the Paranoid
    http://yro.slashdot.org/story/15/03/02/1921232/blackphone-2-caters-to-the-enterprise-the-security-minded-and-the-paranoid

    Following on from the security-focused Blackphone, Silent Circle used the Barcelona event to announce the follow-up — the Blackphone 2. The privacy-centric company has been working on the “world’s first enterprise privacy platform” for some time now

    Blackphone 2 has a $600 price tag and will be unleashed in July.

    Blackphone 2 caters to the enterprise, the security-minded and the paranoid
    http://betanews.com/2015/03/02/blackphone-2-caters-to-the-enterprise-the-security-minded-and-the-paranoid/

    While much of the news coming out of MWC 2015 has been dominated by Microsoft’s Lumia 640, the Samsung Galaxy S6 Edge, and tablets from Sony, there’s always room for something a little different. Following on from the security-focused Blackphone, Silent Circle used the Barcelona event to announce the follow-up — the Blackphone 2.

    The privacy-centric company has been working on the “world’s first enterprise privacy platform” for some time now and the second generation Blackphone. As you would expect, there’s a faster processor than before — an 8-core beast — as well as an upgraded 3GB RAM, a larger 5.5 inch screen and a bigger battery than before. Blackphone 2 has a $600 price tag and will be unleashed in July.

    Silent Circle is all about security, but security is about more than just a phone that features encryption. There is an entire ecosystem in place starting with the secure PrivatOS 1.1. The latest upgrade to the operating system introduces a feature called Spaces which allows for OS-level virtualization and the ability to keep work and personal apps and data completely separate from each other. These features are also due to rollout to first generation Blackphones through an upcoming update.

    There’s secure access to the locked down Silent Store, and enterprise admins have an all-important remote lock and wipe option to fall back on.

    Reply
  27. Tomi Engdahl says:

    The Escalating Threat of DDoS Attacks
    http://whitepapers.theregister.co.uk/paper/view/3637/the-escalating-threat-of-ddos-attacks.pdf

    With increasing frequency and scale, some of the world’s largest data center and network operators are suffering from crippling Distributed Denial of Service (DDoS) attacks.

    Virtually every commercial and governmental organization today is largely – if not entirely – reliant on its online services, and service availability is completely at risk from the rising tide of DDoS attacks.

    Reply
  28. Tomi Engdahl says:

    Xen bug latest: Cloudpocalypse averted, says Amazon
    No mass reboot needed after all, despite latest Xen vulns
    http://www.theregister.co.uk/2015/03/02/aws_cloud_reboot_averted/

    Amazon Web Services now says that despite the recent security vulnerabilities discovered in the Xen hypervisor, the vast majority of its Elastic Compute Cloud (EC2) customers won’t need to reboot their virtual machine instances after all.

    Last week, AWS and Rackspace both said that customers should prepare for a mass reboot

    “We’re happy to share that we’ll now be able to live-update ‎the vast majority of our older hardware for this Xen Security Advisory,” the AWS team said in an update to its original security advisory. “This means that over 99.9 per cent of our total EC2 instances will receive the live-update and avoid a reboot.”

    Even prior to the latest patches, AWS said that fewer than 10 per cent of customer EC2 instances were affected by the Xen vulnerabilities.

    Reply
  29. Tomi Engdahl says:

    This should learn Gemalto data breach

    Sim card manufacturer data breach can be seen that the individual, unsuspecting workers are still often attacks the focal point, to point out the security company Check Point.

    Checkpoint has studied Gemalto information burglary backgrounds. One of the leaks of information started with the traditional phishing. Gemalto employee received fake emails with the Annex to the malware got to recharge his computer and through the corporate network.

    In the second case kyberkonna followed by message traffic, which is the individual worker went to the corporate network with an external party.

    Checkpoint points out that people like us work a wide range of bodies, will receive a lot of messages and exchange large amounts of information every day. This provides opportunities for criminals.

    “My staff is the company’s most important asset in terms of security, so the training to detect suspicious approaches is of paramount importance,”

    This according to him, still not enough, because to err is human: “Security should think holistically, and training required in addition to the modern technical solutions. For example, the suspicious e-mail attachments will be opened in a controlled environment, the sandbox where they can not get ahead before the amendment.”

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-03/T%C3%A4m%C3%A4-pit%C3%A4isi-oppia-Gemalton-tietomurrosta-3216639.html

    Reply
  30. Tomi Engdahl says:

    How Hackers Abused Tor To Rob Blockchain, Steal Bitcoin, Target Private Email And Get Away With It
    http://www.forbes.com/sites/thomasbrewster/2015/02/24/blockchain-and-darknet-hacks-lead-to-epic-bitcoin-losses/

    Across October and November of last year, some unlucky users of the world’s most popular Bitcoin wallet, Blockchain.info, and one of the better-known exchanges, LocalBitcoins, had their usernames and passwords silently pilfered. They were robbed of significant sums, probably tens of thousands of dollars worth of the virtual currency, possibly more. Security-focused email services, Riseup and Safe-mail were also targeted by the same crew. And according to the man who witnessed the attacks go off last year, Digital Assurance director Greg Jones, it looks like buyers and sellers of dark markets were the targets.

    The attackers used a tried-and-tested method to begin with, setting up a number of malicious exit relays on Tor. Legitimate exit relays act as the final jump from the anonymising Tor network, which loops users through a number of randomly-chosen servers across the world to protect their identity, onto the clear web. But any nefarious type who runs a malicious relay can use an encryption removal technique known as SSL stripping, where connections are no longer protected through the Secure Sockets Layer, which usually shows users are protected with the HTTPS section of a web address. With this they can start to intercept and alter the traffic coming through. Or they can create their own fake SSL certificate for the site to make it seem like the connection is normal, though the attacker would have to rely on a gullible user who’d ignore a Tor browser warning.

    Though the Tor Project, the non-profit tasked with maintaining Tor, and the network’s users are all too familiar with and continually try to block these evil relays, it’s a game of whack-a-mole knocking them out of action. That’s partly why the attackers were able to carry out theft over a two-month period.

    There’s some contention over what Jones claims the criminals did to optimise their attacks. According to Jones, as Blockchain.info and LocalBitcoins rely on the hugely popular CloudFlare service to blacklist and whitelist bad exit nodes, the hackers decided to have the sites block legitimate ones.

    “Of the 1000 or so exit relays , the biggest 100 probably carry 90 per cent of the traffic. The attackers managed to blacklist most of the top 100 exit relays – thus most of the Tor exit capacity – with regard to Blockchain and CloudFlare. Because they were running pretty fast bad exit relays they were able to become the only sizeable exit nodes that weren’t blacklisted.”

    Both Blockchain and LocalBitcoins believe this is likely what happened.

    Yet CloudFlare was unable to say whether or not this occurred.

    Reply
  31. Tomi Engdahl says:

    Spy Research Agency Is Building Psychic Machines to Predict Hacks
    http://www.nextgov.com/cybersecurity/2015/02/spy-research-agency-building-psychic-machines-predict-hacks/105882/

    Imagine if IBM’s Watson — the “Jeopardy!” champion supercomputer — could answer not only trivia questions and forecast the weather, but also predict data breaches days before they occur.

    That is the ambitious, long-term goal of a contest being held by the U.S. intelligence community.

    Academics and industry scientists are teaming up to build software that can analyze publicly available data and a specific organization’s network activity to find patterns suggesting the likelihood of an imminent hack.

    The dream of the future: A White House supercomputer spitting out forecasts on the probability that, say, China will try to intercept situation room video that day, or that Russia will eavesdrop on Secretary of State John Kerry’s phone conversations with German Chancellor Angela Merkel.

    IBM has even expressed interest in the “Cyber-attack Automated Unconventional Sensor Environment,” or CAUSE, project. Big Blue officials presented a basic approach at a Jan. 21 proposers’ day.

    Reply
  32. Tomi Engdahl says:

    Bypassing Windows Lock Screen via Flash Screensaver
    http://securitycafe.ro/2015/02/23/bypassing-windows-lock-screen-via-flash-screensaver/

    We have recently discovered an easy method to bypass the Windows Lock screen when a flash screensaver is running.

    The method allows an attacker to gain unauthorized access to a user’s Windows session if he has physical access to a locked machine.

    When a user leaves his computer (ex. during a lunch break), he should lock his session in order to prevent other people from doing actions on his behalf.

    Some computers, mostly in corporate environments, are configured to play a flash animation as screensaver while the computer is locked.

    When the flash screensaver is running (played by Adobe Flash Player), the Windows Lock screen can be bypassed by following these three steps:
    Step 1: Right click anywhere on the screen (without moving the mouse)
    Step 2: Click on “Global Settings” -> “Advanced” -> “Trusted Location Settings” –> “Add” –> “Add File”
    Step 3: Right click on any folder -> “Open in new window”

    Now you have a fully functional Explorer window running as the current user.

    How to remediate

    The only method (that we know of) which remediates this vulnerability is to modify the code of the swf file in order to disable the whole right-click context menu.

    Reply
  33. Tomi Engdahl says:

    Craig Timberg / Washington Post:
    Researchers discover “FREAK” flaw, which can force Safari and Android browsers to use weak encryption, enabling MITM attacks

    “FREAK” flaw undermines security for Apple and Google users, researchers discover
    http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/

    Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited hundreds of thousands of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.

    The flaw resulted from a former U.S. government policy that once forbid the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

    Researchers discovered in recent weeks that they could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button.

    The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have spoken of requiring technology companies to build “doors” into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.

    In recent days, FBI.gov and Whitehouse.gov have been fixed, though NSA.gov remains vulnerable, said Green.

    Reply
  34. Tomi Engdahl says:

    Jeff Mason / Reuters:
    Obama criticizes China’s new rules requiring US tech companies to provide backdoor access, says Beijing must change policy if it wants to do business with USA

    Exclusive: Obama sharply criticizes China’s plans for new technology rules
    http://www.reuters.com/article/2015/03/02/us-usa-obama-china-idUSKBN0LY2H520150302

    Reuters) – President Barack Obama on Monday sharply criticized China’s plans for new rules on U.S. tech companies, urging Beijing to change the policy if it wants to do business with the United States and saying he had raised it with President Xi Jinping.

    In an interview with Reuters, Obama said he was concerned about Beijing’s plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security “backdoors” in their systems to give Chinese authorities surveillance access.

    Reply
  35. Tomi Engdahl says:

    SSL under attack: Apple, Android gear FREAK out, open up to spies
    OpenSSL, iOS and OS X tricked into using weak 1990s-grade encryption keys
    http://www.theregister.co.uk/2015/03/03/government_crippleware_freaks_out_tlsssl/

    Security researchers are warning of a flaw in OpenSSL and Apple’s SecureTransport that’s a hangover from the days when the US government was twitchy and clueless about technology.

    It’s a flaw that allows an attacker to decrypt your login cookies, and other sensitive information, from your HTTPS connections, if you use a vulnerable browser, such as Safari.

    Apple’s SecureTransport is a library used by applications on iOS and OS X, including Safari for iPhones, iPads and Macs. OpenSSL is open source, and used by Android browsers, and many other things.

    OpenSSL and SecureTransport encrypt connections to online banking, webmail, and other HTTPS websites, and so much else on the internet, to thwart eavesdroppers.

    It turns out the encryption used by OpenSSL and SecureTransport can be crippled by an attacker on your network: apps can be tricked into using weak encryption keys

    “A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204,” according to freakattack.com, a website explaining the security flaw.

    “Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites.”

    Fast forward to today

    This latest flaw, highlighted today and dubbed FREAK (Factoring RSA Export Keys), is exploited during the moments when a secure connection is established but the encryption has not started.

    A vulnerable client (such as a web browser, smartphone or internet-of-thing gizmo) starts talking to a server (such as the machine behind a HTTPS website), and lists the encryption algorithms and key lengths it supports and those it prefers. Ideally, these are all strong ciphers and long keys.

    An attacker able to intercept traffic between the client and the server can tamper with that message to say the client only wants weak-ass export-grade keys, such as a 512-bit RSA key.

    Due to bugs in OpenSSL and SecureTransport, if the server shrugs its shoulders and replies with a weak key, the client will accept it, and the encryption process begins.

    Now, 512-bit keys used to be considered good enough 20 years ago, but they aren’t that tough to crack these days. $100 on Amazon Web Services, and a couple of hours computing, should crack most keys – allowing the contents of the intercepted TLS/SSL communications to be decrypted.

    Patches for everyone

    In January, OpenSSL released a patch for the bug, CVE-2015-0204, to sort out the issue, which it ranked as “low” severity.

    “There is an important lesson here about the consequences of crypto policy decisions: the NSA’s actions in the ‘90s to weaken exportable cryptography boomeranged on the agency, undermining the security of its own site twenty years later,” said Canadian security expert Professor Ed Felton.

    Tracking the FREAK Attack
    https://freakattack.com/

    Reply
  36. Tomi Engdahl says:

    Psst, hackers. Just go for the known vulnerabilities
    Look for the obvious, not the esoteric, warns HP
    http://www.theregister.co.uk/2015/02/23/hp_hack_vulnerable_threat_study/

    Despite all the publicity about zero-day exploits, a big percentage of breaches (44 per cent) come from vulnerabilities which are two to four years old.

    Server misconfigurations were the number one vulnerability, according to the latest edition of HP’s annual Cyber Risk Report, which concludes that well-known issues posed the biggest threats to online security.

    Server misconfigurations provided adversaries unnecessary access to files which leaves an organisation susceptible to an attack.

    The primary causes of commonly exploited software vulnerabilities turned out to be either defects, bugs, or logic flaws. Most vulnerabilities stem from a relatively small number of common software programming errors.

    Every one of the top ten vulnerabilities exploited in 2014 took advantage of code written years or even decades ago, according to HP, which recorded an increase in the level of mobile malware detected.

    “Many of the biggest security risks are issues we’ve known about for decades, leaving organisations unnecessarily exposed,” said Art Gilliland, senior vice president and general manager, Enterprise Security Products, HP.

    Reply
  37. Tomi Engdahl says:

    D-Link removes fingers from ears, preps mass router patch
    Amnesia strikes as hacker discloses remote code exec flaws
    http://www.theregister.co.uk/2015/03/04/dlink_removes_fingers_from_ears_preps_mass_router_patch/

    Domestic router Daddy D-Link is patching dangerous remote access flaws in several models of its networking gear.

    The patches follow a round of zero-day disclosures by Canadian researcher Peter Adkins early this week, after D-Link allegedly cut communication while he quietly disclosed the flaws.

    The most severe flaw allowed attackers to hijack the devices including changing DNS settings by creating malicious sites which exploit cross-site request forgeries.

    D-Link issued an advisory in which it warns DIR models 626L; 636L; 808L; 810L; 820L; 826L; 830, and 836L are open to remote code execution.

    Other routers may be affected due to the location of ncc and ncc2 binaries Fellow router hackers Stefan Viehböck and Jeremy Richards found further flaws in five TRENDnet offerings since patched, plus another D-Link mess.

    Reply
  38. Tomi Engdahl says:

    Schneier: Either Everyone Is Cyber-secure Or No One Is
    http://yro.slashdot.org/story/15/03/04/037208/schneier-either-everyone-is-cyber-secure-or-no-one-is

    The Democratization of Cyberattack
    https://www.schneier.com/blog/archives/2015/03/the_democratiza_1.html

    The thing about infrastructure is that everyone uses it. If it’s secure, it’s secure for everyone. And if it’s insecure, it’s insecure for everyone. This forces some hard policy choices.

    When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA’s program for what is called packet injection–basically, a technology that allows the agency to hack into computers.

    Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well.

    This isn’t the only example of once-top-secret US government attack capabilities being used against US government interests. StingRay is a particular brand of IMSI catcher, and is used to intercept cell phone calls and metadata. This technology was once the FBI’s secret, but not anymore.

    Similarly, vulnerabilities in phone switches–SS7 switches, for those who like jargon–have been long used by the NSA to locate cell phones. This same technology is sold by the US company Verint and the UK company Cobham to third-world governments, and hackers have demonstrated the same capabilities at conferences.

    These are the stories you need to keep in mind when thinking about proposals to ensure that all communications systems can be eavesdropped on by government. Both the FBI’s James Comey and UK Prime Minister David Cameron recently proposed limiting secure cryptography in favor of cryptography they can have access to.

    But here’s the problem: technological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

    Even worse, modern computer technology is inherently democratizing. Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

    We can’t choose a world where the US gets to spy but China doesn’t, or even a world where governments get to spy and criminals don’t. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It’s security or surveillance.

    Reply
  39. Tomi Engdahl says:

    The Switch
    ‘FREAK’ flaw undermines security for Apple and Google users, researchers discover
    http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/

    Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.

    The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem.

    The export-grade encryption had 512 bits, the maximum allowed under U.S. restrictions designed to limit trade in military technologies in the 1990s

    “We thought of course people stopped using it,”

    For vulnerable sites, Heninger found that she could crack the export-grade encryption key in about seven hours, using computers on Amazon Web services. This would allow hackers to conduct what experts call a “man-in-the-middle” attack to make seemingly encrypted traffic easy to read.

    More than one third of encrypted Web sites – including those bearing the “lock” icon that signifies a connection secured by SSL technology – proved vulnerable to attack in recent tests conducted by University of Michigan computer science researchers J. Alex Halderman and Zakir Durumeric.

    There is no way to know how widely the FREAK flaw has been used to hack Internet users, though “man-in-the-middle attacks” are popular among governments conducting online surveillance, particularly in their own countries, such as Iran and China.

    Google’s Chrome browser is not vulnerable to the FREAK bug, but the browser that comes built into most Android devices is vulnerable.

    Reply
  40. Tomi Engdahl says:

    ‘Security, privacy’ main barrier to ‘government cloud’ rollout in EU
    We don’t think that’s why Gov.uk is not cloudified…
    http://www.theregister.co.uk/2015/03/04/security_and_privacy_issues_main_barrier_to_government_cloud_deployment_in_eu/

    Security and privacy issues are holding back “the cloudification of governmental services” in the EU, according to a new report.

    The European Union Agency for Network and Information Security (ENISA) said concerns about how sensitive data is protected in a cloud computing environment have not been resolved. It said data security and privacy issues were the main reasons that “deployment of governmental cloud computing is in general at a very early stage (click through for 40-page/3.03MB PDF)” in the EU.

    https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/governmental-cloud-security/security-framework-for-govenmental-clouds/security-framework-for-governmental-clouds

    Reply
  41. Tomi Engdahl says:

    Privacy? What privacy? EU’s draft law on your data is useless, say digital rights orgs
    Latest leaked draft demolishes original text
    http://www.theregister.co.uk/2015/03/04/data_protection_what_data_protection_proposed_new_law_is_as_good_as_useless_say_digtal_rights_orgs/

    Reply
  42. Tomi Engdahl says:

    Associated Press:
    Hillary Clinton used her own private email server for official business as secretary of state; emails backed up to Google in 2012

    Clinton ran own computer system for her official emails
    http://bigstory.ap.org/article/b78ba433af3a45209668f745158d994c/clinton-ran-homebrew-computer-system-official-emails

    The highly unusual practice of a Cabinet-level official physically running her own email would have given Clinton, the presumptive Democratic presidential candidate, impressive control over limiting access to her message archives.

    It was unclear whom Clinton hired to set up or maintain her private email server

    In November 2012, without explanation, Clinton’s private email account was reconfigured to use Google’s servers as a backup in case her own personal email server failed, according to Internet records.

    The New York Times reported Monday that Clinton exclusively used a personal email account it did not specify to conduct State Department business.

    Clinton’s private email account surfaced publicly in March 2013 after a convicted Romanian hacker known as Guccifer published emails stolen from former White House adviser Sidney Blumenthal.

    Reply
  43. Tomi Engdahl says:

    New York Times:
    Hillary Clinton’s use of private email helped stonewall FOIA requests by Gawker and the Associated Press

    Using Private Email, Hillary Clinton Thwarted Record Requests
    http://www.nytimes.com/2015/03/04/us/politics/using-private-email-hillary-clinton-thwarted-record-requests.html?_r=0

    In 2012, congressional investigators asked the State Department for a wide range of documents related to the attack on the United States diplomatic compound in Benghazi, Libya. The department eventually responded

    The State Department had not searched the email account of former Secretary of State Hillary Rodham Clinton because she had maintained a private account, which shielded it from such searches, department officials acknowledged on Tuesday.

    It was one of several instances in which records requests sent to the State Department, which had no access to Mrs. Clinton’s emails, came up empty.

    Mrs. Clinton’s exclusive use of personal email for her government business is unusual for a high-level official, archive experts have said. Federal regulations, since 2009, have required that all emails be preserved as part of an agency’s record-keeping system. In Mrs. Clinton’s case, her emails were kept on her personal account and her staff took no steps to have them preserved as part of State Department record.

    Mrs. Clinton’s aides have said her use of private email was not out of the ordinary, pointing to the fact that former Secretary of State Colin Powell also used a personal email account

    Reply
  44. Tomi Engdahl says:

    David Kravets / Ars Technica:
    US air traffic control computer system vulnerable to terrorist hackers
    FAA didn’t always ensure passwords were encrypted “when transmitted or stored.”
    http://arstechnica.com/tech-policy/2015/03/us-air-traffic-control-computer-system-vulnerable-to-terrorist-hackers/

    The US system for guiding airplanes is open to vulnerabilities from outside hackers, the Government Accountability Office said Monday. The weaknesses that threaten the Federal Aviation Administration’s ability to ensure the safety of flights include the failure to patch known three-year-old security holes, the transmission and storage of unencrypted passwords, and the continued use of “end-of-life” key servers.

    The GAO said that deficiencies in the system that monitors some 2,850 flights at a time has positioned the air traffic system into an “increased and unnecessary risk of unauthorized access, use or modification that could disrupt air traffic control operations.”

    The flying public’s safety is in jeopardy until there’s a fix to the system used at some 500 airport control towers

    Reply
  45. Tomi Engdahl says:

    15-year-old bug allows malicious code execution in all versions of Windows
    Windows admins: Patch now, unless you run 2003, in which case you’re out of luck.
    http://arstechnica.com/security/2015/02/15-year-old-bug-allows-malicious-code-execution-in-all-versions-of-windows/

    Microsoft just patched a 15-year-old bug that in some cases allows attackers to take complete control of PCs running all supported versions of Windows. The critical vulnerability will remain unpatched in Windows Server 2003, leaving that version wide open for the remaining five months Microsoft pledged to continue supporting it.

    The flaw, which took Microsoft more than 12 months to fix, affects all users who connect to business, corporate, or government networks using the Active Directory service.

    Reply
  46. Tomi Engdahl says:

    “Cyber Armageddon” not likely to wipe out US, intelligence director says
    Cyber threats “are increasing in frequency, scale, sophistication, and severity.”
    http://arstechnica.com/tech-policy/2015/02/cyber-armageddon-not-likely-to-wipe-out-us-intelligence-director-says/

    The likelihood that the US will suffer from a “catastrophic” cyber attack is unlikely, the nation’s top intelligence officer said Thursday. Instead, the country will be peppered with “low-to-moderate level cyber attacks,” James Clapper, the director of national intelligence, told the Senate Armed Services Committee on Thursday.

    “Cyber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact,” according to the “Worldwide Threat Assessment of the US Intelligence Community”

    Listing cyber attacks as the leading threat to national security over terrorism, the report said the government’s “unclassified” IT systems supporting military, commercial, and social activities “remain vulnerable to espionage and/or disruption.” The top nation-states where the threats are coming from include China, Iran, North Korea, and Russia, the report said.

    The report noted that Russia, like the US, is establishing cyber offensive capabilities that include “propaganda operations and inserting malware into enemy command and control systems.”

    http://cdn.arstechnica.net/wp-content/uploads/2015/02/Clapper_02-26-15.pdf

    Reply
  47. Tomi Engdahl says:

    Is this claim trure?

    Dropbox Accesses All The Files in Your PC (Not Just Sync Folder) and Steals Everything
    http://www.e-siber.com/guvenlik/dropbox-accesses-all-the-files-in-your-pc-not-just-sync-folder-and-steals-everything/

    I’ve heard a lot about Dropbox until now. They were not so interesting but a little controversial. But now, I have discovered something quite striking. Dropbox syncs not only its own folder but also everything in local drive (C:) without any user consent or permission. I caught it red-handed while working with my DLP (data loss prevention) endpoint agent that I adjust DLP system to work properly on production environment.

    All the firewall logs showed Dropbox movements. The logs also showed me a number of Amazon AWS destinations. But I was not sure whether they belonged to Dropbox services.

    All the things I have explained up to here shows us that Dropbox moves through your computer illegally. And it never limits itself to the original sync folder. All these is a proof of an untrustworthy or fraudulent way/behaviour.

    Comments:
    TLDR: Windows Explorer asks Dropbox whether it should display a green or blue icon for a file. It does this for all files, including those outside of the Dropbox folder.

    His claims do not prove that Dropbox are not accessing/stealing your files

    What happens here is that Windows Explorer asks Dropbox whether it should display a green or blue icon for a file. It does this for all files, including those outside of the Dropbox folder.
    So no, Dropbox is not stealing your files.

    No, Dropbox is not stealing your files
    https://medium.com/@razvanh/no-dropbox-is-not-stealing-your-files-24ecd443b5ac

    TLDR: Windows Explorer asks Dropbox whether it should display a green or blue icon for a file. It does this for all files, including those outside of the Dropbox folder.

    Reply
  48. Tomi Engdahl says:

    Micah Singleton / The Verge:
    Reports of Apple Pay fraud are due to a loophole in banks’ verification procedures, not a breach of Apple’s encryption

    Does Apple Pay really have a fraud problem?
    The fraud is happening through the banks, not through Apple Pay
    http://www.theverge.com/2015/3/4/8149663/apple-pay-credit-card-fraud-banks

    Apple Pay is being used for fraudulent activities by criminals with stolen identities and credit cards, as first reported by The Guardian. While Apple Pay encryption has not been breached, the mobile payments system has seen an increase in fraud as criminals exploit a hole in the verification process when you add a new card to Apple Pay, allowing them to add stolen credit cards to their iPhones, according to sources familiar with the situation.

    To add a new card to Apple Pay, it must be provisioned, or verified by the issuing bank. The first step in this process is called “green path” authentication. With green path, Apple sends the encrypted data from your card, along with information like the name of your device, its current location, and whether or not you have an extensive transaction history with iTunes to your bank. All banks have the ability to add another verification step to the process, like a text message, email or using their app, but many do not.

    Issues stem from customer service call centers with lackluster verification methods

    Apple Pay: a new frontier for scammers
    http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers

    Apple’s mobile payment system has provided a method for US criminals to make fraudulent transactions – and banks are rushing to stem the tide

    Reply
  49. Tomi Engdahl says:

    Why Clinton’s Private Email Server Was Such a Security Fail
    https://www.wired.com/2015/03/clintons-email-server-vulnerable/

    For a secretary of state, running your own email server might be a clever—if controversial—way to keep your conversations hidden from journalists and their pesky Freedom of Information Act requests. But ask a few security experts, and the consensus is that it’s not a very smart way to keep those conversations hidden from hackers.

    On Monday, the New York Times revealed that former secretary of state and future presidential candidate Hillary Clinton used a private email account rather than her official State.gov email address while serving in the State Department. And this was no Gmail or Yahoo! Mail account: On Wednesday the AP reported that Clinton actually ran a private mail server in her home during her entire tenure leading the State Department, hosting her email at the domain Clintonemail.com.

    Much of the criticism of that in-house email strategy has centered on its violation of the federal government’s record-keeping and transparency rules. But as the controversy continues to swirl, the security community is focused on a different issue: the possibility that an unofficial, unprotected server held the communications of America’s top foreign affairs official for four years, leaving all of it potentially vulnerable to state-sponsored hackers.

    “Although the American people didn’t know about this, it’s almost certain that foreign intelligence agencies did, just as the NSA knows which Indian and Spanish officials use Gmail and Yahoo accounts,” says Chris Soghoian, the lead technologist for the American Civil Liberties Union. “She’s not the first official to use private email and not the last. But there are serious security issue associated with these kinds of services…When you build your house outside the security fence, you’re on your own, and that’s what seems to have happened here.”

    The most obvious security issue with Clinton running her own email server, says Soghoian, is the lack of manpower overseeing it compared with the State Department’s official email system. The federal agency’s own IT security team monitors State Department servers for possible vulnerabilities and breaches, and those computers fall under the NSA’s protection, too.

    Clinton’s email wouldn’t have the benefit of any of that expensive government security. If she had hosted her email with Google or even Yahoo! or Microsoft, there might be an argument that those private companies’ security teams are just as competent as the those of the feds. But instead, according to the Associated Press, Clinton ran her server from her own home. Any protection it had there—aside from the physical protection of the Secret Service—would have been limited to the Clintons’ own personal resources.

    A more specific threat to Clinton’s private email relates to its domain name. Unlike the State Department’s State.gov domain, Clinton’s Clintonemail.com is currently registered with a private domain registrar, Network Solutions, as a simple Whois search reveals. The domain Clintonemail.com (and thus its registrar) was certainly known to at least one hacker: The notorious celebrity hacker Guccifer first revealed it in 2013 when he spilled the emails of Clinton associate Sydney Blumenthal.

    Anyone who hacked Network Solutions would be able to quietly hijack the Clintonemail.com domain, intercepting, redirecting, and even spoofing email from Clinton’s account. And Network Solutions is far from the Internet’s hardest target: Hundreds of its domains were hacked in 2010, a year into Clinton’s tenure at the head of the State Department.

    Even if Clinton used the account only for personal messages rather than those of international importance (say, something along the lines of: “Let’s go ahead and drop those bombs, Bibi”) the notion that they could be both intercepted and spoofed through a common hacking vector is particularly troubling. “Even the most mundane of communications can be interesting to an intelligence service,”

    Reply
  50. Tomi Engdahl says:

    Choc Factory splatters 51 bugs, Mozilla bumps cert checker
    Bad certs now killed faster
    http://www.theregister.co.uk/2015/03/05/choc_factory_splatters_51_bugs_mozilla_bumps_cert_checker/

    Google and Firefox have upgraded their flagship browsers, crushing bugs and cracking down on bad certificates along the way.

    The Choc Factory’s Chrome 41 swats 51 bugs of which at least 13 are classified as high severity and six considered medium risks.

    Google engineer Penny MacNeil thanked security researchers for the effort to identify the bugs.

    Mozilla’s updates Firefox version 37 include a revocation feature to bolster the killing of bad intermediate certificates.

    The OneCRL replaces the Online Certificate Status Protocol which is less effective because it relies on third parties to keep updated registries of their valid and revoked certificates. Certificates were often accepted as soft-fails when the status could not be determined due to some technical or connectivity failure.

    Mozilla’s new list operates in the browser and is populated by issuers who push certificate status instead of the browser having to do the fetching.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*