Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.
Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.
As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.
Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Broadband routers: SOHOpeless and vendors don’t care
The basic internet access device in hundreds of millions of homes is an insult to IT
http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/
Feature
“It is far more common to find routers with critical flaws than without” – Craig Young
“It’s sad that end-user education about strong passwords, password safes, and phishing can be undone by something as innocuous as the blinking box in the corner of your room. – Peter Adkins
Introduction
Home and small business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities.
Many of the holes are so simple as to be embarrassing. Hard-coded credentials are so common in small home and office routers, comparatively to other tech kit, that only those with tin-foil hats bother to suggest the flaws are deliberate.
Hacker gang Lizard Squad crystallised the dangers – and opportunities – presented by router vulnerabilities when over the Christmas break they crafted a slick paid denial of service stresser service that operated on hacked boxes.
A year earlier, security boffins at Team Cymru warned that an unknown ganghad popped 300,000 routers in a week, altering the DNS settings to point to malicious web entities.
Arguably the most infamous hack in recent months was Check Point’s so-called Misfortune Cookie discovered in December 2014. This vulnerability was thought to impact a staggering 12 million routers across 200 models from big names such as Linksys, D-Link, TP-Link, ZTE, and Huawei.
In October Rapid7 had chipped in with its own research, warning that Network Address Translation Port Mapping Protocol configurations in 1.2 million routers was sufficiently borked that remote attackers could spy on internal traffic.
Security is ‘abysmal’
“Router security remains abysmal, especially among the cheapest brands,” says John Matherly, founder of the popular Shodan search engine which crawls for internet-connected devices. “Backdoors, no automated patching and default usernames and passwords are just a few of the problems that many SOHO routers continue to face.”
Tomi Engdahl says:
Taking Back the Reigns: Proactive Security Design vs. Reactive Administration
http://www.securityweek.com/taking-back-reigns-proactive-security-design-vs-reactive-administration
I’m probably stating the obvious, but a brief look at security reports that summarize 2014 demonstrates that attackers, again, have the upper hand. The following summary statistics* reveal a very clear picture:
• Number of successful attacks annually has increased by 144%
• The cost of data breach has increased by 96%
• Time it takes to resolve a cyber-attack has increased 221%
(*Based on internal analysis of the results from the 2011-2014 “Cost of Cyber Crime Study” reports from Ponemon Institute and HP)
The market is good at presenting statistics, but usually when analyzing the reasons for these disturbing trends, the market doesn’t do such a good job. Yes, we will see explanations for the trend based on new attack motivations such as hacktivisim, financially motivated attacks, government investments in cyber defense and offense – all this is true but, given the multi-billion dollar investments in cyber security, why are attackers still so successful?
Today’s attacks evade most advanced cyber-attack detection and prevention technologies in a matter of days and sometime even hours. Attackers behind well-organized advanced attack campaigns have the capability to analyze the security products’ capabilities before and during the attack and then to modify their attack tools, create new malware software, change the “route” of attack etc. all in a way that will bypass defense and, eventually, achieve the attack’s goal.
Tomi Engdahl says:
FireEye Integrates With Samsung KNOX-enabled Devices
http://www.securityweek.com/fireeye-integrates-samsung-knox-enabled-devices
FireEye this week announced a new product integration with Samsung to enhance the security of mobile devices running Samsung’s KNOX enterprise security platform.
According to the security firm, the integrated offering is capable of intercepting mobile apps before they are installed on a device by leveraging FireEye’s Mobile Threat Prevention platform. The technology is able to determine risk status, analyze, detect and block high-risk apps, as well as notify users of behaviors consistent with malware activity.
The FireEye and Samsung integrated solution will help discover potentially harmful apps and proactively mitigate risk on Samsung KNOX-enabled devices, FireEye said. The integration leverages Samsung’s secure APIs to enable FireEye to suspend an app from running on supported Samsung devices until it has analyzed the application for security risks.
“Mobile devices in a BYOD environment are the central point where business and personal information is located in one location and includes rich details such as contact, location and calendars to go along with email and files,” Manish Gupta senior vice president of products at FireEye, said in a statement. “This creates a highly valuable target for bad actors and apps are a perfect delivery method as they open the device up to a wide variety of malicious activity.”
Tomi Engdahl says:
Angler Exploit Kit Uses Domain Shadowing to Evade Detection
http://www.securityweek.com/angler-exploit-kit-uses-domain-shadowing-evade-detection
The notorious Angler exploit kit has started leveraging a new technique to ensure that its malicious activities are not interrupted when the domains it uses are blacklisted, researchers at Cisco revealed on Tuesday.
The Angler exploit kit has made numerous headlines over the past few months after cybercriminals integrated Adobe Flash Player zero-days and Internet Explorer exploits. Experts believe Angler is currently one of the most sophisticated and widely used exploits kits.
The new technique spotted by Cisco, dubbed “domain shadowing,” involves compromised domain registration accounts. The attackers hijack these accounts, usually through phishing, and they use them to create subdomains.
Tomi Engdahl says:
Why “Let’s Encrypt” Won’t Make the Internet More Trustworthy
http://www.securityweek.com/why-lets-encrypt-wont-make-internet-more-trustworthy
Tomi Engdahl says:
Taking Back the Reigns: Proactive Security Design vs. Reactive Administration
http://www.securityweek.com/taking-back-reigns-proactive-security-design-vs-reactive-administration
’m probably stating the obvious, but a brief look at security reports that summarize 2014 demonstrates that attackers, again, have the upper hand. The following summary statistics* reveal a very clear picture:
• Number of successful attacks annually has increased by 144%
• The cost of data breach has increased by 96%
• Time it takes to resolve a cyber-attack has increased 221%
(*Based on internal analysis of the results from the 2011-2014 “Cost of Cyber Crime Study” reports from Ponemon Institute and HP)
The market is good at presenting statistics, but usually when analyzing the reasons for these disturbing trends, the market doesn’t do such a good job. Yes, we will see explanations for the trend based on new attack motivations such as hacktivisim, financially motivated attacks, government investments in cyber defense and offense – all this is true but, given the multi-billion dollar investments in cyber security, why are attackers still so successful?
Today’s attacks evade most advanced cyber-attack detection and prevention technologies in a matter of days and sometime even hours. Attackers behind well-organized advanced attack campaigns have the capability to analyze the security products’ capabilities before and during the attack and then to modify their attack tools, create new malware software, change the “route” of attack etc. all in a way that will bypass defense and, eventually, achieve the attack’s goal.
Tomi Engdahl says:
AETs: The Ultimate Stealth Attack?
http://www.securityweek.com/aets-ultimate-stealth-attack
Advanced Evasion Techniques (AETs) – Dynamic and Constantly Evolving Network Threats
There seems to be some confusion regarding what advanced evasion techniques (AETs) are and are not. A recent survey shows that 70 percent of CIOs and security managers claimed knowledge of AETs, but fewer than half could correctly define them. What’s worse, some IT practitioners question the very existence of AETs—a troubling and dangerous mindset, especially for anyone in charge of securing IT systems. These misunderstandings and lack of awareness serve to keep AETs under organizational security radars.
Let’s start by dispelling the fiction. AETs are NOT urban legends or conspiracy theories invented by security vendors. They’re real, and they are used on a global scale by criminals and state-sponsored hackers to inflict real damage on corporations and governmental agencies.
Separating Fact from Fiction: AETs Defined
Advanced evasion techniques disguise malicious payloads by splitting them into smaller pieces and then delivering the pieces simultaneously, or at varying times, across multiple or rarely used network protocols. Once inside networks, the pieces reassemble to unleash malware that, for example, might quietly exfiltrate sensitive or valuable information over weeks, months, or even years.
Using a real example, the Conficker worm, which emerged in late 2008, was one of the first malware attacks to leverage advanced evasion techniques.
Why Isn’t the News Full of AET-based Breaches?
I’m asked this question all the time: “If advanced evasion techniques are such a big deal, why aren’t they prime-time news like Stuxnet or BlackPOS?”
There are two key points to keep in mind here. First, AETs are not actually malware. Rather, they are clever attack methods used to deliver malware directly through perimeter security defenses. AETs are designed specifically to evade detection by most firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and even routers that perform deep packet inspection. Given the thousands of ways for attackers to split malicious payloads, along with the hundreds of potential delivery methods, it’s estimated that there are currently more than 800 million viable AET combinations.
Second, the evolving threat landscape and culture of hackers is another major change. AETs aren’t created by the hacker hobbyists of the past who were often trying to outdo each other by causing maximum damage and getting massive publicity. Today’s cyber criminals are typically well-resourced, highly motivated attackers who are often accomplished software engineers working for cybercrime syndicates.
Security is a Journey, not a Destination
However, there are steps you can take today to protect your organization against AETs:
• Identify and prioritize your critical assets.
• Protect your organization.
• Don’t compromise security for performance.
• Deploy and use intelligent, centralized management.
Tomi Engdahl says:
A Holistic View of Risk: Moving Beyond Security Risk Management
http://www.securityweek.com/holistic-view-risk-moving-beyond-security-risk-management
The increasing severity and volume of cyber-attacks has motivated many organizations to improve and pay particular attention to security risk management.
Since business operations and IT teams typically work in separate silos and use different information and tools, this leads to redundant data collection, overlapping processes, and higher costs. To alleviate this inefficiency, many organizations are moving towards integrating operational and security risk management across the enterprise.
Typically, organizations manage operational risk and security risk separately, via two distinct organizations.
Operational risk management is not just focused on assessments and reporting, but rather on a top-down risk data model that drives action-ability to govern business units’ key risk indicators (KRIs). Its primary objective is to fulfill the organization’s obligations to auditors.
While separating both operational and security risk management has been a common practice, dynamic changes in the threat landscape are forcing organizations to integrate the two disciplines to gain a holistic view into risk. The bitter truth is that one can schedule an audit, but one cannot schedule a cyber-attack.
A good example is third-party risk management, which typically was being handled within the operational risk management practice.
The transition from a compliance-driven check-box approach to a risk-based model, enables businesses to centralize the ongoing definition, evaluation, remediation, and analysis of their risk posture in a closed-loop process.
Security Metrics: Presenting Change Over Time
http://www.securityweek.com/security-metrics-presenting-change-over-time
My recommendation is to keep it simple and let your reader’s visual system work its magic.
Try not to confuse your brain while it’s working to interpret your charts. One thing not to do is to present charts together that represent disconnected things, or that don’t vary together. If you’re presenting several things to demonstrate a connection between them, you should have the values on the same scale or you’re defeating the reader’s eye/brain gestalt.
Remember the riddle, “What is the best time to plant an oak tree?” The answer is “50 years ago.” That applies to metrics, too. The best time to have started your metrics program was about 2 years ago, so you’d have a nice run of numbers to work with and to compare against.
Tomi Engdahl says:
China Promises Strict Security Checks on Government IT Suppliers
http://www.infosecurity-magazine.com/news/china-promises-strict-security-checks-on/
The Chinese government has decided to start screening IT kit destined for government departments, ostensibly in a bid to bolster national security but in a move many will see as deliberately aimed at Washington.
The State Internet Information Office claimed the vetting process was designed filter out products and services that illegally gather and store customer information and to close down the risk of IT suppliers controlling or disrupting customers’ systems, according to state-run Xinhua.
Any suppliers that don’t agree to the new checks will be barred from the Middle Kingdom.
Tomi Engdahl says:
A new breed of startups is helping hackers make millions — legally
The bug bounty business is booming
http://www.theverge.com/2015/3/4/8140919/get-paid-for-hacking-bug-bounty-hackerone-synack
Shashank Kumar was in seventh grade when he was introduced to computer hacking. At first he had fun breaking in and defacing web sites, something he says he now regrets, but then he learned that he can get paid for reporting the weaknesses he was exploiting. Under the handle @cyberboyIndia, he says he has earned around $30,000 in so called bug bounties, enough to pay for a good portion of his college education.
hunting for software vulnerabilities on services run by firms like Yahoo, Paypal, and AT&T. On Twitter, Shashank catalogs the rewards he receives for reporting weaknesses, a highlight reel that ranges from a free hat, to a new smartphone, to a $1,500 check. The money is good, although it’s murder on his grades.
Shashank is part of a broader trend sweeping the security industry. Last week, Google announced that it was changing the rules on its bug bounty program, Pwnium. Instead of a respectable $2.7million awarded once a year, the contest will now run year round, with a total prize pool of “∞ million*.” In other words the money never has to stop flowing, although Google’s clever asterisk placement reserves the right to cancel at any time.
But that’s not likely to happen, at least if Google wants to stay competitive. Bug bounty programs used to work with informal rewards: a thank you letter, an online shoutout, a free t-shirt, or perhaps a few hundred dollars. But over the last five years, they have become a bonanza. Almost every major tech company has one running, and they have steadily increased the size and volume of rewards.
Most importantly, a new breed of startups like Crowdcurity, Bugcrowd, Synack, and HackerOne have made it possible for any company to launch its own bug bounty, dramatically expanding the size of the market.
“It’s changed the way we think about security,”
Like most companies, Vimeo had a chicken and egg problem. Building up critical mass of trusted researchers required shelling out big bucks. But it was loath to open up its checkbook for people it didn’t know and trust, especially a disparate and sometimes anonymous mob of teenage hackers.
Bug bounty startups essentially act as market makers, creating trust and liquidity so that smaller companies like Vimeo can tap into the supply of global hackers. “Paying people can be a real pain; they are all over the world, and they don’t have W-9s,” says Pile. HackerOne handles the legal and logistical nightmare, taking care of billing and payment in exchange for a 20 percent commission on top of each bounty.
“There is a huge amount of trust involved,” says Vimeo’s Pile. “They spend a ton of time identifying and documenting these issues, and then the report goes into a black box. I closed out a significant number that were duplicates, and unfortunately we can only pay on a first come first serve basis.”
Interestingly, none of the half dozen researchers from bug bounty leader boards contacted by The Verge were doing this work full time.
Alex Rice, the former head of Facebook security and now CTO of HackerOne, says that most hackers will choose an official program over the black market, even if the prices are not as high. “To sell something on the black market, you have to weaponize it. That can take months. And so you have to empower the majority. They have the software skills but not the malicious intent.”
But some industry experts warn that if not handled properly, this dynamic can have repercussions for the companies running the bounty programs.
He used the example of a hacker who reports a duplicate that has not yet been patched. “Okay, if you’re not interested in what we’ve discovered, we’ll swap our white hat for a grey / black hat and talk to someone else who may well pay us more.”
Some security professionals who were critical of the proliferation in bug bounties a few years ago have since changed their tune. “I was afraid companies would start these programs and people would put up terrible bugs and demand money for them, and companies would waste time on them while real security vulnerabilities didn’t get fixed,” says Dan Kaminsky. “But I’m pleasantly surprised with how well they have worked in the field. There is a serious talent crunch, and programs like this help to maximize a company’s ability to tap all the expertise out there.”
But studies of the Chrome and Firefox bounty programs have found they are cheaper than hiring full-time security researchers. “Organizations are coming to realize that the tools of the past don’t scale to the way they develop applications today,”
https://www.eecs.berkeley.edu/~daw/papers/vrp-use13.pdf
Tomi Engdahl says:
Brazilian Cell Phone to encrypt all traffic
Edward Snowden revelations are actually launched a completely new device type, the maximum security offer smartphones. Brazilian Sikur presents a mobile trade show in Barcelona its own version of the device, where all the data traffic between users is protected.
Endives Granitephone based viriteltyyn version of Android. The trick is to chicory own software, which encrypts calls, text messaging, instant messaging and file on two Granitephonen user.
The market has many software are based security mobile phones. Their shortcoming is often much slower than the normal operation of mobile phones. Sikur promises that the device is completely normal for Android mobile phone way, if the hardware encryption feature is not desired.
Granitephonen security is based on the fact that inside the device has its own protected “sandbox”. It is isolated from the environment in which the safety application and the data stored will be installed. Other applications can not access this insulated compartment.
Currently Sikur looking for their device manufacturing partner. The final device will be the Qualcomm Snapdragon processor
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2515:brassikannykka-salaa-kaiken-liikenteen&catid=13&Itemid=101
Tomi Engdahl says:
PATCH FREAK NOW: Cloud providers faulted for slow response
Pitting 90s technology against modern hackers is ‘no contest’
http://www.theregister.co.uk/2015/03/05/cloud_patching_freak_out_attack/
Hundreds of cloud providers are still vulnerable to the serious FREAK cryptographic vulnerability.
Skyhigh Networks found that 766 cloud services are still at risk 24 hours after FREAK was made public, based on an analysis of more than 10,000 different services.
The average company is using 122 potentially vulnerable services. The two stats taken together imply that more popular cloud services are disproportionately affected by slow patching against FREAK.
The FREAK (Factoring attack on RSA-Export Keys) vulnerability makes it possible for hackers to force browsers to use old ‘export-grade’ encryption and then decipher it in order to steal passwords and other personal information.
Websites as well as cloud services are potentially at risk. OpenSSL patched the vulnerability in January, while characterising the flaw as “low risk”.
Although there remains no particular evidence of actual attacks this assessment has been revised this week and the vulnerability is now been treated as serious and easy to exploit on vulnerable systems, if not critical.
One in ten (9.7 per cent) of Alexa Top one million domain remain vulnerable (down from 12.2 per cent initially), according to a dedicated tracking site.
“The impact of exploitation of this vulnerability is in the worst case (Java/CyaSSL), where a threat actor is able to perform a Man-in-the-Middle attacks, the ability to impersonate any server and force the connection to clear-text facilitating eaves dropping and content modification.”
FREAK, much like the POODLE SSLv3 security vulnerability before it, underlines the point that many websites and web services allow user to fall back onto cryptographic protocols that are hopelessly insecure.
Hawthorn commented: “The fact that base levels of encryption are still accessible on so many websites is alarming. In theory, these low levels allow any device to communicate with any website using the strongest encryption possible. However, no one is accessing their bank account from an Acorn Computer and FREAK serves as a timely reminder that they should be put out to pasture.”
Tomi Engdahl says:
Facebook rant lands US man in UAE jail
http://www.bbc.com/news/technology-31692914
An expat American has been arrested in the United Arab Emirates for comments he posted on Facebook while in the US.
On returning to Abu Dhabi from Florida, he was arrested for breaking the country’s strict cyber-slander laws.
In the post, Mr Pate called Gal “backstabbers” and warned other contractors about working for the firm. He also complained about life in the UAE and used a racial slur against the region’s people.
He returned to Abu Dhabi in order to resign but soon after arriving he was called by police who told him to report to a nearby police station. On attending he was shown screenshots of the Facebook message and told his employer had filed charges accusing him of breaking wide-ranging Emirates laws that ban slander.
The laws were introduced in late 2012 and make it an offence to use the net to mock or deride organisations and individuals.
line
“I never even entertained the fact that I would wind up in prison out here for something I put on Facebook in the United States,” said Mr Pate.
Tomi Engdahl says:
Symantec: Corporate divorce starts on April Fool’s Day
Unhappy bedfellows split sales team from next month
http://www.channelregister.co.uk/2015/03/05/symantec_veritas_split_april_fools_day/
Symantec is to operate as two separate storage and security organisations from April Fool’s Day, as the deadly serious game of long-term survival begins in earnest.
“We have begun to realign the sales and marketing organisations to support both businesses, starting with two new global sales leaders: Adrian Jones for Symantec and Brett Shrink for Veritas,”
The Veritas brand will cover the Information Management side of the house
Symantec will be legally split by January 2016
Tomi Engdahl says:
“Smart” keyboard knows who’s typing
http://www.edn.com/electronics-blogs/tech-edge/4438776/-Smart–keyboard-knows-who-s-typing?_mc=NL_EDN_EDT_EDN_weekly_20150305&cid=NL_EDN_EDT_EDN_weekly_20150305&elq=d7c65291367b42788fdf3d64ef3858f5&elqCampaignId=21948&elqaid=24642&elqat=1&elqTrackId=ce68bbebe6444640b927d2a1d48b0e96
Researchers from several universities, including the Georgia Institute of Technology, are working on a keyboard that can isolate typing patterns — such as pressure applied to each key and the time spent between strokes — to accurately identify users. Their findings were published in the journal ACS Nano.
Tomi Engdahl says:
Suhasini Raj / New York Times:
Indians Find Ways to Watch Rape Documentary Despite Ban — NEW DELHI — A British-made documentary about a grisly gang rape in India spread throughout social media on Thursday, gaining a wide audience despite a government ban and thwarting official efforts to block it.
http://www.nytimes.com/2015/03/06/world/asia/indias-efforts-to-ban-rape-documentary-spur-greater-interest-online.html?_r=0
Tomi Engdahl says:
FREAKing hell: All Windows versions vulnerable to SSL snoop
Relax! We’ve got a (server-knackering) workaround to sort things out, says Microsoft
http://www.theregister.co.uk/2015/03/06/all_microsoft_windows_versions_vulnerable_to_freak/
Microsoft says its implementation of SSL/TLS in all versions of Windows is vulnerable to the FREAK encryption-downgrade attack.
This means if you’re using Windows, an attacker on your network can potentially force Internet Explorer and other software using the Windows Secure Channel component to use weak encryption over the web.
Intercepted HTTPS connections can be easily cracked, revealing sensitive details such as login cookies and banking information, but only if the website or service at the other end is still supporting 1990s-era cryptography (and millions of sites still are).
“Microsoft is aware of a security feature bypass vulnerability in Secure Channel (Schannel) that affects all supported releases of Microsoft Windows,” Redmond says in an advisory.
“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system.
The bug (CVE-2015-1637) in Windows’ Secure Channel component is not thought to be under active attack by eavesdroppers at the time of writing.
Microsoft Security Advisory 3046015
https://technet.microsoft.com/en-us/library/security/3046015.aspx
Tomi Engdahl says:
France fingered as source of Syria-spying Babar malware
Crack team of malware boffins think DGSE coded reconware
http://www.theregister.co.uk/2015/03/06/french_spooks_syrians_with_casper_malware/
France’s spy agency has been fingered as the likely author of complex reconnaissance malware, researchers say.
The Casper malware is one of a handful with links to the Babar spy program which leaked NSA documents revealed last month to be the handiwork of France’s Direction Générale de la Sécurité Extérieure (General Directorate for External Security or DGSE).
Barbar emerged in 2009 and has since been used to steal keystrokes, clipboards and listen in on Skype conversations among other feats of interception.
“To attack their targets, Casper’s operators used zero-day exploits in Adobe Flash, and these exploits were – surprisingly – hosted on a Syrian governmental website,” Calvet says.
“Casper is a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines.”
Tomi Engdahl says:
GoPro cameras’ WiFi security is GoAmateur
Slurp sick sports selfies without getting off your skateboard
http://www.theregister.co.uk/2015/03/06/gopro_have_amateur_wifi_security/
Net nuisances can harvest the cleartext SSIDs and passwords of wireless networks accessed by sports selfie box GoPro.
The GoPro app collects and siphons wireless credentials so it can be used to log on to and manage cameras. Security researcher Ilya Chernyakov says the credentials which give access to the cameras could be mass harvested with a script to change a numerical token value within a generated URL.
“All you need to do, to access someone else’s Wi-Fi settings is to change this number,” Chernyakov says.
“I wrote a small python script that runs on a range of the URLs, extracts the settings from the response and puts them into a csv file.
“There were no complications, nor noticeable shape limiting for downloading so I was able to create a list of 1000 Wi-Fi names and passwords, including my own.”
Tomi Engdahl says:
SSL-busting adware: US cyber-plod open fire on Comodo’s PrivDog
Superfish sequel: I’m looking at the man in the middle
http://www.theregister.co.uk/2015/02/24/comodo_ssl_privdog/
Tomi Engdahl says:
Basware’s payment software is Helsingin Sanomat , the bad security shortcomings.
Security holes utilizing the name of a company can make bogus charges, and the company or bank will notice during the event, nothing special. Only afterwards may be seen that the money is transferred to the wrong account.
Making fraudulent payments requires access to the company’s internal network or an individual workstation: Payment client and the database server is unprotected, so that it is able to read and modify the internal network or workstation.
Finnish Communications Regulatory Authority and its Kyberturvallisuuskeskus have known about the vulnerability of the software for more than half a year, but have not brought the matter to the public. Also, the Financial Supervisory Authority known risk.
The decision was taken not to report, because of the risks posed by the proliferation of information was considered to be too large. Now, the information entered in the public authorities intend to publish a newsletter.
Aalto University School of Networking Technology Professor Jukka Manner acquainted with Helsingin Sanomat acquired data Basware’s three product security shortcomings.
“Document in light of the software is designed and implemented carelessly, causing the apparent large security risk. The connection is not protected, and access is possible to get fairly easily if you have the necessary computer skills. At worst, may have access to the corporate mission critical payment information and probably also the opportunity to make trumped-up charges and even hide the counterfeit payment information. ”
Sized enterprises payment is now largely automated, so they may not even detect bogus charges. Payment to show the software through the present review normal. Bank account balances may look something completely different than how much is actually accounts funds.
Sources:
http://www.tivi.fi/Kaikki_uutiset/2015-03-06/HS-Suomalaissofta-mahdollistaa-huijausmaksut—Toteutettu-huolimattomasti-3216887.html
http://www.hs.fi/paivanlehti/06032015/talous/Paha+tietoturva-aukko+altistaa+yritykset+valemaksuille+/a1425539014674
Tomi Engdahl says:
Mandarin Oriental coughs to credit card breach
Swanky hotel chain left with Michelin-starred egg on face
http://www.theregister.co.uk/2015/03/06/mandarin_oriental_breach_data_credit_card/
Upmarket hotel chain Mandarin Oriental has admitted to a credit card breach.
Investigative journalist Brian Krebs uncovered evidence of a breach before extracting an admission of the problem from the hotel group.
The root cause of the security spill – as well as the number of credit cards exposed – remain unclear, pending the results of a Mandarin Oriental investigation.
Krebs got wind of potential problems at the hotel chain as the result of a tip-off from a source in the financial services industry, who reported an emerging pattern of fraudulent charges on customer cards used to pay for stays at the hotels.
The compromise probably dates back to just before Christmas 2014 and involves stays at US hotels, according to Krebs. The investigative journalist raised the possibility that compromised payment terminals at restaurants and other businesses located inside of these hotels, rather than payment data extracted from hotel front desk systems, may be behind the breach.
Third-party security experts advised Mandarin to focus on keeping on top of the breach notification process in order to keep its wealthy clients on side.
Credit Card Breach at Mandarin Oriental
https://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/
“We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue,” the company said in an emailed statement.
The statement continues, indicating that some of the chain’s point-of-sale systems were infected with malware capable of stealing customer card data
Mandarin isn’t saying yet how many of the company’s two-dozen or so locations worldwide may be impacted, but banking industry sources say the breach almost certainly impacted most if not all Mandarin hotels in the United States
It should be interesting to see how much the stolen cards are worth, when and if and they go up for sale in the underground card markets. I’m betting these cards would fetch a pretty penny. This hotel chain is frequented by high rollers who likely have hi- or no-limit credit cards. According to the Forbes Travel Guide, the average price of a basic room in the New York City Mandarin hotel is $850 per night.
Tomi Engdahl says:
Terrorised Twitter advised against ISIS account shutdowns
Social network deals with virtual war fallout
http://www.theinquirer.net/inquirer/news/2397763/twitter-gets-terror-threats-from-islamic-state-calls-in-law-enforcement
MICRO-MESSAGING CAT CATALOGUE Twitter has confirmed that it is taking terror threats against the company and its people very seriously and acting to minimise the risks.
Online reports starting on Sunday suggested that Islamic State had made a number of threats against Twitter people, including co-founder Jack Dorsey who we might as well call Mr Twitter.
“ISIS. We will hunt you, take down your sites, accounts, emails, and expose you,” the group warned. “From now on, no safe place for you online … You will be treated like a virus, and we are the cure.”
The study, called The Isis Twitter Census (PDF), found that in a three month period at the end of last year there were some 46,000 ISIS related accounts in various states of activity.
“From September through December 2014, we estimate that at least 46,000 Twitter accounts were used by ISIS supporters, although not all of them were active at the same time,” it said.
The ISIS Twitter Census
http://www.brookings.edu/~/media/research/files/papers/2015/03/isis-twitter-census-berger-morgan/brookings-analysis-paper_jm-berger_final_web.pdf
Tomi Engdahl says:
Ben Grubb / Sydney Morning Herald:
Australian telco Telstra will offer customers similar access to their private phone metadata that law-enforcement has beginning April 1; prices start at AU$25
Telstra backflips on refusing customer access to metadata
http://www.smh.com.au/digital-life/consumer-security/telstra-backflips-on-refusing-customer-access-to-metadata-20150306-13wv1g.html
Telstra has become the first Australian telco to offer its subscribers similar access that law-enforcement and intelligence agencies have to their private phone metadata, backflipping on its previous position of refusing them access to it.
Starting April 1, Telstra will give their customers access to a limited set of their “metadata” for a fee — information about who they’ve called, the time, location and duration. It does not include the content of a communication, such as the detail of what you said or wrote in an email or SMS.
But the scheme won’t give customers access to information about another party to a communication with them, such as who called them (this information is collected though, and can be handed over to law-enforcement agencies).
Still, the move will provide customers with much more access than they otherwise would’ve had through Telstra’s MyAccount portal or through their monthly bills, with information including “the actual location of the cell tower an outgoing call was connected to when the call was made” being made available.
Tomi Engdahl says:
FREAK: Security Rollback Attack Against SSL
https://www.schneier.com/blog/archives/2015/03/freak_security_.html
From Ars Technica:
In recent days, a scan of more than 14 million websites that support the secure sockets layer or transport layer security protocols found that more than 36 percent of them were vulnerable to the decryption attacks. The exploit takes about seven hours to carry out and costs as little as $100 per site.
This is a general class of attack I call “security rollback” attacks. Basically, the attacker forces the system users to revert to a less secure version of their protocol. Think about the last time you used your credit card. The verification procedure involved the retailer’s computer connecting with the credit card company. What if you snuck around to the back of the building and severed the retailer’s phone lines? Most likely, the retailer would have still accepted your card, but defaulted to making a manual impression of it and maybe looking at your signature. The result: you’ll have a much easier time using a stolen card.
Fixes are coming. Companies like Apple are quickly rolling out patches. But the vulnerability has been around for over a decade, and almost has certainly used by national intelligence agancies and criminals alike.
This is the generic problem with government-mandated back doors, key-escrow, “golden keys,” or whatever you want to call them. We don’t know how to design a third-party access system that checks for morality; once we build in such access, we then have to ensure that only the good guys can do it. And we can’t. Or, to quote The Economist: “…mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it.”
Tomi Engdahl says:
How the NSA Threatens National Security
https://www.schneier.com/essays/archives/2014/01/how_the_nsa_threaten.html
Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President’s Review Group has just released its report and recommendations.
With all this going on, it’s easy to become inured to the breadth and depth of the NSA’s activities. But through the disclosures, we’ve learned an enormous amount about the agency’s capabilities, how it is failing to protect us, and what we need to do to regain security in the Information Age.
First and foremost, the surveillance state is robust. It is robust politically, legally, and technically.
Second, the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like “collect,” “incidentally,” “target,” and “directed.”
Third, U.S. government surveillance is not just about the NSA.
The NSA’s collect-everything mentality is largely a hold-over from the Cold War, when a voyeuristic interest in the Soviet Union was the norm. Still, it is unclear how effective targeted surveillance against “enemy” countries really is.
Ubiquitous surveillance should have died with the fall of Communism, but it got a new—and even more dangerous—life with the intelligence community’s post-9/11 “never again” terrorism mission.
Not only is ubiquitous surveillance ineffective, it is extraordinarily costly. I don’t mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens. I’m also talking about the cost to our society. It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as U.S. computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.
And finally, these systems are susceptible to abuse. This is not just a hypothetical problem. Recent history illustrates many episodes where this information was, or would have been, abused: Hoover and his FBI spying, McCarthy, Martin Luther King Jr. and the civil rights movement, anti-war Vietnam protesters, and—more recently—the Occupy movement. Outside the U.S., there are even more extreme examples. Building the surveillance state makes it too easy for people and organizations to slip over the line into abuse.
It’s not just domestic abuse we have to worry about; it’s the rest of the world, too. The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others.
Fixing this problem is going to be hard.
Securing the Internet requires both laws and technology. It requires Internet technology that secures data wherever it is and however it travels. It requires broad laws that put security ahead of both domestic and international surveillance. It requires additional technology to enforce those laws, and a worldwide enforcement regime to deal with bad actors.
Tomi Engdahl says:
Yet Another Cleaner, Yet Another Stealer
https://blog.malwarebytes.org/fraud-scam/2015/03/yet-another-cleaner-yet-another-stealer/
Recently, we discovered that a relatively popular “anti-malware” product known as “Yet Another Cleaner” or YAC for short, has been claiming to be an affiliate of Malwarebytes in addition to using a lot of our detection names as their own. We looked deeper into their operation and found some pretty amazing and ugly things.
YAC itself is a fairly sleek-looking program and very quick as well. It seems to have the ability to protect users from malicious web sites, cleanup junk files on their system, uninstall applications and even to block advertisements!
To be clear, Malwarebytes is in no way affiliated with Elex. Do you think Kaspersky, BitDefender, Avast, PCTools, iS3, Enigma Software, SUPERAntiSpyware and SurfRight are also affiliates?
To give these guys the benefit of the doubt, we will look deeper by creating a completely new fake malware detection. We built a custom program that does nothing more than show a message box.
Using their latest definition database update, we ran a scan against our fake message box malware to discover that not only do they detect our fake malware but also use the same, unprofessional and misspelled detection name.
Alright, so it looks like Yet Another Cleaner is straight up stealing our detection database and modifying it for their own means.
Tomi Engdahl says:
Risto Siilasmaa believes on cyber security growth
Finnish private equity Inventure has invested in Swedish cyber security company Detectify.
The company was founded because of the mobile devices and applications, penetration has opened up new opportunities for hackers. Detectify offers a SaaS-model Web Sites “security scanning”.
“Banks and financial institutions have struggled with security for many years. Safety testing is becoming more common, and it shows that Detectify services are in demand,”
Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-07/Risto-Siilasmaa-uskoo-kyberturvan-kasvuun-3216950.html
Tomi Engdahl says:
Large Trojans attack on the County Council – hundreds of employees sent home in Sweden
Hundreds of employees have had to leave their computers and stay home from work after a hostage programs crippled parts of the healthcare administrator in Stockholm County Council.
It is the administrative management of health care in Stockholm County Council affected by a data breach.
- Two servers that are located on Södermalm in Stockholm has received a malware, says Anders Nyström, director of strategic IT.
It involves some kind of trojan, probably so called ransomware that locks the files on the servers.
Malware was obviously new type because it got systems unnoticed.
Tightening programs take files on your computer hostage by encrypting them and by providing decryption ransom fee. IT Strategy Officer Anders Nyström commented IDG persons, that the administration has no intention to pay the ransom demanded by the program.
- Since they want to be paid to leave from the encryption key. Our firm stance is that we do not care if it’s much or little money, we do not pay, says Anders Nyström.
As a result of government employees have been collected hundreds of these laptops for security checks, and the workers were sent home. We go through one by one.
Sources:
http://www.digitoday.fi/tietoturva/2015/03/06/idg-kiristysohjelma-iski-tukholmaan–satoja-tyontekijoita-lahetettiin-kotiin/20152924/66?rss=6
http://www.idg.se/2.1085/1.614057/stor-trojanattack-mot-landstinget–hundratals-anstallda-hemskickade
Tomi Engdahl says:
“Smart” keyboard knows who’s typing
http://www.edn.com/electronics-blogs/tech-edge/4438776/-Smart–keyboard-knows-who-s-typing?_mc=NL_EDN_EDT_EDN_funfriday_20150306&cid=NL_EDN_EDT_EDN_funfriday_20150306&elq=963fb01827ae44c4aae8dfe52bf20f28&elqCampaignId=21956&elqaid=24650&elqat=1&elqTrackId=7c1d51872a714c6691e32b6be18e6d40
Tomi Engdahl says:
UK Parliament: Banning Tor Is Unacceptable and Technologically Impossible
http://it.slashdot.org/story/15/03/10/0350232/uk-parliament-banning-tor-is-unacceptable-and-technologically-impossible
Months after UK prime minister David Cameron sought to ban strong encryption, a new parliamentary briefing contradicts that, at least when it comes to Tor. The briefing says, “there is widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the UK. Even if it were, there would be technical challenges.”
U.K. Parliament says banning Tor is unacceptable and impossible
http://www.dailydot.com/politics/uk-briefing-tor-child-abuse-minor-role/
Just months after U.K. Prime Minister David Cameron said he wants to ban encryption and online anonymity, the country’s parliament today released a briefing saying that the such an act is neither acceptable nor technically feasible.
The briefing, issued by the Parliamentary Office of Science and Technology, specifically referenced the Tor anonymity network and its notorious ability to slide right around such censorship schemes.
It’s important to note that briefings from the Parliamentary Office of Science and Technology are not legally binding nor are they necessarily indicative of parliament’s attitudes as a whole. However, the office is an important part of parliament and serves to give independent analysis of public policy issues for politicians. Crucially, this briefing does explicitly state that there is “widespread agreement” banning Tor is not acceptable policy nor is it feasible technologically.
Tor has about 100,000 users at any given moment within the United Kingdom.
“There is widespread agreement that banning online anonymity systems altogether is not seen as an acceptable policy option in the U.K.,” the briefing explained. “Even if it were, there would be technical challenges.”
The briefing cites Tor’s ongoing battle with Chinese censorship and describes “secret entrance nodes to the Tor Network, called ‘bridges’, which are very difficult to block.”
In 2012, U.K. police said the Tor anonymity service was used by “many” pedophiles in order to trade child abuse images. In the same parliamentary briefing, those police have changed their tunes significantly.
Tor “plays only a minor role in the online viewing and distribution of indecent images of children,” according to the briefing, quoting Britain’s Parliament by the Child Exploitation and Online Protection Command (CEOP) of the U.K. National Crime Agency.
Tomi Engdahl says:
Scotland Yard Chief: Put CCTV In Every Home To Help Solve Crimes
http://news.slashdot.org/story/15/03/09/1910202/scotland-yard-chief-put-cctv-in-every-home-to-help-solve-crimes
Homeowners should consider fitting CCTV to trap burglars, the country’s most senior police officer declared yesterday. Sir Bernard Hogan-Howe said police forces needed more crime scene footage to match against their 12 million images of suspects and offenders.
Police chief: ‘Put CCTV in every home’
http://www.telegraph.co.uk/news/uknews/crime/11458153/Police-chief-Put-CCTV-in-every-home.html
Metropolitan Police Commissioner Bernard Hogan Howe says CCTV cameras should be installed by homeowners and businesses to help detectives solve crimes
CCTV cameras should be installed by homeowners and businesses to help detectives solve crimes in the age of austerity, Britain’s most senior policeman has said.
Commissioner Bernard Hogan Howe also said that homeowners must make efforts to install equipment properly to avoid undermining inquiries.
When the Metropolitan Police Commissioner was asked if business and home owners needed to make greater use of CCTV cameras he said yes, adding: “We’ve got a strategy to encourage people, with their cameras, is to move them down to eye level.”
But the Commissioner warned those buying such devices to be sure to position them correctly.
He said: “Over the last year as facial recognition software has got better we can apply the software to the images of burglaries or robberies and we can compare those images with the images we take when we arrest people.”
“What we need to be able to do is to be able to compare that photograph with the images we have of people committing a crime.
“As importantly, you get a whole shot of what happened at the event: What did they steal? Did they use a knife? You get all that. But more relevant today is a face. That’s what we need.
Put CCTV in EVERY home: Householders should help us trap burglars, says Scotland Yard chief
Bernard Hogan Howe said people installed their CCTV cameras too high
This meant only the tops of the criminals’ heads were caught on film
Families should install their own cameras to help catch burglars, he said
The Met chief said Britain needed more cameras to help fight crime
Read more: http://www.dailymail.co.uk/news/article-2985202/Scotland-Yard-chief-Hogan-Howe-calls-DIY-surveillance-help-police.html#ixzz3TyDINwMV
Tomi Engdahl says:
Yes our NAS boxen have a 0day, says Seagate: we’ll fix it in May
Just don’t run it anywhere near the internet, m’kay?
http://www.theregister.co.uk/2015/03/10/seagate_that_remote_0day_aint_so_bad_well_patch_it_in_two_months/
Owners of some Seagate NAS boxen will be exposed to a remote execution zero day flaw until a patch drops in May unless they kill some external services.
The company learned of flaw in its Business Storage 2-bay NAS products on 18 October, 2014. Australian Beyond Binary hacker OJ Reeves alleged the company failed to fix the flaw or establish a reliable bug disclosure process.
“At the time of writing, Shodan reports that there are over 2500 publicly exposed devices on the internet that are likely to be vulnerable,” Reeves wrote of the flaws.
Seagate has since told media it considers the vulnerability “low risk” as it affects Business Storage NAS products used on publicly-accessible networks.
As Vulture South reported versions up to 2014.00319 of the software powering the boxen contain remotely-exploitable versions of PHP (CVE-2006-7243), CodeIgniter and Lighttpd, which permit file path specification attacks and root exploitation
Tomi Engdahl says:
Air gaps: Happy gas for infosec or a noble but inert idea?
Spooks and boffins jump ‘em, but real-world headwinds remain strong
http://www.theregister.co.uk/2015/02/11/air_gap_feature/
Feature Last year Michael Sikorski of FireEye was sent a very unusual piece of malware.
The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski’s colleagues from an unnamed company plucked the malware and sent it off to FireEye’s FLARE team for analysis.
“This malware got its remote commands from removable devices,” Sikorski said. “It actually searched for a specific formatted and hidden file that was encrypted, and would then decrypt it to access a series of commands that told it what to do next.”
External network links are the lifeblood of most malware. This sample provided the means for malcode to be implanted on victim machines and served as the command and control link over which stolen data could be shipped off to attackers, allowing additional and further infections.
Tomi Engdahl says:
Attackers targeting Elasticsearch remote code execution hole
Devs ring patch alarm bells, drop shell code
http://www.theregister.co.uk/2015/03/10/elastic_search_vuln/
Attackers are targeting a patched remote code execution vulnerability in Elasticsearch that grants unauthenticated bad guys access through a buggy API.
The flaw (CVE-2015-1427) within the world’s number two enterprise search engine was patched last month.
It relates, for folks at Mitre say, to the Groovy scripting engine in Elasticsearch before versions 1.3.8 and 1.4.3 in which sandbox protections could be bypassed, allowing the execution of arbitrary shell commands with a crafted script.
The fixes disable Groovy sandboxing and dynamic script execution which ElasticSearch developer Clinton Gormley says is a “blow” to Elasticsearch.
“This vulnerability was not heavily advertised, but it is absolutely critical,” Wright says.
“In fact, I had one of my own Elasticsearch instances compromised this way, showing this vulnerability is heavily being exploited in the wild.
“I won’t provide a full proof-of-concept, but all the pieces are here … it is pretty straightforward to run whatever commands you want.”
Tomi Engdahl says:
US air traffic control ‘vulnerable to hackers’ says watchdog
‘Weaknesses preventing and detecting unauthorised access to computers’
http://www.theregister.co.uk/2015/03/09/air_traffic_cyber_security/
US air traffic control systems are potentially vulnerable to hackers, according to an audit by the American government.
The limited-distribution report sees auditors makes 17 general recommendations, along with suggestions for 168 specific actions to harden air traffic control systems. The document also warns that unless “remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk.”
Tomi Engdahl says:
OpenSSL audit kicks off for post-Heartbleed strengthening program
We can rebuild him. We have the technology. We can make him better…stronger…faster
http://www.theregister.co.uk/2015/03/10/openssl_audit/
A major audit of the ubiquitous OpenSSL web security protocol is set to commence under a US$1.2 million industry commitment to harden open source technologies.
OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its popularity and lack of in-depth security review.
“OpenSSL has been reviewed and improved by the academic community, commercial static analyser companies, validation organisations, and individual review over the years but this audit may be the largest effort to review it, and is definitely the most public,” says security outfit Cryptography Services in post announcing their involvement in the audit.
“Serious flaws in OpenSSL cause the whole Internet to upgrade, and in the case of flaws like Heartbleed and EarlyCCS, upgrade in a rush.
“We know that with what may be the highest profile audit conducted on an open source piece of software, the internet is watching.”
The audit organised by the Open Crypto Audit Project will first focus on TLS stacks examining protocol flow, state transitions, high-profile cryptographic algorithms, and memory management, the company says.
It will cover a sufficient amount of the codebase to be a “useful component” in the wider effort to secure OpenSSL.
First results of the audit are expected around July. The audit begins on the back of OpenSSL code reviews completed last month launched engineer Matt Caswell says on the realisation that coding was “very unusual”, “inconsistently applied” and not formally defined.
Tomi Engdahl says:
We have no self-control: America’s most powerful men explain why they’re scared of email
Hillary Clinton email-gate gives Senators Luddite, Graham and McCain enough rope
http://www.theregister.co.uk/2015/03/09/we_have_no_selfcontrol_us_most_powerful_men_explain_why_theyre_scared_of_email/
Two of the most powerful men in the United States have revealed they don’t use email – because they’re scared of what they might say.
“I don’t email. You can have every email I’ve ever sent. I’ve never sent one,” Senator Lindsey Graham told NBC’s Meet the Press yesterday. Graham’s statement follows a similar admission by Senator John McCain late last week who confirmed he also doesn’t email, telling MSNBC: “I’d rather use the phone, I’d rather use tweets.”
Even more bizarre is the reason both Senators give for not using email: they lack the necessary self-control not to say something stupid.
Graham told a confused Bloomberg News: “I’ve tried not to have a system where I can just say the first dumb thing that comes to my mind. I’ve always been concerned. I can get texts, and I call you back, if I want.”
McCain meanwhile said this: “I’m afraid that if I was emailing, given my solid, always calm temperament that I might email something that I might regret. You could send out an email that you would regret later on and would be maybe taken out of context.”
But while the original Luddites took to smashing up the machinery of the 19th century, Graham and McCain are happy to do something much more dangerous: allow internet technologies to be abused by the government agencies they are supposed to be overseeing.
The solution to vast intrusions into privacy, in the senior lawmakers’ eyes, is seemingly not to protect citizens from those carrying out surveillance but to simply opt out of using technology altogether.
And that is far more disturbing that the use of personal email by a former secretary of state.
Tomi Engdahl says:
The Intercept:
New Snowden leaks show a multi-year CIA effort to break the security of Apple’s iPhone and iPads
iSpy
The CIA Campaign to Steal Apple’s Secrets
https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/
RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.
The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.
By targeting essential security keys used to encrypt data stored on Apple’s devices, the researchers have sought to thwart the company’s attempts to provide mobile security to hundreds of millions of Apple customers across the globe. Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.
The CIA declined to comment for this story.
Tomi Engdahl says:
Wikimedia blog:
Wikimedia v. NSA: Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance
http://blog.wikimedia.org/2015/03/10/wikimedia-v-nsa/
Tomi Engdahl says:
Susannah Nesmith / Columbia Journalism Review:
With more police wearing cameras, fight over privacy vs. public records law begins in Florida; who gets access and at what cost
http://www.cjr.org/united_states_project/florida_police_body_cameras.php
Tomi Engdahl says:
Patrick Howell O’Neill / The Daily Dot:
Tor developers discuss setting a goal of 50% non-US government funding by 2016, plan crowdfunding campaign in May
http://www.dailydot.com/politics/tor-funding-us-government/
Tomi Engdahl says:
PayPal to pay $60m for Israeli security startup CyActive
http://www.zdnet.com/article/paypal-to-pay-60m-for-israeli-security-startup-cyactive/
Summary:CyActive’s predictive cyber-defense system is the US firm’s second acquisition in Israel.
Tomi Engdahl says:
Adi Robertson / The Verge:
Automattic awarded $25K from Straight Pride UK for sending bogus DMCA takedown notices
WordPress wins against ‘straight pride’ group in copyright censorship case
http://www.theverge.com/2015/3/9/8175491/wordpress-automattic-wins-dmca-takedown-straight-pride-uk-case
Automattic, the company behind blogging site WordPress.com, has won a symbolic but important victory against censorship under the guise of copyright enforcement. Last week, a California court ordered defunct political group Straight Pride UK to pay around $25,000 for telling WordPress.com to take down an interview with a student journalist, falsely claiming to hold a copyright on the material. While the group has apparently all but disappeared, it’s a strike against an unfortunately common tactic: abusing automated takedown systems in order to make bad press go away.
Because of the volume of posted material and takedown requests, most major platforms (like WordPress, YouTube, or Google Search) use either automated systems or ones with minimal oversight. This makes DMCA notices a tempting way to suppress criticism or unflattering details — it’s particularly identified with the Church of Scientology, which is thought to have sent thousands of takedown notices for YouTube videos and accounts. Users can challenge takedowns and have content reinstated or go to court, but Hotham wrote that he didn’t have the time or money to deal with a potential legal fight.
Automattic, though, says it’s a signal that there are real legal consequences for taking advantage of the copyright enforcement system. “It’s important here that the court held that we could recover attorneys’ fees and costs of suit, which were by far the biggest piece of damages,” said general counsel Paul Sieminski in a statement. “This case also sets the precedent that Automattic will stand up for our users, and fight back against DMCA abuse. Hopefully that, along with the rule that victims can collect damages (especially costly attorney’s fees) may cause future DMCA abusers to think twice before they pull the same stunt.”
Tomi Engdahl says:
Stick a PUF to Your Board
A foil hat for your PCB?
http://www.eetimes.com/document.asp?doc_id=1325947&
PARIS — The Fraunhofer Institute for Applied and Integrated Security (AISEC) is developing a very versatile and flexible form of Physically Unclonable Function (PUF), one that can wrap an entire circuit board to secure it from physical attacks.
The foil-based solution consists of patterned metal electrodes embedded into a polymer film with a self-adhesive backing. The electrodes are connected to the board to be protected and special read-out software IP running on the board’s controller can extract the PUF from the film as is has been wrapped around or stuck to the board.
Try to remove the PUF sticker, pinch it to probe through it, scratch it or unseal it and the PUF will be altered. By detecting that change, the circuit board will be able to take any counter-measure it will have been programmed for, for example sending an alert message and disabling itself at run-time, or wiping out all of its embedded software.
Showing a demo at Embedded World, Fraunhofer AISEC’s head researcher on the so-called PEP project (Protecting Electronic Products, maybe with a pun intended on Polyethylene Plastics), Sven Plaga didn’t want to say too much about the internals of the film.
Tomi Engdahl says:
Exploiting the DRAM Rowhammer Bug To Gain Kernel Privileges
http://it.slashdot.org/story/15/03/10/0021231/exploiting-the-dram-rowhammer-bug-to-gain-kernel-privileges
‘Rowhammer’ is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process
Project Zero
Exploiting the DRAM rowhammer bug to gain kernel privileges
http://googleprojectzero.blogspot.fi/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
Overview
“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
We don’t know for sure how many machines are vulnerable to this attack, or how many existing vulnerable machines are fixable. Our exploit uses the x86 CLFLUSH instruction to generate many accesses to the underlying DRAM, but other techniques might work on non-x86 systems too.
We expect our PTE-based exploit could be made to work on other operating systems; it is not inherently Linux-specific. Causing bit flips in PTEs is just one avenue of exploitation; other avenues for exploiting bit flips can be practical too. Our other exploit demonstrates this by escaping from the Native Client sandbox.
This works because DRAM cells have been getting smaller and closer together. As DRAM manufacturing scales down chip features to smaller physical dimensions, to fit more memory capacity onto a chip, it has become harder to prevent DRAM cells from interacting electrically with each other. As a result, accessing one location in memory can disturb neighbouring locations, causing charge to leak into or out of neighbouring cells. With enough accesses, this can change a cell’s value from 1 to 0 or vice versa.
Exploiting rowhammer bit flips
Yoongu Kim et al say that “With some engineering effort, we believe we can develop Code 1a into a disturbance attack that … hijacks control of the system”, but say that they leave this research task for the future. We took on this task!
We found various machines that exhibit bit flips (see the experimental results below). Having done that, we wrote two exploits:
The first runs as a Native Client (NaCl) program and escalates privilege to escape from NaCl’s x86-64 sandbox, acquiring the ability to call the host OS’s syscalls directly. We have mitigated this by changing NaCl to disallow the CLFLUSH instruction. (I picked NaCl as the first exploit target because I work on NaCl and have written proof-of-concept NaCl sandbox escapes before.)
The second runs as a normal x86-64 process on Linux and escalates privilege to gain access to all of physical memory. This is harder to mitigate on existing machines.
Tomi Engdahl says:
Kali Linux On a Raspberry Pi (A/B+/2) With LUKS Disk Encryption
http://linux.slashdot.org/story/15/03/09/1850235/kali-linux-on-a-raspberry-pi-ab2-with-luks-disk-encryption
https://www.offensive-security.com/kali-linux/raspberry-pi-luks-disk-encryption/
Tomi Engdahl says:
Point-of-Sale Vendor NEXTEP Probes Breach
http://krebsonsecurity.com/2015/03/point-of-sale-vendor-nextep-probes-breach/
NEXTEP Systems, a Troy, Mich.-based vendor of point-of-sale solutions for restaurants, corporate cafeterias, casinos, airports and other food service venues, was recently notified by law enforcement that some of its customer locations have been compromised in a potentially wide-ranging credit card breach, KrebsOnSecurity has learned.
The acknowledgement came in response to reports by sources in the financial industry who spotted a pattern of fraud on credit cards all recently used at one of NEXTEP’S biggest customers: Zoup
“NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised,”
A breach at a point-of-sale vendor can impact a large number of organizations, and historically the chief victims of POS vendor breaches have been food service establishments. Last year, a pattern of credit card fraud at hundreds of Jimmy Johns sandwich shops across the country was traced back to security weaknesses that fraudsters were exploiting in point-of-sale systems produced by POS vendor Signature Systems Inc. Signature later disclosed that the breach also impacted at least 100 other independent restaurants that use its products.
It seems quite likely that we’ll hear about additional breaches at POS vendors in the weeks ahead. KrebsOnSecurity is currently in the process of tracking down the common thread behind what appear to be breached POS vendors tied to three different major cities around the country.
Tomi Engdahl says:
Why you can’t trust password strength meters
http://www.it-wire.nu/members/sop98/attachments/Password-Article.pdf
Passwords are a weak link in the computer security chain because they rely on us being good at something we find extremely difficult.
And while we aren’t getting any better at choosing strong passwords, password cracking hardware and software continues to improve relentlessly.
Website owners can employ a range of measures to help users choose better, stronger passwords and one of the most popular techniques is to include a password strength meter.
The meters are designed to help users understand if their password choices will resist attempts to crack them. The trouble is, they don’t quite do that.
Simple password meters check the length and entropy of the password and have checklists for the kinds of things that users are advised to include in their passwords; mixtures of upper and lower case letters, numbers and special characters, for example. That helps determine a password’s ability to withstand a brute force attack (an attacker making guesses at random), but being resistant to brute force attacks is only useful if that’s what an attacker is going to do, and it probably isn’t.
I downloaded a list of the 10,000 most common passwords and quickly chose five that had characteristics I thought password strength meters might overrate:
abc123 ‐ number 14 on the list, first to mix letters and numbers
trustno1 ‐ number 29, second to mix letters and numbers
ncc1701 ‐ number 158, registration number of the USS Enterprise
iloveyou! ‐ number 8778, first with non‐alphanumeric character
primetime21 ‐ number 8280, longest with letters and numbers
Be in no doubt, these passwords are dreadful and offer no useful protection
I measured how long it takes to crack them using a password cracking program, John the Ripper, with an out‐of‐the‐box configuration running on a normal, two‐year‐old laptop.
They were all cracked instantly, before the first second was up
A password strength meter that doesn’t reject all five out of hand is not up to the job of measuring password strength. They all failed.
Tomi Engdahl says:
Unlock a Smartphone With Your Eyes, Thanks to Fujitsu’s Iris Recognition Tech
http://techfrag.com/2015/03/09/unlock-smartphone-eyes-thanks-fujitsus-iris-recognition-tech/
Just when we were getting accustomed to fingerprint ID’s to unlock our devices, a new and even better technology has emerged. Get this, users will be able to unlock smartphones with their eyes.
Fujitsu has developed a new Iris Recognition technology that’ll make this happen. So is time to say good bye to Touch ID? We’ll have to wait and see how well Iris Recognition is implemented by the company.
The new technology was shown during the recently held Mobile World Conference in Barcelona. Fujitsu is set to introduce this tech in one of its current range of smartphones and plans to fully commercialize it by the end of 2015.
Fujitsu’s new biometric identification technology uses infrared camera and LED to scan one or both of your eyes. The technology can be used to unlock smartphones, tablets or just an app if it contains personal information.
Iris pattern is unique like a fingerprint and can provide a higher-level of security.
Sensitive company data, bank lockers, safes can benefit from this method of security too.
You will have to hold the phone up, about 20cm away from your eyes for 8-10 seconds. Too long? Don’t worry as it is just a one-time process, once your iris pattern is registered with the device, it will take just a second to unlock.