Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013: the Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 will look easy compared to 2015. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has been published yet, so I would expect some new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, together with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for it are available. A cyber-murder could happen without us even knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats these new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that combines defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital assets. The more of a control you can automate, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, governments and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority, backed by big names on the internet including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean that a warning pops up when people visit a site that uses only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all problems. The increased use of HTTPS has made life harder for IT departments, because normal firewalls can’t look inside encrypted HTTPS packets and so can’t block potential threats carried within them. Some special corporate firewall arrangements can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack, decrypting and re-encrypting the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
The Drug Cartels’ IT Guy
http://motherboard.vice.com/read/radio-silence?trk_source=popular
People vanish, and the vast majority of cases aren’t solved for years, if they’re ever closed at all.
What happened to Felipe Peréz? One theory suggests he was abducted by a sophisticated organized crime syndicate, and then forced into a hacker brigade that builds and services the cartel’s hidden, backcountry communications infrastructure. They’re the Geek Squads to some of the biggest mafia-style organizations in the world.
That’s how Tanya sees it, at least. She looks at the rash of kidnapping cases across Mexico, many of which have taken place in Tamaulipas, targeted specifically at architects, engineers, and other information technology types, and can’t help but think Felipe was one of them. Nearly 40 information technology specialists have disappeared in Mexico since 2008, allegedly nabbed by one of the two dominant gangs in the region, the Cartel del Golfo or Los Zetas.
Both of these cartels make money on diverse portfolios that include drug running, oil theft, extortion, and human trafficking. But we’re talking about decentralized profits on the global black market, so it’s difficult to put even ballpark figures on how many people are employed by these cartels or their yearly earnings. The general consensus is in the billions of dollars annually, and direct expanded networks that each employ in the mid tens of thousands of employees. To keep the wheels turning on such vast scales, the Golfo and Zetas use their own encrypted radio networks to communicate without authorities listening in. Those networks also intercept chatter from cops, the military, and other security forces. And the cartels need experts to build them.
“It’s known that these kind of people get kidnapped,”
“I think they’re keeping him alive because he’s useful”
Why build sprawling, difficult-to-maintain hidden radio networks? The same reason cartels do anything: profits. For the cartels, better communication means more money, said Tristan Reed, a Mexican security analyst with the global intelligence firm Stratfor. Running a profitable crime syndicate is “a business of who you know,” Reed told me. “And being a business of who you know means communication needs to be flawless.”
“You need to be able to communicate in an environment where you’re constantly having rivals trying to kill you, and law enforcement and military officials trying to arrest you,”
It’s not just radio networks, of course. Those are “just one of many ways they’re going to communicate with one another, and it can get very technical, whether it’s satellite phones, cell phones, email, or social media,”
And to build and service these networks, the cartels need engineers.
“I would suggest that enslaving hacker squads would get you in major trouble as a cartel since these innovative, smart individuals would turn the tables on you the first chance they got”
Tomi Engdahl says:
Greg Roumeliotis / Reuters:
Bain Capital to buy network security firm Blue Coat, valuing it at about $2.4B including debt
http://www.reuters.com/article/2015/03/10/us-bluecoat-m-a-bain-idUSKBN0M615V20150310
Tomi Engdahl says:
David Post / Washington Post:
The MPAA and the RIAA pressure ICANN to police the world’s domains for copyright infringement, a practice which would threaten the freedom of the Internet
http://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/03/09/icann-copyright-infringement-and-the-public-interest/
Tomi Engdahl says:
Michael Mimoso / Threatpost:
Microsoft Patches Old Stuxnet Bug, FREAK Vulnerability
https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565
Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old patch for a vulnerability exploited by Stuxnet was incomplete and machines have been exposed since 2010, but today is also Patch Tuesday and the updated Stuxnet patch is one of 14 bulletins released by Microsoft.
Five of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed FREAK attack.
The highest profile bulletin, however, is MS15-020 which resolves some issues left behind by the original Stuxnet patch, CVE-2010-2568, released in August 2010. The bulletin covers two remote code execution vulnerabilities, one addressing how Windows handles loading of DLL files, and the other patches how Windows Text Services improperly handles objects in memory.
The DLL planting vulnerability was used by Stuxnet to attack the Iranian nuclear program in 2009. If a user viewed a folder or directory storing a malicious .LNK file, the exploit would allow the attacker to run code of their choice remotely.
Tomi Engdahl says:
David Gilbert / International Business Times:
Anonymous launches boycott of Daily Dot after it published a review by a hacker who worked with FBI
Anonymous launches Destroy Daily Dot campaign over Sabu reporting role
http://www.ibtimes.co.uk/anonymous-launches-destroy-daily-dot-campaign-over-sabu-reporting-role-1491340
The online hacktivist group Anonymous has announced a plan to destroy the Daily Dot website as a result of its work with FBI snitch Hector “Sabu” Monsegur.
Anonymous has launched Operation Destroy Daily Dot (#OpDDD) after the online newspaper published the latest piece written by Monsegur. The piece was a review of CSI:Cyber which is the latest instalment of the CSI TV series that revolves around the police working with hackers – something Monsegur is almost uniquely positioned to comment on.
Monsegur is a former prominent member of Anonymous, leading the infamous LulzSec offshoot before being caught by the FBI and turning informant, helping to identify his fellow Anonymous members and leading to the arrest and imprisonment of many of them.
Monsegur walked free from a New York courtroom in May 2014 despite pleading guilty to taking part in cyber-attacks on the likes of Sony, Nintendo, Visa and Mastercard. This was down to what the court called Monsegur’s “extraordinarily valuable and productive” cooperation.
While it seems that Anonymous won’t be using its traditional tactic of DDoS attacks to take the Daily Dot website offline, it is encouraging its followers and fellow activists to boycott the companies who advertise on the Daily Dot.
Tomi Engdahl says:
Wikimedia blog:
Wikimedia v. NSA: Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance
http://blog.wikimedia.org/2015/03/10/wikimedia-v-nsa/
Tomi Engdahl says:
Hillary Clinton Says Her Email Was Secure; She Can’t Know
http://www.wired.com/2015/03/hillary-clinton-says-email-secure-cant-know/
Hillary Clinton set up her own private email server because she didn’t want to lug around two mobile phones. We learnt that Tuesday as she addressed the continuing controversy over her use of a ’90s style home email server when she was Secretary of State in the first Obama administration.
“I saw it as a matter of convenience,” she said during the 20-minute press conference. She couldn’t do personal email on her government-issued phone, so instead she set up her own server
Email she sent from this server to state department officials at their .gov addresses would be saved on the government servers.
We’ve already pointed out that this choice was a major security fail, but you can see how Clinton would have gone for it. After all, vice presidential candidate Sarah Palin had just had her Yahoo Mail hacked, thanks to a weakness in Yahoo’s password reset protocol. And that incident was surely fresh in Clinton’s mind when she decided to retain total control of her email system.
On Tuesday, she said that was the right thing to do. “The system… had numerous safeguards,” she said. “It was on property guarded by the Secret Service and there were no security breaches. So I think that the use of that server… certainly proved to be effective and secure.”
A nice thought, but one that Clinton didn’t back up today. The internet protocols we use to zap email about the globe were largely written during the early freewheeling days of the net, and they’re still vulnerable to a wide range of attacks. Emails can be spoofed; they can be read in transit; and servers can be hacked. “Email is one of the least secure services you can run,” says Jonathan Zdziarski, a forensic scientist with viaForensics. “[Clinton’s] people might be very good, but no one who really is at the top of their game is going to try to make the claim that they can catch 100 percent of the attacks.”
And Clinton’s job as Secretary of State would have made her “a target of some the most well-funded adversaries,”
Tomi Engdahl says:
Ad bidding network caught slinging ransomware
Advertisers cry ‘f**k AdBlock’
http://www.theregister.co.uk/2015/03/11/ad_bidding_network_caught_slinging_ransomware/
Attackers are using Flash exploits and foisting ransomware through real time advertising bidding networks, FireEye researchers say.
The attacks link to malicious or compromised advertising sites which participate in real time bidding systems in which ad inventory is sold to and by publishers.
More than 1700 malicious advertising requests have been detected that led to malicious .swf Flash files being downloaded over hundreds of unnamed sites.
“We believe this activity is part of an active malvertising operation,” FireEye Labs researchers say in an advisory.
“These ads can come from ad servers that are part of a legitimate ad network or rogue ad servers controlled by attackers.”
The attacks target a vulnerability (CVE-2014-0569) patched October last year affecting Adobe Flash and Air which was integrated quickly into exploit kits including the popular Angler.
Malvertising is a popular method for infecting web users. Last month some 1800 subdomains linked to GoDaddy accounts were found spreading the Angler exploit kit using a then Flash zero day exploit in a surreptitious malvertising campaign.
Tomi Engdahl says:
Malware uses Windows product IDs to mix mutex
Indicators of compromise dealt a blow
http://www.theregister.co.uk/2015/03/11/malware_mutex/
Malware writers are using Windows unique product numbers to generate mutex values to evade researchers, SANS security boffin Lenny Zeltser says.
Mutex values are used as an accurate reference to determine if multiple identical processes are running. Malware including the infamous BackOff credit card stealer has used mutex for the last few years, providing researchers with a means of determining system infection.
Now a new trojan called “TreasureHunter” has emerged and uses dynamic rather than static mutex values to prevent security bods using the numbers as indicators of compromise.
Zeltser says the use of Windows product IDs to generate the values is unique.
Tomi Engdahl says:
UK ISPs block Pirate Bay proxy sites
http://www.bbc.com/news/technology-31832137
UK internet service providers have begun blocking access to websites that provide a list of Pirate Bay alternatives, as part of the battle against online piracy.
Tomi Engdahl says:
Android SDK nonce flaw lets hackers fiddle with your Dropbox privates
Users of Microsoft Office Mobile, other apps should update
http://www.theregister.co.uk/2015/03/11/dropbox_sdk_flaw_left_microsoft_office_mobile_open_to_attack/
IBM’s security team has found an unsettling flaw that can leave the Dropbox accounts of mobile users wide open to snooping by attackers.
The researchers spotted some sloppy coding in Dropbox’s SDK Version 1.5.4 for Android. Applications that link to Dropbox accounts using the SDK may be vulnerable, owing to a flaw that can allow an attacker to bypass the normal authentication mechanism and gain full access.
Dropbox uses the OAuth protocol to link apps to its accounts. This involves creating a large, random number called a cryptographic nonce that’s used to authorize an app to get data from an account.
Vulnerable apps allow an attacker to steal this nonce and use it to get into the corresponding Dropbox account. At that point, the attacker can capture any new data the owner saves to the account.
Tomi Engdahl says:
Why Israel Could Be the Next Cybersecurity World Power
http://tech.slashdot.org/story/15/03/11/1246230/why-israel-could-be-the-next-cybersecurity-world-power
Why Israel could be the next cybersecurity world power
http://www.itworld.com/article/2894051/why-israel-could-be-the-next-cybersecurity-world-power.html
A well established university program, major industry partners, sponsored research projects and a venture capital partner give Beersheva the makings for becoming a major cybersecurity player
There are plenty of cities in the U.S. that want to lay claim to becoming the “next” Silicon Valley, but a dusty desert town in the south of Israel called Beersheva might actually have a shot at becoming something more modest, and more focused. They want to be the first place you think about when it comes to cybersecurity research, education, and innovation. If things go right there, it may well happen.
Israel is a hotbed of tech startups, a self-proclaimed Silicon Wadi. It is ranked near the top of several recent Bloomberg innovation metrics. Particularly when it comes to cybersecurity, you almost have as many firms as there are Starbucks in Seattle – seemingly they are everywhere. In fact, Inc. magazine lists nine different Israeli security startups to watch. And that is just the tip of the iceberg.
Until most recently, most of the tech firms have been located in the Tel Aviv suburbs, which is about an hour or so north of Beersheva and where most of the country’s population and businesses reside.
“A lot of cities in Israel have high tech business parks but we want to make Beersheva special. The basic building blocks are here and we need to play our cards right and take advantage of them.”
Perhaps the biggest future impact for Beersheva is something that the government is working on. There are two elite cybersecurity groups: the 8200 group that is the Israeli equivalent of the NSA that processes signals intelligence as part of the military and one for civilian purposes that is going to be called the National Cyber Bureau. The military group currently employs several thousand soldiers who are housed on a campus in central Israel. The plan is to move both of these units down south and to free up some valuable real estate that could be turned into housing in Israel’s crowded center.
Tomi Engdahl says:
Zack Whittaker / ZDNet:
WSJ: CIA helped develop phone scanning tech for aircraft and shared it with US Marshals Service
CIA secretly helped build phone scanning tech for US operations
http://www.zdnet.com/article/cia-secretly-built-phone-scanning-tech-for-domestic-spy-operations/
Summary: The new report furthers allegations that US law enforcement is increasingly relying on intelligence agencies for help, despite rules protecting domestic intelligence operations.
The US Central Intelligence Agency (CIA) is said to have played a “crucial role” in helping federal agents collect data from thousands of Americans’ cellphones.
A new report by the Wall Street Journal detailed how the intelligence agency and the US Marshals Service, an agency from the Justice Department, worked together to develop “dirtboxes,” a device that can vacuum up vast amounts of cellphone data by mimicking cell towers.
The newspaper reported last year on how the Justice Department flew low-flying light aircraft over US towns and cities in an effort to hunt suspected criminals. In the process, a significant number of Americans’ data was scooped up.
Tomi Engdahl says:
Dutch court suspends metadata surveillance law over privacy
http://tech.eu/news/dutch-court-suspends-data-retention-law/
A Dutch court has moved to scrap a national data retention law requiring telcos and ISPs to store customer metadata for police investigations because it would violate fundamental EU privacy rights.
Tomi Engdahl says:
Information regarding an issue with the signature file in Panda Cloud Office Protection and Retail 2015
http://www.pandasecurity.com/mediacenter/panda-security/information-regarding-issue-with-the-signature-file-pcop-retail-2015/
We inform you that we have had an incident with our signature file that might have affected our Panda Cloud Office Protection and Retail 2015 customers. This issue causes some files to be moved to the quarantine.
The signature file has already been replaced, so this situation should not recur. Nonetheless, we advise our customers not to restart their computers. At Panda Security we are working to restore the situation at the endpoint as soon as possible.
Tomi Engdahl says:
Hardware Bit-Flipping Attack
https://www.schneier.com/blog/archives/2015/03/hardware_bit-fl.html
The Project Zero team at Google has posted details of a new attack that targets a computer’s DRAM. It’s called Rowhammer.
Basically:
When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
The cause is simply the super dense packing of chips.
Very clever, and yet another example of the security interplay between hardware and software.
This kind of thing is hard to fix, although the Google team gives some mitigation techniques at the end of their analysis.
Comments:
This problem with bit flipping goes back at least as far as the mid 1980s and was often seen when people tried to use the “RAS & CAS” lines too quickly by having a shorter time delay line or too much extra going on. Even with contention logic, video generation and DMA with high speed IO but only short length buffers in memory were a real pain for this sort of thing.
“We also tested some desktop machines, but did not see any bit flips on those. That could be because they were all relatively high-end machines with ECC memory. The ECC could be hiding bit flips.”
Tomi Engdahl says:
Spoofing the Boss Turns Thieves a Tidy Profit
http://krebsonsecurity.com/2015/03/spoofing-the-boss-turns-thieves-a-tidy-profit/
Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials.
After Judy sent the wire instructions on to the finance department, something about the email stuck in her head: The message was far more formal-sounding than the tone of voice her boss normally used to express himself via email.
By the time she went back to review the missive and found she’d been scammed by an imposter, it was too late — the employee in charge of initiating wires at her company had already sent it on to the bank. Luckily, Judy’s employer’s bank hadn’t yet processed the wire, and they were able to claw back the funds.
Known variously as “CEO fraud,” and the “business email compromise,” this swindle is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.
The scam email that nearly cost Judy her job appeared to have come from her company’s chief financial officer, who she said is not usually in the office.
“Turns out the scammers set up the domain and email address that morning, the same day as the wire request,”
Tomi Engdahl says:
Apple Pay: Bridging Online and Big Box Fraud
http://krebsonsecurity.com/2015/03/apple-pay-bridging-online-and-big-box-fraud/
Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.
Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like Target, Home Depot and countless others over the past year. Dumps buyers encode the data onto new plastic, which they then use “in-store” at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $10-$30, but the payoff in stolen merchandise per card is often many times that amount.
When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs” — i.e., card data stolen from hacked online stores. CVV stands for “card verification code,” and refers to the three-digit code on the back of cards that’s required for most online transactions. Fraudsters buying CVVs get the credit card number, the expiration date, the card verification code, as well as the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less — typically around $1-$5 per stolen account.
Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs.
Sure, the banks could pressure Apple Pay to make their users take a picture of their credit cards with the iPhone and upload that data before signing up. That might work for a short while to deter fraud, at least until the people at underground document forgery sites like Scanlab see a new market for their services.
But in the end, most banks coming online with Apple Pay are still using customer call centers to validate new users, leveraging data that can be purchased very cheaply from underground identity theft sites. If any of you doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee.
“The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps,” Litan wrote. “Well maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.”
Tomi Engdahl says:
Microsoft Fixes Stuxnet Bug, Again
http://krebsonsecurity.com/2015/03/microsoft-fixes-stuxnet-bug-again/
Tomi Engdahl says:
Intel Security Launches New Critical Infrastructure Security Platform
http://www.securityweek.com/intel-security-launches-new-critical-infrastructure-security-platform
Intel Security (formerly McAfee) has announced a security platform designed to protect both new and legacy infrastructure within the electric power grid.
Dubbed Intel Security Critical Infrastructure Protection (CIP), the solution was developed in collaboration with the Department of Energy-funded Discovery Across Texas smart grid project including deployment at Texas Tech University, and is a joint project of Intel Security and Wind River.
Intel Security CIP works by separating the security management functions of the platform from the operational applications, allowing the operational layer to be secured, monitored and managed, the company explained.
According to Intel Security, the security platform can be applied with little or no changes to business processes or application software, and can be retrofitted onto many existing systems.
Features include protection such as device identity, malware protection, data protection and resiliency.
Intel believes the solution can be leveraged beyond the power grid and could be equally effective for departments of defense, oil and gas firms, medical applications, and other areas.
According to a study sponsored by Intel, “In the Dark: Crucial Industries Confront Cyberattacks,” of the 200 CIP executives surveyed globally, 32% had not adopted special security measures for smart grid controls. Yet 33% anticipated a major cybersecurity incident within 12 months.
“The risk of cyberattacks on critical infrastructure is no longer theoretical, but building security into the grid is challenging due to the amount of legacy infrastructure and the importance of availability of service,” Lorie Wigle, Vice President of Internet of Things Security Solutions for Intel Security, said in a statement. “Traditional security measures such as patching and rebooting are often inappropriate for the grid, so we set out to design something entirely different that could be non-invasive but simultaneously robust
Tomi Engdahl says:
Security Operations: Don’t Forget the Rest of the World
http://www.securityweek.com/security-operations-dont-forget-rest-world
As cliché as the saying is, it is quite true that we live in a global world. It’s not uncommon for a large enterprise to operate in 100 countries or more. Many of us routinely work together with and collaborate with people across several continents. As businesses have gone global, their respective security operations programs need to be global as well.
As obvious as this statement may sound, taking a security operations program global is something deeply challenging for many organizations. More often than not, information security efforts and resources tend to be concentrated more heavily around the organization’s home country and region. Theories abound as to why, but in practice, going global with security involves many intricate and complex details. I’d like to discuss a few points to consider when going global with security operations in this piece.
Whether a business grows organically, through investments, or via mergers and acquisitions (M&A), it can be difficult for the security team to keep up. One of the biggest challenges that comes along with business growth is maintaining proper visibility across the enterprise to support security operations.
People always play an important role in the security operations picture, but particularly in a global world. With people and assets spanning the globe, having the right people, not only within the security team, but also across the various different locales becomes extremely important.
Process is the glue that holds people and technology together within a security operations environment. Process helps to bring order to the chaos and maximize the efficiency of available resources, both human and machine.
Of course, without technology, people and process cannot function effectively. Going global as a business means going global with security technology as well. If there are information technology assets and/or sensitive data in a location, there needs to be security at that location as well.
As we know, people, process, and technology work together and flow directly into the security operations workflow. Globalization can introduce complexities into this workflow that can impede the maturity of a security program.
As with any business function, communication is an integral part of a successful security operations function. Good communication is difficult to achieve on a local or national scale, and on a global scale, it is extremely difficult.
Tomi Engdahl says:
Security, Know Thine Enemy
http://www.securityweek.com/security-know-thine-enemy
Security Professionals Must Know the Categories of Threats an Enterprise Faces and How to Respond to Each
Why the difference matters
The reason security organizations must know their adversaries — the real and not just the perceived — is that resources, capital and tools are finite and limited. In general more advanced adversaries require more advanced tools and technologies to address them, but this comes with a proportionally larger price tag. If an organization has a million dollars to spend on upgrading their defenses, and they spend $750,000 of that on advanced tools to catch APTs, they may run out of capital and implementation resources for the run-of-the-mill malware. But advanced security tools should be effective against less advanced attacks and attackers — right? While this is theoretically true, I think that when the focus is on the boogeyman, the less advanced threats tend to be left to someone else.
The reason you must know the difference is that security isn’t a game to secure everything, perfectly. Rather, it’s a game to provide the most adequate defenses against the most relevant threats in the most effective manner. Sometimes the answer is as scary as outsourcing management of your assets to a third party. And if/when they become compromised they are simply quickly rebuilt and placed back into service. Recovery counts for something. In fact, it counts for quite a lot.
As a security professional you must know the three categories of threats your organization faces, and how to respond to each — and how to expend your resources. This quite literally is the difference between being breached and quickly identifying and recovering and finding out about it six months later from a partner company. Know your business. Know your enemies. Act accordingly.
Tomi Engdahl says:
Japan Tourism Site Hit by Pro-IS Hackers
http://www.securityweek.com/japan-tourism-site-hit-pro-hackers
A Japanese tourism agency said Wednesday its website was hijacked by hackers who displayed a message purportedly from the Islamic State (IS) group.
The Nishinomiya Tourism Association, near the major city of Osaka, said its home page started displaying what appeared to be a black-and-white IS logo late Sunday evening.
“Hacked by Islamic State (ISIS). We are everywhere ;),” a message read in English alongside the logo.
The association said it temporarily took the site offline on Monday to fix the problem.
Tomi Engdahl says:
Panda antivirus labels itself as malware, then borks EVERYTHING
Spanish security firm in baffling tail-chasing auto-immune kerfuffle
http://www.theregister.co.uk/2015/03/11/panda_antivirus_update_self_pwn/
Panda users had a bad hair day on Wednesday, after the Spanish security software firm released an update that classified components of its own technology as malign.
As a result, enterprise PCs running the antivirus software tied themselves in something of a knot, leaving some systems either unstable or unable to access the internet. A Panda spokesman confirmed the problem while advising that the issue was well in hand.
“A bad update was published temporarily today [Wednesday] that resulted in some system files being detected by the Panda engine, a replacement update was promptly published removing the error and restoring the wrongly quarantined files,” a Panda representative told El Reg.
“At present we recommend NOT rebooting systems. This will allow us to update the system with the amended update. This update will also restore files previously detected,” he added.
Tomi Engdahl says:
Security needs more than checklist compliance
http://www.edn.com/electronics-blogs/beyond-bits-and-bytes/4438865/Security-needs-more-than-checklist-compliance-?_mc=NL_EDN_EDT_EDN_systemsdesign_20150311&cid=NL_EDN_EDT_EDN_systemsdesign_20150311&elq=6b81474370884005814916324a847564&elqCampaignId=22035&elqaid=24740&elqat=1&elqTrackId=9ed338fb0a4246ee9f91d1f27e191caa
One of the ways to gauge security in an electronic system is determining if a product complies with specific security requirements. Yet often such determination is treated as a checklist of security capabilities that must be incorporated to meet compliance for a particular application. Simply adhering to checklists does not ensure security, though, and can actually create vulnerabilities.
Generally speaking, security is very broad topic that has a different meaning for different applications. Requirements and use-cases can differ drastically from one application to another, implying that the security architecture for one may not work optimally for another. This is especially true when working with general purpose microcontrollers that are designed to support a variety of applications. A “security block” can’t simply be dropped into the design and be completely effective.
Implementing security is very different than integrating a 3rd party Intellectual property (IP) block, such as adding Ethernet to a System-on-chip (SoC) design.
Compare this to security IP, which typically is well spread across the chip.
some of the side band signals between various components within the SoC that are not governed by any standard protocol.
This lack of a standard architecture or interfaces reduces the effectiveness of compliance checklists. Compliance checklists can certainly help define high-level requirements and force usage of certain cryptographic algorithms or random number generators to meet certain entropy requirements, but they often do not dictate implementation. This lack can open up a window to various side channel attacks. If security is not architected correctly a design can be vulnerable even though it may still meet compliance requirements.
So does that mean compliance requirements and standards should also dictate implementation? Can they possibly reduce side channel attacks by doing so, making the system more secure?
Opinions may differ; however, there can be severe implications if standards enforce certain implementations. Security can become even more of a challenge when there is inflexibility in terms of how certain features get implemented.
For certain applications having tight control over implementation may provide the perception of higher levels of security, but it can also create holes. If there is a hidden vulnerability in the existing implementation, for instance, it gets automatically built into the design when there is no choice of how a particular feature may get implemented.
Being too specific in defining certain features in a compliance requirement can potentially minimize side channel attacks. If, however, that forces a specific implementation (one that is perceived as more secure) to be the only choice, the specific feature may also create severe issues and adversely affect security. Standards therefore should create a good balance by enforcing a particular feature yet keeping the implementation flexible for developers/integrators.
Treating security as a checklist is thus a big mistake. It leads people to claim security on things that are not secure just because they seem to meet certain compliance standards. A compliance checklist may be built on top of the most common attack points for a particular application, for instance. But while such a checklist is good to take as a base to avoid the most common attacks/vulnerabilities, it cannot guarantee the system to be fully secure.
Creating a secure system is always a challenge and one must go beyond checklists to implement what is necessary rather than what is just minimally required to achieve compliance.
Tomi Engdahl says:
California Looking To Make All Bitcoin Businesses Illegal
http://yro.slashdot.org/story/15/03/11/223235/california-looking-to-make-all-bitcoin-businesses-illegal
A new law has been proposed in California that would effectively outlaw all Bitcoin-related businesses that don’t first get “permission.”
California Proposes Bill To Ban All Unlicensed Bitcoin Businesses, Without Even Defining What That Means
from the a-mess-in-the-making dept
https://www.techdirt.com/articles/20150310/15522730277/california-proposes-bill-to-ban-all-unlicensed-bitcoin-businesses-without-even-defining-what-that-means.shtml
California, the state that prides itself as the birthplace of modern technology and whose policies such as the unenforceability of non-competes contributed substantially to the innovation ecosystem, recently proposed a law that requires innovators to get permission from the state, or be banned.
Last week CA’s State Assembly announced AB 1326, a bill that would ban any unlicensed bitcoin or cryptocurrency business activity. It would “prohibit a person from engaging in this state in the business of virtual currency, as defined, in this state unless the person is licensed by the Commissioner of Business Oversight or is exempt from the licensure requirement.” Banks, financial institutions, and governments would be exempted under the law, making it even harder for a startup to compete. Worse yet, the bill doesn’t even define what “the business of virtual currency” means, making it both overly vague and counter to the very nature of the trustless, permissionless innovation that bitcoin and blockchain technology enable.
Tomi Engdahl says:
Kevin Bocek / Venafi Blog:
Clinton email server not encrypted or authenticated by a digital certificate for first three months of her term at State Department
Digital Certificate Forensics: What Venafi TrustNet Tells Us about the Clinton Email Server
https://www.venafi.com/blog/post/what-venafi-trustnet-tells-us-about-the-clinton-email-server
3-month gap before encryption enabled for browsers, smartphones, and tablets starting in 2009
Digital certificate analysis for clintonemail.com
Tomi Engdahl says:
How cops are finding “grow ops” with AM radios
http://www.edn.com/electronics-blogs/the-emc-blog/4438864/How-cops-are-finding–grow-ops–with-AM-radios?_mc=NL_EDN_EDT_EDN_today_20150312&cid=NL_EDN_EDT_EDN_today_20150312&elq=f4aa85ad09f84e2fbb88fb474036653b&elqCampaignId=22049&elqaid=24754&elqat=1&elqTrackId=75799c71e8e84893ae69c52e23132ded
Graves is a police sergeant in the San Francisco area and he described how police were starting to use AM radios in their vehicles to locate illegal indoor marijuana “farms”. These “grow ops” are using arrays of large 1000W high pressure sodium or metal halide lamps, driven by electronic ballasts. Most of these ballasts are imported from China and the manufacturers of these have apparently made no attempt at complying with FCC emission standards. Consequently, they produce large amounts of radio frequency interference (RFI). This RFI has become a major nuisance to local radio amateurs.
Tomi Engdahl says:
Are You Hiding All You Intended? Probably Not.
https://www.blackhat.com/html/webcast/03192015-are-you-hiding.html
Encryption is the single most used technology to guarantee privacy because it is effective, secure, and easy to use. But what is really hidden? The answer may surprise you. While the privacy invasion aspects of machine learning and data mining have huge awareness in respect to marketing and social media data, the usage of machine learning and its effects on current techniques to hide data such as encryption is relatively unexplored in comparison.
Recently I wrote a tool called Pacumen that is used to analyze encrypted traffic and infer information about it without decryption. The type of information it can extract is “what applications are being used over this tunnel?” and in some cases “what websites are being accessed?”. Essentially it is a framework for answering yes/no questions about network traffic that doesn’t require looking at the content of the traffic.
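To make the Pacumen idea concrete, here is an added illustration (not Pacumen's own code, and not from the original post) that answers a yes/no question about a flow using only packet sizes and directions, never the payload. The three application profiles and every flow are synthetic, generated from hypothetical parameters so the example runs offline.

```python
"""Infer the application behind an encrypted flow from packet-size and
direction metadata only (no payload inspection).  Added example in the
spirit of the Pacumen description above; it is not Pacumen's code.
All flows are synthetic, generated from constructed profiles."""
import math
import random
from statistics import mean, pstdev

# A flow is a list of (direction, length) tuples: direction "c" is
# client->server, "s" is server->client; length is the record size in
# bytes.  Constructed profiles, not measurements of real applications.
PROFILES = {
    # interactive shell: tiny keystroke packets, small echoed replies
    "interactive": {"c": (40, 90), "s": (50, 200), "ratio_c": 0.5},
    # bulk download: sparse small client ACKs, server sends MSS-sized data
    "download": {"c": (52, 70), "s": (1380, 1460), "ratio_c": 0.05},
    # web browsing: mid-size requests, mixed-size responses
    "browsing": {"c": (300, 600), "s": (600, 1460), "ratio_c": 0.25},
}

def synth_flow(rng, profile, n_packets=60):
    """Generate one synthetic flow from a named profile."""
    p = PROFILES[profile]
    flow = []
    for _ in range(n_packets):
        d = "c" if rng.random() < p["ratio_c"] else "s"
        flow.append((d, rng.randint(*p[d])))
    return flow

def features(flow):
    """Side-channel features still visible through an encrypted tunnel."""
    lens = [l for _, l in flow]
    s_bytes = sum(l for d, l in flow if d == "s")
    return [
        mean(lens),
        pstdev(lens),
        sum(1 for l in lens if l < 100) / len(lens),  # share of tiny packets
        s_bytes / sum(lens),                          # server byte share
    ]

class NearestCentroid:
    """Tiny nearest-centroid classifier over z-scored features."""
    def __init__(self, labelled):
        vecs = [features(f) for f, _ in labelled]
        cols = list(zip(*vecs))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]
        self.centroids = {}
        for label in {lab for _, lab in labelled}:
            members = [self._z(v) for v, (_, lab) in zip(vecs, labelled)
                       if lab == label]
            self.centroids[label] = [mean(c) for c in zip(*members)]

    def _z(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mu, self.sd)]

    def classify(self, flow):
        z = self._z(features(flow))
        return min(self.centroids,
                   key=lambda lab: math.dist(z, self.centroids[lab]))

    def answers(self, flow, question):
        """Yes/no question: 'is this a <question> flow?'"""
        return self.classify(flow) == question

def build_model(seed=1):
    """Train on 20 synthetic flows per profile; returns (model, rng)."""
    rng = random.Random(seed)
    training = [(synth_flow(rng, lab), lab)
                for lab in PROFILES for _ in range(20)]
    return NearestCentroid(training), rng

def demo(seed=1):
    """Classify one fresh synthetic flow per profile; label -> prediction."""
    model, rng = build_model(seed)
    return {lab: model.classify(synth_flow(rng, lab)) for lab in PROFILES}

if __name__ == "__main__":
    for lab, guess in demo().items():
        print(f"{lab:12s} -> {guess}")
```

The defensive lesson is the mirror image: padding records to a fixed size and shaping inter-packet timing is what removes these features, which is why "it is encrypted" alone does not answer "what is hidden".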
Tomi Engdahl says:
OpenSSL To Undergo Massive Security Audit
http://tech.slashdot.org/story/15/03/12/1928259/openssl-to-undergo-massive-security-audit
Now that its codebase is finally viewed as stable, OpenSSL is getting a good top-to-bottom once-over in the form of a sweeping audit. As part of the Linux Foundation’s Core Infrastructure Initiative, the foundation and the Open Crypto Audit Project are sponsoring and organizing what may arguably be the highest-profile audit of a piece of open-source software in history.
OpenSSL to undergo massive security audit
http://sdtimes.com/openssl-undergo-massive-security-audit/
It’s been close to a year since the Heartbleed bug sent the Internet into a frenzy over security. It spurred the software industry to rally behind OpenSSL—sending in more developers, revamping the security protoco
The audit itself will be conducted by the information assurance organization NCC Group, and its security research arm, Cryptography Services, will carry out the code review.
In the Cryptography Services announcement, the audit team stated it will focus primarily on TLS stacks, covering protocol flow, state transitions and memory management, while also taking a look at BIOs, the most prominent cryptographic algorithms, and setting up fuzzers for the ASN.1 and x509 parsers. According to OpenSSL’s Open HUB project page, the implementation currently consists of 447,247 lines of code written in 14 programming languages.
Tomi Engdahl says:
Bulgaria nixes ‘metadata’ law, Paraguay delays
Another one bites the dust …
http://www.theregister.co.uk/2015/03/13/bulgaria_nixes_metadata_law_paraguay_delays/
Another data retention domino has fallen, with Bulgaria striking down its spooks’-charter laws as unconstitutional in a Constitutional Court challenge launched by that country’s ombudsman.
The Sofia Globe reports that the bulk collection mandated by the country’s Electronic Communications Act has been struck down, with the full decision yet to be published.
The challenge to the laws began in April 2014, following the European Court of Justice’s decision to invalidate the 2006 European data retention directive.
Tomi Engdahl says:
PRISM: UK government finds that bulk collection is not mass surveillance
GCHQ is just doing its job, in a way
http://www.theinquirer.net/inquirer/news/2399451/prism-uk-government-finds-that-bulk-collection-is-not-mass-surveillance
THE MUCH ANTICIPATED OFFICIAL government review into GCHQ bulk data collection has found that such activity is fine, and should not be considered mass surveillance. It also acknowledged that some legislative change is needed.
Yup. The Intelligence and Security Committee of Parliament (ISC) has surprised us all by deciding that following “a comprehensive review of the full range of intrusive capabilities available to the UK intelligence Agencies”, it is able to “present a landmark in terms of the openness and transparency surrounding the Agencies’ work”, and tell us that fears are unfounded.
“The security and intelligence Agencies have a crucial role protecting UK citizens from threats to their safety.”
“Given the extent of targeting and filtering involved, it is evident that while GCHQ’s bulk interception capability may involve large numbers of emails, it does not equate to blanket surveillance, nor does it equate to indiscriminate surveillance,” it explains.
“GCHQ is not collecting or reading everyone’s emails: they do not have the legal authority, the resources, or the technical capability to do so. We have established that bulk interception cannot be used to search for and examine the communications of an individual in the UK unless GCHQ first obtain specific authorisation.”
“The Committee calls this report a landmark for ‘openness and transparency’ – but how do we trust agencies who have acted unlawfully? No doubt it would be simpler if we went along with the spies’ motto of ‘no scrutiny for us, no privacy for you’ – but what an appalling deal for the British public.”
Tomi Engdahl says:
CISA Cybersecurity Bill Advances Despite Privacy Concerns
http://www.wired.com/2015/03/cisa-cybersecurity-bill-advances-despite-privacy-critiques/
For months, privacy advocates have been pointing to flaws in CISA, the new reincarnation of the cybersecurity bill known as CISPA that Congress has been kicking around since 2013. But today that zombie bill lurched one step closer to becoming law.
The Senate Intelligence Committee passed the Cybersecurity Information Sharing Act, or CISA, by a vote of 14 to one Thursday afternoon. The bill, like the failed Cybersecurity Information Sharing and Protection Act that preceded it, is designed to encourage the sharing of data between private companies and the government to prevent and respond to cybersecurity threats. But privacy critics have protested that CISA would create a legal framework for companies to more closely monitor internet users and share that data with government agencies.
Tomi Engdahl says:
OpenDNS snags network monitoring service BGPmon
Don’t go messing with my net traffic flows
http://www.theregister.co.uk/2015/03/13/opendns_buys_bgpmon_monitoring/
Cloud security firm OpenDNS is buying network and routing monitoring services outfit BGPmon. Financial terms of the deal, announced on Thursday, were not disclosed.
BGPmon offers services based on the Border Gateway Protocol (BGP), a core network protocol used by every major network and ISP, which maps preferred paths for traffic to flow over the internet.
Messing with BGP tables diverts traffic in bulk, potentially leaving it open to full-take snooping in the process.
Founded in Canada in 2011, BGPmon monitors customer networks from hundreds of vantage points worldwide in order to deliver close to real-time alerts about network instability or policy violations.
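The "policy violations" a routing monitor alerts on are largely origin checks: does the AS that claims a prefix match the expected owner, and is anyone announcing a more specific slice of it? The following added example (not BGPmon's code) runs that check over constructed BGP updates against a constructed expected-origin list; all prefixes and ASNs are documentation/private ranges chosen for illustration.

```python
"""Flag BGP origin hijacks, sub-prefix hijacks and over-specific
announcements from a stream of updates.  Added illustration, not BGPmon's
code; every prefix, ASN and update below is constructed."""
import ipaddress

# Expected origins, analogous to a route policy or ROA list:
# (prefix, allowed origin ASNs, longest prefix length the owner may announce)
EXPECTED = [
    ("203.0.113.0/24", {64500}, 24),
    ("198.51.100.0/22", {64501}, 24),
    ("2001:db8::/32", {64500}, 48),
]

def _policy_for(net):
    """Most specific EXPECTED entry covering net, or None."""
    best = None
    for exp_str, origins, maxlen in EXPECTED:
        exp = ipaddress.ip_network(exp_str)
        if exp.version != net.version or not net.subnet_of(exp):
            continue
        if best is None or exp.prefixlen > best[0].prefixlen:
            best = (exp, origins, maxlen)
    return best

def classify_update(update):
    """update = {"prefix": str, "as_path": [int, ...]}; origin is last AS."""
    path = update["as_path"]
    if not path:
        return "invalid: empty AS_PATH"
    net = ipaddress.ip_network(update["prefix"])
    policy = _policy_for(net)
    if policy is None:
        return "unknown: no policy covers prefix"
    exp, origins, maxlen = policy
    origin = path[-1]
    if origin not in origins:
        # Unexpected origin: a more specific prefix wins the longest-match
        # lookup everywhere, so it diverts traffic even where the real
        # route is still present.
        if net.prefixlen > exp.prefixlen:
            return "ALERT: sub-prefix hijack"
        return "ALERT: origin hijack"
    if net.prefixlen > maxlen:
        return "ALERT: more-specific beyond max length (possible leak)"
    return "ok"

def scan(updates):
    """Return [(prefix, verdict), ...] for a batch of updates."""
    return [(u["prefix"], classify_update(u)) for u in updates]

# Constructed sample updates (not real routing data).
SAMPLE_UPDATES = [
    {"prefix": "203.0.113.0/24",   "as_path": [64510, 64500]},
    {"prefix": "203.0.113.0/24",   "as_path": [64510, 64666]},
    {"prefix": "203.0.113.128/25", "as_path": [64510, 64666]},
    {"prefix": "198.51.100.0/24",  "as_path": [64510, 64501]},
    {"prefix": "198.51.100.0/25",  "as_path": [64510, 64501]},
    {"prefix": "192.0.2.0/24",     "as_path": [64510, 64502]},
    {"prefix": "2001:db8:1::/48",  "as_path": [64510, 64666]},
]

if __name__ == "__main__":
    for prefix, verdict in scan(SAMPLE_UPDATES):
        print(f"{prefix:20s} {verdict}")
```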
Tomi Engdahl says:
SQL Injection Bug Fixed in Popular WordPress SEO Plug-In
https://threatpost.com/sql-injection-bug-fixed-in-popular-wordpress-seo-plug-in/111601
SEO by Yoast, a popular search engine optimization plug-in for WordPress, has fixed a pair of blind SQL injection vulnerabilities that could have allowed an attacker to take complete control of affected sites.
It’s not clear how many WordPress sites have SEO by Yoast installed, but the maker of the popular plugin claims it has been downloaded more than 14 million times.
Vulnerable versions of the service are susceptible to arbitrarily executed SQL queries, in part because it lacks proper cross-site request forgery protections. If the attacker were able to trick an authenticated administrator, editor or author into following a link to a malicious page, the attacker could then create an admin role for himself and totally compromise affected sites.
Tomi Engdahl says:
Technology should be used to create social mobility – not to spy on citizens
http://www.theguardian.com/technology/2015/mar/10/nsa-gchq-technology-create-social-mobility-spy-on-citizens
NSA and GCHQ mass surveillance is more about disrupting political opposition than catching terrorists
Why spy? That’s the several-million pound question, in the wake of the Snowden revelations. Why would the US continue to wiretap its entire population, given that the only “terrorism” they caught with it was a single attempt to send a small amount of money to Al Shabab?
One obvious answer is: because they can. Spying is cheap, and cheaper every day. Many people have compared NSA/GCHQ mass spying to the surveillance programme of East Germany’s notorious Stasi, but the differences between the NSA and the Stasi are more interesting than the similarities.
The most important difference is size. The Stasi employed one snitch for every 50 or 60 people it watched. We can’t be sure of the size of the entire Five Eyes global surveillance workforce, but there are only about 1.4 million Americans with Top Secret clearance, and many of them don’t work at or for the NSA, which means that the number is smaller than that (the other Five Eyes states have much smaller workforces than the US). This million-ish person workforce keeps six or seven billion people under surveillance – a ratio approaching 1:10,000. What’s more, the US has only (“only”!) quadrupled its surveillance budget since the end of the Cold War: tooling up to give the spies their toys wasn’t all that expensive, compared to the number of lives that gear lets them pry into.
IT has been responsible for a 2-3 order of magnitude productivity gain in surveillance efficiency. The Stasi used an army to surveil a nation; the NSA uses a battalion to surveil a planet.
Spying, especially domestic spying, is an aspect of what the Santa Fe Institute economist Samuel Bowles calls guard labour: work that is done to stabilise property relationships, especially the property belonging to the rich.
Tomi Engdahl says:
Damian Paletta / Wall Street Journal:
Senate panel approves CISA, which encourages companies to share information about cyberattacks with each other and the federal government, in 14-1 vote
http://www.wsj.com/article_email/senate-panel-easily-passes-cybersecurity-bill-1426197297-lMyQjAxMTE1MDEyMjMxODI1Wj
Tomi Engdahl says:
NBC News:
DARPA’s new Brandeis program aims to improve privacy by securing the data users voluntarily share over the Internet with third parties
http://www.nbcnews.com/tech/security/darpa-unexpectedly-announces-program-improve-online-piracy-n322601
Tomi Engdahl says:
Andrea Peterson / Washington Post:
Yahoo demos plug-in for end-to-end email encryption, to launch by end of year; rolls out single-use password via SMS feature — Yahoo’s plan to get Mail users to encrypt their e-mail: Make it simple — Keeping your e-mail messages super private can be a pain.
Yahoo’s plan to get Mail users to encrypt their e-mail: Make it simple
http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/15/yahoos-plan-to-get-mail-users-to-encrypt-their-e-mail-make-it-simple/
Keeping your e-mail messages super private can be a pain. Most free e-mail providers automatically provide SSL encryption for Web mail users — meaning data can be seen by the service, as well as the senders and recipients of messages. But end-to-end encryption, a feature which locks up message contents so that only the sender and receiver can read them, can be a much more cumbersome process for e-mail, often involving specialized software and looking up encryption keys.
The whole thing can be so tricky that very few people actually use it — or if they do, it’s used only for the most sensitive of messages.
But in the wake of reports from Edward Snowden about the National Security Agency’s access to data held by tech giants, many of those companies have pursued technological solutions to shore up customers’ trust, including an expansion of end-to-end encryption. Google announced in June that it was working on a Chrome plug-in to provide end-to-end for Gmail users. Yahoo, too, is working on end-to-end.
In August, Yahoo information security chief Alex Stamos announced that the company would release its own version of the plug-in for all Yahoo Mail users in 2015 — and it will work with Google’s plug-in, which matters because both sides of an exchange need to be on board for end-to-end to work.
Tomi Engdahl says:
DARPA Says It Wants to Help Protect Your Online Privacy
http://www.nbcnews.com/tech/security/darpa-unexpectedly-announces-program-improve-online-piracy-n322601
“The goal of the Brandeis program is to break the tension between maintaining privacy and being able to tap into the huge value of data,” explained program manager John Launchbury in a press release. “Rather than having to balance these public goods, Brandeis aims to build a third option, enabling safe and predictable sharing of data while reliably preserving privacy.”
What exactly the agency intends to build, be it a piece of software, a new form of encryption or a legal framework for protecting the right to privacy, isn’t exactly clear. It likely depends on what research proposals gain traction as the project progresses.
Tomi Engdahl says:
Kelly Weill / Capital New York:
Twitter bot based on open-source code will track Wikipedia edits made from NY police department IP addresses
Twitter account to track NYPD’s Wikipedia edits in real time
http://www.capitalnewyork.com/article/city-hall/2015/03/8564038/twitter-account-track-nypds-wikipedia-edits-real-time
A new Twitter account will automatically track the NYPD’s anonymous edits to Wikipedia.
“Simply put, I hope it will continue to shine a light on NYPD edits in real time – particularly anonymous edits,” Emerson told Capital.
The account was created Friday morning, after a Capital New York report detailed extensive Wikipedia edits by NYPD IP addresses to Wikipedia articles. Capital found multiple instances of users on the NYPD network editing and attempting to delete entries on victims of NYPD altercations.
“The NYPD certainly has a right to tell its interpretation of events, but editing Wikipedia anonymously is misleading,” Emerson said. “To put it politely.”
Tomi Engdahl says:
Your mother’s maiden name has been a ‘security question’ since 1882
http://fusion.net/story/62076/mothers-maiden-name-security-question/
It’s well-established that passwords are a flawed security system. Attackers can guess them, steal them from a database, or watch you type them in. But until we can get our smartphones to take our DNA to confirm our identities, we’re stuck with them.
The processes that let you recover your password if you forget it, though, can be much worse than passwords themselves.
Companies that take security seriously will ask you to authenticate your identity with a “second factor,” such as a code they send to a device they know you own. Companies that don’t care, and are more casual about your privacy, will ask you to answer “security questions” — which are typically questions that anyone could guess after a thorough stalking of your Facebook account: Oh, there’s a photo of you with your high school best friend. Oh, there’s a status update with your “porn star name,” combining your first pet’s name with the first street you lived on. (It’s possible the NSA invented that game.) And oh, there’s your mom commenting on everything you upload, and look, she’s divorced and using her maiden name. Pwned.
Tomi Engdahl says:
‘There is NO SUCH THING as a safe site anymore’ – security bod
http://www.theregister.co.uk/2015/03/15/quotw_ending_13_march/
Sticking to the, er, kitchen theme, celeb chef Jamie Oliver was this week accused of slinging more than hash. The mockney cook’s site was found to be serving up hearty portions of steaming malware. Over to Malwarebytes researcher Jérôme Segura for this chilling turkey twizzler:
There is no such thing as a ‘safe’ site anymore. We have documented time and time again on this blog malicious advertisements as well as site hacks that affect well-known brands just the same as smaller sites.
Tomi Engdahl says:
Passwords are always at risk of falling into outsiders’ hands. While others strengthen security with two-step authentication, Yahoo is doing away with personal passwords altogether.
The company calls its technology “on-demand passwords”. The user asks the service to send a password to their phone, which then acts as the authentication.
A New, Simple Way to Log In
http://yahoo.tumblr.com/post/113708272894/a-new-simple-way-to-log-in?soc_src=mail&soc_trk=ma
We’ve all been there…you’re logging into your email and you panic because you’ve forgotten your password. After racking your brain for what feels like hours, it finally comes to you. Phew!
Today, we’re hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them. You no longer have to memorize a difficult password to sign in to your account – what a relief!
We’ve made the steps easy to follow
On-demand passwords is now available for U.S. users.
Tomi Engdahl says:
Yahoo shows off password-free logins and new encrypted email technology
http://www.theverge.com/2015/3/15/8219529/yahoo-on-demand-passwords-and-end-to-end-email-sxsw-2015
Passwords are terrible: they’re inefficient and they’re often insecure, too. Many leading tech companies have embraced two-factor authentication as a more secure option, but they’re optional and only those particularly concerned about their digital identities take the time to set it up.
That’s why Yahoo is taking a new approach, called “on demand” passwords. Like two-step authentication, you’ll be sent a unique time-sensitive code through an app or a text message to your phone when you want to log in. But there’s a key step missing: you won’t have to type in your primary password first. That’s right, with “on demand” passwords, you won’t have a permanent password tied to your account that’s required every time you log in. Some might even call it “one-step” authentication. When you try to sign in, you’ll see a “send my password” button instead of a traditional password text box if you enable the system. The new sign-on method is available now.
Yahoo VP Dylan Casey called the feature “the first step to eliminating passwords,” according to CNET.
This isn’t the first time a company has looked into eliminating the password. The world’s largest tech companies are working to find the successor to the dated password — and many are turning to biometric readers like fingerprint or eye scanners for a solution.
Yahoo wants to let you forget your Yahoo password
http://www.cnet.com/uk/news/yahoo-wants-to-let-you-forget-your-yahoo-password/
The Internet giant launches a service that sends a short password to your phone. Think two-factor authentication, without the first factor.
Turns out nobody can remember their Yahoo passwords. Now the company wants to make it so no one has to.
Yahoo on Sunday launched a new service called “on-demand” passwords, which lets someone log into a Yahoo account using a short password the company texts to their phone instead of having to remember their own password.
“This is the first step to eliminating passwords,”
The process feels like a common process for logging into websites called two-factor authentication, where you first enter your own password, then enter a second password the company sends to your phones. (Many popular services including Google’s Gmail do this). Think of Yahoo’s process like two-factor authentication, minus the first factor.
Cyber security has become a top issue for the technology industry. Several of the world’s most well-known companies, including Sony and Apple, have fought high-profile security vulnerabilities. Many companies have also tried to tackle the problem of their users having weak passwords. Password managers, like LastPass, also try to take the burden off users to remember passwords.
“I don’t think we as an industry have done a good enough job of putting ourselves in the shoes of the people using our products,”
Tomi Engdahl says:
Authy 2FA app popped by simple, secret, code
The patch has arrived and the horse has bolted
http://www.theregister.co.uk/2015/03/16/auth_bypass/
Attackers could bypass the Authy two factor authentication (2FA) system by typing a phrase in a token field.
Authy’s apps make it possible for punters to log in to services like Gmail, Dropbox and Facebook, or even Amazon Web Services, with a one-time password sourced from an app. But prior to the advent of a patch issued 8 February, attackers could type ‘../sms’ into the two factor code field to bypass authentication.
“It turns out even URL encoding was futile – path_traversal module in rack-protection was decoding %2f back to slashes,” Homakov says.
“This literally affects every API running Sinatra and reading parameters from the path. This is also a great example how libraries or features that aim to add security actually introduce security vulnerabilities.”
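The lesson of the quoted bypass is that a blocklist on a field that later feeds a URL path cannot survive the framework decoding percent-escapes behind it, while a strict allowlist does not care about encoding. The following Ruby comparison is an added example, not code from the article, Authy or rack-protection; the decoding step is a hypothetical stand-in for the behaviour Homakov describes, and the six-to-eight-digit token shape is assumed.

```ruby
# Added example: slash blocklist vs. digits-only allowlist for a 2FA code field.
# Not code from Authy or rack-protection; the decoding step below only mirrors
# the behaviour described in the article (an encoded slash decoded late).
require 'uri'

# Naive check: reject a token only if it visibly contains a slash.
# A percent-encoded slash passes this test untouched.
def blocklist_accepts?(token)
  !token.include?('/')
end

# Allowlist: a one-time code is a short run of digits and nothing else
# (six to eight digits is an assumed shape). Encoding tricks never match.
TOKEN_RE = /\A\d{6,8}\z/.freeze
def allowlist_accepts?(token)
  TOKEN_RE.match?(token)
end

# Hypothetical downstream step: the token is interpolated into an API path
# and the path is percent-decoded afterwards, so %2f becomes "/".
def api_path_for(token)
  URI.decode_www_form_component("/verify/#{token}")
end

# Did the token stay a single path segment under /verify/ after decoding?
def stays_in_place?(token)
  path = api_path_for(token)
  path == "/verify/#{token}" && !path.include?('..')
end

# Constructed inputs: a normal code, the traversal quoted in the article,
# and its percent-encoded form.
SAMPLES = ['123456', '../sms', '..%2fsms'].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |t|
    puts format('%-9s blocklist=%-5s allowlist=%-5s decoded_path=%s',
                t, blocklist_accepts?(t), allowlist_accepts?(t), api_path_for(t))
  end
end
```

Running it shows the encoded form passing the blocklist and decoding to a traversal path, while the allowlist rejects both variants before any path is built.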
Tomi Engdahl says:
And the buggiest OS provider award goes to … APPLE?
Count of 2014′s flaws finds more nasties in Mac OS and iOS than in Windows or Linux
http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/
Apple’s operating systems and Linux racked up more vulnerability reports than Windows during 2014, according to research from security outfit GFI.
Cupertino’s OS X and iOS platforms topped the 2014 bug charts with 147 and 127 holes disclosed in each, nudging out the Linux Kernel with 119 flagged flaws, the National Vulnerability Database statistics show.
Apple also has the most high-risk holes with 64 reported in OS X, and is just nudged out by Linux in the medium-severity stakes which clocked 74 flaws to iOS’ 72.
Windows platforms were far behind with 68 total reported bugs and 20 medium-severity flaws reported. Surveyed Windows releases included Windows 8, 8.1, 7, Vista, and RT, along with Server 2012 and 2008. All had between 30 and 38 vulnerabilities.
Crucially, up to 80 percent of the reported bugs concerned third party applications, and only 13 percent related to the operating systems in question.
Tomi Engdahl says:
Princeton boffins sniff Tor users’ IDs from TCP ACKs and server sweat
The onion’s getting more transparent by the day
http://www.theregister.co.uk/2015/03/16/raptor_another_way_to_snoop_on_tor_users/
Tor is regularly recommended as a vital privacy protection technology, and just as regularly, researchers discover ways to de-anonymise users, and the latest of these has just hit Arxiv.
The research, led by boffins from Princeton, demonstrates ways to de-anonymise Tor users with access to just one end of a communication path, at the Autonomous System (AS) level.
The attack suite, which the researchers call Raptor, differs from previous attacks against anonymity, most of which need to observe traffic flows at different points of the Tor network, and need to capture symmetric flows.
Instead, the Princeton crew proposes an asymmetric model which they call a “form of end-to-end timing analysis that allows AS-level adversaries to compromise the anonymity of Tor users … as long as the adversary is able to observe any direction of the traffic at both ends of the communication”.
In their experimental results, the researchers reckon they achieved “detection accuracy of 95 per cent”, with other techniques available to increase this further.
Their ability to correlate the two ends of the communication using only sequence number and ACK number ran between 94 and 96 per cent, the researchers claim.
The researchers say attacks can be mitigated in two ways: the Tor network needs to monitor the routing control plane and data plane to try to detect attacks; and with a variety of preventative measures.
Preventative measures include writing Tor clients to favour guard relays that have the shortest AS path to the client; the implementation of secure inter-domain routing (which unfortunately requires a bunch of providers to agree to deploy it); and to get Tor relays advertising /24 prefixes.
Tomi Engdahl says:
e-Threats Automated Malware Testing
Review by Enex TestLab
http://www.cso.com.au/article/398860/ethreatz_automated_malware_testing/
Every month we will be publishing the results of our Enex TestLab eThreatz comparative real world test of eight anti-malware products marketed for the SME sector of business.
Tomi Engdahl says:
A Police Gadget Tracks Phones? Shhh! It’s Secret
http://www.nytimes.com/2015/03/16/business/a-police-gadget-tracks-phones-shhh-its-secret.html
A powerful new surveillance tool being adopted by police departments across the country comes with an unusual requirement: To buy it, law enforcement officials must sign a nondisclosure agreement preventing them from saying almost anything about the technology.
Any disclosure about the technology, which tracks cellphones and is often called StingRay, could allow criminals and terrorists to circumvent it, the F.B.I. has said in an affidavit. But the tool is adopted in such secrecy that communities are not always sure what they are buying or whether the technology could raise serious privacy concerns.
The confidentiality has elevated the stakes in a longstanding debate about the public disclosure of government practices versus law enforcement’s desire to keep its methods confidential. While companies routinely require nondisclosure agreements for technical products, legal experts say these agreements raise questions and are unusual given the privacy and even constitutional issues at stake.
“It might be a totally legitimate business interest, or maybe they’re trying to keep people from realizing there are bigger privacy problems,” said Orin S. Kerr, a privacy law expert at George Washington University. “What’s the secret that they’re trying to hide?”