Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.
Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.
As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.
Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Authorities Closing In on Hackers Who Stole Data From JPMorgan Chase
http://www.nytimes.com/2015/03/16/business/dealbook/authorities-closing-in-on-hackers-who-stole-data-from-jpmorgan-chase.html
It has become a familiar pattern: The computer system of a big American company is breached, the personal information of tens of millions of customers is stolen and a public outcry ensues. Rarely are the thieves caught.
But last summer’s attack on JPMorgan Chase — which resulted in hackers gaining access to email addresses and phone numbers for 83 million households and small businesses — may break that pattern of investigative dead ends in large corporate breaches.
Federal authorities investigating the attack at JPMorgan are increasingly confident that a criminal case will be filed against the hackers in the coming months, said people briefed on the investigation. Law enforcement officials believe that several of the suspects are “gettable,” meaning that they live in a country with which the United States has an extradition treaty. That would not include countries like Russia.
Although the breach at JPMorgan did not result in the loss of customer money or the theft of personal information, it was one of the largest such attacks against a bank and a warning sign that the American financial system was vulnerable.
The JPMorgan case is advancing quickly partly because the attack was not nearly as sophisticated as initially believed, and law enforcement authorities were able to identify at least some suspects early on, said the people briefed on the matter
“The government has finite resources to deal with cybercrime and as a result tends to look for cases which can create maximum impact,” Mr. Brown said.
The intensifying hunt for the JPMorgan hackers comes as the bank, which has said it spends about $250 million a year on digital security and plans on doubling that in the future, wrestles every day with securing its vast global network.
The internal review also noted that JPMorgan recently increased its requirements for giving people the highest level of access to the bank’s network. It did so, according to the review, to minimize the risk of “catastrophic technical or reputational damage to the firm.” JPMorgan now limits so-called “high security access” to bank employees who must submit to annual credit screenings and criminal background checks. The bank now also conducts a “routine review” to make sure that high security access is justified for a particular person.
Tomi Engdahl says:
Today, service providers such as cloud providers, Web hosting services, Internet Service Providers (ISPs) as well as large enterprises, require an environment that is highly available and secure, as the Internet is the main, if not the only way to channel an organization’s services to its customers. Over the last few years, distributed denial of service (DDoS) attacks have grown dramatically in frequency, size and complexity.
clearly not prepared to address this new breed of DDoS attacks, which leverage large distributed “botnet” networks of compromised “zombie” machines
Source: http://whitepapers.theregister.co.uk/paper/view/3643/network-ddos-protection.pdf
Tomi Engdahl says:
Facebook revamps its takedown guidelines
http://www.bbc.com/news/technology-31890521
Facebook is providing the public with more information about what material is banned on the social network.
Its revamped community standards now include a separate section on “dangerous organisations” and give more details about what types of nudity it allows to be posted.
The US firm said it hoped the new guidelines would provide “clarity”.
One of its safety advisers praised the move but said that it was “frustrating” other steps had not been taken.
The new version of the guidelines runs to nearly 2,500 words, nearly three times as long as before.
The section on nudity, in particular, is much more detailed than the vague talk of “limitations” that featured previously.
Facebook now states that images “focusing in on fully exposed buttocks” are banned, as are “images of female breasts if they include the nipple”.
Other sections with new details include:
Bullying – images altered to “degrade” an individual and videos of physical bullying posted to shame the victim are now expressly forbidden
Hate speech – while the site maintains the same list of banned topics, it now adds that people are allowed to share examples of others’ hate speech in order to raise awareness of the issue, but they must “clearly indicate” that this is their purpose
Criminal activity – the network now states that users are prohibited from celebrating any crimes they have committed, but adds that they are allowed to propose that an illegal activity should be legalised
Self-injury – the site says that it will remove content that identifies victims and targets them for attack, even if done humorously. But it says that it does not consider “body modification” to be a type of self-injury
The changes have been welcomed by the Family Online Safety Institute (Fosi), one of five independent organisations that make up Facebook’s safety advisory board.
https://www.facebook.com/communitystandards
Tomi Engdahl says:
F-Secure’s Hypponen: Web Intelligence must be monitored
“When the citizens of the right to undermine the authority of the people’s privacy, it is their assurance that it achieves something,”
Verkkotiedustelulla to achieve security, but is the price to individuals’ privacy too hard? This issue is reflected on F-Secure’s Chief Research Officer Mikko Hypponen National Kybertalkoot event on Tuesday.
“When the citizens of the right to undermine the authority of the people’s privacy, it is their assurance that it achieves something,” Hypponen said. “We must ask ourselves whether we want that Finland is in general intelligence.”
“It is clear that in 2015, the network may be relevant information. Of intelligence surveillance is, however, very difficult and that very important, “Hypponen says.
He believes that the majority of the welcome it if the Finnish home users’ computers can be avoided by listening to the school shootings or terrorist attacks. In many cases, citizens do with nosing around a result of not getting the most relevant information. How an individual reacts to learn that all his doings online is spied on?
Source: http://summa.talentum.fi/article/tv/uutiset/142999
Tomi Engdahl says:
Edward Snowden’s speech was ruined by a bunch of random people that joined in on his video call
http://uk.businessinsider.com/edward-snowden-interrupted-at-futurefest-conference-in-london-2015-3?r=US
Edward Snowden tried to take part in a panel discussion at a technology conference on Saturday — but was left embarrassed when his video call was repeatedly interrupted.
Google Hangouts allow multiple people take part in online video calls. Snowden was in the video call using a Google profile under the name of “Ben,” but whoever set up the call hadn’t locked down the privacy settings. That meant that anyone could join — and they did.
Snowden explained that governments use long words to describe mass surveillance, which he argues is a trick to make people accept widespread privacy violations. But then someone else joined the video call. They seemed surprised to be there, shouting “holy sh*t!”
“Wanted to see/hear but not be heard,”
Tomi Engdahl says:
GCHQ students protecting virtual Boris Johnson from a cyber kicking right now
Cyber Security Challenge UK is a bit like Pop Idol, but with less drama
http://www.theinquirer.net/inquirer/news/2399638/gchq-students-protecting-virtual-boris-johnson-from-a-cyber-kicking-right-now
UK COMMUNICATIONS VORTEX GCHQ is pushing ahead with its Simon Cowell-inspired Cyber Security Challenge UK and has a collection of the best and brightest students trying to prevent a virtual cyber thwack in London.
The Cyber Security Challenge UK is an ongoing thing for GCHQ in a bid to encourage bright young security sparks into its ranks.
The crown last year went to 19-year-old Will Shackleton, who had an intern role at Facebook.
The 2015 final is taking place today.
“Finalists will be battling against the clock to find out how the fictitious group broke into a simulated network that controls the ship’s guns, and within which the competition developers have placed various realistic vulnerabilities for them to find. Their job will be to wrestle back control of the gun system before it is too late,” said GCHQ.
“Fighting cyber crime is a vital part of safeguarding the security of people and businesses in the UK, and there are increasing opportunities in law enforcement for people with the right technical skills to continue their own development while helping to pursue criminals and protect the public,” said Andy Archibald, deputy director of the National Cyber Crime Unit (NCA).
Tomi Engdahl says:
Dread Pirate Roberts’ first mate Peter Nash faces life behind bars
Silk Road’s main moderator pleads guilty-but-ignorant
http://www.theregister.co.uk/2015/03/16/end_of_the_silk_road_for_peter_nash/
An Australian faces life behind bars in the USA after entering a guilty plea for his role in Ross Ulbricht’s Silk Road operation.
Peter Phillip Nash, who went by the tag “Samesamebutdifferent” on the online drug bazaar, put his hands up to narcotics and money laundering charges.
Nash was arrested in the Australian city of Brisbane in December 2013 and extradited to the USA in November 2014. In his indictment, US authorities alleged he was paid between $US50,000 and $US75,000 a year to act as primary moderator for Silk Road. However, Reuters reports that Nash told the court he only earned $US30,000.
Nash’s identity became known when the US Justice Department named him in the charges against Ulbricht. He was previously a behavioural scientist in prisons.
Tomi Engdahl says:
Joseph Bernstein / BuzzFeed:
A week on the Dark Web: drugs, child pornography, guns, and stolen accounts are everywhere
I Spent A Week With The Scammers, Drug Dealers, And Endearing Dorks Inside The Dark Web
http://www.buzzfeed.com/josephbernstein/if-you-dont-want-to-read-about-the-apple-watch-read-this-gui#.qmzl61nZ
Last month, a federal jury in New York convicted Ross Ulbricht on seven drug and conspiracy charges related to the operation of the now notorious online bazaar the Silk Road. The Silk Road — which at its peak listed 10,000 products for sale, 70% of which were drugs, and did over $200 million in transactions — is, 17 months after its seizure by the FBI, still the only site to have entered the public consciousness from the enormous, complex, and confusing part of the internet known as the Dark Web.
Indeed, in the popular imagination the Silk Road is still, if not a metonym for the Dark Web, the entire thing itself.
That’s far from the truth. In the aftermath of Ulbricht’s conviction, the vast internet netherworld made famous by the Silk Road is still a frenzied hive of human activity — some of it criminal, some of it fascinating, much of it mundane, all of it deeply foreign to the way most of us experience the web.
Trying to define the Dark Web, variously referred to as the Deep Web and the Deepnet, is difficult, but it’s probably best thought of as a big anonymous subfloor of the internet that you can’t access with a standard browser.
Here’s what I learned.
1. It’s Incredibly Easy To Get In
2. Once You’re in, Finding Your Way Around Is an Adventure
3. Drugs Are Still Everywhere
4. So Is Child Pornography
5. So Are iPhones, Guns, Credit Cards, Hackers, and Passports
6. …and Personal Emails
7. The Hidden Services All Seem to Run on…Trust?
8. It’s Impossible to Tell Who Is Full of Shit…
9. …but Probably Most People Are Full of Shit
10. There Are Some Incredible Gems, if You Know Where to Look
While I initially found the difficulty and unreliability of the Dark Web frustrating, by the end of the week I realized there was something intoxicating and even thrilling about using an internet that is not designed around me.
None of this is to say that the Tor Dark Web is good (or bad!). It is simply to say that the way it grows allows different types of life, bad, good, and weird, to thrive. And that you probably can’t have one type without having them all.
Tomi Engdahl says:
BlackBerry’s Latest Experiment: a $2,300 ‘Secure’ Tablet
http://devices.slashdot.org/story/15/03/15/1420204/blackberrys-latest-experiment-a-2300-secure-tablet
After missing the boat on smartphones, BlackBerry has been throwing everything they can at the wall to see what sticks
Now they’re expanding this strategy to the tablet market with a security-centric tablet that costs $2,300. And they’re not doing it alone — the base device is actually a Samsung Galaxy Tab S 10.5. The tablet runs Samsung Knox boot tech, as well as software from IBM and encryption specialist Secusmart (which BlackBerry recently purchased). The device will be targeted at businesses and organizations who have particular need for secure devices.
BlackBerry launches $2,300 tablet
http://www.pcworld.com/article/2897012/blackberry-teams-with-samsung-and-ibm-to-offer-governments-a-secure-tablet.html
The SecuTablet is a Samsung Galaxy Tab S 10.5 LTE 16GB bundled with some software from IBM and SecuSmart’s special MicroSD card, which combines a number of cryptographic chips to protect data in motion and at rest. Samsung’s Knox secure boot technology ensures that the OS on the tablet has not been tampered with, while IBM’s contribution to the security chain is to “wrap” certain apps in an additional layer of code that intercepts and encrypts key data flows using the Secusmart hardware.
Secusmart managing director Hans-Christoph Quelle hopes that before year-end the German federal IT security agency, BSI, will grant the Knox-Secusmart combination a security rating corresponding to Nato Restricted.
Secusmart will sell the device in Germany, while IBM will sell it elsewhere. Although initially developed for government use, Quelle hopes IBM’s enterprise customers will also be interested.
Naturally, this level of security doesn’t come cheap: An unmodified Samsung Galaxy Tab S 10.5 retails for around $500, but the SecuTablet will cost around €2,250 ($2,380) including the Secusmart MicroSD encryption card, the necessary app-wrapping and management software, and a year’s maintenance contract, he said.
Tomi Engdahl says:
Senator: ‘Plenty’ of Domestic Surveillance We Still Don’t Know About
http://yro.slashdot.org/story/15/03/15/1351239/senator-plenty-of-domestic-surveillance-we-still-dont-know-about
In a recent interview, Senator Ron Wyden (D-OR) has complained about the Obama administration’s failure to shut down the NSA’s bulk collection of phone metadata.
When asked if there were further domestic surveillance programs about which the public knows nothing, Senator Wyden said, “Yeah, there’s plenty of stuff.” The ones he knows about are classified, so he couldn’t elaborate.
Ron Wyden: ‘Plenty’ Of Domestic Surveillance Programs Still Unexposed
from the also:-screw-the-CIA dept
https://www.techdirt.com/articles/20150312/12563530305/ron-wyden-plenty-domestic-surveillance-programs-still-unexposed.shtml
In a few months, we’ll be marking the second anniversary of the first Snowden leak. The outraged responses of citizens and politicians around the world to these revelations has resulted in approximately nothing in those 24 months. There have been bright spots here and there — where governments and their intelligence agencies were painted into corners by multiple leaks and forced to respond — but overall, the supposed debate on the balance between security and privacy has been largely ignored by those on Team National Security.
Here in the US, multiple surveillance reforms were promised. So far, very little has been put into practice.
Tomi Engdahl says:
Australia’s social media censorship law – for the children – all-but passes
Social networks on notice: take complaints seriously, take down rubbish and be responsive
http://www.theregister.co.uk/2015/03/04/australias_social_media_censorship_law_for_the_children_passes/
The Enhancing Online Safety for Children Bill 2014 has passed Australia’s Senate, meaning the nation now has a regime for compelling social networks to remove material deemed to represent bullying of children.
The Bill defines bullying material as “… intended to have an effect on a particular Australian child … likely to have the effect on the Australian child of seriously threatening, seriously intimidating, seriously harassing or seriously humiliating the Australian child.”
Social networks have generally accepted the Bill as the requirements it imposes on them aren’t arduous: to be compliant they need an anti-bullying policy, a complaints scheme and designated staffer to handle complaints.
Tomi Engdahl says:
Yahoo! launches! password! on! demand! service! for! naive! simpletons!
Service likely to be godsend for amnesiacs, spoofers
http://www.theregister.co.uk/2015/03/16/yahoo_on_demand_password/
Yahoo! is trialling a service that removes the need to remember passwords, providing users aren’t so absent-minded they don’t also lose or mislay their phones.
The on-demand password service allows registered users to get a short password sent to their phone. On-demand passwords is an opt-in service, initially only available in the US.
Users would still have the task of typing in a one-time password, they just wouldn’t have to remember it. Anyone who had access to their phone could impersonate a user – a massive risk, particularly when so many social media accounts are linked to webmail accounts for password reset purposes.
Tomi Engdahl says:
Sysadmins: Step away from the Big Mac. No more Heartbleed-style 2am patch dashes
6 steps to a saner patching regime
http://www.theregister.co.uk/2015/03/04/patching_for_sanity/
Patching is a necessary evil for network administrators. Unfortunately, an awful lot of them have been burning not only the midnight oil, but also the weekend oil to keep up with patches such as – but not limited to – Heartbleed and Shellshock.
The bad news is that this is only the start. As software vendors move towards a more appliance-based approach, upgrades become that bit more difficult. Companies will start to proliferate tens of appliance VMs and they are all Linux-based. Black boxes, if you will.
Each company may have a different process to update. Some big players demand you redeploy an entire virtual appliance to patch it, making support that bit more time-consuming. Sometimes the updates don’t even work and you have to jump through several dozen hoops to get your data moved on to a new bug-fixed platform.
Patching costs a lot of resources, time and money. How can you do it efficiently and accurately?
Every site and situation is different, but the differences in how businesses implement patching depends a lot on the size of the company. It is an established fact that the bigger a company gets, the more red tape exists and the slower it moves.
This means the costs of rolling out a patch increase significantly due to the overheads incurred, both technical and non-technical. Each progression on this path from small to large environments increases the cost and complexity of patching exponentially. How can administrators manage this issue and costs at the same time?
Surprisingly, one of the bigger issues with larger vendors is the time scale between vulnerability identification and general patch availability. Without naming names, critical patch timescales have been known to stretch into several weeks for some vendors affected by Heartbleed and similar. Unfortunately, bugging them and escalating on a daily basis (assuming you have the clout) only has so much of an impact. They like to take their own sweet time. Once they arrive, what’s the plan?
Doing it properly
1. Create a good, tested patch process, documenting the how and the where. Document what needs to happen for a patch deployment to be deemed successful. Include any paperwork or representations to change meetings that need to be made.
2. Ask if this patch affects you. This may seem like an obvious question but not all bugs will affect all users. If the bug is in a service you don’t use and isn’t installed, there is little point in installing it.
3. Get the right tools: manual patching doesn’t work anymore. Scaling above a handful of users is when patch management becomes time-consuming and error prone if not done in a managed way. Manually repeating patching on machines allows room for error. There are many patch management products on the market for administrators to use, and some are even free.
4. Some machines are special and hand deployment has a place. Some machines are very critical and patching should be supervised or done manually. Applying the same patches should happen, just not automatically. To give a quick example, in a virtualised environment, there can be many dependencies such as AD, SSO, and similar.
5. Test, test and test your patches before deploying. It may sound obvious, but fixing a bad patch can be very problematic and expensive, especially if deskside intervention is required.
6. The users are people too. Users realise that bugs have to be patched, but it helps if you get them on board early.
Working in larger environments and ensuring patch compliance can be very interesting when applied to appliances, both physical and virtual. All major operating systems have some form of patch management rolled into their management tools. However, appliance manufacturers who run CentOS or some other Linux variant will often only support their own patch update channels and provide limited support for other management tools, crying “unsupported configuration” when you broach the subject.
Manually logging into each device several times in order to update it gets really boring, really quickly.
Tomi Engdahl says:
Pew Internet:
Pew survey examines changes in American attitudes about online privacy post-Snowden
Americans’ Privacy Strategies Post-Snowden
http://www.pewinternet.org/2015/03/16/Americans-Privacy-Strategies-Post-Snowden/
It has been nearly two years since the first disclosures of government surveillance programs by former National Security Agency contractor Edward Snowden and Americans are still coming to terms with how they feel about the programs and how to live in light of them.
A new survey by the Pew Research Center asked American adults what they think of the programs, the way they are run and monitored, and whether they have altered their communication habits and online activities since learning about the details of the surveillance. The notable findings in this survey fall into two broad categories: 1) the ways people have personally responded in light of their awareness of the government surveillance programs and 2) their views about the way the programs are run and the people who should be targeted by government surveillance.
Some people have changed their behaviors in response to surveillance
Overall, nearly nine-in-ten respondents say they have heard at least a bit about the government surveillance programs to monitor phone use and internet use. Some 31% say they have heard a lot about the government surveillance programs and another 56% say they had heard a little. Just 6% suggested that they have heard “nothing at all” about the programs. The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies:
34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide or shield their information from the government.
25% of those who are aware of the surveillance programs (22% of all adults) say they have changed the patterns of their own use of various technological platforms “a great deal” or “somewhat” since the Snowden revelations.
Many have not considered or are not aware of some of the more commonly available tools that could make their communications and activities more private
Still, notable numbers of citizens say they have not adopted or even considered some of the more commonly available tools that can be used to make online communications and activities more private:
53% have not adopted or considered using a search engine that doesn’t keep track of a user’s search history and another 13% do not know about these tools.
46% have not adopted or considered using email encryption programs such as Pretty Good Privacy (PGP) and another 31% do not know about such programs.
43% have not adopted or considered adding privacy-enhancing browser plug-ins like DoNotTrackMe (now known as Blur) or Privacy Badger and another 31% do not know such plug-ins.
41% have not adopted or considered using proxy servers that can help them avoid surveillance and another 33% do not know about this.
40% have not adopted or considered using anonymity software such as Tor and another 39% do not know about what that is.
Tomi Engdahl says:
French government orders website block
http://www.bbc.com/news/technology-31904542
The French authorities have used new powers to block five websites, which they claim condone terrorism, without a court order.
Internet service providers have 24 hours to comply.
The chairman of European Internet Service Provider OVH tweeted that his firm had not been given any warning.
The new powers apply to sites suspected of commissioning or advocating terrorism or distributing indecent images of children.
The rules were approved along with other counter-terrorism measures by the French parliament last year.
Tomi Engdahl says:
Norway police broke law with fake base stations
http://www.thelocal.no/20150309/norway-police-broke-law-with-fake-mobile-receivers
Norway’s Police Security Service (PST) persistently violated the law as it established a network of fake mobile phone base stations across Oslo last year, Norway’s Aftenposten has revealed.
According to the paper, police and PST deliberately ignored a requirement that they should inform the country’s telecoms authority before setting up ’IMSI catchers’, which mimic mobile base stations, allowing their operators to intercept and eavesdrop on mobile phone calls made nearby.
The newspaper last December identified a series of “fake base stations” outside Norway’s parliament, outside its government headquarters, and outside the residence of the prime minister, using a German CryptoPhone 500 to identify them.
It now appears that many, if not all of the devices, were set up by Norway’s own security services.
Tomi Engdahl says:
She Can Convince You That You Committed a Crime
http://www.ozy.com/fast-forward/will-bidens-law-turn-the-tide-on-ferguson/37567?utm_source=Outbrain&utm_medium=CPC&utm_campaign=INTL%20-%20All%20Clicks%20ALL%20Devices
A majority of students were persuaded: They were criminals.
With a little misinformation, encouragement and three hours, researchers were able to convince
70 percent of participants that they’d committed a crime.
So, how did they plant false memory of a crime in young adults who had never even been in contact with the police? Shaw and Stephen Porter, a forensic psychologist at the University of British Columbia
False memories don’t happen quite like Inception. More like a Wikipedia page that can be edited (by you and others), says Elizabeth Loftus, a cognitive psychologist at the University of California, Irvine. Once people believe something to be true, their imagination kicks in, and they begin to visualize the situation using past experiences from themselves, others, even movies, she says. When the patchwork of memory gets stitched together and internalized, truth and fiction become indistinguishable, Loftus says.
And police use Shaw’s tactics, argues Mark Godsey, co-founder and director of the Ohio Innocence Project, an advocacy group for the wrongly convicted. A really heavy-handed interrogation could consist of all the features of Shaw’s study and worse, criminal consequences.
Tomi Engdahl says:
BlackBerry partners with Samsung, IBM on ultra-secure tablet – but it will cost close to $2,400
http://www.fiercewireless.com/story/blackberry-partners-samsung-ibm-ultra-secure-tablet-it-will-cost-close-2400/2015-03-16?utm_medium=rss&utm_source=rss&utm_campaign=rss
BlackBerry (NASDAQ:BBRY) is teaming up with Samsung Electronics and IBM to offer a highly secure tablet for government and enterprise workers, but it will cost around $2,380.
BlackBerry unit Secusmart is partnering with IBM to release the SecuTablet, a high-security tablet based on the Samsung Galaxy Tab S 10.5. The solution is undergoing certification at the German Federal Office for Information Security for the German VS-NfD (“classified–for official use only”) security rating.
The tablet uses Secusmart’s encryption technology, which is being used by the German and Canadian governments, among others, to guard against eavesdropping. BlackBerry said the tablet can be seamlessly integrated into existing SecuSUITE security systems.
Further, IBM has provided the secure “app wrapping” technology for the tablet to separate business applications from work ones. IBM will also help in implementing the high security solutions from Secusmart within government clients.
BlackBerry’s deal with Samsung continues BlackBerry’s partnership with the smartphone giant. Earlier this month BlackBerry announced it will be bringing new security features to Samsung phones, including the forthcoming Galaxy S6.
Tomi Engdahl says:
You Don’t Need to Start as a Teen to be an Ethical Hacker (Video)
http://it.slashdot.org/story/15/03/16/1911252/you-dont-need-to-start-as-a-teen-to-be-an-ethical-hacker-video
Justin is 40, an age where a lot of people in the IT game worry about being over the hill and unemployable. But Justin’s little video talk should give you hope — whether you’re a mature college student, have a stalled IT career or are thinking about a career change but want to keep working with computers and IT in general. It seems that there are decent IT-related jobs out there even if you’re not a youngster; and even if you didn’t start working with computers until you were in your 20s or 30s.
Tomi Engdahl says:
The new MacBook’s single port comes with a major security risk
http://www.theverge.com/2015/3/16/8226193/new-apple-macbook-usb-type-c-security-risk-badusb
After years of development, USB Type-C is making a very big debut. Last week, Apple announced its new MacBook would come with just a single Type-C plug for both power and data, a move that allowed for the slimmest MacBook ever. A few days later, Google unveiled the new version of its flagship Chromebook Pixel with the same Type-C port. To the extent that hardware components can have a moment, USB Type-C is having one.
But while the new port is powerful, it also comes with serious security problems. For all its versatility, Type-C is still based on the USB standard, which makes it vulnerable to a nasty firmware attack, and researchers are also concerned about other attacks that piggyback on the plug’s direct memory access. None of these vulnerabilities are new, but bundling them together with the power cord in a single universal plug makes them scarier and harder to avoid. On a standard machine, users worried about USB attacks could simply tape over their ports, but power is the one plug you have to use. Turning that plug into an attack vector could have serious security consequences.
The biggest concern is the BadUSB vulnerability, first published last year.
Type-C has a lot of advantages over previous models, but security experts say it does little to fix the core problems of BadUSB. “The additional openness and flexibility of USB Type-C comes with more attack surface,” says Karsten Nohl, one of the researchers who first discovered BadUSB. “No solution for BadUSB is in sight even with this new standard.”
In part, that’s by necessity. USB is an open standard built on backwards compatibility and easy third-party access. You’ll need an adapter to plug in old USB devices to Type-C ports, but the old software protocols still work, leaving open the same vulnerabilities. Even giants like Apple and Google need to abide by the rules of the USB standard, which rule out some of the tough sacrifices necessary to securing the standard overall. The result for users is a major security flaw with no easy fix.
In practical terms, that means MacBook and Chromebook Pixel users are now exposed to what you might call a “borrowed charger” attack. The new chargers don’t have the firmware needed to carry the BadUSB virus, but it would be easy for an attacker to install it herself, then spend a day in a coffee shop waiting for some unsuspecting target to plug in.
Fixing the vulnerability at an ecosystem level is surprisingly difficult. No single company can change the way USB works, so the only real fix is to move away from the standard at large. In the past, Apple has built authentication chips into connectors like Lightning — primarily to protect Apple’s lucrative licensing business, but with stronger hardware security as a nice side effect. That’s not possible on an open standard like USB.
The best protection is simple: just avoid any chargers or devices you didn’t buy yourself. But it’s a serious downgrade in device security, set against major upgrades in power transfer and data speed.
Tomi Engdahl says:
Pub O’clock probe finds thousands of repeated 512-bit RSA keys
FREAK-finding expedition finds one key on 28,000 hosts … who sells this rubbish?
http://www.theregister.co.uk/2015/03/17/freakscan_turns_up_thousands_of_repeated_512bit_rsa_keys/
Four researchers, a zmap scan and a Friday afternoon have shown that while sys admins are cleaning the FREAK bug out of their Web servers, broadband routers remain a perpetual feast.
The boffins from Royal Holloway at the University of London – Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco – started with a scan of the IPv4 address space using zmap, to see how many TLS-supporting servers could still be asked to dip back to 512-bit ciphers.
“Of 22,730,626 hosts supporting TLS that we discovered, 2,215,504 offered export-grade RSA keys (all at 512 bits) when probed”, their paper states – a vulnerability rate which is lower than that reported when FREAK was first discovered.
That’s a good thing, since it suggests that sysadmins have been turning off support for “export-grade” encryption since FREAK was first discovered.
That’s also where the good news from the study ends, though, because the researchers made the stunning discovery that there are “large clusters of repeated moduli” – in other words, that some 512-bit RSA keys out there are repeated.
In the case of the key that turned up more than 28,000 times, the researchers say it was associated with an unnamed broadband router with an SSL VPN module – in other words, Vulture South guesses, we’re talking about the persistent stupidity among vendors of generating a single key and hard-coding it into the device.
Such vulnerabilities are not surprising to anyone familiar with the security of home-grade equipment – merely depressing.
Broadband routers: SOHOpeless and vendors don’t care
Basic net access device in millions of homes is an insult to IT
http://www.theregister.co.uk/2015/03/05/broadband_routers_sohopeless_and_vendors_dont_care/
Tomi Engdahl says:
A data breach? Do not power off the server
“Hacking is often a sensitive issue”
“We commaned to isolate the equipment from the network, but leave the power on. If the power disconnects, lost in the main memory of the valuable information, ”
Hard disk and main memory were copied, after which the researchers began to process the data and look for unusual activity.
How security threats can then be prepared for? Torkkel has three tips:
Visibility
The administrator must be aware of the network transport by. You have to know what occurs on the server, who in it is and what kind of updates are made. The log information will always concentrate trusted place is by no means leave the monitored device. This ensures that the data is intact and reliable.
Observation Ability
When visibility is good, it is known what is the norm. Normal situation by comparing the researcher is able to detect security incidents.
Active Defense
The organization’s network must have sensors that detect attacks. Almost all attacks begin an inquiry. When an evil eye on who can be a clue for the inquiry stage, the organization does not get caught with his pants down, when the attack begins.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-17/Tietomurto-%C3%84l%C3%A4-katkaise-virtaa-palvelimesta-3217294.html
Tomi Engdahl says:
Microsoft blacklists fraudulently issued SSL certificate
http://www.computerworld.com/article/2897815/microsoft-blacklists-fraudulently-issued-ssl-certificate.html
An unauthorized party managed to obtain an SSL certificate for Microsoft’s live.fi domain name
Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.
The improperly issued certificate could be used to spoof content, launch phishing attacks, or perform man-in-the-middle HTTPS interception against the live.fi and http://www.live.fi Web properties, Microsoft said in a security advisory Monday.
The certificate was issued by Comodo after an unauthorized party was able to register an email account on the live.fi domain using a “privileged username” and then used the email account to request the certificate, according to Microsoft.
A Comodo support article notes that before a certificate is issued for a particular domain name, the person requesting the certificate must prove ownership or control of that domain. The “domain control validation” can be done in several ways, one of which is through an email sent to one of several generic admin type email addresses: admin@, administrator@, postmaster@, hostmaster@ or webmaster@.
It’s not clear which of those usernames the unauthorized party managed to register on the live.fi domain. However, the incident should serve as a warning to all domain owners that such admin-type addresses should be strictly controlled.
Even if users apply the Microsoft update, it won’t completely mitigate the risk associated with this certificate. That’s because not all applications use the Windows Certificate Trust List to validate website certificates.
The incident highlights yet again that once a SSL certificate is issued erroneously or fraudulently, the action cannot easily be undone. While the issuing certificate authority (CA) can flag the certificate as revoked, the process of checking for such revocations is broken for the most part.
There are two main ways to check if a certificate has been revoked: by checking certificate revocation lists (CRLs) published periodically by certificate authorities or by using the Online Certificate Status Protocol (OCSP), which allows checking a certificate’s revocation status in real time by querying OCSP servers operated by CAs. There are problems with both approaches.
Browsers allow SSL connections to continue if CRL or OCSP checks fail with a network error because such checks can fail for a variety of reasons — for example the CA servers are down or there’s network congestion en route to them. This is known as a soft fail approach.
Tomi Engdahl says:
Anatomy of a Globe-Spanning Google Outage
March 12, 2015 // 03:11 PM EST
http://motherboard.vice.com/read/anatomy-of-a-globe-spanning-google-outage?trk_source=recommended
On Thursday morning, many—perhaps millions—of people around the world, from Brazil to France, faced what could be best described as a modern-day nightmare.
As it turns out, the 20-minute outage was caused by a simple mistake made by an Indian internet service provider that snowballed all over the world and ensconced at least 28 other ISPs, making Google unreachable for “millions” of people, according to Doug Madory, a researcher at internet monitoring firm Dyn.
And, most likely, it was all caused by a human mistake.
“It’s a big internet,” Madory told Motherboard. “There’s a lot of engineers doing a lot of work and it comes down to people typing commands into routers and if they make a mistake, routes leak out and traffic can be misdirected.”
In a blog post, Madory explained that the mistake was a “routing leak,” which happens when a network provider mistakenly sends its internal routing tables to other peered networks, redirecting internet traffic the wrong way.
n this case, Indian ISP Hathway mistakenly published routes to 300 GoogleIP addresses, to its backbone provider Bharti Airtel, which in turn passed these routes to “the rest of the world,” according to Madory. At least 28 ISPs, including major ones like Level 3, Cogent, Orange and Pakistan Telecom, took those routes, in some instances over their direct links to Google, and incorrectly directed traffic through Hathway, creating the outage.
In many cases, these mistakes don’t even get detected if they don’t knock off a giant like Google, Madory said.
Routing Leak briefly takes down Google
http://research.dyn.com/2015/03/routing-leak-briefly-takes-google/
Tomi Engdahl says:
YouTube for Kids: the App Gives Children a Non-Internet Internet
http://motherboard.vice.com/read/youtube-for-kids-the-app-gives-children-a-non-internet-internet?trk_source=recommended
YouTube recently developed a mobile app specifically for kids. Imagine a babyproofed version of YouTube, where the sharp edges have been covered in bubble wrap and all the pills are out of your child’s reach. This may seem like a no-brainer, slam dunk, A+ win for technology and kids alike.
YouTube Kids, in theory, is a sound concept. There is a discrete number of videos accessible and searchable, carefully curated by adults. Playlists include Sesame Street and Thomas the Tank Engine, and there is no ability for kids to upload their own videos.
Children are not ready for the full-fledged power of the internet, and exposure to unlimited YouTube videos could lead to actual, documented cases of Premature Web Exposure Syndrome. But I don’t think this is the way to do it.
People my age, who grew up with the internet, are now making babies of their own. They need to figure out a way to introduce the internet to their child. A kid-safe app lets a parent toss their kid an iPad and leave them alone to explore.
A separate, sheltered app deprives kids of the opportunity to connect and participate in the zeitgeist
This gated-off playpen YouTube is exposing kids to all terrible parts of the internet, with none of the good. Kids will still be exposed to blue light, which can affect sleep patterns and circadian rhythms. The app still fosters antisocial tendencies, if not more so than YouTube, as an adult can leave a child alone with their YouTube Kids app, unsupervised.
As the generations that grew up on the internet begin procreating, there should be a plan. We need to start having this conversation. There needs to be a determination on where the responsibility lies. Is it in the technology itself, like a YouTube Kids App? Or is it still in the human? Is it “Mommy and Me” YouTube classes?
Tomi Engdahl says:
With Ultrasonic Fingerprint Sensing, Google’s Security Could Beat Apple’s
http://motherboard.vice.com/read/with-ultrasonic-fingerprint-sensing-googles-security-could-beat-apples?trk_source=recommended
Qualcomm announced an ultrasonic fingerprint scanner for its Snapdragon chip—widely used in Android phones—this morning. The tech promises to both end the struggle of trying to get Apple’s Touch ID to recognize your bare, shivering thumb in subzero temperatures and make transactions more secure on Android Pay, Google’s newly announced payment platform, according to reports.
If the two technologies are meant to go hand-in-hand, it means that the race for supremacy in the device-based transaction market between Apple and Google is on, with biometric security at the center.
Apple Pay is already in front after being the first phone manufacturer to include fingerprint ID tech in its devices
But security flaws in Apple’s Touch ID have been demonstrated by hackers, and ultrasonic fingerprint scanning is considered to be more secure than the kinds of optical scanning
Ultrasonic fingerprint scanning has been of interest to law enforcement and the military for decades longer than the private sector; a testament to how secure the tech is considered to be. The first ultrasonic fingerprint scanner was built in 1996 by Ultra-Scan, a Buffalo, New York-based company. Ultra-Scan’s first government contract for ultrasonic tech in 2001 saw the company developing a PC-based USB ultrasonic scanner for the US Drug Enforcement Agency.
Spoofing ultrasonic fingerprint tech will be a challenge to hackers, no doubt, but not an insurmountable one, Govindaraju explained.
“If you’re willing to spend $15,000 on something, maybe you can spoof it; the bar has gone higher,”
Tomi Engdahl says:
ams and ST Team Up to Secure NFC Mobile Payments
http://www.eetimes.com/document.asp?doc_id=1326056&
There are some potential problems with paying via NFC.
Users of near field communication, especially for making payments and storing credit card information, are understandably concerned about the security their private information. Methods that thieves use in typical security attacks include eavesdropping, data corruption or modification, interception attacks, and physical thefts.
Here are some methods used in NFC technology that usually works to prevent such security breaches from occurring:
Two methods are typically used to prevent eavesdropping.
Since the devices must be fairly close to send signals, the thief will have a limited range to work in for capturing your signals.
When a secure channel is established, the information is encrypted and only an authorized device can decode it.
Data corruption and manipulation is when a criminal is able to corrupt the data being sent to a reader making it useless when it arrives. To prevent this, secure channels have to be used for communication.
http://www.edn.com/electronics-products/electronic-product-reviews/other/4438928/ams-and-STMicroelectronics-team-up-to-create-a-solution-for-secure-NFC-mobile-payments
If your phone or device is stolen or lost, encryption will no longer be useful to you. If a smartphone is stolen, the thief will probably be able to wave the phone over a card reader at a store to make a purchase. To help prevent problems in this case, install a password or other type of lock so it comes up when the smartphone screen is turned on.
Tomi Engdahl says:
Forked Android: Sign of Trouble or Creativity?
http://www.eetimes.com/document.asp?doc_id=1326057&
The electronics industry is acutely aware of the growing fragmentation of Android devices. But what about a forked form of Android OS that appears to be proliferating in China?
On one hand, this shows the ingenuity of Chinese smartphone vendors. They’ve grown more aggressive in creating their own variations on the open-source Android OS. On the other hand, security experts are concerned about safety and security for corporate data as the BYOD (bring your own device) trend expands among employees working at multi-national corporations.
Forked but incompatible
Meanwhile, there is an unmistakable push in China to develop “a forked but incompatible version” of Android OS. A case in point is the Yun OS from Alibaba Group Holding’s subsidiary AliCloud. Reportedly, Alibaba developed the Yun OS in an effort to drive users to Alibaba’s e-commerce applications and other services.
At this point, it’s not known how many Android smartphones developed and made in China are actually passing Google’s compatibility test suite (CTS) and complying with Google’s compatibility definition document (CDD). Security experts caution that without compliance to Google’s CTS or CDD, devices can be shipped with known security vulnerability (prevented in Google certified versions).
According to the original Bluebox report, Xiaomi was shipping the Mi 4 with a rooted ROM and came pre-installed with tampered versions of popular benchmarking apps. It also claimed that Xiaomi’s own identifier app showed that the phone was a legitimate Xiaomi product.
However, Bluebox acknowledged two days later that the initial report was based on a Xiaomi device that was actually counterfeit and “a very good one at that.”
Bluebox believes the whole experience validated several issues. Andrew Blaich, lead security analyst at Bluebox, told EE Times, “First, we can’t trust the device we’re using.” Despite its security expertise, it was not easy for Bluebox to confirm the authenticity of both hardware and software.
Blaich added, “Second, we now know even if it were a legitimate hardware, software could have been easily swapped out.” In other words, whether or not the device was counterfeit, “the fact remains that consumers are buying devices that have compromised ROMs (either in legitimate or counterfeit hardware) that put their data at risk.”
To be clear, Xiaomi takes pride in using what it calls an MIUI operating system on top of Android.
How to confirm authenticity
As Bluebox noted, the amount of effort required to confirm the authenticity of the Xiaomi device that the security firm used for testing “goes way beyond what a normal consumer can be expected to do to be assured their purchase is genuine.”
It’s entirely possible that Chinese handset vendors, in hopes of building their own ecosystems, develop “drop-in services” that connect their branded phones to their own cloud services and app stores, explained Blaich.
Hsu observed, “Some Chinese handset vendors are becoming less dependent on Google, by specifying to us, ‘we want our phone to behave this way.’”
Tomi Engdahl says:
Industrial PLC market actually collapsed in 2012, when economic uncertainty coagulated investments in production facilities. Now the market has returned to a growth path. The logic of the modules, however, need to develop smaller and more efficient investment in order to justify itself.
Frost & Sullivan research institute predicts that in 2018 PLC is sold for 14.6 billion dollars. This covers the services, software and hardware solutions that, in particular the so-called. micro size range of modules is increasing.
Frost & Sullivan to bring security one of the key features of the new logic control system. Mills networks are no longer separate from the Internet, so they must be protected with the same seriousness and care as other business networks.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2552:ohjauslogiikoiden-on-pakko-kutistua&catid=13&Itemid=101
Tomi Engdahl says:
Dell security software company for all devices
PC maker Dell is introducing the first device manufacturer of your security software company. Dell Data Protection / Endpoint Security Suite software protects your business all the terminals regardless of where they are manufactured.
Dell, the software facilitates the management of status updates, and the rules on reporting under the enterprises of all sizes. It provides encryption, authentication and encryption of a single management tool, as well as easy to deploy solution.
Dell DDP | ESS solution is available as a separate software for all different devices. Dell’s laptops, desktops and tablets, it may be pre-integrated.
Dell says its easy installation and commissioning. DDP / ESS devices installed in only one installation process. The software provides a virtual device management server using a wizard
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2551:dellilta-tieturvaohjelmisto-yrityksen-kaikille-laitteille&catid=13&Itemid=101
DELL Data Protection & Encryption
http://www.dell.com/learn/us/en/04/security-data-protection-encryption
Tomi Engdahl says:
Fraud Rampant In Apple Pay
http://apple.slashdot.org/story/15/03/17/1323258/fraud-rampant-in-apple-pay
An industry consultant, Cherian Abraham, put the fraud rate [for Apple Pay] at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. [i.e. one tenth of one percent]. The vulnerability in Apple Pay is in the way that it — and card issuers — “onboard” new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process “frictionless,”
Pointing Fingers in Apple Pay Fraud
http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-apple-pay.html
When Apple was planning its Apple Pay electronic payment system last summer for its iPhones, the nation’s banks raced to be included among the first credit card issuers associated with the new technology.
Six months later, some of the nation’s banks are privately complaining that Apple Pay may not be so great after all.
But the banks may largely have themselves to blame.
A raft of headlines over the last week about unusually high fraud rates from thieves using stolen credit numbers on Apple Pay has exposed what many of the banks privately acknowledge they have been trying to fix for months.
An industry consultant, Cherian Abraham, put the fraud rate at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. Mr. Abraham wrote in a blog post, one of the first to spotlight the issue, that the Apple Pay fraud “is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked.”
It is not clear, however, that Apple is the naked emperor. More likely it is at least as much the banks’ fault, if not more.
Apple Pay itself should, in theory, cut down on fraud because it makes stealing credit card information almost impossible. Each time a transaction takes place, Apple generates the equivalent of a new credit card number so the merchant never actually sees a customer’s information.
The vulnerability in Apple Pay is in the way that it — and card issuers — “onboard” new credit cards into the system.
It also appears that banks set up a flawed process to deal with the credit cards that it did flag. Affected users were directed to a customer care phone center, not a fraud prevention center. A customer care center’s mission is to help customers use their cards, leading more fraudulent cards to be approved for use on Apple Pay.
All of this has led to a thriving black market in which thieves enter stolen credit card numbers into iPhones, essentially turning the devices into physical credit cards, which they in turn take to stores and walk out with merchandise. Thieves have even used Apple Pay at Apple Stores.
Tomi Engdahl says:
Researchers find same RSA encryption key used 28,000 timer
http://www.itworld.com/article/2897775/researchers-find-same-rsa-encryption-key-used-28000-times.html
What if the key to your house was shared with 28,000 other homes?
That’s essentially what researchers with Royal Holloway of the University of London discovered last week while scanning the Internet to see how many servers and devices are still vulnerable to the Web security flaw known as “FREAK.”
They found that 9.7 percent of nearly 23 million hosts, or around 2.2 million, are still accepting 512-bit keys, a surprising number considering the seriousness of FREAK and that more than two weeks has passed since it was made public.
In one egregious example, 28,394 routers running a SSL VPN module all use the same 512-bit public RSA key.
That never should have happened.
The process for generating good, random prime numbers for public keys takes some effort, however. Software in devices such as routers need to have a good source of random bits in order to generate unique primes, which they often don’t, Paterson said.
What likely happened is that a manufacturer generated one key and then installed it on many, many devices.
“That’s just laziness on the part of a manufacturer,” Paterson said in a phone interview. “This is cardinal sin. This is just not how cryptography should be done.”
The danger is that an attacker could factor just one, 512-bit key and then potentially decrypt traffic exchanged by more than 28,000 devices that use the same key.
Tomi Engdahl says:
ICS cyber insecurity: Not if, but when
https://www.controleng.com/single-article/ics-cyber-insecurity-not-if-but-when/f11f941274bb5800687445105379a896.html
Think Again: A major cyber security incident will happen to industrial control systems (ICS): not if, but when. Are you and your coworkers ready? Is your organization ready? Do you have the technologies, processes, and procedures ready at every level?
Hackers are knocking at the door daily of facilities with industrial control systems, whether you choose to acknowledge it or not. When someone lets them in, how will you and your organization, customers, partners, and supply chain respond?
Some experts equate today’s cyber security maturity level to where plant floor safety was before OSHA. Ignoring risk will NOT make it go away.
But think again if you consider technology investments enough.
Computer crimes and fraud often enter via social engineering; the weakest points often are the people behind the computers, according to David E. Nelson, FBI special agent with its cyber division. Part of his job is to help companies with intrusion detection testing in person, over the phone, and via computer; 85% of the time he’s successful. It’s hardly as spectacular as “CSI: Cyber.”
In such a test, Nelson often starts with a receptionist, like this: “This is Joe with IT. I just started last week and have been working with Larry Smith. We patched the computers last night, and yours didn’t take for some reason. I’ll send you a patch link where you can enter your username and password so we can get this taken care of right away.” Nelson said while that sounds ridiculously easy, it often works.
Another useful ploy: “I can go anywhere on site as a Verizon employee and am never questioned.” And if he were, a fake ID and believable story would be easy to produce.
Tomi Engdahl says:
Emil Protalinski / VentureBeat:
Windows Hello and Microsoft Passport: Unlock Windows 10 devices and apps with your finger, iris, or face
http://venturebeat.com/2015/03/17/windows-hello-biometric-authentication-will-let-you-unlock-windows-10-devices-with-your-finger-iris-or-face/
Microsoft today announced that biometric authentication is coming to Windows 10. Windows Hello will let you unlock your Windows 10 device, whether it be a PC, tablet, or a smartphone, with your finger, iris, or face. Microsoft Passport will take this further by letting you access apps and online services without a password.
Microsoft describes Windows Hello as “biometric authentication which can provide instant access to your Windows 10 devices.*” That asterisk is no typo. The fine print states that Windows Hello requires specialized hardware, “including fingerprint reader, illuminated IR sensor or other biometric sensors.”
In other words, this is a long-term play. Microsoft is well aware that many Windows 10 devices will be built to be sold for as little as possible, and Windows Hello simply won’t be available.
For both iris and facial recognition, Windows Hello will leverage special hardware (such as Intel’s RealSense 3D cameras) and software to accurately verify your identity. Microsoft promises a picture of your eye or your face won’t work. Infrared technology will ensure that you can be recognized in a variety of lighting conditions.
Windows Hello is an important security feature, as the company says that the functionality is not just more convenient than typing a password. That’s because Windows Hello will support authenticating applications, enterprise content, and “even certain online experiences” without storing a password on the device or a server.
Windows Hello will store your biometric signature locally on the device to be used for just two purposes: unlocking your Windows 10 device and using Passport. In addition to various apps and websites, Microsoft also expects Passport to work with thousands of enterprise Azure Active Directory services at launch.
Tomi Engdahl says:
Is the DNS’ security protocol a waste of everyone’s time and money?
Net experts argue over value of domain hijack protections
http://www.theregister.co.uk/2015/03/18/is_the_dns_security_protocol_a_waste_of_everyones_time_and_money/
Internet security experts are arguing over whether a key protocol for protecting the internet’s naming systems should be killed off.
DNSSEC was developed in 1994 but it wasn’t taken seriously until 2008 when a bug in the domain name system’s software made it possible for someone to imitate any server – from websites or email hosts – though “cache poisoning.”
After a decade of DNSSEC use (and five since it was used to secure the internet’s root), internet experts are now questioning whether we should bother with DNSSEC at all, especially given the difficulty and high cost of rolling it out.
In a blog post at the start of the year, Thomas Ptacek, founder of Matasano Security, laid into the protocol saying it was weak, unsafe, incomplete, unnecessary, expensive and “government controlled.”
“There are better DNS security proposals circulating already,” he argued. “They tend to start at the browser and work their way back to the roots. Support those proposals, and keep DNSSEC code off your servers.”
DNSSEC is designed to ensure that the notoriously insecure domain name system can guarantee some level of authority, i.e. ensure that a server you are communicating with is what it claims to be.
The problem, as Ptacek goes to some lengths to outline in his provocative article, is that DNSSEC only makes attacks a little harder to carry out. It doesn’t solve the issue, and if security is achieved through, for example, digital certificates, not only would that be safer but it would make any DNSSEC additions worthless.
What’s more, DNSSEC uses outdated crypto methods, and could provide a dangerous entry point for government snooping. The answer, Ptacek argues, is to just get rid of DNSSEC, and focus instead on better systems for security such as “key pinning” which pulls trust away from a central authority and leaves it with individual domain operators. “Central authorities can’t solve the Internet trust problem. Central authorities are the Internet trust problem,” he argues.
Eklund-Löwinder dismisses that claim of government surveillance as “more a sudden case of paranoia than the results of a relevant and reasonable analysis,” and seeks to outline the benefits of DNSSEC.
She argues instead that while DNSSEC does not stop security problems, it does make things a little harder and that is a good goal in itself.
Tomi Engdahl says:
Sensitive apps with 6.3 BILLION downloads found open to FREAK
Banking, medical, and privacy apps join shoddy cipher list
http://www.theregister.co.uk/2015/03/18/freaky_apps_litter_top_spots_in_apple_android_app_stores/
Thousands of Android and Apple apps could lose sensitive financial and privacy data through exposure to the FREAK vulnerability, researchers say.
The FREAK (Factoring RSA Export Keys) attack allowed sensitive data to be stolen before encrypted connections are secured by requesting weak export-grade 512-bit RSA keys.
FireEye researchers Yulong Zhang, Hui Xue, Tao Wei, and Zhaofeng Chen crawled the app stores and found 1228 Android offerings vulnerable to FREAK.
The apps had been downloaded 6.3 billion times in total.
“After scanning 10,985 popular Google Play Android apps with more than 1 million downloads each, we found 1228 of them are vulnerable to a FREAK attack because they use a vulnerable OpenSSL library to connect to vulnerable HTTPS servers,” the team wrote in a report.
“An attacker may launch a FREAK attack using man-in-the-middle techniques to intercept and modify the encrypted traffic between the mobile app and backend server.
“The attacker can do this using well-known techniques such as ARP spoofing or DNS hijacking. Without necessarily breaking the encryption in real time, the attacker can record weakly encrypted network traffic, decrypt it and access the sensitive information inside.”
They found 771 popular Apple apps of a pool of 14,079 were vulnerable on iOS versions below 8.2.
FREAK Out on Mobile
https://www.fireeye.com/blog/threat-research/2015/03/freak_out_on_mobile.html
Recent disclosure of the FREAK attack [1] raises security concerns on TLS implementations once again after Heartbleed [2]. However, freakattack.com devotes client-side security checks to various browsers only. In this blog, we examine iOS and Android apps for their security status against FREAK attacks as clients.
Tomi Engdahl says:
NSA trying to map Rogers, RBC communications traffic, leak shows
http://www.theglobeandmail.com/news/national/nsa-trying-to-map-rogers-rbc-communications-traffic-leak-shows/article23491118/
The U.S. National Security Agency has been trying to map the communications traffic of corporations around the world, and a classified document reveals that at least two of Canada’s largest companies are included.
A 2012 presentation by a U.S. intelligence analyst, a copy of which was obtained by The Globe and Mail, includes a list of corporate networks that names Royal Bank of Canada and Rogers Communications Inc.
Canada’s biggest bank and its largest wireless carrier are on a list of 15 entities that are visible in a drop-down menu on one of the presentation’s 40 pages.
The document does not say what data the NSA has collected about these firms, or spell out the agency’s objective
Tomi Engdahl says:
Cisco posts kit to empty houses to dodge NSA chop shops
Kit sent to SmallCo of Nowheresville to avoid NSA interception profiles
http://www.theregister.co.uk/2015/03/18/want_to_dodge_nsa_supply_chain_taps_ask_cisco_for_a_dead_drop/
Cisco will ship boxes to vacant addresses in a bid to foil the NSA, security chief John Stewart says.
The dead drop shipments help to foil a Snowden-revealed operation whereby the NSA would intercept networking kit and install backdoors before boxen reached customers.
The interception campaign was revealed last May.
“We ship [boxes] to an address that’s has nothing to do with the customer, and then you have no idea who ultimately it is going to,” Stewart says.
“When customers are truly worried … it causes other issues to make [interception] more difficult in that [agencies] don’t quite know where that router is going so its very hard to target – you’d have to target all of them. There is always going to be inherent risk.”
Cisco has poked around its routers for possible spy chips, but to date has not found anything because it necessarily does not know what NSA taps may look like, according to Stewart.
Greenwald alleges NSA tampers with routers to plant backdoors
Snowden’s muse spruiking a book
http://www.theregister.co.uk/2014/05/13/greenwald_alleges_nsa_tampers_with_routers_to_plant_backdoors/
Tomi Engdahl says:
Fatally flawed RC4 should just die, shout angry securobods
It’s the Swiss Cheese of infosec and we’re all gazing through its holes
http://www.theregister.co.uk/2015/03/18/kill_rc4_say_security_researchers/
Security researchers have banged another nail into the coffin of the ageing RC4 encryption algorithm.
The latest password recovery attacks against RC4 in TLS by Christina Garman of Johns Hopkins University, Prof. Kenny Paterson and research student Thyla van der Merwe (both of Royal Holloway, University of London) show that attacks against the scheme are getting better and easier so RC4 “needs to die”, as the researchers themselves put it.
The continued use of RC4 in TLS is “increasingly indefensible”, the researchers conclude in an abstract of their work.
“We obtain good success rates with 2^26 encryptions of the password. By contrast, the previous generation of attacks required around 2^34 encryptions to recover an HTTP session cookie.”
“RC4 must die. Despite, not because of, attacks like the one described here which is extremely impractical,” said Martijn Grooten, editor of Virus Bulletin and occasional security researcher.
RC4, developed in 1987, is a popular stream cipher that’s often used in HTTPS connections to protect sensitive network traffic from eavesdroppers, among other uses.
Potential attacks have been documented for years but they are now decreasing in complexity to the point where using the cipher is risky even before considering the implication of the revelations from NSA whistleblower Edward Snowden.
Microsoft urged Windows developers to ditch the RC4 encryption algorithm and pick something stronger back in November 2013. Cisco also told its customers to “avoid” the cipher around the same time.
The IETF moved towards killing off the venerable-but-vulnerable RC4 cipher with a proposal that net-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS) that surfaced in December 2014.
Tomi Engdahl says:
Security in Three Ds: Detect, Decide and Deny
http://www.linuxjournal.com/content/security-three-ds-detect-decide-and-deny
Whenever a server is accessible via the Internet, it’s a safe bet that hackers will be trying to access it. Just look at the SSH logs for any server you use, and you’ll surely find lots of “authentication failure” lines, originating from IPs that have nothing to do with you or your business. Brute-force attempts (such as “dictionary attacks”) try different passwords over and over to try to get into your box, and there’s always a chance that they eventually will succeed. Thus, it’s a good idea to apply these “three Ds” for your security: detect intruder attempts, decide when they’ve gone “over the top” (past what would be acceptable for honest-to-goodness typing mistakes), and deny them access at least for a (longish!) while.
Several tools manage this kind of monitoring (see the Resources section). In this article, I describe installing, configuring and running DenyHosts. With it, you’ll have a running background dæmon that will check your system continuously for access attempts, decide if they look unsafe, block them and inform you. DenyHosts even can be configured to share information with other servers, so whenever a hacker is detected on one system, it will be blocked on other systems too.
Tomi Engdahl says:
Safari bug saves Web page URLs in Private mode
http://www.macissues.com/2015/03/17/safari-bug-saves-web-page-urls-in-private-mode/
Private Browsing mode should prevent most Web browsers from saving loaded content in any way. Any such information such as that in your browser’s cache, its history, or cookie information should be stored temporarily for the current session, and then discarded when you close your browser window. However, in Safari your pages might be logged by a small but overlooked aspect of how Safari handles Web pages.
Unfortunately, it appears that even when in Private Browsing mode, Safari will store this favicon information. While this is normal behavior and is not at all a security risk, it may be considered a privacy issue as pages you might not want a trace of on your system will be logged to this database, which is a simply SQLite database commonly used in OS X, and which can be opened with a number of SQLite readers (including the built-in “sqlite3″ Terminal utility).
Tomi Engdahl says:
Evolution Market’s Admins Are Gone, Along With $12M In Bitcoin
http://yro.slashdot.org/story/15/03/18/1311240/evolution-markets-admins-are-gone-along-with-12m-in-bitcoin
The Evolution Market, an online black market that sells everything contraband — from marijuana, heroin and ecstasy to stolen identities and malicious hacking services — appears to have vanished in the last 24 hours with little warning.
Mar 15
Dark Web’s ‘Evolution Market’ Vanishes
http://krebsonsecurity.com/2015/03/dark-webs-evolution-market-vanishes/
Much to the chagrin of countless merchants hawking their wares in the underground market, the curators of the project have reportedly absconded with the community’s bitcoins — a stash that some Evolution merchants reckon is worth more than USD $12 million.
Reachable only via the Tor network (a.k.a. the “dark web” or “darknet”), Evolution Market quickly emerged as the go-to online bazaar for buyers and sellers of illicit goods following the shutdown of the infamous Silk Road marketplaces in 2013 and again late last year.
Evolution operates on an escrow system, allowing buyers and sellers to more confidently and successfully consummate sales of dodgy goods. But that means the market’s administrators at any given time have direct access to a tempting amount of virtually untraceable currency.
Denizens of the darkweb community say the moderators in charge of Evolution (known as just “Evo” by vendors and buyers alike) had in the past few days instituted long delays in responding to and processing withdrawal requests from the marketplace’s myriad vendors.
The Evo buyer said he expects that the market value of bitcoins will drop considerably over the next 24 hours as a result of the apparent mass ripoff.
“Bitcoin will take a big hit in its value over the next day or two as more Europeans wake up,” he said.
Tomi Engdahl says:
Darktrace, The Cyber Security Startup Backed By Mike Lynch, Raises Further $18M
http://techcrunch.com/2015/03/17/darktrace/
Calling itself the leader in “Enterprise Immune System technology”,
“Based on the biological principles of the human immune system, Darktrace’s technology is capable of learning ‘self’ – what constitutes the normal pattern of life for the organisation, its users and devices – and detecting subtle deviations from this normal behaviour, which suggest a compromise, breach or cyber-attack,” is how the company explains it.
Or, put more simply, Darktrace offers a box that sits in your network and listens to what’s going on combined with software that makes sense of that traffic and alerts IT managers when there is suspicious behaviour, as well as sending them a regular ‘Threat Intelligence Report’.
“There have been a range of attacks inside the network, e.g. Sony Pictures, Target, JP Morgan. If they had Darktrace, those enterprises wouldn’t have been flying as blind. That’s one of the real drivers of growth as everyone is aware that this is a growing problem,” Hoxton Ventures’ Hussein Kanji tells me.
Tomi Engdahl says:
American Microsemi has launched the second generation of solid-state hard drives, from whom the data is virtually impossible to steal. 64 GB disk is designed for critical embedded applications and for use in harsh conditions.
New SSD is self-encrypting. Data is encrypted with AES-256 XTS encryption.
Encryption key management can be done a number of different methods.
If someone tries to hack it, the encryption key can be wiped out in less than 30 milliseconds. The second level of protection can be activated to erase the whole disc data contained in less than 10 seconds.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2573:ssd-levy-salaa-tietonsa-varmasti&catid=13&Itemid=101
Tomi Engdahl says:
Anna Irrera / Wall Street Journal:
UK Treasury says it will apply anti-money laundering regulation to digital currency exchanges for the first time
The U.K. Plans to Regulate Bitcoin Exchanges
http://blogs.wsj.com/digits/2015/03/18/u-k-to-regulate-bitcoin-exchanges/
The U.K. government is to regulate digital currency exchanges for the first time, in a bid to support innovation in the nascent technology while preventing criminal use.
In a document released in conjunction with the announcement of UK’s 2015 budget, the Treasury said that intends to apply anti-money laundering regulation to digital currency exchanges in the UK.
The measures will be aimed at creating the right environment for legitimate actors in the space to flourish, while making it “a hostile environment for illicit users of digital currencies,” the government said.
The government’s move comes a month after the Bank of England announced that it would undertake research on central bank-issued digital currencies. This would look into the costs and benefits of a central-bank run system.
The digital currency industry welcomed the government’s announcements.
Tom Robinson, a board member of the lobby group UK Digital Currency Association, said “Today’s announcement is significant in that it brings bitcoin and other block chain technologies closer to mainstream adoption.”
Tomi Engdahl says:
‘All browsing activity should be considered private and sensitive’ says US CIO
Stop laughing about the NSA and read this plan to make HTTPS the .gov standard
http://www.theregister.co.uk/2015/03/18/all_browsing_activity_should_be_considered_private_and_sensitive_says_us_cio/
The CIO of the United States has floated a plan to make HTTPS the standard for all .gov websites.
“The majority of Federal websites use HTTP as the primary protocol to communicate over the public internet,” says the plan, which also states that HTTP “create a privacy vulnerability and expose potentially sensitive information about users of unencrypted Federal websites and services.”
“All browsing activity should be considered private and sensitive,” the proposal continues (cough – NSA – cough) before suggesting “An HTTPS-Only standard will eliminate inconsistent, subjective decision-making regarding which content or browsing activity is sensitive in nature, and create a stronger privacy standard government-wide.”
The proposal acknowledges that “The administrative and financial burden of universal HTTPS adoption on all Federal websites includes development time, the financial cost of procuring a certificate and the administrative burden of maintenance over time” and notes that HTTPS can slow servers and sometimes complicate the browsing experience.
The HTTPS-Only Standard
https://https.cio.gov/
The American people expect government websites to be secure and their interactions with those websites to be private. Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public web connections with today’s internet technology. The use of HTTPS reduces the risk of interception or modification of user interactions with government online services.
This proposed initiative, “The HTTPS-Only Standard,” would require the use of HTTPS on all publicly accessible Federal websites and web services.
Tomi Engdahl says:
DDoS attacks enabled via vulnerable Google Maps plugin
http://thestack.com/ddos-attacks-vulnerable-google-maps-plugin-020315
An industry warning has been issued to businesses and Software-as-a-Service providers advising that attackers are currently exploiting a vulnerable Google Maps plugin installed on Joomla servers to launch distributed denial of service (DDoS) attacks.
“Vulnerabilities in web applications hosted by Software-as-a-Service providers continue to provide ammunition for criminal entrepreneurs. Now they are preying on a vulnerable Joomla plugin for which they’ve invented a new DDoS attack and DDoS-for-hire tools,” said Stuart Scholly, senior vice president and general manager at the Security Business Unit, Akamai Technologies. “This is one more web application vulnerability in a sea of vulnerabilities.”
The vulnerability found in the Google Maps plugin for Joomla allows the platform to act as a proxy, enabling attackers to process fake requests and return the proxy results to a targeted user in the form of a DDoS attack. The source of the attack remains anonymous as the hack-related traffic appears to come from the Joomla servers.
Joomla, the second most frequently used online content management system after WordPress, had been downloaded over 50 million times.
Joomla Reflection DDoS-for-Hire [High Risk]
http://www.stateoftheinternet.com/resources-web-security-threat-advisories-2015-joomla-reflection-attack-ddos-for-hire.html
Tomi Engdahl says:
UK’s GCHQ Admits To Using Vulnerabilities To Hack Target Systems
http://yro.slashdot.org/story/15/03/19/0421210/uks-gchq-admits-to-using-vulnerabilities-to-hack-target-systems
“Lawyers for the GCHQ have told the Investigatory Powers Tribunal in the UK that the agency carries out the same illegal Computer Network Exploitation (CNE) operations that criminals and hackers do. Except they do it legally.”
UK spies claim broad powers to hack worldwide
http://www.itnews.com.au/News/401848,uk-spies-claim-broad-powers-to-hack-worldwide.aspx
Admit to using vulnerabilities for intelligence gathering.
The British government has defended the surveillance activites of its spy agencies, claiming they have broad powers to spy on any person’s communications and computers around the world in secret, even when the targets are not under suspicion.
While GCHQ won’t acknowledge any one operation in particular as per its “neither confirm nor deny” policy, the agency said it may conduct computer network exploitation (CNE) attacks to obtain intelligence when it believes national interest is at stake.
The open response from GCHQ’s lawyers states the agency could embark upon operations similar to those conducted by criminals and hackers:
“CNE operations vary in complexity. At the lower end of the scale, an individual may use someone’s login credentials to gain access to information,” the response reads.
“More complex operations may involve exploiting vulnerabilities in software in order to gain control of devices or networks to remotely extract information, monitor the user of the device or take control of the device or network.
Wanted communications that are not in the course of their transmission and therefore cannot be intercepted can lead to CNE attacks being used by GCHQ, ditto if there is no communications service provider to serve an interception warrant upon.
Furthermore, CNE operations may be used if “a more comprehensive set of the target’s communications or data of intelligence interest is required than can be obtained through other means,” the open response stated.
Tomi Engdahl says:
Microsoft Blacklists Fake Finnish Certificate
http://yro.slashdot.org/story/15/03/18/2048244/microsoft-blacklists-fake-finnish-certificate
Microsoft has issued a warning that a fraudulent SSL digital certificate has been issued in the name of a Finnish version of its Windows Live service. Although the company says it has revoked the certificate, security experts warn that older software may continue to “trust” the known bad certificate for months or even years, and that attackers could use it to trick users into running malware. “Microsoft is aware of an improperly issued SSL certificate for the domain ‘live.fi’ that could be used in attempts to spoof content, perform phishing attacks or perform man-in-the-middle attacks,”
Microsoft Blacklists Fake Certificate
But Experts Warn Phishing, Malware Risks Continue
http://www.govinfosecurity.com/microsoft-blacklists-fake-certificate-a-8021
Tomi Engdahl says:
Home> Systems-design Design Center > How To Article
Defend encryption systems against side-channel attacks
http://www.edn.com/design/systems-design/4438932/Defend-encryption-systems-against-side-channel-attacks?_mc=NL_EDN_EDT_EDN_systemsdesign_20150318&cid=NL_EDN_EDT_EDN_systemsdesign_20150318&elq=e98b167a64944ea58dd219e59e5cb716&elqCampaignId=22127&elqaid=24855&elqat=1&elqTrackId=75e1e6bc655a4ad3af393f3fc1bc4fba
Strong mathematical guarantees make cryptographic primitives (established, low-level cryptographic algorithms) highly popular as building blocks for securing systems and infrastructure. Encryption is widely deployed to protect confidential data during storage or transmission over insecure networks. Digital signatures are widely used for validating the authenticity and integrity of software, software updates and the data that systems rely upon. Other cryptographic primitives such as message authentication codes, key agreement protocols, and hash functions are also widely deployed for protecting information and systems from attacks.
However, successful attacks on fielded cryptographic systems have also highlighted the pitfalls of relying on purely mathematical guarantees for securing physical systems. It may be infeasible to extract keys mathematically from message traffic, but monitoring message traffic is only one of many possible approaches to breaking encryption.
One common attack vector is exploiting deficiencies in protecting secret cryptographic keying material. Real world systems need to be carefully designed so that secret keys cannot be easily recovered by malicious software or via a simple hardware attack. Unfortunately, incidents where systems get compromised due to poorly protected secret keys are still common.
Another source of problems has been poor communication between the cryptographers, who are mostly mathematicians, and the engineering community that actually develops these systems. If cryptographers do not properly convey all the requirements needed for the mathematical proofs of security – such as the non-reuse of certain parameters or the quality of certain random inputs – to the system designers, the resulting implementations may be vulnerable to a mathematical attack. For example, hackers were able to recover the digital signature key used for signing code for the Sony PlayStation 3 because designers reused a once-per-signature parameter across multiple signatures.