Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details from the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why cyber warfare is becoming more and more attractive to small nations and terrorist groups: enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The technologies underlying the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
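As an added illustration of the point above (this is example code written for this post, not something from the STIX/TAXII projects or any vendor), the block below takes indicators in STIX JSON form, pulls out the ones whose pattern is a plain equality, and runs them over a few log lines. It is written against the STIX 2.1 JSON layout, which postdates this post; the bundle, the indicator ids, the addresses and the log lines are all constructed, and only the simplest pattern shape `[type:property = 'value']` is handled, so anything more complex is skipped rather than misapplied.

```python
"""Minimal threat-intel pipeline: take STIX 2.1 indicator objects (JSON),
extract the simple equality patterns they carry, and run them over sample
log lines.  Added example; the indicators and logs are constructed."""
import json
import re

# Constructed STIX 2.1 bundle: two indicators with simple comparison patterns.
# The ids use placeholder UUIDs, not real shared intelligence.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-0000000000a1",
            "created": "2015-03-20T00:00:00.000Z",
            "modified": "2015-03-20T00:00:00.000Z",
            "name": "C2 address seen in banking trojan campaign (constructed)",
            "pattern": "[ipv4-addr:value = '198.51.100.23']",
            "pattern_type": "stix",
            "valid_from": "2015-03-20T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-0000000000a2",
            "created": "2015-03-20T00:00:00.000Z",
            "modified": "2015-03-20T00:00:00.000Z",
            "name": "Phishing landing domain (constructed)",
            "pattern": "[domain-name:value = 'tax-rebate-login.example']",
            "pattern_type": "stix",
            "valid_from": "2015-03-20T00:00:00Z",
        },
    ],
})

# Matches the simplest STIX pattern form: [object-type:property = 'value'].
# Boolean operators, wildcards and observation expressions are not handled.
_SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")

def load_indicators(bundle_json):
    """Return (indicator_id, object_type, property, value, name) tuples for
    every indicator in the bundle whose pattern is a simple equality."""
    bundle = json.loads(bundle_json)
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue  # unsupported pattern shape: skip rather than misapply it
        obj_type, prop, value = m.groups()
        out.append((obj["id"], obj_type, prop, value, obj.get("name", "")))
    return out

# Extractors that pull candidate observables of a given STIX type from a line.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def _observables(line, obj_type):
    if obj_type == "ipv4-addr":
        return set(_IPV4.findall(line))
    if obj_type == "domain-name":
        return {d.lower() for d in _DOMAIN.findall(line)}
    return set()

def match_logs(bundle_json, log_lines):
    """Run every loadable indicator over the log lines; return a list of
    (line_number, indicator_id, matched_value) hits in log order."""
    indicators = load_indicators(bundle_json)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for ind_id, obj_type, prop, value, _name in indicators:
            if prop != "value":
                continue
            if value.lower() in _observables(line, obj_type):
                hits.append((lineno, ind_id, value))
    return hits

# Constructed log lines (proxy and DNS style), not real traffic.
SAMPLE_LOGS = [
    "2015-03-20T09:12:01Z proxy src=10.0.0.14 dst=198.51.100.23 GET /gate.php 200",
    "2015-03-20T09:12:05Z dns client=10.0.0.22 query=www.example.org A",
    "2015-03-20T09:13:44Z dns client=10.0.0.31 query=Tax-Rebate-Login.example A",
    "2015-03-20T09:14:02Z proxy src=10.0.0.14 dst=203.0.113.9 GET /index.html 200",
]

if __name__ == "__main__":
    for lineno, ind_id, value in match_logs(SAMPLE_BUNDLE, SAMPLE_LOGS):
        print(f"line {lineno}: {value} matches {ind_id}")
```

The useful part for the sharing argument is that the matching side never needs to know who produced the indicator: anything that arrives in the agreed structure can be loaded and applied the same way, which is what makes aggregation across vendors, government feeds and community sources practical. Indicators whose pattern this loader cannot express are dropped rather than partially matched, since a half-applied indicator produces confident-looking but wrong alerts.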

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within them. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
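An interception proxy of the kind described above works by presenting the browser a certificate issued by the company’s own CA instead of the site’s real one, so from the client side the tell-tale sign is an issuer you did not expect. The block below is an added example (written for this post, not from any vendor or the post’s author) that takes a certificate in the dictionary layout Python’s `ssl.SSLSocket.getpeercert()` returns and reports a hostname mismatch, an expired or not-yet-valid certificate, and an issuer outside an operator-supplied allow list. The two certificates, the issuer names and the hostname are constructed; `fetch_peercert` is the only part that touches the network and is not used by the offline checks.

```python
"""Client-side check for HTTPS interception: compare the certificate a server
presents with what the operator expects.  Added example; the expected-issuer
list and the sample certificates below are constructed."""
import socket
import ssl

def fetch_peercert(host, port=443, timeout=5.0):
    """Live helper (not used by the offline checks): return the dict that
    ssl.SSLSocket.getpeercert() produces for the leaf certificate of host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _rdn_value(name_tuples, key):
    """getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple
    of (attribute, value) pairs; pull out the first value for `key`."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def _hostname_matches(hostname, names):
    """Exact or single-label wildcard match against subjectAltName DNS entries."""
    hostname = hostname.lower()
    for name in names:
        name = name.lower()
        if name == hostname:
            return True
        if (name.startswith("*.") and hostname.count(".") == name.count(".")
                and hostname.endswith(name[1:])):
            return True
    return False

def assess_peercert(cert, hostname, expected_issuers, now):
    """Return a list of findings for a getpeercert()-style dict.

    expected_issuers: issuer organizationName values the operator trusts for
    this hostname (for example recorded from a known-good connection).
    now: current time in seconds since the epoch, passed in so the check is
    deterministic and testable."""
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not _hostname_matches(hostname, sans):
        findings.append("hostname not in subjectAltName")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before or now > not_after:
        findings.append("certificate outside validity period")
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org not in expected_issuers:
        findings.append(f"unexpected issuer {issuer_org!r}: possible TLS interception")
    return findings

# Constructed certificates in getpeercert() layout, not real ones.
GOOD_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "example.org")),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2015 GMT",
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Corp Proxy Root"),),
               (("commonName", "Corp TLS Inspection CA"),)),
    "subjectAltName": (("DNS", "www.example.org"),),
    "notBefore": "Mar 20 00:00:00 2015 GMT",
    "notAfter": "Dec 31 23:59:59 2015 GMT",
}
EXPECTED_ISSUERS = {"Example Public CA"}
# Fixed "current time" (1 June 2015) so the validity check is reproducible.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2015 GMT")

if __name__ == "__main__":
    for label, cert in (("direct", GOOD_CERT), ("via proxy", INTERCEPTED_CERT)):
        print(label, assess_peercert(cert, "www.example.org", EXPECTED_ISSUERS, NOW) or ["ok"])
```

Note that a browser on a managed workstation will not raise any of these findings by itself, because the proxy CA has been installed into its trust store; the check only helps when the expected issuer is recorded out of band. Certificate chain validation, revocation and key usage are left to the TLS library (`create_default_context()` in `fetch_peercert`); this function only adds the operator’s expectation on top.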


3,110 Comments

  1. Tomi Engdahl says:

    Don’t overlook your biggest security flaw — your talent
    http://www.cio.com/article/2898733/security0/dont-overlook-your-biggest-security-flaw-your-talent.html

    What’s your best line of defense against cybersecurity threats? Skilled, experienced, highly trained IT talent. Don’t skimp on hiring, training and retention, or your business may suffer the consequences.

    The IT skills gap isn’t as bad as you think — it’s worse, much worse. Especially in the area of cybersecurity, that skills gap is a major threat to your business.

    The skills gap all IT organizations struggle with can be summed up in three words: “not enough people,” according to author and Wall Street Journal columnist Gary J. Beach

    But when the skills gap is viewed through the lens of cybersecurity, it becomes much more than an HR struggle to put bodies in seats – it can be dangerous and costly.

    CIOs must take advantage of their unique position in the C-suite to drive increased emphasis on security spending, hiring quality talent and furthering education and training for that talent, or risk catastrophe.

    The paradox inherent in enterprise security is that if you’re doing it right, no one can tell, says Mark Weinstein, founder of social media platform Sgrouples, CEO of MeWe.com and a cybersecurity and privacy expert. According to Weinstein, CIOs must be vigilant about explaining the real risks and threats, and be willing to drive the investments necessary to mitigate them.

    “One of the major issues here is that if you’re doing security right, you’re not necessarily going to see the results. You’re not going to get the huge breaches, you’re not going to get the highly publicized failures, which you’d assume is a great thing, but that can lead to complacency — and an unwillingness to invest in skilled talent, preventative technology and education and training to keep organizations secure. So it’s all about being able to understand threats, how they’re evolving and why, and be proactive about heading them off before they occur,” says Weinstein.

    “If you’re trying to squeeze out a few extra bucks by hiring cheaper talent, slashing software budgets or eliminating training and education, well, in the short-term you might be rewarded. But someone must be asking the question, loudly, ‘Does this increase our risk? At the highest executive level, some CEOs will say, ‘Well, that’s not my issue, I hired a CIO for that,’ but the constant vigilance about security, risk and threats has to be spread across the entire organization, not just on the shoulders of one exec,” says Varelas

    Many organizations do understand the need for continuing IT training, especially in the areas of security, compliance and governance skills, but balk when confronted with the costs of such training, according to a survey from Cybrary, a provider of free massive open online courses (MOOCs) for IT and cybersecurity.

    Reply
  2. Tomi Engdahl says:

    Malicious software on your computer? The operator can turn off your internet connection

    The Kyberturvallisuuskeskus, which operates under the Finnish Communications Regulatory Authority, has network operators cooperate in disrupting and eradicating malware on the network.

    Kyberturvallisuuskeskus runs the Autoreporter system for malware activity. The agency notifies the operators of findings concerning infected machines owned by their customers.

    “If the telecommunications operator’s customer cannot be reached or the malicious software has not otherwise been removed, the telecommunications company may temporarily restrict or block the client’s traffic in order to reduce malware traffic”

    The customer is responsible for his own equipment – the majority of malware is removed by customers themselves with anti-virus software.

    Domestic networks remain clean and safe through the power of cooperation. Kyberturvallisuuskeskus and the telecommunications companies fight malware together, including with the Autoreporter system.

    The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus Autoreporter system receives information about malware traffic originating from Finland from almost all over the world. The data is passed to the telecommunications companies that maintain the subscriptions, and they report the findings to their customers. When the user has cleaned the malware-infected terminal equipment, he can once again join the network without restriction.

    The findings vary a lot. At the beginning of 2015 a typical day has brought about 90 observations, which is equivalent to more than 2,500 observations each month and more than 30 000 observations per year.

    Processing of the observation data obtained by the Autoreporter system involves a small delay. It is quite possible that, for example, the telecommunications company’s customer has already detected the malware and removed it. In such a case, when the telecom operator is informed of the Autoreporter observation, it is already out of date. That problem is, fortunately, a positive one, and it speaks of experienced network users.

    Sometimes the findings repeat, when the same network address causes frequent sightings. Either the terminal has not been cleared of the malware, or there are repeated malware infections.

    The Autoreporter system is intended in particular to promote the cleanliness of public communications networks. Malware detection in residential, business and other local networks and on individual handsets is the responsibility of their users and operators. In the fight against malware it is necessary to use up-to-date security products in order to guarantee coverage and speed.

    Sources:
    http://www.tivi.fi/Kaikki_uutiset/2015-03-19/Riehuuko-koneellasi-haittaohjelma-Operaattori-voi-katkaista-nettiyhteytesi-3217715.html
    https://www.viestintavirasto.fi/tietoturva/tietoturvanyt/2015/03/ttn201503191128.html

    Reply
  3. Tomi Engdahl says:

    Tighten Up SSH
    http://www.linuxjournal.com/content/tighten-ssh

    SSH is a Swiss Army knife and Hogwarts’ magic wand all rolled into one simple command-line tool. As often as we use it, we sometimes forget that even our encrypted friend can be secured more than it is by default.

    As an example, one of the first things I do is disable root login via SSH

    PermitRootLogin no

    Plenty of other security options are available as well.
    Disabling the old SSH version 1 protocol is as simple

    Reply
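The `PermitRootLogin no` line above is one of a handful of sshd_config settings worth checking in bulk. As an added example (written for this post, not from the Linux Journal article or OpenSSH), the block below parses an sshd_config, applies a small constructed baseline, and reports the weak settings. It mirrors two sshd rules that trip people up: the first occurrence of a keyword wins, so a hardened line appended at the bottom of the file does nothing if a weaker one appears earlier, and lines under a `Match` block apply conditionally rather than globally. The baseline values and both sample configs are constructed. For context, OpenSSH 7.0 changed the `PermitRootLogin` default to `prohibit-password`, and OpenSSH 7.4 removed server-side support for protocol 1 altogether, so on current servers the `Protocol` line is moot.

```python
"""Audit an sshd_config against a small hardening baseline.  Added example,
not from the Linux Journal article; the baseline and sample configs are
constructed.  sshd uses the FIRST occurrence of a keyword, so a hardened
line appended at the end of the file does not override an earlier weak one;
the parser mirrors that rule."""
import re

# Keyword -> acceptable values (lowercased).  A missing keyword is judged by
# the OpenSSH default, so an absent PasswordAuthentication counts as "yes".
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "protocol": {"2"},
}
DEFAULTS = {
    "permitrootlogin": "prohibit-password",  # OpenSSH 7.0+ default
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "protocol": "2",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_LINE = re.compile(r"^([A-Za-z]+)\s*[=\s]\s*(.+?)\s*$")

def parse_sshd_config(text):
    """Return {keyword_lower: value}, keeping only the first occurrence of
    each keyword as sshd does.  Lines inside Match blocks are skipped because
    they apply conditionally, not globally."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True  # everything until EOF belongs to some Match block
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Return (keyword, effective_value, acceptable_values) for every
    baseline keyword whose effective value is weak."""
    settings = parse_sshd_config(text)
    findings = []
    for key, ok_values in BASELINE.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective not in ok_values:
            findings.append((key, effective, sorted(ok_values)))
    return findings

# Constructed configs.  WEAK_CONFIG shows the first-occurrence trap: the
# hardened PermitRootLogin at the bottom is dead because of the line above it.
WEAK_CONFIG = """\
# sshd_config (constructed example)
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
"""
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "ok")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; on a live host, `sshd -T` prints the effective configuration after all defaults and `Match` evaluation, which is the more authoritative source when the two disagree.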
  4. Tomi Engdahl says:

    Microsoft was aware of a security issue in 2010 – but did not do anything

    On Tuesday, we reported how a Finnish man came into possession of the Microsoft Live.fi service certificate by creating an email alias address, with which he managed to fool the certificate dealer Comodo. According to the tech site Ars Technica, Laurens Vets, who works in the Belgian IT field, created similar aliases for the Live.be service more than four years ago.

    Source: http://summa.talentum.fi/article/tv/uutiset/144398

    Microsoft takes 4 years to recover privileged TLS certificate addresses
    Addresses allowed holder to acquire certs that enabled man-in-the-middle attacks.
    http://arstechnica.com/security/2015/03/microsoft-takes-4-years-to-recover-privileged-tls-certificate-addresses/

    On Tuesday, Ars chronicled Microsoft’s four- to six-week delay responding to a Finnish man who had obtained a Windows Live e-mail address that allowed him to register unauthorized transport layer security certificates for the live.fi domain. Today comes the tale of a Belgian IT worker who has waited more than four years to return two similar addresses for the live.be domain.

    Microsoft’s delay in securing the addresses such as [email protected] and [email protected] has potential consequences for huge numbers of people. Browser-trusted certificate authorities such as Comodo grant unusually powerful privileges to people with such an address. All the account holders had to do was ask for a domain-validated TLS certificate for live.fi or live.be. Once they clicked a validation link Comodo sent to their e-mail addresses, the certificates were theirs.

    It came as a surprise that Microsoft waited until this week to respond to the Finnish man’s report, reportedly from January, that he came into possession of the [email protected] address.

    After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.

    Reply
  5. Tomi Engdahl says:

    Mike Masnick / Techdirt:
    French Government Starts Blocking Websites With Views The Gov’t Doesn’t Like

    French Government Starts Blocking Websites With Views The Gov’t Doesn’t Like
    from the liberté-égalité dept
    https://www.techdirt.com/articles/20150318/06273130352/french-government-starts-blocking-websites-with-views-govt-doesnt-like.shtml

    Except… it already appears that France is really just censoring websites with messages it doesn’t like. In that first batch was a site called “islamic-news.info.” The owner of that site not only notes that he was never first contacted to “remove” whatever material was deemed terrorist supporting (as required by the law), but that nothing in what he had posted was supporting terrorism.

    His site is opinionated, but mostly just against current Syrian leader Bashar al-Assad. In fact, he notes that he specifically avoided topics that might be misinterpreted to suggest that he supported terrorists. He did not share ISIS propaganda or similar content.

    But, with no judicial review, no due process at all, the French government declared the site to be a terrorist supporter and now it’s gone.

    France’s “motto” is supposedly Liberté, égalité, fraternité. I have difficulty seeing how blatantly censoring websites you disagree with, without any sort of due process, fits with any of those three ideals.

    Reply
  6. Tomi Engdahl says:

    Opera buys a VPN company to make private browsing really private
    http://www.geek.com/apps/opera-buys-a-vpn-company-to-make-private-browsing-really-private-1618370/

    You may not have given the Opera browser a second look before, but you may want to soon if you care about your online privacy. They’ve just bought a Virtual Private Network (VPN) provider.

    Making your browser stand out — particular when you build it on top of the same codebase as Google Chrome — isn’t an easy task.

    Opera may have found their angle: privacy. The company they acquired is Canada’s SurfEasy. Currently, they develop VPN apps for Windows, Mac, Android, and iOS, and they also make a secure browser-on-a-stick.

    Over the past year, SurfEasy’s business has been booming. They’ve added more than 6 million customers to their zero-logging service in the last twelve months, thanks in part to Edward Snowden’s revelations about the state of online surveillance.

    There’s another big reason they’re picking up customers in droves. SurfEasy also tears down geographical content barriers. Loads of non-Americans are using SurfEasy to connect to services like Hulu and Netflix. Adding “VPN in a tab” to Opera would be pretty amazing

    For the time being, Opera has no plans to shut down SurfEasy’s existing services.

    Reply
  7. Tomi Engdahl says:

    U.S. Cloud Providers Face Backlash From China’s Censors
    Free-speech activists rely on cloud computing to get around China’s Great Firewall
    http://www.wsj.com/articles/u-s-cloud-providers-face-backlash-from-chinas-censors-1426541126

    We are under attack
    https://en.greatfire.org/blog/2015/mar/we-are-under-attack

    Likely in response to a recent story in the Wall Street Journal (WSJ), we’ve experienced our first ever distributed denial of service (DDoS) attack. This tactic is used to bring down web pages by flooding them with lots of requests – at the time of writing they number 2.6 billion requests per hour. Websites are not equipped to handle that kind of volume so they usually “break” and go offline.

    This kind of attack is aggressive and is an exhibition of censorship by brute force. Attackers resort to tactics like this when they are left with no other options.

    We are not equipped to handle a DDoS attack of this magnitude and we need help.

    Because of the number of requests we are receiving, our bandwidth costs have shot up to USD $30,000 per day.

    We need companies like Amazon to be on our side and, more importantly, on the side of freedom of speech.

    Reply
  8. Tomi Engdahl says:

    Target To Pay $10 Million In Proposed Settlement For 2013 Data Breach
    http://it.slashdot.org/story/15/03/20/014259/target-to-pay-10-million-in-proposed-settlement-for-2013-data-breach

    Target has agreed to pay $10 million in a proposed settlement to a class-action lawsuit stemming from its massive 2013 data breach, which affected as many as 110 million people. Individual victims could receive up to $10,000.

    Target to pay $10 million in proposed settlement for 2013 data breach
    http://www.itworld.com/article/2899515/target-to-pay-10-million-in-proposed-settlement-for-2013-data-breach.html

    The proposed settlement includes measures to better protect the customer data that Target collects, according to documents filed with the U.S. District Court, District of Minnesota. Target must develop and test a security program for protecting consumer data and implement a process of monitoring and identifying security threats. The company must also provide its employees with security training around keeping consumer data safe. After the settlement’s approval, Target would have five years to implement these measures.

    Target has already complied with one of the requirements: it named a chief information security officer in June 2014.

    Target will alert impacted customers through email and mail in addition to advertising on Facebook and certain magazines and websites. A website and hot line will also be set up for people to obtain information about the settlement.

    Target initially said in December 2013 that a data breach that lasted from late November to mid-December compromised 40 million credit and debit card accounts. However, in January, Target reported that an additional 70 million people were impacted by the attack.

    Reply
  9. Tomi Engdahl says:

    Kaspersky Lab hits back at Bloomberg’s Russian spy link hit piece
    Founder claims it is retaliation for exposing NSA malware
    http://www.theregister.co.uk/2015/03/19/kaspersky_lab_denies_its_handinglove_with_russian_security_services/

    Russian computer security biz Kaspersky Lab is working closely with Russia’s intelligence services and gathering information on its customers, it has been claimed.

    An exposé, published by Bloomberg, details allegations that since 2012 Kaspersky has been replacing senior management staff with those close to the Russian Federal Security Service of the Russian Federation (FSB). Six current and former employees of Kaspersky said the software firm is providing information to Russian spy hive the FSB to help it in criminal investigations.

    In a statement to El Reg, Kaspersky Lab points out that it works with law enforcement around the world, so long as requests are legal under local and international laws. It also said users can opt out of sending information back to the company if they wish.

    Reply
  10. Tomi Engdahl says:

    CLOUD-to-CLOUD backup: A chasm-Spanning leap
    It’s gonna boom as public cloud use for apps grows
    http://www.theregister.co.uk/2014/12/23/cloud_to_cloud_backup_a_chasm_crossing_leap_to_safety/

    Cloud storage company Spanning’s story is simple enough; you back up your apps and on-premises data, don’t you? (everyone say “yes”…) You should back up your public cloud apps and their in-cloud data, shouldn’t you? (let me hear you say “yeah!”) Your existing backup software won’t work there, will it? (everyone look down and quietly say “no”). Ours will, and it runs in the cloud, too.

    Basically, you’d best assume you are on your own in the public cloud and need to make the same backup arrangements as you would in your own data centre. If you are subject to compliance regulated data protection then running your apps in the cloud doesn’t get you off that hook, sorry.

    Spanning Backup is “a secure, automated, daily backup solution that keeps a copy of SaaS data in a secure, private cloud … [and] lets you get your data back the way it was in a matter of clicks,” Erramouspe said.

    Reply
  11. Tomi Engdahl says:

    OpenSSL patch has 14 fixes including two biggies, but no Heartbleed
    But quick patching is still essential
    http://www.theinquirer.net/inquirer/news/2400597/openssl-gets-patch-for-mysterious-high-severity-issue

    DETAILS ARE STARTING to emerge about the scope of vulnerability updates in the latest patch for the OpenSSL protocol, released without notice or details yesterday, despite some vulnerabilities being marked as “high severity”.

    The first (CVE-2015-0291) could allow a denial-of-service attack to take place, said OpenSSL.

    “If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server,” it said.

    The second (CVE-2015-0204) relates to the FREAK flaw that has recently been doing the rounds. Originally it had been classed as low, but then it was decided that “recent studies have shown that RSA export cipher suites support is far more common”.

    OpenSSL (Secure Socket Layer) is a widely used standard for encrypting traffic between websites and servers.

    Fixes for OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf will be released today

    Reply
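Because the fixed releases are spread over four OpenSSL branches and OpenSSL’s letter suffixes sort unusually (a..z, then za, zb, …), deciding whether a given install is patched is easy to get wrong by eye. The block below is an added example (not from the article or the OpenSSL project) that parses a version string such as the one `openssl version` or Python’s `ssl.OPENSSL_VERSION` reports, compares it with the fixed release for its branch using the table quoted above, and separately lists the export-grade suites in a cipher list, since those are the suites the FREAK downgrade lands on. The cipher list is constructed.

```python
"""Decide whether an OpenSSL version string is at or above the fixed release
for its branch, and list export-grade cipher suites (the FREAK class) in a
cipher list.  Added example; the fixed-version table is the one quoted in
the comment above, everything else is constructed."""
import re
import ssl

# Fixed releases from the OpenSSL advisory of 19 March 2015, as quoted above.
FIXED = {"1.0.2": "1.0.2a", "1.0.1": "1.0.1m", "1.0.0": "1.0.0r", "0.9.8": "0.9.8zf"}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(text):
    """Turn e.g. 'OpenSSL 1.0.1k 8 Jan 2015' into a sortable key.  Letter
    suffixes run a..z then za, zb, ..., so (len(suffix), suffix) orders them
    correctly; a bare '1.0.2' (no letter) sorts before '1.0.2a'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), len(letter), letter)

def is_patched(version_text):
    """True if the version is at or above the fixed release for its branch,
    False if below it, None for branches the advisory does not cover."""
    key = parse_openssl_version(version_text)
    branch = "%d.%d.%d" % key[:3]
    if branch not in FIXED:
        return None
    return key >= parse_openssl_version(FIXED[branch])

def export_ciphers(cipher_names):
    """Return the export-grade suites in an OpenSSL-style cipher list; these
    are the 40/56-bit and 512-bit-RSA suites a FREAK downgrade targets."""
    return [c for c in cipher_names if c.startswith("EXP") or "EXPORT" in c]

# Constructed cipher list in OpenSSL naming, as `openssl ciphers -v` prints it.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA", "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for v in ("OpenSSL 1.0.1k 8 Jan 2015", "1.0.1m", "0.9.8ze", "1.0.2"):
        print(v, "->", is_patched(v))
    print("this interpreter links", ssl.OPENSSL_VERSION, "->", is_patched(ssl.OPENSSL_VERSION))
    print("export suites offered:", export_ciphers(SAMPLE_CIPHERS))
```

One caveat a version check cannot cover: distributions such as Debian and Red Hat commonly backport security fixes without changing the upstream version letter, so a string that looks unpatched may in fact be fixed; on those systems the package changelog, not the version string, is authoritative.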
  12. Tomi Engdahl says:

    Leaked Document Reveals Upcoming Biometric Experiments At US Customs
    http://news.slashdot.org/story/15/03/20/0115202/leaked-document-reveals-upcoming-biometric-experiments-at-us-customs

    “The facial recognition pilot program launched last week by U.S. Customs and Border Protection, which civil liberties advocates say could lead to new potentially privacy-invading programs, is just the first of three biometric experiments that the feds are getting ready to launch.”

    US Customs Quietly Launches Facial Recognition Experiment at DC Airport
    http://motherboard.vice.com/read/us-customs-quietly-launches-facial-recognition-experiment-at-dc-airport

    The next time you come back from overseas and flash your American passport at Washington, DC’s Dulles airport, customs officers might take a picture of you and use facial recognition technology to figure out if you really are who you say you are.

    The goal of the pilot program, called “1:1 Facial Recognition Air Entry Pilot,” is to figure out if facial recognition can be a useful tool in catching these imposters, but civil liberties activists worry this is the first step to create a database of law-abiding Americans’ mugshots, which could create unforeseen privacy risks.

    “Why are they doing that in the first place? Do they feel that border agents aren’t good at spotting imposters?”

    Reply
  13. Tomi Engdahl says:

    Breaking Dridex Malware with Excel Macro Password Exploit
    http://hackaday.com/2015/03/20/breaking-dridex-malware-with-excel-macro-password-exploit/

    This time the culprit was an infected Excel spreadsheet file. The .xls file was attached to a phishing email claiming to be related to a tax rebate. With tax season in full swing, this type of phishing message would be likely to be opened by an inexperienced user.

    [Ronnie] saved the file to a virtual machine to prevent his real workstation from getting infected. He then opened it up in Excel and noticed that it immediately attempted to run macros.

    [Ronnie] used the alt + F11 shortcut to view the macros. Unfortunately the attackers had password protected them. [Ronnie] wouldn’t be able to view the macro code without knowing the password. Luckily, he learned of a surprisingly simple trick to completely bypass the macro password.

    After loading the macros, [Ronnie] quickly noticed that most of the code was obfuscated to make it difficult to analyze.

    There were, however, three named modules that reference possible sandbox evasion techniques. The malware first invokes these functions to detect the presence of a virtual machine or other type of sandbox. If it detects nothing, then the rest of the malware program is decoded and executed.

    The next step was to try to view the decoded instructions.

    Decoding ZeuS Malware Disguised as a .DOC
    http://hackaday.com/2015/03/06/decoding-zeus-malware-disguised-as-a-doc/

    [Ronnie] started out by downloading the .doc attachment in a virtual machine. This would isolate any potential damage to a junk system that could be restored easily.

    The next step was to open the .doc file in Notepad++ for analysis. [Ronnie] quickly noticed that the file was actually a .rtf disguised as a .doc. [Ronnie] scanned through large chunks of data in an attempt to guess what the malware was trying to do.

    Reply
  14. Tomi Engdahl says:

    Sean Michael Kerner / eWeek:
    At Pwn2Own, researchers exploit fully patched versions of Firefox, Chrome, IE 11, and Safari, while payouts total $557K
    http://www.eweek.com/security/hp-awards-240k-for-firefox-ie-chrome-and-safari-exploits.html

    Reply
  15. Tomi Engdahl says:

    Brian Barrett / Wired:
    Chrome extension Ugly Mail identifies which of your Gmail emails are being monitored using pixel tracking

    A Clever Way to Tell Which of Your Emails Are Being Tracked
    http://www.wired.com/2015/03/ugly-mail/

    While you’ve likely never heard of companies like Yesware, Bananatag, and Streak, they almost certainly know a good deal about you. Specifically, they know when you’ve opened an email sent by one of their clients, where you are, what sort of device you’re on, and whether you’ve clicked a link, all without your awareness or consent.

    That sort of email tracking is more common than you might think. A Chrome extension called Ugly Mail shows you who’s guilty of doing it to your inbox.

    Sonny Tulyaganov, Ugly Mail’s creator, says he was inspired to write the “tiny script” when a friend told him about Streak, an email-tracking service whose Chrome extension has upwards of 300,000 users. Tulyaganov was appalled.

    “[Streak] allowed users track emails, see when, where and what device were used to view email,” he recalled to WIRED. “I tried it out and found it very disturbing, so decided to see who is actually tracking emails in my inbox.” Once the idea for Ugly Mail was born, it only took a few hours to make it a reality.

    The reason it was so easy to create is that the kind of tracking it monitors is itself a simple procedure. Marketers—or anyone who’s inspired to snoop—simply insert a transparent 1×1 image into an email. When that email is opened, the image pings the server it originated from with information like the time, your location, and the device you’re using. It’s a read receipt on steroids that you never signed up for.

    Pixel tracking is a long-established practice, and there’s nothing remotely illegal or even particularly discouraged about it; Google even has a support page dedicated to guiding advertisers through the process. That doesn’t make it any less unsettling to see just how closely your inbox activity is being monitored.

    Reply
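    The tracking mechanism described in the Wired piece above (a remote 1x1 image whose load reports back to the sender) is simple enough to detect on the receiving side. The following is an added example, not code from the article or from the Ugly Mail extension: it parses an HTML e-mail body with Python's standard-library HTMLParser and flags remote images that are 1x1 or hidden by inline CSS. The sample e-mail, the hostnames in it and the query-string recipient id are all constructed for the example.

```python
"""Flag likely tracking pixels in an HTML e-mail body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a visible logo, two beacons (one via width/height
# attributes plus display:none, one sized only through inline CSS) and an
# inline cid: image that cannot phone home. Hostnames are made up.
SAMPLE_EMAIL = """<html><body>
<p>Your monthly statement is ready.</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<a href="https://www.example.com/statement">View statement</a>
<img src="https://track.example.net/open?rid=8f3a1c2e" width="1" height="1" style="display:none">
<img src="http://beacon.example.org/p.gif" style="width:1px;height:1px;border:0">
<img src="cid:inline-chart" width="1" height="1">
</body></html>"""

_STYLE_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*(\d+)\s*(?:px)?", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _dimension(attrs, style, name):
    """Pixel size from the width/height attribute, else from inline CSS."""
    value = attrs.get(name)
    if value is not None:
        m = re.match(r"\d+", value.strip())
        if m:
            return int(m.group())
    for prop, num in _STYLE_DIM.findall(style):
        if prop.lower() == name:
            return int(num)
    return None


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_tracking_pixels(html):
    """Return a list of {host, src, reasons} for images that look like beacons."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        parsed = urlparse(src)
        if parsed.scheme.lower() not in ("http", "https"):
            continue  # cid:/data: images are delivered with the mail, no callback
        style = img.get("style", "")
        width = _dimension(img, style, "width")
        height = _dimension(img, style, "height")
        reasons = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 image")
        if _HIDDEN.search(style):
            reasons.append("hidden by CSS")
        if reasons and parsed.query:
            reasons.append("per-recipient query string")
        if reasons:
            findings.append({"host": parsed.hostname, "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit["host"], ", ".join(hit["reasons"]))
```

    The heuristics are deliberately narrow (size and visibility only), so a legitimately tiny remote image is a false positive; in practice the safer mitigation is the one the article implies, not loading remote images by default.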
  16. Tomi Engdahl says:

    Not Everyone Planning to Give Up on Windows Server 2003, Survey Shows
    http://news.softpedia.com/news/Not-Everyone-Planning-to-Give-Up-on-Windows-Server-2003-Survey-Shows-476485.shtml

    Microsoft will stop providing support for Windows Server 2003 on July 14 this year, so after that, computers still running this OS version will no longer get updates and security patches.

    Even though the security risks of running an unpatched version of Windows are pretty obvious, especially because we’re talking about a platform that’s in 99 percent of the cases connected to the Internet, a new survey conducted by Spiceworks shows that not all IT admins are planning to migrate from Windows Server 2003 in the next 12 months.

    The survey included 1,300 IT professionals, and 22 percent of them admit that upgrading from Windows Server 2003 before July is not on their agenda right now.

    The reasons behind this decision are worrying to say the least.

    No less than 51 percent of the respondents say that Windows Server 2003 still runs like a charm on their servers, so if everything works so well, why do they need to change it?

    48 percent of them explain that they do not have the time to handle such a complex task, while 37 percent say that they lack the financial resources to do it.

    According to the survey, companies are preparing on average a budget of $60,000 (€52,000) for this task, which could lead to a $100 billion (€73 billion) business that involves not only migration services but also new software and hardware.

    Reply
  17. Tomi Engdahl says:

    China has finally released official information about the state’s cyber warfare capability. Until now, the existence of network warrior units has been a well-kept open secret.

    The existence of the cyber warriors was established by the People’s Liberation Army’s Military Strategy Research Institute in its science of military strategy.

    According to Tripwire security analyst Ken Westin, it would be naive to imagine that states develop their cyber knowledge: “Everyone must stay on their toes.”

    China takes advantage not only of an official cyber army but also of so-called cyber mercenaries who sneak information out of companies.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-23/Kiina-paljasti-tarkoin-varjellun-salaisuuden—Kuin-sanoisi-ettei-maapallo-ole-litte%C3%A4-3217843.html

    Reply
  18. Tomi Engdahl says:

    How an acute shortage of cyber talent gave rise to ‘spooks as a service’
    http://www.itworld.com/article/2862915/how-an-acute-shortage-of-cyber-talent-gave-rise-to-spooks-as-a-service.html

    At the RSA Security Conference last year, companies large and small were trumpeting the spy agency connections of senior staff as never before. Startups in areas like ‘threat intelligence’ and endpoint protection touted their executives’ experience at three-letter agencies as a precursor to conversations about the scourge of advanced threats and attacks.

    Yet the big story about cyber talent that emerged in 2014 — at the RSA Security Conference and elsewhere – was of scarcity rather than abundance. Finding experts with experience identifying and analyzing sophisticated cyber threats is a herculean task. Hiring them is even harder, and few organizations can afford an internal team of cyber forensic experts to stand at the ready.

    “Most organizations do not have the people or the systems to continuously monitor extended networks and detect infiltrations, and then apply protections, in a timely and effective manner,” according to the report.

    “The number one issue I hear is ‘we can’t find the people,’” said Mike Rothman, an analyst at the firm Securosis. “And I’m talking about guys who can configure IPS (intrusion prevention system) boxes, not malware analysis,”

    Reply
  19. Tomi Engdahl says:

    IS ‘Hackers’ urge US-based jihadis: ‘Wipe yourselves out trying to kill 0.00005 of US forces’
    Boneheaded plan from unskilled doxxers
    http://www.theregister.co.uk/2015/03/23/isis_claim_to_dox_0_point_005_per_cent_of_us_military_personnel/

    One hundred supposed US military personnel have apparently been doxed in a propaganda release signed by the “Islamic State Hacking Division,” which urges IS supporters in the USA to “kill them in their own lands, behead them in their own homes, stab them to death as they walk their streets thinking that they are safe”.

    This release of names, photographs, and addresses — supposing that all those named genuinely are US service personnel — affects less than 0.005 (the same as our non-percentage headline figure) of one per cent of the United States Armed Forces’ 2,212,000 people.

    The New York Times noted that, although the release came from self-described “hackers”, the information revealed all appeared to be publicly available.

    ISIS Urges Sympathizers to Kill U.S. Service Members It Identifies on Website
    http://www.nytimes.com/2015/03/22/world/middleeast/isis-urges-sympathizers-to-kill-us-service-members-it-identifies-on-website.html?hp&action=click&pgtype=Homepage&module=second-column-region&region=top-news&WT.nav=top-news&_r=2

    WASHINGTON — In a new online threat to American military personnel, the Islamic State has called on its members and sympathizers in the United States to kill 100 service members whose names, photos and purported addresses it posted on a website.

    The group said that the personnel had participated in efforts to defeat it in Syria, Iraq, Yemen and elsewhere.

    Defense Department and F.B.I. officials said that they were aware of the website and were investigating the posting.

    Reply
  20. Tomi Engdahl says:

    Backing up cloud applications is never easy but Asigra gets it done
    http://www.theregister.co.uk/2015/03/23/review_asigra_saas_backup/

    As the recent Code Spaces debacle has taught us, just because you use cloud computing doesn’t mean you can’t properly engineer your IT design.

    A huge part of that is having proper backups that are set up on separate providers with different administrative credentials. Asigra is a data protection company that claims it can accomplish this so I have been investigating its offerings.

    Asigra hails from Toronto and has been around since 1986, which makes it a firmly established player in an overcrowded market. Despite this it is probably not the first data protection company many storage guys think of, or perhaps even in the top five.

    That is a shame, as its offerings are competitive with the big guys and it has some fiercely loyal clients.

    Recently the firm moved into cloud-to-cloud backup – backing up data from SaaS-based apps such as Google Apps and Office 365. Not only can it back things up to the cloud, it can back workloads and data that are in the cloud over to other clouds or back down to your premises.

    For better or worse, Asigra now represents “the cloud backup guys”. It even has a Docker containers backup whatchamacallit all built in. What separates it from all the eleven squillion other cloud backup guys out there, however, is that thing of having been around since 1986.

    Data protection is miserable and nearly every application in the space is a nightmare to use. This is at least in part because data protection applications have to deal with an ungodly number of different applications, data sources and destinations.

    Undercover agent

    Data protection is data protection. It is hard to make it sexy. It has one job: make copies of your workloads and their data and get those copies back where they belong when you need them. Despite this, the idea that all backup software is awful is as true today as it ever has been, and you can’t escape having to actually understand how it works.

    Anyone who has dealt with data protection applications of any kind will have encountered the agent-versus-agentless debate.

    Pretty much by definition, any proper cloud backup software is the agentless variety.

    Cloud services have APIs. If you want to get data on and off cloud services you have to go through APIs. So that means no agents (yay!) but it also means you are at the mercy of the API restrictions (boo!).

    This has some important real-world implications that need to be considered when talking about cloud-to-cloud or cloud-to-home backups.

    As any data protection software should, Asigra’s software will let you choose the frequency and granularity of your backups. It lets you do this per data source.

    Those pesky APIs the cloud providers use? They have limits. This can seriously affect your backup and recovery plans.

    It is clearly designed by backup geeks for backup geeks. It is nerd-centric and presumes the fellow driving the software has a high level of privilege.

    I won’t say Asigra is a joy to use, but then, what data protection software is? What I can honestly say is that of the dozen or so applications I have tried out that have some ability to backup my cloudy apps, I hate Asigra the least.

    Reply
  21. Tomi Engdahl says:

    Which VPN Services Take Your Anonymity Seriously? 2015 Edition
    By Ernesto
    on February 28, 2015
    https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/2/

    Reply
  22. Tomi Engdahl says:

    Twitter is testing a feature that removes threats and abuse from your timeline
    The “quality filter” is Twitter’s boldest step yet to address harassment
    http://www.theverge.com/2015/3/23/8280513/twitter-quality-filter-hides-threats-abuse

    After admitting that it’s failed to adequately combat abuse and harassment, Twitter has been moving swiftly to weed out its worst users — or at least make them easier to ignore. Its latest step appears to be a “Quality filter,” first noticed by Anil Dash, that will curate your timeline in an attempt to hide unwanted messages. The filter “aims to remove all tweets from your notifications timeline that contain threats, offensive or abuse language, duplicate content, or are sent from suspicious accounts.”

    Reply
  23. Tomi Engdahl says:

    Owen Williams / The Next Web:
    Twitch accounts were compromised, passwords are being reset for everyone

    Twitch accounts were compromised, passwords for all users reset
    http://thenextweb.com/insider/2015/03/23/twitch-accounts-were-compromised-passwords-being-reset/

    Uh oh, game streaming service Twitch has posted a short notice to its blog warning that there “may have been” some unauthorized access to some Twitch user information.

    It says that affected users will be contacted directly with additional details.

    The company says all passwords have been reset along with stream keys. It has also disconnected accounts from both Twitter and YouTube. Everyone that uses the service will see the below password reset screen when they next log in.

    Reply
  24. Tomi Engdahl says:

    Nick Wingfield / New York Times:
    Online ‘Swatting’ Becomes a Hazard for Popular Video Gamers and Police Responders
    http://www.nytimes.com/2015/03/21/technology/online-swatting-becomes-a-hazard-for-popular-video-gamers-and-police-responders.html

    Practical jokers have delighted for years at tormenting celebrities at home by calling in bogus reports of violence and provoking huge police responses.

    Now they have found a way to turn their pranks into an instant public spectacle by setting their sights on a new set of victims: video gamers who play live on the Internet, often in front of huge online audiences.

    Someone had called 911 claiming Mr. Peters had just shot his roommate.

    He is one of thousands of gamers who use hugely popular live online video services to entertain others and make money. And those cameras have made them irresistible targets for swatting, as the prank is called, allowing mischief makers to indulge their voyeurism by watching the tense and confusing moments of a police raid.

    That has created an unexpected occupational hazard for gamers. Build a following by streaming — and make yourself a potential target.

    “With the live-streaming platforms, it amplifies the entire situation,”

    Traditional celebrities, those in the entertainment industry, are still targets.

    Gamers, though, appear to have easily overtaken them as swatting victims. They are among the most avid live streamers around, so much so that Amazon bought their favored broadcasting service, Twitch, last year for around $1 billion. Game culture, too, is plagued by rivalries and grievances that can quickly turn toxic.

    Game companies like Twitch have publicly said that swatting is dangerous, but that there is little else they can do to prevent the pranks.

    “It’s an incredible waste of money,” said Mr. Beary, who is also the police chief at the University of Central Florida in Orlando. “It’s dangerous for victims and law enforcement.”

    Tracking the culprits behind the pranks is difficult. While bomb scares and other hoaxes have been around for decades, making threats anonymously has never been so easy.

    Swatters use text messages and online phone services like Skype to relay their threats, employing techniques to make themselves hard to trace.

    The few swatting investigations that have caught suspects often involve a gaming connection.

    Reply
  25. Tomi Engdahl says:

    Where Did VirusBarrier iOS Go?
    http://www.intego.com/mac-security-blog/where-did-virusbarrier-ios-go/

    Apple has elected to eliminate the category of anti-virus and anti-malware products from their iOS App Store. As a result of this decision, our product VirusBarrier iOS is no longer available for sale.

    All of our existing VirusBarrier iOS customers will continue to get their virus definition updates as they have been for as long as they own the product. These updates do not go through the App Store and are not affected.

    To be clear, this wasn’t an action directed specifically at Intego, we were one of several companies affected by Apple’s decision.

    Reply
  26. Tomi Engdahl says:

    Apple reportedly cracks down on antivirus apps from iOS App Store, many apps pulled
    http://9to5mac.com/2015/03/19/apple-app-store-antivirus/

    Apple has seemingly decided to crack down on antivirus and antimalware apps, removing them from the App Store. Although there has been no official statement from Apple on a policy change, Apple’s loose guidelines allow them to pull pretty much anything at any time, particularly something like antivirus which has questionable utility within the sandboxed iOS environment of iPhones and iPads.

    Reply
  27. Tomi Engdahl says:

    A mistake allowed eavesdropping: “Power in the hands of someone it did not belong to”

    Egyptian security company MCS Holdings has distributed a number of unauthorized certificates to Google domains.

    With the certificates, MCS Holdings would have been able to eavesdrop on the traffic of Google services and users. According to Google, this did not happen.

    The irregularities were found on Friday. Both Google and Mozilla have blocked the higher-level MCS Holdings certificate in their web browsers.

    Google is currently considering what measures it will take in the MCS Holdings case.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-24/Moka-mahdollisti-salakuuntelun-Valtaa-sill%C3%A4-jolle-se-ei-kuulunut-3217905.html

    Reply
  28. Tomi Engdahl says:

    Unpatched Amazon XSS vulnerability leaves users exposed to data theft
    Puts visitors and admins at risk of being compromised by hackers
    http://www.theinquirer.net/inquirer/news/2401023/unpatched-amazon-xss-vulnerability-leaves-users-exposed-to-data-theft

    SECURITY RESEARCH FIRM BruteLogic has pegged online retailer Amazon for having the kind of XSS vulnerability that makes headlines.

    The vulnerability is detailed on the XSSposed website, alongside claims that it is still a problem on Amazon.com. We have asked Amazon to comment on the claims and are waiting for a response.

    amazon.com XSS vulnerability
    https://www.xssposed.org/incidents/56006/

    Reply
  29. Tomi Engdahl says:

    Cisco uncovers PoSeidon malware targeting point of sale systems
    Threat has the ability to breach machines and obtain credit card information
    http://www.theinquirer.net/inquirer/news/2400994/cisco-uncovers-poseidon-malware-targeting-point-of-sale-systems

    SECURITY RESEARCHERS at Cisco have revealed details of a new point of sale (PoS) attack that could part firms from money and users from personal data.

    The threat has been called PoSeidon by the Cisco team and comes at a time when eyes are on security breaches at firms like Target.

    Cisco said in a blog post that PoSeidon is a new threat that has the ability to breach machines and scrape them for credit card information.

    Credit card numbers and keylogger data are sent to an exfiltration server, while the mechanism is able to update itself and presumably evade some detection.

    The security industry agrees that PoS malware is a cash cow for cyber thieves, highlighting the importance of vigilance and keeping systems up to date.

    “PoS malware has been extremely productive for criminals in the last few years, and there’s little reason to expect that will change anytime soon,” said Tim Erlin, director of product management at Tripwire.

    “Standards like the PCI Data Security Standard can only lay the groundwork for protecting retailers and consumers from these threats. A standard like PCI can specify a requirement for malware protection, but any specific techniques included may become obsolete as malware evolves.

    “Monitoring for new files and changes to files can detect when malware installs itself on a system, as PoSeidon does.”

    Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware
    http://blogs.cisco.com/security/talos/poseidon

    Reply
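    Tim Erlin’s point above, that watching for new files and changed files catches malware at the moment it installs itself, is the basis of file integrity monitoring. The following is an added example, not Cisco’s or Tripwire’s code: it takes a SHA-256 baseline of a directory tree, rescans it, and reports additions, removals and modifications. The demo directory, file names and contents are constructed in a temporary folder purely for illustration; nothing in it corresponds to a real PoSeidon artifact.

```python
"""Minimal file integrity monitor: baseline, rescan, diff (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a link pointing outside the tree is not hashed as content.
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Files added, removed or whose content hash changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: clean baseline, then a dropped binary and an edited config."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ legitimate terminal software")
        (root / "pos.cfg").write_text("server=10.0.0.5\n")
        baseline = snapshot(root)

        # Changes the monitor should surface on the next scan (made-up names).
        (root / "bin" / "dropped.exe").write_bytes(b"MZ unexpected new binary")
        (root / "pos.cfg").write_text("server=10.0.0.5\nupload=http://placeholder.invalid/\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

    Hash baselines only help if they are stored where the monitored host cannot rewrite them and if the scan interval is shorter than the time between installation and exfiltration, which is why production FIM tools also watch file-system events rather than only polling.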
  30. Tomi Engdahl says:

    So, you know those exciting movie-style 3D visual cyber attack ops centres?
    Yep, definitely not reality: The MoD is buying one
    http://www.theregister.co.uk/2015/03/24/airbus_awarded_14m_cyber_protection_study/

    Airbus has been awarded a contract worth £1.4m to “develop and mature” a movie-style 3D Virtual Cyber Centre of Operations (VCCO) for the Ministry of Defence.

    The research contract engages Airbus to develop a “3-D virtual world to enable collaboration and shared situational awareness,” across a sprawling network of security bods.

    The VCCO is intended to demonstrate “how virtual collaboration might give commanders a better understanding of how they are being targeted by cyber enemies on the battlefield”.

    At a press demonstration in London yesterday, the Oculus Rift VR headset was being shown as a possible interface.

    “The VCCO concept aims to provide decision makers and SMEs with an overview of the shared cyber environment, so they can understand where the threats might lie, and how they might collaborate securely to defeat those threats,” states an Airbus press release.

    Reply
  31. Tomi Engdahl says:

    Xen shows off 35-piece cloudpocalypse collection
    The latest fixing fashions for open-source hypervisors hit the catwalk
    http://www.theregister.co.uk/2015/03/24/xen_shows_off_35piece_cloudpocalypse_collection/

    The Xen Project has fixed 35 flaws, all rated critical, for versions 4.3 and 4.4 of its flagship hypervisor. The fixes appear to correspond to flaws identified after the late February 2014 cloudpocalypse, when major cloud providers feared they would once again need to reboot substantial parts of their server fleets to keep them secure.

    Reply
  32. Tomi Engdahl says:

    BlackHat talk hibernated over 0-day in SAP’s Afaria mobile manager
    Researcher has form as a gent: he held back disclosure of medical records leak
    http://www.theregister.co.uk/2015/03/24/sap_blackhat_talk_nixed_medical_app_vulns/

    Alexander Polyakov has been forced to withdraw a talk detailing dangerous vulnerabilities in SAP’s mobile device management product Afaria, scheduled to be given at BlackHat Asia Pacific this week.

    The prolific SAP hacker and chief technology officer of ERPScan says his talk was scuppered after SAP failed to patch the vulnerabilities after being informed some 12 months ago.

    “The vulnerabilities are pretty dangerous and not easy to fix,” Polyakov told The Register.

    “We can’t deliver the talk because they (SAP) were unable to fix some issues.”

    Polyakov says the flaws relate to an unexpectedly privileged level of control attackers can achieve on mobile devices under management, rather than data theft.

    The hacker would have also revealed tardy patching efforts for a dangerous flaw in SAP’s Electronic Medical Records Unwired application that until last week could grant attackers access to sensitive medical records.

    He found a second flaw in the app that meant attackers could force it to connect to malicious servers.

    It took SAP six months to fix the first flaw but nearly two years to patch the second after it first acknowledged it in April 2013, despite Polyakov considering the issues an “easy” fix.

    Reply
  33. Tomi Engdahl says:

    The insurance company smelled a business niche: Virus Insurance

    Denial of service attacks and intrusions are accidents like fires, believes the insurance company If.

    Now the company provides cover and counseling for, among other things, theft, malicious applications and viruses. It will also compensate damage to the business.

    The insurance condition is that the company has taken proper care of data protection, backups and virus protection, says the insurance company If’s corporate business manager Jens Jensen.

    There are other restrictions; for example, intrusions made with devices stolen from the companies themselves are not paid. “We cannot investigate stolen devices. Access to the company’s information systems must be prevented,” says Jensen.

    The cost of insurance depends on many factors. The price usually starts at a few thousand euros a year.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-23/Vakuutusyhti%C3%B6-haistoi-bisnesraon-Virusvakuutus-3217899.html

    Reply
  34. Tomi Engdahl says:

    Adobe Flash fix FAIL exposes world’s most popular sites
    You had one job, Adobe, one job …
    http://www.theregister.co.uk/2015/03/24/borked_adobe_flash_files_expose_worlds_most_popular_sites/

    Hackers Luca Carettoni and Mauro Gentile found a badly-applied four-year-old Adobe patch allows attackers to steal information and commandeer accounts for three of the world’s top ten websites and ‘many’ others.

    The LinkedIn and Minded Security researchers say the indirect Same-Origin-Policy Request Forgery and Cross-Site Request Forgery bypasses relate to a failed patch (CVE-2011-2461) issued in 2011. It is intended to fix Adobe Shockwave files that are vulnerable when built through the company’s Flex software development kit compiler.

    Carettoni (@_ikki) and Gentile (@sneak_) found files need to be recompiled after the patch is applied and tipped off the unnamed affected websites and Adobe.

    “The particularity of CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited,” the duo wrote in an advisory.

    Reply
  35. Tomi Engdahl says:

    Nobody Is Sure What Should Count As a Cyber Incident
    http://it.slashdot.org/story/15/03/23/2237233/nobody-is-sure-what-should-count-as-a-cyber-incident

    Despite a lot of attention to the problem of cyber attacks against the nation’s critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a “cyber incident” in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.

    How cyberattacks can be overlooked in America’s most critical sectors

    Across some of the most crucial sectors of the American economy, there’s a lack of consensus of what exactly should be considered a ‘cyberincident’ – and whether technical mishaps, even without malicious intent, should count. That’s a problem.
    http://www.csmonitor.com/World/Passcode/2015/0323/How-cyberattacks-can-be-overlooked-in-America-s-most-critical-sectors

    The most critical sectors of the American economy were affected by 245 “cyberincidents” last year, according to the Department of Homeland Security. As high as that number seems, however, security experts caution the real number may be much higher.

    Turns out, there’s a huge gulf between the Internet-related attacks the department’s Industrial Control System Cyber Emergency Response Team recorded for the country’s critical infrastructure – important areas such as energy, manufacturing, agriculture, and healthcare – and the true number of malfunctions, technological failures, or other happenings within those sectors.

    The discrepancy comes down to widespread uncertainty of when something should be classified as a “cyberincident” in the first place.

    This lack of consensus, security experts warn, may actually cause many cyberattacks on critical infrastructure to go undetected or unrecognized altogether, especially since a malicious attack could first appear like technical glitches or human error.

    Generally, NIST considers a cyberincident to be any situation in which a failure in electronic communications leads to a loss of confidentiality, integrity, or availability. Malicious incidents such as a distributed denial of service attack or hacking control system software certainly qualify, but its definition of “incident” is far broader than just cyberattacks or malicious actions.

    What’s ‘cyber’ and what’s not

    In its annual report for 2014, Homeland Security acknowledged that many malicious cyberincidents go unreported – possibly because critical infrastructure owners are wary of bad publicity, or because they determine that they have the incident under control and do not need outside assistance in managing it.

    Those missed reports about malicious incidents are an important source of data about threats to control systems.

    “Incidents don’t have to be malicious to cause bad things to happen,” says Weiss, managing partner at the security firm Applied Control Solutions. “In fact, nonmalicious incidents are the most probable and frequent incidents that occur.”

    His list includes some of the most deadly and destructive public sector accidents of the last two decades – events that are not generally considered “cyberincidents” by NIST or within critical infrastructure circles. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham, Washington, that killed three people, and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

    None of those incidents are believed to be the result of a malicious attack. However, in each of them, there was a failure in Supervisory Control and Data Acquisition (SCADA) software that managed critical infrastructure. That failure contributed – directly or indirectly – to the subsequent accident. In at least one case, the SCADA failure was the primary cause of the accident.

  36. Tomi Engdahl says:

    Opinion
    5 Myths (Debunked) About Security and Privacy for Internet of Things
    http://www.cio.com/article/2875101/security-and-privacy/5-myths-debunked-about-security-and-privacy-for-internet-of-things.html

    IoT has the potential to enable improvements to so many facets of life, the list is endless. Its primary advancement is enabling the interconnectedness of “things” and resulting insights and synergies. Yet that same connectedness raises concerns for security and privacy that must be addressed.

    Myth #1: More security means less privacy, and vice versa.
    Myth #2: Existing IT security and privacy concepts and practices are sufficient to meet IoT challenges.
    Myth #3: Cyber security today is a well-established, mature science that addresses most IoT concerns.
    Myth #4: Software security that works for IT will work for IoT.
    Myth #5: IoT cybersecurity is a challenge the private sector can meet alone.

  37. Tomi Engdahl says:

    Hertz installs cameras and microphones in rental cars
    http://www.cnet.com/news/hertz-installs-cameras-and-microphones-in-rental-cars/
    Technically Incorrect: Some of Hertz’s NeverLost systems now have cameras and mics — which the company claims it doesn’t intend to use at this time.

  38. Tomi Engdahl says:

    Companies should not give in to blackmail by online criminals. “The payment does not guarantee that you get away with it,” says Check Point’s Petri Sonkeri.

    Earlier, corporate network hacking was done mainly by experienced teens; now the attackers are professional criminals.

    “The motives for attacks vary: in addition to commercial crime, one should not forget political motives or even terrorism.”

    “The information security industry is really timely: security threats are growing all the time.”

    “Now that companies do not have their own data centers, systems revolve around the cloud. Users use their own devices, which are actually in use on who knows what network.”

    Sonkeri reminds that the threats may apply even to a small company.
    “It can be pressured, for example, to pay a thousand dollars in ransom, or otherwise the firm’s networks are threatened with being busted.”
    In his opinion, paying the ransom is not a good solution.
    “The payment does not guarantee that you get off the hook. The best solution is to prevent criminals’ access to the company’s own networks and enterprise data.”

    Criminals’ use of these technologies evolves, and their ability to hide is effective. Standard anti-virus software cannot recognize the worst threat of this time: new viruses that prevention programs do not yet know.

    “Threats are changing all the time, and already recognized malware changes shape. Traditional firewalls and anti-virus are ineffective if someone wants to seriously attack the company,” Sonkeri estimates.

    Also, zero-day attacks are becoming more frequent. Check Point’s studies show that only one percent of companies are properly hedged against them.

    “Our analysis of network traffic also revealed that in almost all the big companies whose networks we reached, malware was found.”

    “The world is global and the threats are common. Finland may have been a more tranquil corner, but the big denial of service attacks at the end acted as a wake-up call: people began to be interested in hedging against them.”

    According to Sonkeri, the protection of automation systems is also an enormous matter:

    “Protecting automation systems has only now been woken up to. In today’s Internet of Things, several automation systems are connected to the Internet. Embedded systems are not updated as frequently as traditional IT equipment, and the systems have a long life. Who knows what kind of holes can be found there?”

    Source: http://summa.talentum.fi/article/tv/uutiset/145896

  39. Tomi Engdahl says:

    Section 66A: India court strikes down ‘Facebook’ arrest law
    http://www.bbc.com/news/world-asia-india-32029369

    India’s Supreme Court has struck down a controversial law which allowed police to arrest people for comments on social networks and other internet sites.

    The court ruled that the controversial Section 66A of the Information Technology Act was unconstitutional.

    In recent years, several people have been arrested for their comments on Facebook or Twitter, sparking outrage.

    The government had defended the law, saying it was meant to deter people from uploading offensive material.

    Section 66A was sweeping in its powers – it could send a person to jail for three years for sending an email or other electronic message that “causes annoyance or inconvenience”.

  40. Tomi Engdahl says:

    “The science of cyber security is still in its infancy.” The emphasis here should be on the term “science,” in terms of an evidence-based foundation for our concepts and practices.

    One area that needs to be explored: we don’t have good cyber-domain models of human, user behavior. What drives us to make good – or poor – security and privacy decisions? That’s critical, because humans are involved in every element of the IoT, including its design, implementation, operation, deployment, maintenance, use and decommissioning.

    With humans so integral to the Internet and IoT, we’d better understand ourselves in a scientific fashion.

    The challenge here is that human behavior doesn’t have a closed form like math. Encryption, for instance, has a nice, neat, closed form, in terms of how it describes a problem and how it provides a solution. Science is a good way to deal with systems – like human behavior – that don’t have closed forms. I’m aware that astronaut and pilot behavior has been modeled to streamline spacecraft and jet controls. Digital advertising companies have done online human behavior monitoring for years, with some controversy over privacy issues. Biologists are modeling the behavior of cells. But in the broader, everyday realm of ordinary people, as they interact with IoT, we’ve only just begun.

    Source: http://www.cio.com/article/2875101/security-and-privacy/5-myths-debunked-about-security-and-privacy-for-internet-of-things.html?page=2

  41. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Google warns of unauthorized TLS certificates trusted by almost all OSes
    Misissued certs known to impersonate several Google domains, may affect others.
    http://arstechnica.com/security/2015/03/google-warns-of-unauthorized-tls-certificates-trusted-by-almost-all-oses/

    In the latest security lapse involving the Internet’s widely used encryption system, Google said unauthorized digital certificates have been issued for several of its domains and warned misissued credentials may be impersonating other unnamed sites as well.

    The bogus transport layer security certificates are trusted by all major operating systems and browsers, although a fall-back mechanism known as public key pinning prevented the Chrome and Firefox browsers from accepting those that vouched for the authenticity of Google properties, Google security engineer Adam Langley wrote in a blog post published Monday. The certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operates under the China Internet Network Information Center (CNNIC). The Chinese domain registrar and certificate authority, in turn, is included in root stores for virtually all OSes and browsers.

    The issuance of the unauthorized certificates represents a major breach of rules established by certificate authorities and browser makers. Under no conditions are CAs allowed to issue certificates for domains other than those legitimately held by the customer requesting the credential. In early 2012, critics blasted US-based CA Trustwave for doing much the same thing and Langley noted an example of a France-based CA that has also run afoul of the policy.

    Maintaining digital certificate security
    http://googleonlinesecurity.blogspot.fi/2015/03/maintaining-digital-certificate-security.html

    On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.

    CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.

    We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy.

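The public-key pinning that protected Chrome and Firefox users here is easy to model: path validation asks whether some trusted root signs the chain, while pinning asks whether a specific key appears in it. The Go program below is an added example, not code from Google or Ars Technica; it builds a constructed PKI in memory (the names "Trusted Root", "Site Intermediate", "Contracted Sub-CA" and the host mail.example.com are made up, and both intermediates hang under one root for brevity, where in the incident the sub-CA hung under a separate trusted root) and shows that a misissued certificate passes ordinary validation but fails the pin check.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var ErrNotPinned = errors.New("chain trusted by root store but contains no pinned key") // path validation passed, pin check did not
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue creates a P-256 certificate for cn signed by parent; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // only meaningful on the leaf
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value HPKP and Chrome's built-in pins use.
func SPKIPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}
// VerifyPinned runs ordinary path validation against roots, then requires a pinned key somewhere in the chain.
func VerifyPinned(leaf, inter *x509.Certificate, roots *x509.CertPool, host string, pins map[[32]byte]bool) error {
	ipool := x509.NewCertPool()
	ipool.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: ipool})
	if err != nil {
		return err // the root store itself rejects the chain
	}
	for _, c := range chains[0] { // leaf, intermediate, root of the first valid path
		if pins[SPKIPin(c)] {
			return nil
		}
	}
	return ErrNotPinned
}
// Scenario: one trusted root; the site pins its own intermediate, and a different sub-CA misissues a leaf for its host.
func Scenario() (legitErr, rogueErr error) {
	const host = "mail.example.com" // constructed name standing in for a pinned site
	root, rootKey := issue("Trusted Root", true, nil, nil)
	siteInt, siteIntKey := issue("Site Intermediate", true, root, rootKey)
	legitLeaf, _ := issue(host, false, siteInt, siteIntKey)
	subCA, subCAKey := issue("Contracted Sub-CA", true, root, rootKey)
	rogueLeaf, _ := issue(host, false, subCA, subCAKey) // misissued: the sub-CA does not own host
	roots := x509.NewCertPool()
	roots.AddCert(root)
	pins := map[[32]byte]bool{SPKIPin(siteInt): true}
	return VerifyPinned(legitLeaf, siteInt, roots, host, pins), VerifyPinned(rogueLeaf, subCA, roots, host, pins)
}
```

Scenario returns nil for the legitimate chain and ErrNotPinned for the misissued one, which is exactly the distinction a root store alone cannot make.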
  42. Tomi Engdahl says:

    $1B TSA Behavioral Screening Program Slammed As “Junk Science”
    http://yro.slashdot.org/story/15/03/24/1243245/1b-tsa-behavioral-screening-program-slammed-as-junk-science

    The Transportation Security Administration has been accused of spending a billion dollars on a passenger-screening program that’s based on junk science. The claim arose in a lawsuit filed by the American Civil Liberties Union

    $1 Billion TSA Behavioral Screening Program Slammed as Ineffective “Junk Science”
    http://www.allgov.com/news/where-is-the-money-going/1-billion-dollar-tsa-behavioral-screening-program-slammed-as-ineffective-junk-science-150323?news=856031

    The Government Accountability Office (GAO) reported in 2010 that “TSA deployed SPOT nationwide before first determining whether there was a scientifically valid basis for using behavior detection and appearance indicators as a means for reliably identifying passengers as potential threats in airports,” according to the ACLU. And in 2013, GAO recommended that the agency spend less money on the program, which uses 3,000 “behavior detection officers” whose job is to identify terrorists before they board jetliners.

    The ACLU contends SPOT uses racial profiling, even though TSA has a zero-tolerance policy for such singling out of people based on their ethnicity.

  43. Tomi Engdahl says:

    Patricia Zengerle / Reuters:
    ‘Threat-sharing’ cybersecurity bill introduced in U.S. House
    http://www.reuters.com/article/2015/03/24/us-cybersecurity-congress-idUSKBN0MK1ZM20150324

    (Reuters) – Leaders of the House of Representatives Intelligence Committee introduced legislation on Tuesday to make it easier for companies to share information about cybersecurity threats with the government, without the fear of being sued.

    Prompted in part by high-profile cyber attacks on corporations, the Protecting Cyber Networks Act has significant bipartisan support. Although privacy activists worry that it could lead to more surveillance, proponents say the measure has strong backing from the business community and a good chance of being passed by Congress.

    “This is a growing concern and getting worse,”

  44. Tomi Engdahl says:

    F-Secure: How You Can Protect Yourself from Evil DNS
    http://www.4-traders.com/F-SECURE-OYJ-1412460/news/F-Secure–How-You-Can-Protect-Yourself-from-Evil-DNS-20081575/

    How You Can Protect Yourself from Evil DNS

    New one-button tool from online security leader F-Secure helps people keep their Internet traffic heading in the right direction.

    Helsinki, Finland – March 25, 2015: The Internet works in mysterious ways for many people, and that’s something that attackers can use to their advantage. But Internet users now have an easy-to-use tool to help prevent themselves from becoming part of an online scam. The one-button Router Checker, developed by F-Secure, checks people’s Internet set-ups to help protect them from having their web traffic misdirected to websites that can spread malware or steal their personal information.

    Router Checker makes it easy to identify altered Internet settings that can let attackers manipulate what people see and do online. Attacks that change router or Internet settings are popular amongst hackers because it allows them to reach large numbers of people without being noticed. According to F-Secure’s Labs, over 300,000 home or office routers were discovered to have altered settings in 2014, with each router potentially serving multiple computers, mobile phones and other devices.

    Attacks like these are difficult to notice because they can manipulate people in very subtle ways. “Attacks that target Internet settings often go unnoticed because they don’t really have obvious symptoms for people to pick up on. People will suddenly see more ads, or they’ll be misdirected to a dangerous website that looks and feels safe”,

    https://campaigns.f-secure.com/router-checker/

  45. Tomi Engdahl says:

    Flash-Based Vulnerability Lingers On Many Websites, Three Years Later
    http://it.slashdot.org/story/15/03/24/2241220/flash-based-vulnerability-lingers-on-many-websites-three-years-later

    The vulnerability known as CVE-2011-2461 was unusual because fixing it didn’t just require the Adobe Flex Software Development Kit (SDK) to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn’t.

    Flash-based vulnerability lingers on many websites three years later
    http://www.itworld.com/article/2901235/flashbased-vulnerability-lingers-on-many-websites-three-years-later.html

    The vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich Internet applications in Flash.

    The vulnerability was unusual because fixing it didn’t just require Flex SDK to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK.

    According to an Adobe tech note at the time, all Web-based Flash applications compiled with Flex 3.x and some built with Flex 4.5 were vulnerable. The company released a tool that allowed developers to easily fix existing SWF files, but many of them didn’t.

    Last year, Web application security engineers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security came across the old flaw while investigating Flash-based techniques for bypassing the Same-Origin Policy (SOP) mechanism found in browsers.

    SOP prevents scripting content loaded from one website—or an origin—from affecting the content of another website.

    The researchers released their SWF test tool, which is called ParrotNG and is written in Java, on GitHub.
    https://github.com/ikkisoft/ParrotNG/releases

    If any vulnerable files are found, they should be patched with the Adobe tool released in 2011 or recompiled with newer Apache Flex SDK versions.

    Without this mechanism in place, any malicious site could load, for example, Gmail in a hidden iframe and when authenticated Gmail users visit the malicious site, it could steal their Gmail authentication cookies.

    According to Carettoni and Gentile, the Flex vulnerability makes such attacks possible. It also allows a malicious website to load a vulnerable SWF file from a target website and then execute unauthorized actions on behalf of that site’s users when they visit the malicious Web page.

    They found SWF files that were still vulnerable on Google, Yahoo, Salesforce, Adobe, Yandex, Qiwi and many other sites. After notifying the affected websites, they presented their findings last week at the Troopers 2015 security conference in Germany.

    “There are still many more websites that are hosting vulnerable SWF files out there,”

  46. Tomi Engdahl says:

    BT Home Hub SIP backdoor blunder blamed for VoIP fraud
    You say ‘block all connections’, I say ‘my port’s still open’
    http://www.theregister.co.uk/2015/03/25/bt_home_hub_fraud_sip_voip_calls/

    Flaws in a BT Home Hub set-up are being blamed for helping facilitate a VoIP scam.

    Independent security consultants at Pen Test Partners confirmed a security issue in BT’s Home Hub setup, but argued the telco’s kit (which is not really designed for small businesses) was only partially to blame.

    This type of fraud involves crooks hacking into a VoIP system before selling on the illicit access they’ve obtained.

    “Ultimately, it made sure that the BT Home Hub security settings were set as high as they could be, and the firewall was turned on and set to block external connections. All SIP [Session Initiation Protocol] accounts had 256-bit passwords, and I am sure he/she was under the impression that the firewall on the Home Hub would stop all forms of outside access, and wasn’t to know that there was a built-in weakness,”

  47. Tomi Engdahl says:

    Vulnerabilities in many F-Secure products:

    FSC-2015-2: Path Traversal Vulnerability
    Risk Level: HIGH
    https://www.f-secure.com/en/web/labs_global/fsc-2015-2

    During internal testing in F-Secure, it was discovered that it is possible for a remote attacker to perform path traversal against the update channel through a Man-in-the-Middle (MITM) attack. The effect of this upon successful exploitation is that an attacker can replace any file on an affected system.

    This advisory will be updated as additional information becomes available.

    Note: Appropriate fixes have been applied to all F-Secure backend systems prior to the security advisory release.

  48. Tomi Engdahl says:

    Sex extortion on the rise

    Sex-related extortion cases taking place through the internet have increased, the security company Trend Micro reported. In these cases, criminals trick victims into saving sexually sensitive material of themselves, which the criminals then threaten to spread.

    According to Trend Micro, the cases have increased especially in Asia. The company has studied the cases in addition to the tools used by criminals.

    Extortion malware has, for example, resulted in contact information being stolen from the victim’s phone.

    The extortion cases recently revealed by Trend Micro show that, in addition to improved technical skills, criminals have better abilities to manipulate their victims.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-03-25/Seksikiristykset-kasvussa-3218013.html

  49. Tomi Engdahl says:

    Kreditech Investigates Insider Breach
    http://krebsonsecurity.com/2015/03/kreditech-investigates-insider-breach/

    Kreditech, a consumer finance startup that specializes in lending to “unbanked” consumers with little or no credit rating, is investigating a data breach that came to light after malicious hackers posted thousands of applicants’ personal and financial records online.

    The site announced that a group of hackers calling itself “A4” put the information online after finding “hundreds of gigabytes” of Kreditech’s documents, including what appear to be configuration files from the company’s Intranet and internal servers.

    “The company, getting multimillion investments, probably decided to spend them for anything but security of their clients’ data,” the hacker group wrote.

    The hacker group didn’t say how it obtained the documents.

    Friedrich said Kreditech believes the data was stolen not from customers but only from credit applicants.

  50. Tomi Engdahl says:

    Dark Web’s ‘Evolution Market’ Vanishes
    http://krebsonsecurity.com/2015/03/dark-webs-evolution-market-vanishes/

    The Evolution Market, an online black market that sells everything contraband — from marijuana, heroin and ecstasy to stolen identities and malicious hacking services — appears to have vanished in the last 24 hours with little warning. Much to the chagrin of countless merchants hawking their wares in the underground market, the curators of the project have reportedly absconded with the community’s bitcoins — a stash that some Evolution merchants reckon is worth more than USD $12 million.
