Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack, and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year, advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
Tomi Engdahl says:
The rapid proliferation and use of personal and work-related mobile applications is one of the reasons a typical large enterprise may have up to 2000 or more unsafe applications installed in their environment.
In fact, a typical user accesses an average of 24.7 mobile applications per month.
Worse yet, traditional approaches taken by security teams, such as manually testing and blacklisting or whitelisting applications, are proving inadequate to keep up with the number of applications and rate of change in the mobile landscape.
Source: https://webinar.darkreading.com/19775?keycode=DRWE03
Tomi Engdahl says:
Virgin Media takes its time on website crypto upgrade
Mozilla and Chrome wave red flags at ISP
http://www.theregister.co.uk/2015/03/30/virgin_media_rc4_cipher_tls/
Virgin Media has failed to upgrade weak encryption software that it uses for sensitive parts of the telco’s website, despite complaints from customers who claim to have repeatedly flagged up security concerns to the firm.
In parallel with the gripes, Mozilla – which recently told netizens that it planned to end support for the RC4 stream cipher used by VM – has an open tracking bug about the cable company’s site.
Elsewhere, Google’s browser Chrome has also been spitting out security warnings about various Virgin Media pages (such as https://identity.virginmedia.com) because the connection has to first be retried to use an older version of the TLS (transport layer security) protocol.
But Virgin Media has yet to upgrade its service, even though it first heard about the potential security headache late last year.
“Although there are no practical exploits of the algorithm, we have a programme of work which is well underway that will address the issue.”
Infosec bods recently called for the RC4 cipher to be outlawed by companies, after new research appeared to show that attacks against the scheme were becoming easier.
“Yes, the RC4 issue isn’t particularly practically exploitable based on the information that is known publicly, but – as pointed out to VM – the service is also TLS 1.2 intolerant, which means that the software they use can’t have been patched in years and is therefore, by definition, going to be security vulnerable to other issues.”
“No SSL/TLS stack has remained secure over that passage of time since this has been resolved so it’s a vulnerability canary,”
Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS
http://www.isg.rhul.ac.uk/tls/RC4mustdie.html
Tomi Engdahl says:
The NSA had considered ceasing mass surveillance before Snowden
Well, that would have saved it a whole lot of trouble
http://www.theinquirer.net/inquirer/news/2401953/the-nsa-had-considered-ceasing-mass-surveillance-before-snowden
THE US NATIONAL SECURITY AGENCY (NSA) considered dropping its local mass surveillance practices before Edward Snowden made his revelations, but decided that perhaps this was not the best idea.
Hindsight is a wonderful thing.
Us spectators can see why it might have been a good idea for the NSA to cancel that controversial programme back then, and perhaps the NSA can too.
It would still have been controversial, but it might have been far less controversial and the NSA might not quite be as damned as it is today.
Associated Press sources claim that some sage bodies at the NSA felt that the incredible cost of dragnet snooping on innocent communications for the occasional mention of terror chat outweighed the benefits.
Officials were concerned that it cost too much money, was ineffective, unpopular and not a key tool in the fight against terrorism. Higher level officials, or presumably just more people, disagreed, and the system that we have come to know and be appalled by continued.
Tomi Engdahl says:
Andy Greenberg / Wired:
DHS subpoenas Reddit for personal data on users involved with defunct dark-web marketplace Evolution
Feds Demand Reddit Identify Users of a Dark-Web Drug Forum
http://www.wired.com/2015/03/dhs-reddit-dark-web-drug-forum/
Over the last year, Reddit’s “dark net markets” discussion forum has grown into one of the central fixtures of the online drug scene. At any given moment, hundreds of redditors are browsing reddit.com/r/darknetmarkets, many brazenly discussing anonymous online sales on the open internet.
Now the feds have noticed. And they’re telling Reddit to cough up a few of those users’ real-world identities.
The subpoena appears to be the first hint of a federal investigation of the recently defunct massive online market known as Evolution, which sold drugs, weapons, and stolen financial details.
All five targets of the subpoena were involved, to varying degrees, in the Reddit discussion of that black market’s abrupt disappearance two weeks ago, in which two top administrators apparently absconded with millions of dollars worth of bitcoin belonging to Evolution’s buyers and sellers.
When WIRED reached out to Reddit, a spokesperson pointed to the site’s privacy policy, which states that Reddit does collect IP addresses and other potentially identifying data from users, which it deletes after 90 days. The policy adds that it may disclose that data to law enforcement—or hold it longer than 90 days—if legally required to do so.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
GreatFire says China is behind the DDoS attacks on GitHub and its website in new report
China Is Behind DDoS Attack on GitHub, Activists Say
http://motherboard.vice.com/read/china-is-behind-ddos-attack-on-github-activists-say
A well-known group of activists that has fought Chinese online censorship for years is publicly accusing China of launching the massive distributed denial of service attacks against the coding website GitHub.
On Monday, as GitHub was still under attack, the Internet activist group GreatFire published a forensic report written by an independent security researcher.
“We now have proof,” Charlie Smith, a member of GreatFire who goes by a pseudonym to protect himself, told Motherboard. “The Cyberspace Administration of China is behind both of the recent DDoS attacks.”
The forensic analysis shows that both attacks relied on the same technique: malicious code injected within China’s network, between users and the so-called Great Firewall, where China can tamper with Internet traffic going into or out of the country.
On March 18, GreatFire revealed that its websites hosted on Amazon’s cloud hosting service AWS were being hit by a large and unprecedented DDoS attack that was costing the group as much as $30,000 a day in bandwidth.
“Hijacking the computers of millions of innocent internet users around the world is particularly striking as it illustrates the utter disregard the Chinese authorities have for international as well as even Chinese internet governance norms,” Smith said.
The attack against GreatFire relied on the same technique used against GitHub: malicious javascript code injected “someplace between when the traffic enters China and when it hits Baidu’s servers,” according to GreatFire.
“There’s not enough data to blame the government,” Blasco told Motherboard. “But it’s either the government, Baidu or Chinese Internet Service Providers who are modifying content.”
Tomi Engdahl says:
Facebook found leaking private photos
Creepy iOS, Android apps could suck down saucy pics
http://www.theregister.co.uk/2015/03/20/facebook_leaking_private_photos_vuln/
Bug hunter Laxman Muthiyah has reported a Facebook vulnerability that exposes private photos to potentially malicious applications.
The hacker received US$10,000 from Menlo Park for reporting the bug in Facebook Photo Sync and an API that allows third party apps to siphon private pics.
Muthiyah says iOS and Android apps that contain a user_photos permission could prior to the patch nab photos by simply residing on a victim’s device.
“A malicious app which you are using can read all of your private photos in few seconds,” Muthiyah says.
“After few minutes of testing, I realised that [the] vaultimages endpoint is vulnerable.
Muthiyah found the Facebook app makes GET requests to /vaultimages using a top level access token to read photos which is verified using an access token. Facebook however did not check what application issued the request.
Facebook pounced on Muthiyah’s disclosure, shuttering the bug in 30 minutes by whitelisting official applications.
It is unknown how many non-whitelisted apps now sport broken photo synchronisation features.
Tomi Engdahl says:
How Malvertising Abuses Real-Time Bidding On Ad Networks
http://it.slashdot.org/story/15/03/30/1524232/how-malvertising-abuses-real-time-bidding-on-ad-networks
Dark corners of the Internet harbor trouble. They’re supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That’s the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some targeted attacks.
Adding gasoline to the raging fire is the abuse of real-time ad bidding, a revolution in the way online ads are sold.
Ad Networks Ripe for Abuse Via Malvertising
https://threatpost.com/ad-networks-ripe-for-abuse-via-malvertising/111840
How targeted? Security company Invincea says geo-targeting of advertisements can pinpoint ads geographically, limiting attacks to specific states or even neighborhoods. Hackers can do the same kind of targeting, focusing in on an enterprise’s public IP space with malicious ads through RTB, or use more generic profiling of users through their shopping habits, or via high-traffic websites hosting certain click-bait types of content.
“All ads are RTB now, it’s been that way for 18 months, so any time you hear about malvertising, it’s always because RTB has been abused,” said Pat Belcher, director of malware analysis at Invincea.
Belcher said hackers who dabble in malvertising are generally a step ahead of defenders by exposing loopholes in controls put in place by ad networks to sidestep ad scanning. And even if malvertising campaigns are found out, they’re generally live only for a matter of hours and are burned to the ground before an ad network can take action against a phony account.
“It’s almost foolproof,” Belcher said.
Malvertising is the means to an end for an attacker–and the ends haven’t changed much. Hackers use the tactic to build botnets, distribute banking malware, or even deliver complicated exploits used in targeted attacks. The nuance is in the simplicity with which malvertising schemes are pulled off. Belcher said the first step is to create a phony corporate front in order to buy ads posing as a legitimate advertiser.
Usually, the attackers already manage compromised websites hosting exploit code where malvertising victims will be sent. Once a victim is chosen, either geographically, by entity, or user class, the hacker will bid up their ads via RTB to get their ads displayed on the sites they target. The money to jack up the bidding, Invincea says, is usually stolen or generated from click-fraud and other malware campaigns.
“Part of it is proliferation, part of it is attackers figuring out how insanely easy it is,” Hansen said. “It’s easier than hacking websites. Also ad space doesn’t cost them anything. If they hack a website, they’ll likely get busted, therefore it’s more costly to them.”
Major websites have been identified as hosting malvertising, cutting a wide swathe across the Internet, including big news and entertainment sites, search engines and many more. The scale at which campaigns can ramp up is undeniable–if hackers so choose. Their profits from these campaigns too are not limited to click fraud, which until the last six to nine months has been the most damaging outcome of malvertising forays.
Tomi Engdahl says:
Ebay snuffs malware upload bug
Flaw let crims sling drive-by-downloads
http://www.theregister.co.uk/2015/03/31/ebay_snuffs_malware_upload_bug/
Hacker Aditya Sood has disclosed two vulnerabilities in eBay that allow hackers to upload files for drive-by-download attacks.
Once uploaded to eBay, malware can be sent to victims using direct links.
“The eBay server fails to implement secure header checks on the image files being uploaded on the server,” Sood who found the flaws with colleague Rohit Bansal told the Kaspersky threat service.
“It basically verifies the image extensions. As a result, it is possible to upload a camouflaged malicious file with image file extension.
“The attacker can upload malicious exe file camouflaged as image files and then use the URL in drive by download attacks.”
eBay Fixes File Upload and Patch Disclosure Bugs
https://threatpost.com/ebay-fixes-file-upload-and-patch-disclosure-bugs/111898
eBay has fixed a pair of security vulnerabilities in its site that could enable attackers to upload executable files disguised as benign file types, construct full path URLs and then point victims to them through drive-by download attacks.
The first bug resulted from the failure of an eBay page to check the headers of image files uploaded by users. An attacker could take advantage of this to upload a malicious file disguised as an image, which the server then will accept and store.
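The extension-only check described in the two stories above, beside the header (magic-byte) check the articles say eBay lacked. This is an added example and not eBay's code; the accepted formats, the signature tables and the two sample upload bodies are constructed here for illustration.

```python
# Added example (not eBay's code): validate an uploaded "image" by its file
# header rather than by its extension, which is the weak check described in
# the comment above.  The sample upload bodies below are constructed inline.
from typing import Optional, Tuple

# Leading bytes ("magic") that each accepted image format must begin with.
IMAGE_SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Which image format each permitted extension must actually contain.
EXTENSION_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

# Headers of native executable containers; never store these as "images".
EXECUTABLE_SIGNATURES = {
    "pe": (b"MZ",),
    "elf": (b"\x7fELF",),
    "macho": (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"),
}


def extension_of(filename: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_only_check(filename: str) -> bool:
    """The weak check: accepts anything whose name ends in an image extension."""
    return extension_of(filename) in EXTENSION_TO_FORMAT


def sniff_format(data: bytes, table: dict) -> Optional[str]:
    """Return the first format in `table` whose signature `data` starts with."""
    for fmt, signatures in table.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None


def header_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """
    The stronger check: the extension, the bytes actually uploaded and the
    executable blocklist must all agree before the upload is accepted.
    Returns (accepted, reason).
    """
    ext = extension_of(filename)
    if ext not in EXTENSION_TO_FORMAT:
        return False, f"extension '{ext}' is not an accepted image type"
    exe = sniff_format(data, EXECUTABLE_SIGNATURES)
    if exe is not None:
        return False, f"executable header ({exe}) disguised as .{ext}"
    actual = sniff_format(data, IMAGE_SIGNATURES)
    if actual is None:
        return False, "no recognised image header"
    expected = EXTENSION_TO_FORMAT[ext]
    if actual != expected:
        return False, f"header says {actual}, extension says {expected}"
    return True, actual


# Constructed sample uploads: a PNG header plus IHDR chunk start, and a
# PE ("MZ") stub renamed to .jpg, the camouflage described in the comment.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
PE_AS_JPEG = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56

if __name__ == "__main__":
    for name, body in (("photo.png", PNG_UPLOAD), ("photo.jpg", PE_AS_JPEG)):
        print(name, "extension-only:", extension_only_check(name),
              "header check:", header_check(name, body))
```

A header check is necessary but not sufficient on its own: a file can carry a valid image header and still be a polyglot, so stored uploads should also be re-encoded through an image library and served with an explicit Content-Type and `X-Content-Type-Options: nosniff`.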
Tomi Engdahl says:
Encryption is the REAL threat – Head Europlod
It’s all the tech firm’s fault!
http://www.theregister.co.uk/2015/03/31/europlod_encryption_services_real_threat_snowden/
Europe’s top cop has taken to the BBC to once again slam encryption as the biggest threat to counter-terrorism and law enforcement.
Europol Director Rob Wainright said encrypted communications gave plods across the continent the biggest headaches, and his main gripe was with the IT companies that provide them.
“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet,” he said.
He told the civil liberties committee of the European Parliament the same thing last November. Now he says there is “a significant capability gap” that must be closed.
“It’s changed the very nature of counter-terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn’t provide that anymore,” he told the Beeb.
National leaders across the EU have been calling for increased access to private communications since the Charlie Hebdo attacks in Paris.
Tomi Engdahl says:
Sign Up at irs.gov Before Crooks Do It For You
http://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/
If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.
Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.
was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.
“Since I was alerting them that this transaction was fraudulent, their privacy rules prevented them from telling me any more information, such as the routing number and account number of that deposit,” Kasper said. “They basically admitted this was to protect the privacy of the criminal, not because they were going to investigate right away. In fact, they were very clear that the matter would not be investigated further until a fraud affidavit and accompanying documentation were processed by mail.”
Kasper said the transcript indicates the fraudsters filed his refund request using the IRS web site’s own free e-file website for those with incomes over $60,000.
The transcript suggests that the fraudsters who claimed his refund had done so by copying all of the data from his previous year’s W2, and by increasing the previous year’s amounts slightly. Kasper said he can’t prove it, but he believes the scammers obtained that W2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript.
“My tax refund fraud case had gone from stuck in the mud to an open case, almost overnight,” Kasper said. “Or at least it seemed to be that simple. It turned out to be much more complex.”
The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.
To obtain a copy of your most recent tax transcript, the IRS requires the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data is successfully supplied, the IRS uses a service from credit bureau Equifax that asks four KBA questions. Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.
Unfortunately, the IRS is not the only government agency whose reliance on static identifiers actually makes them complicit in facilitating identity theft against Americans. The same process described to obtain a tax transcript at irs.gov works to obtain a free credit report from annualcreditreport.com, a Web site mandated by Congress.
Tomi Engdahl says:
Silk Road agents charged with stealing seized Bitcoin
http://www.bbc.com/news/technology-32124251
Two former US special agents have been charged with stealing large amounts of digital currency while investigating the notorious Silk Road marketplace.
Best known for selling illegal drugs, Silk Road was closed in 2013 following raids by the FBI and other agencies.
The man accused of running the site, Ross Ulbricht, was convicted in February, and prosecutors argued that he had earned about $18m in Bitcoin from the operation.
Shaun Bridges, who worked for the US Secret Service, is charged with wire fraud and money laundering.
The DoJ alleges that he transferred more than $800,000 in Bitcoin into an account at MtGox, a Japanese digital currency exchange that filed for bankruptcy in February.
Tomi Engdahl says:
Periscope smeared by streaming security SNAFU
Live vid titles leak from Twitter’s new app for the Bong! crowd
http://www.theregister.co.uk/2015/03/31/periscope_smeared_by_silly_snafu/
Twitter’s Meerkat-strangling live streaming app Periscope has had its first privacy SNAFU, leaking the titles (but not the content) of videos meant for private circulation only.
Periscope allows users to stream live video into their Twitter feeds. The app debuted mere days after a very similar app, Meerkat, became the Bong! crowd’s latest darling.
The flaw in Twitter’s app means audio and video of a private broadcast will remain private: only the title leaks.
Tomi Engdahl says:
Soon, Your Voice Will Be The Only Password You’ll Ever Need
http://www.businessinsider.com/nuance-voice-biometrics-2013-7
Being forced to remember a variety of passwords and answers to security questions is a very time consuming and difficult task.
Nuance, the voice recognition software company that helps power Apple’s Siri virtual assistant, just unveiled its latest voice biometrics platform.
The platform enables people to access their accounts using only their voice, instead of needing to remember PINs, passwords, and answers to obscure security questions.
Right now, the main focus is on customer service experiences, like those you may have with your bank, cable provider, or wireless service provider over the phone.
For example, private banking firm Barclays Wealth’s customer service line listens to your voice to collect the unique characteristics that define it. It then creates a voiceprint to identify you in the future. Though, another option would be to enable the customer to say “My voice is my password” in order to gain access.
Tomi Engdahl says:
Ask Slashdot: Who’s Going To Win the Malware Arms Race?
http://ask.slashdot.org/story/15/03/31/0140231/ask-slashdot-whos-going-to-win-the-malware-arms-race
We’ve been in a malware arms race since the 1990s. Malicious hackers keep building new viruses, worms, and trojan horses, while security vendors keep building better detection and removal algorithms to stop them. Botnets are becoming more powerful, and phishing techniques are always improving — but so are the mitigation strategies. There’s been some back and forth, but it seems like the arms race has been pretty balanced, so far.
My question: will the balance continue, or is one side likely to take the upper hand over the next decade or two?
Tomi Engdahl says:
Think server vulns are IT’s problem? Think again
Don’t get caught with your cyber pants down
http://www.theregister.co.uk/2015/03/31/security_is_everybodys_problem_vuln_response/
Regardless of the type or size of business you’re part of, the way we approach security has changed forever.
Gone are the days that a business can feel safe with its security design model. Attacks have become more sophisticated.
Your organization should no longer be thinking about “if” an attack will happen, but be planning for “when”.
The question, therefore, is how this changes the scope of our organizational security strategy.
You need to look at the policies, procedures and tools needed to ensure your response is rapid and correct while also covering the steps that can be taken to start closing security gaps within your organization, and learning why security breaches are inevitable.
Only recently we’ve had two high-profile examples of security attack – Sony and Anthem (the latter is the second-largest health insurance provider in the US).
In both cases, the best response firms could offer employees and customers was free identity protection services as a follow up.
The message here is simple: security needs to be part of a combined business and public relations (PR) playbook. The security team within your IT department cannot stand alone, and the way information is shared with customers and employees can destroy an organization’s reputation if not done well.
Rethinking your approach and taking action can help significantly. Here are some strategic guidelines that can be used to protect your organizational employees and customers.
Keep up with regular patching and system maintenance: Symantec reckons we can eliminate 80 per cent of vulnerabilities just by patching servers and workstations routinely.
Security checks with penetration testing twice a year
Retire the really old legacy systems
Have excellent backups, and backups of the backups
Use more than one technology: A single vendor cannot cover everything and represents a weak link in your security chain.
PR and business planning: Develop a playbook with the appropriate legal and public relations folks so you have the correct response if, and when, something happens.
Tomi Engdahl says:
Joseph Cox / Motherboard:
Some Uber customers report fraudulent charges after news of accounts being sold on dark web; company maintains no evidence of breach
Uber Users Say They’re Being Charged for Trips They Didn’t Take
http://motherboard.vice.com/read/uber-users-say-theyre-being-charged-for-trips-they-didnt-take
On Friday, Motherboard revealed that fully functioning Uber accounts were for sale on the dark web. Today, it appears that some people have fallen victim to fraudulent trips being made with their login credentials.
“I’ve checked your account details and it looks like someone has accessed your account illegitimately. We believe that your email account may have been hacked as access was gained to your account by sending a password reset link to your email.”
In a statement issued following the initial news of stolen accounts being for sale, Uber said that it had found no evidence of a breach. The company told The Hill that the accounts for sale were unrelated to a 2014 hack.
Tomi Engdahl says:
Samuel Gibbs / Guardian:
Belgian data regulator finds Facebook tracks logged out, explicitly opted out, and unregistered users, thus breaching EU privacy law
Facebook ‘tracks all visitors, breaching EU law’
http://www.theguardian.com/technology/2015/mar/31/facebook-tracks-all-visitors-breaching-eu-law-report
Exclusive: People without Facebook accounts, logged out users, and EU users who have explicitly opted out of tracking are all being tracked, report says
Facebook tracks the web browsing of everyone who visits a page on its site even if the user does not have an account or has explicitly opted out of tracking in the EU, extensive research commissioned by the Belgian data protection agency has revealed.
The report, from researchers at the Centre of Interdisciplinary Law and ICT (ICRI) and the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven, and the media, information and telecommunication department (Smit) at Vrije Universiteit Brussels, was commissioned after an original draft report revealed Facebook’s privacy policy breaches European law.
The researchers now claim that Facebook tracks computers of users without their consent, whether they are logged in to Facebook or not, and even if they are not registered users of the site or explicitly opt out in Europe. Facebook tracks users in order to target advertising.
Tomi Engdahl says:
RBS boss leaves weeks after these Snapchat pictures were put on Instagram by his daughter
Read more: http://uk.businessinsider.com/rbs-boss-rory-cullinan-leaves-just-weeks-after-snapchat-pictures-were-unveiled-on-instagram-2015-3?r=US#ixzz3W2Bu2nXS
Tomi Engdahl says:
SCOTUS: GPS Trackers Are a Form of Search and Seizure
http://yro.slashdot.org/story/15/03/31/2113243/scotus-gps-trackers-are-a-form-of-search-and-seizure
U.S. Supreme Court: GPS Trackers Are a Form of Search and Seizure
http://www.theatlantic.com/technology/archive/2015/03/supreme-court-if-youre-being-gps-tracked-youre-being-searched/389114/?single_page=true
If the government puts a GPS tracker on you, your car, or any of your personal effects, it counts as a search—and is therefore protected by the Fourth Amendment.
The Supreme Court clarified and affirmed that law on Monday, when it ruled on Torrey Dale Grady v. North Carolina, before sending the case back to that state’s high court. The Court’s short but unanimous opinion helps make sense of how the Fourth Amendment, which protects against unreasonable search and seizure, interacts with the expanding technological powers of the U.S. government.
“It doesn’t matter what the context is, and it doesn’t matter whether it’s a car or a person. Putting that tracking device on a car or a person is a search,”
Tomi Engdahl says:
Ask Slashdot: Dealing With User Resignation From an IT Perspective?
http://ask.slashdot.org/story/15/03/31/1711244/ask-slashdot-dealing-with-user-resignation-from-an-it-perspective
Today one of my fellow workers has announced he has found another job and will be leaving our company in two weeks’ time.
He is simply working through his notice period and finishing up some jobs. I have already set some fileserver folders to Read-Only for him and taken a backup of his mailbox in case he empties it on the last day.
Comments:
Get him to delete anything personal, because chances are his co-workers are going to be asking for access to his files and emails so they can continue whatever work he was in the middle of.
And beyond this… if it’s on the company computer, it’s on the company’s time, and is the company’s business. A lot of people forget this and use company systems for personal stuff, but it’s still company data, and has been proven to be so in court.
So yeah; back up everything now, and then provide a sanitized version for others to look through as need arises.
The truth is, even if there’s something critical in the backup, it’s likely that nobody will ever know it’s there and so have reason to go looking for it. But CYA is always important for IT.
If he is not a disgruntled worker just work with him to set up expectations from the IT side of things. Do you expect him to turn his computer in? When? Should he delete files off? Yes/No? I think most people would be happy to work through an exit checklist and it would make you seem really organized.
If he wanted to screw with stuff, the seeds are already planted and will go off after he’s gone.
And if he hasn’t wanted to screw up stuff, don’t give him a reason to regret that decision by treating him in a dick way.
If that’s the case, don’t be a dick about it. Instead of “Go work from home for the two weeks because we’re afraid you’re going to fuck us over.” Say, “Enjoy the next two weeks of paid vacation on us as a parting gift. Best of luck on your career.”
Both accomplish the exact same thing, but one of them doesn’t create dicks out of good employees. I mean what’s the chance he’s going to be productive those two weeks anyway?
Every time I’ve known I was going to turn in my notice, I end up going through everything and cleaning out any personal stuff and clean up my mailbox before the letter ever gets put in.
Removing access immediately is important for 2 reasons. The first is obviously security. The second is figuring out what he does & making sure somebody else has that access & knowledge.
Tomi Engdahl says:
Facebook ‘tracks all visitors, breaching EU law’
http://www.theguardian.com/technology/2015/mar/31/facebook-tracks-all-visitors-breaching-eu-law-report
The issue revolves around Facebook’s use of its social plugins such as the “Like” button, which has been placed on more than 13m sites including health and government sites.
Facebook places tracking cookies on users’ computers if they visit any page on the facebook.com domain, including fan pages or other pages that do not require a Facebook account to visit.
When a user visits a third-party site that carries one of Facebook’s social plug-ins, it detects and sends the tracking cookies back to Facebook – even if the user does not interact with the Like button, Facebook Login or other extension of the social media site.
EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (“criterion A”) or to deliver a service specifically requested by the user (“criterion B”).
Tomi Engdahl says:
Amazon’s clouds are da bomb, say EU data protection watchdogs
AWS meets Europe’s privacy requirements, whatever they may be worth
http://www.theregister.co.uk/2015/04/01/amazon_privacy_europe/
Amazon’s cloud services have been declared safe by Europe’s privacy rights watchdogs.
The Article 29 Working Party (a group made up of all Europe’s national data protection authorities), led by the Dutch CNPD, has found that Amazon Web Services’ standard contractual clauses meet all the requirements of EU data protection – whatever they may be worth. The rules are undergoing some degree of reform at the moment.
According to the working party, Amazon cloud customers can be sure that even when their data is transferred across the world, under the so-called “controller-to-processor” clauses it will still get the same level of protection as if it was stored in the European Union.
Following the Edward Snowden revelations, cloud customers have been concerned about where their files are held and processed, and who has access to them. Companies including Amazon have sought to capitalise on the fear of foreign surveillance by guaranteeing data is stored in countries specifically selected by customers. (Microsoft is having a spot of bother with that plan.)
In the EU, Amazon customers can choose to have their data stored in Dublin in Ireland or Frankfurt in Germany.
Tomi Engdahl says:
Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers
http://it.slashdot.org/story/15/04/01/032230/angry-boss-phishing-emails-prompt-fraudulent-wire-transfers
Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one.
Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.
The key element of their attack is – simply – “obeisance,” Websense notes. “When the CEO or CFO tells you to do something, you do it.”
The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic
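The pattern described above (an executive’s name on the From line, an outside Reply-To, rushed wording and a request to move money) can be screened for before a message reaches the person who would obey it. The following is an added example written for this page, not Websense code; the company domain, the executive roster, the signal weights and the three sample messages are all constructed for the illustration.

```python
"""Heuristic screen for the "angry boss" wire-transfer phish described above.

Added example for this page, not Websense code. The company domain, the
executive roster and the three sample messages are constructed for the
illustration; the signal combination is a starting point, not tuned values.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"          # assumed internal domain
EXECUTIVES = {                               # assumed roster: display name -> real address
    "jane doe": "jane.doe@example-corp.com",
    "john roe": "john.roe@example-corp.com",
}
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|funds|account number|iban|swift)\b", re.I)


def classify(raw: str) -> dict:
    """Return {'flagged': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    reasons = []
    # 1. Display name belongs to an executive, but the address is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    spoofed_exec = real is not None and addr.lower() != real
    if spoofed_exec:
        reasons.append(f"display name '{name}' is an executive but sender is {addr}")
    # 2. Replies are steered to an address outside the company.
    external_reply = bool(reply_to) and reply_to.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN
    if external_reply:
        reasons.append(f"Reply-To {reply_to} is outside {COMPANY_DOMAIN}")
    # 3. Rushed wording combined with a request to move money.
    money_rush = bool(URGENCY.search(text) and PAYMENT.search(text))
    if money_rush:
        reasons.append("urgent wording combined with payment/transfer language")

    # Each signal alone has benign explanations (executives do use personal
    # mail, finance does get urgent invoices). The pattern worth holding for
    # out-of-band verification is a money request riding on a spoofed or
    # redirected executive identity.
    return {"flagged": bool(money_rush and (spoofed_exec or external_reply)),
            "reasons": reasons}


SAMPLES = [  # constructed sample messages, not real traffic
    'From: "Jane Doe" <jane.doe@example-corp-mail.com>\n'
    "Reply-To: ceo.janedoe@gmail.com\n"
    "Subject: Urgent wire transfer needed today\n"
    "\n"
    "Please wire $45,000 to the account below before 3pm and keep this\n"
    "confidential. I am in meetings all day, just confirm once it is done.\n",

    'From: "Jane Doe" <jane.doe@example-corp.com>\n'
    "Subject: Q2 planning\n"
    "\n"
    "Can we move the planning meeting to Thursday?\n",

    'From: "Accounts" <billing@vendor.example>\n'
    "Subject: Invoice 1234 payment\n"
    "\n"
    "Payment is due in 30 days per our agreement.\n",
]


def screen(messages=SAMPLES) -> list:
    """Return the subjects of messages that should be held for verification."""
    held = []
    for raw in messages:
        if classify(raw)["flagged"]:
            held.append(message_from_string(raw).get("Subject"))
    return held


if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The hold decision deliberately requires the money request plus an identity anomaly, because either signal on its own produces more false positives than a finance team will tolerate; the real control remains an out-of-band callback to the executive on a known number before any transfer is released.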
Tomi Engdahl says:
Tor proposes crowdsourced and more accessible hidden services
As encryption faces yet more criticism
http://www.theinquirer.net/inquirer/news/2402265/tor-proposes-crowdsourced-and-more-accessible-hidden-services
INVISIBILITY BLANKET SYSTEM Tor is proposing some new hidden services. The outfit is looking to get them crowdsourced and would like user feedback, as opposed to external feedback, a lot of which might suggest that it takes its anonymising talk and shoves it.
Tor, and similar services that we might lump under an encryption banner, is a controversial thing these days, and it is regularly made the scapegoat for failings at the security agencies and as a thorn in the side of just about anyone who ever attempted to stop a bad thing happening.
Tor claimed that its services are needed and prized but are used by only four percent of the possible userbase. It wants to address this and is looking to find ways of bridging the gap between what it does and what citizens are able to work with.
“Hidden services provide a means for Tor users to create sites and services that are accessible exclusively within the Tor network, with privacy and security features that make them useful and appealing for a wide variety of applications,” Tor noted.
The use of Tor is a relatively underground thing, but there are similarly controversial security systems in use by the big technology firms.
Companies like Google and Apple have got it in the neck for securing their users’ privacy, and their unwillingness to drop this stance has frustrated needy detectives.
“[Tech firms] are doing it, I suppose, because of a commercial imperative driven by what they perceive to be consumer demand for greater privacy of their communications.”
Tomi Engdahl says:
Brian X. Chen / New York Times:
Verizon Wireless Customers Can Now Opt Out of ‘Supercookies’ — Verizon Wireless customers now have the ability to completely opt out of the phone carrier’s controversial ad-targeting program that tagged users with undeletable tracking codes, which critics called “supercookies.”
http://bits.blogs.nytimes.com/2015/03/31/verizon-wireless-customers-can-now-opt-out-of-supercookies/?_r=0
Tomi Engdahl says:
Kim Zetter / Wired:
US Used Zero-Day Exploits Before It Had Policies for Them
http://www.wired.com/2015/03/us-used-zero-day-exploits-policies/
Around the same time the US and Israel were already developing and unleashing Stuxnet on computers in Iran, using five zero-day exploits to get the digital weapon onto machines there, the government realized it needed a policy for how it should handle zero-day vulnerabilities, according to a new document obtained by the Electronic Frontier Foundation.
“The level of transparency we have now is not enough,” says Andrew Crocker a legal fellow at EFF. “It doesn’t answer a lot of questions about how often the intelligence community is disclosing, whether they’re really following this process, and who is involved in making these decisions in the executive branch. More transparency is needed.”
The timeframe around the development of the policy does make clear, however, that the government was deploying zero-days to attack systems long before it had established a formal policy for their use.
Tomi Engdahl says:
This one weird trick deletes any YouTube flick in just a few clicks
No Minecraft videos were harmed in the making of this exploit
http://www.theregister.co.uk/2015/04/01/simple_trick_to_delete_any_youtube_flick/
Security bod Kamil Hismatullin has disclosed a simple method to delete any video from YouTube.
The Russian software developer and hacker found videos can be instantly nuked by sending the identity number of a video in a POST request along with any token.
“I wanted to find there some CSRF or XSS issues, but unexpectedly discovered a logical bug that let me to delete any video on YouTube with just one request,” Hismatullin says.
“… this vulnerability could create utter havoc in a matter of minutes in [hackers'] hands who could extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time.”
Hismatullin says Google responded quickly when he reported the bug Saturday.
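The bug described above is a missing authorization check rather than a missing authentication check: the endpoint verified that the caller held a valid token, but never compared the token’s owner with the video’s owner. The following is an added example written for this page, not Google or YouTube code; the in-memory store, the token format and the status codes are assumptions, and the vulnerable handler keeps the flawed behaviour on purpose so it can be contrasted with the hardened one.

```python
"""Vulnerable and hardened versions of a 'delete video' endpoint, modelled on
the logic bug described above: the request carried a video id and a token,
and the server checked that the token was valid but not that it belonged to
the video's owner. Added example for this page, not Google/YouTube code; the
in-memory store, the token format and the status codes are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_SECRET = secrets.token_bytes(32)   # assumed per-deployment secret


@dataclass
class Store:
    videos: dict = field(default_factory=dict)    # video_id -> owner username
    sessions: dict = field(default_factory=dict)  # session token -> username


def csrf_for(session_token: str) -> str:
    """CSRF token bound to a session, so a cross-site form cannot forge it."""
    return hmac.new(SERVER_SECRET, session_token.encode(), hashlib.sha256).hexdigest()


def vulnerable_delete(store: Store, video_id: str, token: str) -> int:
    """The flawed logic: authentication is checked, authorization is not."""
    if token not in store.sessions:          # any valid session passes
        return 401
    if video_id not in store.videos:
        return 404
    del store.videos[video_id]               # owner is never compared
    return 200


def hardened_delete(store: Store, video_id: str, token: str, csrf_token: str) -> int:
    """Same endpoint with the missing checks added."""
    user = store.sessions.get(token)
    if user is None:
        return 401
    # Reject cross-site forged requests: the CSRF token must match this session.
    if not hmac.compare_digest(csrf_token, csrf_for(token)):
        return 403
    # Authorization: the caller must own the resource. One status for both
    # "not yours" and "not found" keeps the endpoint from confirming ids.
    owner = store.videos.get(video_id)
    if owner is None or owner != user:
        return 404
    del store.videos[video_id]
    return 200


def demo() -> dict:
    """Mallory, holding only her own session, tries to delete Alice's video."""
    def fresh() -> Store:
        return Store(videos={"v1": "alice"},
                     sessions={"tokA": "alice", "tokM": "mallory"})
    s = fresh()
    vulnerable = vulnerable_delete(s, "v1", "tokM")
    s2 = fresh()
    hardened = hardened_delete(s2, "v1", "tokM", csrf_for("tokM"))
    return {"vulnerable": vulnerable, "hardened": hardened,
            "video_survives": "v1" in s2.videos}


if __name__ == "__main__":
    print(demo())   # {'vulnerable': 200, 'hardened': 404, 'video_survives': True}
```

The test a reviewer would write for this endpoint is exactly the one the researcher performed: authenticate as one user, submit another user’s object id, and expect a refusal. Anything a session token unlocks must be checked against that session’s identity, not merely against the token’s validity.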
Tomi Engdahl says:
Facebook hits back at data use privacy criticisms
http://www.bbc.com/news/technology-32131760
Facebook has attacked a report that said its privacy policy may be in breach of EU laws.
The report, produced last month by academics at the request of the Belgian privacy commission, said that the site tracks people without their consent.
An annexe to that report, published last week, added details of Facebook’s tracking and prompted fresh criticism.
Facebook said the report was “inaccurate” and complained that it was not contacted before its publication.
“This report contains factual inaccuracies,” a spokesperson said.
“The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based.”
Facebook disputes study saying it might violate European security laws
Read more: http://uk.businessinsider.com/facebook-tracking-report-2015-3?r=US#ixzz3W3csaK1j
Tomi Engdahl says:
South Korea Creates Cyber-security Post to Counter North’s Threat
http://www.securityweek.com/south-korea-creates-cyber-security-post-counter-norths-threat
Seoul – Concerned by the growing threat of cyber-attacks from North Korea, South Korea’s cabinet on Tuesday approved the creation of a new presidential post handling cyber-security.
The post will provide a “control tower” for efforts to counter North Korean hackers, presidential spokesman Min Kyung-Wook told reporters.
Seoul has blamed North Korean hackers for a series of cyber-attacks on military institutions, banks, government agencies, TV broadcasters and media websites in recent years.
South Korea’s defence ministry believes North Korea runs an elite cyber-warfare unit with up to 6,000 personnel, and regards its ability to launch hacking attacks as a major security threat.
Tomi Engdahl says:
Tech leaders: Is your biggest threat North Korea or your own board?
Less PCs, more devices, even more security threats
http://www.theregister.co.uk/2015/04/01/who_is_your_biggest_security_threat_roundtable/
If you’re a tech boss looking to increase your profile, the one sure-fire way to make the headlines is to have a major security breach on your watch.
Just ask some of the senior techies who used to work at the DWP, Sony, Target, and…well, you get the picture.
Your biggest worry may be an irate despot, or a corrupt business rival. Or it may be your own execs, whose appetite for mobility and accessibility outstrips their understanding of basic security.
Either way, we want you to swap war stories, learn from each other, and give us some insight into the real world problems today’s top IT bosses face.
Tomi Engdahl says:
Mystery ‘Explosive’ cyber-spy campaign traced back to Lebanon
Round up the unusual suspects, you know the drill
http://www.theregister.co.uk/2015/04/01/lebanon_explosive_cyberspy_mystery_campaign/
A nation-state cyber-attack campaign running since 2012 has been traced back to a somewhat unlikely launchpad in Lebanon.
Security researchers at Check Point reckon hackers behind the so-called Volatile Cedar campaign have hit defence contractors, telecommunications and media companies, and educational institutions in multiple countries.
The hackers’ main tool is a custom malware implant codenamed ‘Explosive’ (named by the attackers). Once installed, the tool continuously runs a key-logger and a clipboard logger, which transmit the results to command-and-control servers. The implant has built-in file deletion functionality as well as arbitrary code execution capabilities.
Evidence obtained by the Israeli security firm suggests the attacker group is based in Lebanon.
“The [Volatile Cedar] campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents,”
“This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by anti-virus systems,”
Volatile Cedar – Analysis of a Global Cyber Espionage Campaign
http://blog.checkpoint.com/2015/03/31/volatilecedar/
Today, we announced the discovery of Volatile Cedar, a persistent attacker group originating possibly in Lebanon with political ties.
Beginning in late 2012, the carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide.
We have seen clear evidence that Volatile Cedar has been active for almost 3 years. While many of the technical aspects of the threat are not considered “cutting edge”, the campaign has been continually and successfully operational throughout this entire timeline, evading detection by the majority of AV products. This success is due to a well-planned and carefully managed operation that constantly monitors its victims’ actions and rapidly responds to detection incidents.
The modus operandi for this attacker group initially targets publicly facing web servers, with both automatic and manual vulnerability discovery.
Volatile Cedar is an APT malware campaign first detected and investigated by Check Point.
Who was attacked?
Among the confirmed targets, we identified defense contractor firms, telecommunications and media companies, and educational institutions. We confirmed live infections in approximately 10 different countries, including the USA, Canada, UK, Turkey, Lebanon and Israel.
Can Explosive cause damage?
The main threat is sensitive data theft and cyber espionage. The implant has built-in file deletion functionality as well as arbitrary code execution, making it possible for the attackers to inflict a lot of damage on an infected system.
Tomi Engdahl says:
Barack Obama / Medium:
Obama signs Executive Order authorizing targeted sanctions over cyberattacks
A New Tool Against Cyber Threats
https://medium.com/@PresidentObama/a-new-tool-against-cyber-threats-1a30c188bc4
It’s one of the great paradoxes of our Information Age — the very technologies that empower us to do great good can also be used by adversaries to inflict great harm. The same technologies that help keep our military strong are used by hackers in China and Russia to target our defense contractors and systems that support our troops. Networks that control much of our critical infrastructure — including our financial systems and power grids — are probed for vulnerabilities by foreign governments and criminals.
Cyber intrusions and attacks — many of them originating overseas — are targeting our businesses, stealing trade secrets, and costing American jobs. Iranian hackers have targeted American banks. The North Korean cyber attack on Sony Pictures destroyed data and disabled thousands of computers. In other recent breaches that have made headlines, more than 100 million Americans had their personal data compromised, including credit card and medical information.
In response to these cyber threats, our government is using every tool at our disposal — including diplomacy, law enforcement, and cooperation with other nations and the private sector — to strengthen our defenses and detect, prevent, respond to, and recover from attacks. Still, it’s often hard to go after bad actors, in part because of weak or poorly enforced foreign laws, or because some governments are either unwilling or unable to crack down on those responsible.
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
Google says 5% of its visitors have ad injectors installed, disables 192 deceptive Chrome extensions
Google Says 5% Of Visitors To Its Sites Have Ad Injectors Installed
http://techcrunch.com/2015/03/31/google-says-5-of-web-browsers-have-ad-injectors-installed/#gypjlZ:FfZd
According to a study Google conducted with researchers at the University of California, Berkeley, 5 percent of people visiting Google’s sites and services now have at least one ad injector installed.
When it comes to malware, ad injectors may seem relatively benevolent at first. They put an ad on your Google Search page that didn’t belong there, for example. That’s annoying, but doesn’t seem dangerous. But ad injection was pretty much what Lenovo’s Superfish was doing and that created plenty of security issues for users. Indeed, the research, which is based on the analysis of 100 million pageviews across Google’s sites from Chrome, Firefox and Internet Explorer, classified about a third of these injectors as “outright malware.”
Given that these kinds of ad injectors are often bundled with legitimate software — and desktop developers and download sites often see them as a relatively easy way to make a bit of extra money with their installers and download wrappers — it’s easy enough to install one of them inadvertently.
Google and the Berkeley researchers found that ad injectors are now available on all major platforms and browsers. Out of those 5 percent of users that have at least one installed, one-third actually had four of them running simultaneously and half were running two. Clearly, there is a group of users that is a bit more prone to catching one of these than others.
“Unwanted ad injectors aren’t part of a healthy ads ecosystem,” Google Safe Browsing engineer Nav Jagpal writes in today’s announcement. “They’re part of an environment where bad practices hurt users, advertisers and publishers alike. ”
Google says it has already banned 192 Chrome extensions that affected 14 million users based on this research and it is now using the same techniques the researchers used to scan all new and updated extensions in the Chrome Web Store.
Tomi Engdahl says:
The easy Java and Flash security fix everyone hates to do
http://www.pcworld.com/article/2903333/the-most-foolproof-java-and-flash-security-fix-is-the-one-thing-few-people-do.html
Quickly patching vulnerable software is key to keeping computer systems secure. Yet, consumers are increasingly leaving their systems open to attack by failing to patch two ubiquitous third-party programs: Oracle’s Java and Adobe’s Flash.
Over the past five quarters, the portion of U.S. Java users with unpatched versions of the program on their systems increased to 50 percent at the end of 2014, up from 44 percent in Fall, 2013, according to data from vulnerability management firm Secunia. A similar, if slightly muted trend, affects U.S. users of Adobe Flash: The portion of users with older versions of the program reached 24 percent at the end of 2015, slightly up from five quarters earlier.
Programs like Java and Flash, which run on many different operating systems are “gifts to hackers,” said Kasper Lindgaard, director of research and security for Secunia.
“They run on all different kinds of operating systems, so if there is a vulnerability, the attackers can use it on every target,” he said.
No wonder, then, that the creators and users of key cybercriminal tools, known as exploit kits, regularly focus on both Java and Flash. While the number of attacks from exploit kits has declined since the 2013 arrest of the group suspected of being behind the popular Blackhole exploit kit, a number of other popular kits have popped up, and almost every one has included exploits for Adobe’s Flash, Oracle’s Java or both.
“The majority of attacks we see are exploiting software not up-to-date on the latest security updates, therefore we strongly recommend that users install the latest security updates and enable the background updater as the best possible defense against those with malicious intent,” Uhley said.
Cisco found that consumers and companies that enable automatic updates are less vulnerable.
“The research clearly indicates that software that automatically installs its own updates seems to have an advantage in creating a safer security framework,” Cisco stated in its 2015 Annual Security Report.
Tomi Engdahl says:
Zack Whittaker / ZDNet:
GitHub reports it’s operating normally after five days of sustained DDoS attacks blamed on China
GitHub 1, China 0, as sustained cyberattack ends after five days
http://www.zdnet.com/article/github-1-china-0-as-sustained-cyberattack-ends-after-five-days/
Summary: The code-sharing website is back up and running after a week-long attack crippled its services. The attack was blamed on Beijing, an allegation it didn’t actually deny.
Tomi Engdahl says:
Martin Anderson / The Stack:
‘Trojan.Laziok’ reconnaissance malware targets Middle East energy sector
http://thestack.com/symantec-trojan-laziok-middle-east-energy-targets-310315
Researchers at Symantec have observed that a relatively new data exfiltration software has been put to service in a winter campaign against energy companies in the Middle East.
In a blog post Symantec’s Christian Tripputi reveals that Symantec observed a ‘multi-staged, targeted attack campaign’ against energy companies around the world, between January and February this year – with a distinct emphasis on the Middle East.
Though the central malware has been dubbed ‘Trojan.Laziok’ by Symantec, in fact the Laziok Trojan has been identified and addressed before, with uninstall information widely available at various sites – and would appear to have been picked up as a campaign tool by as-yet unknown actors seeking sensitive information from the energy sector.
New reconnaissance threat Trojan.Laziok targets the energy sector
http://www.symantec.com/connect/fr/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector
A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.
Between January and February, we observed a multi-staged, targeted attack campaign against energy companies around the world, with a focus on the Middle East. This attack campaign used a new information stealer, detected by Symantec as Trojan.Laziok. Laziok acts as a reconnaissance tool allowing the attackers to gather data about the compromised computers.
The detailed information enables the attacker to make crucial decisions about how to proceed further with the attack, or to halt the attack. During the course of our research, we found that the majority of the targets were linked to the petroleum, gas and helium industries, suggesting that whoever is behind these attacks may have a strategic interest in the affairs of the companies affected.
The initial infection vector involves the use of spam emails coming from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. These emails include a malicious attachment packed with an exploit for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158). This vulnerability has been exploited in many different attack campaigns in the past, such as Red October.
Tomi Engdahl says:
Sony tells hacked gamer to pay for crooks’ abuse of Playstation account
Firm puts gun to customer’s head over charges run up by fraudsters
http://www.theregister.co.uk/2015/04/02/sony_holds_gun_to_gamers_heads_over_fraud_charges/
Sony has told a victim of fraud he must either pay the outstanding charge caused by his Playstation account being hacked, or remain locked out – effectively rendering his console unusable.
In February, Ben Smyth’s account was hacked and £49.99 was fraudulently charged to his credit card. His details were changed by Sony and the company told him the case was “under investigation”.
Sony refused to provide a refund but he was able to get his credit card provider to block the payment going out.
Two months later Sony froze his Playstation account because of the outstanding £49.99, which it said was his responsibility to settle. The company does not dispute the fraudulent nature of the payment.
Tomi Engdahl says:
Met Police in egg/face blunder as shop-a-crim site’s SSL cert expires
Rozzers play fast and loose with concerned citizens’ security
http://www.theregister.co.uk/2015/04/02/met_police_ssl_certificate_expires_shop_a_crim_site/
The Metropolitan Police has allowed its SSL certificate to expire, possibly exposing users of its website to criminal snooping – and leaving victims and witnesses of crime vulnerable to exploitation.
With shocking disregard for the most basic standards of web security, the Met have allowed their SSL certificate for https://online.met.police.uk/ to expire.
When SSL certificates expire, although the information passed between the browser and the server continues to be encrypted, users can no longer trust that the encryption has not been compromised.
Tomi Engdahl says:
Google kills 200 ad-injecting Chrome extensions, says many are malware
Crackdown comes as Google discovers use of ad injectors is surprisingly high.
http://arstechnica.com/security/2015/04/google-kills-200-ad-injecting-chrome-extensions-says-many-are-malware/
Google is cracking down on ad-injecting extensions for its Chrome browser after finding that almost 200 of them exposed millions of users to deceptive practices or malicious software.
More than a third of Chrome extensions that inject ads were recently classified as malware in a study that Google researchers carried out with colleagues from the University of California at Berkeley. The Researchers uncovered 192 deceptive Chrome extensions that affected 14 million users. Google officials have since killed those extensions and incorporated new techniques to catch any new or updated extensions that carry out similar abuses.
Out with unwanted ad injectors
http://googleonlinesecurity.blogspot.ro/2015/03/out-with-unwanted-ad-injectors.html
The browsers in the screenshots above have been infected with ‘ad injectors’. Ad injectors are programs that insert new ads, or replace existing ones, into the pages you visit while browsing the web. We’ve received more than 100,000 complaints from Chrome users about ad injection since the beginning of 2015—more than network errors, performance problems, or any other issue.
Injectors are yet another symptom of “unwanted software”—programs that are deceptive, difficult to remove, secretly bundled with other downloads, and have other bad qualities. We’ve made several recent announcements about our work to fight unwanted software via Safe Browsing, and now we’re sharing some updates on our efforts to protect you from injectors as well.
Unwanted ad injectors: disliked by users, advertisers, and publishers
Unwanted ad injectors aren’t part of a healthy ads ecosystem. They’re part of an environment where bad practices hurt users, advertisers, and publishers alike.
People don’t like ad injectors for several reasons: not only are they intrusive, but people are often tricked into installing ad injectors in the first place, via deceptive advertising, or software “bundles.” Ad injection can also be a security risk, as the recent “Superfish” incident showed.
How Google fights unwanted ad injectors
We have a variety of policies that either limit, or entirely prohibit, ad injectors.
In Chrome, any extension hosted in the Chrome Web Store must comply with the Developer Program Policies.
On the ads side, AdWords advertisers with software downloads hosted on their site, or linked to from their site, must comply with our Unwanted Software Policy. Additionally, both Google Platforms program policies and the DoubleClick Ad Exchange (AdX) Seller Program Guidelines, don’t allow programs that overlay ad space on a given site without permission of the site owner.
Here’s a sample of the findings:
Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test.
More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed.
Thirty-four percent of Chrome extensions injecting ads were classified as outright malware.
Researchers found 192 deceptive Chrome extensions that affected 14 million users; these have since been disabled. Google now incorporates the techniques researchers used to catch these extensions to scan all new and updated extensions.
Tomi Engdahl says:
This tool detects then ATTACKS evil twin access points
Silent sentinel will DoS eavesdroppers
http://www.theregister.co.uk/2015/04/02/tool_automatically_detects_doses_evil_twin_access_points/
Mohamed Idris has created a tool to help network administrators discover and DoS rogue access points.
The EvilAP Defender open source tool published to GitHub can be run by admins at intervals to determine if attackers are attempting to get their users to connect to malicious networks.
Those evil twin attack networks are powerful copycats of legitimate access points that attempt to get users to connect in a bid to harvest subsequent traffic.
Idris says the tool will send email alerts to admins when evil twins are detected, and launch denial of service attacks to buy time.
“Additionally you can configure the tool to perform DoS on discovered evil AP in order to give the administrator more time to react,” Idris says.
“However, notice that the DoS will only be performed for evil APs which have the same SSID but different BSSID (AP’s MAC address) or running on a different channel. This is to avoid DoSing your legitimate network.”
EvilAP_Defender/README.TXT
https://github.com/moha99sa/EvilAP_Defender/blob/master/README.TXT
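The detection rule quoted above (same SSID, but an unknown BSSID or an unexpected channel) as an added example in Python; this is not the EvilAP_Defender code, all access points and MAC addresses in it are constructed, and only the detection and alert text are implemented, not the DoS response the article describes.

```python
"""Evil twin access point detector (added example, not EvilAP_Defender's code).

Flags any AP that broadcasts one of our whitelisted SSIDs from a BSSID that is
not whitelisted, or from a whitelisted BSSID on a channel it is not known to use.
Scan results below are constructed; a real deployment would feed in output from
a wireless scanner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # the AP's MAC address
    channel: int
    signal_dbm: int   # received signal strength


def normalize_bssid(bssid: str) -> str:
    """Canonical lower-case, colon-separated form so 00-11-.. equals 00:11:.."""
    return bssid.strip().lower().replace("-", ":")


def build_whitelist(legit):
    """Map ssid -> bssid -> set of channels the legitimate AP may use."""
    wl = {}
    for ap in legit:
        wl.setdefault(ap.ssid, {}).setdefault(normalize_bssid(ap.bssid), set()).add(ap.channel)
    return wl


def find_evil_twins(scan, whitelist):
    """Return (ap, reason) for every AP that copies a whitelisted SSID but does
    not match a whitelisted BSSID/channel pair. An impostor that also clones the
    BSSID and channel is not separable from the real AP by this rule."""
    alerts = []
    for ap in scan:
        known = whitelist.get(ap.ssid)
        if known is None:
            continue  # not one of our SSIDs, so not a twin of our network
        bssid = normalize_bssid(ap.bssid)
        if bssid not in known:
            alerts.append((ap, "unknown BSSID broadcasting our SSID"))
        elif ap.channel not in known[bssid]:
            alerts.append((ap, "known BSSID on an unexpected channel"))
    return alerts


def format_alert(ap, reason):
    """One line suitable for the e-mail notification the tool sends to admins."""
    return (f"EVIL TWIN? ssid={ap.ssid!r} bssid={normalize_bssid(ap.bssid)} "
            f"ch={ap.channel} rssi={ap.signal_dbm}dBm: {reason}")


# Constructed whitelist of the organisation's own APs (hypothetical values).
LEGIT_APS = [
    AccessPoint("CorpWiFi", "00:11:22:33:44:55", 6, -40),
    AccessPoint("CorpWiFi", "00:11:22:33:44:56", 11, -42),
]

# Constructed scan: the two real APs, a neighbour's network, and two twins.
SCAN = [
    AccessPoint("CorpWiFi", "00:11:22:33:44:55", 6, -45),
    AccessPoint("CorpWiFi", "00:11:22:33:44:56", 11, -50),
    AccessPoint("NeighbourNet", "aa:bb:cc:dd:ee:01", 1, -70),
    AccessPoint("CorpWiFi", "de:ad:be:ef:00:01", 6, -30),   # foreign BSSID
    AccessPoint("CorpWiFi", "00-11-22-33-44-55", 1, -35),   # real BSSID, wrong channel
]


def run_scan(scan=SCAN, legit=LEGIT_APS):
    """Run one detection pass; returns the list of (ap, reason) alerts."""
    return find_evil_twins(scan, build_whitelist(legit))


if __name__ == "__main__":
    for ap, reason in run_scan():
        print(format_alert(ap, reason))
```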
Tomi Engdahl says:
Snowden didn’t scare many out of US clouds says Forrester
A quarter of CIOs bail from US clouds, but only a third of those leave for fear of spooks
http://www.theregister.co.uk/2015/04/02/snowden_didnt_scare_many_out_of_us_clouds_says_forrester/
Analyst outfit Forrester has asked the question “Did PRISM Cause An Exodus From US Clouds?” and found the answer is yes. At least a bit.
The firm asked “1,668 non-US technology and business decision-makers” whether “In the past year, has your company explicitly halted or reduced your spending with US-based companies for Internet-based services (e.g., cloud, online service/outsourcing) due to these security concerns?”
26 per cent said yes, they had.
But the company’s next question, “What are the reasons you have decided to move away from using US-based companies for Internet-based services?” found 34 per cent of those asked said “Fear of intelligence community spying” was the reason for their departure. Other reasons for repatriating data or services included local laws, or greater comfort doing business with domestic providers.
The second question was answered by “427 non-US technology and business decision-makers whose firms have explicitly halted or reduced their spending with US-based companies for Internet-based services due to PRISM-related security concerns.” We’re not sure it is sound to do the math on this one and declare that 34 per cent of 26 per cent means about eight per cent of people pulled data from clouds for fear of spying, because the exact nature of the samples isn’t explained.
The study concludes that organisations using any cloud service providers from any nation need to look for suppliers who give them more control over security, because if the spooks don’t get you, the crims will.
“Your business partners are accountable to their governments, and you can’t expect them to put your interests above their own or those of their government.”
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Firefox 37 enables opportunistic encryption by default, encrypts HTTP connections over TLS — New Firefox version says “might as well” to encrypting all Web traffic — Ready or not, “opportunistic encryption” goes live. (Some configuration required.)
New Firefox version says “might as well” to encrypting all Web traffic
Ready or not, “opportunistic encryption” goes live. (Some configuration required.)
http://arstechnica.com/security/2015/04/new-firefox-version-says-might-as-well-to-encrypting-all-web-traffic/
Developers of the Firefox browser have moved one step closer to an Internet that encrypts all the world’s traffic with a new feature that can cryptographically protect connections even when servers don’t support the HTTPS protocol.
Opportunistic encryption, as the feature is known, acts as a bridge between plaintext HTTP connections and fully compliant HTTPS connections based on transport layer security or its predecessor protocol, secure sockets layer. These traditional Web-based encryption measures require site operators to obtain a digital credential issued by a browser-recognized certificate authority and to implement TLS protection through OpenSSL or a similar code library. Even then, many sites are unable to fully encrypt their pages because they embed ads and other third-party content that’s still transmitted in plaintext. As a result, large numbers of sites (including this one) continue to publish some or all of their content in HTTP, which can be readily manipulated by people with the ability to monitor the connection.
OE, as opportunistic encryption is often abbreviated, was turned on by default in Firefox 37, which was released this week. The move comes 17 months after an Internet Engineering Task Force working group proposed OE become an official part of the HTTP 2.0 specification.
OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial.
These are indeed nice bonuses for http:// – but it still isn’t as nice as https://. If you can run https you should – full stop. Don’t make me repeat it. Only https protects you from active man-in-the-middle attackers.
Two simple steps to configure a server for OE
Install a TLS based h2 or spdy server on a separate port. 443 is a good choice :). You can use a self-signed certificate if you like because OE is not authenticated.
Add a response header Alt-Svc: h2=":443" or spdy/3.1 if you are using a spdy enabled server like nginx.
When the browser consumes that response header it will start to verify the fact that there is an HTTP/2 service on port 443. When a session with that port is established it will start routing the requests it would normally send in cleartext to port 80 onto port 443 with encryption instead. There will be no delay in responsiveness because the new connection is fully established in the background before being used.
McManus may be overstating the ease many site operators will have in supporting OE. At the moment, implementing HTTP 2 is anything but trivial, mainly because popular Web servers such as Apache and nginx don’t yet ship with HTTP 2 support.
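The Alt-Svc advertisement and the routing decision described in the two steps above, as an added example in Python; this is not Mozilla's or the article's code. It parses the header in the RFC 7838 form quoted in the comment (`h2=":443"`), and models what a browser with OE enabled does with it: an http:// origin is moved onto the advertised TLS port once a background connection succeeds, but without certificate validation, so only https:// origins count as authenticated. The header values and the `probe` callback standing in for the background connection attempt are assumptions of this example.

```python
"""Alt-Svc parsing and the opportunistic-encryption (OE) routing decision.
Added example, not Firefox code. Header syntax follows RFC 7838; the sample
headers are constructed. IPv6 literals in alt-authority are not handled."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AltService:
    protocol: str   # ALPN id, e.g. "h2" or "spdy/3.1"
    host: str       # "" means: same host as the origin (the ":443" form)
    port: int
    max_age: int    # seconds the advertisement may be cached (RFC default 86400)


# one alt-value:  protocol="[host]:port" [; param]*
_ALT_VALUE = re.compile(r'\s*([^=\s,]+)="([^":]*):(\d+)"((?:\s*;\s*[^;,]+)*)')

# Protocols the article's server-side steps run over TLS.
TLS_PROTOCOLS = {"h2", "spdy/3.1"}


def parse_alt_svc(header: str) -> list:
    """Parse an Alt-Svc header value. 'clear' invalidates all alternatives."""
    if header.strip().lower() == "clear":
        return []
    services = []
    for m in _ALT_VALUE.finditer(header):
        proto, host, port, params = m.groups()
        max_age = 86400
        for p in params.split(";"):
            key, _, value = p.strip().partition("=")
            if key.lower() == "ma" and value.isdigit():
                max_age = int(value)
        services.append(AltService(proto, host, int(port), max_age))
    return services


def choose_route(origin_url: str, alt_svc_header: str, probe=lambda host, port: True) -> dict:
    """Where later requests for origin_url go after the Alt-Svc header is seen.

    probe(host, port) stands in for the background connection attempt: only if
    it succeeds does traffic leave port 80, so a missing h2 service costs nothing.
    For an http:// origin the TLS session is unauthenticated (any certificate,
    self-signed included, is accepted), which is why OE resists passive
    eavesdropping but not an active man-in-the-middle."""
    u = urlsplit(origin_url)
    host, scheme = u.hostname, u.scheme
    if scheme == "https":
        # Already authenticated TLS; alternatives for https origins would need a
        # certificate valid for the origin host, which this example does not model.
        return {"host": host, "port": u.port or 443, "tls": True,
                "authenticated": True, "protocol": "https"}
    for svc in parse_alt_svc(alt_svc_header):
        if svc.protocol not in TLS_PROTOCOLS:
            continue
        alt_host = svc.host or host  # assumption: cross-host alternatives allowed
        if probe(alt_host, svc.port):
            return {"host": alt_host, "port": svc.port, "tls": True,
                    "authenticated": False, "protocol": svc.protocol}
    # No usable alternative: stay on cleartext HTTP.
    return {"host": host, "port": u.port or 80, "tls": False,
            "authenticated": False, "protocol": "http/1.1"}


if __name__ == "__main__":
    print(choose_route("http://example.com/index.html", 'h2=":443"; ma=3600'))
```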
Tomi Engdahl says:
Barack Obama / Medium:
Obama signs Executive Order authorizing targeted sanctions against perpetrators of cyberattacks, with threats from overseas a primary focus
https://medium.com/@PresidentObama/a-new-tool-against-cyber-threats-1a30c188bc4
Tomi Engdahl says:
Indiana Pizzeria Closed, Owners “In Hiding” After Saying They Won’t Cater LGBT Weddings
The internet has unleashed its wrath.
http://www.buzzfeed.com/maryanngeorgantopoulos/indiana-pizzeria-owners-say-theyd-deny-lgbt-people-service-a#.xadM4W3m
The Christian owners of a small Indiana pizzeria who became the first to publicly state they would deny catering an LGBT couple’s wedding in the wake of the state’s new and controversial Religious Freedom Law, said the business was forced to close Wednesday after a wave of online criticism and threats.
In less than a day, thousands of negative reviews were posted on the restaurant’s Yelp page and a fake website with the company’s name was created.
Tomi Engdahl says:
ALL comp-sci courses will have compulsory infosec lessons – UK.gov
Colleges to become spook incubators
http://www.theregister.co.uk/2015/03/10/cyber_security_taught_in_colleges_from_next_year/
Cyber-security will appear on the UK curriculum from next year in a bid to get more kids into the industry, the government has announced.
The topic will be a key part of UK computing and digital further education qualifications from September 2016, Cabinet Office minister Francis Maude said today.
Its inclusion is part of a number of measures designed to boost the £6bn industry, which the government reckons is set to grow “significantly” over the coming years.
Maude said: “We need a supply of cyber-security experts for the future, so we are taking a series of further steps to attract the most gifted young people to this fast-moving area of technology.”
GCHQ’s information security arm, the CESG, has previously warned that one of the UK’s “most pressing problems is the lack of emerging talent to defend the UK online”.
Tomi Engdahl says:
Farbod Faraji / Electronic Frontier Foundation:
New South Wales Attacks Researchers Who Found Internet Voting Vulnerabilities
https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities
A security flaw in New South Wales’ Internet voting system may have left as many as 66,000 votes vulnerable to interception and manipulation in a recent election, according to security researchers. Despite repeated assurances from the Electoral Commission that all Internet votes are “fully encrypted and safeguarded,” six days into online voting, Michigan Computer Science Professor J. Alex Halderman and University of Melbourne Research Fellow Vanessa Teague discovered a FREAK flaw that could allow an attacker to intercept votes and inject their own code to change those votes, all without leaving any trace of the manipulation.
But instead of taking the researchers’ message to heart, officials instead attacked the messengers.
The New South Wales (NSW) Internet voting system, iVote, was designed to make it easier for the disabled, residents not in NSW during voting hours, and rural residents 20 kilometers away from a polling location to vote. The problem is that the system was not ready to be one of the biggest online voting experiments in the world.
Sadly, NSW officials seemed more interested in protecting their reputations than the integrity of elections. They sharply criticized Halderman and Teague, rather than commending them, for their discovery of the FREAK attack vulnerability.
Criticizing Halderman and Teague for identifying security flaws in an Internet voting system is like criticizing your friend for pointing out that the lock on your front door doesn’t work.
As Verified Voting notes: “Current systems lack auditability; there’s no way to independently confirm their correct functioning and that the outcomes accurately reflect the will of the voters while maintaining voter privacy and the secret ballot.” Indeed, the researchers’ discovery was not the first indication that New South Wales was not ready for an Internet voting system.
Perhaps the Electoral Commission lashed out against Halderman and Teague because it has been forced to reckon with the potentially severe consequences of its flawed Internet voting system.
Tomi Engdahl says:
Cat Zakrzewski / TechCrunch:
In Snowden interview, John Oliver makes surveillance debate relatable by avoiding civil liberty hypotheticals, focusing on NSA’s ease of access to “dick pics”
John Oliver Just Changed The Surveillance Reform Debate
http://techcrunch.com/2015/04/06/john-oliver-just-changed-the-surveillance-reform-debate/#.utwu3c:WeKK
Remember Edward Snowden?
For many Americans who talked to John Oliver on Last Week Tonight, the answer is no.
It’s been almost two years since the world was captivated by Snowden’s leaks to The Guardian and The Washington Post about American surveillance programs. For weeks it seemed there was a new headline everyday about another previously classified surveillance program or another government official calling for action on this issue.
Although the Snowden leaks certainly proved to be much more than a “three-day story,” American surveillance practices remain largely the same two years later. The main difference is this issue no longer dominates our political discourse. In November, the FREEDOM Act — legislation under development for two years that would have overhauled NSA surveillance programs — died in a Senate procedural vote to little display.
Last night we found out Oliver’s HBO program was off last week because he was in Russia interviewing “the most famous hero and/or traitor in recent American history.” Oliver hit on many points that have been lacking in past interviews with the former government contractor.
Oliver’s interview is timely as we approach an important deadline for surveillance reform on June 1.
Online this morning, Twitter, Reddit and the expected publications were abuzz with how “John Oliver killed it” and or “slayed it” in this new segment.
Last summer we saw Oliver’s ability to captivate the public’s attention when it came to the complex, technical issue of net neutrality.
So what will the 33 minutes he spent on government surveillance reform do?
Ever able to make us laugh about even the driest news topics, Oliver changed the topic of discussion from vague hypotheticals about civil liberties to something tangible he knew many Americans would care about — dick pics.
“Well the good news is there’s no program named, ‘the dick pic program,’” Snowden said. “The bad news is they are still collecting everybody’s information, including your dick pics.”
Tomi Engdahl says:
‘Revenge porn’ site operator gets 18 yrs
Victims say nude photos posted online ruined their lives. Defendant said “it was just fun.”
http://www.utsandiego.com/news/2015/apr/03/kevin-bollaert-revenge-porn-case-sentencing/2/?#article-copy
While that may be true, it was the impact Bollaert’s actions had on the victims’ lives that persuaded the judge to sentence him to 18 years behind bars.
“At the beginning it was kind of fun and entertaining, but now it’s kind of ruining my life.”
During the sentencing, Boulan Austin disputed the defense’s assertion that Bollaert was copying behavior modeled by other website operators and did not know what he was doing was illegal.
“This man was told time and time again, ‘You are ruining my life,’”
The prosecutor said UGotPosted.com featured more than 10,000 photos, most of them of women in various states of undress. He told investigators he made approximately $900 per month from advertising on the site.
“My life has just gone through a down spiral,” said one woman.
“I’m homeless because of this. I lost my family.”
“This has been a daily struggle to get my life back together…,” another woman said. “My mental state is completely broken.”
Tomi Engdahl says:
Bitcoin development, coordinated by the Bitcoin Foundation, will not go fast. The Foundation recently dismissed 90 per cent of its workforce, and now the money has also run out. According to Olivier Janssens, who belongs to the Foundation’s Executive Committee, the Foundation is technically bankrupt.
Some of the employees dismissed by the Foundation will continue to work on a voluntary basis.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-07/Bitcoin-pomo-r%C3%A4j%C3%A4ytti-pommin-90-prosenttia-irtisanottiin-nyt-rahat-loppu-3218431.html
Tomi Engdahl says:
Mozilla Rolls Back Firefox 37’s Opportunistic Encryption Over Security Issue
http://news.slashdot.org/story/15/04/07/0426259/mozilla-rolls-back-firefox-37s-opportunistic-encryption-over-security-issue
Barely a week ago, Mozilla released Firefox 37, which had a key new feature called opportunistic encryption. The basic idea is that it will do some baseline encryption for data that would have otherwise been sent by a user via clear text. Unfortunately, Mozilla has already issued Firefox 37.0.1, which removes opportunistic encryption. A security vulnerability was reported in the underlying Alternative Services capability that helps to enable opportunistic encryption.