Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013: the Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity in the wake of the NSA revelations made in 2013, and there were lots of articles related to the published material. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage even to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT-related data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows them to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures that society relies on, including electric grids and oil and gas pipelines.
It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder could happen in 2015, since the tools for it are available. Cyber-murder could happen without us even knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to app stores. Within the next year, advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats these new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
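As an added example, not code from the original post, the following Python script shows the aggregation step the paragraph asks for: indicators from two feeds are merged into one normalised table (so a value reported by several sources gains corroboration) and then matched against a few log lines. The feed layout, the source names, the IP addresses, the domain and the hash are all constructed for the example; the JSON format is a simplified stand-in for STIX/TAXII-style exchange, not the real STIX schema.

```python
"""Aggregate threat indicators from several feeds and match them against logs.

Added example, not code from the original post. The feed layout is a
simplified, constructed stand-in for STIX/TAXII-style indicator exchange
(a JSON list of typed indicators per source), not the real STIX schema.
"""
import json
import re
from collections import defaultdict

# Constructed sample feeds. A vendor feed and a community feed overlap on
# one IP address, which is exactly the case aggregation is meant to surface.
FEED_VENDOR = json.dumps({
    "source": "vendor-a",
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.7", "description": "C2 beacon"},
        {"type": "domain", "value": "Update-Check.example", "description": "phishing"},
    ],
})
FEED_COMMUNITY = json.dumps({
    "source": "community",
    "indicators": [
        {"type": "ipv4", "value": "203.0.113.7", "description": "mass scanner"},
        {"type": "sha256", "value": "a" * 64, "description": "dropper (placeholder hash)"},
    ],
})

# Constructed sample log lines: two web-server access entries, one
# file-scan result and one DNS query record.
SAMPLE_LOGS = [
    '203.0.113.7 - - [08/Apr/2015:10:01:02 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.20 - - [08/Apr/2015:10:01:05 +0000] "GET / HTTP/1.1" 200 128',
    "scan host=ws01 file=invoice.exe sha256=" + "a" * 64,
    "dns query=update-check.example client=198.51.100.21",
]

# One regex per indicator type pulls candidate observables out of a log line.
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def aggregate(feeds):
    """Merge feeds into {(type, value): set(sources)}.

    Values are normalised to lower case so the same domain reported with
    different casing by two sources collapses into one entry, and the
    source set records how many independent feeds agree on an indicator.
    """
    merged = defaultdict(set)
    for raw in feeds:
        feed = json.loads(raw)
        for ind in feed["indicators"]:
            merged[(ind["type"], ind["value"].lower())].add(feed["source"])
    return merged


def match_logs(indicators, lines):
    """Return one hit per (line, indicator) pair found in the log lines."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for itype, regex in EXTRACTORS.items():
            for token in regex.findall(line):
                key = (itype, token.lower())
                if key in indicators:
                    hits.append({
                        "line": lineno,
                        "type": itype,
                        "value": key[1],
                        "sources": sorted(indicators[key]),
                    })
    return hits


if __name__ == "__main__":
    table = aggregate([FEED_VENDOR, FEED_COMMUNITY])
    for hit in match_logs(table, SAMPLE_LOGS):
        print(hit)
```

The point of keeping the source set per indicator is triage: a hit that two unrelated feeds agree on deserves attention before one that a single feed reported, and the same normalisation step is what lets intelligence from different publishers be combined at all.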
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is now carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that the normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within HTTPS. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
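Decrypt-and-re-encrypt interception is not the only way a gateway can apply policy to HTTPS: the TLS handshake itself carries the requested hostname (the SNI extension) in the clear before any encryption starts. The following Python module, an added example rather than code from the original post, parses that field out of a ClientHello with full bounds checking and makes an allow/block decision from it without touching the encrypted payload. The ClientHello builder exists only to construct test input; the hostnames and the block list are assumptions for the example.

```python
"""SNI extraction from a TLS ClientHello: policy on metadata, no decryption.
Added example, not code from the original post. The builder only constructs
test input; record layout per RFC 5246 (ClientHello) and RFC 6066 (SNI)."""
import struct

SNI_EXT = 0x0000   # server_name extension type

def build_client_hello(hostname, leading_extensions=b""):
    """Minimal TLS 1.2 ClientHello carrying an SNI extension (constructed input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    extensions = leading_extensions + struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (b"\x03\x03"                                   # client_version TLS 1.2
            + bytes(range(32))                             # random (fixed for determinism)
            + b"\x00"                                      # session_id length 0
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"   # two cipher suites
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def _u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def _parse_sni_extension(data):
    """First host_name entry of a server_name extension, or None."""
    if len(data) < 2:
        return None
    end = min(2 + _u16(data, 0), len(data))
    pos = 2
    while pos + 3 <= end:
        name_type, name_len = data[pos], _u16(data, pos + 1)
        name = data[pos + 3:pos + 3 + name_len]
        if len(name) != name_len:
            return None                                   # length runs past the data
        if name_type == 0:
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
        pos += 3 + name_len
    return None

def extract_sni(record):
    """SNI hostname from a ClientHello record; None if absent, truncated or malformed.
    Every length field is bounds-checked, so hostile input yields None, not an exception."""
    if len(record) < 5 or record[0] != 0x16:              # ContentType handshake
        return None
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:                      # HandshakeType client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                       # truncated handshake
    pos = 2 + 32                                          # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                  # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + _u16(body, pos)                            # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None                                       # no extensions block
    ext_end = pos + 2 + _u16(body, pos)
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_len > ext_end:
            return None
        if ext_type == SNI_EXT:
            return _parse_sni_extension(body[pos:pos + ext_len])
        pos += ext_len
    return None

def classify_flow(record, blocked_names):
    """Gateway decision from metadata alone; the encrypted payload is never touched."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"                                   # e.g. IP-literal connections
    return "block" if sni.lower() in blocked_names else "allow"
```

This gives name-level filtering without a private root certificate on every client and without the gateway ever holding plaintext, which is the trade-off to weigh against full interception: it cannot see what is inside the session, but it also cannot weaken it. Connections without SNI (IP literals, some older clients) need a separate rule, which is why the classifier reports them instead of silently allowing them.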
3,110 Comments
Tomi Engdahl says:
Council of Europe: Don’t spy on your staff, you naughty employers
Barking watchdog? More like a neighbour’s yapping poodle
http://www.theregister.co.uk/2015/04/07/save_staff_from_snooping_bosses_says_council_of_europe/
Private electronic communications at work should not be monitored under any circumstances says the Council of Europe (not-an-EU-institution™).
The organisation, which has 47 signatory countries, issued its latest recommendation on privacy at work to update its previous advice, which dates from 1989. You can’t accuse them of rushing into anything.
The recommendation – which is all the CoE can do, as it has no legislative powers – is aimed at both public and private sectors. In a nutshell it says that employers have no right to unreasonable interference with employees’ private lives even in the workplace.
It says that if bosses want to stop their employees using Facebook or other time-wasters, they should employ preventive measures such as filters to block sites, rather than monitor their use.
Furthermore, employers should let staff know if they are going to read “the professional electronic communications” and then only for “legitimate reasons”.
Tomi Engdahl says:
Popular crypto app uses XOR and nothing else, hacker says
First 128 bytes are scrambled. But after the credits, your sex tape is open to all
http://www.theregister.co.uk/2015/04/07/uberpopular_crypto_app_uses_xor_and_nothing_else_hacker_says/
A programmer has levelled stern criticism at the designers of a super popular encryption app they say fails its core purpose: encryption.
The programmer using the alias NinjaDoge24 ran analysis of the NQ Vault app, and said it used only XOR (exclusive operator) to safeguard files.
NQ Vault has been downloaded more than 10 million times on the Google Play store alone and is also available on iOS.
The company behind the app stands by its product, calling its security “appropriate” and adding that messages, chats, calls logs, and contact information is encrypted using AES-128.
“Image and video files are stored in a format not readily readable by other applications and can only be viewed in Vault after entering the correct password on the device,” the company says.
“These standards are appropriate for the consumer use cases this application is meant for.”
The programmer’s findings have led to critical reviews of the app on the Google Play store.
“Everything after the first 128 bytes remains untouched … Best encryption method ever.”
“The research suggests that the NQ’s Vault software attempts to only encrypt the first 128 bytes leaving the remainder of the file in the clear. If this is the case it should not be considered a mechanism to protect data,” Alcorn says.
“Encryption is hard, very hard! … This goes to re-emphasise one of the golden rules of secure development: do not create your own cryptographic functions.”
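The “only the first 128 bytes are touched” finding above is something any user or reviewer can check without reverse engineering: compare the stored file against the original and measure how much of it survives unchanged. The following Python script is an added example, not code from the article or from NQ Vault; toy_vault_lock imitates the behaviour described (XOR on the first 128 bytes, rest untouched) so the audit has a failing case, and the random-keystream function is a stand-in for a real cipher, used only to show what a fully transformed file looks like to the same check. The sample file and key are constructed.

```python
"""Check whether a 'vault' really transforms the whole file.

Added example, not code from the article or from NQ Vault. toy_vault_lock
imitates the behaviour the researcher describes (only the first 128 bytes
XORed, the rest untouched) so the audit has something to catch; the
random-keystream 'good' case is a stand-in for a real cipher such as AES,
used only to show what a fully transformed output looks like to the audit.
"""
import math
import os
from collections import Counter

# Constructed sample file: 1024 bytes of low-entropy, text-like content.
SAMPLE_FILE = (b"The quick brown fox jumps over the lazy dog. " * 30)[:1024]
HEAD = 128


def toy_vault_lock(data, key):
    """XOR only the first HEAD bytes with a repeating key; leave the tail as-is."""
    head = bytes(b ^ key[i % len(key)] for i, b in enumerate(data[:HEAD]))
    return head + data[HEAD:]


def random_keystream_lock(data):
    """Stand-in for a proper cipher: XOR every byte with fresh random bytes."""
    return bytes(b ^ k for b, k in zip(data, os.urandom(len(data))))


def shannon_entropy(chunk):
    """Bits per byte of a chunk; 8.0 is the maximum for byte data."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def audit_ciphertext(plaintext, ciphertext, window=HEAD):
    """Window-by-window comparison: fraction of bytes unchanged and output entropy."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext lengths differ")
    report = []
    for off in range(0, len(plaintext), window):
        p, c = plaintext[off:off + window], ciphertext[off:off + window]
        unchanged = sum(1 for a, b in zip(p, c) if a == b) / len(p)
        report.append({"offset": off, "unchanged": round(unchanged, 3),
                       "entropy": round(shannon_entropy(c), 2)})
    return report


def fraction_in_clear(plaintext, ciphertext):
    """Overall share of ciphertext bytes identical to the plaintext."""
    same = sum(1 for a, b in zip(plaintext, ciphertext) if a == b)
    return same / len(plaintext)


def leaks_plaintext(report, threshold=0.5):
    """True if any window is mostly untouched, which no real cipher produces."""
    return any(w["unchanged"] > threshold for w in report)


if __name__ == "__main__":
    weak = toy_vault_lock(SAMPLE_FILE, b"s3cret")
    for w in audit_ciphertext(SAMPLE_FILE, weak):
        print(w)
    print("toy vault leaks plaintext:", leaks_plaintext(audit_ciphertext(SAMPLE_FILE, weak)))
    strong = random_keystream_lock(SAMPLE_FILE)
    print("random keystream leaks plaintext:", leaks_plaintext(audit_ciphertext(SAMPLE_FILE, strong)))
```

For the toy scheme the first window shows 0% unchanged bytes and every later window 100%, so seven eighths of the file is in the clear; a real cipher leaves only the chance coincidences (about 1 byte in 256) unchanged in every window. Entropy alone is a weaker signal here, since a text-like file XORed with a short key stays low-entropy, which is why the audit reports the unchanged fraction first.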
Tomi Engdahl says:
Consent That Goes Both Ways
http://www.linuxjournal.com/content/consent-goes-both-ways
Whatever your opinions about Do Not Track, set them aside for a minute and just look at what the words say and who says them.
It’s easy to lay the blame on lack of agreement about what Do Not Track does, or should do, and how. But the real problem is deeper: in the power asymmetry of client-server
Very few commercial sites give consent to users of any meaningful kind—except, perhaps, as legal butt-covering.
And there are few ways for individuals to express the desire for consent, especially around privacy. (Do Not Track is just one of them.) Basically we travel the Web naked, unless we’re wizards (such as Linux Journal readers) who know how to secure their on-line homes, wear the right protective clothing and customize their own vehicles.
Tomi Engdahl says:
The Problem With Using End-to-End Web Crypto as a Cure-All
http://it.slashdot.org/story/15/04/06/2148226/the-problem-with-using-end-to-end-web-crypto-as-a-cure-all
Since the Snowden revelations, end-to-end web encryption has become trendy.
The problem is that a decade of research shows that users habituate to these icons and come to ignore them. An attacker can pull off UI spoofing with a 90%+ success rate.
End-To-End Web Crypto: A Broken Security Model
https://www.indolering.com/e2e-web-crypto
Researchers have been testing the efficacy of security iconography for over a decade, and the results are dismal.
Increasing the size and prominence of the security indicator will not decrease the failure rate to acceptable levels.
The fundamental issue is that human cognition has limits: we cannot process unlimited amounts of information. The assumptions made by the security model underpinning security iconography ignores a decade of behavioral studies and runs counter to 50 years of cognitive psychological research.
The inability to effectively mitigate user interface spoofing attacks cripples the usability of these bolted-on E2E interfaces. They must lift the new message and reply UI elements out of the browser chrome. They must also create a distinct contact manager to handle public keys. The only thing left is detecting encrypted messages, which Mailvelope decrypts and displays in an iFrame. I’m not sure that even this is safe, since the service provider could display a “Reply Securely” button over the decrypted message.
A website is a very hostile environment to be operating in.
On the web, the best we can do is ensure a secure connection and valid DNS information; trust in the service provider should be assumed. With traditional software systems, we can use reproducible build systems to distribute trust and security audits to increase the cost of backdooring software. But without a clear separation between the messaging system and the software used to retrieve messages, we cannot build usable messaging systems that deploy end-to-end encryption. Any user interface that is secure against UI spoofing will only be a step above manually copying and pasting in the ciphertext.
But one of the many lessons Snowden has taught us is that the only thing worse than bad security is the illusion of good security. Such solutions should not be used by high-risk groups until they can prove that they can reliably defend against malicious service providers. Until then, vendors of such software have a moral duty to try and prevent users from high risk groups from using their software.
Tomi Engdahl says:
Viewing CCTV on every street corner
http://hackaday.com/2012/07/20/viewing-cctv-on-every-street-corner/
2.4 GHz video transmitters are everywhere these days, in many, many products ranging from baby monitors to CCTV setups. Surprisingly, most owners of these video devices don’t realize they’re transmitting an unencrypted video signal, a belief [Benjamin] hopes to rectify.
[Ben]’s project started with him driving around cities recording unencrypted 2.4GHz video feeds. His idea has since expanded to include building metal boxes with an LCD display and attaching them to light poles.
Tomi Engdahl says:
Can’t patch this: Mozilla pulls encryption feature after just a WEEK
Stop right there. This thing ain’t ready
http://www.theregister.co.uk/2015/04/07/mozilla_crypto_encryption_snafu_pull/
Mozilla has pulled Firefox 37′s opportunistic encryption feature after less than a week when it learned that tech designed to enhance security actually broke SSL certificate validation.
A simple patch wouldn’t do the trick, so Mozilla opted to release an update, Firefox 37.0.1, that removed opportunistic encryption.
Going into reverse ferret mode and stripping out technology that evidently wasn’t ready for prime time is a little embarrassing for Mozilla even though this is the responsible action to take in the circumstances.
Mozilla correctly labels Firefox 37.0.1 as a critical update.
Opportunistic encryption offers some basic encryption of data previously sent as clear text.
The CVE-2015-0799 bug in Mozilla’s HTTP Alternative Services implementation – discovered by security researcher Muneaki Nishimura – left surfers vulnerable to man-in-the-middle attacks that involved hackers impersonating genuine sites.
Mozilla plans to re-introduce opportunistic encryption once it irons out the wrinkles
Tomi Engdahl says:
Personal Data Theft Risk in Chrome Extension Found by ScrapeSentry
http://www.sourcewire.com/news/86782/personal-data-theft-risk-in-chrome-extension-found-by-scrapesentry#.VSPX1-FLZ4B
Researchers at leading anti-scraping and IT security specialists ScrapeSentry have uncovered a sinister side effect to a free app which over one million Google Chrome users have downloaded, and which potentially leaks their personal information back to a single IP address in the USA.
Webpage Screenshot, which is available in the official Google Chrome Extension web store has now been downloaded by over 1.2 million users. The extension allows users to take a screen capture and store it. But hidden in it is a menacing data theft capability.
“The repercussions of this could be quite major for the individuals who have downloaded the extension. What happens to the personal data and the motives for wanting it sent it to the US server is anyone’s guess, but ScrapeSentry would take an educated guess it’s not going to be good news.”
Tomi Engdahl says:
Your Porn Is Watching You
http://motherboard.vice.com/read/your-porn-is-watching-you
Thirty million Americans regularly watch porn online, according to the Wall Street Journal. That’s a lot more than fess up to it, even in anonymous surveys: In 2013, just 12 percent of people asked copped to watching internet porn at all. But thanks to pervasive online tracking and browser fingerprinting, the brazen liars of America may not have a say in whether their porn habits stay secret. Porn watchers everywhere are being tracked, and if software engineer Brett Thomas is right, it would be easy to out them, along with an extensive list of every clip they’ve viewed.
“If you are watching porn online in 2015, even in incognito mode, you should expect that at some point your porn viewing history will be publicly released and attached to your name,” Thomas proclaimed in a blog post titled “Online Porn Could Be the Next Big Privacy Scandal,” shortly after.
Thomas’s case went something like this: Your browser (Chrome, Safari, whatever) has a very unique configuration, and it broadcasts all sorts of information that can be used to identify you as you click around the web. You’re basically leaving “footprints,”
Thomas argued that “almost every traditional website that you visit saves enough data to link your user account to your browser fingerprint, either directly or via third parties.”
This, of course, has any number of damaging implications
“Private browsing modes don’t prohibit all cross-service tracking mechanisms.”
incognito mode does “virtually zero to stop this tracking”
“From a technical perspective, it’s incredibly hard to ensure zero traceability,” Brookman told me. “After all, we are always tethered to an IP address that could potentially be identified through ISP records.
“The far more likely scenario is just that a porn company gets hacked and credit-card data is stolen. If this were the case I think that an attacker would be more likely to sell the credit-card information than release it online ‘for the lulz,’”
“Unfortunately anonymity is just fundamentally incompatible with Javascript and the open web,”
Online Porn Could Be The Next Big Privacy Scandal
http://brettpthomas.com/online-porn-could-be-the-next-big-privacy-scandal.html
How is this possible?
This is an uncomfortable topic to talk/write about, which perhaps contributes to how we’ve arrived at the current state. So, to understand the threat, start with some technical considerations:
Browser footprints: Web browsers leave an essentially unique footprint every time you visit a web page, even in Incognito mode (and even without supercookies). This is well established; many web tools such as Panopticlick will confirm that you give a website lots of information about your computer every time you visit.
Global identifiers: Linking your browser footprint on one website to your footprint on another website – or to a previous footprint on the same website – is straightforward. You should think of your browser footprint as a persistent global identifier, and this is particularly true if you don’t take any measures to hide your IP address (eg. a VPN). The EFF has an excellent technical overview of how this works.
User tracking: Tracking web users is super valuable, so almost every traditional website that you visit saves enough data to link your user account to your browser fingerprint, either directly or via third parties. The Economist ran an overview of user tracking in September. (Though, interestingly, there is no mention of adult websites.)
Hacking is ubiquitous: We hear about data breaches that involve tangible harm – Target, Anthem, TurboTax – but not the (likely great majority) of cases when hackers don’t want additional exposure. Or, paraphrasing the FBI director: There are two types of companies…those that know they’ve been hacked…and those that don’t know they’ve been hacked.
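The “bits of identifying information” measure that the EFF’s Panopticlick study uses for the browser footprint described above is simple to compute: the fewer browsers share an attribute value, the more surprising, and therefore the more identifying, that value is. The following Python script is an added example, not code from the post or from the EFF; the eight-visitor population and its attribute values are constructed, and a real fingerprint uses far more attributes, but the arithmetic is the same.

```python
"""Quantify how identifying a set of browser attributes is.

Added example, not code from the original post or from the EFF. The
population is constructed; real fingerprinting uses far more attributes,
but the arithmetic (surprisal = -log2 of the share of browsers sharing a
value) is the measure the Panopticlick study reports as 'bits of
identifying information'.
"""
import math
from collections import Counter

FIELDS = ("user_agent", "timezone", "screen", "fonts_hash")

# Constructed sample population: eight visitors as a site might log them.
POPULATION = [
    ("Chrome/41 Win", "UTC+2", "1920x1080", "f1"),
    ("Chrome/41 Win", "UTC+2", "1920x1080", "f1"),
    ("Chrome/41 Win", "UTC-5", "1366x768", "f2"),
    ("Firefox/37 Linux", "UTC+2", "1920x1080", "f3"),
    ("Safari/8 Mac", "UTC-8", "2560x1440", "f4"),
    ("Chrome/41 Win", "UTC+2", "1366x768", "f1"),
    ("Firefox/37 Win", "UTC+0", "1920x1080", "f5"),
    ("Chrome/41 Android", "UTC+5", "360x640", "f6"),
]


def _project(record, fields):
    """Keep only the chosen attributes of a visitor record."""
    return tuple(record[FIELDS.index(f)] for f in fields)


def attribute_entropy(population, field):
    """Shannon entropy (bits) of one attribute across the population."""
    n = len(population)
    counts = Counter(_project(rec, (field,)) for rec in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint_surprisal(population, visitor, fields=FIELDS):
    """Bits of identifying information in the visitor's combination of attributes."""
    key = _project(visitor, fields)
    matches = sum(1 for rec in population if _project(rec, fields) == key)
    return math.log2(len(population) / max(matches, 1))   # unseen combos count as unique


def one_in_how_many(population, visitor, fields=FIELDS):
    """Panopticlick-style statement: 'one in X browsers share this fingerprint'."""
    return 2 ** fingerprint_surprisal(population, visitor, fields)


def unique_fraction(population, fields=FIELDS):
    """Share of visitors whose attribute combination is unique in the population."""
    counts = Counter(_project(rec, fields) for rec in population)
    unique = sum(1 for rec in population if counts[_project(rec, fields)] == 1)
    return unique / len(population)


if __name__ == "__main__":
    for field in FIELDS:
        print(f"{field:<11} {attribute_entropy(POPULATION, field):.2f} bits")
    for visitor in POPULATION:
        print(visitor, f"one in {one_in_how_many(POPULATION, visitor):.0f}")
    print("unique with all fields:", unique_fraction(POPULATION))
    print("unique with user agent only:", unique_fraction(POPULATION, ("user_agent",)))
```

The useful comparison is between the last two lines of output: the user agent alone singles out half of this population, and combining four attributes makes three quarters of it unique. The same calculation run on a site’s own logs tells a defender how much tracking power the attributes it collects actually carry, which is the first step in deciding which of them to stop collecting or to coarsen.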
Tomi Engdahl says:
SingTel to Buy U.S. Cybersecurity Firm Trustwave for $810 Million
SingTel is buying 98% of the equity of Trustwave, with the balance remaining with CEO Robert J. McCullen
http://www.wsj.com/article_email/singtel-to-buy-u-s-cybersecurity-firm-trustwave-for-810-million-1428448299-lMyQjAxMTE1MjA0NzMwNTcxWj
Singapore Telecommunications Ltd. Wednesday said it would buy Trustwave, a U.S. managed-security services specialist, in a deal valued at $810 million as it seeks to expand.
SingTel, Southeast Asia’s biggest telecommunications firm by revenue
Trustwave is the largest independent managed security services provider in North America, with a presence in Europe and Asia Pacific, SingTel said in a statement to Singapore Exchange. Its services include threat management, vulnerability management and compliance management.
“We aspire to be a global player in cybersecurity.”
Tomi Engdahl says:
Anonabox Recalls 350 ‘Privacy’ Routers for Security Flaws
http://www.wired.com/2015/04/anonabox-recall/
The project to build a tiny, anonymity-focused router known as Anonabox has overcome plenty of hurdles to get to market: critics who pointed to gaping flaws in its promised security, others who argued that it was a mere repackaging of stock Chinese hardware, and eventually Kickstarter’s decision to freeze its $600,000 fundraising campaign. But even after a second, more successful fundraiser, its acquisition by a larger tech firm, and the milestone of shipping the first batches of routers to customers, it turns out that Anonabox should have listened more closely to its detractors.
Late last month, Anonabox began contacting the first round of customers who bought its tiny, $100 privacy gadget to warn them of serious security flaws in the device, and to offer to ship them a more secure replacement free of charge.
the company has confirmed to WIRED that its first batch lacked basic password protection, with no way to keep out unwanted users in Wi-Fi range.
The two flaws combined make the affected devices “downright dangerous to use,” says the security researcher and consultant who uncovered them, Lars Thomsen. “This is worse than not using any privacy device at all. Anyone in range can listen to your traffic without you noticing,” Thomsen says. “Anyone can gain access to the device and install a sniffer to capture all that traffic.”
Tomi Engdahl says:
Russia hacked White House, stole President Obama’s schedule – CNN
http://www.fxstreet.com/news/forex-news/article.aspx?storyid=84fa3aa1-eb49-4fdc-b59a-f85ab9770298
CNN is reporting that Russia hacked White House communications to steal information on President Obama’s schedule.
Report: Russians hacked White House computers
http://www.miamiherald.com/news/nation-world/world/article17778128.html
WASHINGTON
Russians are responsible for infiltrating the State Department and White House computer systems in recent months, CNN reported Tuesday.
The report says the hackers had access to non-classified, sensitive information, such as the president’s schedule, by first breaking into the State Department.
The Obama administration had acknowledged suspicious activity in the unclassified network that serves the executive office of the president in October, but had not said who was behind it.
On Tuesday, the White House again declined to comment on who is responsible.
How the U.S. thinks Russians hacked the White House
http://edition.cnn.com/2015/04/07/politics/how-russians-hacked-the-wh/index.html
Russian hackers behind the damaging cyber intrusion of the State Department in recent months used that perch to penetrate sensitive parts of the White House computer system, according to U.S. officials briefed on the investigation.
While the White House has said the breach only affected an unclassified system, that description belies the seriousness of the intrusion. The hackers had access to sensitive information such as real-time non-public details of the president’s schedule. While such information is not classified, it is still highly sensitive and prized by foreign intelligence agencies, U.S. officials say.
The FBI, Secret Service and U.S. intelligence agencies are all involved in investigating the breach, which they consider among the most sophisticated attacks ever launched against U.S. government systems. The intrusion was routed through computers around the world, as hackers often do to hide their tracks, but investigators found tell-tale codes and other markers that they believe point to hackers working for the Russian government.
Tomi Engdahl says:
The Bitcoin Foundation, which has received tightening criticism, denies being on the verge of bankruptcy. The economic situation is still tight, because the Foundation coordinating Bitcoin development has suffered significant financial losses from the virtual currency’s decline in value.
“The Bitcoin price decline significantly affected the Foundation’s financial situation, as most of the funds were invested in Bitcoin”
At the end of 2013 it said it had about 4.5 million dollars, which at the rate at that time meant about 6,000 Bitcoin. At the current rate their value would be only 1.5 million dollars.
The virtual currency’s decline in value is not the only reason for the plight; money was also used on ambitious projects which were subsequently stopped before producing results.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-08/Bitcoinin-arvonlasku-s%C3%B6i-p%C3%A4%C3%A4kehitt%C3%A4jien-varat—miljoonia-katosi-kassasta-3218475.html
Tomi Engdahl says:
FBI to WordPress users: patch now before ISIL defaces you
It’s good advice – another holey plug-in’s just been popped
http://www.theregister.co.uk/2015/04/08/supercache_goes_ballistic_word_press_is_atrocious/
The United States Federal Bureau of Investigation (FBI) has issued a warning to WordPress users: hurry up and patch your content management system before your web site is defaced by ISIL sympathisers.
The Bureau has issued a notice titled “ISIL defacements exploiting WordPress vulnerabilities” in which it warns that “Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS).”
“The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites,” the notice says. “Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.”
The good news is that the Bureau thinks the perps are not ISIL members, but sympathisers. It nonetheless advises WordPress users to get their heads around security and patch plugins ASAP.
It’s sound advice: Sucuri researcher Alexandre Montpas is warning of a persistent cross-site scripting vulnerability in the WordPress Super Cache plugin that allows up to a million sites to be hijacked.
Montpas reveals the bug affecting versions below 1.4.3 which have been downloaded more than a million times according to WordPress statistics.
WordPress hacking is a favourite pastime of lazy hackers and exploit-kit slingers who seek to achieve maximum carnage for minimum effort.
Tomi Engdahl says:
Cisco pitches security for SMEs
ASA plus FirePOWER for the rest of us
http://www.theregister.co.uk/2015/04/08/cisco_pitches_security_for_smes/
Small and/or medium businesses and branch offices rejoice: Cisco has joined the ranks of vendors deciding you warrant security you can afford.
As incidents like the Target “hack” demonstrated, a small contractor can easily provide a path into an enterprise network, so one of the key chunks of The Borg’s latest announcement is to push its ASA/FirePOWER combo down the food chain somewhat.
As Cisco Australia’s security sales honcho Anthony Stitt explained to Vulture South, the Adaptive Security Appliance line first got FirePOWER integration last September.
The latest announcement, Stitt said, is to offer “the same services and capabilities … in a form factor and price point for the SME and the branch office”.
Tomi Engdahl says:
Security in Three Ds: Detect, Decide and Deny
http://www.linuxjournal.com/content/security-three-ds-detect-decide-and-deny
Whenever a server is accessible via the Internet, it’s a safe bet that hackers will be trying to access it. Just look at the SSH logs for any server you use, and you’ll surely find lots of “authentication failure” lines, originating from IPs that have nothing to do with you or your business. Brute-force attempts (such as “dictionary attacks”) try different passwords over and over to try to get into your box, and there’s always a chance that they eventually will succeed. Thus, it’s a good idea to apply these “three Ds” for your security: detect intruder attempts, decide when they’ve gone “over the top” (past what would be acceptable for honest-to-goodness typing mistakes), and deny them access at least for a (longish!) while.
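As an added example (not code from the Linux Journal article), here is the three-Ds loop applied to sshd log lines: detect authentication failures per source address, decide when they pass a threshold inside a sliding window, and deny that address for a fixed period. The log lines, addresses and threshold values are constructed for illustration.

```python
# Added example (not from the Linux Journal article): the three Ds applied to
# sshd log lines. Detect failures per source IP, decide when they exceed a
# threshold inside a sliding window, deny for a fixed period.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two common OpenSSH failure lines. Some sshd/PAM setups log BOTH for a single
# attempt; on such hosts keep only one pattern so attempts are not double-counted.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3})")
PAM_RE = re.compile(r"authentication failure;.*\brhost=(?P<ip>\d+(?:\.\d+){3})")
# syslog timestamp, e.g. "Apr  8 10:01:02" (syslog omits the year)
STAMP_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def parse_failure(line, year=2015):
    """Return (timestamp, source_ip) for an sshd failure line, else None."""
    stamp = STAMP_RE.match(line)
    hit = FAILED_RE.search(line) or PAM_RE.search(line)
    if not stamp or not hit:
        return None
    when = datetime.strptime(
        f"{year} {stamp['mon']} {stamp['day']} {stamp['time']}", "%Y %b %d %H:%M:%S")
    return when, hit["ip"]


class ThreeDs:
    """Detect, decide and deny with a per-IP sliding window."""

    def __init__(self, threshold=5, window=timedelta(minutes=10), ban=timedelta(hours=1)):
        self.threshold = threshold          # failures tolerated as honest typing mistakes
        self.window = window                # ...within this much time
        self.ban = ban                      # the "longish while" access is denied for
        self.attempts = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned = {}                    # ip -> ban expiry time

    def observe(self, line):
        """Feed one log line. Returns (ip, banned_at) when a deny decision is made."""
        parsed = parse_failure(line)
        if parsed is None:
            return None                      # not a failure line: nothing to detect
        when, ip = parsed
        if ip in self.banned and self.banned[ip] > when:
            return None                      # already denied; the firewall should be dropping it
        recent = self.attempts[ip]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:    # decide: this is past honest mistakes
            self.banned[ip] = when + self.ban
            recent.clear()
            return ip, when
        return None

    def active_bans(self, now):
        """IPs still denied at time `now` (expired bans are dropped)."""
        self.banned = {ip: exp for ip, exp in self.banned.items() if exp > now}
        return sorted(self.banned)

    def hosts_deny_lines(self, now):
        """Render active bans as TCP-wrapper style /etc/hosts.deny entries."""
        return [f"sshd: {ip}" for ip in self.active_bans(now)]


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Apr  8 10:00:01 gw sshd[1200]: Accepted publickey for alice from 203.0.113.9 port 50122 ssh2
Apr  8 10:00:10 gw sshd[1201]: Failed password for bob from 203.0.113.9 port 50130 ssh2
Apr  8 10:00:14 gw sshd[1201]: Failed password for bob from 203.0.113.9 port 50130 ssh2
Apr  8 10:01:02 gw sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 41002 ssh2
Apr  8 10:01:03 gw sshd[1211]: Failed password for invalid user oracle from 198.51.100.7 port 41003 ssh2
Apr  8 10:01:03 gw sshd[1212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Apr  8 10:01:04 gw sshd[1213]: Failed password for root from 198.51.100.7 port 41004 ssh2
Apr  8 10:01:05 gw sshd[1214]: Failed password for root from 198.51.100.7 port 41005 ssh2
Apr  8 10:01:06 gw sshd[1215]: Failed password for root from 198.51.100.7 port 41006 ssh2
Apr  8 10:30:00 gw sshd[1300]: Failed password for carol from 192.0.2.44 port 50200 ssh2
"""


def run_sample(log=SAMPLE_LOG):
    """Replay a log through ThreeDs; returns (deny decisions, detector)."""
    detector = ThreeDs()
    decisions = [d for d in map(detector.observe, log.splitlines()) if d]
    return decisions, detector


if __name__ == "__main__":
    decisions, detector = run_sample()
    for ip, at in decisions:
        print(f"deny {ip} from {at:%H:%M:%S} for {detector.ban}")
    print("\n".join(detector.hosts_deny_lines(datetime(2015, 4, 8, 10, 30))))
```

Two typos from 203.0.113.9 stay under the threshold, while the burst from 198.51.100.7 is denied on its fifth failure; in a real deployment the rendered entries would be fed to hosts.deny or a firewall rule and removed again when the ban expires.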
Tomi Engdahl says:
Your home automation things are a security nightmare
Veracode tests leave lazy devs red-faced
http://www.theregister.co.uk/2015/04/08/your_home_automation_things_are_a_security_nightmare/
It’s not just home broadband routers that have hopeless security: according to security outfit Veracode, cloudy home automation outfits also need to hang their collective heads in shame.
With nothing but standard by-the-manual configurations and network traffic capture – but with no attacks against the devices or the cloud services – the testers reckon they turned up a variety of vulnerabilities in kit from Chamberlain Group, SmartThings, Ubi and Wink.
It seems that if you’re the kind of uber-lazy gadget-fan who can’t imagine pressing a button to do something when voice control is possible, you’re matched by uber-lazy device developers. Veracode found that all but one of the devices it tested failed even its non-hostile vulnerability tests.
Tomi Engdahl says:
Google Ads go NUCLEAR, foist exploit kit
Choc Factory puts boot into hacked ads
http://www.theregister.co.uk/2015/04/08/google_ads_go_nuclear_foist_exploit_kit/
Security bod Maarten van Dantzig says a large number of Google ads sold through Bulgarian reseller EngageLab have been pointing users to the dangerous Nuclear exploit kit.
The Fox-IT binary basher found the campaign, which may at the time of writing have been subject to the Choc Factory’s boot, could result in a “very large” number of attacks.
Victims could be compromised over Adobe Flash, Java, and Microsoft’s lonely orphan Silverlight.
Nuclear exploit kit redirection was first observed overnight targeting Fox-IT customers, van Dantzig says.
Tomi Engdahl says:
Fake Pirate Bay site pushes banking Trojan to WordPress users
Pirated pirate site springs ‘You’ve been iFramed’ drive-by surprise
http://www.theregister.co.uk/2015/04/01/fake_pirate_bay_malware_scam/
Multiple WordPress sites are being redirected to a Pirate Bay copycat which in turn was being used to sling malware, anti-malware firm Malwarebytes warns.
Several WordPress sites were injected with the same iframe over the last few days as part of an attack ultimately geared towards serving content from sites such as thepiratebay(dot)in(dot)ua. This is not the officially maintained Pirate Bay mirror site, but rather a clone set up through The Open Bay project by hackers rather than file sharers.
Tomi Engdahl says:
Why CSI: Cyber Matters
http://entertainment.slashdot.org/story/15/04/07/2315256/why-csi-cyber-matters
CSI: Cyber has been the butt of many jokes in the infosec community since its inception. But in addition to facilitating lots of cyber bingo events and live tweets to call out technical errors, the show has real value in bringing awareness about infosec issues to the masses.
Why CSI: Cyber Matters
http://www.cyberdefensereview.org/2015/04/07/csi-cyber/
CSI: Cyber is getting beat-up by the information security community and at first we went along for the ride. You have to admit it is fun to play cyber bingo, live tweet during the show, or critique the technical inconsistencies, but there is something more here, something very important. The security community has long fought an uphill and losing battle to recruit new talent and educate users about the risks of information security. CSI: Cyber offers the potential to do just that, and on a massive scale. It also has the potential to spread Fear, Uncertainty and Doubt (FUD) and scare the masses, and our lawmakers, into reactions that would be counterproductive.
CSI: Cyber offers the infosec community a tremendous opportunity to raise public awareness, educate, and inspire the next generation of information security professionals.
Tomi Engdahl says:
Depression can strike on Facebook – “Even more problems”
While Facebook can be a great tool to stay in touch with friends, its use can also lead you to compare your life with the experiences and achievements others share. University of Houston researcher Mai-Ly Steers says that social comparison and the time spent on Facebook can be linked to symptoms of depression, reports Science Daily.
“It does not mean that Facebook causes depression, but there is a connection between depressive feelings, Facebook, and the time spent comparing oneself to others,” Steers said.
“Many of our friends on Facebook share the good things happening in their lives and leave out the bad. If we compare ourselves only with our friends’ highlights, it can give the impression that their lives are better than ours and increase the problem even further.”
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-08/Facebookissa-voi-iske%C3%A4-masennus—%E2%80%9DLis%C3%A4%C3%A4-ongelmia-entisest%C3%A4%C3%A4n%E2%80%9D-3218471.html
More: http://www.sciencedaily.com/releases/2015/04/150406144600.htm
Tomi Engdahl says:
A MILLION Chrome users’ data was sent to ONE dodgy IP address
Chocolate Factory stays silent as infosec bods reveal badness
http://www.theregister.co.uk/2015/04/08/one_million_chrome_users_data_stolen_browser_extension/
A team of security researchers have found malware in a popular Chrome extension which may have sent the browsing data of over 1.2m users to a single IP address.
ScrapeSentry credits its researchers with uncovering “a sinister side-effect to a free app [...] which potentially leaks [users'] personal information back to a single IP address in the USA”.
“Everything downloaded from the internet needs to be treated with suspicion, it’s a good idea to look what others have to say about programs and extensions first if you don’t have the knowledge to pick them apart yourself.”
A spokesman for Webpage Screenshot told the BeeB there was nothing malicious about the data it gathered.
Users could opt out of sharing data, he said.
http://www.bbc.co.uk/news/technology-32206511
Tomi Engdahl says:
Tories’ mandatory age-check plans could make online porn more expensive
Cost of the technology would likely be passed on to viewers
http://www.theinquirer.net/inquirer/news/2402865/tories-mandatory-age-check-plans-could-make-online-porn-more-expensive
THE CONSERVATIVE PARTY plans to introduce mandatory age-checks on porn websites if re-elected in May, following last year’s hugely unpopular plans to introduce filters on such content.
Culture secretary Sajid Javid announced on Tuesday that an independent regulator would work with websites to verify users’ ages using as-yet-unspecified methods.
“Imagine a 12-year-old boy being allowed to walk into a sex shop and leave with a DVD”
“In 2015 anyone, regardless of their age, is only ever two clicks away from the kind of material that would be kept well away from young eyes in the high street.”
There are no further details as to how the age-checks will work, but experts have warned that a mandatory system could be costly and difficult to implement.
Tomi Engdahl says:
Windows XP is still clinging on, one year later
Some organisations are going to get stung for millions
http://www.theinquirer.net/inquirer/news/2402985/windows-xp-is-still-clinging-on-one-year-later
365 DAYS have passed since Windows XP, the stalwart operating system beloved and hated in equal measure by computer users from Bali to Broadstairs, popped its clogs after Microsoft elected to pull the final plug.
The operating system moved from the ‘extended support’ to ‘end of life’ phase on 8 April 2014, meaning that Microsoft would no longer offer any sort of protection or security updates for the software.
But Windows XP hasn’t gone quietly. A user-created Service Pack 4 was produced to increase the lifespan of the operating system for consumers, while many organisations that had failed to heed the warnings ended up paying large sums of money to Microsoft for continuing bespoke support.
Windows XP gets an unofficial Service Pack 4
Developer community steps into Microsoft’s shoes
http://www.theinquirer.net/inquirer/news/2362314/windows-xp-gets-an-unofficial-service-pack-4
Tomi Engdahl says:
Hacks on critical infrastructure are more common than you think
54 percent of American firms have seen ‘attempts to manipulate their equipment’
http://www.theinquirer.net/inquirer/news/2402978/hacks-on-ciritcal-infrastructure-are-more-common-than-you-think
HACKERS WHO SEEK to destroy, rather than steal, important data and launch attacks on systems that control major critical infrastructure are more common than widely believed, a report from the Organisation of American States has revealed.
The report was given to Reuters ahead of publication and quoted the results of a poll of critical infrastructure companies and agencies in crucial sectors throughout North and South America.
Almost a third of the respondents were public entities, principally in the communications, security and finance industries.
The figures show that 40 percent of the organisations that responded had battled attempts to shut down their computer networks, while 44 percent had dealt with bids to delete files.
A disturbing 54 percent of those surveyed had encountered “attempts to manipulate” equipment through a control system.
Even more worrying is that just 60 percent of the 575 companies polled had detected any attempts to steal data, long considered the predominant hacking goal.
The report suggests that cyber attacks on infrastructure are not so widely known, but they are certainly not unheard of.
Tomi Engdahl says:
Household and industrial intelligent systems in the firing line
Industrial and home automation systems are increasingly exposed unprotected on the Internet. General information security practices and principles do not necessarily apply to automation systems, as they are sensitive entities. In addition, automation’s effects in the physical world require extensive risk assessment.
An automation system means a package of personnel, equipment and computer software which regulates some part of the physical world or a process, or collects and presents information about it.
Most of the additional benefits of automation systems are obtained by connecting them to data networks, in which case they can be remotely managed and real-time information about their activities can be obtained.
Many smart devices can be considered home automation systems.
By watching poorly protected home automation systems, burglars can pick as their targets apartments whose inhabitants are, for example, traveling. In particular, burglar alarms are often connected to the Internet, either directly or through a mobile network.
A building automation system means the information technology controlling a building’s equipment. Typically, such systems control ventilation, heating, lighting or automatic access control. For building automation decoupled from traditional data networks, information security could be handled by stand-alone physical security. If the system is connected to the network, a cyber attack surface is exposed. Building automation devices are used in a variety of buildings, from single-family houses to large commercial real estate.
Building automation systems interest potential attackers not only for information useful in physically preparing a burglary, but also as an intermediate step in a data breach.
Industrial automation systems enhance the productivity of work.
Industrial automation systems have been part of corporate information systems for the past twenty years. Integration is nowadays often done with techniques used on the Internet. On the one hand this facilitates the implementation of the systems, but it also enables attacks against them and their abuse.
Causing direct damage is only one possible goal of cyber attacks. Industrial automation systems also contain a lot of confidential information, which can be valuable for industrial espionage.
Special information security features of industrial automation include:
Disturbances can have serious direct effects in the physical world. An improperly functioning automation system may, for example, cause irreversible damage to the environment.
Automation systems have long life cycles and special software. The security requirements set by the modern networked world were not taken into account in the development of old hardware and software.
The additional arrangements necessary for security require adapting the protected system. If not carried out correctly, they may compromise the protected system’s reliability.
Different user groups and uses. The operation of automation systems is an integral part of the whole work community, so changes must be carefully considered.
Another special information security feature of automation systems is that they were conceived as closed systems. Therefore, information technology attacks against them have not been considered probable.
Source: https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2015/03/ttn201504011647.html
Tomi Engdahl says:
EU Commish mulls new bloc-wide rule on web content takedowns
National laws? No no no, our unelected rulers need to dictate this one
http://www.theregister.co.uk/2015/04/08/eu_commish_mulls_single_blocwide_rule_on_web_content_takedowns/
The European Commission is considering creating an EU-wide complaint procedure for people whose websites are wrongly blocked by internet service providers.
Justice Commissioner Věra Jourová said in a letter that “the Commission is analysing the need for a specific initiative on notice-and-action procedures to bring legal certainty and transparency to the way online intermediaries take down content that is alleged to be illegal.”
However, those familiar with the planned Digital Single Market legislative package, due to be presented next month, say there is no specific reporting measure included as yet.
“The blocking of internet sites without prior judicial authorisation which recently started in France is a clear example of the risks that such measures represent for human rights, and particularly for freedom of expression and the right to receive and communicate information”
Tomi Engdahl says:
Privacy Commissioner of Canada Rules Bell’s Targeted Ad Program Violates the Law
http://news.slashdot.org/story/15/04/07/223241/privacy-commissioner-of-canada-rules-bells-targeted-ad-program-violates-the-law
The Commissioner’s press release soft-pedals the outcome — “Bell advertising program raises privacy concerns” — but the decision is clear: Bell’s so-called relevant ads program violates Canadian privacy law.
News Release
Bell advertising program raises privacy concerns
https://www.priv.gc.ca/media/nr-c/2015/nr-c_150407_e.asp
The “Relevant Advertising Program” involves tracking the Internet browsing habits of customers, along with their app usage, TV viewing and calling patterns. By combining this information with demographic and account data already collected from customers, Bell can create highly detailed profiles that enable third parties to deliver targeted ads to Bell’s customers for a fee. The program involves combining customer information from several Bell affiliates that offer a range of mobile, home phone, Internet and TV services.
“Bell’s ad program involves the use of vast amounts of its customers’ personal information, some of it highly sensitive,” Commissioner Therrien says.
While the company has agreed to make a number of changes to address privacy concerns raised during the investigation, it has so far refused to implement a key recommendation to obtain express consent from customers.
Tomi Engdahl says:
Heartbleed One Year Later: Has Anything Changed?
http://it.slashdot.org/story/15/04/08/040204/heartbleed-one-year-later-has-anything-changed
It was on April 7, 2014 that the CVE-2014-0160 vulnerability titled “TLS heartbeat read overrun” in OpenSSL was first publicly disclosed — but to many it’s a bug known simply as Heartbleed.
Qualys’ SSL Pulse claims that only 0.3 percent of sites are still at risk. Whatever the risk is today, the bottom line is that Heartbleed did change the security conversation — but did it change it for the better or the worse?
Heartbleed a Year Later: How the Security Conversation Changed
http://www.eweek.com/security/heartbleed-a-year-later-how-the-security-conversation-changed.html
Extraordinary branding, however, is not why Heartbleed was and still remains a non-trivial security issue. OpenSSL is a widely deployed open-source technology that is used on endpoints, mobile devices and servers. The promise of OpenSSL is that it provides the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic libraries necessary to secure data transport. The danger of Heartbleed is that the SSL/TLS could be decrypted, leaving users at risk.
Since OpenSSL is open-source, many pundits were quick to criticize the open-source model as being at the core of the Heartbleed vulnerability. In response, the open-source community, led by the Linux Foundation, rallied and launched the Core Critical Infrastructure (CCI) effort. CCI raised $5.5 million in funding from Adobe, Bloomberg, Hewlett-Packard, VMware, Rackspace, NetApp, Microsoft, Intel, IBM, Google, Fujitsu, Facebook, Dell, Amazon and Cisco in an effort to secure open-source infrastructure and development. CCI is now providing some funding to OpenSSL developers to help prevent another Heartbleed.
The OpenSSL project itself has released multiple security updates over the course of the past year.
Even with 12 months of time, there is still Heartbleed risk today. In a new report, security vendor Venafi claims that 74 percent of the Global 2000 are still at risk from Heartbleed. Venafi’s numbers, however, are not just about servers being updated with the latest OpenSSL milestone, but also about replacing SSL/TLS certificates.
“It’s akin to saying that even though you’ve had heart bypass surgery to mitigate a clot in an artery, you are still in immediate danger of having a heart attack because you haven’t stopped eating fatty and unhealthy foods,” Alperovitch said at the time.
While Venafi claims that the majority of sites it surveyed are still at risk from Heartbleed, the Qualys-sponsored SSL Pulse site currently reports that only 0.3 percent of sites are currently at risk from Heartbleed.
Tomi Engdahl says:
In past years, the job of the enterprise chief information security officer (CISO) was to establish and maintain a security perimeter around corporate data and a strategy for defending it. But today’s CISO is faced with a wide variety of new challenges that the security department has never seen before. While cloud computing, open source, distributed and outsourced software development, bring-your-own-device policies, and other initiatives create “shadow IT” environments that often take control out of the CISO’s hands, the steady barrage of high-volume, high-publicity security breaches in the headlines are putting unprecedented pressures on the CISO’s office. The reality is that today’s CISO is under more scrutiny than ever – including from the board – and yet, he/she has less control over the IT environment than ever before.
Source: https://webinar.darkreading.com/19728?keycode=DRWE02
Tomi Engdahl says:
Denial of service attacks pour through rift in Network Time Protocol
Mismatched clocks allow poison packets to prevent synching, and sink you
http://www.theregister.co.uk/2015/04/09/ntp_vulns/
Red Hat security chap Miroslav Lichvar has revealed two vulnerabilities in the Network Time Protocol (NTP) that allow attackers to get clients to execute unauthenticated packets.
Lichvar reported two since-patched holes: one (CVE-2015-1798) in which packets are accepted regardless of whether a message authentication code is included, and a denial of service condition (CVE-2015-1799).
The latter flaw affects NTP installations that use symmetric key authentication (xntp3.3wy to ntp-4.2.8p1) in which a denial of service condition is created when two peering hosts receive packets that contain mismatched originate and transmit timestamps.
“An attacker who periodically sends such packets to both hosts can prevent synchronisation,”
Punters should update to version ntp-4.2.8p2.
Tomi Engdahl says:
Cisco security software needs security patch
NTP daemon also needs some work
http://www.theregister.co.uk/2015/04/09/cisco_security_software_needs_security_patch/
Cisco’s ASA FirePOWER services and ASA CX Services are vulnerable to a denial of service (DoS) bug in the virtualisation layer.
Tomi Engdahl says:
Chrome trumps all comers in reported vulnerabilities
Beats Solaris, flattens Gentoo
http://www.theregister.co.uk/2015/03/26/chrome_trumps_all_in_reported_vulnerabilities/
More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that’s according to research that also found 2014 clocked record numbers of zero-day flaws.
The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company’s Personal Software Inspector tool residing on “millions” of customer end points, each with an average of 76 installed applications.
It said the Chocolate Factory’s web surfer had more reported vulnerabilities than Oracle Solaris, Gentoo Linux, and Microsoft Internet Explorer which rounded out the top four among the analysed core products.
(Obviously, it’s in Secunia’s interests, as a security tool maker, to talk up holes in applications; Google’s engineers would like you to know that the reported bugs are patched, or not even exploitable in the first place, and counting vulnerabilities is misleading.)
Tomi Engdahl says:
The Internet of Things Poses Cybersecurity Risk
https://info.veracode.com/whitepaper-the-internet-of-things-poses-cybersecurity-risk.html
The FTC has warned that cyberattackers could potentially hijack sensitive information recorded by the devices, and their mobile apps and cloud services…
or could even create physical safety risks for consumers.
Tomi Engdahl says:
DARPA-funded team says it can SMELL Android malware
There once was a racehorse called ‘Hoof-Hearted’
http://www.theregister.co.uk/2015/04/09/darpa_blue_team_produces_world_class_android_malware_probe/
A trio of DARPA-backed Iowa State University researchers have developed a tool to help speed up Android malware analysis.
The Security Toolbox developed by the DARPA blue team uses features including ‘smells’ which sport stronger heuristics to flag possible signs of hidden malware badness.
Benjamin Holland, Tom Deering, and Suresh Kothari produced the platform described as ‘human-in-the-loop program analysis’, to be presented at ICSE next month, that can detect malware from Android app source or Java bytecode.
The toolbox is built on the team’s Atlas general purpose code analysis tool they birthed at last year’s conference.
Tomi Engdahl says:
LG monitor software quietly kills UAC, dev says
Life’s Good for malware
http://www.theregister.co.uk/2015/04/09/lg_monitor_software_quietly_kills_uac/
German developer Christopher Bachner has alleged LG monitor software is quietly disabling User Account Control (UAC), putting Windows punters at risk of malware infection.
Introduced with Windows Vista and available on later Microsoft platforms, UAC boosts security by restricting applications to standard user privileges unless an administrator clicks OK.
In the words of Microsoft it “makes it so that even if you’re using an administrator account, changes cannot be made to your computer without you knowing about it, which can help prevent malware and spyware from being installed on or making changes to your computer”.
Bachner says that protection has been quietly binned by LG’s monitor software in a bid to make the user experience smoother.
“This is not only lazy, but also extremely dangerous, since applications that should never run with admin privileges were executed with admin privileges. For example, my browser was running each time with full admin rights,” Bachner says.
Tomi Engdahl says:
Digia to encrypt voice and data
Digia announces the launch of a new high-security communications solution aimed at public authorities and businesses. Digia Latch is a Finnish mobile communications product designed for national and European platforms, which strongly encrypts both speech and message traffic on phones, tablets and desktops.
Digia Latch is aimed at users for whom it is important to ensure communications security and privacy, and allows confidential matters to be communicated. Latch can be utilized both for internal communication and between organizations.
Latch is developed in Qt for Android, iOS and Windows Phone. The part of the system most visible to the end user is the Latch application running on the terminal, which also works on tablets and desktops.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2655:digia-salaa-puheen-ja-datan&catid=13&Itemid=101
Tomi Engdahl says:
Sam Machkovech / Ars Technica:
Presidential candidate Rand Paul promises to end warrantless searches of phone, computer records; campaign site sells $15 “NSA spy cam blocker” sticker
Rand Paul sells “NSA spy cam blocker” as presidential bid fundraiser
Bid announcement video taken off YouTube due to copyright claim over a song.
http://arstechnica.com/tech-policy/2015/04/rand-paul-sells-nsa-spy-cam-blocker-as-presidential-bid-fundraiser/
Tomi Engdahl says:
Rebecca R. Ruiz / New York Times:
FCC fines AT&T $25M for failing to protect personal information, including SSNs, of customers
F.C.C. Fines AT&T $25 Million for Privacy Breach
http://bits.blogs.nytimes.com/2015/04/08/f-c-c-fines-att-25-million-for-privacy-breach/?_r=0
The Federal Communications Commission announced on Wednesday a $25 million fine against AT&T for failing to protect the personal information, including the Social Security numbers, of its customers.
Employees at AT&T call centers were found to have stolen the names and full or partial Social Security numbers of about 300,000 of the wireless carrier’s customers in the United States. Those customer service workers at call centers in Mexico, Colombia and the Philippines sold the information to third parties.
F.C.C. officials said the parties who bought the data appeared to have been trafficking stolen cellphones they sought to activate.
“We’ve changed our policies and strengthened our operations,” AT&T said in a statement issued on Wednesday.
Tomi Engdahl says:
TTIP: Protect our privacy in EU-US trade deal or ELSE, snarl MEPs
Lawmakers rattle sabres, Commish doesn’t blink, for now
http://www.theregister.co.uk/2015/04/09/ttip_eu_parliament_rattles_eu_commissions_cage_data_protection/
MEPs have called on American and European negotiators to guarantee citizens’ right to privacy in an international trade deal.
Members of the European Parliament’s civil liberties committee said last week that an “unambiguous, horizontal, self-standing provision” in the Transatlantic Trade and Investment Partnership (TTIP) must be created to safeguard Europe’s data protection laws.
Although the ongoing negotiations on TTIP do not specifically deal with data protection, MEPs say that they “touch upon international data flows, while excluding privacy and data protection entirely.”
Ignoring data privacy has raised the ire of many in the civil liberties committee and they warned EU Commission negotiators to “keep in mind that Parliament’s consent to the final TTIP agreement could be endangered as long as the blanket mass surveillance activities are not completely abandoned and an adequate solution is found for the data privacy rights of EU citizens.”
In other words, the EU Parliament could hold the Commission to ransom.
The Commission is currently discussing a so-called data protection “umbrella agreement” with the US as well as mulling a new data retention law. If the Commish wants MEPs to approve its TTIP position it will likely have to give ground in these areas.
Tomi Engdahl says:
iOS, OS X apps sent into infinite dizzy DoS by this one weird kernel bug
Apple patches OOB boob to stop API noobs being duped
http://www.theregister.co.uk/2015/04/09/ios_os_x_apps_sent_into_infinite_dizzy_dos/
Kenton Varda has found a ‘weird’ kernel bug used in Apple gear that could result in trivial denial of service by remote attackers.
The hacker and LAN gamer bod says the Darwin kernel vulnerability (CVE-2015-1105) now patched by Cupertino for iOS and OS X is “no Shellshock” but could cause apps like Google Chrome to crash and Node.js to spin into infinite loops when OOB data is received.
“Confusing APIs are a security problem. If many users of your API get it wrong in a way that introduces a security bug, that’s a bug in your API, not their code.”
Tomi Engdahl says:
Facebook data row reaches top Euro court
http://www.bbc.com/news/technology-32036533
The future of how Europeans’ data is shared with US companies such as Facebook and Google is set to be considered by the EU’s highest court.
Lawyer and activist Max Schrems said revelations by whistleblower Edward Snowden showed agreed privacy practices were being ignored by Facebook and others.
He called for the current Safe Harbour deal, which allows the transfer of data to US firms, to be scrapped.
Facebook has not commented on the case.
At a hearing in Luxembourg on Tuesday the European Court of Justice’s (ECJ) Advocate General said he would give his final opinion on 24 June – the ECJ will make its final decision thereafter.
The result of the proceedings could have wide implications for all US firms dealing with Europeans’ data, including the likes of Twitter, Google, Microsoft and Yahoo.
It centres around the Safe Harbour agreement, in place since 2000, which allows US firms to collect data on their European users as long as certain principles around storage and security are upheld.
It means user data gathered in Europe can easily be stored legally in data centres within the US.
The ECJ is considering whether the Safe Harbour agreement is effective in the wake of the Snowden leaks.
‘Serious effects’
The ECJ’s eventual decision could have a dramatic impact on the business practices of Facebook and other US firms.
Scrapping the Safe Harbour agreement would make it much more difficult to transfer data from Europe to the US to be stored in data centres.
Tomi Engdahl says:
Bad news everyone: Cybercrime is getting even easier
And most of it is your fault for not caring enough about what you open
http://www.theregister.co.uk/2015/04/09/websense_threat_report/
The volume of malware threats is actually on the decline despite the increase in breaches, according to a study from Websense Security Labs.
Websense Security Labs logged 3.96 billion security threats in 2014, which was 5.1 per cent less than 2013. Despite this, the number of high-profile breaches increased.
Hackers have switched from spray and pray tactics to more “quiet, targeted and unique attacks” that Websense reckons are far more effective.
Websense’s 2015 Threat Report – published on Wednesday April 8 – also reports that malware authors are consistently reusing the same delivery techniques and infrastructure.
An overwhelming 99.3 per cent of malware uses a command and control infrastructure used by at least one other malware author. An only marginally smaller 98.2 per cent of malware authors used command and control hubs found in five other types of malware.
Around one in three (30 per cent) of end-users click through a malicious URL in an email even though they have been warned of the danger. “End users are increasingly desensitised from the warnings, don’t feel responsible and still lack enterprise-driven education,” according to Websense.
Hackers are gaining capabilities through the adoption of cutting-edge tools instead of technical expertise. Hackers are blending old tactics, such as macros, in unwanted emails with new evasion techniques. Old threats are being “recycled” into new threats launched through email and web channels, creating a noxious attack landscape in the process.
Redirect chains, code recycling and a host of other techniques are allowing these actors to remain anonymous, making attribution time consuming, difficult and ultimately unreliable.
Even entry-level threat actors (AKA script kiddies) can successfully create and launch attacks due to greater access to exploit kits for rent, Malware-as-a-Service and other opportunities to buy or subcontract portions of a complex multi-stage attack, Websense concludes.
Tomi Engdahl says:
The Courage of Bystanders Who Press ‘Record’
Police-worn body cameras may be necessary, but we still need citizens who are brave enough to capture video of conflict.
http://www.theatlantic.com/technology/archive/2015/04/the-courage-of-bystanders-who-press-record/389979/
A couple hundred feet away, a Canadian named Paul Pritchard was recording the incident on his phone. His video—which was confiscated by police, and which he only reclaimed through litigation—did not match the police report.
The police and Pritchard’s video were so different as to resemble alternate worlds.
The video made a difference.
Tomi Engdahl says:
ISIS: You bomb us, we’ll interrupt your TV transmissions
French broadcast signal affected, social media disturbed
http://www.theregister.co.uk/2015/04/09/isis_french_tv_channel_disturbed_hebdo/
TV5Monde was prevented from broadcasting last night, and claims to still be working on a return to its regular programming schedule, after “hackers” interrupted its transmissions for a couple of hours.
The signal jammers claimed affiliation with ISIS and took to the French broadcaster’s social media accounts to spam the world with jihadi copypasta.
They were however unable to hijack the channel’s signal and merely prevented its transmission.
Explaining their actions, the juvenile jihadis took to the network’s Facebook page
Interrupted signals are one of the more retro features of hacking culture, the most famous incident occurring in 1987 when two Chicago television stations had their broadcast signals hijacked by an unknown person wearing a Max Headroom mask.
The earliest known broadcast signal intrusion dates back to 1977.
Hijacking incidents have typically been considered culture jamming activities employed by activists to disrupt or subvert institutional media, although they have also been used for propaganda purposes in wars.
The damage caused to TV5Monde is unclear.
TV5Monde is “trying to analyse what happened: how this very powerful cyber-attack could happen when we have extremely powerful and certified firewalls”.
A statement which seems to contradict that on TV5Monde’s website which claims the penetration probably occurred via a stolen password or the installation of malware.
The intrusion occurs only a week after TV5Monde’s broadcast platform was upgraded by Ericsson.
Although no lives were lost or injuries received, the Guardian is reporting that the French culture minister has called an “urgent meeting of media groups” following the intrusion.
French media groups hold emergency meeting in wake of Isis hacking attack
http://www.theguardian.com/world/2015/apr/09/french-tv-network-tv5monde-hijacked-by-pro-isis-hackers
French culture minister calls urgent meeting after television network TV5Monde was taken over by individuals claiming to belong to Islamic State
The French culture minister has called an urgent meeting of media groups to assess their vulnerability to hacking after the television network TV5Monde was taken over by individuals claiming to belong to Islamic State, blacking out broadcasts and hacking its websites and Facebook page.
Visiting the network’s headquarters in Paris after the attack, Fleur Pellerin said she would bring together all heads of big French TV companies as well as newspaper groups and the news agency Agence France-Presse within 24 hours “to assure myself of their vulnerable points, any risks that exist and the best way to deal with it”.
For three hours on Wednesday night, between 10pm and 1am, all broadcasts were brought down in a blackout by hackers claiming allegiance to Isis. The hackers were able to seize control of the television network, simultaneously hacking 11 channels as well as its website and social media accounts.
The hackers posted documents on TV5Monde’s Facebook page purporting to be the identity cards and CVs of relatives of French soldiers involved in anti-Isis operations, along with threats against the troops.
TV5Monde had regained control of its social networks by 2am on Thursday but said television broadcasts were likely to take hours, if not days, to return to normal.
He said: “When you work in television and you hear that your 11 channels have been blacked out, it’s one of the most violent things that can happen to you. At the moment, we’re trying to analyse what happened: how this very powerful cyber-attack could happen when we have extremely powerful and certified firewalls.”
The attack appears to have been orchestrated by the Isis hacking division, which took credit for alleged attacks resulting in the leak of personal information from US military personnel in March, prompting an investigation by the Pentagon.
Tomi Engdahl says:
Pro-ISIS script kiddies deface Dublin Rape Crisis Centre site
FBI investigates related low-rent attacks on US WordPress installs
http://www.theregister.co.uk/2015/03/10/is_script_kiddies_defacement/
The FBI has begun investigating the hack of a number of websites – including the site of Dublin Rape Crisis Centre – by pro-ISIS script kiddies.
The Dublin Rape Crisis Centre in Ireland was defaced so that its home page featured the black ISIS flag and the message “Hacked by ISIS, we are everywhere.” A Flash audio plug-in planted on the page as part of the same hack played an Arabic song.
Tomi Engdahl says:
Google sticks anti-SQL injection vaccine into MySQL MariaDB fork
Encryption tables to trip up rogue data
http://www.theregister.co.uk/2015/04/09/mariadb_google_security_injection/
Google is dropping encryption into MariaDB, the fork of Oracle’s MySQL, to help shut out SQL injection attacks.
Mountain View is credited with developing and testing tablespace encryption in MariaDB Server 10.1 – the community edition of MariaDB.
The development has been branded a “major enhancement” for MariaDB security by those running the project, particularly for customers building PCI and other types of applications that need encryption at rest.
Appearing in a MariaDB community edition means Google’s crypto will be picked up by commercial and non-commercial spins of the open-source database.
The news of Google’s contribution accompanied today’s announcement of the Spring 2015 edition of MariaDB Enterprise. MariaDB Enterprise Spring 2015 has been expanded to run on Red Hat Enterprise Linux 7.1, SUSE Enterprise Linux Server 12, Ubuntu 14.04 and binaries for IBM’s POWER 8 architecture.
That means Google’s SQL-injection-blocking will be available in MariaDB on three of the industry’s most popular brands of Linux.
SQL injection is one of the most frequently used tools in the hacker’s toolbox.
Google’s code shows up in the MariaDB database firewall filter. It will debut in the upcoming community MariaDB Server 10.1 and follow in a later version of MariaDB Enterprise Server that’s based on community server.
Google, of course, is a MySQL convert to MariaDB. Last year it dumped MySQL 5.1 for MariaDB 10.
Tomi Engdahl says:
Lisa Fleisher / Wall Street Journal:
Admitting Tracking ‘Bug’, Facebook Defends European Privacy Practices
http://blogs.wsj.com/digits/2015/04/09/admitting-tracking-bug-facebook-defends-european-privacy-practices/
Facebook Inc. pushed back on Thursday against some accusations from Belgian scholars that the social network trampled over its users’ privacy rights – but admitted that the academics found a “bug” that mistakenly tracked people even while they weren’t on Facebook’s website.
The company said it has started to fix the problem, which used “cookies” – or code stored in people’s web browsers – to track people who hadn’t signed up for Facebook when they visited websites that integrated certain Facebook technology.
In response, Facebook reiterated that the company follows all applicable laws and publishes audits by their European privacy regulator, the Irish Data Protection Commissioner. Some companies such as LinkedIn choose to keep those audits private.
Tomi Engdahl says:
TV5Monde victim of ‘very powerful cyber attack’ – video
http://www.theguardian.com/world/video/2015/apr/09/tv5monde-victim-powerful-cyber-attack-video
Yves Bigot, the director-general of French TV network TV5Monde, says the company’s firewalls were breached by people with a deep knowledge of security and possible links to Islamic State. TV5Monde’s firewalls were hacked on Wednesday and pro-Isis messages were posted on the company’s social media accounts. The network says it will take time for television broadcasts to return to normal.
Tomi Engdahl says:
Gertrude Chavez-Dreyfuss / Reuters:
Bitcoin exchange Coinsetter acquires Cavirtex, the Canadian trading platform that recently shut down due to security breach
Bitcoin exchange Coinsetter acquires Canadian platform
http://www.reuters.com/article/2015/04/08/us-bitcoin-exchange-coinsetter-idUSKBN0MZ1WD20150408
(Reuters) – Coinsetter, a New York-based bitcoin exchange that targets institutional and professional traders, said on Wednesday it has acquired Canadian Virtual Exchange, a bitcoin trading platform which recently shut down due to security breaches.
According to sources, the deal was valued at $2 million, marking the first merger deal in the growing bitcoin exchange market.
Cavirtex shut down in March following a breach that compromised security information including password hashes. Lukasiewicz said the exchange would resume operation later on Wednesday.
banking relationships had become difficult to obtain for bitcoin companies and “bitcoin exchanges have become the connecting point between the traditional banking institutions and the bitcoin ecosystem.”
Coinsetter has an average daily volume of 1,200 bitcoins, or just over $290,000.
Tomi Engdahl says:
Don Clark / Wall Street Journal:
U.S. Agencies Block Technology Exports for Supercomputer in China
Moves comes as U.S. technology companies grapple with Beijing’s proposed restrictions
http://www.wsj.com/article_email/u-s-agencies-block-technology-exports-for-supercomputer-in-china-1428561987-lMyQjAxMTE1NDAwOTUwMTk4Wj
U.S. officials are blocking technology exports to facilities in China associated with the world’s fastest supercomputer, a blow to Intel Corp. and other hardware suppliers that adds to the list of tech tensions between the two countries.
Four technical centers in China associated with the massive computer known as Tianhe-2 have been placed on a U.S. government list of entities determined to be acting contrary to U.S. national security or foreign-policy interests.
Intel was denied an export license late last fall to supply more chips associated to Chinese supercomputer projects, Intel spokesman Chuck Mulloy said Tuesday.
The blockage comes at a time when U.S. technology companies are grappling with Beijing’s proposed new restrictions on their ability to do business in the vast Chinese market amid rising concerns there over cybersecurity. The companies are protesting China’s new banking-technology procurement rules as well as a proposed counterterrorism law that they say are overly invasive and involve handing over sensitive material. The Obama administration has called on Beijing to hold back on those efforts.