Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.
Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.
As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.
Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
+5 ROOTKIT OF VENGEANCE defeats forces of gaming good
Kernel-level code helps gamers to vanquish anti-cheatware
http://www.theregister.co.uk/2015/04/10/rootkit_tweaks_strike_anticheat_systems_dead/
Security boffins Joel St. John and Nicolas Guigo have developed a rootkit-like gaming cheat system they say bests anti-cheating mechanisms.
The iSec Partners hackers say the anti-cheating platforms in use by the world’s most popular games cannot stop cheating and actually increase the attack surface open to hackers.
In a presentation most recently given at BlackHat Asia last month the pair outlined “practical” attacks against external anti-cheat engines that could earn attackers big bucks.
” … not only is the current state of anti-cheat software inadequate to fully stop cheaters, but it also adds significant attack surface to the software — if a serious bug is found in this software, an attacker may be able to leverage it to get system-level access on clients or servers,” the duo say in the paper Next Level Cheating and Leveling Up Mitigations
“In the current model there is no way to fully stop cheaters and the research demonstrated here can be used to easily make any existing cheats undetectable by anti-cheat engines.
The best game companies can hope for is obfuscation to make cheating harder in what amounts as a race to launch first.
NEXT LEVEL CHEATING AND LEVELING UP MITIGATIONS
https://www.blackhat.com/docs/asia-15/materials/asia-15-StJohn-Next-Level-Cheating-And-Leveling-Up-Mitigations-wp.pdf
Tomi Engdahl says:
WiFi hotspots can put iPhones into eternal super slow-mo
‘Phantom’ hack sends your iThings into a tailspin of torpor
http://www.theregister.co.uk/2015/04/10/apple_phantom_attack_ios_fix/
A vulnerability fixed in this week’s Apple patch run can easily brick iPhones, researchers say.
The flaw (CVE-2015-1118) dubbed “Phantom” allows attackers who can trick users into changing their iDevice proxy settings to tap into multiple use-after-free vulnerabilities.
Doing so causes constant ubiquitous app crashing including the system platform. Rebooting sends affected devices into a “coma” state.
FireEye bods Zhaofeng Chen; Hui Xue; Tao Wei, and Yulong Zhang, say attackers could set up large WiFi hotspots to con users into altering their settings and destroying their phones.
“Configuring HTTP proxy to abnormal values triggers multiple use-after-free (UAF) issues in libsystem_network.dylib. This vulnerability can lead to several undesired security consequences, e.g. most of networking apps will crash immediately, including system components; the system will respond sluggishly, and it is even not able to reboot successfully.”
Tomi Engdahl says:
Cyber-crypto-criminal-cock-up. Little money and (probably) embarrassed
Ransomware coding fail foils fraudsters
http://www.theregister.co.uk/2015/04/10/ransomware_crypto_mistakes_coding_error/
A newly released crypto-ransomware strain has been broken, thus allowing victims — in over two out of three cases — to get back their data without paying.
The Scraper ransomware has a flaw, meaning that in about 70 per cent of cases files can be decrypted, according to Kaspersky Labs, with the Russian security firm publishing a free decryption utility.
Of course, it’s a lot better not to get infected in the first place but for those who do get hit the utility offers the chance to save $300.
Scraper (AKA TorLocker) first appeared in an attack against Japanese users last October. Scraper, which later appeared in an English language version, encrypts the victim’s documents and demands a ransom ($300 or greater, payable in BitCoin or UKash) to decrypt them.
More specifically, the malware encrypts the user’s office documents, video and audio files, images, archives, databases, backup copies, virtual machines encryption keys, certificates and other files on all hard and network drives. It also deletes all system recovery points. Scraper only infects Windows machines.
The user’s files are encrypted using AES-256 with a randomly generated one-time key;
“Although Scraper encrypts all files with AES-256 + RSA-2048, in 70 per cent plus cases they can be decrypted because of the errors made during the implementation of cryptography algorithms,” Kaspersky researchers Victor Alyushin and Fedor Sinitsyn explain.
The success of the notorious CryptoLocker ransomware has spawned several similar scams, such as CTB-Locker and Scarper.
A flawed ransomware encryptor
https://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/
Tomi Engdahl says:
ICANN urges US, Canada: Help us stop the ‘predatory’ monster we created … dot-sucks!
Just give the word if you think gTLD sucks, watchdogs told
http://www.theregister.co.uk/2015/04/10/icann_ftc_dot_sucks/
DNS overlord ICANN – which opened the floodgates to waves of new dot-word domains on the internet – says it needs help in killing one of those dot-words: .sucks.
In a letter [PDF] to the US Federal Trade Commission (FTC) and Canadian Office of Consumer Affairs (OCA), ICANN claims .sucks domains are being sold to trademark owners in a “predatory” manner.
Apparently, it can’t do anything about that unless laws are being broken, so ICANN wants someone official-looking to knock on doors and find out. And if the law is being violated, ICANN can use that to shutdown the dot-word.
The DNS overlord is upset that Vox Populi, which bought the rights to sell .sucks domains, is charging people $2,500 (£1,700) to defensively register domains before the trolls do. All remaining .sucks domains go on sale to everyone from May 29 this year.
It’s worth repeating that ICANN engineered the dot-word explosion by allowing anyone with enough cash to apply for and create generic top-level domains, from .book to .xyz. Vox Populi paid ICANN $185,000 to apply for .sucks, and won it in a private auction against rival registries.
“ICANN, through its registry agreement, may seek remedies against Vox Populi if the registry’s actions are determined to be illegal,”
Tomi Engdahl says:
Daniel Rivero / Fusion:
Advocacy group Privacy International creates fake companies to gain access to surveillance industry trade shows and expose the industry’s surveillance powers
Meet the privacy activists who spy on the surveillance industry
by Daniel Rivero
http://fusion.net/story/112390/unveiling-secrets-of-the-international-surveillance-trade-one-fake-company-at-a-time/
On the second floor of a narrow brick building in the London Borough of Islington, Edin Omanovic is busy creating a fake company. He is playing with the invented company’s business cards in a graphic design program, darkening the reds, bolding the blacks, and testing fonts to strike the right tone: informational, ambiguous, no bells and whistles. In a separate window, a barren website is starting to take shape. Omanovic
Once he’s infiltrated the trade show, he’ll pose as an industry insider, chatting up company representatives, swapping business cards, and picking up shiny brochures that advertise the invasive capabilities of bleeding-edge surveillance technology. Few of the features are ever marketed or revealed openly to the general public, and if the group didn’t go through the pains of going undercover, it wouldn’t know the lengths to which law enforcement and the intelligence community are going to keep tabs on their citizens.
“I don’t know when we’ll get to use this [company], but we need a lot of these to do our research,” Omanovic tells me. (He asked Fusion not to reveal the name of the company in order to not blow its cover.)
The strange tactic– hacking into an expo in order to come into close proximity with government hackers and monitors– is a regular part of operations at Privacy International, a London-based anti-surveillance advocacy group founded 25 years ago.
Tomi Engdahl says:
Washington Post:
Inside the battle over crypto backdoors as the White House prepares report for President Obama — As encryption spreads, U.S. grapples with clash between privacy, security
http://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html
Tomi Engdahl says:
Nicole Perlroth / New York Times:
SendGrid Account Breach Was Used to Attack Coinbase, a Bitcoin Exchange
http://bits.blogs.nytimes.com/2015/04/09/sendgrid-email-breach-was-used-to-attack-coinbase-a-bitcoin-exchange/?_r=0
Hackers targeted SendGrid, a mass email service used by 180,000 companies including Uber, Pinterest, Spotify and Foursquare, to infiltrate Coinbase, one of the most popular Bitcoin exchanges.
SendGrid confirmed that one of its Bitcoin-related clients was compromised on Wednesday. It would not name the customer, but Coinbase confirmed in an email on Thursday that hackers had compromised its SendGrid account, though it said no Bitcoin were stolen.
Mass email services like SendGrid, which sends 14 billion emails a month, are a powerful tool for hackers looking to send spear-phishing emails on a large scale. SendGrid sends transactional emails on behalf of trusted companies like Spotify and Pinterest, alerting customers to updates in the service and new followers. Most customers don’t even realize the emails are coming from SendGrid, making it more likely that they would take the bait and click on malicious code that grants hackers access to their accounts.
Mass email services like SendGrid, which sends 14 billion emails a month, are a powerful tool for hackers looking to send spear-phishing emails on a large scale. SendGrid sends transactional emails on behalf of trusted companies like Spotify and Pinterest, alerting customers to updates in the service and new followers. Most customers don’t even realize the emails are coming from SendGrid, making it more likely that they would take the bait and click on malicious code that grants hackers access to their accounts.
Tomi Engdahl says:
Credit card factories given new secure manufacturing rules
Reinforce that safe, make fire doors one-way, and don’t give your courier the keys
http://www.theregister.co.uk/2015/04/13/card_councils_guide_to_paranoid_data_security/
The world’s payment card producers have released the latest guidelines to help interested businesses to protect payment data.
Version 1.1 of the PCI Card Production Security Requirements (pdf) modifies and introduces features for physical and logical security advising on everything from printing PINs to guarding vaults.
The requirements, first introduced in 2013, are designed for card manufacturers but are general enough to be tweaked for the common rabble.
It unifies recommendations and requirements previously administered in silos by Mastercard, Visa, and friends.
Altered and new fields introduced by the Payment Card Industry Security Standard (PCI SSC) includes access controls, alarms, and emergency exits and fire doors.
Should enterprises wish to protect their cards to the level of say card producer Placard, admins will need to separate from the rest of the network via a demilitarised zone, check anti-virus updates daily, and run quarterly internal and external vulnerability ‘scans’.
Tomi Engdahl says:
Hacking oil and gas control systems: Understanding the cyber risk
http://www.controleng.com/single-article/hacking-oil-and-gas-control-systems-understanding-the-cyber-risk/3512b2934c407b6d5923f5a518798453.html
Cyber attacks are growing in number and intensity over the past decade. Companies in the oil and gas industry are high-profile targets and must take measures to protect themselves from hackers.
Understanding the risks
Successful hacks against financial institutions and various commercial entities have been well documented in the press for some time, and, as such, most people are well aware of them. Consequently, even the most technically savvy of us who use the Internet for banking and shopping do so with at least a little trepidation.
Conversely, most of us are only vaguely aware of hacking activity against control systems—those systems that control almost every process in manufacturing and operations today. Control systems such as these are used in the oil and gas industry to monitor and control processes associated with the processing, storage, and movement of oil and gas products. It may surprise you to learn that attacks against control systems have been plentiful in recent years—sometimes with devastating consequences. A recent report released by the German Government: Federal Office of Information Security stated that, “A German steel factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report.”
Magnetrol
The fact that hackers were able to successfully gain control of a blast furnace in a manufacturing plant may surprise some of you. I have spoken to quite a few people in the industry over the years who have explained to me that cyber security in control system environments is simply an enormous waste of time and resources. Furthermore, I am often told that cyber security is potentially damaging to control systems because it can negatively affect operational reliability.
This type of thinking rests largely on the fundamentally flawed belief that cyber security is unnecessary in a particular control system environment because the system is “standalone. In other words, the system has no outside connectivity and therefore is not susceptible to outside attack. This mode of thinking is flawed for two reasons:
1. Most control systems are connected in some way to the Internet-often indirectly through a business network.
2. Even those systems that truly have no outside network connectivity are susceptible to compromise. Stuxnet is an excellent example.
Russian security software vendor Kaspersky Lab published an in depth report that claims that Energetic Bear attacks have successfully compromised more than 2,800 victims
Symantec went on to say that Energetic Bear attacks against control systems were successful to the extent that they, “…could have caused damage or disruption to energy supplies in affected countries” and that targets included “energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial control system equipment manufacturers.”
Evidence indicates that Energetic Bear attacks were conducted using commonly known and easily executable attack methods against system vulnerabilities that were common knowledge. In many cases, the attackers used variants of the Havex Trojan—a well-known piece of malicious software. Metasploit—a free tool that requires almost no programming skill to operate was in frequent use as well.
Malicious code associated with the Energetic Bear attack campaign was distributed using several primary methodologies including spear-phishing and waterholing attacks as well as compromised SCADA software updates.
Tomi Engdahl says:
NSA: ‘Back doors are a bad idea, give us a FRONT door key’
Spooks in still-don’t-like-encryption shock
http://www.theregister.co.uk/2015/04/13/nsa_back_doors_are_a_bad_idea_give_us_a_front_door_key/
“Give me your tired, your poor, your huddled masses yearning for an iPhone, and we’ll give you an encryption master key” seems to be the dream of the National Security Agency (NSA).
The NSA’s latest thought bubble, floated in front of noted cryptography journal The Washington Post, is that a “master key” for all products running encryption should be created, split up, and distributed among several agencies.
The idea was raised in a speech by Michael Rogers, boss of the NSA, in a speech at Princeton University.
“I don’t want a back door,” Rogers reportedly said, “I want a front door. And I want the front door to have multiple locks. Big locks.” The idea seems to be that only when all the agencies holding portions of a key decide to use it together will decryption become possible.
As encryption spreads, U.S. grapples with clash between privacy, security
http://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html
For months, federal law enforcement agencies and industry have been deadlocked on a highly contentious issue: Should tech companies be obliged to guarantee government access to encrypted data on smartphones and other digital devices, and is that even possible without compromising the security of law-abiding customers?
Recently, the head of the National Security Agency provided a rare hint of what some U.S. officials think might be a technical solution. Why not, suggested Adm. Michael S. Rogers, require technology companies to create a digital key that could open any smartphone or other locked device to obtain text messages or photos, but divide the key into pieces so that no one person or agency alone could decide to use it?
Tomi Engdahl says:
Russian censor warns against meme ‘misuse’
Taking Putin’s piss could result in a take-down order
http://www.theregister.co.uk/2015/04/13/russian_censor_warns_against_meme_misuse/
Tomi Engdahl says:
Maine police departments pay ransom to computer hackers in exchange for cop records
http://www.nydailynews.com/news/national/maine-police-departments-pay-ransom-computer-hackers-article-1.2182133
Computers at the Lincoln County Sheriff’s Office and four police agencies were recently infiltrated by a type of virus called ransomware.
A group of Maine police departments were forced into paying a ransom to computer hackers to get their police records back.
Sheriff Todd Brackett told WCSH-TV that after several attempts to retrieve the records, his agency paid a ransom of about $300 to get their files back.
The FBI helped track the payment to a Swiss bank account, according to Brackett. But efforts to identify the hackers were unsuccessful.
Tomi Engdahl says:
Spanish election site in security cert warning screwup snafu
Say hola! to hopeless holey homepage hell
http://www.theregister.co.uk/2015/04/13/spanish_election_site_cert_screw_up/
Website crypto problems on the Spanish online voting registration website are causing it to generate all manner of security warnings.
However, the warnings vary depending on the operating system and browser a surfer is using.
Such website problems are sadly common, but the flaws in the Spanish voter registration website are more than normally important, since the site requests that users upload personal information, including copies of passports, ID cards and marriage certificates.
IT security consultant Paul Moore said that the site’s certificate is not self-signed, contrary to Singh’s initial conclusion. Moore does agree with Singh that the site is beset with crypto problems, however, as evidenced by the poor rating from SSL Labs. The site scores an F.
“It’s a complete mess, but it certainly highlights the dichotomy between how browsers define ‘secure’. Firefox warns you that it’s not safe, Chrome & IE literally give the green light,” Moore added.
Tomi Engdahl says:
Watch DARPA Artificial Intelligence Search For Crime On the “Dark Web”
http://yro.slashdot.org/story/15/04/12/1518238/watch-darpa-artificial-intelligence-search-for-crime-on-the-dark-web
Memex In Action: Watch DARPA Artificial Intelligence Search For Crime On The ‘Dark Web’
http://www.forbes.com/sites/thomasbrewster/2015/04/10/darpa-memex-search-going-open-source-check-it-out/
In a week’s time, the wider world will be able to tinker with components of the military research body’s in-development search tool for the dark web. The Memex technology, named after an mechanical mnemonic dreamt up just as the Second World War was coming to a close, has already been put to use by a number of law enforcement agencies, who are looking to counter crime taking place on networks like Tor, where Hidden Services are protected by the privacy-enhancing, encrypted hosting, often for good, often for bad. In its first year, the focus at Memex has been on tracking human trafficking, but the project’s scope stretches considerably wider.
the main barriers to modern search: crawlers can’t click or scroll like humans do and so often don’t collect “dynamic” content that appears upon an action by a user.
“Our approach to solving this problem is to build a system that sees the web more like a human user with a browser, and therefore actually behaves like a human user by using a browser to crawl the web, to the point of being able to scroll down a page, or even hover over an object on the page to reveal more content…. we are teaching the system how to act like a human and handle virtually any web page scenario. Eventually our system will be like an army of robot interns that can find stuff for you on the web, while you do important things like watch cat videos,”
The Memex team also wants to get a better understanding of what Hidden Services are running on Tor.
DARPA hasn’t yet divulged which components outside of SourcePin will be going open source. White said a fuller toolset will be made available to the wider public in December
Tomi Engdahl says:
Windows XP, the shortcomings in data security is also threatened by European banking machines. EAST (European ATM Security Team) According to a report XP-malware because of a certain European country ATMs succeeded last year to steal .2 million.
EAST estimates that more European country will be reported to the corresponding offense this year. This indicates that the technique is spreading among the criminals.
Multi ATM machines manufacturing company has reported that Windows XP creates a significant security risk, monetary transactions. Still, the transition from XP to newer platforms has been very slow.
Source: http://www.etn.fi/index.php?option=com_content&view=article&id=2668:windows-xp-uhkaa-pankkiautomaatteja&catid=13&Itemid=101
More:
European ATM Related Fraud Incidents fall 26%, although Skimming Losses rise
https://www.european-atm-security.eu/european-atm-related-fraud-incidents-fall-26-although-skimming-losses-rise/
Losses due to ATM related physical attacks rose 17% to €27 million (up from €23 million in 2013). The average cash loss for ram raids/ATM burglary was €25,640 per incident, up from €11,393 in 2013. While around 40% of such attacks do not result in cash loss, collateral damage to equipment and buildings can be significant.
In 2014 EAST began to collect statistics for ATM Malware after the first incidents were reported in Western Europe. These were ‘cash out’ or ‘jackpotting’ attacks. In 2014 51 such incidents were reported, with related losses of €1.23 million.
Tomi Engdahl says:
Jon Russell / TechCrunch:
FireEye identifies cyber espionage group dubbed “APT 30”, likely sponsored by Chinese state, targeting South East Asia since 2005
China Accused Of Decade Of Cyber Attacks On Governments And Corporates In Asia
http://techcrunch.com/2015/04/12/fireeye-apt-30-southeast-asia-india-report/
The Chinese government is accused of being behind a newly discovered set of cyber attacks waged against government agencies, corporate companies and journalists across India and Southeast Asia over the past ten years.
Security firm FireEye released a report today revealing a spate of corporate espionage and cyber spying offenses against targets located in India, Malaysia, Vietnam, Thailand, Nepal, Singapore, Philippines, Indonesia and beyond. The group said attacks began in 2005.
“There’s no smoking gun that shows this is a Chinese government operation, but all signs point to China” FireEye’s APAC CTO Bryce Boland told TechCrunch in an interview. “There’s huge intellectual property development in Asia — that’s the new battleground.”
Tomi Engdahl says:
Middle school student charged with cybercrime in Holiday
http://www.tampabay.com/news/publicsafety/crime/middle-school-student-charged-with-cyber-crime-in-holiday/2224827
A middle school student who said he was just trying to play a prank on a teacher he didn’t like was charged with a cybercrime Wednesday after authorities said he hacked into his school’s secure computer network.
The Pasco County Sheriff’s Office has charged Domanik Green, an eighth-grader at Paul R. Smith Middle School, with an offense against a computer system and unauthorized access, a felony. Sheriff Chris Nocco said Thursday that Green logged onto the school’s network on March 31 using an administrative-level password without permission. He then changed the background image on a teacher’s computer to one showing two men kissing.
One of the computers Green, 14, accessed also had encrypted 2014 FCAT questions stored on it, though the sheriff and Pasco County School District officials said Green did not view or tamper with those files.
But Green, interviewed at home, said students would often log into the administrative account to screen-share with their friends. They’d use the school computers’ cameras to see each other, he said.
The school district is in the process of changing the network password, district spokeswoman Linda Cobbe said.
The sheriff said Green’s case should be a warning to other students: “If information comes back to us and we get evidence (that other kids have done it), they’re going to face the same consequences,” Nocco said.
Tomi Engdahl says:
‘Chinese hackers’ rifled through SE Asian drawers for YEARS
Nefarious, gov-sponsored, secret-grabbing life begins APT 30
http://www.theregister.co.uk/2015/04/13/chinese_state_sponsored_hackers_menace_se_asia_apt_30/
Tomi Engdahl says:
Blathnaid Healy / Mashable:
People who share revenge porn in the UK can now be jailed for 2 years
http://mashable.com/2015/04/13/revenge-porn-law-uk/?utm_cid=mash-com-Tw-main-link
People who share explicit images without consent can be jailed for up to two years under new laws that came into effect in the UK on Monday.
The new law means that sharing explicit images via text, email, social networks and messaging apps without the consent of the person in the photo is now an offence. It also covers the sharing of photos offline.
The law, which is part of the Criminal Justice and Courts Act, makes revenge porn a specific offence.
The law “covers images that show the genitals but also anything that a reasonable person would consider to be sexual, so this could be a picture of someone who is engaged in sexual behaviour or posing in a sexually provocative way,”
The clause added to the Criminal Justice and Courts Act says: “It is an offence for a person to disclose a private sexual photograph or film if the disclosure is made (a) without the consent of an individual who appears in the photograph or film, and (b) with the intention of causing that individual distress.”
Tomi Engdahl says:
NIST Solicits Comments On Electronic Authentication Guideline
http://news.slashdot.org/story/15/04/12/1238212/nist-solicits-comments-on-electronic-authentication-guideline
The National Institute of Standards and Technology (NIST) is poised to make what is expected to be a major revision of Special Publication 800-63-2, Electronic Authentication Guideline.
NIST SOLICITS COMMENTS ON ITS ELECTRONIC AUTHENTICATION GUIDELINE
http://csrc.nist.gov/groups/ST/eauthentication/sp800-63-2_call-comments.html
Tomi Engdahl says:
French Intelligence Bill: 5 Web Hosting Providers Threaten To Leave the Country
http://it.slashdot.org/story/15/04/12/1343230/french-intelligence-bill-5-web-hosting-providers-threaten-to-leave-the-country
Five popular French web hosting providers, including Gandi and OVH, said on Thursday that the new French intelligence bill might push them to leave the country (French) in order not to lose their customers. The five companies are protesting against the “real-time capture of data connection” and their analysis by the intelligence services using “+black boxes+ with blurred lines”.
French surveillance legislation is off to a bad start
http://www.euractiv.com/sections/infosociety/french-surveillance-legislation-bad-start-313616
The new French Intelligence Bill has provoked concern among many of the country’s lawmakers, as well as international NGOs. According to French Human Rights Defender Jacques Toubon, the legislation contravenes the rulings of the European Court of Human Rights. EurActiv France reports.
Despite boasting the support of France’s two major political parties, the Union for a Popular Movement (UMP) and the Socialist Party (PS), the Intelligence Bill has come in for some strong criticism in France, and it is now also beginning to raise eyebrows abroad.
“The law should be sufficiently clear and precise to give individuals adequate protection against the risk of abuse from the executive in its use of surveillance techniques,” the Human Rights Defender said.
“Interference with the laws regarding private life is so serious that it should be governed by clear and detailed rules, especially as the technical procedures of surveillance are being diversified and perfected,”
Tomi Engdahl says:
China’s ‘Great Cannon’: Taking censorship across country borders
http://www.zdnet.com/article/chinas-great-cannon-taking-censorship-across-country-borders/
Summary:China’s ruling party is ramping up the censorship battle with a powerful new weapon which hijacks traffic outside of the country.
China has developed a new censorship weapon to accompany its Great Firewall in order to silence not only its citizens — but critics around the globe.
According to a report released Friday by Citizen Lab, the ‘Great Cannon’ was first used against GitHub and Greatfire.org servers, both incidents of which were high-profile DDoS attacks designed to deny access to materials criticizing China’s regime, censorship tools and copies of websites banned in the country.
This system, dubbed China’s ‘Great Cannon,’ is reportedly a “distinct attack tool” with different capabilities to the Great Firewall. Rather than acting as an extension of the wall, Citizen Labs says the tool can “hijack traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle (MITM).”
“The operational deployment of the Great Cannon represents a significant escalation in state-level information control: the normalization of widespread use of an attack tool to enforce censorship by weaponizing users. Specifically, the Cannon manipulates the traffic of “bystander” systems outside China, silently programming their browsers to create a massive DDoS attack,” the researchers say.
The idea that China’s cybercapabilities may allow it to divert traffic from surfers outside of the country for its own ends is concerning.
The Great Cannon is similar in many ways to the use of QUANTUM by the US National Security Agency (NSA) and UK’s GCHQ intelligence agency. The weapon used by these agencies, revealed in documents leaked by Edward Snowden, can deploy programs which intercept vast networks of traffic in order to redirect these streams to locations of their choosing.
Tomi Engdahl says:
How big a problem is Cloud security?
In and out of the shadows
http://www.theregister.co.uk/2015/04/13/how_big_a_problem_is_cloud_security/
we have put together a short, sharp temperature check survey on the topic of cloud security.
We know this is a major concern for many of you, especially given the difficulties of getting senior management to understand the issues.
Tomi Engdahl says:
Nearly Half of Game of Thrones Season 5 Leaks Online
http://slashdot.org/story/15/04/13/1148203/nearly-half-of-game-of-thrones-season-5-leaks-online
Paul Tassi reports at Forbes that the first four episodes of the new season of “Game of Thrones”, nearly half of the ten total episodes, have been leaked online to various torrent sites. The four episodes appeared to come from a screener sent to reviewers with the digital watermark blurred out and are in 480p video format, equivalent to standard-definition TV, not HD.
Nearly Half Of ‘Game of Thrones’ Season 5 Has Leaked Online
http://www.forbes.com/sites/insertcoin/2015/04/12/nearly-half-of-game-of-thrones-season-five-has-leaked-online/
Bad news today for HBO, which is attempting to marry the recent debut of their HBO Now streaming service with season 5 of Game of Thrones. As of last night, the first four episodes of the new season, nearly half of the ten total episodes, have been leaked online to various torrent sites.
After appearing online yesterday afternoon, the episodes have already been downloaded almost 800,000 times, and that figure will likely blow past a million downloads by the season 5 premiere tonight.
Game of Thrones has consistently set records for piracy, which has almost been a point of pride for HBO.
Tomi Engdahl says:
Fraudsters target Nazi Android malware at Russian bank customers
Accomplices cuffed in fascist mobile zombie menace swoop
http://www.theregister.co.uk/2015/04/13/android_malware_fascist_imagery_russia/
Alleged members of a gang of “cyber-fascist” Android malware-slingers have been arrested in Russia.
The alleged perps behind the scam targeted customers of Russian bank Sberbank with software they called “Fifth Reich”, which used Nazi symbols in the management system. Fraudsters targeted malware attacks at Android-operated mobile devices belonging to customers of Russian banks.1.
“They used a Trojan that was requesting account balances of the credit card tied to the mobile device, hiding incoming SMS-notifications and making payments to the accounts of fraudsters,” according to Group-IB, the Russian computer forensics firm that assisted in the investigation
Tomi Engdahl says:
Researchers Developing An Algorithm That Can Detect Internet Trolls
http://tech.slashdot.org/story/15/04/13/1214222/researchers-developing-an-algorithm-that-can-detect-internet-trolls
Researchers at Cornell University claim to be able to identify a forum or comment-thread troll within the first ten posts after the user joins with more than 80% accuracy, leading the way to the possibility of methods to automatically ban persistently anti-social posters
It also observes that higher rates of community intolerance are likely to foster the anti-social behavior and speed the ban.
Scientists develop algorithm that can auto-ban internet trolls
http://thestack.com/cornell-justin-cheng-troll-behavior-130415
“[communities] may play a part in incubating antisocial behavior. In fact, users who are excessively censored early in their lives are more likely to exhibit antisocial behavior later on. Furthermore, while communities appear initially forgiving (and are relatively slow to ban these antisocial users), they become less tolerant of such users the longer they remain in a community. This results in an increased rate at which their posts are deleted, even after controlling for post quality,”
Tomi Engdahl says:
Hacked French TV Station Admits New ‘Blunder’ Over Password
http://www.securityweek.com/hacked-french-tv-station-admits-new-blunder-over-password
French TV5Monde television channel, which suffered a major hack by self-proclaimed Islamic State militants this week, on Friday admitted an Internet security ‘blunder’ Thursday during a program discussing the cyber-attack.
The gaffe came during a report by fellow TV channel France 2 on the attack on TV5Monde, which authorities say was likely a “terrorist act”.
A TV5 Monde journalist being questioned was in front of a window where several sheets of paper were hanging. On one of them could be seen a password for the TV5Monde YouTube account.
“We don’t hide the fact that this is a blunder,”
Tomi Engdahl says:
Hackers Attack Belgian Press Group, Second in Days
http://www.securityweek.com/hackers-attack-belgian-press-group-second-days
Brussels – Hackers attacked one of Belgium’s top newspaper publishers on Sunday just days after Tunisian Islamist militants took control of a regional government portal to denounce US counter-terror operations.
There was no immediate indication the incidents were linked to each other or to a massive cyberattack against French station TV5Monde on Wednesday which Paris said was likely a “terrorist act.”
Didier Hamann, head of the Le Soir newspaper, said the daily had been “the victim of an attack.”
“Nothing concrete to link it with TV5 or RW,”
The TV5Monde hackers for their part said French President Francois Hollande had committed “an unforgivable mistake” by joining the US-led air campaign against the extremist Islamic State group in Syria and Iraq, which had led to the January killings in Paris.
Belgium is also part of the US-led operation and in February said it would send around 35 soldiers to Iraq to help train its army in the fight against IS.
Tomi Engdahl says:
Cisco, Level 3 Disrupt SSH Brute Force Attacks Used to Deliver DDoS Bot
http://www.securityweek.com/cisco-level-3-disrupt-ssh-brute-force-attacks-used-deliver-ddos-bot
Cisco’s Talos research group and Level 3 Communications have joined forces in an effort to disrupt the activities of a malicious actor that has been using Secure Shell (SSH) brute force attacks to distribute a sophisticated Linux DDoS bot.
The activities of this group, dubbed “SSHPsychos,” were first documented by the MalwareMustDie research group last year. In February, FireEye also published a report on the threat actor’s operations.
The attackers use a list of more than 300,000 unique passwords in an effort to guess root passwords. Cisco noticed in the first quarter of 2015 that the number of SSH authentication attempts from the netblock used by the group was larger than the number of attempts from all other hosts combined. In fact, at times, the attackers’ activities accounted for more than a third of the total Internet SSH traffic, Cisco said.
Once the SSH login is successful, the malicious actor, which is believed to have Chinese roots, downloads the XOR.DDoS malware onto the victim’s system.
Tomi Engdahl says:
Black Duck Solution Tackles Open Source Vulnerabilities
http://www.securityweek.com/black-duck-solution-tackles-open-source-vulnerabilities
Open source software management firm Black Duck Software has launched a new solution that helps security and development teams find and remediate security vulnerabilities in open source software.
Dubbed “Black Duck Hub”, the solution helps customers identify open source used within their code, identify known security vulnerabilities, and triage, schedule, and track remediation, the company said.
“With more than 4,000 new open source vulnerabilities reported each year, understanding what open source is used within an organization is critical,” Black Duck said in a statement. “Thousands of unknown open source vulnerabilities go unnoticed within a typical enterprise.”
Tomi Engdahl says:
Zero-day Threats Call for Integrated Security and a Few Good Combat Metaphors
http://www.securityweek.com/zero-day-threats-call-integrated-security-and-few-good-combat-metaphors
Spring has arrived, so a baseball metaphor like “cover your bases” might be in order, but cybercriminals aren’t playing games. They’re attacking organizations with everything they’ve got. With that in mind, when recommending ways to detect and block zero-day attacks, the language of cyber-warfare seems more appropriate.
1. Guard the perimeter as if your life depended on it
2. “Know the enemy and know yourself…”
3. Build a security apparatus based on pre-emptive self-defense
Tomi Engdahl says:
Midsized Companies, Supersized Network Security Needs
http://www.securityweek.com/midsized-companies-supersized-network-security-needs
Small and midsized businesses (SMBs) are the engine of the recovering economy. According to recent U.S. government numbers, just over 60 percent of the U.S. private sector workforce is now employed by companies with fewer than 1,000 employees. Not only are SMBs significant employers, they are also among the earliest adopters of new technologies.
In general, these companies conduct much of their business over the Internet and are quick to embrace new apps, online payment systems, cloud, and BYOD technologies. Fast adoption of innovations helps SMBs to compete against larger organizations. But their leading role in the economic recovery will be in jeopardy if they cannot enhance their cyber threat defense. Small and midsized companies are at growing risk of being exploited by expert, organized, global adversaries for financial gain.
Adversaries are not just targeting prized assets like customer and employee data, intellectual property, and corporate secrets. Cybercriminals also recognize that smaller companies are a vector into the networks of larger corporations.
SMB technologists understand that cyber risk is here to stay. They do not have the resources to deploy an army of remediation consultants after a breach, and they have many competing, diverse demands on their attention, but they are always seeking cost-effective ways to reduce risk. Traditionally, they’ve relied on either unified threat management solutions, which too often represent a compromise, or multiple point solutions (stateful firewalling, application control, intrusion prevention, and advanced malware mitigation) that impose inordinate complexity and management challenges.
Reducing cyber risk is no longer just a security issue – it is a boardroom issue. Midsized organizations have the same significant threat protection needs as larger organizations.
Tomi Engdahl says:
Don’t Be Fodder for China’s ‘Great Cannon’
http://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/
China has been actively diverting unencrypted Web traffic destined for its top online search service — Baidu.com — so that some visitors from outside of the country were unwittingly enlisted in a novel and unsettling series of denial-of-service attacks aimed at sidelining sites that distribute anti-censorship tools, according to research released this week.
“Their willingness to be so public mystifies me,”
Earlier this month, Github — an open-source code repository — and greatfire.org, which distributes software to help Chinese citizens evade censorship restrictions enacted by the so-called “Great Firewall of China,” found themselves on the receiving end of a massive and constantly-changing attack apparently designed to prevent people from being able to access the sites.
This attack method, which the researchers have dubbed the “Great Cannon,” works by intercepting non-Chinese traffic to Baidu Web properties, Weaver explained.
“It only intercepts traffic to a certain set of Internet addresses, and then only looks for specific script requests. About 98 percent of the time it sends the Web request straight on to Baidu, but about two percent of the time it says, ‘Okay, I’m going to drop the request going to Baidu,’ and instead it directly provides the malicious reply, replying with a bit of Javascript which causes the user’s browser to participate in a DOS attack, Weaver said.
The researchers said they tracked the attack for several days after Github apparently figured out how to filter the malicious traffic, which relied on malicious Javascript files that were served to visitors outside of China that were browsing various Baidu properties.
Chillingly, the report concludes that Chinese censors could just have easily served malicious code to exploit known Web browser vulnerabilities.
Tomi Engdahl says:
FBI Warns of Fake Govt Sites, ISIS Defacements
http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/
The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.
According to the FBI, ISIS sympathizers are targeting WordPress Web sites and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international sites. The agency said the attackers are mainly exploiting known flaws in WordPress plug-ins for which security updates are already available.
Tomi Engdahl says:
‘Revolution’ Crimeware & EMV Replay Attacks
http://krebsonsecurity.com/2015/04/revolution-crimeware-emv-replay-attacks/
In October 2014, KrebsOnSecurity examined a novel “replay” attack that sought to exploit implementation weaknesses at U.S. financial institutions that were in the process of transitioning to more secure chip-based credit and debit cards. Today’s post looks at one service offered in the cybercrime underground to help thieves perpetrate this type of fraud.
Several U.S. financial institutions last year reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the October 2014 breach at Home Depot.
The affected banks were puzzled by the attacks because the fraudulent transactions were all submitted through Visa and MasterCard‘s networks as chip-enabled transactions, even though the banks that issued the cards in question hadn’t yet begun sending customers chip-enabled cards.
Fraud experts said the most likely explanation for the activity was that crooks were pushing regular magnetic stripe transactions through the card network as chip card purchases using a technique known as a “replay” attack.
Seller in underground forum describes his “Revolution” software to conduct EMV card fraud against banks that haven’t implemented EMV fully.
Tomi Engdahl says:
Software Testing Needs More Automation
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326326&
As software and hackers get more sophisticated, QA testing will gain importance. That will require more software QA engineers and more test automation. Software QA budgets are on the rise.
Tomi Engdahl says:
Want to See Domestic Spying’s Future? Follow the Drug War
http://www.wired.com/2015/04/want-see-domestic-spyings-future-follow-drug-war/
The NSA isn’t the only three-letter agency that’s been quietly collecting Americans’ data on a mind-boggling scale. The country learned this week that the Drug Enforcement Agency spied on all of us first, and with even fewer privacy protections by some measures. But if anyone is surprised that the DEA’s mass surveillance programs have been just as aggressive as the NSA’s, they shouldn’t be. The early targets that signal shifts in America’s domestic surveillance techniques aren’t activists and political dissidents, as some privacy advocates argue—or terrorists, as national security hawks would claim. They’re drug dealers.
The DEA’s newly revealed bulk collection of billions of American phone records on calls to 116 countries preceded the NSA’s similar program by years and may have even helped to inspire it, as reported in USA Today’s story Wednesday. And the program serves as a reminder that most of the legal battles between government surveillance efforts and the Fourth Amendment’s privacy protections over the last decades have played out first on the front lines of America’s War on Drugs. Every surveillance test case in recent history, from beepers to cell phones to GPS tracking to drones—and now the feds’ attempts to puncture the bubble of cryptographic anonymity around Dark Web sites like the Silk Road—began with a narcotics investigation.
“If you asked me last week who was doing this [kind of mass surveillance] other than the NSA, the DEA would be my first guess,” says Chris Soghoian, the lead technologist with the American Civil Liberties Union. “The War on Drugs and the surveillance state are joined at the hip.”
Tomi Engdahl says:
Dennis Fisher / Threatpost:
Vulnerability in all supported versions of Windows allows hijacking of user credentials if network is compromised, disclosed by researchers at Cylance
New SMB Flaw Affects All Versions of Windows
https://threatpost.com/new-smb-flaw-affects-all-versions-of-windows/112134
There is a serious vulnerability in all supported versions of Windows that can allow an attacker who has control of some portion of a victim’s network traffic to steal users’ credentials for valuable services. The bug is related to the way that Windows and other software handles some HTTP requests, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.
The vulnerability, disclosed Monday by researchers at Cylance, is an extension of research done by Aaron Spangler nearly 20 years ago, and it’s known as Redirect to SMB. This weakness can enable an attacker to force victims to try to authenticate to an attacker-controlled server.
“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” a blog post by Brian Wallace from Cylance says.
“Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption,” the CERT advisory says.
“This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks. While tools like KARMA, Metasploit, and Responder.py depend on the user to make a SMB connection back to the attacker, the Cylance research improves on the attack by abusing how HTTP redirects are handled by callers of the URLMon API,” said HD Moore, chief research officer at Rapid 7.
“I would expect this vulnerability to be used as part of a two-stage phishing attack:” – See more at: https://threatpost.com/new-smb-flaw-affects-all-versions-of-windows/112134#sthash.ZfzQKwUy.dpuf
Tomi Engdahl says:
Windows Remains Vulnerable To Serious 18-Year-Old SMB Security Flaw
http://it.slashdot.org/story/15/04/13/1956229/windows-remains-vulnerable-to-serious-18-year-old-smb-security-flaw
A serious security hole leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine. Researchers at Cylance say the problem affects “any Windows PC, tablet or server” (including Windows 10) and is a slight progression of the Redirect to SMB attack discovered by Aaron Spangler way back in 1997.”
Tomi Engdahl says:
Phishing catches victims ‘in minutes’
http://www.bbc.com/news/technology-32285433
It takes 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign, a report suggests.
Compiled by Verizon, the report looks at analyses of almost 80,000 security incidents that hit thousands of companies in 2014.
It found that, in many companies, about 25% of those who received a phishing email were likely to open it.
“Training your employees is a critical element of combating this threat,” said Bob Rudis, lead author on the report.
Tricking people into opening a booby-trapped message let attackers grab login credentials that could be used to trespass on a network and steal data, the report said.
“They do not have to use complex software exploits, because often they can get hold of legitimate credentials,” Mr Rudis said.
Although attackers racked up victims quickly, it took companies far longer to notice they had been compromised, Mr Rudis said.
Tomi Engdahl says:
Backdoor bot brains snatched after cops, white hats raid servers
Password-stealing, malware-spreading Simda nasty found on 770,000 PCs
http://www.theregister.co.uk/2015/04/13/simda_botnet_takedown/
Microsoft and Interpol have teamed up to derail a malware infection that compromised more than 770,000 Windows PCs worldwide.
Simda is a “pay-per-install” software nasty: fraudsters pay miscreants some sum of money for every 1,000 or so machines they compromise. The hackers effectively earn cash by selling access to the infected computers, renting out the botnet real-estate to other crooks.
The Simda malware, once installed and has set itself up to run after every system startup, kills off antivirus software, logs keystrokes made by the user so it can steal passwords and other sensitive information, downloads and executes banking Trojans and other malicious programs, upload copies of the user’s files, and so on.
It opens a backdoor to a command-and-control server, so it can receive orders from the brains behind the malware, and send back any stolen data.
Tomi Engdahl says:
Kaspersky releases decryption tool that unlocks ransomware
http://www.engadget.com/2015/04/14/kaspersky-releases-decryption-tool-that-unlocks-ransomware/?ncid=rss_truncated
You never should have clicked on the email attachment from that Nairobian prince. Now ransomware’s got you locked out of your own computer and is demanding money before you can use it again. But before you reach for you wallet, take a look at this decryption key generator that Kaspersky has built. The Netherland’s National High Tech Crime Unit (NHTCU) recently got its hands on a CoinVault command-and-control server (a type of ransomware that has been infecting Windows systems since last November) and, upon examining it, discovered a large database of decryption keys. The NHTCU shared this information with Kaspersky which used it to build the Noransomware decryption tool.
ransomware decryptor
https://noransom.kaspersky.com/
Tomi Engdahl says:
Hacker strikes more often – up to 70% of the companies granted
Up to 70 per cent of companies had a data break-in last year, says Cyberthreat Defense Report survey.
Responded to the survey of more than 800 security experts from North America and Europe, operating company.
More than half of respondents believe that their business will have a successful launch cyber-attacks in this year. Last year, thus believed that only 39 per cent.
The single biggest security risk according to the respondents are employees of companies – especially those with extensive rights.
“Firms are subject to hacking, denial of service attacks, and intelligent network attacks have increased. It is worrying that at the same time, organizations, security experts believe less and less of the organization’s own ability to fight launch cyber-attacks. Experts named the most important Vulnerability workers lack of awareness of cyber security, that is the biggest challenge for companies is found inside. Users can not identify all of the risks and the ways in which information can now steal, ”
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-13/Tietomurtaja-iskee-yh%C3%A4-useammin—jopa-70–yrityksist%C3%A4-my%C3%B6nt%C3%A4%C3%A4-3218721.html
Tomi Engdahl says:
This open-source personal crypto-key vault wants two things: To make the web safer … and your donations
Cryptech in need of funds
http://www.theregister.co.uk/2015/04/14/cryptech_donations/
An open-source hardware project aimed at making the internet “a little bit safer” needs an influx of cash to continue its work.
The Cryptech effort was created following revelations from NSA whistleblower Edward Snowden that the US government and its pals are exploiting standards and weak crypto algorithms to gain access to citizens’ private correspondence and documents.
In response, a group of engineers decided there needed to be an open-source hardware engine that could provide strong and reliable encryption and decryption for email, plus public-private key cryptography for all sorts of things from digitally signing messages and files to DNSSEC.
“The algorithmic issues are in the domain of the heavy math cryptography folk. But we must also deal with the implementation issues. We therefore are embarking on development of an open-source hardware cryptographic engine that meets the needs of high-assurance internet infrastructure systems that use cryptography.
“The open-source hardware cryptographic engine must be of general use to the broad internet community, covering needs such as secure email, web, DNS, PKIs, etc.”
Cryptech’s goal is to develop an inexpensive ARM-powered Hardware Security Module (HSM) that can store cryptokeys and act as a signing engine to establish the authenticity of digital content.
The Cryptech prototype uses a Novena single-board computer with an ARM Cortex-A9 system-on-chip (SoC) and an Xilinx field-programmable gate array (FPGA). The team has implemented SHA-512, SHA-256, AES and other algorithms in the programmable array, and a true random number generator fed with noise from onboard electronics – this is essential for providing strong cryptography.
So far, big names including Google and Comcast (yes, Comcast, apparently) have contributed the maximum of $100,000
More info: http://wiki.cryptech.is/
Tomi Engdahl says:
Spy Boss on NSA surveillance: “There is nothing, compared to Google”
In cyber war the big players are reaching nuclear war-like deterrent effect, estimates the former US intelligence boss Dennis Blair.
“All countries will suffer if the two countries would take cyber hits against civilians, and that is why the world’s leaders in China and Russia are not willing to release that kind of power,” Blair believes.
China confirmed earlier that the country has its own kybersodankäynnin department.
The former spy boss Blair to defend the US National Security Agency NSA to mass control. Blair, the NSA’s surveillance remains, such as Google’s and completely outside the control of the data in the shadow.
Blair, the collection of data management has already been lost. Now you should be concerned about where the information is used.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-14/Vakoilupomo-NSA-valvonnasta-%E2%80%9DEi-mit%C3%A4%C3%A4n-verrattuna-Googleen%E2%80%9D-3219713.html
Tomi Engdahl says:
Why you should be spending more on security
http://www.cio.com/article/2904364/security0/why-you-should-be-spending-more-on-security.html
As the cost and likelihood of security breaches increases, CIOs need to boost security measures — and spending — to mitigate the risk to your business.
Many CIOs endanger their companies simply by not spending enough on security.
That may seem odd to posit, given that a recent Pricewaterhouse Coopers survey found that businesses now spend a higher percentage of their IT budgets on security than ever before. According to the survey, large organizations spend an average of 11 percent of their IT budgets on security while small businesses spend nearly 15 percent.
But if you consider the proportion of the overall IT budget that businesses allocate to security, you’ll find a red herring. That’s because the purpose of spending money on IT security — aside from ticking regulatory compliance boxes — is to reduce the risk of a security breach to an acceptable level. The amount of spending required to achieve this is not connected to overall IT spending in any way.
How to assess risk
In the most basic terms, security risk is the product of the cost or financial impact of a security breach and the likelihood that a breach occurs. In other words, Risk = Cost x Likelihood.
It was using this equation that led Sony’s senior vice president of information security, Jason Spaltro, to point out back in 2007 that “it’s a valid business decision to accept the risk” of a security breach, adding, “I will not invest $10 million to avoid a possible $1 million loss.”
Sony may have made some spectacular miscalculations in terms of cost and likelihood, but Spaltro’s economic argument for allocating resources to security is sound: There is no point in making any investment — in security or anything else — if the greatest possible return is less than the amount invested.
Sony bases its estimates on events from the past; but in recent months, it’s become evident that the security landscape has fundamentally changed.
In the past, most security breaches were carried out by criminal hackers with limited resources, motivated by financial gain.
The Sony attack was likely carried out by foreign-government-sponsored hackers or perhaps even military personnel,
These types of attackers are highly skilled and have enough resources to breach any security defense they want to. And because it seems that they are motivated beyond money—such as the desire to cause financial or reputation damage, for example—there is no strong incentive for them to move on to the next target unless the defenses they encounter are high.
“Criminals are opportunistic. They just want to make money. But government-sponsored hackers will just keep trying and won’t give up,” Lewish says. “The Sony hackers were vindictive. This was not done for money—it was politically motivated, and there was no effort made to sell the data they stole.”
If hackers can breach any company regardless of its current defenses and they’re interested in getting their hands on everything—not just data they can sell—then the likelihood of a breach has gone up.
But it gets worse. The Sony hack has also taught us that the potential cost of a breach has risen. That’s because government-backed hackers aren’t looking to steal structured data, such as credit card information or social security numbers. The cost of losing this type of information is well known, and averages $201 per compromised record, according to the Ponemon Institute’s 2014 Cost of Data Breach study.
“If you look at liability and the cost of lawsuits, this always turns out to be the most expensive part of a breach,” Lewis says.
Because Risk = Cost x Likelihood, and since both the likelihood and cost terms have gone up, risk has increased on both fronts.
“I think that most organizations should be spending more on security, but obviously the concern is that even if there is a 5 percent increase in the security budget, it doesn’t mean it will be spent wisely,”
If government-sponsored hackers can break in to any company’s IT infrastructure, then increasing spending on perimeter defenses may not be the right route. A more promising approach might be to invest in more effective intrusion detection systems to prevent hackers from exfiltrating data after they have broken in, according to Anton Chuvakin, research director at Gartner.
The good news is that there is new security technology on the horizon
Tomi Engdahl says:
HP Support Framework Bug Allows Arbitrary File Downloads, Data Harvesting
http://www.securityweek.com/hp-support-framework-bug-allows-arbitrary-file-downloads-data-harvesting
HP has patched a vulnerability in the HP Support Solution Framework that can be exploited by a remote attacker to deliver arbitrary files and steal information from users’ systems.
The flaw, which can be exploited with minimal user interaction, was uncovered last month by security researcher Tom Forbes, who noticed that the authentication mechanism used by the HP product detection software can be easily bypassed, allowing a malicious actor to carry out various actions.
HP’s support website allows users to identify their products and find the appropriate drivers and updates via the HP Support Solution Framework. This piece of software is capable of collecting system information, reading files and registry keys, obtaining information on installed devices and drivers, and initiating file downloads via the HP Download and Install Assistant.
The problem, according to Forbes, is that the software authenticates valid requests only by checking if they originate from a hostname ending in “hp.com.” The expert has noted that an attacker could simply register a domain such as “nothp.com” and his malicious requests would be accepted.
Tomi Engdahl says:
Avoiding Tree Rings: Why a Security Organization Must Never Stop Growing
http://www.securityweek.com/avoiding-tree-rings-why-security-organization-must-never-stop-growing
Over the course of my career, I’ve built or enhanced a number of different security operations programs. During that time, I’ve noticed that most (though not all) programs tend to follow an evolution that involves four main stages: conception, implementation, operation, and stagnation. Granted, this last stage does not sound particularly flattering
Tomi Engdahl says:
It’s 2015 and a RICH TEXT FILE or a HTTP request can own your Windows machine
Patch now before someone writes exploits for these bugs
http://www.theregister.co.uk/2015/04/15/april_patch_tuesday/
Microsoft has delivered its latest monthly batch of security updates to address flaws in Windows, Office and Internet Explorer.
Redmond’s latest Patch Tuesday payload includes 11 bulletins, four of which are rated critical as they allow attackers to execute malicious code on victims’ computers from across the internet.
Tomi Engdahl says:
Arielle Duhaime-Ross / The Verge:
29 million US health records exposed by data breaches between 2010 and 2013
Most of the information was stored electronically
http://www.theverge.com/2015/4/14/8411041/electronic-health-record-hacking-united-states
Approximately 29 million health records were affected by data breaches between 2010 and 2013 in the US — 67 percent of which were stored electronically, according to a study published in the Journal of the American Medical Association today. These data breaches involved unencrypted information that could be identified and tied back to individuals. And what’s worse is that the study indicates that these data breaches are on the rise.
“The personal health information of patients in the United States is not safe,” write Commonwealth Fund physician David Blumenthal and health care lawyer Deven McGraw, in an editorial published alongside the study today. “And it needs to be.”
Overall, 58 percent of the data breaches occurred via theft. The other 42 percent had to do with loss or improper disposal of data, unauthorized access or disclosure of health information, and hacking or information technology incidents. In 67 percent of cases, data breaches involved health information stored electronically. And most of the time, these breaches were connected to laptop computers and portable electronic devices, like cell phones and tablets.
Tomi Engdahl says:
Verizon, NetFlix, KFC ad-men pay traffic cons $500k a month
Real time fleecing of instant ad buys is a thing, says researcher
http://www.theregister.co.uk/2015/04/15/verizon_netflix_kfc_admen_pay_traffic_cons_500k_a_month/
Gergő Varga reckons Verizon, Fedex, and Smirnoff are being robbed half a million dollars a month by advertising scammers.
The risk boffin and founder of advertising security firm outfit Enbrite.ly says the telco, transport and tipple trio which also includes Netflix and KFC are paying for fraudulent ad clicks.
“A relatively simple fraud scheme within the video RTB (real time bidding) ecosystem is costing advertisers such as Verizon, Netflix, Fedex, KFC and Smirnoff among others up to US$500,000 a month,” Varga says.
“While they may believe that their ads are reaching premium inventory, in fact they are appearing on file sharing, piracy and pornographic websites through this arbitrage scheme.
“So basically what we have here is a very lucrative form of impression fraud and traffic laundering.”
Real time bidding systems flog ads per impression in the milliseconds before web pages load. It is chimes AcuityAds a “revolutionary force” for online ad-men thanks to its “targeting and cost efficiency opportunities”.
But unscrupulous fraudsters are plundering these opportunities by serving ads on piracy and porn sites.