Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash (Shellshock), and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They can come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more widely used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have encountered IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the very details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for it to happen are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year, advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats that these new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
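The standard formats mentioned above only pay off once a control consumes them automatically. As an added example (not code from the original post), the following Python script reads a constructed STIX 2.1 indicator bundle of the kind a TAXII server would deliver, pulls the simple equality comparisons out of each indicator's pattern, and applies them to constructed proxy and firewall log lines; the bundle contents, indicator ids and log lines are all made up for this illustration, and only the `[type:value = '...']` subset of the STIX pattern language is handled.

```python
"""Apply a STIX 2.1 indicator bundle to local log lines (constructed example)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle in the shape a TAXII collection returns.
# Indicator ids, names and observable values are made up for this example.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2015-01-05T10:00:00.000Z",
            "modified": "2015-01-05T10:00:00.000Z",
            "name": "Known C2 domain (constructed)",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'c2.example.invalid']",
            "valid_from": "2015-01-05T10:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2015-01-05T10:00:00.000Z",
            "modified": "2015-01-05T10:00:00.000Z",
            "name": "Known scanner sources (constructed)",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '198.51.100.77' OR ipv4-addr:value = '203.0.113.9']",
            "valid_from": "2015-01-05T10:00:00Z",
        },
    ],
})

# Only simple "type:value = 'literal'" comparisons are extracted; the full STIX
# pattern grammar (AND, temporal qualifiers, other object types) is out of scope.
_COMPARISON = re.compile(r"(domain-name|ipv4-addr):value\s*=\s*'([^']+)'")
_DOMAIN_IN_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_iocs(bundle_json: str) -> Dict[str, Dict[str, str]]:
    """Map observable type -> {value: indicator id} for every STIX indicator."""
    bundle = json.loads(bundle_json)
    iocs: Dict[str, Dict[str, str]] = {"domain-name": {}, "ipv4-addr": {}}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for obs_type, value in _COMPARISON.findall(obj["pattern"]):
            iocs[obs_type][value] = obj["id"]
    return iocs


def scan_logs(iocs: Dict[str, Dict[str, str]], lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, ioc type, value, indicator id) for every match."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for host in _DOMAIN_IN_URL.findall(line):
            if host in iocs["domain-name"]:
                hits.append((number, "domain-name", host, iocs["domain-name"][host]))
        for address in _IPV4.findall(line):
            if address in iocs["ipv4-addr"]:
                hits.append((number, "ipv4-addr", address, iocs["ipv4-addr"][address]))
    return hits


# Constructed proxy and firewall log lines; private and documentation ranges only.
SAMPLE_LOGS = [
    "2015-01-06T08:12:03Z proxy 10.0.0.5 GET http://c2.example.invalid/beacon 200",
    "2015-01-06T08:12:09Z proxy 10.0.0.6 GET http://www.example.com/ 200",
    "2015-01-06T08:13:00Z fw DROP src=198.51.100.77 dst=10.0.0.5 dport=23",
    "2015-01-06T08:13:01Z fw ACCEPT src=192.0.2.10 dst=10.0.0.5 dport=443",
]

if __name__ == "__main__":
    for hit in scan_logs(extract_iocs(STIX_BUNDLE), SAMPLE_LOGS):
        print("line %d: %s %s matches %s" % hit)
```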

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, and about 50% of web traffic is now carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
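One client-side check for the HTTPS interception described above, written as an added example rather than anything from the original post: an intercepting proxy whose own CA is installed in the client's trust store passes normal certificate validation, so the detectable sign is that the certificate's issuer is not a CA the site is known to use. The certificate dicts and CA names below are constructed; `fetch_peer_cert` is the only part that touches the network and is not needed for the offline check.

```python
"""Spot TLS interception by comparing the presented issuer with known issuers."""
import socket
import ssl
from typing import Iterable, Optional


def issuer_common_name(cert: dict) -> Optional[str]:
    """Return the issuer CN from a dict in the shape ssl.SSLSocket.getpeercert() returns.

    getpeercert() encodes 'issuer' as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs, so two nested loops are needed.
    """
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def classify_issuer(cert: dict, expected_issuers: Iterable[str]) -> str:
    """'expected' when the issuer CN is one the site is known to use.

    'unexpected-issuer' is the interception signal: validation succeeded, but
    the chain was signed by a CA the site does not use (typically a corporate
    proxy CA pushed to the endpoint's trust store). 'no-issuer' means the dict
    carried no issuer at all, which getpeercert() does when validation was off.
    """
    common_name = issuer_common_name(cert)
    if common_name is None:
        return "no-issuer"
    return "expected" if common_name in set(expected_issuers) else "unexpected-issuer"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup for real use; returns the validated peer certificate dict."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate dicts in getpeercert() shape; the CA names are invented.
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA Intermediate G1"),),
    ),
}
PROXY_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Corp IT"),),
        (("commonName", "Corp Web Proxy CA"),),
    ),
}
# Issuer CNs the site is known to use (would come from a pin list or the
# site's CAA/CT records in practice; invented here).
EXPECTED_ISSUERS = ["Example Public CA Intermediate G1"]

if __name__ == "__main__":
    for label, cert in (("direct", PUBLIC_CA_CERT), ("via proxy", PROXY_CERT)):
        print(label, classify_issuer(cert, EXPECTED_ISSUERS))
```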


3,110 Comments

  1. Tomi Engdahl says:

    NOVA Next:
    Snowden: NSA should re-prioritize cyber warfare goals and focus more on defensive measures given US’s dependence on high-tech

    Exclusive: Edward Snowden on Cyber Warfare
    http://www.pbs.org/wgbh/nova/next/military/snowden-transcript/

    Cyber warfare used to be the stuff of sci-fi movies and military exercises. But with the advent of the Stuxnet worm, the Sony Pictures hacking—which was allegedly carried out with the backing of the North Korean government—and this week’s assault on German government websites, large-scale cyber attacks with suspected ties to nation states are growing increasingly prevalent.

    Few people have lifted the veil on cyber warfare like Edward Snowden, a former NSA contractor who leaked a massive number of documents to the press.

    Last June, journalist James Bamford, who is working with NOVA on a new film about cyber warfare that will air in 2015, sat down with Snowden in a Moscow hotel room for a lengthy interview. In it, Snowden sheds light on the surprising frequency with which cyber attacks occur, their potential for destruction, and what, exactly, he believes is at stake as governments and rogue elements rush to exploit weaknesses found on the internet, one of the most complex systems ever built by humans. The following is an unedited transcript of their conversation.

    Reply
  2. Tomi Engdahl says:

    The Cluetrain Manifesto:
    Two “Cluetrain Manifesto” authors present 121 “New Clues” to take on threats to the Internet of 2015

    Hear, O Internet.
    It has been sixteen years since our previous communication.
    http://cluetrain.com/newclues/

    We come to you from the years of the Web’s beginning. We have grown old together on the Internet. Time is short.

    We, the People of the Internet, need to remember the glory of its revelation so that we reclaim it now in the name of what it truly is.

    Reply
  3. Tomi Engdahl says:

    State of Bitcoin 2015: Ecosystem Grows Despite Price Decline
    http://www.coindesk.com/state-bitcoin-2015-ecosystem-grows-despite-price-decline/

    CoinDesk is pleased to announce the latest quarterly State of Bitcoin report, featuring a 2014 Year in Review, an in-depth analysis of data and events from the fourth quarter of 2014 and a look ahead to what 2015 might bring.

    Overall, 2014 could be characterized as a ‘Tale of Two Bitcoins’.

    On the one hand, significant bitcoin venture investment continued and much progress was made in furthering adoption, particularly in bitcoin payment acceptance by big brand names such as Microsoft and Dell.

    On the other hand, early on in 2014, the collapse of Mt Gox dealt a crippling blow to bitcoin’s extraordinary price momentum.

    All-time bitcoin startup VC investment crosses $400 million

    The Bitcoin Thought Leaders survey revealed that international remittances are viewed as one of the most compelling bitcoin use cases for 2015.

    Reply
  4. Tomi Engdahl says:

    Cory Bennett / The Hill:
    Senior Democrat on the House Intelligence Committee will reintroduce controversial cybersecurity information sharing bill, CISPA, on Friday

    House Dem revives major cyber bill
    http://thehill.com/policy/cybersecurity/228945-top-house-dem-to-reintroduce-major-cyber-bill

    “The reason I’m putting bill in now is I want to keep the momentum going on what’s happening out there in the world,” Rep. Dutch Ruppersberger (D-Md.), told The Hill in an interview, referring to the recent Sony hack, which the FBI blamed on North Korea.

    The measure — known as the Cyber Intelligence Sharing and Protection Act (CISPA) — has been a top legislative priority for industry groups and intelligence officials, who argue the country cannot properly defend critical infrastructure without it.

    The House passed Ruppersberger’s bill last year, but it stalled in the Senate amid concerns from privacy advocates that it would enable more collection of Americans’ private information.

    Congress Should Say No to “Cybersecurity” Information Sharing Bills
    https://www.eff.org/deeplinks/2015/01/congress-should-say-no-cybersecurity-information-sharing-bills

    The Sony hack is beginning to leave its mark on lawmakers in Washington, DC. Right before leaving for their winter vacation, politicians touted cybersecurity bills as the silver bullet to stopping future Sony-like hacks. The specific cybersecurity bills don’t focus on advancing research and development, but on the sharing of computer threat information between the public and private sector. What these lawmakers neglect to tell the public is that the bills wouldn’t have solved the Sony hack and that companies can already share information concerning computer threats.

    Information Sharing would not Have Stopped the Sony Attack

    New cybersecurity legislation isn’t needed and it wouldn’t have stopped the Sony hack. Instead of proposing unnecessary privacy-invasive bills, we should be collectively tackling the low-hanging fruit. This includes encouraging companies to use the current information sharing regimes immediately after discovering a threat.

    Companies Can Already Share Information

    The bills—which are identical to the infamous CISPA—provide private companies new authorities to spy on users and broad legal immunity to share the information obtained with the government.

    Private Sharing

    Sharing between private companies routinely happens through Information Sharing and Analysis Centers (ISACs), public reports, and private communications, but needs to happen faster and in greater quantities.

    Public Sharing

    Secondly, companies can already share the information with the government. In 2012, President Obama created the Enhanced Cybersecurity Services. It directed DHS to create an information sharing hub, collect private sector information from companies, and then share that information throughout the public and private sectors.

    Congress Should Say No to Privacy-Invasive Information Sharing Bills

    As the Sony Hack continues to make news, we need to remember that the information sharing cybersecurity bills would not have stopped the Sony hack and that Congress has already passed reasonable cybersecurity bills.

    Reply
  5. Tomi Engdahl says:

    Finnish Communications Regulatory Authority: fake base stations used for tapping have not yet been found

    The Office began an investigation in conjunction with telecommunications operators last month.
    The Finnish Communications Regulatory Authority has so far not detected fake base stations used for espionage.

    Identifying fake stations is difficult, but possible. Kirsti Karlamaa, Director of the agency’s Cyber Security Centre, notes that fake base stations are difficult to detect. Finding them requires extensive monitoring, which cannot be done continuously. Network scanning does not reveal everything, but differences can be found, for example, in the text the base stations broadcast.

    Sources:
    http://www.tivi.fi/kaikki_uutiset/yle+valetukiasemia+ei+loydetty+suomesta/a1040934
    http://yle.fi/uutiset/viestintavirasto_salakuunteluun_kaytettavia_valetukiasemia_ei_ole_toistaiseksi_havaittu/7726986

    Reply
  6. Tomi Engdahl says:

    ASUS router-popping exploit on the loose
    Local users become mighty admins
    http://www.theregister.co.uk/2015/01/09/asus_router_popping_exploit_on_the_loose/

    ASUS routers contain a vulnerability that turns users into admins, researcher Joshua Drake says.

    The boxes could be exploited by malicious local users, but not those on the wider internet, re-rerouting all users on the network to malicious sites, among other attacks.

    Several popular models were affected including the RT-N66U and RT-AC66U.

    ASUS Router infosvr UDP Broadcast root Command Execution
    https://github.com/jduck/asus-cmd

    Reply
  7. Tomi Engdahl says:

    First OSX Bootkit Revealed
    http://apple.slashdot.org/story/15/01/08/214238/first-osx-bootkit-revealed

    A vulnerability at the heart of Apple’s Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac.

    Hudson’s bootkit takes advantage of a vulnerability in how Apple computers deal with peripheral devices connected over Thunderbolt ports during a firmware update. In these cases, the flash is left unlocked, allowing an Option ROM, or peripheral firmware, to run during recovery mode boots. It then has to slip past Apple’s RSA signature check.

    First Public Mac OS X Firmware Bootkit Unleashed
    http://threatpost.com/first-public-mac-os-x-firmware-bootkit-unleashed/110287

    A vulnerability at the heart of Apple’s Mac OS X systems—one thus far only partially addressed by Apple—opens the door to the installation of malicious firmware bootkits that resist cleanup and give hackers persistent, stealthy control over a compromised Mac.

    The end result is the installation of malicious firmware on an Apple machine that would survive reinstallation of OS X or replacement of the Solid State Drive (SSD). Thunderstrike is undetectable, Hudson said, and can be used for root access to an infected computer, putting all of its data and web traffic at risk for interception and monitoring.

    Reply
  8. Tomi Engdahl says:

    MI5 Chief Seeks New Powers After Paris Magazine Attack
    http://news.slashdot.org/story/15/01/09/0041215/mi5-chief-seeks-new-powers-after-paris-magazine-attack

    “The head of MI5, Andrew Parker, has called for new powers to help fight Islamist extremism, warning of a dangerous imbalance between increasing numbers of terrorist plots against the UK and a drop in the capabilities of intelligence services to snoop on communications.”

    MI5 chief seeks new powers after Paris magazine attack
    Andrew Parker describes Charlie Hebdo outrage as ‘a terrible reminder of the intentions of those who wish us harm’
    http://www.theguardian.com/uk-news/2015/jan/08/mi5-chief-charlie-hebdo-attack-paris-andrew-parker

    The head of MI5, Andrew Parker, has called for new powers to help fight Islamist extremism, warning of a dangerous imbalance between increasing numbers of terrorist plots against the UK and a drop in the capabilities of intelligence services to snoop on communications.

    Britain had increased security checks at the French border, including extra vehicle searches, in light of the Paris terrorist attack to make sure the suspects do not enter the country, Downing Street said .

    The UK faces many of the same threats as France and the rest of Europe from al-Qaida, from extremist groups in Syria and Iraq and from elsewhere in the Middle East, Asia and North Africa.

    About 50% of MI5’s work is now devoted to counter-terrorism.

    Almost all of MI5’s top-priority UK counter-terrorism investigations had used intercept capabilities in some form to identify, understand and disrupt plots, he said.

    The intelligence agencies in the UK and the US claim that the Snowden revelations in 2013 about the scale of bulk data collection have undermined their capabilities.

    Reply
  9. Tomi Engdahl says:

    Post-POODLE, OpenSSL shakes off some fleas
    New fixes repair DOS, authentication flaws
    http://www.theregister.co.uk/2015/01/09/dead_openssl_bugs_more_fleas_than_poodles/

    OpenSSL has squashed eight low-severity bugs that could result in denial of service or the removal of forward secrecy.

    The holes, two graded “moderate”, were addressed in OpenSSL updates 1.0.0p, 0.9.8zd, and 1.0.1k.

    Maintainers wrote in an advisory that Cisco warned last October that a crafted Datagram Transport Layer Security (DTLS) message could trigger a segmentation fault (CVE-2014-3571) due to a NULL pointer dereference.

    Reply
  10. Tomi Engdahl says:

    Finns discovered: Russian authorities have infected their European colleagues’ computers

    Security company F-Secure writes in a blog that it has found evidence that Russia is behind malware targeted against a number of European countries.

    CosmicDuke, MiniDuke and OnionDuke, observed at different times, are all connected to each other.

    The CosmicDuke and OnionDuke malware are used against similar targets. Targets have been either criminal organizations operating in Russia or foreign high-level officials. At least one European Ministry of Foreign Affairs is known to have been targeted.

    Source: http://www.tivi.fi/uutisia/suomalaiset+havaitsivat+venalaiset+viranomaiset+ovat+saastuttaneet+eurokollegoidensa+tietokoneita/a1040765

    The Connections Between MiniDuke, CosmicDuke and OnionDuke
    https://www.f-secure.com/weblog/archives/00002780.html

    In the mass infection campaigns of OnionDuke, the attackers have used compromised web servers and free hosting providers for command and control. In these campaigns, the victim computer has been infected with a limited backdoor version of OnionDuke whose main purpose is to contact the C&C server to download and execute additional components. These downloaded components then perform tasks such as collecting system information and user credentials. On the contrary, in the attacks on high-profile targets, the C&C infrastructure used by OnionDuke has been solely owned and operated by the attackers. This infrastructure is also largely shared with known MiniDuke infrastructure. In these cases, the attackers have used a much more full-featured version of OnionDuke that doesn’t need to download any additional components to perform its tasks. Importantly, this division of tactics perfectly aligns with the division of victims.

    Reply
  11. Tomi Engdahl says:

    Computer chaos feared over 2015′s leap second
    http://www.usatoday.com/story/tech/2015/01/08/computer-chaos-feares/21433363/

    The year 2015 will have an extra second — which could wreak havoc on the infrastructure powering the Internet.

    At 11:59 p.m. on June 30, clocks will count up all the way to 60 seconds. That will allow the Earth’s spin to catch up with atomic time.

    The Earth’s spin is gradually slowing down, by about two thousandths of a second per day, but atomic clocks are constant. That means that occasionally years have to be lengthened slightly, to allow the slowing Earth to catch up with the constant clock.

    But last time it happened, in 2012, it took down much of the Internet. Reddit, Foursquare, Yelp and LinkedIn all reported problems, and so did the Linux operating system and programs using Java.

    The reset has happened 25 times since they were introduced in 1972, but the computer problems are getting more serious as increasing numbers of computers sync up with atomic clocks. Those computers and servers are then shown the same second twice in a row — throwing them into a panic.

    Reply
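Log and event pipelines are one place where the leap second described in the comment above bites: Python's `datetime` refuses `23:59:60`, and a host that steps its clock back will emit a timestamp earlier than the one before it. The following added example (constructed input, not code from the article or the comment) parses timestamps leap-second tolerantly and flags records whose clock went backwards.

```python
"""Leap-second tolerant timestamp parsing and clock-step detection."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

_ISO_UTC = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$")


def parse_utc(timestamp: str) -> Tuple[datetime, bool]:
    """Parse YYYY-MM-DDTHH:MM:SSZ, accepting second == 60 for a leap second.

    datetime cannot represent 23:59:60, so the leap second is folded into the
    following midnight and the second element of the result flags that this
    happened, so callers can keep the original ordering information.
    """
    match = _ISO_UTC.match(timestamp)
    if not match:
        raise ValueError(f"unrecognised timestamp: {timestamp!r}")
    year, month, day, hour, minute, second = (int(g) for g in match.groups())
    if second == 60:
        # Leap seconds are only ever inserted as the last second of a UTC day.
        if (hour, minute) != (23, 59):
            raise ValueError(f"second=60 is only valid at 23:59: {timestamp!r}")
        last_second = datetime(year, month, day, 23, 59, 59, tzinfo=timezone.utc)
        return last_second + timedelta(seconds=1), True
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc), False


def parse_log(lines: List[str]) -> List[Tuple[datetime, bool, str]]:
    """Split '<timestamp> <message>' lines into (time, was_leap_second, message)."""
    records = []
    for line in lines:
        timestamp, _, message = line.partition(" ")
        when, leap = parse_utc(timestamp)
        records.append((when, leap, message))
    return records


def backwards_steps(records: List[Tuple[datetime, bool, str]]) -> List[int]:
    """Indices of records whose time is earlier than the previous record's.

    A kernel that inserts the leap second by repeating 23:59:59 produces
    exactly this pattern; a negative delta in a pipeline that assumes
    monotonic wall-clock time is what turned the 2012 leap second into outages.
    """
    return [i for i in range(1, len(records)) if records[i][0] < records[i - 1][0]]


# Constructed log lines around the 30 June 2015 leap second; the fourth line
# models a host that stepped its clock back and repeated 23:59:59.
SAMPLE_LOG = [
    "2015-06-30T23:59:58Z sshd accepted publickey for ops",
    "2015-06-30T23:59:59Z sshd accepted publickey for ops",
    "2015-06-30T23:59:60Z sshd accepted publickey for ops",
    "2015-06-30T23:59:59Z sshd accepted publickey for ops",
    "2015-07-01T00:00:00Z sshd accepted publickey for ops",
]

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("leap-second records:", [i for i, r in enumerate(parsed) if r[1]])
    print("clock went backwards at:", backwards_steps(parsed))
```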
  12. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Lizard Squad’s DDoS attack service “Lizard Stresser” runs mostly on thousands of hacked home routers

    Lizard Stresser Runs on Hacked Home Routers
    http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/

    The online attack service launched late last year by the same criminals who knocked Sony and Microsoft’s gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, KrebsOnSecurity.com has discovered.

    Just days after the attacks on Sony and Microsoft, a group of young hoodlums calling themselves the Lizard Squad took responsibility for the attack and announced the whole thing was merely an elaborate commercial for their new “booter” or “stresser” site — a service designed to help paying customers knock virtually any site or person offline for hours or days at a time. As it turns out, that service draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.

    In the first few days of 2015, KrebsOnSecurity was taken offline by a series of large and sustained denial-of-service attacks apparently orchestrated by the Lizard Squad.

    On Jan. 4, KrebsOnSecurity discovered the location of the malware that powers the botnet. Hard-coded inside of that malware was the location of the LizardStresser botnet controller, which happens to be situated in the same small swath of Internet address space occupied by the LizardStresser Web site (217.71.50.x).

    As we can see in that writeup, in addition to turning the infected host into attack zombies, the malicious code uses the infected system to scan the Internet for additional devices that also allow access via factory default credentials, such as “admin/admin,” or “root/12345”. In this way, each infected host is constantly trying to spread the infection to new home routers and other devices accepting incoming connections (via telnet) with default credentials.

    The botnet is not made entirely of home routers; some of the infected hosts appear to be commercial routers at universities and companies, and there are undoubtedly other devices involved. The preponderance of routers represented in the botnet probably has to do with the way that the botnet spreads and scans for new potential hosts. But there is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras.

    Reply
  13. Tomi Engdahl says:

    Anonymous declares war over Charlie Hebdo attack
    http://money.cnn.com/2015/01/09/technology/anonymous-charlie-hebdo-terrorists/index.html?iid=TL_Popular

    Anonymous declared war on Islamic extremists Friday and promised to take revenge for the attack on French satirical magazine Charlie Hebdo.

    In a video posted on YouTube, the group of hackers said they would track down websites and social media networks linked to terrorists, and take them down.

    “We, Anonymous around the world, have decided to declare war on you the terrorists,” it said.

    The video is described as a message for “al Qaeda, the Islamic State and other terrorists,” and promises to avenge the killing of 12 people in Wednesday’s attack.

    “We intend to take revenge in their name, we are going to survey your activities on the net, we are going to shut down your accounts on all social networks,”

    Reply
  14. Tomi Engdahl says:

    Producer: It was really just a question about (inaudible) vulnerabilities going beyond operating systems that we know of, (inaudible) and preserving those vulnerabilities, that that paradox extends over into critical infrastructure as well as—

    Snowden: Let me just freestyle on that for a minute, then you can record the question part whenever you want. Something we have to remember is that everything about the internet is interconnected. All of our systems are not just common to us because of the network links between them, but because of the software packages, because of the hardware devices that comprise it. The same router that’s deployed in the United States is deployed in China. The same software package that controls the dam floodgates in the United States is the same as in Russia. The same hospital software is there in Syria and the United States.

    So if we are promoting the development of exploits, of vulnerabilities, of insecurity in this critical infrastructure, and we’re not fixing it when we find it—when we find critical flaws, instead we put it on the shelf so we can use it the next time we want to launch an attack against some foreign country. We’re leaving ourselves at risk, and it’s going to lead to a point where the next time a power plant goes down, the next time a dam bursts, the next time the lights go off in a hospital, it’s going to be in America, not overseas.

    Snowden: So I don’t actually want to get in the business of enumerating the list of the horrible of horribles, because I don’t want to hype the threat. I’ve said all these things about the dangers and what can go wrong, and you’re right that there are serious risks. But at the same time, it’s important to understand that this is not an existential threat. Nobody’s going to press a key on their keyboard and bring down the government. Nobody’s going to press a key on their keyboard and wipe a nation off the face of the earth.

    We have faced threats from criminal groups, from terrorists, from spies throughout our history, and we have limited our responses. We haven’t resorted to total war every time we have a conflict around the world, because that restraint is what defines us.

    Snowden:
    When you look at the problem of the U.S. prioritizing offense over defense, imagine you have two bank vaults, the United States bank vault and the Bank of China. But the U.S. bank vault is completely full. It goes all the way up to the sky. And the Chinese bank vault or the Russian bank vault or the African bank vault or whoever the adversary of the day is, theirs is only half full or a quarter full or a tenth full.

    But the U.S. wants to get into their bank vault. So what they do is they build backdoors into every bank vault in the world. But the problem is their vault, the U.S. bank vault, has the same backdoor. So while we’re sneaking over to China and taking things out of their vault, they’re also sneaking over to the United States and taking things out of our vault. And the problem is, because our vault is full, we have so much more to lose. So in relative terms, we gain much less from breaking into the vaults of others than we do from having others break into our vaults. That’s why it’s much more important for us to be able to defend against foreign attacks than it is to be able to launch successful attacks against foreign adversaries.

    Source: http://www.pbs.org/wgbh/nova/next/military/snowden-transcript/

    Reply
  15. Tomi Engdahl says:

    Michael Mimoso / Threatpost:
    Microsoft service for early Patch Tuesday notifications now available only to paying customers

    Microsoft Limits Advanced Patch Notifications to Premier Customers
    http://threatpost.com/microsoft-limits-advanced-patch-notifications-to-premier-customers/110294

    Reply
  16. Tomi Engdahl says:

    Google Engineers Critical of Aviator Browser Security

    Google’s public disclosure and subsequent public criticism over social media of Aviator – which is built upon the Chromium code base, the same one used by Google to build the Chrome browser – kicked off a tense back and forth between the $50-billion search giant and the small-by-comparison private security company.
    http://threatpost.com/google-engineers-critical-of-aviator-browser-security/110323

    Reply
  17. Tomi Engdahl says:

    Android IMSI-Catcher Detector
    http://hackaday.io/project/3824-android-imsi-catcher-detector

    Detect and avoid fake base stations (IMSI-Catchers and StingRays) as well as Silent/Stealth SMS in GSM/UMTS Networks on your phone!

    Calling all ANDROID DEVELOPERS and Privacy Enthusiasts: Join our GitHub!

    We are always seeking Android Developers to join our team to make this happen!

    With our App, the Android IMSI-Catcher Detector (short: AIMSICD) we want to detect and avoid IMSI-Catchers, StingRay and Silent SMS – and provide a free and fully open source solution to everyone out there, thus making people much more aware of these hidden dangers. Our goal is to support as many devices as possible and to make this a project driven by you and for you – because your smartphone is the most important piece of hardware you are carrying around with yourself.

    https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/releases

    Reply
  18. Tomi Engdahl says:

    Ask Hackaday: A Robot’s Black Market Shopping Spree
    http://hackaday.com/2015/01/04/darknet-shopper/

    It was bad when kids first started running up cell phone bills with excessive text messaging. Now we’re living in an age where our robots can go off and binge shop on the Silk Road with our hard earned bitcoins. What’s this world coming to? (_sarcasm;)

    For their project ‘Random Darknet Shopper’, Swiss artists [Carmen Weisskopf] and [Domagoj Smoljo] developed a computer program that was given 100 dollars in bitcoins and granted permission to lurk on the dark inter-ether and make purchases at its own discretion. Once a week, the AI would carry out a transaction and have the spoils sent back home to its parents in Switzerland. As the random items trickled in, they were photographed and put on display as part of their exhibition, ‘The Darknet’.

    The trove of random purchases they received aren’t all illegal, but they will all most definitely get you thinking… which is the point of course. They include everything from a benign Lord of the Rings audio book collection to a knock-off Hungarian passport, as well as the things you’d expect from the black market, like baggies of ecstasy and a stolen Visa credit card.

    Though [Weisskopf] and [Smoljo] aren’t worried about being prosecuted for illegal activity, as Swiss law protects their right to freely express ideas publicly through art, the implications behind their exhibition did raise some questions along those lines. If your robot goes out and buys a bounty of crack on its own accord and then gives it to its owner, who is liable for having purchased the crack?

    Reply
  19. Tomi Engdahl says:

    David Meyer / Gigaom:
    EU ministers propose coordinating with ISPs to monitor and report content that incites terror

    EU response to free speech killings? More internet censorship
    https://gigaom.com/2015/01/11/eu-response-to-free-speech-killings-more-internet-censorship/

    In the wake of this week’s terrorist attacks in Paris, which began with the killing of 12 people at the offices of satirical publication Charlie Hebdo, the interior ministers of 12 EU countries have called for a limited increase in internet censorship.

    The interior ministers of France, Germany, Latvia, Austria, Belgium, Denmark, Spain, Italy, the Netherlands, Poland, Sweden and the U.K. said in a statement (PDF) that, while the internet must remain “in scrupulous observance of fundamental freedoms, a forum for free expression, in full respect of the law,” ISPs need to help “create the conditions of a swift reporting of material that aims to incite hatred and terror and the condition of its removing, where appropriate/possible.”

    This sounds similar to recent agreements in the U.K. whereby ISPs use filters to stop citizens seeing “extremist” online content, though it’s hard to tell without more details.

    At the Paris meeting, the ministers also agreed on a more positive way to counter terrorist propaganda: more speech. They said they had resolved “to develop positive, targeted and easily accessible messages, able to counter this propaganda, aimed at a young audience that is particularly vulnerable to indoctrination.”

    Reply
  20. Tomi Engdahl says:

    Todd Bishop / GeekWire:
    Microsoft chastises Google for disclosing Windows 8.1 security hole prior to patch

    http://www.geekwire.com/2015/microsoft-chastises-google-disclosing-windows-8-1-security-hole-prior-patch/

    Microsoft is publicly criticizing Google for releasing details about a security vulnerability in Windows 8.1 two days before the Redmond company was slated to patch the bug — saying that Google is putting users at risk by rejecting Microsoft’s request to wait until the fix is released.

    Google made the latest disclosure as part of its “Project Zero” security initiative, which provides companies a 90-day deadline to fix vulnerabilities before they are disclosed publicly, giving hackers key details to exploit the bug. In this case, the flaw in the Windows 8.1 log-on mechanism would allow an attacker to escalate their privileges on a user’s computer, effectively taking over the machine.

    “Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result,” writes Chris Betz, senior director of the Microsoft Security Response Center, in a post today outlining Microsoft’s position. “What’s right for Google is not always right for customers. We urge Google to make protection of customers our collective primary goal.”

    In the Microsoft post today, Betz hints at why this latest fix has taken longer than the 90-day period.

    “Responding to security vulnerabilities can be a complex, extensive and time-consuming process,” he writes.

    Reply
  21. Tomi Engdahl says:

    Cloud security now considered ‘a board-level issue’
    http://www.cloudpro.co.uk/cloud-essentials/cloud-security/4748/cloud-security-now-considered-a-board-level-issue

    How cyber breaches and shadow IT are making firms more cautious of cloud

    Shadow IT and cyber breaches are propelling data security into a board-level concern, it is claimed.

    Nearly two-thirds of companies say their executives get involved in security discussions, while 41 per cent are cautious over adopting cloud services, according to joint research between the Cloud Security Alliance (CSA) and Skyhigh Networks.

    Cyber attacks, like last November’s hack of Sony Pictures, have prompted businesses to focus on external threats, with 63 per cent most concerned about malware attacks.

    Fears over data security have also led 72 per cent of companies to demand greater visibility into shadow IT deployments, the research revealed.

    “What companies have got to do is provide an alternative. If they just start blocking services, they often achieve the opposite effect they want to.”

    Reply
  22. Tomi Engdahl says:

    Seeking a Risk Intelligence Model for Long-Term Cyber Resiliency? Look to Healthcare.
    http://www.securityweek.com/seeking-risk-intelligence-model-long-term-cyber-resiliency-look-healthcare

    Most businesses today cannot say with any certainty how the cybersecurity tools or people they acquire and use align with their specific cyber problems.

    That’s where PSOs come in. They provide risk intelligence. Just as in real-life battles against a difficult and sophisticated foe, PSOs are the vital strategy component that drives successful, focused tactics to make everyday healthcare safer.

    As pointed out on Wikipedia, PSOs:

    1. Collect data on the prevalence and individual details of errors.

    2. Analyze sources of error by root cause analysis.

    3. Propose and disseminate methods for error prevention.

    4. Design and conduct pilot projects to study safety initiatives, including monitoring of results.

    5. Raise awareness and inform the public, health professionals, providers, purchasers and employers.

    6. Conduct fundraising and provide funding for research and safety projects.

    7. Advocate for regulatory and legislative changes.

    More than just implementing tactical changes to each and every treatment or procedure, PSO organizations help individual organizations and the healthcare industry as a whole develop long-term resiliency against harm by collecting and analyzing incidents that occur each and every day across a wide variety of healthcare functions and engagements.

    In other words, healthcare organizations – steeped in scientific approaches to almost everything – realized that, to mitigate risk and make their whole environment safer for patients, it requires a diligent, permanent approach to knowing what risks exist, how they occur, what effects they have and what happens as a result.

    You’d be surprised how powerful this kind of data is over time and what it makes possible for organizational safety.

    In short, the key is that it takes tactics and strategy to fully mitigate risks over a long period. The evaluated data of a solid strategic approach informs and guides in ways ephemeral tactics cannot. The most critical cures in our day and age have not come about overnight, instead they have arisen over years of studying the problem and problem space.

    Data diligence: it’s simply a key part of good science.

    In today’s cyber defense world for almost all businesses, there is almost no commitment at the institutional or organizational level to a permanent, managed and scientific cybersecurity strategy component based on long-term commitment to data collection and analysis.

    Sadly, today, cyber is dominated almost solely by tactics. Cyber defense has become all lever-pulling and button-pushing at an operator level. It’s the never-ending cycle of react, retreat, get hit again.

    Can you imagine surgeons taking this approach? Not studying the data and historical information when trying to improve or innovate on existing tactics when something has gone wrong more than once? It’s like saying, “well, that last one didn’t work, let’s try it again and see what happens! We can’t live in the past!” That kind of approach is all tactics, no strategy.

    The same goes for businesses.

    Tactical defenses are critical, vital even to cyber defense, but would you bet on the success of any business that didn’t have leadership control, strategy and planning based on solid data diligence?

    It’s possible to win some battles this way, but the bigger war will always be lost. Again, just as with healthcare, data-driven strategy drives effective tactics.

    Most businesses today can’t say whether they’re focusing (i.e. spending) enough or too little in any given area.

    Worst of all, nearly no business can say where they expect the highest near-term impact to come from against their operations/finances/legal budget/products/customers/partners.

    Reply
  23. Tomi Engdahl says:

    Integrated Threat Defense: On the Big Screen and the Computer Screen
    http://www.securityweek.com/integrated-threat-defense-big-screen-and-computer-screen

    The threat landscape is ever evolving and always advancing with tailor-made, stealthy threats that evade traditional, point-in-time security defenses. Instead of relying on a single attack vector, an advanced attack will use whatever unprotected paths exist, often combining paths in a blended method, to reach its target and accomplish its mission. Cyber criminals go to great lengths to remain undetected, using technologies and methods that result in nearly imperceptible Indications of Compromise (IoCs). At the same time, modern networks are also evolving, extending beyond traditional walls to include public and private data centers, endpoints, virtual machines, mobile devices, and the cloud.

    In today’s dynamic IT and threat environment, point-in-time solutions lack the visibility and control defenders need to implement an effective security policy that addresses advanced threats. And disjointed approaches only add to capital and operating costs and administrative complexity.

    Converged solutions that combine two or more security functions together on a single platform attempt to address these shortcomings. However, simply consolidating security functions on one appliance is far from adequate. The level of integration, if any, is typically limited to device management and post-event analysis – where data is combined into a single repository (often in a SIEM) for later manual analysis. This visibility and analysis aren’t automatically correlated in real time.

    It should come as no surprise then that for the last few years the Verizon Data Breach Investigations Report has revealed that most breaches are found by law enforcement and other third parties – not by the breached organizations themselves. To make security investments more effective, what’s needed is a comprehensive approach with tightly integrated threat defense across the extended network and the entire attack continuum – before, during, and after an attack.

    Each security function must be tightly integrated for truly effective multi-layered protection against the full spectrum of attacks – including known and unknown attacks. This is done by gathering telemetry data across the extended network and encompassing all attack vectors for full contextual awareness, and then analyzing it continually to surface IoCs that would otherwise go unnoticed. With these IoCs, we can prioritize events and stop threats sooner, hopefully before much damage is done, essentially providing an ‘early warning system’ for unknown cyberattacks.

    Integrated threat defense provides better and faster protection at multi-gigabit speeds – before you have a known signature, before valuable data is stolen, and before a third party discovers and alerts you to the breach.

    There are other aspects of joining forces, besides integrating security functions. At the industry level, open source is a valuable tool for defenders as they rapidly innovate to close security gaps and gather great intelligence about potential threats.

    Reply
  24. Tomi Engdahl says:

    Mobile Security Predictions for 2015
    http://www.securityweek.com/mobile-security-predictions-2015

    1) The future of enterprise mobility management

    In 2015, enterprise mobility management (EMM) will become commoditized and cost will decrease, as enterprises realize it does not provide much return on investment.

    2) Focus on mobile app security

    Secondly, mobile app security will become increasingly important in 2015. Currently, there are a number of ways to secure content on mobile devices, like MDM, MAM and EMM; however, as we continue to see an uptick in the number of mobile security threats, one method will come out on top: protecting and securing the actual code of mobile applications.

    3) A “New Relic” of Mobile Security will emerge

    There will be increased demand for mobile analytics that monitor the real-time security posture of apps and the data throughout the mobile ecosystem.

    4) iOS vs. Android

    Lastly, the delta between the security of iOS and Android will continue to shrink. In 2014, we saw that the recent release of iOS 8 made the platform less restrictive and Android added more enterprise security features to its operating system, making it more secure. With the two operating systems looking more alike in 2015, enterprises will need to take a long, hard look at what they’re securing, as neither Android nor iOS will be completely reliable, or completely trustable.

    Reply
  25. Tomi Engdahl says:

    Android Manifest File Attacks Can Make Devices Inoperable
    http://www.securityweek.com/android-manifest-file-attacks-can-make-devices-inoperable

    Researchers at Trend Micro have identified a vulnerability related to the Android manifest file that can be exploited to cause devices to crash.

    The Android manifest file, AndroidManifest.xml, can be found in every application’s root directory. The file contains essential information about the app, including the name of the Java package, a description of components, the permissions needed, and the processes that host components.

    According to experts, a specially crafted manifest file can be used to make devices inoperable by getting them into a reboot loop.

    The vulnerability has been successfully reproduced by Trend Micro on Android 4.4.4, Android Lollipop, and older versions of the operating system. Researchers have found two ways to exploit the flaw: by using long strings and memory allocation, and through .APK files and a specific intent filter.

    Trend Micro says it has notified Google of this flaw, but it’s uncertain if the search engine giant plans on doing anything to address it.

    Reply
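As an added illustration of the manifest structure described above (package name, components, permissions, hosting processes), here is a small Python inspector that parses an AndroidManifest.xml and flags attribute values above a length threshold. It is not Trend Micro's or Google's code; the sample manifest, the `MAX_ATTR_LEN` limit and the function names are constructed for this example, and the threshold is an assumed sanity check rather than the limit Android itself enforces.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAX_ATTR_LEN = 4096  # assumed sanity limit for this example, not an Android constant

# Constructed sample manifest (not from any real app) used as the example input.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Demo" android:process=":remote">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"/>
        <receiver android:name=".BootReceiver"/>
    </application>
</manifest>
"""

# The four Android component kinds that may appear under <application>.
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def summarize_manifest(xml_text):
    """Parse a manifest and return package, permissions, components and
    any attribute values longer than MAX_ATTR_LEN."""
    root = ET.fromstring(xml_text)
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")

    summary = {
        "package": root.get("package"),
        "permissions": [attr(e, "name") for e in root.iter("uses-permission")],
        "components": [],
        "oversized_attributes": [],
    }

    for elem in root.iter():  # document order, root included
        # Length check on every attribute value, regardless of element kind.
        for key, value in elem.attrib.items():
            if len(value) > MAX_ATTR_LEN:
                summary["oversized_attributes"].append((elem.tag, key, len(value)))

        if elem.tag in COMPONENT_TAGS:
            summary["components"].append({
                "kind": elem.tag,
                "name": attr(elem, "name"),
                "exported": attr(elem, "exported") == "true",
                "process": attr(elem, "process"),  # hosting process, if overridden
                "intent_actions": [attr(a, "name") for a in elem.iter("action")],
            })
    return summary


if __name__ == "__main__":
    for key, value in summarize_manifest(SAMPLE_MANIFEST).items():
        print(key, "=", value)
```

Running it on an APK's extracted manifest gives a quick inventory of what the app declares, and the oversized-attribute list is the kind of coarse pre-install check a device-management tool could apply before handing a package to the platform installer.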
  26. Tomi Engdahl says:

    Hackers try to Blackmail Swiss Bank After Stealing Data: Report
    http://www.securityweek.com/hackers-try-blackmail-swiss-bank-after-stealing-data-report

    Geneva – Swiss bank BCGE said Thursday hackers had stolen the personal data of thousands of clients as a newspaper reported it was being blackmailed.

    The Banque Cantonale de Geneve said the theft had affected several thousand of its estimated 240,000 clients but that there had been “no financial damage.”

    The stolen data included names, addresses, telephone numbers and account numbers.

    Reply
  27. Tomi Engdahl says:

    PCI 3.0 Compliance Standard Arrives With Start of New Year
    http://www.securityweek.com/pci-30-compliance-standard-arrives-start-new-year

    The New Year brought many things – good tidings, champagne…and new requirements for the Payment Card Industry Data Security Standard (PCI DSS).

    PCI DSS 3.0 is a reality now for businesses, and though some of the requirements in it won’t be mandatory until July 1, businesses need to adjust to the standard. A full summary of the changes can be read here.

    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_Summary_of_Changes.pdf

    Reply
  28. Tomi Engdahl says:

    Browsing in privacy mode? Super Cookies can track you anyway
    New technique allows websites to bypass privacy mode unless users take special care.
    http://arstechnica.com/security/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway/

    For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn’t save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care.

    Ironically, the chink that allows websites to uniquely track people’s incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security. Websites use it to ensure that an end user interacts with their servers only when using secure HTTPS connections.

    Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at.

    Update: The latest version of Firefox, 34.0.5, no longer allows HSTS Super Cookies set in regular mode to persist in private mode.

    Reply
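To make the mechanism in the article concrete from the browser's side, here is an added Python model of an HSTS store that parses the Strict-Transport-Security header (max-age, includeSubDomains, max-age=0 as deletion, expiry) and keeps entries keyed by browsing mode, so state recorded in normal mode is never consulted in private mode. It is example code, not Firefox's implementation; the mode partitioning is my own simplification of the kind of fix the update above describes, and the host names and clock are constructed for the demo.

```python
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age_seconds, include_subdomains); raises ValueError on bad input."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives are ignored, as RFC 6797 requires.
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub


class HstsStore:
    """HSTS cache partitioned by browsing mode ("normal" or "private")."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # (mode, host) -> (expiry_timestamp, include_subdomains)

    def record(self, mode, host, header):
        """Store the policy a host sent over HTTPS; max-age=0 removes it."""
        max_age, include_sub = parse_hsts(header)
        key = (mode, host.lower())
        if max_age == 0:
            self._entries.pop(key, None)
            return
        self._entries[key] = (self._clock() + max_age, include_sub)

    def should_upgrade(self, mode, host):
        """True if a plain-HTTP request to host must be upgraded in this mode.
        Walks from the full host up to each parent domain; parents only
        apply when their policy carries includeSubDomains."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._entries.get((mode, ".".join(labels[i:])))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False

    def clear(self, mode):
        """Drop every entry of one mode, e.g. when a private session ends."""
        for key in [k for k in self._entries if k[0] == mode]:
            del self._entries[key]


def demo():
    """Constructed scenario: a policy learned in normal mode is not visible
    to private mode, so it cannot serve as a cross-mode identifier."""
    now = [1000.0]  # fake clock so the demo is deterministic
    store = HstsStore(clock=lambda: now[0])
    store.record("normal", "example.test", "max-age=31536000; includeSubDomains")
    return (store.should_upgrade("normal", "a.example.test"),
            store.should_upgrade("private", "a.example.test"))


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The same partition key is what a browser would also have to apply to other per-host security state (certificate pins, for instance) for private mode to be meaningful; HSTS is simply the first such store where the leak was pointed out.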
  29. Tomi Engdahl says:

    Leaked Palantir Doc Reveals Uses, Specific Functions And Key Clients
    http://techcrunch.com/2015/01/11/leaked-palantir-doc-reveals-uses-specific-functions-and-key-clients/

    Since its founding in 2004, Palantir has managed to grow into a billion dollar company while being very surreptitious about what it does exactly. Conjecture abounds. The vague facts dredged up by reporters confirm that Palantir has created a data mining system used extensively by law enforcement agencies and security companies to connect the dots between known criminals.

    Palantir’s data analysis solution targets three industries: government, the finance sector and legal research. Each of these industries must wrestle with massive sets of data. To do this, Palantir’s toolsets are aimed at massive data caches, allowing litigators and the police to make connections otherwise invisible.

    Palantir’s software sits on top of existing data sets and provides users with what seems like a revolutionary interface. Users do not have to use SQL queries or employ engineers to write strings in order to search petabytes of data. Instead, natural language is used to query data and results are returned in real-time.

    Clients include the Los Angeles Police Department which used Palantir to parse and connect 160 data sets: Everyone from detectives to transit cops to homeland security officials uses Palantir at the LAPD. According to the document, Palantir provides a timeline of events and has helped the massive police department sort its records.

    The leaked report quotes Sergeant Peter Jackson of the LAPD stating: “Detectives love the type of information it [Palantir] provides. They can now do things that we could not do before. They can now exactly see great information and the links between events and people. It’s brought great success to LAPD.”

    “It’s the combination of every analytical tool you could ever dream of. You will know every single bad guy in your area.”

    Reply
  30. Tomi Engdahl says:

    Attackers have long been classified into four groups:

    1) Amateurs, experimenters or users who, through unconscious or conscious activity, may accidentally cause disturbances. With this group, the biggest problem will be that ever more powerful tools, services and practical step-by-step guides for causing problems are available on the internet. In principle, (almost) anyone can prepare an attack, carry out a denial of service or plant a spying/monitoring program on a friend’s phone or portable device, given a little time at the drawing board.

    2) Hacktivists and others who want to influence organizations or authorities. They benefit in the same way as the previous group from the growing availability of cheaper services and released information. Cloud services, with their elastic, scalable capacity, also benefit hostile parties.

    3) Cyber criminals. As we digitalise operations, the attack surface available to criminals constantly grows, so it is easier for them to target and pick out items that match their interests. Similarly, they have been able to develop new attack methods and services.

    4) State intelligence, which lives outside all of this. While the above parties may be motivated by increasing their own reputation, ruining the target’s reputation or achieving economic benefits, state actors mainly focus on data collection. However, if something else is required of the target (ruining its reputation or hampering its business), that can be implemented easily as well.

    Now that in the last two years the importance of monitoring communications, and usually logs, has been understood, I bet that this year we will find a record number of state actors, as well as ancient, dinosaur-era campaigns alongside modern, active campaigns. In this sense, the Snowden revelations are only now, almost two years after the fact, beginning to bear fruit properly.

    What are your biggest concerns?
    1. Targeted attacks become more common
    2. The mobile world begins to crumble
    3. Previously unknown attack methods are developed against banks and other holders of money
    4. More BIG zero-day vulnerabilities
    5. Home devices and other devices outside organizations’ perimeters are subject to significant threats

    Source: http://www.tivi.fi/blogit/turvasatama/12+ennustusta+kyber+ja+tietoturvallisuuden+osalta+vuodelle+2015/a1041288

    Reply
  31. Tomi Engdahl says:

    Did your airline frequent flier points disappear? User data stolen from thousands

    User data from more than 20 tourism-related online services has been leaked in the past two months.

    Criminals are peddling the user data, including that of airlines and travel agents, on underworld forums. The leaks were reported by security researcher Alex Holden.

    The American carrier United Airlines admitted on Sunday that information on three thousand loyalty customers was exposed in a data breach.

    Information on 10 000 American Airlines loyalty customers has also been exfiltrated, the AP reported on Monday.

    According to security researcher Holden, attacks on airline loyalty services are common and often successful. In at least two cases, American Airlines loyalty points were used to book flights or upgrade the travel class.

    Source: http://www.tivi.fi/kaikki_uutiset/katosivatko+lentoyhtion+kantaasiakaspisteesi+tuhansilta+varastettu+kayttajatietoja/a1041661

    Reply
  32. Tomi Engdahl says:

    FBI Access To NSA Surveillance Data Expands In Recent Years
    http://yro.slashdot.org/story/15/01/12/1759210/fbi-access-to-nsa-surveillance-data-expands-in-recent-years

    The FBI’s access to email and other data collected from overseas targets in the NSA’s Prism program has been growing since 2008, according to a 2012 U.S. Department of Justice inspector general’s report.

    FBI access to surveillance program expands in recent years
    http://www.itworld.com/article/2867815/fbi-access-to-surveillance-program-expands-in-recent-years.html

    In 2008, the FBI began reviewing email accounts targeted by the NSA through the Prism program, according to the report and a New York Times story.

    And in April 2012, the FBI began nominating email addresses and phone numbers that the NSA should target in its surveillance program, according to the document.

    Reply
  33. Tomi Engdahl says:

    Obama Proposes 30-Day Deadline For Disclosing Security Breaches
    http://it.slashdot.org/story/15/01/12/1835241/obama-proposes-30-day-deadline-for-disclosing-security-breaches

    Following the string of massive data breaches at major corporations, President Obama has called for legislation that would standardize how these incidents are disclosed to the public.

    “The Personal Data Notification and Protection Act would demand a single, national standard requiring companies to inform their customers within 30 days of discovering their data has been hacked.”

    “the current patchwork of state laws does not protect Americans and is a burden for companies that do business across the country.”

    “will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft.”

    Reply
  34. Tomi Engdahl says:

    Remember Corel? It’s just entered .DLL hell
    Hijack hole found in Corel Draw and other doodleware
    http://www.theregister.co.uk/2015/01/13/hijack_hole_found_in_corel/

    Local zero day vulnerabilities have been disclosed in Corel applications, potentially affecting more than 100 million users.

    The holes were dropped by Marcos Accossatto of Core Security after the doodleware company did not respond to his private disclosure.

    “Given that this is a client-side vulnerability, affected users should avoid opening untrusted files whose extensions are associated with Corel software and contain any of the [affected] DLL files,”

    Corel was warned 9 December and 2 January of the vulnerabilities and that they would be publicly disclosed if no response was made.

    Reply
  35. Tomi Engdahl says:

    This $10 phone charger will wirelessly keylog your boss
    Arduino tool sniffs wireless Microsoft keyboards
    http://www.theregister.co.uk/2015/01/13/this_10_phone_charger_will_wirelessly_keylog_your_boss/

    MySpace mischief-maker Samy Kamkar has released schematics for a dirt-cheap wireless sniffer capable of plundering keystrokes from office cubicles.

    The “Keysweeper” looks and functions like a generic USB phone charger, but conceals Arduino-powered sniffing gear within.

    The device targets Microsoft wireless keyboards and contains a host of functions allowing hackers to monitor keystrokes in real time and have SMSes sent when certain keywords such as login credentials are typed by victims.

    “[We can decrypt any Microsoft wireless keyboard without even knowing the MAC address which is great.

    “Using a few-dollar Arduino and a US$1 Nordic RF chip we can decrypt these packets and see any keystroke of any keyboard in the vicinity that’s using the Microsoft wireless keyboard protocol and it doesn’t matter what OS is used.”

    KeySweeper
    http://samy.pl/keysweeper/

    KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

    All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.

  36. Tomi Engdahl says:

    How Bitcoin Could Be Key To Online Voting
    http://yro.slashdot.org/story/15/01/12/1717231/how-bitcoin-could-be-key-to-online-voting

    If implemented correctly, the proliferation of online voting could solve one of the biggest problems in American democracy: low voter turnout.

    However, in the past few years, there’s been a renewed effort to solve the conundrum of online voting using a most unexpected tool: Bitcoin.

    Can Bitcoin save democracy?
    http://kernelmag.dailydot.com/issue-sections/staff-editorials/11334/bitcoin-online-voting-issues/

    If implemented correctly, the proliferation of online voting could solve one of the biggest problems in American democracy: low voter turnout. The 2014 midterms boasted the lowest voter turnout in 72 years. In the three most populous states in the country, less than one-third of voters submitted ballots.

    Low turnout leads to political polarization because the most ideologically extreme voters on either side are the most likely to participate.

    Making online voting work is infinitely harder than it initially seems. However, in the past few years, there’s been a renewed effort to solve the conundrum of online voting using a most unexpected tool: Bitcoin.

    The most important thing to know about Bitcoin is that, despite the popular perception, it’s not just a currency. Bitcoin’s ability to hold monetary value is necessary for the network on which it runs to function, but Bitcoin’s full potential goes far beyond that.

    Bitcoin was created to solve a very specific problem: how to avoid double-spending with an online currency.

    Nakamoto’s solution was a giant public ledger containing a record of all Bitcoin transactions called the blockchain. The blockchain traces the history of every bitcoin from the moment it was created. The blockchain gives Alice the confidence that Bob can only send her bitcoins that he actually has because the network, which consists of computers around the world running Bitcoin nodes, checks for double-spending and automatically stops users from sending bitcoins they don’t actually have.

    The system may have initially been built for monetary transactions, but it’s not difficult to see how the blockchain could be useful in online voting.

    The main job in online voting is ensuring that the election system records someone’s vote the way they intended. Running votes over the blockchain, which is public, creates an auditable trail linking a person and their vote.

    “The thing about Bitcoin is that you don’t have to trust any single entity with your money or with your identity,”

    Van Kuyk started V-Initiative about two years ago as platform for streamlining group decision-making, which at the end of the day, is what all voting boils down to.

    “We were always up against the general public perception that closed systems are secure and that voting requires the ultimate security,” he said, noting that Bitcoin’s open, decentralized nature is the core of its strength.

    The V-Initiative isn’t alone when it comes to cryptocurrency voting. Similar efforts to use Bitcoin to enhance online elections have been put forth by organizations like BitCongress, Liquid Feedback, and Agora Voting.

    While Bitcoin voting systems could do an admirable job of ensuring that a vote is recorded accurately after it leaves a computer or smartphone, what happens before that is a huge black hole.

    “There’s no way to verify if the votes are actually being recorded accurately on these machines because the complexity of computer systems is so great no one knows what’s going on in full detail,” Dill insisted. “There are just so many ways for somebody to put malicious software on them.”

    A hacker could install malware on a voter’s computer undetectably changing their vote. Done en masse, a single virus spreading its way through an area’s Internet users could easily swing an election from one side to the other—especially in close races.

    The Bitcoin system technically allows for a voter to double-check their vote has been registered the way they intended. However, that brings up a whole mess of new problems.

    One of the cornerstones of any anonymous voting system, like the one in the United States, is ensuring the voter isn’t left with a record of how they voted.

    The anonymity issue is one of the things that makes online voting fundamentally different from online shopping.

    “Fraud in online banking can be quantified—they know how much is getting ripped off so they can adjust the usability vs. security knob to get it to the point where the risk is acceptable,” Dill noted. “But there’s no way to quantify that level of risk in elections. There’s no way to rationally set that knob because there’s no way of knowing if we can accept a 1 percent or 3 percent fraud rate in elections.”

    Despite the myriad issues, online voting has been tried in various forms.

  37. Tomi Engdahl says:

    Mark Scott / New York Times:
    British Prime Minister wants to ban encrypted messaging services like WhatsApp and iMessage if security agencies can’t access them —

    British Prime Minister Suggests Banning Some Online Messaging Apps
    http://bits.blogs.nytimes.com/2015/01/12/british-prime-minister-suggests-banning-some-online-messaging-apps/

    Popular messaging services like Snapchat and WhatsApp are in the cross hairs in Britain.

    That was the message delivered on Monday by Prime Minister David Cameron, who said he would pursue banning encrypted messaging services if Britain’s intelligence services were not given access to the communications.

    The statement comes as many European politicians are demanding that Internet companies like Google and Facebook provide greater information about people’s online activities after several recent terrorist threats, including the attacks in Paris.

    “Are we going to allow a means of communications which it simply isn’t possible to read?” Mr. Cameron said at an event on Monday, in reference to services like WhatsApp, Snapchat and other encrypted online applications. “My answer to that question is: ‘No, we must not.’ ”

    Mr. Cameron said his first duty was to protect the country against terrorist attacks.

    “The attacks in Paris demonstrated the scale of the threat that we face and the need to have robust powers through our intelligence and security agencies in order to keep our people safe,” he added.

  38. Tomi Engdahl says:

    Adam Clark Estes / Gizmodo:
    Hackers claiming to be ISIS “Cyber Caliphate” seize US Central Command’s Twitter and YouTube accounts

    Someone Claiming to Be ISIS Says They Hacked CENTCOM, Leaks Docs Online
    http://gizmodo.com/somebody-claiming-to-be-isis-says-theyve-hacked-centcom-1679003951

    U.S. Central Command’s Twitter and YouTube accounts just lit up in a bad way. It looks like somebody who’s claiming to be an ISIS affiliate called “CyberCaliphate” managed to gain access to the account and is currently tweeting images of documents, allegedly internal CENTCOM documents.

    The first tweet links to a Pastebin post with links to downloads of “confidential data.” However, upon further inspection, the documents don’t appear to be so confidential.

    “We are aware of the issue,” CENTCOM said

    “We can confirm that the CENTCOM Twitter and YouTube accounts were compromised earlier today.”

  39. Tomi Engdahl says:

    Tod Beardsley / Metasploit:
    Google stops providing security patches for pre-KitKat WebView, leaves 930M users vulnerable

    Google No Longer Provides Patches for WebView Jelly Bean and Prior
    https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior

    Over the past year, independent researcher Rafay Baloch (of “Rafay’s Hacking Articles”) and Rapid7’s Joe Vennix have been knocking out Android WebView exploits somewhat routinely, based both on published research and original findings. Today, Metasploit ships with 11 such exploits, thanks to Rafay, Joe, and the rest of the open source security community. Generally speaking, these exploits affect “only” Android 4.3 and prior — either native Android 4.3, or apps built with 4.3 WebView compatibility.

    WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.

    Despite this change, though, it’s likely there will be no slow-down of these Android security bugs, and they will probably last a long time due to a new and under-reported policy from Google’s Android security team: Google will no longer be providing security patches for vulnerabilities reported to affect only versions of Android’s native WebView prior to 4.4.

    It would appear that over 930 million Android phones are now out of official Google security patch support, given the published Gartner and WSJ numbers on smartphone distribution.

    Roll Your Own Patches?

    It’s important to stress that Android is, in fact, open source. Therefore, it’s not impossible for downstream handset manufacturers, service providers, retailers, or even enthusiastic users to come up with their own patches. This does seem to happen today; a 4.3 vulnerability may affect, say, a Kyocera handset, but not a Samsung device with the “same” operating system.

    No Patches == No Acknowledgement

    To complicate matters, Google generally does not publish or provide public comment on Android vulnerabilities, even when reported under reasonable disclosure procedures. Instead, Android developers and consumers rely on third party notifications to explain vulnerabilities and their impact, and are expected to watch the open source repositories to learn of a fix.

    Please Reconsider, Google

    Google’s engineering teams are often the best around at many things, including Android OS development, so to see them walk away from the security game in this area is greatly concerning.

  40. Tomi Engdahl says:

    Your private Instagrams weren’t as private as you thought they were
    http://qz.com/323307/instagram-privacy/

    A privacy hole was publicly exposing an untold number of photographs Instagram users believed were private, until Instagram fixed it this weekend in apparent response to queries by Quartz.

    Tests by Quartz had showed that a photograph posted to Instagram when a user’s account is set to public—the default setting—would remain publicly viewable on the web, even if the user made her account private.

    Instagram—the Facebook-owned social network with more than 300 million users—acknowledged the situation in a statement responding to Quartz late last week. It then updated its software to fix the privacy hole. As of this weekend, some images posted on private accounts that were once publicly accessible are no longer viewable.

    Even with this hole now patched, any privacy glitches are potentially sensitive for Facebook

    Regardless, the Instagram loophole is an example of the sort of complexity that ordinary users are required to navigate if they aim to control the online availability of personal information such as photos. And it highlights how internet companies such as Instagram arguably under-communicate to users the nuances of privacy settings as those controls increase in complexity.

  41. Tomi Engdahl says:

    Do We Need Regular IT Security Fire Drills?
    http://it.slashdot.org/story/15/01/13/008250/do-we-need-regular-it-security-fire-drills

    Do we need regular IT security fire drills?
    http://www.net-security.org/secworld.php?id=17810

    IT security ‘fire drills’, supported by executive management and the risk committee, should be conducted regularly in organizations, in order to understand the appropriate course of action in advance of a security breach. So says Neil Campbell, Group General Manager for Dimension Data’s Security Business Unit.

    Organizations need to move beyond focusing purely on the prevention of security incidents, and start to concentrate on what they will do when an incident occurs.

    “It’s inevitable that security incidents will occur. It’s therefore critical that organizations begin to focus on identifying what we call ‘indicators of compromise’, putting a comprehensive incident response plan in place, and performing regular IT security ‘fire drills’”, explains Campbell. He points out the regular fire drills – or rehearsals – will ensure that, in the event of an incident, IT and management teams are clear about what needs to be done, and the business is less at risk. This includes recovering evidence, identifying and resolving the root cause of the incident (not just the symptoms), and undertaking a forensic investigation.

    So what other issues are on the watch-list in 2015 for IT security professionals?

    IT security gets cloudy

    Both Campbell and Gyde predict a continued increase in the adoption of cloud services for security in 2015. “This holds true for software-as-a-service solutions, such as secure Web proxy, and secure email in the cloud. These solutions are particularly attractive as the implementation effort is negligible – you’re simply redirecting traffic to take advantage of the service through a consumption-based model. And the services are highly scalable”

    From security technologies to secure platforms

    2015 will also see the notion of security being a secure platform − rather than a series of point products or devices on the network – gaining traction. The expectation on security professionals will be to deliver a secure platform that allows the business to confidently run multiple applications, in a secure environment.

    Endpoint security back in vogue

    Campbell predicts a resurgence in interest in endpoint security in the industry. “This is closely tied to the first trend we discussed − incident response − and the fact that some traditional network-based security controls aren’t as effective as they used to be. Security professionals will be looking at devices – whether they’re PCs, Macs, or smartphones – for indicators of compromise, and then enabling some form of incident response process. They’ll deploy technologies to endpoints to make incident response easier,” he says.

  42. Tomi Engdahl says:

    Microsoft Wireless keyboards seem to be insecure:

    This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby
    http://venturebeat.com/2015/01/12/this-usb-wall-charger-secretly-logs-keystrokes-from-microsoft-wireless-keyboards-nearby/

    Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards cleverly hidden in what appears to be a rather large, but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes — saving them both locally and online.

    This is no toy. KeySweeper includes a web-based tool for live keystroke monitoring, can send SMS alerts for trigger words, usernames, or URLs (in case you want to steal a PIN number or password), and even continues to work after it is unplugged thanks to a rechargeable internal battery. That’s an impressive list of features, especially given that Kamkar told VentureBeat the whole process “took a few days” including a few over Christmas break and this past weekend when he decided “to properly document it.”

    This “spy tool” only affects Microsoft wireless keyboards, and it allegedly works with many, if not most, of them. As a result, we reached out to let the company know. “We are aware of reports about a ‘KeySweeper’ device and are investigating,” a Microsoft spokesperson told VentureBeat.

    Kamkar says the unit cost for KeySweeper ranges from $10 to $80, depending on which functions you require.

    KeySweeper
    http://samy.pl/keysweeper/

  43. Tomi Engdahl says:

    Big Yellow brings in Boeing bods to bolster Big data bid
    Symantec also licensing technology from network monitor Narus
    http://www.theregister.co.uk/2015/01/13/symantec_turns_to_boeing_for_big_data_security_expertise/

    Symantec is acquiring 65 security engineers from Boeing as a part of a deal to beef up its expertise in Big Data, prior to a split between its security and storage divisions later this year.

    As part of the deal Big Yellow is also licensing technology from Boeing’s Narus security division, which develops network-monitoring technologies used by customers including the US government.

    Boeing bought Narus in 2010, four years after the security tools developer was dragged into controversy with claims by a whistle-blower that its technology was used by AT&T to fulfil the National Security Agency’s warrantless wiretap program, Bloomberg notes.

  44. Tomi Engdahl says:

    Windows 7 MARKED for DEATH by Microsoft – starting NOW
    Mainstream support ends TODAY
    http://www.theregister.co.uk/2015/01/13/windows_7_doom_clock_countdown_starts_now/

    Today, 13 January, is the day on which Microsoft’s Windows 7 passes from mainstream support into extended support.

    The milestone is the first on the road to Microsoft pulling the plug on January 14th, 2020.

    Windows 7 is a widely-admired version of Windows

    All versions of Windows 7 move to extended support today and expire come 2020, save the embedded version which Microsoft’s page for support timing says is exempt from obsolescence.

    The change from mainstream to extended support means Microsoft won’t do free support for Windows 7 as of today. Even those with licences paid up, or signed up to licensing programs, will now be charged for Windows 7 support

    Security patches will continue to flow until 2020.

    Microsoft Product Lifecycle – Windows 7
    http://support2.microsoft.com/lifecycle/search/default.aspx?alpha=windows+7

  45. Tomi Engdahl says:

    SLIDESHOW: Making Healthcare Unhackable
    https://ssl.www8.hp.com/hpmatter/issue-no-3-winter-2015/slideshow-making-healthcare-unhackable

    According to the Identity Theft Resource Center, 44% of all registered data breaches in 2013 targeted medical companies. The National Crime Prevention Council reports that 10% of drugs traded worldwide could be counterfeit. It’s common to believe that technology makes such costly data breaches easier than ever to pull off. But tech also holds the solution.

    Healthcare organizations often have a combination of legacy and new applications running on disparate proprietary networks, which can create interoperability, visibility, and security issues.

  46. Tomi Engdahl says:

    The Importance of Deleting Old Stuff
    http://it.slashdot.org/story/15/01/13/0548233/the-importance-of-deleting-old-stuff

    Bruce Schneier has codified another lesson from the Sony Pictures hack: companies should know what data they can safely delete. He says, “One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. … Everything is now digital, and storage is cheap — why not save it all?

    Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company.

    Schneier recommends organizations immediately prepare a retention/deletion policy so in the likely event their security is breached, they can at least reduce the amount of harm done.

    http://arstechnica.com/security/2015/01/the-importance-of-deleting-old-stuff-another-lesson-from-the-sony-attack/

  47. Tomi Engdahl says:

    10 Crimes Caught On Google Earth
    https://www.youtube.com/watch?v=5EaZIpqIjK8

    Thieves, tax evaders, and drug dealers have all been caught red handed on Google Earth.

  48. Tomi Engdahl says:

    How To Hijack Your Own Windows System With Bundled Downloads
    http://tech.slashdot.org/story/15/01/13/1513247/how-to-hijack-your-own-windows-system-with-bundled-downloads

    How-To Geek has tested and described something that you probably shouldn’t do on your own computer — unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do.

    Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings.

    Here’s What Happens When You Install the Top 10 Download.com Apps
    http://www.howtogeek.com/198622/heres-what-happens-when-you-install-the-top-10-download.com-apps/?PageSpeed=noscript

    Seriously, we don’t recommend doing this at home on your primary PC, unless you want to make your computer a smoking pile of useless. If you do want to try it, make sure to use a virtual machine.

    Free software vendors make so much more money by bundling other software than they do by selling subscriptions that it’s pretty much the only business plan that anybody can consider using. At least Avast is bundling something good, so we can’t really argue with it.

    Our story ends here, but hopefully we’ve all learned some important lessons from this quick journey through the world of crapware. Freeware software vendors make almost all of their money by bundling complete nonsense and scareware that tricks users into paying to clean up their PC, despite the fact that you could prevent the need to clean up your PC by just not installing the crappy freeware to begin with.

    And no matter how technical you might be, most of the installers are so confusing that there’s no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer.

    And it doesn’t matter which antivirus you have installed — we’ve actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn’t block all of it for sure.

  49. Tomi Engdahl says:

    Cory Doctorow / Boing Boing:
    Why David Cameron’s proposal to ban encrypted messaging services won’t work, and would make Britons less secure

    What David Cameron just proposed would endanger every Briton and destroy the IT industry
    http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html

    David Cameron says there should be no “means of communication” which “we cannot read” — and no doubt many in his party will agree with him, politically. But if they understood the technology, they would be shocked to their boots.

    What David Cameron thinks he’s saying is, “We will command all the software creators we can reach to introduce back-doors into their tools for us.” There are enormous problems with this: there’s no back door that only lets good guys go through it. If your Whatsapp or Google Hangouts has a deliberately introduced flaw in it, then foreign spies, criminals, crooked police (like those who fed sensitive information to the tabloids who were implicated in the hacking scandal — and like the high-level police who secretly worked for organised crime for years), and criminals will eventually discover this vulnerability. They — and not just the security services — will be able to use it to intercept all of our communications. That includes things like the pictures of your kids in your bath that you send to your parents to the trade secrets you send to your co-workers.

    But this is just for starters. David Cameron doesn’t understand technology very well, so he doesn’t actually know what he’s asking for.

    For David Cameron’s proposal to work, he will need to stop Britons from installing software that comes from software creators who are out of his jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available

    Cameron is not alone here. The regime he proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it). There are two means by which authoritarian governments have attempted to restrict the use of secure technology: by network filtering and by technology mandates.

    David Cameron has already shown that he believes he can order the nation’s ISPs to block access to certain websites (again, for the record, this hasn’t worked very well). The next step is to order Chinese-style filtering using deep packet inspection, to try and distinguish traffic and block forbidden programs. This is a formidable technical challenge.

    More ambitious is a mandate over which code operating systems in the UK are allowed to execute. This is very hard indeed.

    More difficult is the world of free/open operating systems like GNU/Linux and BSD. These operating systems are the gold standard for servers, and widely used on desktop computers (especially by the engineers and administrators who run the nation’s IT). There is no legal or technical mechanism by which code that is designed to be modified by its users can co-exist with a rule that says that code must treat its users as adversaries and seek to prevent them from running prohibited code.

    no material effect on the ability of criminals to carry on perfectly secret conversations that “we cannot read”.
