Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash (Shellshock) and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They can come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to get malicious applications published in application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The technologies underlying the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) to describe threats in a way that can be aggregated and understood by others.
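As an added example of the automated control this paragraph calls for (not code from the original post), the script below loads a STIX 2.1-style indicator bundle and applies its indicators to proxy log lines. The bundle, the log lines, the UUIDs, the .example domains and the TEST-NET addresses are all constructed placeholders; only the simple STIX pattern form `[object:property = 'value']`, optionally joined with OR, is handled.

```python
import json
import re

# Constructed STIX 2.1-style bundle with two indicators (placeholder UUIDs,
# reserved .example domains and TEST-NET addresses; not real intelligence).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2015-04-24T00:00:00.000Z",
            "modified": "2015-04-24T00:00:00.000Z",
            "name": "Ransomware payment portal (constructed)",
            "pattern": "[domain-name:value = 'pay.malicious.example']",
            "pattern_type": "stix",
            "valid_from": "2015-04-24T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2015-04-24T00:00:00.000Z",
            "modified": "2015-04-24T00:00:00.000Z",
            "name": "Exploit kit landing hosts (constructed)",
            "pattern": "[domain-name:value = 'cdn.ek-landing.example'] "
                       "OR [ipv4-addr:value = '198.51.100.23']",
            "pattern_type": "stix",
            "valid_from": "2015-04-24T00:00:00Z",
        },
    ],
})

# Constructed proxy log: timestamp, client IP, destination host, destination IP,
# method, path. One line per request.
PROXY_LOG = """\
2015-04-24T09:12:01Z 10.0.0.15 www.example.org 93.184.216.34 GET /index.html
2015-04-24T09:12:07Z 10.0.0.15 pay.malicious.example 203.0.113.9 GET /decrypt?id=8812
2015-04-24T09:13:44Z 10.0.0.22 static.example.net 198.51.100.23 GET /js/loader.js
2015-04-24T09:14:02Z 10.0.0.31 cdn.ek-landing.example 203.0.113.77 GET /gate.php
"""

# One STIX comparison of the form  [object-type:property = 'value']
COMPARISON = re.compile(r"\[\s*([a-z0-9-]+):([a-z_.]+)\s*=\s*'([^']*)'\s*\]")


def parse_pattern(pattern):
    """Split a simple STIX pattern into (object_type, property, value) triples.

    Only equality comparisons joined by OR are supported. Anything else raises,
    so an indicator the matcher cannot evaluate is never silently dropped.
    """
    triples = []
    for part in re.split(r"\s+OR\s+", pattern.strip()):
        m = COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError("unsupported STIX pattern: %r" % part)
        triples.append(m.groups())
    return triples


def load_indicators(bundle_json):
    """Return [(indicator_id, name, triples)] for STIX-pattern indicators in a bundle."""
    indicators = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type") == "stix":
            indicators.append((obj["id"], obj.get("name", ""),
                               parse_pattern(obj["pattern"])))
    return indicators


def observables_from_log_line(line):
    """Map one proxy log line onto the STIX object properties it exposes."""
    ts, _client, host, dst_ip = line.split()[:4]
    return ts, {("domain-name", "value"): host, ("ipv4-addr", "value"): dst_ip}


def match_indicators(bundle_json, log_text):
    """Return [(timestamp, host, indicator_id, name)] for each log line that matches."""
    indicators = load_indicators(bundle_json)
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, observed = observables_from_log_line(line)
        for ind_id, name, triples in indicators:
            if any(observed.get((obj, prop)) == value for obj, prop, value in triples):
                hits.append((ts, observed[("domain-name", "value")], ind_id, name))
    return hits


if __name__ == "__main__":
    for ts, host, ind_id, name in match_indicators(STIX_BUNDLE, PROXY_LOG):
        print("%s %s matched %s (%s)" % (ts, host, ind_id, name))
```

The third log line is flagged through the IP-address comparison even though its hostname is clean, which is why indicators should carry every observable type the source can share.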
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visit a site that uses only HTTP, notifying them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
Tomi Engdahl says:
Counterterrorism Conference Kicks Out Intercept Journalist
https://firstlook.org/theintercept/2015/04/22/counter-terror-expo-london-banned/
“We’re not banning you, we’re just not allowing you access,”
The event, the Counter Terror Expo, is held in a large conference hall in Kensington (pictured above) on the west side of London. Hundreds of companies and government officials come together there every year to discuss the latest developments in the broad field of national security.
pass had been rejected because of a decision made by someone “higher up.”
Welcomed with open arms are the journalists who write puff pieces about the latest counterterror technology for defense industry magazines. But veer too far from that script, expose the industry to some proper scrutiny, and you can expect to be kicked out the door.
Tomi Engdahl says:
Europe Looks to Tame Web’s Economic Risks
European Union considers new regulator to oversee mainly U.S.-based Internet firms
http://www.wsj.com/article_email/eu-considers-creating-powerful-regulator-to-oversee-web-platforms-1429795918-lMyQjAxMTE1MTI1MzYyNzMwWj
The European Union could create a powerful new regulator to oversee a swath of mainly U.S.-based Internet companies, according to an internal document that lays bare the deep concerns in top EU policy circles around the economic threat posed by companies like Google Inc. and Facebook Inc.
Such a move would throw the biggest obstacle yet in the way of U.S. Internet companies operating in Europe, a number of which are already embroiled in investigations and lawsuits over issues including unfair competition and tax avoidance.
The paper warns that some online websites—such as search engines, online marketplaces and social networks—“are transforming into super-nodes that can be of systemic importance” for the rest of the economy.
Tomi Engdahl says:
Finnish cities, the authorities and the Council of State are threatened with denial of service attacks, warns the Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus. The matter is promoted by an internationally well-known hacker group.
Among other things, the websites of the cities of Turku, Pori, Tampere and Joensuu have been threatened. Similarly, the police and government services can be compromised. The preparedness plan, there is also a wider harassment case.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-24/Eduskunnan-kyberhy%C3%B6kk%C3%A4ykset-esimakua-Useita-suomalaisia-kaupunkeja-ja-viranomaisia-uhataan-3220476.html
Tomi Engdahl says:
America’s cyber-security proto-laws branded ‘surveillance in disguise’
You wait ages for a computer security bill, then two come along at once
http://www.theregister.co.uk/2015/04/23/house_of_representatives_passes_bills_for_sharing_security_info_despite_privacy_worries/
The US House of Representatives has passed not one but two computer security bills that allow companies and Uncle Sam to share information about citizens, cyber-attacks and software vulnerabilities – and removes any legal liabilities for firms doing so.
The Protecting Cyber Networks Act [PDF] (PCNA),
demands a new Cyber Threat Intelligence Integration Center – a clearing house for material that can be swapped between companies, or with the federal government.
The second bill, the National Cybersecurity Protection Advancement Act [PDF] (NCPAA) also adds legal cover, shielding companies from lawsuits if they choose to share information.
Now the two bills will be combined into one document, which has some privacy warriors worried.
“The bills are not cybersecurity ‘information sharing’ bills, but surveillance bills in disguise,” said Mark Jaycox, legislative analyst at the Electronic Frontier Foundation.
Tomi Engdahl says:
Most enterprise security programs are designed to prevent attackers from getting inside the network. This 30-year-old strategy prevails even though advanced malware regularly evades perimeter defenses. While the hope of a ‘prevention pill for all your ills’ has gone by the way of Fonzie’s waterskies, enterprise security is not a lost cause. Detection is the “new cool.”
Source: https://webinar.darkreading.com/19798?keycode=DRWE01
Tomi Engdahl says:
Massive TalkTalk data breach STILL causing customer scam tsunami
Fall-out from massive February data theft continues
http://www.theregister.co.uk/2015/04/23/fresh_wave_of_scammers_target_talktalk_customers/
A fresh wave of scammers appear to be targeting TalkTalk customers, following a massive data theft earlier this year, The Register has learned.
In February, TalkTalk admitted to suffering a major breach into its users’ sensitive information, which may have led to some customers handing over bank data to hackers.
In an email to subscribers, the company said: “We are aware of a small, but nonetheless significant, number of customers who have been directly targeted by these criminals and we have been supporting them directly.”
The budget telco said that – following an investigation – some of its subscriber information, such as names, addresses, phone and account numbers, could have been illegally accessed, with scammers quoting these details to customers.
“Possibly customers’ details have been leaked to more than one bunch of crooks,” they said. “I don’t think one set of criminals could be inept enough to try the same trick on me so many times.”
Tomi Engdahl says:
Ransomware crims drop Bitcoin faster than Google axes services
Rocky BTC only good for laundering cash, not saving and spending
http://www.theregister.co.uk/2015/04/24/ransomware_bitcoin/
RSA 2015 The falling price of Bitcoin is forcing ransomware masterminds to convert the crypto-currency as soon as they can. Rather than holding on to their ill-gotten BTC, the crims are simply laundering the ransom money as soon as possible.
“I’ve seen this discussion in underground forums among Russian criminals,” Etay Maor, senior fraud prevention strategist at IBM Security, told The Register today in San Francisco.
“They use Bitcoin for the money laundering part and take payment with it, but they’ll move it out almost immediately. Most of them won’t keep bitcoins – they don’t like the valuations Bitcoin has – so they just use it as a layer of obfuscation, and move it to a different form of money.”
Bitcoin has played a huge part in the ransomware market, where the currency is almost exclusively used. When ransomware malware infects a PC, it encrypts all the documents it can find, and will only hand over the secret decryption key once the victim pays up in BTC.
Maor said the malware operators are adept at laundering their ransoms into other online currencies or farming the job out to money mules who launder the funds through their accounts in exchange for a commission.
Such mules usually don’t know exactly what they are doing – until the police come knocking. Then they find themselves in the big house while the malware operator goes free.
Tomi Engdahl says:
Fukushima nuclear plant ordered to upgrade from Windows XP
48,000 PCs running on out-of-date operating system
http://www.theinquirer.net/inquirer/news/2405425/fukushima-nuclear-plant-ordered-to-upgrade-from-windows-xp
A JAPANESE WATCHDOG has slammed the operators of the Fukushima Daiichi nuclear power plant after an audit revealed that most of its PCs run on Microsoft’s Windows XP.
The plant’s owner might have been expected to ensure that systems are up to date and as secure as possible after the meltdown of three of the plant’s six nuclear reactors in March 2011. But apparently not.
Tokyo Electric Power Company (Tepco) has had its wrists slapped by the Board of Audit of Japan, an organisation that oversees the finances of Japan’s government and its agencies, after it discovered that about 48,000 of Tepco’s PCs were running XP. This is an outdated version of Windows that no longer receives security updates or technical support from Microsoft.
“Upgrading the operating system must be done as swiftly as possible, and the firm must not push it back, given the security risks,” said the board.
Technical support for XP ended just over a year ago, but that doesn’t mean people have stopped using it.
The latest monthly figures from Netmarketshare show that XP has a market share of 16.94 percent.
One reason for this is piracy.
XP works no matter how many times you use the same Product Key.
There are millions of users in mainland China, for example, working on pirated copies of XP. There are others who simply don’t trust newer versions of Windows.
Tomi Engdahl says:
Google Updates: Project Fi, nuked TV networks and Loch Ness monsters
It’s been a huge week for Google
http://www.theinquirer.net/inquirer/news/2405464/google-updates-project-fi-nuked-tv-networks-and-loch-ness-monsters
Google has been in the news so much this week that it’s difficult to know where to start.
So let’s talk about NPAPI plug-in and YouTube depreciation, HTTPS everywhere for adverts, Android Wear going WiFi, the switch off of several outdated log-in protocols, and Google’s Project Fi, and finish off with the Loch Ness Monster. No. Really.
Google to turn off support for NPAPI plug-ins in Chrome.
The problem is that NPAPI powers Silverlight, and Silverlight powers a number of major broadcasters including Sky Go, BT Sport, Now TV and a slew of other multimedia content and a whole bunch of proprietary software.
So was the hate for Google that ensued justified? Yes and no.
At the same time, Google also switched off the v2 API for YouTube.
Smart TVs, some as recent as 2012, have now stopped supporting YouTube
Also gone this week are several outdated methods for logging into sites. ClientLogin, OAuth 1.0, AuthSub and OpenID 2.0 are now officially no longer supported, in favour of the more modern OAuth 2.0 and OpenID Connect.
Continuing in the spirit of improved security, Google has confirmed that, as part of its commitment to the HTTPS Everywhere initiative of the Electronic Frontier Foundation, the vast majority of its advertising on YouTube is already encrypted, and that the rest of its ads from Google Display Network, AdMob and DoubleClick will be in place by 30 June.
Why is it important that adverts are encrypted? Because Google’s algorithm will start to heavily favour encrypted sites at a later date.
Which brings us to this week’s big change in Google Search: the adoption of a ‘mobile first’ strategy under which sites not deemed ‘mobile friendly’ face a big fall in the Google rankings in what is being dubbed #mobilegeddon.
Tomi Engdahl says:
Good: Companies Care About Data Privacy Bad: No Idea How To Protect It
http://it.slashdot.org/story/15/04/23/2220208/good-companies-care-about-data-privacy-bad-no-idea-how-to-protect-it
Research performed by Dimensional Research demonstrated something most of us know: Just about every business cares about data privacy, and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to ensure that private data stays private, the results are sadly predictable: While smaller companies care about data privacy just as much as big ones do, they’re ill-equipped to respond.
A Deep Dive into Data Privacy: It’s Not Just Big Companies, Folks
http://www.druva.com/blog/a-deep-dive-into-data-privacy-its-not-just-big-companies-folks/
IT is grappling with how to protect sensitive data, making the state of data privacy worrisome no matter how big or small the organization is. Smaller companies care about data privacy just as much as big ones do, but they’re ill-equipped to do much about it. Large enterprises take more measures to deal with the issue, but they aren’t that successful, either.
A recent report among IT and business professionals responsible for corporate data, sponsored by Druva, shows that 93% of respondents across company size are challenged by data privacy.
Larger organizations put more energy into protecting the privacy of sensitive data; after all, they have to contend with greater risks. A single stumble can result in major corporate embarrassment, such as millions of customer records being stolen. So we see 77% of businesses with more than 5,000 employees investing more effort into this initiative in 2015, as are 100% of companies with 1,000-5,000 employees.
Large companies have more resources, such as the opportunity to offer and enforce employee training. And indeed, when it comes to training employees on data privacy, 82% of the largest organizations do tell the people who work for them the right way to handle personally identifiable data and other sensitive information. Similarly, 71% of the businesses with 1,000-5,000 employees offer such training.
Another example of the difference in organizational behavior is security audits. It’s become commonplace, if not exactly routine, for organizations to conduct regular security audits to ensure compliance with data security standards. These are conventionally done in large organizations (in this study, 91% of the businesses with over 5,000 employees do regular security audits) though they are less frequent in smaller businesses (about half of companies with fewer than 1,000 employees have regular security audits).
On the other hand, data privacy audits are far less common. Just 54% of companies overall do data privacy audits regularly (compared to two thirds who do security audits), most commonly in the largest organizations (among the large enterprises, four in five regularly do data privacy audits… which means about 20% aren’t policing their practices). In contrast, only 28% of businesses with under 100 employees do these kind of audits.
Auditing business practices (in any context) measures how well an organization complies with the way things are supposed to be done.
Tomi Engdahl says:
Groupon Refuses To Pay Security Expert Who Found Serious XSS Site Bugs
http://news.slashdot.org/story/15/04/23/229250/groupon-refuses-to-pay-security-expert-who-found-serious-xss-site-bugs
Bounty programs benefit everyone. Companies like Microsoft get help from security experts, customers gain improved security, and those who discover and report vulnerabilities reap the rewards financially. Or at least that’s how things are supposed to work. Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to give up the cash.
Groupon refuses to pay security expert who found serious XSS site bugs
http://betanews.com/2015/04/22/groupon-refuses-to-pay-security-expert-who-found-serious-xss-site-bugs/
Having reported a series of security problems to discount and deal site Groupon, security researcher Brute Logic from XSSposed.org was expecting a pay-out — but the site refuses to stump up the cash. In all, Brute Logic reported more than 30 security issues with Groupon’s site, but the company cites its Responsible Disclosure policy as the reason for not handing over the cash.
The story starts a few days ago when Brute Logic discovered 32 XSS (cross-site scripting) issues affecting Groupon. He says they were particularly serious as they existed at the root of the site and could be easily exploited with a malicious URL. Brute Logic says that the security issue is all the more serious because Groupon stores credit card details, and it would be incredibly easy to craft a spoof Groupon-related URL to trick victims into visiting a fake site.
As a contributor to XSSposed.org Brute Logic spoke with people at the site and a reference to one of the security issues ended up being published.
Tomi Engdahl says:
https://www.xssposed.org/
10994 reported vulnerabilities, 1984 fixed vulnerabilities
9132 vulnerable websites, 1950 vulnerable VIP websites
312 security researchers, 766 notification subscribers
Launched on 18/06/14, latest submission on 24/04/15
Tomi Engdahl says:
‘Clone Zone’ Is an Easy Tool for Building Fake Websites
http://motherboard.vice.com/read/clone-zone-is-an-easy-tool-for-building-fake-websites
My feed is full of stories I don’t believe.
Scrolling through Facebook every day, I come across Onion headlines, clickbait articles, and propaganda with passably authentic mastheads shared by my friends and family, all resonating half-truths within the echo chamber of my filter bubble.
Introduce into this environment of perpetual factual ambiguity Clone Zone, a new tool that makes it easy to edit any web page on the internet. Pick your canvas of choice—it’s as simple as entering a URL. Clone Zone immediately creates an editable copy. Upload your own images, drop in your own text, and share. With Clone Zone, anyone can treat themselves to a New York Times byline or the announcement of a lucrative round of funding on TechCrunch. With this tool, the whole internet is instantly and totally customizable.
Tomi Engdahl says:
The Internet Is a Giant Lie Factory
http://motherboard.vice.com/blog/the-internet-is-a-giant-lie-factory?trk_source=recommended
Look through your Facebook feed and chances are you’ll find a bunch of half-truths, conspiracies, and chain letter–quality hoaxes sharing space with links to reputable news stories.
The problem is, you can look at the internet as a collection of random odds and ends that it is your job to curate—some of these things may be “truer” than others, but what’s really important is whether you love or hate them enough to post them to the social website of your choice. Objective truth is a myth anyway, right? There’s no reason to independently verify anything, and you don’t have time for that, since all you’re doing is clicking the “like” button and sending it into the internet. Voila, stuff like that viral fake MLK quote from two years ago is born.
Unwittingly posting some false information is forgivable, but when it happens over and over again on a large scale, it populates the internet with myths and rumors and makes it more difficult to wade through the murk in search of, for instance, what MLK actually said. And people’s inclination toward blindly sharing whatever moves them at the moment has led to viral content being created, packaged, and spread without anyone ever questioning whether that content is full of lies.
Tomi Engdahl says:
How a computer-generated 10-year-old girl caught over 1000 paedophiles all over the world
http://www.wearobo.com/2013/11/see-how-computer-generated-10-year-old.html
Now that’s a good way to catch child sex abusers. You shouldn’t ponder on where to catch these criminals, just use a computer-generated sweetie and they will come like sharks—10, 100, every hour.
A computer-generated 10-year-old girl has helped catch more than 1000 child sex abusers. The virtual girl posed in video chat rooms as a young Filipino girl.
The men, seeing how beautiful she was, irrespective of her age, offered her money to perform sexual acts like undressing herself on webcam.
However, the European Union policing agency Europol expressed reservations about Terre des Hommes’s approach. “We believe that criminal investigations using intrusive surveillance measures should be the exclusive responsibility of law enforcement agencies,” Europol spokesman Soren Pedersen said.
Tomi Engdahl says:
Magento Flaw Exploited in the Wild Within 24 Hours After Disclosure
http://www.securityweek.com/magento-flaw-exploited-wild-within-24-hours-after-disclosure
Malicious actors are attempting to hijack online shops by exploiting a recently disclosed critical vulnerability in Magento, the popular e-commerce platform owned by eBay.
According to Sucuri, the attacks, traced back to a couple of Russian IP addresses, started within 24 hours after the details of the vulnerability were published by researchers.
The security hole identified and reported by Check Point researchers in January, dubbed the “Shoplift bug,” is comprised of a chain of vulnerabilities that can be exploited by a remote attacker to execute PHP code on affected servers. The flaws are an authentication bypass (CVE-2015-1398), a SQL injection (CVE-2015-1397), and a remote file inclusion (CVE-2015-1399).
In the attacks spotted by Sucuri, the attackers are exploiting the SQL injection vulnerability to create admin accounts.
Tomi Engdahl says:
Russian Hackers Infiltrated Pentagon Network: US
http://www.securityweek.com/russian-hackers-infiltrated-pentagon-network-us
Russian hackers were able to access an unclassified Pentagon computer network earlier this year, US Secretary of Defense Ashton Carter said Thursday.
“We quickly identified the compromise and had a team of incident responders hunting down the intruders within 24 hours,” Carter said during a speech on technology and cybersecurity at Stanford University in California.
“Earlier this year, the sensors that guard DoD’s unclassified networks detected Russian hackers accessing one of our networks,” Carter said, using an acronym for the Department of Defense.
Tomi Engdahl says:
FireEye Uncovers Decade-Long Cyber Espionage Campaign Targeting South East Asia
http://www.securityweek.com/fireeye-uncovers-decade-long-cyber-espionage-campaign-targeting-south-east-asia
FireEye on Sunday uncovered details of a decade-long cyber espionage campaign carried out by China targeting governments, journalists and businesses in South East Asia and India.
Likely state sponsored by the Chinese government, FireEye said the threat actor group has been conducting cyber espionage operations since at least 2005 and is one of the first to use malware that infects air-gapped networks.
Tomi Engdahl says:
NINETY PERCENT of Java blackhats migrate to footling Flash
Patch-or-die policy makes net scum move on to softer target
http://www.theregister.co.uk/2015/04/27/ninety_percent_of_java_blackhats_now_finger_flash/
RSA 2015 Almost every Java-hacking blackhat is now popping Adobe Flash after Microsoft’s hard line patch policy made it harder to target techs such as Java.
The stricken scum now face a choice: work harder to find Java zero-day or abandon ship and start exploiting old Flash bugs.
Redmond’s security brains trust Tim Rains, Matt Miller, and David Watson say its patch wrecking ball applied only to out of date Java installations last year forced 90 percent of that platform’s hackers to move to Flash.
“2014 saw a shift from a balanced targeting of Java and Flash to over 90 percent focus on Flash,” the team told delegates to the RSA San Francisco last week.
“The drop in Java exploits corresponds to a new Internet Explorer feature which blocks the use of out-of-date Java.”
Now the battle to build Flashy hacks is heating up. Five of eight new exploits worked into exploit kits last year targeted Adobe, while three of those five were exploited within 10 days of public vulnerability disclosure.
Tomi Engdahl says:
Declassified Report From 2009 Questions Effectiveness of NSA Spying
http://news.slashdot.org/story/15/04/26/0347222/declassified-report-from-2009-questions-effectiveness-of-nsa-spying
With debate gearing up over the coming expiration of the Patriot Act surveillance law, the Obama administration on Saturday unveiled a 6-year-old report examining the once-secret program code-named Stellarwind, which collected information on Americans’ calls and emails. The report was from the inspectors general of various intelligence and law enforcement agencies.
They found that while many senior intelligence officials believe the program filled a gap by increasing access to international communications, others including FBI agents, CIA analysts and managers “had difficulty evaluating the precise contribution of the [the surveillance system] to counterterrorism efforts because it was most often viewed as one source among many available analytic and intelligence-gathering tools in these efforts.”
Declassified Report Shows Doubts About Value of N.S.A.’s Warrantless Spying
http://www.nytimes.com/2015/04/25/us/politics/value-of-nsa-warrantless-spying-is-doubted-in-declassified-reports.html?_r=0
Tomi Engdahl says:
A large payment terminal manufacturer has for more than two decades sold devices with one and the same default password.
Many merchants do not realize they should change the password because they assume it is unique to their machine. According to the researchers, nine out of ten of the investigated terminals still used the default password.
A Google search reveals the password of the devices VeriFone sold. Verifone has sold more than 27,000,000 terminals in a total of 150 countries.
Verifone admitted on Thursday that all its equipment shipped with the same password, which the company says is Z66831.
Verifone says, however, that knowledge of the password does not jeopardize customer or card information.
The company encourages its customers to change the password. New products are delivered so that they require users to change the password during the installation process.
In recent years the United States has seen large-scale data breaches carried out through POS terminals.
Partly because of these cases, banks in the United States are transitioning to chip payment cards.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-04-25/Kauppojen-27-miljoonassa-maksulaitteessa-identtinen-salasana-90-luvulta-saakka-3220561.html
Tomi Engdahl says:
“Attackers will always have the advantage as long as they have unlimited opportunities to determine which tactics are effective, while defenders struggle to understand the nature of what is confronting them,” said Chris Young, senior vice president and general manager of the Intel Security Group. “To shift the advantage from attackers to defenders, we need to dramatically re-think how we see, understand, and respond to security events, allowing defenses to adapt at least as fast as attackers adapt their tactics.”
Source: http://www.securityweek.com/intel-security-enhances-enterprise-product-portfolio
Tomi Engdahl says:
Mobile Malware Not a Big Problem in US: Damballa
http://www.securityweek.com/mobile-malware-not-big-problem-us-damballa
Research presented on Wednesday by automated breach defense solutions provider Damballa at the RSA Conference in San Francisco shows that mobile malware infection rates in the United States are low.
Damballa, which currently monitors nearly half of the mobile data traffic in the United States, conducted a test over a one-month period in the fourth quarter of 2014. The company identified roughly 150 million mobile devices that connected to over 2.7 million unique hosts.
However, researchers determined that only 0.0064 percent of these devices, representing 9,688 devices, connected to a domain on the mobile blacklist (MBL). The security firm has pointed out that there is a bigger chance of being struck by lightning (0.01 percent chance in a lifetime) than having a mobile device infected with malware.
Damballa conducted a similar study in 2012, when the company was monitoring one third of the mobile data traffic in the United States. At the time, roughly 3,500 of the 23 million devices they had identified (0.015 percent) contacted a malicious domain.
Tomi Engdahl says:
DevOps and Security Mingle at RSA Conference
http://www.securityweek.com/devops-and-security-mingle-rsa-conference
RSA Conference 2015 — “The DevOps train is coming, and security can choose to get on board or not, but DevOps isn’t going away.”
In their talk, Mortman and co-presenter Joshua Corman of Sonatype mentioned five ways DevOps can improve security. First is by instrumenting everything.
“DevOps pros love data and measuring and sharing that data is a key tenet of DevOps,” Mortman said Wednesday. “DevOps folks tend to instrument to a great degree in order to have deep insight into the state of their systems. Even seemingly trivial stats such as CPU temperature or fan speed can be indicators of compromise in the right situations. As Galileo famously said, measure all that is measurable, and that which is not, make measurable.”
Second, he advised organizations to be “mean” to their code.
“This idea has been heavily pushed by the folks at Netflix, who built a tool called Chaos Monkey, which intentionally initiates faults to help ensure that systems are resilient and stable,” he said. “By forcibly failing in controlled ways we can build better, stronger code faster.”
Reducing complexity and focusing on change management are third and fourth on his list.
“DevOps orgs tend to be extremely process oriented and leverage automation whenever possible,” he said. “As a result of the use of systems like Chef and Puppet or Jenkins these orgs have also automatically created change management/change tracking systems. This not only improves security and operations but also makes auditors happier.”
But perhaps the most important aspect of the DevOps movement is empathy, he said.
“Only by understanding and having empathy for the needs and concerns of all the players can we effectively build software,” said Mortman. “It’s time to break down silos and talk to each other like friends instead of enemies.”
Tomi Engdahl says:
Three Questions You Should Ask Security Vendors
http://www.securityweek.com/three-questions-you-should-ask-security-vendors
1. What business problem does this solve?
2. Do I have the resources to plan, design, implement and operationalize?
3. What task does this automate that my existing tools cannot do?
Tomi Engdahl says:
What Machine Learning Can Bring to IT Security
http://www.securityweek.com/what-machine-learning-can-bring-it-security
Last week, Amazon announced a new AWS service called Amazon Machine Learning, designed to “make it easy for developers of all skill levels to use machine learning (ML) technology.” The service is based on the same ML technology Amazon uses to anticipate efficiencies in supply chain management or detect fraudulent transactions, and is a counter-punch to the Microsoft Azure Machine Learning service announced last February.
Amazon’s claim is that, “The service uses powerful algorithms to create ML models by finding patterns in your existing data. Then, Amazon Machine Learning uses these models to process new data and generate predictions for your application.”
ML is something that the financial industry has utilized for decades to spot fraud. For example, many of us have had experiences when our credit card provider has contacted us to confirm the legitimacy of a recent purchase.
In IT security, we have relied heavily on static rules to detect threats based on known attack patterns. But if the steady revelation of new victims is any indication, that approach has long ago reached its limits. The recent development of the democratization of ML is an indication that it’s time to consider adding it to our security arsenal.
Not just any analytics
The most important aspect of analytics in the context of IT security today is user behavior analytics. Based on what has been reported, many of the recent and largest breaches, including Anthem and Sony Pictures, can be attributed to the theft of insider credentials, particularly those of privileged users. So understanding what behavior is normal for users and being able to identify behavior that is abnormal is a critical component of finding threats.
But in order to support user behavior analytics, we must know who our users are. Identity and Access Management (IAM) systems can supply identity context with attributes such as role, entitlements and organizational structure, to enhance the information necessary to determine risk.
Will this actually work?
It remains to be seen whether Amazon or Microsoft’s approach to ML can be applied to IT security (or IAM). While machine learning as a service (MLaaS) is the latest iteration, there are certainly other approaches, such as Apache Spark and their Spark ML library. Regardless of the approach, the time for applying machine learning to IT security has come. The financial fraud industry, who started this in the 1970s, is wondering what took us so long.
Tomi Engdahl says:
Russian Hackers Read Obama’s Unclassified Emails, Officials Say
http://www.nytimes.com/2015/04/26/us/russian-hackers-read-obamas-unclassified-emails-officials-say.html
Some of President Obama’s email correspondence was swept up by Russian hackers last year in a breach of the White House’s unclassified computer system that was far more intrusive and worrisome than has been publicly acknowledged, according to senior American officials briefed on the investigation.
The hackers, who also got deeply into the State Department’s unclassified system, do not appear to have penetrated closely guarded servers that control the message traffic from Mr. Obama’s BlackBerry, which he or an aide carries constantly.
Tomi Engdahl says:
Critical HTTPS bug may open 25,000 iOS apps to eavesdropping attacks
Just when you thought it was safe to use AFNetworking apps, a new threat emerges.
http://arstechnica.com/security/2015/04/24/critical-https-bug-may-open-25000-ios-apps-to-eavesdropping-attacks/
At least 25,000 iOS apps available in Apple’s App Store contain a critical vulnerability that may completely cripple HTTPS protections designed to prevent man-in-the-middle attacks that steal or modify sensitive data, security researchers warned.
“The result is an attacker with any valid certificate can eavesdrop on or modify an SSL session initiated by an app with this flawed library,” Nate Lawson, the founder of security analytics startup SourceDNA, told Ars. “The flaw is that the domain name is not checked in the cert, even though the cert is checked to be sure it was issued by a valid CA. For example, I can pretend to be ‘microsoft.com’ just by presenting a valid cert for ‘sourcedna.com.’”
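The missing check Lawson describes, as an added example that is not AFNetworking’s or SourceDNA’s code: a small Python model of TLS certificate verification, using certificate dicts shaped like the output of Python’s ssl.SSLSocket.getpeercert(). The trust store and certificates below are constructed for illustration. flawed_verify reproduces the bug, accepting any certificate chained to a trusted CA regardless of the name inside it; strict_verify adds the RFC 6125 name check that every TLS client must perform before trusting a peer.

```python
"""Why a valid certificate for one site must not authenticate another.

Constructed example. The dicts below mimic the shape returned by Python's
ssl.SSLSocket.getpeercert(); none of them is a real certificate, and
TRUSTED_ISSUERS stands in for a real CA trust store.
"""
import ipaddress

TRUSTED_ISSUERS = {"Example Public CA"}  # constructed trust anchor names


def _rdn_values(rdn_sequence, key):
    """Pull every value for `key` (e.g. commonName) out of a subject/issuer."""
    return [value for rdn in rdn_sequence for k, value in rdn if k == key]


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the host we meant to reach.

    RFC 6125 rules that matter in practice: compare case-insensitively, and
    honour a wildcard only as the whole leftmost label, so "*.example.com"
    matches "a.example.com" but neither "a.b.example.com" nor "example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # reject partial ("f*o.") and multi-level wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if `cert` names `hostname`.

    subjectAltName is authoritative; the subject commonName is consulted only
    when the certificate carries no SAN at all. IP literals must appear as
    'IP Address' SAN entries and are compared as addresses, not strings.
    """
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    names = [value for kind, value in san if kind == "DNS"]
    if not names:
        names = _rdn_values(cert.get("subject", ()), "commonName")
    return any(_dns_match(name, hostname) for name in names)


def chain_is_trusted(cert: dict) -> bool:
    """Stand-in for path validation: is the issuer one of our trust anchors?"""
    return any(cn in TRUSTED_ISSUERS for cn in _rdn_values(cert["issuer"], "commonName"))


def flawed_verify(cert: dict, hostname: str) -> bool:
    """The bug in the quoted report: chain checked, hostname never compared."""
    return chain_is_trusted(cert)


def strict_verify(cert: dict, hostname: str) -> bool:
    """What a TLS client must do: valid chain AND the name binds to this host."""
    return chain_is_trusted(cert) and hostname_matches(cert, hostname)


# Constructed: a perfectly valid certificate for sourcedna.com, presented by a
# man-in-the-middle to a client that believes it is talking to microsoft.com.
ATTACKER_CERT = {
    "subject": ((("commonName", "sourcedna.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "sourcedna.com"), ("DNS", "*.sourcedna.com")),
}

if __name__ == "__main__":
    for verify in (flawed_verify, strict_verify):
        print(f"{verify.__name__}: cert for sourcedna.com accepted for microsoft.com?",
              verify(ATTACKER_CERT, "microsoft.com"))
```

In real client code the equivalent is leaving hostname checking on (Python’s ssl.create_default_context() sets check_hostname=True; on iOS, not overriding the pinning/validation callbacks to skip the domain check). Chain validation answers “did a CA vouch for someone?”; only the name check answers “is that someone the server I dialled?”.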
Tomi Engdahl says:
8 Views of Security from RSA
Internet of Things lacks root of trust
http://www.eetimes.com/document.asp?doc_id=1326422&
The Internet of Things, along with everything else, is insecure. The U.S. government wants to help with that and other security problems — if you still trust them.
Those were two of several messages from the annual RSA Conference here.
“We have a long way to go in IoT security just to bring designs up to the not-yet-adequate state of PC security,” Steve Hanna, co-chair of the IoT committee at the Trusted Computing Group (TCG), an industry alliance setting security standards for nearly a decade.
Hanna was one of a handful of experts who gave a half-day seminar at RSA. They demoed ways cost-constrained embedded systems could adapt the group’s approach to providing a hardware-backed root of trust, something well established in x86-based PCs and servers.
“Without hardware security, IoT devices are as vulnerable as PCs were 15-20 years ago, perhaps more so because they only use software security and it’s rarely updated, so it’s pretty easy to attack and control a device,” said Stacy Cannady, the other IoT committee co-chair and a security expert at Cisco Systems.
Other experts such as Adi Shamir, the ‘A’ in the RSA algorithm, agreed. He noted the recent phenomenon of ransomware in which remote hackers lock up someone’s device and demand a ransom to fix it.
“Think about your smart TV being ‘ransomwared’ and you have to pay someone in Moldova to get your service back,” Shamir said. “We failed in a particularly miserable way because there is no good security program to protect from ransomware…and it’s a very serious problem. Police in Maine had to pay $300 to get police computers released from scam artists,” he added.
To help lock down commercial IoT devices, the TCG is writing profiles of its specs for specific classes of IoT devices. It already released a profile for car engine controllers. TCG’s embedded and mobile working groups are expected to publish profiles of their own later this year.
Tomi Engdahl says:
Surveillance cameras play increased role for Boston Marathon security
http://www.vision-systems.com/articles/2015/04/surveillance-cameras-play-increased-role-for-boston-marathon-security.html?cmpid=EnlVSDApril272015
This morning, as more than one million estimated spectators and approximately 30,000 runners gather for the 119th annual Boston Marathon, 100 some-odd HD surveillance cameras have reportedly been put in place as an additional measure of security.
In NPR photos, HD PTZ camera from DVTEL are shown perched over street corners. While the specific model isn’t mentioned, the article does say that the cameras installed feature 30x zoom capabilities, which indicates that the camera could possibly be the Quasar CP-4221-301 PTZ from DVTEL, which features a 1/2.8” progressive scan CMOS image sensor, focal lengths from 4.3 to 129 mm, and streams broadcast quality H.264 video.
With all of these cameras around town, police can remotely monitor feeds from and control the cameras. The cameras have also been programmed to react to sound—automatically turning toward the sound of gunshots, adding an extra measure of safety.
Tomi Engdahl says:
Hackers can hit airplane navigation systems (video)
https://www.youtube.com/watch?v=dK7U6uPDsVI
Tomi Engdahl says:
Rail signal upgrade ‘could be hacked to cause crashes’
http://www.bbc.com/news/technology-32402481
A hi-tech signalling system that will eventually control all of Britain’s trains could potentially be hacked to cause a serious crash, according to a scientist who advises the government.
Prof David Stupples told the BBC that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks.
UK tests of the European Rail Traffic Management System are under way.
Network Rail, which is in charge of the upgrade, acknowledges the threat.
“We know that the risk [of a cyber-attack] will increase as we continue to roll out digital technology across the network,” a spokesman told the BBC.
“We work closely with government, the security services, our partners and suppliers in the rail industry and external cybersecurity specialists to understand the threat to our systems and make sure we have the right controls in place.”
Once the ERTMS is up and running, computers will dictate critical safety information including how fast the trains should go and how long they will take to stop.
“Certain ministers know this is absolutely possible and they are worried about it. Safeguards are going in, in secret, but it’s always possible to get around them.”
“The weakness is getting malware into the system by employees. Either because they are dissatisfied or being bribed or coerced,” he explained.
Independent security expert Graham Cluley agreed that the sector could be vulnerable.
“Seeing as we have seen nuclear enrichment facilities targeted with state-sponsored malware attacks and ‘massive damage’ done to a German steelworks, you have to ask yourself whether it is likely that a train signal system would be any better defended?” he asked.
“The most obvious danger is going to be human.”
Tomi Engdahl says:
Tesla Twitter account and website hijacked, Elon Musk pwned
Schizophrenic crims send Tesla claim calls to home of allegedly unconnected individual
http://www.theregister.co.uk/2015/04/27/tesla_hijack/
The website and Twitter account of carmaker Tesla were hacked over the weekend, as part of what looks like a prank between rival hackers.
BREAKING: Elon Musk, Tesla Motors’ Twitter Account, Website Hacked in Embarrassing Security Breach
https://transportevolved.com/2015/04/25/breaking-tesla-motors-twitter-account-website-hacked-in-embarassing-security-breach/
In this instance, it appears that the hack originated by someone hacking into a load balancer used by Tesla to redirect traffic to its website, modifying the main DNS records to point somewhere else.
Instead of sending your computer to Tesla’s real site, the hackers told the load balancing system to look elsewhere instead. Namely, the supposed hacked site. Tesla’s original website is still there… you just can’t get to it.
That technique was also used to redirect Tesla’s emails elsewhere by modifying something called an MX record. MX records are DNS records that are used to direct emails to the correct recipient.
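One control that would have caught the redirection described above, as an added example that is not Tesla’s code or anything from the quoted articles: compare a freshly resolved snapshot of a zone’s A, MX and NS records against a verified baseline and escalate any change that moves web traffic or mail out of infrastructure you control. The zone name, record values and the netblock below are constructed; in practice the observed snapshot would come from a scheduled resolver query (dnspython, or `dig +short` from several vantage points).

```python
"""Detect hijacked DNS records by diffing a live snapshot against a baseline.

Constructed example: the zone "shop.example", its records and the netblock
203.0.113.0/24 (a documentation range) are made up for illustration.
Each snapshot maps record type -> owner name -> set of record data strings.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" or "info"
    rtype: str
    name: str
    added: tuple
    removed: tuple


def _in_own_space(ip: str, own_nets) -> bool:
    """Is this A-record target inside an address range we operate?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in own_nets)


def diff_zone(baseline: dict, observed: dict, own_nets) -> list:
    """Compare observed records with the baseline and rate each change.

    - Any MX or NS change is critical: it reroutes mail or delegates the zone.
    - An A record that disappears or now points outside our netblocks is
      critical; an A change that stays inside our netblocks is informational
      (a routine re-IP), which keeps the alert channel quiet for normal work.
    """
    findings = []
    for rtype, names in baseline.items():
        for name, expected in names.items():
            actual = observed.get(rtype, {}).get(name, set())
            added, removed = actual - expected, expected - actual
            if not added and not removed:
                continue
            if rtype == "A":
                foreign = [ip for ip in added if not _in_own_space(ip, own_nets)]
                severity = "critical" if foreign or not actual else "info"
            else:
                severity = "critical"
            findings.append(Finding(severity, rtype, name,
                                    tuple(sorted(added)), tuple(sorted(removed))))
    return findings


# Constructed baseline captured when the zone was last known-good.
BASELINE = {
    "A":  {"shop.example": {"203.0.113.10"}},
    "MX": {"shop.example": {"10 mx1.shop.example.", "20 mx2.shop.example."}},
    "NS": {"shop.example": {"ns1.shop.example.", "ns2.shop.example."}},
}
OWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed hostile snapshot modelled on the incident quoted above:
# the web address and the mail exchanger both point somewhere else.
HIJACKED = {
    "A":  {"shop.example": {"198.51.100.77"}},
    "MX": {"shop.example": {"10 mail.attacker.example."}},
    "NS": {"shop.example": {"ns1.shop.example.", "ns2.shop.example."}},
}

if __name__ == "__main__":
    for f in diff_zone(BASELINE, HIJACKED, OWN_NETS):
        print(f"[{f.severity.upper()}] {f.rtype} {f.name}: "
              f"added={list(f.added)} removed={list(f.removed)}")
```

Run it from outside the organisation’s own resolvers as well: if the hijack happened at a load balancer or registrar rather than in your authoritative zone file, the internal view may still look clean while the public one does not.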
Tomi Engdahl says:
US hospitals to treat medical device malware with AC power probes
‘WattsUpDoc’ is a stethoscope that detects viruses in sealed-box medicomputers
http://www.theregister.co.uk/2015/04/27/us_hospitals_to_treat_medical_device_malware_with_ac_power_probes/
Two large US hospitals will in the next few months begin using a system that can detect malware infections on medical equipment by monitoring AC power consumption.
The unnamed hospitals will be the first in a list to test the add-on monitoring platform dubbed WattsUpDoc to check for potentially life-threatening malware running on critical medical devices.
PhDs Benjamin Ransford and Denis Foo Kune developed the platform which uses the “traditionally undesirable” power consumption side channel to detect malware with the accuracy of desktop anti-virus at run-time without the need to modify the hardware or software of systems.
The duo first revealed WattsUpDoc in a 2013 paper WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices [PDF] and have since formed the commercial outfit Virta Labs.
They say the need to secure embedded systems without modifying code is critical for sectors such as healthcare which cannot due to risk or regulation easily patch ”zombie” machinery.
“We are thinking about those machines that are really hard to patch, really hard to upgrade, and really hard to get inside.”
“We turned side-channel analysis on its head … traditionally it is used to disclose secrets but in this case we want to spy on malware instead of people.”
Ransford and Kune cannot yet name the hospitals which are trialling the platform as a beta in the second quarter this year, but told El Reg they have built a machine-learning feed for security information and event management (SIEM) systems and upgraded the WattsUpDoc hardware.
“We’ve productised our research in two ways; designing a new hardware that puts the technology on a single board, and building a cloud-based machine-learning infrastructure that processes the information flowing in from our hardware and integrates with SIEMs,” Ransford says.
In tests the platform detected known and unknown malware with at least 94 percent and 85 percent accuracy respectively over different embedded devices, which was about the same rate as PC-based anti-virus.
Challenges to monitoring malware over AC include the wide variation in power consumption in modern computers – OS X regulates power consumption between keystrokes – and carving through noise for the hypothetical centralised monitoring of multiple machines.
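The detection idea behind WattsUpDoc, reduced to an added toy example that is not Virta Labs’ code or method: learn what a device’s power draw looks like while it is known-clean, then flag windows whose summary features fall far outside that baseline. The traces below are synthesised (an idle draw plus occasional legitimate work spikes; the “infected” trace adds a persistent extra load), the features are three simple per-window statistics, and the alert threshold is derived from the clean training windows themselves rather than tuned by hand. The noise problem the article closes on is exactly what the baseline step absorbs: each device is compared with its own normal, not with a global profile.

```python
"""Toy power side-channel anomaly detector over synthesised AC draw traces.

Constructed example: no real device was measured. A trace is a list of power
samples in watts; a window is one fixed-length slice of that trace.
"""
import random
import statistics


def window_features(window):
    """Three cheap summary statistics of one window of power samples.

    mean: average draw; std: how much it fluctuates; burst: share of samples
    more than one standard deviation above the mean (bursty extra activity).
    """
    mean = statistics.fmean(window)
    std = statistics.pstdev(window)
    burst = sum(1 for w in window if w > mean + std) / len(window)
    return (mean, std, burst)


class PowerBaseline:
    """One-class detector: z-score each feature against clean-device windows."""

    def __init__(self, clean_windows, margin=1.25):
        feats = [window_features(w) for w in clean_windows]
        cols = list(zip(*feats))
        self.mu = [statistics.fmean(c) for c in cols]
        # Floor the spread so a near-constant feature cannot divide by zero.
        self.sigma = [max(statistics.pstdev(c), 1e-9) for c in cols]
        # Alert threshold: the worst clean training window plus a margin, so
        # nothing the device did while known-good can trip the alarm.
        self.threshold = max(self.score(w) for w in clean_windows) * margin

    def score(self, window):
        """Largest absolute z-score across the features (0 = perfectly normal)."""
        return max(abs(f - m) / s
                   for f, m, s in zip(window_features(window), self.mu, self.sigma))

    def is_anomalous(self, window):
        return self.score(window) > self.threshold


def synth_trace(rng, n, idle=12.0, jitter=0.3, duty=0.2, load=1.5):
    """Constructed device draw: idle watts, measurement noise, and work spikes
    of `load` watts that occur with probability `duty` per sample."""
    return [idle + rng.gauss(0.0, jitter) + (load if rng.random() < duty else 0.0)
            for _ in range(n)]


WINDOW = 200


def make_windows(rng, count, **kw):
    return [synth_trace(rng, WINDOW, **kw) for _ in range(count)]


# Constructed training data: the device observed while known-clean.
CLEAN_WINDOWS = make_windows(random.Random(1), 40)
# Constructed "infected" behaviour: a resident process keeps the CPU and radio
# busier, raising both the floor and the duty cycle of the draw.
INFECTED_WINDOW = synth_trace(random.Random(2), WINDOW, idle=13.5, duty=0.6)

if __name__ == "__main__":
    detector = PowerBaseline(CLEAN_WINDOWS)
    fresh_clean = synth_trace(random.Random(3), WINDOW)
    for label, w in (("clean", fresh_clean), ("infected", INFECTED_WINDOW)):
        print(f"{label}: score={detector.score(w):.1f} "
              f"threshold={detector.threshold:.1f} anomalous={detector.is_anomalous(w)}")
```

The design choice worth copying is the threshold: it is set from the spread of the device’s own clean windows, so a machine that is noisy by nature gets a wider envelope instead of a stream of false alarms, and a quiet one gets a tight envelope. A production system would add frequency-domain features and re-baseline after every firmware update, since a legitimate update changes the power signature just as malware does.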
Tomi Engdahl says:
App makers, you’re STILL doing security wrong
Microsoftie Troy Hunt unpicks privacy invasion and unencrypted passwords
http://www.theregister.co.uk/2015/04/26/app_makers_youre_still_doing_security_wrong/
Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn’t impressed: even PayPal is still addicted to invasive habits, he says.
“Whilst this is but a very small selection here, the problems were found very quickly and are extremely worrying.”
Tomi Engdahl says:
Location Is Your Most Critical Data, and Everyone’s Watching
http://www.wired.com/2015/04/location/
A few years ago, one foolproof way of saving the battery on your phone was to turn off GPS. You didn’t really need it. At most, it was an added convenience in a few apps.
But it’s time to turn GPS back on. Your location has become one of the best things about your phone, your smartwatch, and every other connected device you carry. Our tech is learning to adapt to us, nestling into every aspect of our lives so it is more responsive, more useful, and more intuitive. This is awesome, and it’s happening because of three things: location, location, location.
Your phone’s ability to pinpoint your exact location and use that info to deliver services—a meal, a ride, a tip, a coupon—is reason for excitement. But this world of always-on GPS raises questions about what happens to our data. How much privacy are we willing to surrender? What can these services learn about our activities? What keeps detailed maps of our lives from being sold to the highest bidder? These have been issues as long as we’ve had cellphones, but they are more pressing than ever.
Tomi Engdahl says:
You Should Google Everyone, Even Your Therapist
http://www.wired.com/2015/04/google-everyone-even-therapist/
So I Googled him. I found his Facebook page
That’s how I got comfortable.
A couple of weeks ago, Anna Fels wrote for the New York Times about patients Googling their therapists.
Knowing about your doctor’s personal life can affect the experience of therapy. She also acknowledged it happens in the other direction, too: ER nurses, for instance, are Googling their patients to find out if they’re criminals, or if they’re famous, or just if they’re anything interesting at all.
“The experience of evaluating a patient with fresh eyes and no prior assumptions may, for better and for worse, disappear,” Fels wrote.
I know that overGoogling can pose a problem for lots of people: Job seekers are legally entitled to a discrimination-free application process, for instance. And juries, too
We are. Still, I Google every single person I meet.
Tomi Engdahl says:
Google, Facebook help families, friends locate loved ones
http://timesofindia.indiatimes.com/tech/tech-news/Google-Facebook-help-families-friends-locate-loved-ones/articleshow/47057691.cms
NEW DELHI: At a time when Nepal and parts of India have been convulsed by a devastating earthquake, modern web technology is turning out to be a boon as distressed family members are able to locate their loved ones.
Social networking website Facebook, and Google’s Person Finder have helped locate the whereabouts of those stranded in quake-hit areas.
For instance, members of one Himmatramka family residing in Birgunj in Nepal marked themselves safe on Facebook. “Our relatives back in India were worried about our safety. So, we marked ourselves safe to inform them,” said Nitesh Himmatramka.
People from parts of West Bengal and Uttar Pradesh have also used this app mentioning that they are safe.
Facebook’s safety tool, ‘Safety App’, is being used to find those in the affected areas. Launched last October, the app is used to generate alerts to Facebook friends of those trapped in the affected areas who, in turn, confirm that they are safe.
“Safety Check is our way of helping our community during natural disasters and gives you an easy and simple way to say you’re safe and check on all your friends and family in one place,” Facebook’s founder Mark Zuckerberg had said in a post.
Tomi Engdahl says:
When Time is of the Essence, Threat Intelligence is Too
http://www.securityweek.com/when-time-essence-threat-intelligence-too
Attackers are expanding their tactics, users are unknowingly aiding attacks, and breaches are now the new normal. Remaining undetected for longer periods of time, attacks are more difficult to stop. During that time, sensitive customer information and intellectual property is compromised, putting a company’s reputation, resources, and value at risk. How quickly defenders can detect and respond to a breach can mean the difference between a nuisance and a nightmare. To deal with this evolving threat landscape, over the last few years there has been a shift from traditional event-driven security and response programs to an approach enabled by intelligence.
In a world where data exfiltration can take only minutes but discovery can take months or even years, reducing time to detection (TTD) and time to resolution (TTR) are now measures of security effectiveness. Threat intelligence is critical to accelerate security and response programs, but it must have the following attributes:
Tactical: Reliably and consistently collect the right intelligence from the right and trusted sources, manage and correlate that data, learn what adversaries are doing, and take action
Contextual: Indicators are not considered to be atomic elements, such as IPs, and need to be defined as a collection of elements that requires context to be applied to it. This context can be based on region, vertical or historical distribution, and can work in concert with Indicators of Compromise (IoCs), feeds or other enrichment.
Automated: Automated intelligence creation allows organizations the ability to seamlessly consume atomic and contextual threat content for the creation of actionable and specific intelligence. You shouldn’t have to press a button to retrieve it; threat intelligence should continuously feed into your environment to ensure its effectiveness.
Tomi Engdahl says:
What’s Your Security Maturity Level?
http://krebsonsecurity.com/2015/04/whats-your-security-maturity-level/
Not long ago, I was working on a speech and found myself trying to come up with a phrase that encapsulates the difference between organizations that really make cybersecurity a part of their culture and those that merely pay it lip service and do the bare minimum (think ‘15 pieces of flair‘). When the phrase “security maturity” came to mind, I thought for sure I’d conceived of an original idea and catchy phrase.
Very often, experience is the best teacher here: Data breaches have a funny way of forcing organizations — kicking and screaming — from one vertical column to another in the Security Maturity matrix. Much depends on whether the security professionals in the breached organization have a plan (ideally, in advance of the breach) and the clout for capitalizing on the brief post-breach executive attention on security to ask for changes and resources that can assist the organization in learning from its mistakes and growing.
Tomi Engdahl says:
“We felt a traditional path was a sure path to failure…so we brought in PhDs and Harvard math experts”
“There are differences, but we also need to challenge our fundamental assumptions,” Young said.
For example, he suggested organizations should stop chasing down 98% of their security alerts. Instead they should trust their security products and go on the offensive.
“Take your most talented people, think like an attacker and hunt for the 2% of threats you should really care about,” Young said. “That requires a different mindset,” he said.
Source: http://www.eetimes.com/document.asp?doc_id=1326422&page_number=4
Tomi Engdahl says:
Feds: 6 died as a result of overdosing from Silk Road-purchased drugs
Defense: despite new gov’t allegations, site actually implemented harm reduction.
http://arstechnica.com/tech-policy/2015/04/25/feds-6-died-as-a-result-of-overdosing-from-silk-road-purchased-drugs/
The head attorney for Silk Road founder and convicted felon Ross Ulbricht has asked the judge that his upcoming sentencing hearing be postponed, according to a Friday court filing.
Why does this lawyer, Joshua Dratel, want the date to be pushed back? Because, he argues, the defense needs adequate time to review the government’s latest revelation that six people died as a result of overdosing on drugs they purchased on Silk Road.
Tomi Engdahl says:
Ransomware crims drop Bitcoin faster than Google axes services
Rocky BTC only good for laundering cash, not saving and spending
http://www.theregister.co.uk/2015/04/24/ransomware_bitcoin/
RSA 2015 The falling price of Bitcoin is forcing ransomware masterminds to convert the crypto-currency as soon as they can. Rather than holding on to their ill-gotten BTC, the crims are simply laundering the ransom money as soon as possible.
“I’ve seen this discussion in underground forums among Russian criminals,” Etay Maor, senior fraud prevention strategist at IBM Security, told The Register today in San Francisco.
“They use Bitcoin for the money laundering part and take payment with it, but they’ll move it out almost immediately. Most of them won’t keep bitcoins – they don’t like the valuations Bitcoin has – so they just use it as a layer of obfuscation, and move it to a different form of money.”
Bitcoin has played a huge part in the ransomware market, where the currency is almost exclusively used.
There’s still no sign that the ransomware fad is going away any time soon. Far too many people are willing to pay up to have their data decrypted; for the crims, this is so much easier than the arduous process of stealing money from others through identity theft.
Tomi Engdahl says:
RAIN RFID tag leverages cryptographic security
http://www.edn.com/electronics-products/other/4439237/RAIN-RFID-tag-leverages-cryptographic-security
NXP Semiconductors’ UCODE DNA is one of the first UHF RAIN RFID tags to combine long-range read performance with cryptographic authentication, giving developers contactless performance and security in a single IC. The tag IC can be used in a wide variety of applications, such as electronic road tolling, electronic vehicle registration, license plate authentication, access control, asset tracking, brand protection, and special service offerings at large-scale venues.
Cryptographic authentication provides dynamic security with each transmission being different from the one before, minimizing the ability for data to be emulated. The UCODE DNA delivers ISO/IEC 29167-10 standardized cryptographic security using a 128-bit key based on AES (advanced encryption standard) algorithms. It is also compliant with the GS1 EPC Gen 2 V2 air interface standard, which supports cryptographic authentication in RFID systems operating in the UHF range (860 MHz to 960 MHz).
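The "each transmission different from the one before" property comes from a challenge-response exchange: the reader sends a fresh random nonce and the tag answers with that nonce encrypted under its AES-128 key, so a captured answer is useless against the next challenge. The following is an added illustration in Go (not NXP's code, and not the ISO/IEC 29167-10 message format; the Tag type, key and function names are constructed for the example):

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Tag models the tag IC holding a provisioned 128-bit AES key (hypothetical type, not NXP's API).
type Tag struct{ Key []byte }

// NewChallenge returns a fresh 16-byte nonce; a new one per authentication is what makes every exchange differ.
func NewChallenge() ([]byte, error) {
	c := make([]byte, aes.BlockSize)
	_, err := rand.Read(c)
	return c, err
}

// Respond is the tag side: encrypt the reader's challenge under the tag key (one AES-128 block).
func (t Tag) Respond(challenge []byte) ([]byte, error) {
	if len(challenge) != aes.BlockSize {
		return nil, fmt.Errorf("challenge must be %d bytes", aes.BlockSize)
	}
	block, err := aes.NewCipher(t.Key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	resp := make([]byte, aes.BlockSize)
	block.Encrypt(resp, challenge)
	return resp, nil
}

// Verify is the reader side: recompute the expected response with the key on file for this tag and
// compare in constant time; a replayed response or one from a tag holding another key fails here.
func Verify(key, challenge, response []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil || len(challenge) != aes.BlockSize || len(response) != aes.BlockSize {
		return false
	}
	expected := make([]byte, aes.BlockSize)
	block.Encrypt(expected, challenge)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	key := []byte("0123456789abcdef") // constructed key shared by the reader and the genuine tag
	c, _ := NewChallenge()
	r, _ := Tag{Key: key}.Respond(c)
	fmt.Println("genuine tag accepted:", Verify(key, c, r))
}
```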
Tomi Engdahl says:
Internet Privacy Is The Wrong Conversation
http://techcrunch.com/2015/04/26/internet-privacy-is-the-wrong-conversation/
On April 2, the Wall Street Journal reported that Facebook is in hot water with government regulators in six European countries over its practice of tracking users’ movements across the web to sell targeted advertising. The kerfuffle illustrates the bind that the world finds itself in over tracking — the collection and sharing of data on users’ browsing habits to help sites offer personalized content such as ads or recommendations.
On one hand, tracking has become a backbone of the Internet’s advertising ecosystem and is understood by most Internet users to be a necessary evil in exchange for a richer, more convenient online experience. (Do people really want to fill out purchasing forms on Amazon.com every time they order a book?)
On the other hand, cookies and other tracking mechanisms continue to raise hot-button issues about privacy as companies get ever-more creative and aggressive in their tactics and find ways to defeat a growing raft of anti-tracking technologies.
People will never achieve true privacy and anonymity online.
Tomi Engdahl says:
Russell Brandom / The Verge:
China’s Great Firewall has been replacing Facebook Connect’s Javascript module with redirection code since Sunday, seemingly for DDoS purposes
Facebook’s login system is being hijacked by China’s Great Firewall
http://www.theverge.com/2015/4/28/8508117/facebook-connect-great-firewall-great-cannon-censorship
For the last three days, China’s Great Firewall has been intercepting the Javascript module from Facebook Login, which allows third-party sites to authorize users through Facebook infrastructure.
First reported on Sunday, the attack causes sites using Facebook Login to redirect to a third-party page for many web users in China. “This behavior is occurring locally and beyond the reach of our servers,” a Facebook spokesperson told The Verge. “We are investigating the situation.”
Because the code is intercepted within China’s national telecom infrastructure, only users located in China (and accessing the web without a VPN) will be affected. The attack can also be avoided by disabling Javascript, since the inserted code runs as a Javascript applet.
It’s not the first time China has performed this kind of traffic interception. In March, a similar redirection was used to perform a denial-of-service attack on GitHub, apparently in retaliation for dissident content posted through the service. Since the new code is injected as content passes through China’s national web filters, there’s little doubt that the Chinese government is responsible for the attacks.
It’s difficult to say why Facebook Login is being targeted, since the net effect for most users is simply to redirect the browser to an unrelated homepage. Facebook itself is officially blocked in China, although the block has been relaxed in recent years.
Tomi Engdahl says:
The rise and fall of Silk Road
http://www.wired.com/2015/04/silk-road-1/
Tomi Engdahl says:
Bodyprint could let you unlock your phone with your ear print
http://www.cnet.com/news/bodyprint-could-let-you-unlock-your-phone-with-your-ear-print/
An experimental system uses a smartphone’s capacitive screen as a low-res sensor keyed to the user’s body prints.
You may one day be able to unlock your smartphone by holding it against your ear instead of your finger.
That is the goal of Bodyprint, an authentication system created by Yahoo Labs that turns a smartphone’s capacitive touchscreen into a biometric scanner. But because the scanning device is much larger than a fingerprint scanner, the system allows smartphone owners to unlock their handsets using body parts other than their fingerprint — such as their ear when answering a call.
“While the input resolution of a touchscreen is about 6 dpi, the surface area is larger, allowing the touch sensor to scan users’ body parts, such as ears, fingers, fists, and palms by pressing them against the display,” the Yahoo Labs team wrote on the project’s web page.
From email to texts, phonebook entries, and pictures, your phone has lots of personal information that’s potentially accessible to prying eyes. Passcodes are effective but sometimes tedious. Fingerprint scanners are a convenient way to secure handsets, but they are pricey and often limited to high-end handsets, noted the Yahoo team, which was led by Christian Holz.
“Bodyprint compensates for the low input resolution with an increased false rejection rate, but does not compromise on authentication precision,”
The results were precise: “Scanning users’ ears for identification, Bodyprint achieves 99.8 percent authentication precision with a false-rejection rate of 1 out of 13, thereby bringing reliable biometric user authentication to a vast number of commodity devices.”
Bodyprint: Biometric User Identification on Mobile Devices Using the Capacitive Touchscreen to Scan Body Parts
http://www.christianholz.net/bodyprint.html