Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They can come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming in constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures that society relies on, including electric grids and oil and gas pipelines.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The technologies underlying the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority, backed by big names on the internet including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle operation that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
US Security Chief Warns of ‘New Phase’ in Terror Threat
http://www.securityweek.com/us-security-chief-warns-new-phase-terror-threat
The global terrorist threat has entered a “new phase,” where media-savvy Islamist extremists are successfully drawing lone wolf attackers to their cause, the US secretary of Homeland Security warned Sunday.
“We’re very definitely in a new environment, because of ISIL’s (IS’s) effective use of social media, the Internet, which has the ability to reach into the homeland and possibly inspire others,” Johnson said.
“We’re very definitely in a new phase in the global terrorist threat, where the so-called lone wolf could strike at any moment.”
The US military bolstered security at bases across the country Friday.
“Because of the use of the Internet, we could have little or no notice in advance of an independent actor attempting to strike. And so that’s why law enforcement at the local level needs to be ever more vigilant and we are constantly reminding them to do that,”
Tomi Engdahl says:
MacKeeper Patches Serious Remote Code Execution Flaw
http://www.securityweek.com/mackeeper-patches-serious-remote-code-execution-flaw
The developers of MacKeeper, the controversial utility software suite for OS X, have patched a critical vulnerability that could have been exploited to remotely execute arbitrary code on affected systems.
Tomi Engdahl says:
CareerBuilder Attack Sends Malware-Rigged Resumes To Businesses
Sponsored by Dark Reading
https://registrations.darkreading.com/DR_0511?_mc=EM_DR_WP_NF_051115&cid=EM_DR_WP_NF_051115
Some cyberattacks involve sophisticated malware and meticulous planning to pull off, while others, just a lot of smarts. Email security firm Proofpoint reported one attack Thursday that falls into the latter category: they describe it as a “clever email-based attack” involving the use of phishing and social engineering techniques to sneak malware into several businesses.
Tomi Engdahl says:
Widespread Windows XP Use Remains Among Businesses Despite End-of-Life: Survey
http://www.securityweek.com/widespread-windows-xp-use-remains-among-businesses-despite-end-life-survey
Windows 10 may be on the way, but many organizations are still stuck deep in the past when it comes to using versions of Microsoft’s flagship operating system.
According to a survey from Bit9 + Carbon Black, many enterprises in the U.K. and the U.S. are still running Windows XP, which reached its end-of-life last year. The survey, which fielded responses from 500 medium and large businesses in those countries, found that 34 percent are still using a combination of Windows XP and Windows Server 2003. Another 10 percent continue to use Windows XP exclusively, bringing the total percentage of organizations in the survey using XP to 44 percent.
“More than a year after the end-of-support deadline for XP, the fact that 44 percent of companies surveyed are still using it is startling,” said Chris Strand, PCIP, senior director of compliance and governance for Bit9 + Carbon Black, in a statement. “Companies that have been running Windows XP without compensating controls—such as application control combined with continuous monitoring solutions—have been exposed to a host of possible exploits that may have allowed hackers to take advantage of the vulnerabilities associated with the unsupported machines. These vulnerabilities could lead to the compromise of companies’ critical infrastructure and loss of essential information—including customers’ personal data.”
“Although patching for XP and 2003 end-of-life will be rare, companies should still do the normal blocking and tackling, like proper network segmentation and patching applications that run on top of the OS,”
Tomi Engdahl says:
Sometimes, Perception is Just as Important as Reality
http://www.securityweek.com/sometimes-perception-just-important-reality
In the world of security, there is often a significant difference between perceived reality and what is actually happening. On a near daily basis we are inundated with stories about cyberattacks, and most people have no problem rattling off a list of companies that were compromised in the past year. However, it would be significantly more difficult for them to recall exactly how these organizations and their customers were impacted by these breaches.
That means even if a breach doesn’t directly cost your organization a ton of money or expose customers’ sensitive information, it can still create significant problems. You can’t expect the general public to dig into the story or process the details like a security expert.
After hackers claiming allegiance to the Islamic State took control of the U.S. military’s Central Command social media accounts, we received countless questions about whether we suspected sensitive information had been exposed, if U.S. soldiers and civilians were in danger, etc. Of course, there’s a significant difference between a massive data breach and a case of cyber-vandalism.
But many people will not make that distinction. A breach, no matter how insignificant, will simply register as a “breach.” And even for those who do understand the nuances of a breach, a minor slip up can rightfully cause concern that security best practices aren’t being followed in other (and perhaps more critical) areas.
A more high-level example of this line of thinking can be seen in the recent case of the White House fence jumper. Fortunately the attack was not successful, but significant damage was done to the Secret Service’s reputation. The incident rightly caused the public to doubt their capabilities.
So, what does this mean for you?
It means that the public’s perception of security within your organization can be just as important as reality, and it’s your job to manage that perception.
If a breach does occur, by being forthcoming with information and doing everything in your power to help those who were affected, you can hopefully repair some of the damage on a reputational level. Anthem is a great example of this. They came clean about their breach right away, and they discovered and reported it themselves. They didn’t wait for someone else to find it for them. This went a long way in restoring their credibility.
I’d be willing to bet Anthem had a solid incident response plan – being clear and forthcoming at the time of a breach is a lot easier if you’ve prepared for such an event. Who’s responsible for communicating with the media, customers, employees, and stockholders? Who’s going to handle your forensics and security investigation?
These aren’t issues you want to start fumbling through at the time of a crisis. If you haven’t already, establish your internal incident response team. It should include communications, legal, security, and the executive team, plus a few others depending on the nature of your business.
Infosec professionals are often analytical by nature, and it can be easy to get bogged down in the technical details, but it’s a mistake to ignore the human side of security.
Tomi Engdahl says:
Pro-ISIS Hackers Compromise U.S. CENTCOM Twitter, YouTube Accounts
http://www.securityweek.com/pro-isis-hackers-compromise-us-centcom-twitter-youtube-accounts
Hackers supporting Islamic State jihadists briefly took control of the Twitter and YouTube accounts of the U.S. Central Command (CENTCOM), the Department of Defense confirmed Monday.
In the attack, hackers replaced the main banner for CENTCOM’s Twitter account with an image of a masked fighter along with the words “CyberCaliphate” and “I love you ISIS”.
Tomi Engdahl says:
Fortune 100 Firms Challenged by Social Media Compliance Violations: Study
http://www.securityweek.com/fortune-100-firms-challenged-social-media-compliance-violations-study
A new report from Proofpoint’s Nexgate research team found that many Fortune 100 companies are not doing a good job of policing compliance violations tied to their social media accounts.
The report, entitled the ‘State of Social Media Infrastructure, Part II’, outlines how Fortune 100 social media pages are failing to keep up with the pace of social communication while following various federal regulations. The study is based on research conducted over a 12-month period between July 2013 and June 2014 that focused on the social media presence of Fortune 100 companies.
“The average firm suffered from a total of 69 unmoderated compliance incidents during our 12 month research window,” according to the report.
The challenge facing these organizations can be significant. According to the report, the average Fortune 100 firm has more than 320 branded social media accounts as well as thousands of followers and employees potentially interacting in discussions on social media such as Facebook, Twitter and LinkedIn.
“FINRA [Financial Industry Regulatory Authority] financial service and FDA [U.S. Food and Drug Administration] healthcare regulations are examples of standards with specific provisions covering Commenter postings,” the report explains. “These requirements require much larger scale compliance operations than regulations applied only to Brand posts.”
Tomi Engdahl says:
Crispin Cowan / Microsoft Edge Dev Blog:
Microsoft Edge will not support VML, VB Script, Toolbars, BHOs, or ActiveX to improve security
Microsoft Edge: Building a safer browser
http://blogs.windows.com/msedgedev/2015/05/11/microsoft-edge-building-a-safer-browser/
Web Security Threats
While the web is predominantly a safe environment, some sites are designed to steal money and personal information. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking:
Trickery: in real life, a “con man” will use tricks to take advantage of a victim, e.g. “got two 10s for a 5?” On the web, attackers will try to fool victims using things like “phishing” attacks that convince a user to enter their banking password into a web site that looks like their bank, but isn’t.
Hacking: in real life, a mugger might assault you and take your money, or a burglar might break into your home and steal your valuables. On the web, attackers present a victim’s browser with malformed content intended to exploit subtle flaws in your browser, or in various extensions your browser uses, such as video decoders. This lets the attacker run their code on the victim’s computer, taking over first their browsing session, and perhaps ultimately the entire computer.
These are threats faced by every browser. Let’s explore how Microsoft Edge addresses these threats and is helping make the web a safer experience.
Web Standards
As we announced recently, Microsoft Edge hosts a new rendering engine, Microsoft EdgeHTML. This engine is focused on modern web standards, allowing web developers to build and maintain one consistent site that supports all modern browsers. This greatly simplifies the hard work of building first class web sites, allowing more time and energy for web developers to focus on reliability and security rather than the complexities of interoperability.
Microsoft EdgeHTML helps in defending against “con man” attacks using new security features in the W3C and IETF standards:
Support for the W3C standard for Content Security Policy helping developers everywhere defend their sites from XSS (Cross-Site Scripting) attacks in a cross-browser manner.
Support for HTTP Strict Transport Security helping ensure that connections to important sites, like your Bank, are always secured.
So to make browsers safer against attacks, and just more reliable, it is important to create an extension model that is safer, by sharing less state between the browser itself and the extensions. Thus Microsoft Edge provides no support for VML, VB Script, Toolbars, BHOs, or ActiveX. The need for such extensions is significantly reduced by the rich capabilities of HTML5, and using HTML5 results in sites that are interoperable across browsers.
To enable extensibility beyond what is provided by HTML5, we are working on plans for a modern, HTML/JS-based extension model
Microsoft Edge is an App
The largest change in Microsoft Edge security is that the new browser is a Universal Windows app. This fundamentally changes the process model, so that both the outer manager process, and the assorted content processes, all live within app container sandboxes. This provides the user and the platform with the confidence provided by other Windows store apps.
App Container Sandbox by Default
Microsoft Edge is rebooting our browser extension model, allowing it to run its content processes in app containers, not just as a default, but all the time. Thus every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows.
Microsoft Edge is also 64-bit, not just by default, but at all times when running on a 64-bit processor.
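The CSP and HSTS support described in the Edge post (and the push towards HTTPS everywhere discussed earlier on this page) only helps when a site actually sends those headers with sound values. As an added example, not code from the Microsoft Edge blog or from this site, the Python below parses both headers from a response header map and flags the weak settings the passages above warn about; the sample header values are constructed.

```python
"""Audit of the two headers the Edge post singles out: HSTS and CSP.

Added example, not code from the Microsoft Edge blog or from this site.
The response header maps below are constructed for illustration.
"""

# Script sources that leave a script-src (or the default-src fallback)
# ineffective against injected scripts.
WEAK_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
ONE_YEAR = 365 * 24 * 3600  # commonly recommended minimum HSTS max-age, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security value. Directive names are
    case-insensitive; max-age is mandatory (without it the header is ignored)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings for one response's headers (names are
    case-insensitive). An empty list means both headers are present and sound."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: the browser may still start with plain HTTP next time")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None:
            findings.append("HSTS invalid: no max-age directive, browsers ignore the header")
        elif p["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {p['max_age']} is below one year")
        if not p["include_subdomains"]:
            findings.append("HSTS lacks includeSubDomains: subdomains remain downgradable")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: no browser-side XSS mitigation")
    else:
        policy = parse_csp(csp)
        # script-src governs scripts; default-src is the fallback when it is absent.
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            findings.append("CSP sets neither script-src nor default-src: scripts are unrestricted")
        else:
            weak = sorted(set(script) & WEAK_SCRIPT_SOURCES)
            if weak:
                findings.append("CSP script sources weaken XSS protection: " + " ".join(weak))
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or ["no findings"])
```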
Tomi Engdahl says:
Cheers Ireland! That sorts our Safe Harbour issues out – Dropbox
Irish data protection is now for life, not just St Patrick’s day
http://www.theregister.co.uk/2015/05/12/cheers_ireland_that_sorts_out_our_safe_harbour_concerns_nicely_sez_dropbox/
Following Twitter’s lead, Dropbox will treat Africans, Asians and Australians as Europeans from June 1.
The file transfer site has updated its privacy rules so that all accounts outside North America will be managed by Dropbox Ireland.
This means that stricter European data protection laws will apply, rather than US rules.
The timing of the move is significant, as sources told El Reg that the company is getting ready for European courts to pull the plug on the so-called Safe Harbour agreement between the EU and the US.
The European Parliament has repeatedly called for the Safe Harbour deal to be suspended, arguing that the voluntary register does not sufficiently protect Europeans’ data privacy rights.
Tomi Engdahl says:
9 things you can hire a hacker to do and how much it will (generally) cost
http://uk.businessinsider.com/9-things-you-can-hire-a-hacker-to-do-and-how-much-it-will-generally-cost-2015-5?op=1?r=US
The underbelly of the web is vast and scary. Knowing the right search terms can lead down a rabbit hole of illicit offerings.
While it’s well-known that the dark web offers black market marketplaces for things like drugs and firearms, so too are there places where hackers offer up their skills for a fee.
Hacking a generic website: As much as $2,000
A tool to hack Facebook accounts: $19.99 for 3 months
Yelp reviews: $3 – $350
Hacking lessons: $20
Gmail account access: $90
Facebook account access: $350
Hilton HHonors Points: $15
Netflix passwords: $1.25
Crypting services: $8
Tomi Engdahl says:
Hire the RIGHT hacker.
https://hackerslist.com/
Hiring a hacker shouldn’t be a difficult process, we believe that finding a trustworthy professional hacker for hire should be a worry free and painless experience. At Hacker’s List we want to provide you with the best opportunity to find your ideal hacker and for professional hackers around the world to find you.
Tomi Engdahl says:
Electronic Frontier Foundation:
EFF pulls support for USA Freedom Act after court ruling that the Patriot Act’s Section 215 does not authorize mass collection of telephone metadata
ACLU v. Clapper and the Congress: How The Second Circuit’s Decision Affects the Legislative Landscape
https://www.eff.org/deeplinks/2015/05/aclu-v-clapper-and-congress-how-second-circuits-decision-affects-legislative
The U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper has determined that the NSA’s telephone records program went far beyond what Congress authorized when it passed Section 215 of the Patriot Act in 2001.
EFF filed amicus briefs in this case in both the district and circuit courts, and we congratulate our colleagues at the ACLU on this significant victory.
Tomi Engdahl says:
Potential car buyers are already afraid of car hacking:
Drivers Not Ready to Let Cars Take Over, Says Poll
http://www.eetimes.com/document.asp?doc_id=1326584&
Do car owners have confidence in algorithms and control units that eventually could take over the command over their vehicles? A recent study reveals deep-seated concerns.
A poll that the German subsidiary of IT consulting company CSC recently conducted among a representative cross section of the population in Germany, Austria and Switzerland showed that though car drivers acknowledge that the digitization of the car offers some benefits, their confidence in this technology is not really unlimited.
Almost 70 percent of the respondents said they were afraid of malicious hackers taking over the car.
Almost the same percentage said they simply don’t trust enough into the technology to leave the responsibility for driving to the machine.
Two thirds expressed doubts that in the case of an accident the liability issues could be settled to their disadvantage.
Nevertheless, there was also a strong majority expecting that automated driving would improve traffic safety.
Tomi Engdahl says:
NFC Tags Get Much Needed Security Upgrade
NFC Forum beefs up security on its tags as IoT apps proliferate
http://www.eetimes.com/document.asp?doc_id=1326579&
The NFC Forum, which manages and promotes the Near Field Communications protocol, has just come up with a major update of its Signature Record Type Definition (SRTD) 2.0 spec for securing NFC transactions. It comes none too soon, with companies introducing a flood of applications related to cell phones as well as a variety of IoT use cases.
According to NFC Forum estimates derived from shipment numbers its members reported, there are in excess of 500 million NFC-enabled smartphones in the global marketplace. And according to market research collected by Strategy Analytics, the number of NFC-enabled devices will grow sharply as an increasing number of manufacturers integrate NFC technology into devices in the home and in commercial buildings, where many will use already widely available smart phones as the means to access such devices.
Then, too, there is the use of NFC in wearable Internet of Things (IoT) applications, where its transmission range of about four inches (10 centimeters) makes NFC ideal for a variety of near-body network apps where such devices need to pass information back and forth and coordinate activities.
The barrier to widespread application is that NFC has had to overcome the lack of adequate security for its various transaction modalities.
In Version 1.0 of the SRTD spec, the mechanisms used for guaranteeing the security of messages using the NFC Data Exchange Format (NDEF) were based on techniques similar to those used in most web browsers, where code signing techniques for securing a transaction are tied to internally created digital certificates, causing a host of security problems.
According to Tony Rosati, NFC Forum Security Technical Working Group Chair, in the original specification signed NDEF records were used to prevent malicious use of NFC tags. So when a smartphone user taps NFC tags containing URLs, there was some protection against such things as phishing attacks that directed users to unsafe network locations. Theoretically, signing the NDEF record protected the integrity of the contents and allowed the user to identify the signer if they wish.
However, the signature RTD mechanisms incorporated into the original specification contained vulnerabilities that permitted the content of signed NDEF records to be manipulated.
According to Rosati, many of these concerns have been dealt with successfully in the Forum’s new Signature Record Type Definition RTD 2.0 spec. In the new version, the signing certificate mechanisms have been beefed up to prevent malicious use of NFC tags. This is done through the use of protected NDEF records that are assigned a certificate obtained from third party Certificate Authorities.
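The signing-and-verification discipline described above, as an added Go example that is not from the article or from the NFC Forum's specification: a constructed program builds a minimal NDEF URI record, signs the complete record bytes with ECDSA under a certificate issued by a constructed root CA, and shows what a reader does on tap, rejecting both a rewritten record carrying the old signature and a record signed under a self-signed ("internally created") certificate that chains to no trusted root. The record layout follows the NDEF short-record format; the SRTD 2.0 signature record encoding, its hash and certificate-chain fields are not reproduced here, and the P-256 curve, the CA and issuer names, and the example URIs are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs; this constructed demo panics rather than handle errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// encodeURIRecord builds one short NDEF URI record: header 0xD1 = MB|ME|SR with TNF=1
// (NFC Forum well-known type), type "U", first payload byte = URI prefix code (0x04 = "https://").
func encodeURIRecord(prefixCode byte, uri string) []byte {
	payload := append([]byte{prefixCode}, []byte(uri)...)
	return append([]byte{0xD1, 0x01, byte(len(payload)), 'U'}, payload...)
}

// template prepares a certificate template (constructed test PKI, not a real issuer).
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// newCert issues a certificate for pub signed by parentKey; parent == tmpl gives a self-signed one.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// signRecord signs the SHA-256 digest of the whole record (header and type included, not
// just the payload), so no field can be swapped without the signature failing.
func signRecord(rec []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(rec)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}

// verifyRecord is the reader's check on tap: chain the signer certificate to a trusted
// root, then verify the signature over the record exactly as presented.
func verifyRecord(rec, sig []byte, signer *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("untrusted signer: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("signer key is not ECDSA")
	}
	h := sha256.Sum256(rec)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not match record")
	}
	return nil
}

// runDemo reports whether the reader accepts: the genuine record; the old signature on a
// rewritten record; the record signed under a self-signed certificate with no trusted root.
func runDemo() (genuine, tampered, selfSigned bool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := template(1, "Constructed NFC Root CA", true)
	ca := newCert(rootTmpl, rootTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	tagKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := newCert(template(2, "Constructed Tag Issuer", false), ca, &tagKey.PublicKey, caKey)
	rec := encodeURIRecord(0x04, "example.com/menu") // https://example.com/menu
	sig := signRecord(rec, tagKey)
	genuine = verifyRecord(rec, sig, signer, roots) == nil
	rewritten := encodeURIRecord(0x04, "example.org/menu") // content changed, old signature reused
	tampered = verifyRecord(rewritten, sig, signer, roots) == nil
	rogueKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rogueTmpl := template(3, "Constructed Self-Signed Issuer", true)
	rogue := newCert(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey)
	selfSigned = verifyRecord(rec, signRecord(rec, rogueKey), rogue, roots) == nil
	return
}

func main() {
	g, t, s := runDemo()
	fmt.Println("genuine:", g, "tampered:", t, "self-signed:", s)
}
```

The two checks in verifyRecord are the ones the article contrasts: the chain check is what a third-party CA adds over a certificate the signer minted itself, and signing the complete record rather than a single field is what keeps a signed record from being quietly reused with altered content.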
Tomi Engdahl says:
Maritime Cybersecurity Firm: 37% of Microsoft Servers On Ships Are Vulnerable
http://it.slashdot.org/story/15/05/04/227217/maritime-cybersecurity-firm-37-of-microsoft-servers-on-ships-are-vulnerable
Tomi Engdahl says:
Metasploit maker Rapid7 gobbles web app security testing firm
Firm hopes you’ll squirt some of its sealant gunge into leaky apps
http://www.theregister.co.uk/2015/05/05/rapid7_buys_web_app_security_firm_nto/
Metasploit firm Rapid7 has snapped up web and mobile application security testing company NT OBJECTives (NTO). Financial terms of the deal, announced Monday, were undisclosed.
Rapid7 has folded NTO’s application security testing product, renamed as Rapid7 AppSpider, into its security data and analytics platform to give customers a better handle on web application security risk. The acquired technology – delivered either via software or in the cloud – bundles automated attack simulation and scanning, among other features.
Tomi Engdahl says:
Maritime cybersecurity firm: 37% of Microsoft servers on ships vulnerable to hacking
http://www.networkworld.com/article/2917856/microsoft-subnet/maritime-cybersecurity-firm-37-of-microsoft-servers-not-patched-vulnerable-to-hacking.html
Tomi Engdahl says:
Adobe updated its PDF readers and Flash Player
Adobe has released updates APSB15-09 and APSB15-09. The updates repair vulnerabilities classified as critical in Adobe Flash Player, AIR, Acrobat and Reader software.
Most of the vulnerabilities are related to memory handling errors. These vulnerabilities could allow malicious program code to be executed on the target system with the user's rights by persuading the user to open a specially crafted file. Some of the vulnerabilities may lead to bypassing of various protections or to an application crash.
Source: https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2015/haavoittuvuus-2015-042.html
Tomi Engdahl says:
Another cloud leaks data:
Photo Printing Website Artisan State Allows Access To All User-Uploaded Photos
http://it.slashdot.org/story/15/05/12/2115251/photo-printing-website-artisan-state-allows-access-to-all-user-uploaded-photos
Popular photo printing website Artisan State, which specializes in bound photo books mostly for weddings or other events, unintentionally makes all its uploaded user photos available publicly for download. This case study shows how their photos are able to be downloaded and discusses the things vendors should think about when considering security of seemingly private user content.
All Artisan State User-Uploaded Photos are Publicly Accessible
http://privacylog.blogspot.fi/2015/05/all-artisan-state-user-uploaded-photos.html
Artisan State is a photo printing service that specializes in flush mount books and other photo books. They are managed from San Francisco with fulfillment in Hong Kong and Houston and manufacturing in Shanghai.
I always report these issues to the vendor. And it should go without saying. But responsible disclosure is a hot topic on Slashdot, so we’ll expand on this. I provided the details and offered to help fix all their issues. Also, it was clear I intended to publish this — a date was set for 2 months, which is today. The customer support person said they would forward this to engineering and engineering would follow up with me.
Since my emails are falling on deaf ears and because the (very generous) embargo period has passed, I am posting this live exploit publicly on the internet. Other people have probably already found these items and others.
Ethics, responsible disclosure, privacy… the books are still being written on what the right thing to do is.
There are many attack vectors on this website.
Here is the URL of one of my photos
If you are not logged in as me then you have no business accessing that photo. But alas… you can. There is nothing special about that URL, in fact you can access every photo this way.
It is not hard to figure out how to edit this command to download all photos. Please don’t.
Based on how many photos are on Artisan State and the fact that they use Amazon S3, it will cost them about $80 each time you run the edited command.
The solution to this vector is to either add entropy to each url or authenticate on each image load. Of course there is even a possible solution where the thumbnailing server above does not need to access the database, the files do not need to be renamed, htaccess or cookies are not needed, and security can still be reasonably assured.
Does hearing this story change your perspective of the vendor? And would you change your mind about placing an order with them?
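The two fixes named above (entropy in each URL, or authenticating on every image load), as an added Go example that is not from the post or from the vendor: a constructed ownership table stands in for the site's database, the object keys, account names and secret are made up, and the HMAC-SHA256 signed link is one common way of giving a stateless thumbnail server something it can check without a database lookup.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Constructed sample data: which account owns which stored object (the real site's
// object keys and accounts are not known here).
var photoOwner = map[string]string{
	"2015/05/wedding-001.jpg": "alice",
	"2015/05/wedding-002.jpg": "alice",
	"2015/05/party-017.jpg":   "bob",
}

// Fix 1: authenticate on each image load. The session user must own the object;
// unknown and foreign objects get the same answer, so the check reveals nothing.
func authorizePhotoLoad(sessionUser, photoKey string) error {
	owner, ok := photoOwner[photoKey]
	if sessionUser == "" || !ok || owner != sessionUser {
		return errors.New("not found")
	}
	return nil
}

// Fix 2: add entropy to each URL. sign computes an HMAC-SHA256 over the object key and
// expiry; a stateless thumbnail server can check it with only the shared secret, so
// an edited or enumerated path is refused before the database or S3 is touched.
func sign(secret []byte, photoKey, exp string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(photoKey + "\n" + exp))
	return hex.EncodeToString(m.Sum(nil))
}

// mintSignedURL is what the page listing a user's photos hands out, after the
// ordinary session check has confirmed the user owns photoKey.
func mintSignedURL(secret []byte, photoKey string, expires time.Time) string {
	exp := strconv.FormatInt(expires.Unix(), 10)
	q := url.Values{"exp": {exp}, "sig": {sign(secret, photoKey, exp)}}
	return "/photo/" + photoKey + "?" + q.Encode()
}

// checkSignedURL returns the object key a valid, unexpired link refers to.
func checkSignedURL(secret []byte, rawURL string, now time.Time) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil || !strings.HasPrefix(u.Path, "/photo/") {
		return "", errors.New("malformed link")
	}
	photoKey := strings.TrimPrefix(u.Path, "/photo/")
	exp := u.Query().Get("exp")
	expUnix, err := strconv.ParseInt(exp, 10, 64)
	if err != nil || now.Unix() > expUnix {
		return "", errors.New("link expired")
	}
	// hmac.Equal compares in constant time, so response timing does not leak the right tag.
	if !hmac.Equal([]byte(sign(secret, photoKey, exp)), []byte(u.Query().Get("sig"))) {
		return "", errors.New("bad signature")
	}
	return photoKey, nil
}

func main() {
	secret := []byte("constructed-demo-secret-keep-out-of-source-control")
	now := time.Date(2015, 5, 12, 12, 0, 0, 0, time.UTC)
	link := mintSignedURL(secret, "2015/05/wedding-001.jpg", now.Add(15*time.Minute))
	fmt.Println("link:", link)
	_, err := checkSignedURL(secret, link, now)
	fmt.Println("genuine link:", err)
	_, err = checkSignedURL(secret, strings.Replace(link, "wedding-001", "wedding-002", 1), now)
	fmt.Println("edited link:", err)
	_, err = checkSignedURL(secret, link, now.Add(time.Hour))
	fmt.Println("stale link:", err)
	fmt.Println("bob loading alice's photo:", authorizePhotoLoad("bob", "2015/05/wedding-001.jpg"))
}
```

A signed link is a bearer token: keep its lifetime short, rotate the secret, and still log denials, because a burst of bad-signature requests from one client is exactly the bulk download the post describes, and it costs nothing in S3 egress once it is refused at the edge.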
Tomi Engdahl says:
Beware the Ticking Internet of Things Security Time Bomb
http://it.slashdot.org/story/15/05/12/1942234/beware-the-ticking-internet-of-things-security-time-bomb
A panel of security experts, including from IBM, LogMeIn and formerly RSA, warn that IoT security is a growing threat because device makers haven’t baked in security. IT security staffs are already inundated with safeguarding internal infrastructure and cloud-based resources, so guarding against a slew of new threats is likely to be overwhelming.
Beware the ticking Internet of Things security time bomb
http://www.networkworld.com/article/2921004/internet-of-things/beware-the-ticking-internet-of-things-security-time-bomb.html
Debate focuses on moving full-speed ahead with IoT vs. pausing to build in security first
Taneja responded that technology is advancing at a rate that’s outstripping enterprises’ ability to secure internal and cloud resources, and then along comes IoT in the form of all sorts of networked sensors and gadgets. “Organizations aren’t spending that much on security. It’s increasing, but it’s not enough and IoT only makes it worse,” he said. “So it is a time bomb.”
Money will start being spent on IoT security once serious breaches occur, said Taneja, who sold security company Aveska to EMC in 2013.
Srinivasan, VP and head of products for Xively Internet of Things at LogMeIn, said that a big difference between the emergence of IoT and cloud computing is that lines of business were the main catalysts for the cloud whereas OEMs of physical products (say light bulbs) have taken the lead on IoT. “Most of them barely have IT staff,” said Srinivasan, whose company offers remote access and support via a SaaS model.
The perceived information security risk of installing a non-networked light bulb is basically zero, but “the minute you connect it, there are so many things you have to think about… Most OEMs spent decades building those products and honestly don’t have that much software savvy.” Coming up with cost efficient security will be a challenge, but he said it should be worth it to the OEMs since they stand to transform service and sales enablement. He cited Michelin’s strategy to sell “tires as a service,” using embedded technology to detect wear, under-inflation, etc.
IDC’s Mehra says the key to IoT security will be baking security in to IoT devices or at least integrating it as a service from a partner company (IDC sees the number of IoT devices – including those that process data and don’t — exploding from 9 billion in 2014 to 30 billion by 2020). Otherwise, IoT vendors “run massive risk of their business plans falling apart,” he says.
Even if IoT device makers are thinking about security now, a problem is that no one really understands yet what’s needed security-wise, Taneja said. Issues such as data ownership, when it comes to wearables, are up in the air. “As a security industry we haven’t come up with models to deal with this,” he said.
After all, there are companies out there looking to monetize data from him and others, without giving him a cut. “It’s almost like credit bureaus buying and selling info about you, and the only one who doesn’t know anything about you is you,”
Tomi Engdahl says:
‘Venom’ Security Vulnerability Threatens Most Datacenters
http://it.slashdot.org/story/15/05/13/1251208/venom-security-vulnerability-threatens-most-datacenters
An anonymous reader sends a report about a new vulnerability found in open source virtualization software QEMU, which is run on hardware in datacenters around the world (CVE-2015-3456). “The cause is a widely-ignored, legacy virtual floppy disk controller that, if sent specially crafted code, can crash the entire hypervisor. That can allow a hacker to break out of their own virtual machine to access other machines — including those owned by other people or companies.” The vulnerable code is used in Xen, KVM, and VirtualBox, while VMware, Hyper-V, and Bochs are unaffected.
Bigger than Heartbleed, ‘Venom’ security vulnerability threatens most datacenters
http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/
Summary: Security researchers say the zero-day flaw affects “millions” of machines in datacenters around the world.
VENOM
Virtualized Environment Neglected Operations Manipulation
http://venom.crowdstrike.com/
VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host. Absent mitigation, this VM escape could open access to the host system and all other VMs running on that host, potentially giving adversaries significant elevated access to the host’s local network and adjacent systems.
Tomi Engdahl says:
Jamie Oliver’s website hacked again, drops password stealer
https://blog.malwarebytes.org/exploits-2/2015/05/jamie-olivers-website-hacked-again-drops-password-stealer/
The website of popular British Chef Jamie Oliver is still having issues and potentially infecting visitors looking for a recipe or other material on JamieOliver.com.
We already reported the site serving malware twice at least, once in February and then March. On both of these occasions the main site was directly affected and redirecting to the Fiesta exploit kit.
This time is no different and browsing any page will trigger a malicious redirection chain to the aforementioned exploit kit:
Malwarebytes Anti-Exploit users were automatically protected from this attack and subsequent malware drops (password stealers).
http://www.malwarebytes.org/antiexploit/?utm_source=blog&utm_medium=social
Tomi Engdahl says:
Infosec bods demo GPU keylogger. Don’t tell the NS – oh, wait
Threat relies on in-transit interception of hardware
http://www.theregister.co.uk/2015/05/13/graphics_card_malware_gpu_keylogger/
Security researchers have demonstrated how malicious code can be run on graphics processors (GPUs) rather than the central processing unit (CPUs) at the heart of a computer.
Team Jellyfish’s Demon keylogger proof-of-concept code operates in a blind spot that conventional security software is simply not designed to inspect.
The nasty – which runs on AMD and NVIDIA graphics cards – would be capable of capturing keystrokes and passwords before storing them in GPU memory. The associated Jellyfish rootkit is capable of spying on CPU host memory via direct memory access (DMA).
Both strains of the nasty work on Linux systems, but doing something similar on Windows or Mac machines would appear to present difficulties. Even on Linux machines neither of the nasties is ready for malicious misuse, fortunately. Team Jellyfish said it’s working on a proof-of-concept remote access tool (RAT) for Windows computers.
Graphics cards are already widely used for number crunching applications such as password cracking and Bitcoin mining. The possibility that malware authors might be able to hook into this power is bad news, because it could allow the bad guys to more easily run more complex polymorphic and encryption routines, aside from the more general risk of even more stealthy malware.
“It is easy, in this post-Snowden world, to imagine a scenario where a state-sponsored attacker might have the means and ability to either meddle with the supply chain of a graphics card manufacturer to embed malware, or to poison legitimate hardware as it is en route from a supplier to a particular organisation,” writes security veteran Graham Cluley in a post on patch management firm Lumension’s blog.
Tomi Engdahl says:
Don’t look now: Fujitsu ships new mobe with EYEBALL-scanning security
Because passwords are just so passé
http://www.theregister.co.uk/2015/05/13/fujitsu_thinks_fingerprints_are_pass_new_smartphone_scans_your_eyes/
The Fujitsu Arrows NX F-04G, first displayed at Mobile World Congress earlier this year, comes with the usual accoutrements you’d expect in a smartphone. It has a 5.2-inch 1440-by-2560 resolution touchscreen, an eight-core Snapdragon 810 processor, NFC, and the Android 5.0 operating system.
But unlike most handsets, the Arrows NX F-04G’s front-facing camera doubles as a biometric iris scanner to replace passwords for operating the phone and its apps. The software closes in on the irises, matches them to the version stored internally, and then grants access (or not).
Given the system, the camera specification on the phone seems a touch odd. The handset has a 21-megapixel camera on the back, but the iris-scanning front camera is a paltry two megapixels, which suggests either the iris-scanning software is very good or someone at Fujitsu economized a little too much.
Iris scanning has been around for a while and in controlled circumstances can be very useful. But attempts to introduce it on a commercial level have proven fraught with difficulties.
Although “everybody” in the mobile phone biz is said to be looking into iris scanning as an authentication option – including Samsung, for example – Fujitsu appears to be the first to actually bring a device to market.
Tomi Engdahl says:
Forget silly privacy worries – help biometrics firms make MILLIONS
Beancounter reckons dabs-scanning tech is the next big moneypit
http://www.theregister.co.uk/2014/09/10/forget_about_privacy_and_well_all_make_beeelions/
Tech firms are set to experience a biometric bonanza – as long as they can persuade ordinary folk to give up worrying about their privacy.
That’s the claim in a briefing note from “growth consulting firm” Frost & Sullivan, which suggested the number of smartphones equipped with biometric gubbins will soar from 43 million to 471 million by 2017.
This, according to the beancounters, means the biometric revenue from smart phones will increase from $53.6m in 2313 to $396.2m in 2019, amounting to an annual growth rate of 39.6 per cent.
“Due to existing hardware capabilities across devices, most of the growth is expected from facial and voice authentication technologies,” said Frost & Sullivan ICT Global Programme Director Jean-Noël Georges.
Tomi Engdahl says:
Flight company starts bug bounty program:
United Airlines bug bounty program
http://www.united.com/web/en-US/content/contact/bugbounty.aspx
A bug bounty program permits independent researchers to discover and report issues that affect the confidentiality, integrity and/or availability of customer or company information and rewards them for being the first to discover a bug.
Tomi Engdahl says:
Has Your Cyber Security Program Jumped The Shark?
https://webinar.darkreading.com/19798?keycode=DRWE04
Most enterprise security programs are designed to prevent attackers from getting inside the network. This 30-year-old strategy prevails even though advanced malware regularly evades perimeter defenses. While the hope of a ‘prevention pill for all your ills’ has gone by the way of Fonzie’s waterskies, enterprise security is not a lost cause. Detection is the “new cool.”
At the end of this webinar you will understand how to:
Rate your current tools’ effectiveness versus advanced threats
Recognize the difference between preventing attacks and detecting infections
Take a forward-thinking approach to stopping data theft after compromise occurs
Shift your Tier 2 & Tier 3 security teams from chasing alerts to solving long-term security challenges
Tomi Engdahl says:
Kim Zetter / Wired:
United Airlines offers hackers up to 1M mileage points to find vulnerabilities in its sites, apps, and online portals, but excludes testing of inflight systems
United Will Reward People Who Flag Security Flaws—Sort Of
http://www.wired.com/2015/05/united-will-reward-people-flag-security-flawssort/
United Airlines announced this week that it’s launching a bug bounty program inviting researchers to report bugs in its websites, apps and online portals.
The announcement comes weeks after the airline kicked a security researcher off of one of its flights for tweeting about vulnerabilities in the Wi-Fi and entertainment networks of certain models of United planes made by Boeing and Airbus.
It’s believed to be the first bounty program offered by an airline. But curiously, United’s announcement doesn’t invite researchers to submit the most crucial vulnerabilities researchers could find—those discovered in onboard computer networks, such as the Wi-Fi and entertainment systems. In fact, the bounty program specifically excludes “bugs on onboard Wi-Fi, entertainment systems or avionics” and United notes that “[a]ny testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi” could result in a criminal investigation.
Tomi Engdahl says:
This Little 3-D Printed Robot Cracks Combination Locks in 30 Seconds
http://www.wired.com/2015/05/little-3-d-printed-robot-cracks-combination-locks-30-seconds/
Careful what you leave in your lockers, high school students and gym-goers. An invasion of 3-D printed robots may be coming, capable of popping one of the world’s most ubiquitous brands of combination locks in as little as half a minute.
On Thursday, well-known hacker Samy Kamkar published on his website the blueprint and software code for a 3-D-printable Arduino-based lock-opening robot he calls the “Combo Breaker.” Attach it to any of millions of Master Lock combination locks, turn it on, and it can take advantage of a Master Lock security vulnerability Kamkar recently discovered to open the lock in a maximum of five minutes with no human interaction. “The machine pretty much brute-forces the lock for you,” says Kamkar. “You attach it, leave it, and it does its thing.”
Master Lock didn’t immediately respond to WIRED’s request for comment. But Kamkar says his cracking technique is likely no major surprise to the lock maker, nor should it necessarily register as a serious security crisis. Master Lock gives its locks a 1-to-10 security rating displayed on its packaging, and the locks he tested were all rated 3. “The moral is pretty simple,” he says. “If you’re trying to protect valuables in a storage locker, you should probably be using a better lock.”
Tomi Engdahl says:
Plod wants your PC? Brick it with a USB stick BEFORE they probe it
‘USBKill’ fries your machine to foil forensic sniffing
http://www.theregister.co.uk/2015/05/05/usbkills_laptops_to_beat_the_heat/
Criminals, activists, and whistle-blowers have a new tool to help foil police by shutting down laptops before they are examined.
“USBKill” is a script that turns an innocent-looking thumb drive into a kill switch that, when unplugged, forces computers to shut down.
Author “Hephaestos” (@h3phaestos) says their tool will prevent users becoming the next Ross Ulbricht, the former boss of the Silk Road drug marketplace arrested in a raid in which his laptop was seized while still powered on.
“USBKill waits for a change on your usb ports, then immediately kills your computer,” Hephaestos says in a Github document.
“The police will use a mouse jiggler to keep the screensaver and sleep mode from activating.
Tomi Engdahl says:
Michael A Riley / Bloomberg Business:
Penn State’s College of Engineering hires Mandiant, cuts Internet connection after FBI warns of two breaches, one linked to state-sponsored hackers in China
Chinese Hackers Force Penn State to Unplug Engineering Computers
http://www.bloomberg.com/news/articles/2015-05-15/china-hackers-force-penn-state-to-unplug-engineering-computers
Penn State University, which develops sensitive technology for the U.S. Navy, disclosed Friday that Chinese hackers have been sifting through the computers of its engineering school for more than two years.
One of the country’s largest and most productive research universities, Penn State offers a potential treasure trove of technology that’s already being developed with partners for commercial applications. The breach suggests that foreign spies could be using universities as a backdoor to U.S. commercial and defense secrets.
The hackers are so deeply embedded that the engineering college’s computer network will be taken offline for several days while investigators work to eject the intruders.
The Federal Bureau of Investigation notified the university of the breach in November 2014, spawning a months-long investigation that eventually found two separate groups of hackers stealing data.
The first group has been linked by investigators to the Chinese government
The second group has not been identified
The investigation and remediation efforts have already cost Penn State millions of dollars, said Nicholas Jones, the university provost.
U.S. engineering schools — Massachusetts Institute of Technology, the California Institute of Technology, Berkeley, Carnegie Mellon, and Johns Hopkins University — have been among the top targets of Chinese hacking and other intelligence operations for many years. These forays have been for both commercial and defense purposes, and universities have struggled to secure their computers against these advanced attacks.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Security researchers publish Google App Engine exploits 3 weeks after private disclosure to company with no response; Google now says it’s mitigating the issues
Researcher turns tables, discloses unpatched bugs in Google cloud platform
Bugs give hackers beachhead to attack Google App Engine, run malicious code.
http://arstechnica.com/security/2015/05/researcher-turns-tables-discloses-unpatched-bugs-in-google-cloud-platform/
Tomi Engdahl says:
Wall Street Journal:
Belgian Watchdog Slams Facebook’s Privacy Controls
Belgian Watchdog Raps Facebook for Treating Personal Data ‘With Contempt’
Facebook is facing a wave of probes by European regulators into its privacy practices
http://www.wsj.com/article_email/belgian-watchdog-slams-facebooks-privacy-controls-1431685985-lMyQjAxMTE1ODEwNTYxMTU2Wj
Belgium’s privacy watchdog ripped into Facebook Inc. for treating the personal data of Internet users “with contempt” and failing to cooperate with its inquiries, stoking a dispute between the company and European regulators that could result in heavy fines and orders to change its business practices.
The Belgian report, which was released Friday, is part of a broader effort by privacy regulators in several European countries to examine new privacy policies Facebook implemented this year for use of data from its services, which include Instagram and WhatsApp, to target advertising. The review is being led by authorities in the Netherlands and includes watchdogs in France, Spain and Germany.
Belgium’s Privacy Commission, in its 28-page report, said Facebook processes the personal data of its members as well as other Internet users “in secret,” without asking for consent or adequately explaining how the data would be used.
Tomi Engdahl says:
Joshuah Bearman / Wired:
The fall of Silk Road: how the FBI closed in on Dread Pirate Roberts
The Untold Story of Silk Road, Part 2: The Fall
http://www.wired.com/2015/05/silk-road-2/
Tomi Engdahl says:
Kim Zetter / Wired:
FBI claims security researcher Chris Roberts told them he was able to hack in-flight entertainment system during a flight and issue commands to engines
Feds Say That Banned Researcher Commandeered a Plane
http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/
A security researcher kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.
Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane’s Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.
“He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” FBI Special Agent Mark Hurley wrote in his warrant application (.pdf). “He also stated that he used Vortex software after comprising/exploiting or ‘hacking’ the airplane’s networks. He used the software to monitor traffic from the cockpit system.”
Hacker told F.B.I. he made plane fly sideways after cracking entertainment system
http://aptn.ca/news/2015/05/15/hacker-told-f-b-made-plane-fly-sideways-cracking-entertainment-system/
A well-known U.S. hacker told F.B.I. agents he took momentary control of an airplane’s engines mid-flight by hacking into its inflight entertainment system, according to a document filed in U.S. federal court and obtained by APTN National News.
Roberts, who has been interviewed at least three times by the F.B.I. this year, is under investigation for allegedly hacking into the electronic entertainment systems of airplanes, according to an application for a search warrant to probe seized electronic equipment.
Agents discovered the boxes in seats A2 and A3 showed evidence of tampering, according to the warrant application document.
The document stated the box under A2 was “damaged” with the outer cover “open approximately” half an inch and “one of the retaining screws was not seated and was exposed.”
Tomi Engdahl says:
Pete Rizzo / CoinDesk:
US-based Bitcoin storage company Xapo is moving its headquarters to Switzerland citing customer privacy concerns, will keep small presence in Palo Alto
Xapo Moves to Switzerland Citing Customer Privacy Concerns
http://www.coindesk.com/xapo-switzerland-privacy-concerns/
Xapo has officially relocated its corporate headquarters to Zurich, Switzerland, citing the country’s long history of neutrality and stability.
The bitcoin services and security firm said the transition was put in motion three months ago at the request of customers
Xapo indicated that its company representatives would now face potential fines and prison time for revealing customer information without consent in all but select circumstances.
“We decided to do what they had been asking us to do for a while, move our main company to Switzerland and benefit from the safeguards,” Casares explained.
While Casares suggested that Xapo was primarily interested in promoting user privacy, he noted that the company must still follow Swiss law. This includes monitoring transactions for potential money laundering, illegal transactions and terrorist financing.
“Ninety-six percent of the coins that we hold in custody are in the hands of people who are keeping those coins as an investment,” Casares continued.
Tomi Engdahl says:
Owen Bowcott / Guardian:
UK quietly amends law to give intelligence and law enforcement officers immunity from prosecution for hacking
Intelligence officers given immunity from hacking laws, tribunal told
http://www.theguardian.com/uk-news/2015/may/15/intelligence-officers-have-immunity-from-hacking-laws-tribunal-told
Legislative changes exempting law enforcement officers from ban on breaking into people’s digital devices were never debated by parliament, tribunal hears
“We had previously thought [hacking] in this country to be unlawful,” said Ben Jaffey, a lawyer representing Privacy International. “The effect of this amendment has passed everyone by. Attention was not called to it during the parliamentary process, which may not have been accidental. It was hidden in plain sight.”
Hacking is more damaging than mere interception of messages, Jaffey told the tribunal, because it involves unlocking a backdoor into someone else’s computer system which was meant to be secure. It is not clear whether the damage done is always made good following a hacking attack.
Tomi Engdahl says:
Graham Cluley:
What we know so far on the story of the alleged in-flight system hacker Chris Roberts
Security researcher ‘hijacked plane in-flight’: questions and (some) answers
https://grahamcluley.com/2015/05/security-researcher-hijacked-plane/
What’s all the fuss about?
Well, at the end of last week, Wired published an extraordinary story: “Feds Say That Banned Researcher Commandeered a Plane”
Haven’t I heard of this security researcher before?
Quite possibly.
So now, Chris Roberts is saying that he actually commandeered a plane in-flight through hacking?
Not quite.
The report by Wired journalist Kim Zetter says that an FBI search warrant claims that the security researcher had confirmed during conversation that he identified vulnerabilities in aircraft in-flight entertainment (IFE) systems that he was keen for airlines to fix.
Still, even if the full facts aren’t yet known, it sounds serious. Interfering with the actual flight… that would be insane, wouldn’t it?
Or at least plane stupid.
That part of the search warrant at least creates some ambiguity, and could be read as tying in with Roberts’ claims to Wired that any meddling with avionics systems took place in simulated systems on a virtual environment, rather than directly to the in-flight plane.
If that were true, Roberts might have accessed the plane’s systems and data without permission, but perhaps never sent the real live system any commands to mess with the aircraft’s journey.
So, what now?
No doubt some of the hysteria in the mainstream press about hackers hijacking aircraft will continue to bubble away, even though we don’t know what actually happened.
Tomi Engdahl says:
The right to privacy
NSA chief: I didn’t lie to Congress about spying on millions of Americans—I just forgot about it
https://rare.us/story/nsa-chief-i-didnt-lie-to-congress-about-spying-on-millions-of-americans-i-just-forgot-about-it/
Sen. Ron Wyden: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”
James Clapper: “No, sir.”
Wyden: “It does not?”
Clapper: “Not wittingly. There are cases where they could inadvertently perhaps collect, but not wittingly.”
Of course, it has become immensely clear since then that Clapper’s claim was blatantly false, and the NSA does exactly what Clapper said it doesn’t.
So how does Clapper account for this discrepancy? He claims he totally forgot about that whole mass surveillance thing.
This, of course, is nonsense. Clapper didn’t forget; he lied under oath.
Tomi Engdahl says:
Ellen Nakashima / Washington Post:
Apple, Google, and leading cryptologists urge President Obama in letter to reject backdoors in smartphones and other devices
Tech giants urge Obama to resist ‘backdoors’ into encrypted communications
http://www.washingtonpost.com/world/national-security/tech-giants-urge-obama-to-resist-backdoors-into-encrypted-communications/2015/05/18/11781b4a-fd69-11e4-833c-a2de05b6b2a4_story.html
Tech behemoths including Apple and Google and leading cryptologists are urging President Obama to reject any government proposal that alters the security of smartphones and other communications devices so that law enforcement can view decrypted data.
“Strong encryption is the cornerstone of the modern information economy’s security,” said the letter, signed by more than 140 tech companies, prominent technologists and civil society groups.
The letter comes as senior law enforcement officials warn about the threat to public safety from a loss of access to data and communications. Apple and Google last year announced they were offering forms of smartphone encryption so secure that even law enforcement agencies could not gain access — even with a warrant.
FBI and Justice Department officials say they support the use of encryption but want a way for officials to get the lawful access they need.
Many technologists say there is no way to do so without building a separate key to unlock the data — often called a “backdoor,” which they say amounts to a vulnerability that can be exploited by hackers and foreign governments.
Richard A. Clarke, former cybersecurity adviser to President George W. Bush and one of three review group members to sign the letter, noted that a similar effort by the government in the 1990s to require phone companies to build a backdoor for encrypted voice calls was rebuffed. “If they couldn’t pull it off at the end of the Cold War, they sure as hell aren’t going to pull it off now,” he said.
Tomi Engdahl says:
Train safety technology could have saved lives
http://www.edn.com/electronics-blogs/anablog/4439471/Train-safety-technology-could-have-saved-lives?_mc=NL_EDN_EDT_EDN_today_20150518&cid=NL_EDN_EDT_EDN_today_20150518&elq=54132f51f1d24b30a9e4872ed6c4031b&elqCampaignId=23031&elqaid=25931&elqat=1&elqTrackId=4f9a1d31e8074664b9b5704dd0de1e73
In light of the Amtrak incident that killed 8 people and injured over 200, I have to complain that the US authorities should have expedited a technological solution that will be mandated at the end of 2015 to greatly improve safety on the rails.
Positive Train Control (PTC) was known about in 2008 when the Rail Safety Improvement Act (RSIA) mandated that it be implemented by December 31, 2015.
What are we waiting for??
GE Electric Transportation Systems (GETS) also has had a system called Incremental Train Control System (ITCS) which is a class of PTC that can prevent overspeed derailments and train collisions. So what is the delay? This system has been in revenue service since 2000! Too little, too late.
Tomi Engdahl says:
GCHQ denies hacking immunity and back-door government shenanigans
All’s fair in surveillance, presumably
http://www.theinquirer.net/inquirer/news/2408998/gchq-denies-hacking-immunity-and-back-door-government-shenanigans
GCHQ HAS DENIED that it was quietly given extra hacking powers in March under the Computer Misuse Act.
This is the claim of rights group Privacy International, which said that it was notified of amendments just this week, and is appalled by them. GCHQ has denied any such changes, saying that it has no new powers.
Tomi Engdahl says:
FBI: Plane hacker claims he hacked hard and often
Admitted to making plane change course
http://www.theinquirer.net/inquirer/news/2408938/fbi-plane-hacker-claims-he-hacked-hard-and-often
DOCUMENTS PULLED from the FBI reveal that Chris Roberts, the security researcher who was removed from a flight over security concerns, carried out a number of attacks and even managed to make a plane change course.
The FBI interviewed Roberts at the time, and got him to reveal exactly what sort of stuff he was getting up to. He admitted to as many as 20 attacks, including one that really concerned the intelligence agency.
“We believe Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the [inflight entertainment system] and possibly the flight control systems on any aircraft equipped with an [inflight entertainment system] and it would endanger the public safety to allow him to leave the Syracuse airport that evening with that equipment.”
Research is one thing, endangering life is another, and the security industry has not exactly embraced the ad hoc research by Roberts.
Alex Stamos, CISO at Yahoo, was critical. “You cannot promote the idea that security research benefits humanity while defending research that endangered hundreds of innocents,” he said.
United Airlines, which was the airline from which Roberts was removed, said at the time that it would prefer not to offer him carriage.
Tomi Engdahl says:
It’s the end of life as we know it for Windows Server 2003
Can you survive without support?
http://www.theregister.co.uk/2015/05/18/its_the_end_of_life_as_we_know_it_for_windows_server_2003/
Windows Server 2003 will pass out of Microsoft support on July 14, 2015. Different organisations report different numbers, but all agree that there are millions of Server 2003 servers still running in the wild.
Microsoft says there are 11 million Server 2003 servers still running. Gartner says eight million. Several internet searches bring up various other numbers, but I think it is safe to say somewhere between five and 15 million Server 2003 servers are still out there.
My hunch is that Gartner is under-estimating here. The analyst focuses on enterprises and on the whole wouldn’t care if small businesses were all to get flushed into the sun. A Spiceworks poll of workplaces reports that 57 per cent of respondents have at least one Server 2003 instance still running.
There are a number of reasons why people don’t want to migrate: familiarity with the older operating system; money; and in many cases the complexity of the workloads running on those Server 2003 instances.
Tomi Engdahl says:
SDN to bring new round of internecine office wars to IT shops
Security to agile chaps: You want me to lock that down HOW EXACTLY?
http://www.theregister.co.uk/2015/05/19/sdn_to_bring_new_round_of_internecine_office_wars_to_it_shops/
Software-defined networking (SDN) will give IT teams a new reason for internecine conflict, as those looking to build automated, software-defined data centres come up against the hard-headed, trust-nobody pragmatism of security teams.
So says Gartner’s Eric Ahlm, a research director at the analyst firm, who today delivered a session titled “The Impact of Data Center Automation on Security” at the IT Infrastructure, Operations & Data Center Summit in Sydney.
“When I look at security technologies, they are not designed to have external things tell them what to do,” Ahlm said. “They are designed to be isolated systems” for lots of good reasons. Of course SDN is all about having a control plane tell hardware what to do, as often as it wants to in the name of agility and more effective resource utilisation. For security teams accustomed to taking great care over even the smallest configuration change, SDN therefore represents a challenge.
Data centre operations teams that drink the SDN – or Sdx – Kool Aid aren’t going to stand for security teams that move at their current pace. They’ll therefore demand security tools that are easier to automate and require less oversight.
Security teams will need to catch up once they do so. Today, security teams know where assets are, what they’re doing, how to monitor them and how to make sure they can collect data for compliance and forensics purposes.
Ahlm sees two ways around the potential conflict.
Tomi Engdahl says:
Robots.txt tells hackers the places you don’t want them to look
When you say ‘move along, nothing to see here’, the bad guys get interested
http://www.theregister.co.uk/2015/05/19/robotstxt/
Melbourne penetration tester Thiebauld Weksteen is warning system administrators that robots.txt files can give attackers valuable information on potential targets by giving them clues about directories their owners are trying to protect.
Robots.txt files tell search engines which directories on a web server they can and cannot read.
Weksteen, a Securus Global hacker, thinks they offer clues about where system administrators store sensitive assets because the mention of a directory in a robots.txt file screams out that the owner has something they want to hide.
“In the simplest cases, it (robots.txt) will reveal restricted paths and the technology used by your servers,” Weksteen says.
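The point Weksteen makes is that every Disallow line is a public statement about a path the owner cares about. A defender can turn that around and audit their own robots.txt before publishing it. The script below is an added example, not code from the article or from Securus Global: it parses the Disallow/Allow lines and flags paths whose names suggest an asset that should be protected by authentication rather than merely hidden from crawlers. The keyword list and the sample robots.txt are constructed for the example.

```python
"""Audit a robots.txt for paths that advertise something sensitive.

Added example (not from the article or from Securus Global). It parses the
User-agent / Disallow / Allow directives and flags entries whose path names
suggest the owner is trying to hide an asset rather than de-index duplicate
content. The keyword list is this example's own assumption, not a standard.
"""
import re
from dataclasses import dataclass, field

# Path fragments that usually mark an administrative, backup or data area.
# Assumed list for illustration; tune it to your own naming conventions.
SENSITIVE_HINTS = (
    "admin", "backup", "bak", "old", "private", "secret", "config",
    "upload", "dump", "sql", "db", "login", "phpmyadmin", "git", "svn",
)

# File extensions that should never need a robots.txt entry: if such a file
# is reachable at all, that is the problem, not whether Google indexes it.
DATA_FILE_RE = re.compile(r"\.(sql|zip|tar|gz|bak|log|env)$")

# Constructed sample robots.txt for the demonstration.
SAMPLE_ROBOTS = """\
# constructed example, not a real site
User-agent: *
Disallow: /search
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /backup/site-2014.sql
Disallow: /.git/
Allow: /public/
"""


@dataclass
class RobotsFinding:
    user_agent: str
    directive: str
    path: str
    reasons: list = field(default_factory=list)


def parse_robots(text):
    """Return (user_agent, directive, value) triples; comments and blanks are skipped."""
    records = []
    agent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            agent = value
        elif key in ("disallow", "allow"):
            records.append((agent or "*", key, value))
    return records


def audit_robots(text):
    """Flag Disallow/Allow paths whose names reveal a sensitive area."""
    findings = []
    for agent, directive, path in parse_robots(text):
        if not path:
            continue  # "Disallow:" with an empty value disallows nothing
        lowered = path.lower()
        reasons = []
        for hint in SENSITIVE_HINTS:
            # match the hint as a whole path component or name fragment,
            # e.g. /admin/, /.git/, site.sql, but not "administer"
            if re.search(r"(^|[/._-])" + re.escape(hint) + r"([/._-]|$)", lowered):
                reasons.append(f"path name contains '{hint}'")
        if DATA_FILE_RE.search(lowered):
            reasons.append("points at a data/backup/config file, not a directory")
        if reasons:
            findings.append(RobotsFinding(agent, directive, path, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_robots(SAMPLE_ROBOTS):
        print(f"[{f.user_agent}] {f.directive}: {f.path} -> {'; '.join(f.reasons)}")
```

Run it against the sample and three of the six entries are flagged (/admin/, /backup/site-2014.sql and /.git/), while /search and /cgi-bin/ pass as ordinary crawl hints. The remedy for a flagged line is not a cleverer robots.txt entry but access control on the path itself, or removing the file from the web root; anything listed in robots.txt should be something you are content for strangers to know exists.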
Tomi Engdahl says:
IEEE’s prescription for med-tech crowd: preventing hacks is better than a cure
Take these coding standards and, if pain persists, consult your doctor
http://www.theregister.co.uk/2015/05/19/ieee_to_medtech_security_is_not_an_afterthought/
Medical devices shouldn’t be hackable, so the IEEE has published the first steps towards laying down decent security practice for the sector.
From the late Barnaby Jack’s work on insulin pumps through to this month’s “hackable infusion pump”, this decade has seen growing interest in medical device vulns.
Working with the IEEE’s Cybersecurity Initiative, a group of researchers has laid down both a set of recommendations for current practice and research priorities for medical technology. The paper is a summary of a two-day workshop held last November.
Building Code for Medical Device Software Security (PDF) includes the sensible – and to regular readers of El Reg, obvious – recommendation that proprietary crypto implementations are a bad idea.
“Cryptographic algorithms that resist serious analysis are notoriously difficult to invent and to program correctly”, the paper states, so “externally developed and certified implementations should be sought; custom implementations of cryptographic components require careful vetting by experts.”
Tomi Engdahl says:
Your metadata and the cost of collecting it belong on your phone and internet bill
Carbon tax protest shows protests putting prices in punters’ faces pay off
http://www.theregister.co.uk/2015/05/17/your_metadata_and_the_cost_of_collecting_it_belongs_on_your_phone_and_internet_bill/
When Australia’s federal government legislated a carbon tax, some electricity companies tweaked their bills so that customers could see it as a line item.
The motivation was purely political: companies that did so were owned by States of Australia whose governments were of a different political hue to the Federal government of the day. Adding the carbon tax to the bill was a political act calculated to make sure punters could see just how far into their pockets the feds were reaching.
It’s now time to bring the tactic back, to make the cost and impact of metadata retention plain for all to see. Last week’s budget revealed that Australia’s carriers of voice and/or data will be offered $131m to implement their mandatory metadata retention infrastructure. Most feel that’s not going to cover their implementation costs.
Faced with that intransigence, telcos would not be unreasonable if they decided to add a line item for metadata retention to their bills so that their punters can understand the costs they’re being made to meet.
Tomi Engdahl says:
Domestic cyber-crime – no more tinkering
Information and cyber security may sound like a distant science-fiction story when you read the online news headlines. But I do not feel that way after losing money through an online scam.
Crime, online or otherwise, is not worth it! So why do so many people think that committing crimes over the internet, or various kinds of wild online experiments, would count as extenuating circumstances?
One reason is probably that online crime, which does not involve guns or knives and which can be carried out from the couch at home, fiddling with a tablet in broad daylight, does not seem so real. Instructions found through Google can reinforce this and may even declare that there is in fact nothing criminal about it.
Wake up: just as when operating online in general, if a financial offer or advantage seems too good to be true, it usually is a hoax.
Why is cybercrime growing?
The growth in online crime may be due to its “odors and distaste,” but also to ignorance. The second reason is its ease: instructions for carrying out various cyber crimes can be found on the web, and to top it all off, these guides promise that you will not get caught. In addition, if the user does not have the necessary know-how, the necessary services can be bought online simply and cheaply.
Carrying out a denial-of-service attack does not require your own botnet or large-scale data centres; all of it can be rented. Online criminals have even more modern and more sophisticated tools and facilities on offer than most organizations do.
Every time you are about to give any personal information or passwords online, not to mention information related to bank accounts or other payment activities, think twice, so that you do not get scammed. If you are not 100% sure where and why you are giving the information, do not hand it over! If necessary, first phone the organisation making the data request to confirm that it exists and the reasons for the inquiry.
Source: http://www.tivi.fi/blogit/2015-05-19/Kotimainen-kyberrikollisuus-%E2%80%93-ei-en%C3%A4%C3%A4-harrastelijamaista-puuhastelua-3221913.html
Tomi Engdahl says:
UK Criminals Use Drones To Case Burglary Prospects
http://news.slashdot.org/story/15/05/19/0029258/uk-criminals-use-drones-to-case-burglary-prospects
Burglars in the UK are sending unmanned drones over houses in order to identify potential targets, police have warned. Suffolk Constabulary confirmed it had received at least one report of drones being used by burglars for surveillance of properties. Paul Ford, secretary of the Police Federation National Detectives Forum, said: “Drones can be noisy and very visible so hopefully criminals risk giving themselves away. If members of the public observe drones being used in areas which make them suspicious they should contact police using the 101 non-emergency number to report it.”
Burglars use drone helicopters to target homes
Police warn thieves are piloting the mini-helicopters to carry out surveillance on homes to burgle
http://www.telegraph.co.uk/news/uknews/crime/11613568/Burglars-use-drone-helicopters-to-identify-targe-homes.html