Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published also in 2015. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. The tools for this already exist. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to get malicious applications published in application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
Tomi Engdahl says:
European Internet Users Urged To Protect Themselves Against Facebook Tracking
http://tech.slashdot.org/story/15/05/19/0225222/european-internet-users-urged-to-protect-themselves-against-facebook-tracking
Belgium’s Privacy Protection Commission says that Facebook tramples on European privacy laws by tracking people online without their consent and dodges questions from national regulators. They have issued a set of recommendations for both Facebook, website owners and end users.
European Internet users urged to protect themselves against Facebook tracking
http://www.net-security.org/secworld.php?id=18395
Tomi Engdahl says:
Immature Cyber Defense Programs Benefit Quickly From Risk Intelligence
http://www.securityweek.com/immature-cyber-defense-programs-benefit-quickly-risk-intelligence
Graphing this data on an imaginary bell curve in my head draws an interesting picture: over 80% of the companies I’ve met with fall into the big fat part of the curve over a label “Immature.”
I’m not using the word “immature” in a negative sense. Instead, it’s simply an apt description arrived at from measuring companies against certain accepted criteria usually associated with well-positioned against the cyber threat.
Among other things, to be cyber “immature” typically means that your company has:
• No (or nominal) “top level” distinct cyber defense organization (e.g. CSO org or other similar division run by appropriate leadership)
• Few or no professional INFOSEC or other security staff members and management (i.e. Instead they have IT personnel who wear the “other duties as assigned” hat)
• Small or no cybersecurity defense operations (e.g. SOC or NOC)
• No (or nominal) Industry-based governance, compliance and regulation program
• No SIEM, Threat Intelligence or similar data analysis function distinct from IT management
• Small or nominal cyber defense budget
In most cases, the companies I meet with openly label themselves as immature when it comes to cyber defense. In fact, across the market, cyber is only now truly getting noticed as the major “top level” threat to a company’s employees, products, customers, brand and reputation, partners, etc. that it actually represents (and deserves).
It sounds frustrating and, for sure, gnashing of teeth abounds, but there’s at least one thing businesses can do with relative ease that is a big bootstrap in lessening some of the immaturity impact and helping climb the hill:
Adopt a risk intelligence-driven situational awareness approach to knowing the enemy and yourself.
Expressing it as an abstract formula:
Risk Intelligence = (High-Level Threat Intelligence + Context) * Continuous Data Collection/Intuitive KPIs
Cyber defense is just one important part of guaranteeing the success of a business. Just like anything else a business does, it has to develop from a solid foundation in verifiable data into repeatable, measurable processes that mitigate or eliminate risk. With simple risk intelligence, any business can go from nothing to something much, much faster.
Tomi Engdahl says:
The Network is the Security Device
http://www.securityweek.com/network-security-device
More than thirty years ago, John Gage of Sun Microsystems coined the now famous phrase: “The network is the computer.” Indeed the true power of the computer comes from being connected, and with more devices connected the power grows exponentially. We see this today with cloud computing and increasingly with the Internet of Everything (IoE) which is creating unprecedented opportunities for networked connections among people, processes, data, and things.
Largely because of this exciting evolution, we are now facing a similar inflection point with respect to security. To capture opportunities made possible by ever-expanding connectivity, security must evolve in lock-step. In effect: “The network must become the security device.” Let me explain.
The widespread adoption of the cloud and the IoE brings new business opportunities in the form of greater speed, efficiency, and agility, while also changing the game on where data is stored, moved, and accessed. Further, mobility and the cloud have dramatically increased employee productivity and satisfaction but also replaced the traditional network perimeter with a constantly morphing set of users, locations, applications, access methods, and devices. This creates the dual challenge of defending a dynamic perimeter and creating a near infinite number of points of vulnerability. All of these considerations create greater opportunities for attackers.
So how have we evolved our approach to security as defenders? The truth is, not nearly enough. Caught in a cycle of layering on the latest security tool, it isn’t unusual to find organizations with 40 to 60+ different security solutions that don’t – and can’t – work together or interoperate.
When the network is the security device, our approach to security can be:
• Pervasive – to persist across all attack vectors
• Integrated – to share information and capabilities with a rich ecosystem of applications and services
• Continuous – to allow for ongoing protection across the full attack continuum – before, during, and after an attack
• Open – to integrate with third parties, including complementary security technologies and threat intelligence feeds
This requires that we build technologies into network infrastructure that increase visibility across all network activity, provide context based on local and global threat intelligence, and allow control using analysis and automation to dynamically protect against detected threats.
Tomi Engdahl says:
I Told You SSO
http://www.securityweek.com/i-told-you-sso
Last month the French TV network, TV5Monde, had 11 of its stations’ signals disrupted by an Islamist group. Its websites and social media pages were also defaced, but the biggest immediate impact was loss of advertising revenue during the blackout.
And what security failure led to this embarrassing and costly security breach? One source reported that the network’s highest-level password was “azerty12345,” the French-keyboard equivalent of “qwerty12345″, making it easy for attackers to guess.
But this story gets better (or worse, depending on your perspective). While reporting on their own incident, they actually filmed a staffer in their offices with user names and passwords written down and visible in the background. Then they aired that footage for all the world to see.
Passwords on Paper
It’s the security equivalent of an “own goal” in soccer.
Not just a French problem
Lest you think that this form of security self-sabotage is uniquely Gallic, last week, a BBC documentary inadvertently exposed passwords used at a British rail network’s control center.
How do we stop handing attackers our credentials?
One way would be to stop allowing TV crews to film inside of private areas. Human nature being what it is, though, we will likely continue to want to show off our offices and control centers.
Clearly, an obvious solution is that users should be dissuaded from displaying their credentials on stickers, banners, white boards and sticky notes as well. But putting the responsibility entirely on users is a fool’s errand.
Whose responsibility is it?
We like to say that security is everyone’s responsibility, and there is truth to that. Users are understandably at an impasse, though, when we ask them to use unique, complex passwords for every application, and to rotate them every 90 days without repetition. This makes for good security policy, while boosting the sales of Post-It Notes – in reality, this is security-driven self-sabotage.
Security teams must bear equal, if not more responsibility, for reducing the risk of credential fatigue leading to inadvertent exposure.
Reducing reliance on passwords
It should be no surprise that single-sign on (SSO) is an important part of reducing this risk, given the maturity of SSO technology. SSO reduces the number of unique passwords that users have to remember, implements far more complex passwords than users typically employ and rotates them automatically according to policy.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Logjam crypto vulnerability affects tens of thousands of web and mail servers, browsers being updated with fix — HTTPS-crippling attack threatens tens of thousands of Web and mail servers — Diffie-Hellman downgrade weakness allows attackers to intercept encrypted data.
HTTPS-crippling attack threatens tens of thousands of Web and mail servers
http://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers/
Tens of thousands of HTTPS-protected websites, mail servers, and other widely used Internet services are vulnerable to a new attack that lets eavesdroppers read and modify data passing through encrypted connections, a team of computer scientists has found.
The vulnerability affects an estimated 8.4 percent of the top one million websites and a slightly bigger percentage of mail servers populating the IPv4 address space, the researchers said. The threat stems from a flaw in the transport layer security protocol that websites and mail servers use to establish encrypted connections with end users. The new attack, which its creators have dubbed Logjam, can be exploited against a subset of servers that support the widely used Diffie-Hellman key exchange, which allows two parties that have never met before to negotiate a secret key even though they’re communicating over an unsecured, public channel.
The weakness is the result of export restrictions the US government mandated in the 1990s on US developers who wanted their software to be used abroad.
“Logjam shows us once again why it’s a terrible idea to deliberately weaken cryptography, as the FBI and some in law enforcement are now calling for,”
It wasn’t supposed to be this way
Ironically, Diffie-Hellman is supposed to provide an additional layer of protection because it allows the two connected parties to constantly refresh the cryptographic key securing Web or e-mail sessions. The so-called perfect forward secrecy that Diffie-Hellman makes possible significantly increases the work of eavesdropping because attackers must obtain the key anew each time it changes, as opposed to only once with other encryption schemes, such as those based on RSA keys. Logjam is significant because it shows that ephemeral Diffie-Hellman—or DHE—can be fatal to TLS when the export-grade ciphers are supported. Logjam is reminiscent of the FREAK attack that also allowed attackers to downgrade HTTPS connections to 512-bit cryptography.
Tomi Engdahl says:
‘Logjam’ Vulnerability Threatens Encrypted Connections
http://it.slashdot.org/story/15/05/20/1258251/logjam-vulnerability-threatens-encrypted-connections
A team of security researchers has revealed a new encryption vulnerability called ‘Logjam,’ which is the result of a flaw in the TLS protocol used to create encrypted connections. It affects servers supporting the Diffie-Hellman key exchange, and it’s caused by export restrictions mandated by the U.S. government during the Clinton administration.
Internet Explorer is the only browser yet updated to block such an attack — patches for Chrome, Firefox, and Safari are expected soon. The researchers add, “Breaking the single, most common 1024-bit prime used by web servers would allow passive eavesdropping on connections to 18% of the Top 1 Million HTTPS domains. A second prime would allow passive decryption of connections to 66% of VPN servers and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”
Imperfect Forward Secrecy:
How Diffie-Hellman Fails in Practice
https://weakdh.org/imperfect-forward-secrecy.pdf
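The two Logjam posts above boil down to two server-side conditions: willingness to complete an export-grade DHE handshake, and use of a small or widely shared DHE prime. The following is an added example (not code from the articles or from the weakdh.org researchers) that scores constructed scanner records against those conditions and lists the configuration fixes; the record format, function names and sample hosts are assumptions.

```python
"""Offline assessment of a server's TLS Diffie-Hellman configuration for the
Logjam weaknesses: export-grade DHE suites and small or shared DHE primes.
Added example; the scan records below are constructed, not real hosts."""
from dataclasses import dataclass
from typing import List, Optional

# Bit-length thresholds taken from the reported findings: 512-bit export
# groups were broken by the researchers, a single common 1024-bit prime is
# believed to be within reach of a nation-state, and 2048 bits is the floor.
EXPORT_BITS = 512
WEAK_BITS = 1024
MIN_SAFE_BITS = 2048

SEVERITY_ORDER = {"ok": 0, "info": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class DhScanResult:
    """What a TLS scanner would report for one host (assumed record shape)."""
    host: str
    cipher_suites: List[str]       # suites the server accepts, IANA-style names
    dh_prime_bits: Optional[int]   # size of the negotiated DHE group, None if no DHE
    shared_prime: bool = False     # True if the prime is a well-known default group


@dataclass
class Finding:
    severity: str
    message: str


def assess(result: DhScanResult) -> List[Finding]:
    """Return the Logjam-related findings for one scan result, worst first."""
    findings: List[Finding] = []

    # 1. Export suites: the downgrade works whenever the server is willing to
    #    complete a DHE_EXPORT handshake, whatever the client asked for, so
    #    their mere presence in the accepted list is critical.
    export_suites = [s for s in result.cipher_suites if "EXPORT" in s.upper()]
    if export_suites:
        findings.append(Finding(
            "critical",
            f"{result.host}: accepts export-grade DHE suites "
            f"({', '.join(export_suites)}); handshakes can be downgraded to "
            f"a {EXPORT_BITS}-bit group"))

    # 2. Group size: tiny primes are breakable outright; a widely shared
    #    1024-bit prime is the passive-eavesdropping case from the research.
    bits = result.dh_prime_bits
    if bits is not None:
        if bits <= EXPORT_BITS:
            findings.append(Finding(
                "critical", f"{result.host}: DHE group is only {bits} bits"))
        elif bits <= WEAK_BITS:
            if result.shared_prime:
                findings.append(Finding(
                    "high",
                    f"{result.host}: {bits}-bit DHE group uses a widely shared "
                    "prime; passive decryption by a well-resourced attacker is plausible"))
            else:
                findings.append(Finding(
                    "medium",
                    f"{result.host}: {bits}-bit DHE group is below the "
                    f"{MIN_SAFE_BITS}-bit floor"))
    elif any("DHE" in s.upper() and "ECDHE" not in s.upper()
             for s in result.cipher_suites):
        findings.append(Finding(
            "info", f"{result.host}: DHE suites offered but group size not observed"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity], reverse=True)
    return findings


def max_severity(findings: List[Finding]) -> str:
    """Overall rating for a host; 'ok' when nothing was flagged."""
    return findings[0].severity if findings else "ok"


def remediation(result: DhScanResult) -> List[str]:
    """Configuration changes that would clear the findings above."""
    steps = []
    if any("EXPORT" in s.upper() for s in result.cipher_suites):
        steps.append("remove all EXPORT cipher suites from the server's cipher list")
    if result.dh_prime_bits is not None and result.dh_prime_bits < MIN_SAFE_BITS:
        steps.append(f"generate a fresh, unique DHE group of at least "
                     f"{MIN_SAFE_BITS} bits instead of a built-in default")
    if not any("ECDHE" in s.upper() for s in result.cipher_suites):
        steps.append("prefer ECDHE suites, which are not affected by this attack")
    return steps


# Constructed sample scan records (hypothetical hosts).
VULNERABLE = DhScanResult(
    host="legacy-mail.example",
    cipher_suites=["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                   "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"],
    dh_prime_bits=1024, shared_prime=True)

HARDENED = DhScanResult(
    host="www.example",
    cipher_suites=["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                   "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"],
    dh_prime_bits=2048, shared_prime=False)

if __name__ == "__main__":
    for rec in (VULNERABLE, HARDENED):
        print(f"{rec.host}: {max_severity(assess(rec))}")
        for f in assess(rec):
            print(f"  [{f.severity}] {f.message}")
        for step in remediation(rec):
            print(f"  fix: {step}")
```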
Tomi Engdahl says:
Survey: 2/3 of Public Sector Workers Wouldn’t Report a Security Breach
http://it.slashdot.org/story/15/05/19/2341259/survey-23-of-public-sector-workers-wouldnt-report-a-security-breach
An anonymous reader sends news of a survey of workers in the public sector conducted by Daisy Group, a British IT firm, which found that 64% of them would stay quiet about a security breach they noticed. The survey also found that 5% of workers admitted to disabling the password protection features on their work devices, and 20% said they don’t update their passwords regularly.
Two thirds of public sector workers keep quiet on major security breaches
http://thestack.com/daisy-group-public-sector-keep-quiet-security-breach-190515
A cybersecurity survey conducted by British IT and telecom firm Daisy Group has revealed that almost two thirds of public sector employees would not report a serious data breach that they thought would cause problems in the workplace.
The research, which was based on a study involving 2,000 public sector staff, also discovered that many workers held a negligent attitude toward sufficient password protection. It found that respondents were willing to sidestep corporate security policies to ease their work life.
The survey showed that 64% of employees in the public sector would keep quiet about major security breaches, and that 5% had disabled password protection features on a laptop, mobile or other mobile devices.
20% confirmed that they do not regularly update their passwords, while a further 8% answered that they used ‘simple’ passwords that could be easily guessed.
“Procedures that are complicated or disrupt the working environment often result in employees finding ways to circumnavigate them or taking matters in their own hands,” he said.
“When it comes to data security, all too often organisations focus purely on IT processes and forget about the staff that will be using them. Human error is one of, if not the most likely source for data security issues, and fear of reprisal is a powerful force.”
Tomi Engdahl says:
Australian Law Could Criminalize the Teaching of Encryption
http://it.slashdot.org/story/15/05/20/0536206/australian-law-could-criminalize-the-teaching-of-encryption
According to Daniel Mathews, new laws passed in Australia (but not yet in effect) could criminalize the teaching of encryption. He explains how a ridiculously broad law could effectively make any encryption stronger than 512 bits criminal if your client is not Australian. He says, “In short, the DSGL casts an extremely wide net, potentially catching open source privacy software, information security research and education, and the entire computer security industry in its snare. Most ridiculous, though, are some badly flawed technicalities.”
Paranoid defence controls could criminalise teaching encryption
http://theconversation.com/paranoid-defence-controls-could-criminalise-teaching-encryption-41238
You might not think that an academic computer science course could be classified as an export of military technology. But under the Defence Trade Controls Act – which passed into law in April, and will come into force next year – there is a real possibility that even seemingly innocuous educational and research activities could fall foul of Australian defence export control laws.
Under these laws, such “supplies of technology” come under a censorship regime involving criminal penalties of up to ten years imprisonment. How could this be?
Regulation of military weapons is not a particularly controversial idea. But the DSGL covers much more than munitions. It also includes many “dual-use” goods, which are goods with both military and civilian uses. This includes substantial sections on chemicals, electronics and telecommunications, among other things.
Disturbingly, the DSGL risks veering wildly in the direction of over-classification, covering activities that are completely unrelated to military or intelligence applications.
Encryption: an essential tool for privacy
Encryption is the process of encoding a message so that it can be sent privately. Decryption is the process of decoding it, so that it can be read. Encryption and decryption are two aspects of cryptography, the study of secure communication.
As with many technologies subject to dual-use regulation, the first question is whether encryption should be covered at all.
Once the preserve of spies and governments, encryption algorithms have now become an essential part of modern life. We use them almost every time we go online.
Tomi Engdahl says:
Security Takes a MIPS Twist
Imagination OmniShield clashes with ARM
http://www.eetimes.com/document.asp?doc_id=1326654&
Imagination Technologies announced a new security architecture that will cover its MIPS, graphics and radio cores. OmniShield aims to enable multiple secure domains on any virtualized hardware block using open software interfaces.
The technology could help Imagination differentiate its cores in an industry increasingly dominated by ARM and the x86. It already has helped fuel participation in a working group in its prpl Foundation developing open APIs for OmniShield.
Imagination will release a reference platform by the end of the year that implements its approach which includes a hardware root of trust and secure boot capability. The APIs will take longer given they are being defined by an industry group that includes representatives of Broadcom, Qualcomm, Lantiq and others.
OmniShield will be able to create up to 255 separate secure domains. Existing PowerVR graphics and MIPS series 5 and 6 cores have the hardware virtualization support it requires. Future PowerVR video and vision and Enigma radio cores will be designed to support it, too.
Tomi Engdahl says:
Software Glitch Caused Crash of Airbus A400M Military Transport Aircraft
http://tech.slashdot.org/story/15/05/19/2033201/software-glitch-caused-crash-of-airbus-a400m-military-transport-aircraft
A software glitch caused the crash of an Airbus A400M military transport aircraft, claims German newspaper Der Spiegel
Airbus orders checks on A400M engine system after crash
http://www.reuters.com/article/2015/05/19/us-airbus-a400m-idUSKBN0O417720150519
Airbus (AIR.PA) on Tuesday ordered engine software checks on the A400M military aircraft following the first crash of Europe’s new troop and cargo carrier.
The request comes after data compiled by the planemaker after the fatal May 9 accident pointed to a possible anomaly in a system running the plane’s turboprop engines.
Two people familiar with the matter said the investigation was expected to focus on possible flaws in the way the system had been installed, rather than a design problem.
Airbus said it had issued an alert asking air forces to examine the plane’s ‘Electronic Control Unit’.
The unit controls the powerplants and is part of a suite of software systems that process commands and monitor the performance of the West’s largest turboprop engines.
Problems in certifying the complex engine software, which originally fell under the responsibility of MTU, made headlines in 2009 when they were partially blamed for costly delays. But the plane has also faced a litany of other technical problems from refueling to cargo loading.
The engines and software of the crashed plane were delivered in February after passing factory inspections.
Tomi Engdahl says:
Hi! You’ve reached TeslaCrypt ransomware customer support. How may we fleece you?
Infosec bods tear into the belly of the beast
http://www.theregister.co.uk/2015/05/20/teslacrypt_ransomware_scam_dissected/
The TeslaCrypt ransomware gang raked in $76,500 in around 10 weeks, according to new research into the scam.
TeslaCrypt, which was distributed through the widely-used Angler browser exploit kit, was first spotted in February 2015 by security researchers at Dell SecureWorks.
After encrypting popular file types on compromised machines, TeslaCrypt demanded a ransom of $150 or more, payable in Bitcoin. The malware uses the Tor anonymity network for command and control. TeslaCrypt was also notable for its encryption of filetypes associated with popular online games.
Security researchers at Cisco were able to analyse and break the TeslaCrypt ransomware before releasing a decryption utility in late April. The release of the recovery tool thwarted the whole basis of the scam.
Ransomware scams have been going on for years, progressing from simple PC lock-up threats and bogus claims that victims needed to pay a fine to the authorities after unsavoury material was uncovered on their machines, right up to full-blooded file encryption nasties.
CryptoLocker pioneered this area but TeslaCrypt took the support aspects much further, even setting up a fully fledged “tech support” network.
Tomi Engdahl says:
Millions of Routers Vulnerable to Attacks Due to NetUSB Bug
http://www.securityweek.com/millions-routers-vulnerable-attacks-due-netusb-bug
A serious vulnerability affecting the NetUSB kernel driver developed by Taiwan-based tech company KCodes exposes millions of routers to hack attacks, researchers have warned.
According to its website, KCodes is one of the leading developers and suppliers of USB over IP solutions. The company says over 20% of world’s networking devices include KCodes technology.
The NetUSB (USB over IP) kernel driver developed by the company is designed to allow users to connect over their network to USB devices plugged into a router, access point, or other Linux-based embedded system. Users can access speakers, printers, hard drives, webcams and other USB devices by connecting to a NetUSB server via the Windows or OS X client.
Researchers at SEC Consult discovered that the NetUSB driver is plagued by a kernel stack buffer overflow vulnerability (CVE-2015-3036) that can be exploited by an unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. The flaw, caused by insufficient input validation, can be triggered by specifying a computer name that is longer than 64 characters when the client connects to the server.
KCodes’ NetUSB driver is integrated into products from several vendors, including Netgear, TP-Link, ZyXEL, and TRENDnet. The feature is advertised with various names, such as “print sharing,” “USB share port” and “ReadySHARE.”
The vulnerability can be exploited by an attacker on the local network, but in some cases exploitation over the Internet might also be possible through TCP port 20005, the port used by the server for client connections.
Tomi Engdahl says:
Attackers Use Trojanized Version of PuTTY to Steal SSH Credentials
http://www.securityweek.com/attackers-use-trojanized-version-putty-steal-ssh-credentials
Malicious actors are using a trojanized version of PuTTY, the popular open-source Secure Shell (SSH) and telnet client, to gain access to remote computers and steal valuable data, Symantec warned on Monday.
According to experts, the attackers created the malicious PuTTY back in late 2013, when they uploaded a sample to VirusTotal. Symantec says this trojanized version disappeared until recently.
Cybercriminals are distributing the malware by hijacking websites that appear in search engine results when users look for PuTTY. When users access the compromised site, they are taken through several redirects to a website hosted in the United Arab Emirates that is set up to serve the fake version.
“Our telemetry reveals that the current distribution of the Trojanized version of PuTTY is not widespread and is not specific to one region or industry,” Symantec said in a blog post.
Tomi Engdahl says:
Tech Firms, Activists Press US on Encryption
http://www.securityweek.com/tech-firms-activists-press-us-encryption
Some 140 tech companies, civil liberties and privacy activists urged the White House Tuesday to pull back efforts to weaken encryption or include law enforcement “backdoors” on technology products.
The effort marked the latest turn of events in a dispute between Silicon Valley firms and the US government, which is seeking ways to access encrypted phones and other devices to root out criminals and terrorists.
Tomi Engdahl says:
Airline Chief Casts Doubt on Plane Hacking Claim
http://www.securityweek.com/airline-chief-casts-doubt-plane-hacking-claim
The chief executive of United Airlines cast doubt Tuesday on claims by a security researcher about hacking the controls of a jetliner from its entertainment system.
“There are clear firewalls between a Wi-Fi system and any kind of control,” United president and CEO Jeff Smisek told a US Senate hearing.
Smisek said however the matter was “of great concern to us” and that the carrier was cooperating with an FBI investigation into the matter.
A story circulating in security circles in recent days is based on a claim by researcher Chris Roberts of One World Labs that he briefly took control of a United aircraft from his passenger seat by hacking into the in-flight entertainment network.
Smisek told the Senate panel of the alleged hacking, “We are unaware of whether or not this is possible (but) the original equipment manufacturers, from at least what I understand, have stated this is not possible today.”
In-flight cybersecurity is “an increasingly important issue” that the Federal Aviation Administration (FAA) is just starting to address in earnest, said the audit and investigative arm of the US Congress.
“We’re working closely with the manufacturers to understand how the threat”
Tomi Engdahl says:
DDoS Attacks Spiked in Q1 2015: Akamai
http://www.securityweek.com/ddos-attacks-spiked-q1-2015-akamai
The state of affairs when it comes to dealing with distributed denial-of-service attacks is not particularly rosy, according to Akamai Technologies’ ‘Q1 2015 State of the Internet – Security Report’.
The first quarter of the year set a record for the number of DDoS attacks observed across Akamai’s Prolexic network, with the total number of attacks being more than double the number recorded in the first quarter of 2014. The number of attacks also represented a jump of more than 35 percent compared to the final quarter of last year.
Eric Kobrin, Akamai’s director of information security responsible for adversarial resilience, tied the increase to the continued exploitation of network devices and associated protocols for reflection attacks, as well as the growing popularity of DDoS-for-hire sites.
“(It’s) very inexpensive to launch attacks DDoS being used as a preferred attack method for malicious actors,” he said. “As a result, we have noticed an increase within our customer base as well an overall higher demand for cloud-based DDoS mitigation services.”
The typical DDoS attack during the first quarter of 2015 was less than 10 gigabits per second (Gbps) and lasted for more than 24 hours. There were also eight “mega-attacks” during the quarter that exceeded 10 Gbps, the report noted.
The gaming sector was the hardest hit with DDoS attacks during the quarter, accounting for more than 35 percent of all DDoS attack victims.
Attackers frequently turned to the Simple Service Discovery Protocol (SSDP), which accounted for more than 20 percent of the attack vectors used during the first few months of the year.
While challenges remain in the present, organizations should also consider the hurdles that will have to be jumped in the future due to the growth of IPv6 adoption. While IPv6 DDoS is not yet a common occurrence, there are indications attackers have started testing and researching IPv6 DDoS methods, according to Akamai.
“Because IPv6 grants each user a large address space…security solutions may be bypassed by attackers appearing to come from multiple addresses without needing to purchase or steal more connectivity,”
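The SSDP reflection vector mentioned above leaves a recognisable shape in flow data: many distinct hosts answering from UDP port 1900 toward one destination they were never asked by. The following is an added detection example, not code from Akamai or the report; the record format, the addresses and the thresholds are constructed for illustration.

```python
"""
Added example (not from the Akamai report or the SecurityWeek article):
flagging likely SSDP reflection floods in flow records. Record layout,
addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed flow records: "src_ip src_port dst_ip dst_port proto bytes".
# SSDP replies leave a reflector from UDP/1900; in a reflection attack many
# reflectors answer toward one spoofed victim address at the same time.
SAMPLE_FLOWS = """\
192.0.2.11 1900 203.0.113.10 51234 udp 1450
192.0.2.12 1900 203.0.113.10 51234 udp 1450
192.0.2.13 1900 203.0.113.10 51234 udp 1450
192.0.2.14 1900 203.0.113.10 51234 udp 1450
192.0.2.15 1900 203.0.113.10 51234 udp 1450
198.51.100.8 1900 203.0.113.20 40000 udp 300
198.51.100.9 443 203.0.113.30 52000 tcp 5000
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({
            "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(), "bytes": int(nbytes),
        })
    return flows


def ssdp_reflection_suspects(flows, min_reflectors=3, min_bytes=4000):
    """Return {victim_ip: (distinct_reflectors, total_bytes)} for destinations
    receiving UDP traffic *from* port 1900 out of many distinct sources.
    Both thresholds are assumptions; tune them to the link being watched."""
    per_dst = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != 1900:
            continue
        per_dst[f["dst"]][0].add(f["src"])
        per_dst[f["dst"]][1] += f["bytes"]
    return {
        dst: (len(srcs), total)
        for dst, (srcs, total) in per_dst.items()
        if len(srcs) >= min_reflectors and total >= min_bytes
    }


if __name__ == "__main__":
    hits = ssdp_reflection_suspects(parse_flows(SAMPLE_FLOWS))
    for victim, (n, total) in hits.items():
        print(f"possible SSDP reflection toward {victim}: {n} reflectors, {total} bytes")
```

The key is the source port, not the destination port: a victim of reflection sees replies from 1900 toward whatever port the attacker put in the spoofed request, so grouping by destination and counting distinct reflectors separates a flood from one host legitimately talking to one UPnP device.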
Tomi Engdahl says:
akamai’s [state of the internet] / security
http://www.stateoftheinternet.com/downloads/pdfs/2015-internet-security-report-q1.pdf
Tomi Engdahl says:
If you cannot afford an Einstein to protect the network, try a canary
http://www.controleng.com/single-article/if-you-cannot-afford-an-einstein-to-protect-the-network-try-a-canary/d988c78396570a443226713c2a81cc69.html
By using what is known as a “canary,” companies can take an active defense against cyber attackers. The canary will alert IT when there have been changes to the system and actions can be taken to shore up the system and block the attackers. The time between system compromise and detection is more than seven months, too long to know that the manufacturing IT system has been hacked.
Tomi Engdahl says:
Pew Internet:
Pew Report: 69% of US adults are not confident social networks will keep their data private and secure
Americans’ Attitudes About Privacy, Security and Surveillance
http://www.pewinternet.org/2015/05/20/americans-attitudes-about-privacy-security-and-surveillance/
The cascade of reports following the June 2013 government surveillance revelations by NSA contractor Edward Snowden have brought new attention to debates about how best to preserve Americans’ privacy in the digital age. At the same time, the public has been awash with news stories detailing security breaches at major retailers, health insurance companies and financial institutions. These events – and the doubts they inspired – have contributed to a cloud of personal “data insecurity” that now looms over many Americans’ daily decisions and activities. Some find these developments deeply troubling and want limits put in place, while others do not feel these issues affect them personally. Others believe that widespread monitoring can bring some societal benefits in safety and security or that innocent people should have “nothing to hide.”
Americans’ views about privacy and surveillance are relevant to policymaking on these matters. Key legal decisions about the legitimacy of surveillance or tracking programs have hinged on the question of whether Americans think it is reasonable in certain situations to assume that they will be under observation, or if they expect that their activities will not be monitored. A federal appeals court recently ruled that a National Security Agency program that collects Americans’ phone records is illegal.
While some Americans have taken modest steps to stem the tide of data collection, few have adopted advanced privacy-enhancing measures. However, majorities of Americans expect that a wide array of organizations should have limits on the length of time that they can retain records of their activities and communications. At the same time, Americans continue to express the belief that there should be greater limits on government surveillance programs. Additionally, they say it is important to preserve the ability to be anonymous for certain online activities.
Most Americans hold strong views about the importance of privacy in their everyday lives.
The majority of Americans believe it is important – often “very important” – that they be able to maintain privacy and confidentiality in commonplace activities of their lives. Most strikingly, these views are especially pronounced when it comes to knowing what information about them is being collected and who is doing the collecting.
Survey results from early 2015 show:
93% of adults say that being in control of who can get information about them is important; 74% feel this is “very important,” while 19% say it is “somewhat important.”
90% say that controlling what information is collected about them is important—65% think it is “very important” and 25% say it is “somewhat important.”
Permission and publicness are key features that influence views on surveillance.
Americans say they do not wish to be observed without their approval; 88% say it is important that they not have someone watch or listen to them without their permission (67% feel this is “very important” and 20% say it is “somewhat important”).
Americans have little confidence that their data will remain private and secure.
Just 6% of adults say they are “very confident” that government agencies can keep their records private and secure, while another 25% say they are “somewhat confident.”
Only 6% of respondents say they are “very confident” that landline telephone companies will be able to protect their data and 25% say they are “somewhat confident” that the records of their activities will remain private and secure.
Credit card companies appear to instill a marginally higher level of confidence; 9% say they are “very confident” and 29% say they are “somewhat confident” their data will stay private and secure.
A very small number say they have changed their behavior to avoid being tracked recently, but many were already engaged in more common or less technical privacy-enhancing measures.
Tomi Engdahl says:
Elizabeth Weise / USA Today:
Birth dates, names, emails, and addresses of 1.1M DC-area customers of health insurer CareFirst potentially accessed in a June 2014 cyberattack
http://www.usatoday.com/story/tech/2015/05/20/1-million-carefirst-blueshield-cyberattack-fireeye-mandiant/27587659/
Tomi Engdahl says:
Airbus A400M plane crash linked to software fault
http://www.bbc.com/news/technology-32810273
Investigators have found evidence a military plane crash in Spain may have been caused by software problems.
It has sent out an alert to other air forces that have taken deliveries of the propeller aircraft, saying that they should carry out checks of the Electronic Control Units (ECU) on board.
“For practical purposes, these are computers, and there is one on each engine,” the spokesman said.
“What the ECU does is take the pilot’s inputs on the controls and then makes the engines perform in the optimum way to achieve what the pilot is asking it to do, taking a whole number of things into account.
He added that problems had only been found after the company’s investigators had checked both the maintenance data gathered by Airbus’s flight-operations team and the logs that had been generated during ground tests of flight MSN23.
“The maintenance data is vast streams of data showing everything going on all over the aeroplane, and one of the things we saw seems as if it could be pertinent to the accident,” he said.
“Until more detail about the cause of the recent A400M crash in Seville is known, the RAF has paused flying of its A400M Atlas aircraft,”
Tomi Engdahl says:
Feds Say That Banned Researcher Commandeered a Plane
http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/
A security researcher kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.
Tomi Engdahl says:
Choose Deutsche Telekom for all your bargain spying needs
Cable company helped NSA spy on Vienna for a decade, says Austrian MP
http://www.theregister.co.uk/2015/05/21/deutsche_telekom_accused_helping_decade_long_nsa_spying_campaign/
An Austrian newspaper has published what it claims is evidence that Deutsche Telekom spied on Vienna for German spooks for the miserly sum of just €6,500 a year.
On Tuesday, Peter Pilz publicly accused Deutsche Telekom of listening in on telephone and internet lines from Vienna, Luxembourg, Prague, Moscow and Ankara and passing the information on to the German national intelligence agency, the BND.
The document, secured by Pilz and published by Kronen Zeitung (known locally as “the Krone”), dates from March 2004. In it, Deutsche Telekom undertakes to pass on information “originating outside the Federal Republic of Germany” to the BND.
Tomi Engdahl says:
Eugene Kaspersky: “Our Business Is Saving the World From Computer Villains”
http://it.slashdot.org/story/15/05/20/1718236/eugene-kaspersky-our-business-is-saving-the-world-from-computer-villains
While the nature of Kaspersky’s relationship with the Kremlin remains, at the very least, a matter of contention, his company’s influence is anything but hazy. On top of their successful antivirus business, Kaspersky Lab researchers have discovered key details about the now-infamous Stuxnet virus, which was deployed by the U.S. and Israel against Iran’s nuclear facilities. Kaspersky analysts later uncovered Flame,
Eugene Kaspersky: ‘Our business is saving the world from computer villains’
http://www.dailydot.com/politics/eugene-kaspersky-interview/
When Eugene Kaspersky started Kaspersky Lab in 1997 to build computer antivirus technologies, it’s unlikely he could’ve predicted what 2015 would hold.
As the years have unfolded, the company has morphed into a multi-headed hydra of computer security, with offices in 200 countries around the world. Its technologies touch 300 million security-conscious users globally, and it’s made Kaspersky, the company’s chief executive, into a cybersecurity celebrity.
Tomi Engdahl says:
How 1990s Encryption Backdoors Put Today’s Internet In Jeopardy
http://it.slashdot.org/story/15/05/20/2051251/how-1990s-encryption-backdoors-put-todays-internet-in-jeopardy
While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war is still being felt. Logjam vulnerabilities making headlines today is “a direct result of weakening cryptography legislation in the 1990s,” researcher J. Alex Halderman said.
“Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we’ve seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy.”
How 1990s encryption backdoors put today’s Internet in jeopardy
http://www.dailydot.com/politics/logjam-vpn-top-sites-vulnerability/
What happens when the government deliberately weakens and attacks encryption?
In the midst of a renewed debate on American encryption laws, research released on Tuesday reveals two new cyberattacks collectively known as Logjam that affect tens of thousands of the most popular websites. It also shows how Bill Clinton-era encryption laws and George W. Bush-era NSA attacks on encryption have made the Web less secure today, and it likely disproves the U.S. government’s promise that it makes all crucial Internet vulnerabilities public.
The first part of the Logjam attack, like the Freak bug before it, allows an attacker to downgrade vulnerable connections to relatively weak 512-bit encryption that can be easily eavesdropped on or modified by a third party.
This is a direct consequence of 1990s American laws that limited the strength of exported encryption to 512 bits. The laws were designed so that American spies could more easily eavesdrop on foreign targets. The restrictions were eventually lifted after much resistance, but the consequences are still felt today due to widespread use of the weaker encryption.
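The downgrade works because a client accepts whatever Diffie-Hellman group the server offers; the defence is to inspect the group before using it. As an added illustration (not code from the Logjam researchers or the articles above), here is a parser for the ServerDHParams structure a TLS 1.2 server sends in ServerKeyExchange (RFC 5246 section 7.4.3) together with an acceptance policy. The sample moduli are constructed for the test and are not primes; the 2048-bit floor is a policy assumption.

```python
"""
Added example, not from the Logjam paper or the articles above: parsing
ServerDHParams (RFC 5246 7.4.3) and refusing groups too small to resist
the attack. Sample values are constructed; the bit floor is an assumption.
"""
import struct

MIN_DH_BITS = 2048  # assumption: policy floor; Logjam downgraded victims to 512-bit export groups


def _read_vec16(buf, offset):
    """Read one opaque <1..2^16-1> vector: 2-byte big-endian length, then body."""
    if offset + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, offset)
    offset += 2
    if n == 0 or offset + n > len(buf):
        raise ValueError("vector length out of range")
    return buf[offset:offset + n], offset + n


def parse_server_dh_params(buf):
    """Return (p, g, Ys) as integers from a ServerDHParams encoding."""
    p, off = _read_vec16(buf, 0)
    g, off = _read_vec16(buf, off)
    ys, off = _read_vec16(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after dh_Ys")
    return (int.from_bytes(p, "big"), int.from_bytes(g, "big"),
            int.from_bytes(ys, "big"))


def encode_server_dh_params(p, g, ys):
    """Inverse of parse_server_dh_params; used here only to build inputs."""
    def vec(n):
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack(">H", len(body)) + body
    return vec(p) + vec(g) + vec(ys)


def dh_params_acceptable(p, g, ys, min_bits=MIN_DH_BITS):
    """Client-side policy: modulus long enough and odd, generator and server
    public value strictly inside (1, p-1). Size alone does not prove p is a
    safe prime; a real client should also prefer well-known vetted groups."""
    return (p.bit_length() >= min_bits and p % 2 == 1
            and 1 < g < p - 1 and 1 < ys < p - 1)


if __name__ == "__main__":
    # Constructed 512-bit odd modulus standing in for an export-grade group.
    weak = encode_server_dh_params((1 << 511) | 1, 2, 5)
    p, g, ys = parse_server_dh_params(weak)
    print(p.bit_length(), "bits, acceptable:", dh_params_acceptable(p, g, ys))
```

Browsers fixed for Logjam do essentially this bit-length check, which is why the later item in this thread reports that thousands of sites with small groups stopped working for them.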
Tomi Engdahl says:
Simple Flaw Exposed Data On Millions of Charter Internet Customers
http://yro.slashdot.org/story/15/05/20/226200/simple-flaw-exposed-data-on-millions-of-charter-internet-customers
A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of millions of its customers.
After Fast Company notified Charter of the issue, the company said it had installed a fix within hours.
Simple Website Flaw Exposed Data Of Charter Internet Customers
http://www.fastcompany.com/3046477/simple-website-flaw-exposed-data-on-charter-internet-customers
The data of thousands of customers was vulnerable to a website hack, according to a researcher who spoke with Fast Company.
A security flaw discovered in the website of Charter Communications, a cable and Internet provider active in 28 states, may have exposed the personal account details of its customers.
Taylor, 18, discovered the issue with his colleague Blake Welsh, after recently finding a similar vulnerability in Verizon’s online customer service system. Luckily for Verizon, he said, that flaw “only exposed user IDs, phone numbers, and device names.” But the amount of user information exposed in Charter’s case, Taylor said, was “way way way more.”
Sensitive account information exposed by the simple hack includes payment details, modem serial numbers, device names, account numbers, home addresses, and more.
With 4.7 million residential Internet customers, Connecticut-based Charter is the nation’s fourth-largest cable operator.
How A Hacker Could Impersonate Subscribers
Charter’s site identified its customers through their IP addresses
Thus, obtaining a subscriber’s IP address is all an attacker would need to see their account details.
Using a lightweight add-on for Firefox to modify HTTP headers, called “X-Forwarded-For Header,” an attacker essentially could pass off a Charter customer’s IP address as their own. The plug-in, as its description explains, “Inserts a X-Forwarded-For field into the HTTP Request header. Some servers look at this field to identify the originating IP address.”
Such a trick can be easily automated
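The underlying mistake is treating a client-supplied header as the client's address. As an added example (not Charter's code or the researchers' tooling), the snippet below contrasts the naive derivation with one that only honours X-Forwarded-For when the TCP peer is a known reverse proxy; the proxy address and function names are assumptions.

```python
"""
Added example, not from the Fast Company article or Charter's site: deriving
a client address from X-Forwarded-For safely. The trusted-proxy address and
all function names are assumptions for illustration.
"""
import ipaddress

# Constructed: the only reverse proxy expected in front of the application.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip_naive(headers, peer_addr):
    """Weak pattern: believe whatever X-Forwarded-For the request carried.
    A browser add-on can set this header to any value."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_addr


def client_ip_hardened(headers, peer_addr):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    take the entry that proxy appended (the last one); anything earlier in
    the list was supplied by the client and is untrusted."""
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        return str(peer)
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        # Malformed entry: fall back to the proxy's own address rather than guess.
        return str(peer)


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "203.0.113.9"}   # constructed victim address
    print("naive:   ", client_ip_naive(spoofed, "198.51.100.7"))
    print("hardened:", client_ip_hardened(spoofed, "198.51.100.7"))
```

Even the hardened version only tells you where a connection came from; an address is not a credential, so account data should be tied to an authenticated session rather than looked up by IP at all.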
Tomi Engdahl says:
Telstra Says Newly Acquired Pacnet Hacked, Customer Data Exposed
http://it.slashdot.org/story/15/05/21/049245/telstra-says-newly-acquired-pacnet-hacked-customer-data-exposed
Telstra’s Asian-based data center and undersea cable operator Pacnet has been hacked exposing many of the telco’s customers to a massive security breach. The company said it could not determine whether personal details of customers had been stolen, but it acknowledged the possibility.
“Telstra said that an unauthorized third party had been able to gain access to the Pacnet business management systems through a malicious software installed via a vulnerability on an SQL server.”
Asian submarine network operator hit by major system hack
http://thestack.com/asian-submarine-network-operator-major-hack-200515
Undersea cable company Pacnet, recently acquired by Australian telecommunications giant Telstra, confirmed today that it has been the victim of a cyberattack targeting its email and administration systems and potentially exposing sensitive data of thousands of business and government customers.
Telstra said that an unauthorised third party had been able to gain access to the Pacnet business management systems through a malicious software installed via a vulnerability on an SQL server.
Tomi Engdahl says:
FBI: Social Media, Virtual Currency Fraud Becoming a Huge Problem
http://news.slashdot.org/story/15/05/20/2212239/fbi-social-media-virtual-currency-fraud-becoming-a-huge-problem
Criminals taking advantage of personal data found on social media and vulnerabilities of the digital currency system are two of the emerging Internet law-breaking trends identified by the FBI’s Internet Crime Complaint Center (IC3) in its annual look at online crime.
FBI: Social media, virtual currency hit big time scam, fraud club
http://www.networkworld.com/article/2924737/security0/fbi-social-media-virtual-currency-hit-big-time-scam-fraud-club.html
The Internet Crime Complaint Center (IC3) averaged 22,000 overall complaints a month during 2014
The IC3 said 12% of the complaints submitted in 2014 contained a social media trait. Complaints involving social media have quadrupled over the last five years. In most cases, victim’s personal information was exploited through compromised accounts or social engineering.
Some of the most complained about social media fraud methods identified by the IC3 include:
Click-jacking: Concealing hyperlinks beneath legitimate clickable content which, when clicked, causes a user to unknowingly perform actions, such as downloading malware, or sending personal information to a website. Numerous click-jacking scams have employed “Like” and “Share” buttons on social networking websites. Research other ways to use your browser options to maximize security.
Doxing: Publicly releasing a person’s identifying information online without authorization. Caution should be exercised by users when sharing or posting information about themselves, family, and friends.
Pharming: Redirecting users from legitimate websites to fraudulent ones for the purpose of extracting confidential data. Type in an official website, instead of “linking” to it from an unsolicited source.
On the digital currency front, the IC3 reported that in 2014 virtual currency schemes more than doubled from the previous year. Bitcoin, Litecoin, and Peercoin, just to name a few
Popular crypto-currency scams reported to the IC3 in 2014:
Victims not receiving their crypto-currency mining equipment or mining contracts after they paid for them.
Crypto-currency mining is the process of producing crypto or virtual currencies using computers. Computers are used to solve mathematical equations, generating crypto-coins.
Victims sending high performance computers to crypto-mining datacenters to join others in a mining pool, only to be scammed by the operators. The losses included damages to computers during transit, receiving little or no crypto-coins from joining the datacenter pool, or having their computer stolen.
Other victims have reported hacking of their virtual wallets, and then being blackmailed to get their money back.
Tomi Engdahl says:
Steve Dent / Engadget:
About 20K secure websites will be unavailable to browsers fixed for Logjam under their current settings
‘Logjam’ browser vulnerability fix will block thousands of websites
http://www.engadget.com/2015/05/20/logjam-browser-vulnerability-fix/
Tomi Engdahl says:
CBC News:
US, Canada, UK, Australia, and New Zealand planned to hijack Google and Samsung app stores to implant spyware on smartphones
Spy agencies target mobile phones, app stores to implant spyware
Users of millions of smartphones put at risk by certain mobile browser gaps, Snowden file shows
http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546
Canada and its spying partners exploited weaknesses in one of the world’s most popular mobile browsers and planned to hack into smartphones via links to Google and Samsung app stores, a top secret document obtained by CBC News shows.
Electronic intelligence agencies began targeting UC Browser — a massively popular app in China and India with growing use in North America — in late 2011 after discovering it leaked revealing details about its half-billion users.
Their goal, in tapping into UC Browser and also looking for larger app store vulnerabilities, was to collect data on suspected terrorists and other intelligence targets — and, in some cases, implant spyware on targeted smartphones.
The 2012 document shows that the surveillance agencies exploited the weaknesses in certain mobile apps in pursuit of their national security interests, but it appears they didn’t alert the companies or the public to these weaknesses. That potentially put millions of users in danger of their data being accessed by other governments’ agencies, hackers or criminals.
Tomi Engdahl says:
Robin Sidel / Wall Street Journal:
FICO: theft of debit card data from bank ATMs is up 174% YoY, up 317% at nonbank machines
Theft of Debit-Card Data From ATMs Soars
Thieves are stealing information to make counterfeit plastic
http://www.wsj.com/article_email/theft-of-debit-card-data-from-atms-soars-1432078912-lMyQjAxMTE1MjI0MDQyNzAxWj
Criminals are stealing card data from U.S. automated teller machines at the highest rate in two decades, preying on ATMs while merchants crack down on fraud at the checkout counter.
The incidents, in which thieves steal information from debit cards to make counterfeit plastic, are taking place at ATMs that are owned by banks as well as independently owned cash kiosks in shopping centers, convenience stores and restaurants, according to industry executives.
From January to April 9, 2015, the number of attacks on debit cards used at ATMs reached the highest level for that period in at least 20 years, according to FICO, a credit-scoring and analytics firm. The company tracks such incidents through its card- monitoring service for financial institutions that represent more than 65% of all U.S. debit cards.
Tomi Engdahl says:
Train safety technology could have saved lives
http://www.edn.com/electronics-blogs/anablog/4439471/Train-safety-technology-could-have-saved-lives?_mc=NL_EDN_EDT_EDN_weekly_20150521&cid=NL_EDN_EDT_EDN_weekly_20150521&elq=264ebcdc489248cc9b1f09d2a61860c2&elqCampaignId=23108&elqaid=26020&elqat=1&elqTrackId=cc5528c1da544320b985a32416f0869c
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
Firefox Will Soon Get Sponsored Suggested Tiles Based On Your Browsing History
http://techcrunch.com/2015/05/21/mozilla-will-soon-launch-sponsored-suggested-tiles-based-on-your-browsing-history/
It’s pretty odd hearing a not-for-profit organization like Mozilla talk about how it wants to help advertisers strengthen the conversation between brands and its users — especially given that I’ve never met anybody who wanted to have a conversation with a brand. But that’s the world we live in.
Mozilla today launched its “Suggested Tiles” program, which promises advertisers prime real estate in Firefox’s new tab page. These ads will come to Firefox Beta first — mostly in the form of house ads — and then roll out to the main Firefox release channel soon after.
This move doesn’t come as a major surprise. Mozilla has featured sponsored ‘Directory Tiles‘ in Firefox for a few months now
Tomi Engdahl says:
Software Secure? Good! But What About the Hardware (FPGAs & SoCs)?
http://www.eetimes.com/document.asp?doc_id=1326659&
As we all know, more and more devices are being designed to be Internet-enabled. It’s also common knowledge that Cisco predicts that 50-billion devices, such as automobiles, home automation devices, consumer electronics, medical devices, and wearables, will be connected to the Internet by 2020.
The sad fact of life, however, is that the creators of these devices often neglect the security aspects of their designs, thereby leaving them potentially susceptible to cyberattacks. Every day, we hear about new examples of things like hacking cars, hacking medical devices, and even a creep hacking a baby monitor to scream abuse at an infant and its parents.
Tomi Engdahl says:
Snowden latest: NSA planned sneak attacks on Android app stores
Agencies also hid major flaws in UC Browser
http://www.theregister.co.uk/2015/05/22/snowden_latest_nsa_planned_sneak_attacks_on_android_app_stores/
The latest package of documents from whistleblower Edward Snowden details how the intelligence services planned to host man-in-the-middle attacks to install tracking and control software onto Android smartphones.
According to a presentation released from the Snowden archive to The Intercept the so-called “5 Eyes” nation’s intelligence agencies – from the US, UK, Canada, Australia, and New Zealand – spent 2011 and 2012 working out ways to subvert connections to popular app stores, such as those run by Google and Samsung, in a project dubbed IRRITANT HORN.
That the intelligence services are working on software that can subvert iOS, Android and other smartphone operating systems isn’t new. But the presentation details how operatives could intercept communications between app servers and customers to install code that could harvest personal information and even display disinformation on handsets.
Tomi Engdahl says:
Hacker uses Starbucks INFINITE MONEY for free CHICKEN SANDWICH
Coffee king finds cheeky exploit a bitter taste
http://www.theregister.co.uk/2015/05/22/hacker_uses_starbucks_infinite_money_for_free_chicken_sandwich/
Sakurity hacker Egor Homakov has found a way to dupe Starbucks into loading free cash onto the “coffee” chain’s payment cards.
Homakov says a race condition within Starbucks’ card purchase system means money can be transferred between cards without it being deducted.
The bug hunter exploited the bug and tested it by purchasing food and drink at Starbucks.
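The card-to-card transfer race described in the article, reduced to a constructed Python model (added here; not Starbucks’ code, and the ledger, card ids and balances are invented). Two concurrent transfers both pass the balance check before either one commits, so the second deduction is lost and value appears from nowhere; serialising check and commit under one lock restores the invariant that the total balance never changes.

```python
"""Constructed model of a check-then-commit race in a balance transfer."""
import threading
from typing import Callable, Dict

Hook = Callable[[], None]  # test seam: runs between the check and the commit


class Ledger:
    """Card balances keyed by card id. safe=False reproduces the lost-update bug."""

    def __init__(self, balances: Dict[str, int], safe: bool) -> None:
        self.balances = dict(balances)
        self.safe = safe
        self._lock = threading.Lock()

    def transfer(self, src: str, dst: str, amount: int,
                 hook: Hook = lambda: None) -> bool:
        if self.safe:
            with self._lock:  # check and commit become one atomic step
                return self._check_then_commit(src, dst, amount, hook)
        return self._check_then_commit(src, dst, amount, hook)  # unserialised

    def _check_then_commit(self, src: str, dst: str, amount: int,
                           hook: Hook) -> bool:
        if amount <= 0 or self.balances[src] < amount:
            return False
        new_src = self.balances[src] - amount  # computed from a stale read ...
        hook()  # ... so a concurrent transfer can pass the same check here
        self.balances[src] = new_src  # second writer overwrites, not subtracts
        self.balances[dst] += amount
        return True


def run_concurrent_transfers(safe: bool) -> Dict[str, int]:
    """Two transfers of the same 5 units out of card A, forced to interleave."""
    ledger = Ledger({"A": 5, "B": 0, "C": 0}, safe=safe)
    barrier = threading.Barrier(2, timeout=0.5)

    def pause() -> None:
        try:
            barrier.wait()  # unsafe: both threads arrive, then both commit
        except threading.BrokenBarrierError:
            pass  # safe: the lock holder times out alone and simply proceeds

    t1 = threading.Thread(target=ledger.transfer, args=("A", "B", 5, pause))
    t2 = threading.Thread(target=ledger.transfer, args=("A", "C", 5, pause))
    t1.start()
    t2.start()
    t1.join()
    t2.join()
    return ledger.balances


if __name__ == "__main__":
    print("unsafe:", run_concurrent_transfers(safe=False))  # total grows to 10
    print("safe:  ", run_concurrent_transfers(safe=True))   # total stays 5
```

In a real payment backend the lock is usually a database transaction with a row lock or an atomic conditional update; the point is that the balance check and the debit must not be separable by another request.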
Tomi Engdahl says:
CareFirst Admits More Than a Million Customer Accounts Were Exposed In Security Breach
http://yro.slashdot.org/story/15/05/21/1657238/carefirst-admits-more-than-a-million-customer-accounts-were-exposed-in-security-breach
An anonymous reader writes with news, as reported by The Stack, that regional health insurer CareFirst BlueCross BlueShield has confirmed a breach which took place last summer, and may have leaked personal details of as many as 1.1 million of the company’s customers.
More than a million CareFirst customer accounts exposed in security breach
http://thestack.com/more-million-carefirst-customer-exposed-security-breach-210515
CareFirst BlueCross BlueShield, one of the largest regional health insurers in the U.S., has confirmed a major security breach which is thought to have affected as many as 1.1 million customers.
The Washington D.C.-based firm announced yesterday that the hack had taken place in June last year. CareFirst said that the breach had been a “sophisticated cyberattack” and that those behind the crime had accessed and potentially stolen sensitive customer data including names, dates of birth, email addresses and ID numbers.
However the health insurance group did assure that usernames must be used in tandem with a password created by the members themselves to gain access to the personal account data stored on the website.
Tomi Engdahl says:
MSpy admits hacking and data theft
http://www.bbc.com/news/technology-32826678
A company offering software that allows people to spy on others has admitted it has been hacked and had thousands of customer records leaked online.
The admission comes a day after mSpy told BBC News it had not been hacked and no data had been stolen.
It has also emerged that the UK’s Information Commissioner is investigating the company.
It told the BBC it was “aware of the breach and is trying to find out where the company is based”.
MSpy offers software it says is aimed at parents worried about what their children are up to online and employers who want to legitimately track their employees.
But it is also used for more nefarious purposes, such as spouses spying on their partners.
Tomi Engdahl says:
Netgear and ZyXEL Confirm NetUSB Flaw, Are Working On Fixes
http://it.slashdot.org/story/15/05/21/224212/netgear-and-zyxel-confirm-netusb-flaw-are-working-on-fixes
Tomi Engdahl says:
Adult FriendFinder data hack leaves millions of members exposed
Users with a fetish for risky encounters in public spaces will be thrilled
http://www.theregister.co.uk/2015/05/22/adult_hookup_site_breach_data/
Hackers have exposed the personal details and sexual preferences of 3.9 million users of hook-up site Adult FriendFinder.
Users, including those who asked for their account to be deleted, have been left in an awkward position after hackers broke into systems before uploading the details to the dark web.
Email addresses, usernames, postcodes, dates of birth and IP addresses of 3.9 million members have been exposed.
The UK’s Channel 4 News, which came across the leak during a wider investigation into the dark web, broke the story of the breach on Thursday.
FriendFinder Networks admitted the breach and told Channel 4 that it had launched a “comprehensive investigation with the help of a leading third-party forensics expert”.
Adult dating site hack exposes millions of users
http://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web
Hackers have struck one of the world’s largest internet dating websites, leaking the highly sensitive sexual information of almost four million users onto the web.
The stolen data reveals the sexual preferences of users, whether they’re gay or straight, and even indicates which ones might be seeking extramarital affairs. In addition, the hackers have revealed email addresses, usernames, dates of birth, postal codes and unique internet addresses of users’ computers.
Channel 4 News has been investigating the cyber underworld, discovering which websites have been hacked and exposing the trade in personal information of millions of people through so-called “dark web” sites.
Tomi Engdahl says:
Academics Build a New Tor Client Designed To Beat the NSA
http://yro.slashdot.org/story/15/05/21/1946238/academics-build-a-new-tor-client-designed-to-beat-the-nsa
In response to a slew of new research about network-level attacks against Tor, academics from the U.S. and Israel built a new Tor client called Astoria designed to beat adversaries like the NSA, GCHQ, or Chinese intelligence who can monitor a user’s Tor traffic from entry to exit.
Hackers build a new Tor client designed to beat the NSA
http://www.dailydot.com/politics/tor-astoria-timing-attack-client/
Anonymity’s toughest adversaries are hackers with the full-force and backing of Beijing, London, and Washington, D.C.
With the threat of powerful intelligence agencies, like the NSA, looming large, researchers have built a new Tor client called Astoria designed specifically to make eavesdropping harder for the world’s richest, most aggressive, and most capable spies.
The website on the receiving end doesn’t know who is visiting, only that a faceless Tor user has connected.
An eavesdropper shouldn’t be able to know who the Tor user is either, thanks to the encrypted traffic being routed through 6,000 nodes in the network.
But something called “timing attacks” change the situation. When an adversary takes control of both the entry and exit relays, research shows they can potentially deanonymize Tor users within minutes.
A full 58 percent of Tor circuits are vulnerable to network-level attackers
Even though Tor is designed to provide complete anonymity to its users, the NSA’s position means they can potentially see and measure both traffic entering the Tor network and the traffic that comes out. When an intelligence agency can see both, simple statistics help an autonomous system at their control match the data up in a timing attack and discover the identity of the sender.
Anonymity over.
This kind of threat has been known to Tor developers for over a decade. They’ve been trying to make eavesdropping difficult for spy agencies for just as long.
Astoria reduces the number of vulnerable circuits from 58 percent to 5.8 percent, the researchers say. The new solution is the first designed to beat even the most recently proposed asymmetric correlation attacks on Tor.
Designed to beat such attacks, Astoria differs most significantly from Tor’s default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool, at its foundation, is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries.
Tomi Engdahl says:
Imagination renews system chip protection
Imagination Technologies is primarily known for its PowerVR GPUs. Now the company has introduced a new technology that will revolutionize the protection and security of different system chips. The company calls the technology Omnishield.
Omnishield lets engineers use software and ready-made IP hardware to design a system chip so that all applications requiring protection are isolated from each other. In addition, they are protected from unsafe applications.
Omnishield can be scaled freely, so a protected block can be implemented in all the different units: the central processor, the GPU, as well as a variety of application processors.
In many current architectures, the CPU and other processors share application data, memory and other resources, so they all have to provide the same high level of security.
Source: http://etn.fi/index.php?option=com_content&view=article&id=2862:imagination-uudisti-jarjestelmapiirien-suojauksen&catid=13&Itemid=101
More info: http://www.imgtec.com/platforms/omnishield.asp
Tomi Engdahl says:
DDoS attack downs University of London learning platform
A harsh lesson, now stand in corridor for four hours
http://www.theregister.co.uk/2015/05/22/university_of_london_ddos_attack/
The University of London Computer Centre fell victim to a cyber-attack on Thursday.
The assault left Moodle – an open-source learning platform – out of action for several hours on Thursday morning before normal service was restored.
Technicians initially estimated problems were down to firewall configuration issues.
George Anderson, director at security software firm Webroot, said that the timing of the attack just before students sit their finals is unlikely to be a coincidence.
“This attack was clearly implemented to have maximum impact on a system that would have been at peak usage around exam time,” Anderson said.
Tomi Engdahl says:
mSpy: We haven’t been breached. Customers: Oh yes you have
In fact, we’re victim of a ‘predatory attack’, says snooper
http://www.theregister.co.uk/2015/05/22/mspy_denies_breach_hack_spyware/
Controversial commercial spyware firm mSpy has denied it’s been hacked, following an apparent breach of its systems several days ago.
However, its contention that the incident is just the latest in a series of extortion attempts is seemingly undermined by confirmation that some of the private information leaked is genuine.
mSpy’s “mobile monitoring software” is marketed as a means for parents and employers to surreptitiously snoop on family members or employees.
So, it was bad news when mSpy’s database appeared on the dark web, following an apparent hack on its systems around a fortnight ago.
Tomi Engdahl says:
Attacking ECMAScript Engines with Redefinition
https://www.blackhat.com/us-15/briefings.html#attacking-ecmascript-engines-with-redefinition
The dynamic nature of ECMAScript allows for functions and properties to be redefined in a variety of ways – even functions that are vital for internal functionality of the ECMAScript engine.
Tomi Engdahl says:
Ryan Gallagher / The Intercept:
Spy summit attended by Apple, Google, Vodafone, head of GCHQ, other intel notables tackled questions like “Are we being misled by the term ‘mass surveillance’?” — Apple and Google Just Attended a Confidential Spy Summit in a Remote English Mansion
Apple and Google Just Attended a Confidential Spy Summit in a Remote English Mansion
https://firstlook.org/theintercept/2015/05/22/apple-google-spy-summit-cia-gchq-ditchley-surveillance/
At an 18th-century mansion in England’s countryside last week, current and former spy chiefs from seven countries faced off with representatives from tech giants Apple and Google to discuss government surveillance in the aftermath of Edward Snowden’s leaks.
The three-day conference, which took place behind closed doors and under strict rules about confidentiality, was aimed at debating the line between privacy and security.
According to an event program obtained by The Intercept, questions on the agenda included: “Are we being misled by the term ‘mass surveillance’?” “Is spying on allies/friends/potential adversaries inevitable if there is a perceived national security interest?” “Who should authorize intrusive intelligence operations such as interception?” “What should be the nature of the security relationship between intelligence agencies and private sector providers, especially when they may in any case be cooperating against cyber threats in general?” And, “How much should the press disclose about intelligence activity?”
Tomi Engdahl says:
Google Study Shows Security Questions Aren’t All That Secure
http://techcrunch.com/2015/05/21/google-study-shows-security-questions-arent-all-that-secure/
What is your favorite food? What was your first teacher’s name? What’s the name of your first pet? Do those questions sound familiar to you? If they do, it’s probably because you either have really boring and repetitive conversations or you’ve answered them as security questions when you signed up for a new account somewhere. They’re meant to provide an extra layer of security, but according to a new study by Google’s security team, they aren’t all that secure.
Looking at ‘hundreds of millions’ of these questions and their answers from Google users who tried to recover their accounts, the team concluded that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism.” That’s because they are either too easy to remember (and hence to guess) or too hard to remember (and hence easy to forget). There doesn’t seem to be much of a middle ground.
Chances are, for example, that when you try to guess what an English-speaking user said was his or her favorite food, guessing pizza would get you a long way (almost 20 percent of Google users apparently used this as their answer). Using 10 guesses, there’s also a 21 percent chance of guessing a Spanish speaker’s father’s middle name.
In total, 40 percent of English-speaking users in the U.S. couldn’t recall their questions at all.
Tomi Engdahl says:
Cloud Security Temperature Check
What keeps Reg readers up at night?
http://www.theregister.co.uk/2015/05/20/cloud_security_survey_results/
The democratising effect of cloud is a double-edged sword
Reports of the imminent demise of the corporate data centre might be somewhat exaggerated, but if you work in IT, the chances are that you are seeing more use of cloud services across your organisation. Software as a Service (SaaS) has lowered the barriers to adoption for many business applications. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), meanwhile, are increasingly seen by developers and operations staff as important keys to streamlining application delivery.
Whether you are an advocate or sceptic, there is no denying that cloud services in their various forms have a strong democratising effect.
But while this ease of adoption is highly convenient and great for flexibility and responsiveness, the benefits of rapid cloud adoption often come at a price. The danger is that the organisation ends up accumulating a sprawling mishmash of services that don’t work well together and collectively create a significant data and application management headache. Disjoints between ‘cloud silos’ can even undermine the very efficiency and flexibility gains that were sought in the first place.
Cloud computing is simply an alternative model for application deployment and storage of data.
Distributed and inconsistent landscapes create more problems
As a result of the cloud-related acquisition behaviour we have been discussing, both within the business and within IT, security challenges can arise around trying to coordinate security and identity across boundaries.
Tools are available to help, but they aren’t always used
When it comes to security tooling, the survey suggests that most know what they should be using, but they are frequently not acting on this knowledge.
Familiar people-related issues remain a problem for many
A frequent lack of understanding and appreciation of the cloud security imperative among senior managers is evident from the survey, and this obviously goes hand-in-hand with some of the previously mentioned funding and resourcing challenges. What also comes across is a clear need in many cases to both educate and motivate users, not just on cloud-specific security risks, but also on the more fundamental matter of what constitutes sensitive data.
It’s important to act sooner rather than later
Wherever you are in terms of cloud adoption, it’s important to develop a sustainable approach to managing security as soon as you can.
Tomi Engdahl says:
Erin Kelly / USA Today:
Senate blocks USA Freedom Act and extensions to key provisions of Patriot Act, will reconvene May 31, just hours before expiration
Senate blocks extension of Patriot Act provisions
http://www.usatoday.com/story/news/politics/2015/05/23/patriot-act-extension-senate-vote/27717837/
WASHINGTON – Three key sections of the Patriot Act are set to expire on June 1 unless the Senate resolves a stalemate with the House over the future of the sweeping anti-terrorism law.
The Senate early Saturday blocked a bill that would have extended the provisions for another two months, leaving the leadership in a tough spot as the deadline loomed and Congress prepared to take a week-long recess for the Memorial Day holiday.
Democrats and libertarian-leaning Republicans pushed back, arguing that the existing law violates Americans’ privacy rights and has not been effective at catching terrorists.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers find an estimated 500M+ Android devices may not fully wipe data after factory reset
Flawed Android factory reset leaves crypto and login keys ripe for picking
An estimated 630 million phones fail to purge contacts, e-mails, images, and more.
http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/
In the first comprehensive study of the effectiveness of the Android feature, Cambridge University researchers found that they were able to recover data on a wide range of devices that had run factory reset. The function, which is built into Google’s Android mobile operating system, is considered a crucial means for wiping confidential data off of devices before they’re sold, recycled, or otherwise retired. The study found that data could be recovered even when users turned on full-disk encryption.
“It’s going to have a major impact in organizations that have fairly mature established disposal practices because they’re not effective,” Kenn White, a North Carolina-based computer scientist who has read the paper, told Ars. “It’s a staggering number of devices out there that are exposed, and it’s not just somebody’s Gmail password. It’s images, photos, text, chat. It’s all these things that are private that you think if you’ve reset it you’ve reset it.”