2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. 2014 was much worse than 2013: Heartbleed, the Bash bug (Shellshock) and POODLE were just a taste of what to expect in 2015. I expect that 2014 will look easy compared to 2015, which will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they do not have to be major attacks by nation states; they can come from inside or outside.
According to Gartner figures (via SecurityWeek), total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?
2014 was a year of cyber security news following the NSA revelations of 2013. Lots of articles were written about the material that was published. Not everything has been published yet, so I expect new details from the NSA revelations to surface in 2015, and with them new leaks on how governmental security organizations spy on us all.
It seems that 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) becomes mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers, and the changes follow a string of high-profile breaches. I expect that the new requirements will not result in any quick change to the situation. As breach reports keep coming, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to recover the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it did not plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. The 2014 Sony Pictures hack showed that the motives of sophisticated attackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally focused on other threats). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a less well-prepared company into a complete disaster from which it cannot recover. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet-connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and together with safety it will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT-related data theft. In a report, cyber security firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyber attacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons: it is cheaper and far more accessible to small nation-states, and it lets them pull off attacks with less risk of getting caught and fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the very details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructure that society relies on, including electric grids and oil and gas pipelines.
It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015; the tools for it are available. A cyber murder could also happen without us knowing about it.
Mobile devices will be one of the focal points for cyber attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to publish malicious applications to app stores. Within the next year, advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks succeed because they are well-disguised, blend different techniques and constantly evolve. You need layered security, and it is not just for networks: use a layered security architecture that combines defenses in ways attackers do not expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well (start with email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (the SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction towards a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, governments and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
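What "aggregated and understood by others" means in practice is that a shared indicator has to be machine-matchable against your own telemetry, and that your own matches should flow back out in the same format. The following is an added example, not code from the original post or from any vendor: it takes a constructed indicator bundle in a STIX 2.x-style JSON shape (the 2015-era standard was STIX 1.x XML, so the exact shape is an assumption), runs the indicators over constructed proxy log lines, and turns the hits into sighting objects. Only the simplest pattern form, `[object-type:property = 'value']`, is understood; compound patterns are skipped rather than guessed at.

```python
"""Consume shared threat indicators, run them over local logs, report sightings.

Added example, not from the original post. The bundle and log lines are
constructed samples; the STIX 2.x JSON shape is an assumption."""
import json
import re

# Constructed bundle: two indicators in the supported form and one compound
# pattern the matcher deliberately refuses to interpret.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--example",
    "objects": [
        {"type": "indicator", "id": "indicator--c2-host", "name": "Known C2 host",
         "pattern": "[domain-name:value = 'update-check.example.net']"},
        {"type": "indicator", "id": "indicator--scanner", "name": "Scanning source",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--compound", "name": "Needs a real engine",
         "pattern": "[ipv4-addr:value = '203.0.113.40' AND url:value = 'http://cdn.example.org/x']"},
    ],
})

# Constructed proxy log, one request per line: timestamp client dest_ip host status
SAMPLE_LOG = """\
2015-05-26T10:01:02Z 10.0.0.5 203.0.113.9 www.example.com 200
2015-05-26T10:01:07Z 10.0.0.5 198.51.100.23 update-check.example.net 200
2015-05-26T10:02:11Z 10.0.0.8 203.0.113.40 cdn.example.org 304
2015-05-26T10:03:45Z 10.0.0.8 198.51.100.23 198.51.100.23 404
"""

# Exactly one comparison: [type:property = 'value']. Anything else is unsupported.
SIMPLE_PATTERN = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def parse_indicators(bundle_json):
    """Return (indicator_id, 'type:property', value) for each supported pattern."""
    supported = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if m:
            supported.append((obj["id"], f"{m.group(1)}:{m.group(2)}", m.group(3).lower()))
    return supported


def observations(log_line):
    """Map one proxy log line onto the STIX object properties it evidences."""
    _ts, client, dest_ip, host, _status = log_line.split()
    return {"ipv4-addr:value": {client, dest_ip}, "domain-name:value": {host.lower()}}


def match_log(bundle_json, log_text):
    """Return (indicator_id, line_number) for every indicator seen in the log."""
    indicators = parse_indicators(bundle_json)
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        seen = observations(line)
        for ind_id, prop, value in indicators:
            if value in seen.get(prop, ()):
                hits.append((ind_id, line_no))
    return hits


def build_sightings(hits):
    """Aggregate hits into STIX-style sighting objects to share back upstream."""
    counts = {}
    for ind_id, _ in hits:
        counts[ind_id] = counts.get(ind_id, 0) + 1
    return [{"type": "sighting", "sighting_of_ref": ind_id, "count": n}
            for ind_id, n in sorted(counts.items())]


if __name__ == "__main__":
    found = match_log(SAMPLE_BUNDLE, SAMPLE_LOG)
    for ind_id, line_no in found:
        print(f"line {line_no}: {ind_id}")
    print(json.dumps(build_sightings(found), indent=2))
```

The point of the refusal to parse the compound pattern is that a matcher which silently drops half of a pattern produces false confidence; a real deployment would hand such patterns to a full pattern engine or reject the indicator with a logged reason. Note also that the domain indicator does not fire on the fourth line even though the same IP is involved, because the host field there is a bare address, which is why indicators for the same infrastructure are usually shared as both a domain-name and an ipv4-addr pattern.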
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing transport encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority, backed by big names on the internet including Mozilla, Cisco and Akamai, plans to offer TLS certificates at no charge starting in summer 2015. This move will make it even easier to run encrypted HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean that a warning pops up when people visit a site that uses only HTTP, to notify them that such a connection “provides no data security”. In the short term the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to HTTPS.
You cannot trust that normal web security technologies will guarantee safety, and your HTTPS traffic will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all problems. The increased use of HTTPS has made the life of IT departments harder, because ordinary firewalls cannot look inside encrypted HTTPS traffic, so they cannot block threats carried within it. Some corporate firewall products can intercept HTTPS traffic: they perform a kind of man-in-the-middle attack, decrypting and re-encrypting the traffic on the way, which works only because the company has installed its own CA certificate on the managed clients. So SSL/TLS communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
NSA bulk phone records collection to end despite USA Freedom Act failure
http://www.theguardian.com/us-news/2015/may/23/nsa-bulk-phone-records-collection-usa-freedom-act-senate
Administration has not applied to secret court for 90-day extension
USA Freedom Act fails in early hours after long Senate session
Even as the Senate remains at an impasse over the future of US domestic surveillance powers, the National Security Agency will be legally unable to collect US phone records in bulk by the time Congress returns from its Memorial Day vacation.
The administration decision ensures that beginning at 5pm ET on 1 June, for the first time since October 2001 the NSA will no longer collect en masse Americans’ phone records.
It represents a quiet, unceremonious end to the most domestically acrimonious NSA program revealed by whistleblower Edward Snowden, in a June 2013 exposé in the Guardian
The NSA and the Obama administration have conceded that the bulk domestic phone records collection has never stopped a terrorist attack.
“Those who helm the government’s surveillance apparatus have engaged in craven abuse of already overly-expansive spying powers that do nothing to reduce the threat of terrorism, but pose ongoing threats to privacy, freedom, and democratic governance.”
Tomi Engdahl says:
Pictures that Defeat Key Locks
http://hackaday.com/2015/05/23/pictures-that-defeat-key-locks/
We’re at LayerOne this weekend and one of the talks we were excited about didn’t disappoint. [Jos Weyers] presented Showing Keys in Public — What Could Possibly Go Wrong? The premise is that pictures of keys, in most cases, are as good as the keys themselves. And that pictures of keys keep getting published.
[Jos] spoke a bit about new services that offer things like 3D scanning and storage of your key for printing when you get locked out, or apps that ask you to take a picture of your key and they’ll mail you a duplicate. Obviously this isn’t the best of ideas; you’re giving away your passwords.
We’ve already seen the proof of concept for taking covert images to perfectly duplicate a key.
A master key for the NYC Subway was compromised and available for sale. The news coverage not only shows a picture at the top of the story of a man holding up the key straight on, but this image of it on a subway map which can be used to determine scale. This key, which is still published openly on the news story linked above, opens 468 doors to the subway system and these are more than just the ones that get you onto the platform for free. We were unable to determine if these locks have been changed.
Worse, was the availability of fire-department master keys which open lock boxes outside of every building. A locksmith used to cut the original keys went out of business and sold off all their stock.
There was also an example of speed camera control cabinet keys being shown by a reporter.
Some locks are stronger than others, but they’re all meaningless if we’re giving away the keys.
Tomi Engdahl says:
The Ease of Adding Trojans to Major Financial Android Apps
http://hackaday.com/2015/05/24/the-ease-of-adding-trojans-to-major-financial-android-apps/
This was both an amusing and frightening talk. [Sam Bowne] presented How to Trojan Financial Android Apps on Saturday afternoon at the LayerOne Conference. [Sam] calculates that 80-90% of the apps provided by major financial institutions like banks and investment companies are vulnerable and the ease with which trojans can be rolled into them is incredible.
[Sam] did a great job of concisely describing the circumstances that make Android particularly vulnerable to the attacks which are the subject of the talk. Android programs are packaged as APK files which are easy to unpack. The “compiled” code itself is called smali and is readable in a similar way as Java. It’s super easy to unpack and search this byte code using grep. Once the interesting parts are located, the smali code can be altered and the entire thing can be repackaged.
So what can be done? This is about information harvesting. [Sam’s] proof of concept uses a python script to insert logging for every local variable.
He demonstrated live on the Bank of America app. From the user side of things it looks exactly like the official app, because it is the official app. However, when you register your account the log reports the card number as you can see here. Obviously this information could easily be phoned-home using a number of techniques.
As mentioned, the vast majority of banking and financial apps are vulnerable to this, but some have made an attempt to make it more difficult.
What is the most troubling is that none of these companies have a means of reporting security vulnerabilities. It was amusing to hear [Sam] recount his struggle to report these issues to Charles Schwab. Online contact forms were broken and wouldn’t post data and several publicly posted email addresses bounced email.
He resorted to a trick he has used many times in the past… Tweeting to the CEO of Charles Schwab to start up a direct-message conversation. This itself is a security problem as @SwiftOnSecurity proves by pointing out that whenever @SamBowne Tweets a CEO it’s because he found a vulnerability in that company’s platform and can’t find a reasonable way to contact the company.
Although very rare, sometimes these apps do get patched.
This may sound like all of us Android users should despair but that’s not the case. Adding verification, even if it’s possible to defeat it, does make the apps safer; attackers may not want to invest the extra time to try to defeat it.
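The repackaging path described in the comment above (unpack, patch the smali, repack) leaves two traces that are cheap to check: every entry in a JAR-style signed APK has a digest recorded in META-INF/MANIFEST.MF, and the signature block in META-INF/ is produced by whoever signed the package last. The following is an added example, not code from the talk or from any bank's app. It uses only the Python standard library, covers only the classic (v1) APK signature layout, and constructs its own sample APKs and pinned signer value, which are stand-ins rather than real artifacts.

```python
"""Detect a repackaged APK: manifest digests must match the zip entries and
the signer block must match a pinned value.

Added example, not from the talk or from any real app. v1 (JAR-style)
signature layout only; sample APKs and the pin are constructed below."""
import base64
import hashlib
import io
import zipfile


def _unfold(manifest_text):
    """Join MANIFEST.MF continuation lines (a leading space continues the line)."""
    lines = []
    for raw in manifest_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_manifest(manifest_text):
    """Return {entry_name: (hashlib_algorithm, base64_digest)}."""
    digests, name = {}, None
    for line in _unfold(manifest_text):
        if not line:
            name = None                      # a blank line ends the section
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key.endswith("-Digest") and name is not None:
            # "SHA1-Digest" -> sha1, "SHA-256-Digest" -> sha256
            digests[name] = (key[:-len("-Digest")].replace("-", "").lower(), value)
    return digests


def tampered_entries(apk_bytes):
    """Entries whose content differs from the manifest, or that are not listed in it."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        expected = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in z.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in expected:
                bad.append(name)             # file added after signing
                continue
            alg, digest = expected[name]
            actual = base64.b64encode(hashlib.new(alg, z.read(name)).digest()).decode()
            if actual != digest:
                bad.append(name)
    return bad


def signer_block_sha256(apk_bytes):
    """SHA-256 of the single META-INF/*.RSA|.DSA|.EC signature block, or None."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        return hashlib.sha256(z.read(blocks[0])).hexdigest() if len(blocks) == 1 else None


def assess(apk_bytes, pinned_signer_sha256):
    return {"tampered_entries": tampered_entries(apk_bytes),
            "signer_matches_pin": signer_block_sha256(apk_bytes) == pinned_signer_sha256}


# --- constructed sample APKs (stand-ins, not real apps) ---------------------
def build_apk(entries, signer_block):
    """Write entries plus a v1-style manifest and a signature block into a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = ["Manifest-Version: 1.0", ""]
        for name, data in entries.items():
            z.writestr(name, data)
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            manifest += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest))
        z.writestr("META-INF/CERT.RSA", signer_block)
    return buf.getvalue()


def replace_entry(apk_bytes, name, data):
    """Swap one entry without touching the manifest (a lazy attacker's patch)."""
    src, out = zipfile.ZipFile(io.BytesIO(apk_bytes)), io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for n in src.namelist():
            z.writestr(n, data if n == name else src.read(n))
    return out.getvalue()


BANK_SIGNER = b"constructed signer block for the legitimate key"
PIN = hashlib.sha256(BANK_SIGNER).hexdigest()
LAYOUT = b"<login/>"
ORIGINAL = build_apk({"classes.dex": b"dex\n035\x00original code", "res/layout/login.xml": LAYOUT}, BANK_SIGNER)
# The talk's path: unpack, patch the smali, repackage, sign with the attacker's own key.
TROJANED = build_apk({"classes.dex": b"dex\n035\x00code + variable logging", "res/layout/login.xml": LAYOUT},
                     b"attacker signer block")
# Patched dex dropped in without re-signing: the manifest digests give it away.
PATCHED_ONLY = replace_entry(ORIGINAL, "classes.dex", b"dex\n035\x00code + variable logging")

if __name__ == "__main__":
    for label, apk in [("original", ORIGINAL), ("trojaned", TROJANED), ("patched-only", PATCHED_ONLY)]:
        print(label, assess(apk, PIN))
```

The trojaned sample passes the digest check, which is the whole lesson: a repackaged app is internally consistent because the attacker re-signed it, so only the identity of the signer distinguishes it from the genuine build. A production check would pin the signer certificate extracted from the PKCS#7 block rather than a hash of the whole block, and, as the comment above says, any check that runs inside the app can itself be patched out; the check belongs in the distribution channel and in the backend's attestation of the client, not only on the device.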
Tomi Engdahl says:
2.8 million victims squared up by malicious Minecraft apps
Cheaters cheated, then fleeced by premium SMS ‘malware’ removal tools
http://www.theregister.co.uk/2015/05/25/28_million_victims_download_malicious_minecraft_apps/
ESET researcher Lukas Stefanko says a whopping 2.8 million users have downloaded malicious Minecraft Android applications.
Stefanko found 30 malicious apps uploaded to the Google Play store over nine months masquerading as Minecraft cheats and tip guides.
“All of the discovered apps were fake in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a ‘dangerous virus’,” Stefanko says.
The apps craft an SMS which sports text masquerading as an anti-virus activation request. Replying to the message results in the victim signing up to the weekly premium SMS subscription.
Tomi Engdahl says:
San Bernardino Sheriff Has Used Stingray Over 300 Times With No Warrant
http://yro.slashdot.org/story/15/05/25/0344206/san-bernardino-sheriff-has-used-stingray-over-300-times-with-no-warrant
“This is astonishing because it suggests the absence of legal authorization (because if there were clear legal authorization you can bet the government would be citing it),” “Alternatively, it might suggest that the government just doesn’t care about legal authorization. Either interpretation is profoundly troubling,”
Tomi Engdahl says:
Google Study Shows Security Questions Aren’t All That Secure
http://techcrunch.com/2015/05/21/google-study-shows-security-questions-arent-all-that-secure/
What is your favorite food? What was your first teacher’s name? What’s the name of your first pet? Do those questions sound familiar to you? If they do, it’s probably because you either have really boring and repetitive conversations or you’ve answered them as security questions when you signed up for a new account somewhere. They’re meant to provide an extra layer of security, but according to a new study by Google’s security team, they aren’t all that secure.
Tomi Engdahl says:
Coquitlam teen admits to swatting
http://www.tricitynews.com/news/coquitlam-teen-admits-to-swatting-1.1941402
A Coquitlam teen who prompted numerous “swatting” incidents last year on families around Canada and the U.S. pleaded guilty last week to a dozen more charges.
The 17-year-old, who cannot be identified under a publication ban because of his age, has now admitted to a total of 23 offences of extortion, public mischief and criminal harassment.
He had a consistent pattern of trying to connect with the online gamers — many of them fans of the game League of Legends. But when they denied his requests, he shut down their internet access, posted their personal information online, repeatedly called them late at night and contacted the police in their hometown, posing as someone else.
Often, he would tell the police he was holding a family hostage, had napalm bombs or had killed someone in the house. He would demand a ransom, order a SWAT (Special Weapons and Tactics) team — hence the term “swatting” — to show up with a police helicopter, or say he would kill any law enforcement official who intervened, Bauer said.
Tomi Engdahl says:
Did this cybersecurity firm use a data breach for extortion?
A whistleblower claims his company fabricated evidence in retaliation for a lost contract
http://www.theverge.com/2015/5/19/8622631/labmd-data-breach-tiversa-security-ftc-lawsuit
Tomi Engdahl says:
The Scrap Value of a Hacked PC, Revisited
http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
Tomi Engdahl says:
Starbucks Hacked? No, But You Might Be
http://krebsonsecurity.com/2015/05/starbucks-hacked-no-but-you-might-be/
When it comes to reporting on breaches involving customer accounts at major brands, the news media overall deserves an F-minus. Hardly a week goes by when I don’t hear from readers about a breathless story proclaiming that yet another household brand name company has been hacked. Upon closer inspection, the stories usually are based on little more than anecdotal evidence from customers who had their online loyalty or points accounts hijacked and then drained of value.
To be sure, password re-use is a major problem, and it’s a core driver of fraud like this.
But it works both ways: consumers who re-use passwords for sites holding their payment data are asking for trouble, and will get it eventually.
For helpful hints on picking strong passwords (or outsourcing that to third-party software and/or services), check out this primer.
Password Do’s and Don’ts
http://krebsonsecurity.com/password-dos-and-donts/
Here are a few tips for creating strong passwords. Take a moment to review these, and consider strengthening some of your passwords if they fall short.
-Create unique passwords that that use a combination of words, numbers, symbols, and both upper- and lower-case letters.
-Do not use your network username as your password.
-Don’t use easily guessed passwords, such as “password” or “user.”
Tomi Engdahl says:
Immature Cyber Defense Programs Benefit Quickly From Risk Intelligence
http://www.securityweek.com/immature-cyber-defense-programs-benefit-quickly-risk-intelligence
Graphing this data on an imaginary bell curve in my head draws an interesting picture: over 80% of the companies I’ve met with fall into the big fat part of the curve over a label “Immature.”
Among other things, to be cyber “immature” typically means that your company has:
• No (or nominal) “top level” distinct cyber defense organization (e.g. CSO org or other similar division run by appropriate leadership)
• Few or no professional INFOSEC or other security staff members and management (i.e. Instead they have IT personnel who wear the “other duties as assigned” hat)
• Small or no cybersecurity defense operations (e.g. SOC or NOC)
• No (or nominal) Industry-based governance, compliance and regulation program
• No SIEM, Threat Intelligence or similar data analysis function distinct from IT management
• Small or nominal cyber defense budget
In most cases, the companies I meet with openly label themselves as immature when it comes to cyber defense. In fact, across the market, cyber is only now truly getting noticed as the major “top level” threat to a company’s employees, products, customers, brand and reputation, partners, etc. that it actually represents (and deserves).
Risk Intelligence = (High-Level Threat Intelligence + Context) * Continuous Data Collection/Intuitive KPIs
Tomi Engdahl says:
Hundreds of Cloud Services Potentially Vulnerable to Logjam Attacks: Skyhigh
http://www.securityweek.com/hundreds-cloud-services-potentially-vulnerable-logjam-attacks-skyhigh
The recently disclosed Transport Layer Security (TLS) vulnerability dubbed Logjam affects numerous cloud services, cloud security company Skyhigh Networks reported on Wednesday.
The Logjam vulnerability, which is similar to the FREAK bug, is caused due to the way the Diffie-Hellman (DHE) key exchange has been deployed. The flaw can be exploited by a man-in-the-middle (MitM) attacker to downgrade TLS connections to weak, export-grade crypto, and gain access to the data passing through the connection.
Logjam (CVE-2015-4000) affects all servers that support 512-bit export-grade cryptography and all modern web browsers, for which patches are being released. The vulnerability initially affected over 8 percent of the top 1 million HTTPS websites, and more than 3 percent of the browser trusted sites.
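The practical question behind the comment above is whether a given server will still agree to an export-grade DHE suite, and how large the Diffie-Hellman prime is that it sends in its ServerKeyExchange, since the downgrade works because the server's signature over those parameters does not cover the negotiated cipher suite. The following is an added example, not from the SecurityWeek article or the Logjam paper: it speaks just enough TLS 1.2 to send a ClientHello offering only DHE suites and to read the negotiated suite and the prime size out of the server's first flight. The cipher-suite values are the IANA assignments; the sample server responses are constructed here so the parsing and classification can be checked offline, and the `scan()` helper is the only part that needs a network.

```python
"""Logjam triage: offer only DHE suites, inspect the server's DH prime size and
flag acceptance of an export-grade DHE suite.

Added example, not from the article or the Logjam paper. Minimal TLS 1.2 only:
no extensions, no signature verification, no key agreement."""
import os
import socket
import struct

EXPORT_DHE = {0x0011: "DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
              0x0014: "DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}
STRONG_DHE = {0x0033: "DHE_RSA_WITH_AES_128_CBC_SHA",
              0x0039: "DHE_RSA_WITH_AES_256_CBC_SHA"}


def build_client_hello(suites):
    """TLS 1.2 ClientHello record offering exactly the given cipher suites."""
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"            # version, random, empty session id
            + struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00")                                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _records(data):
    off = 0
    while off + 5 <= len(data):
        ctype, length = data[off], struct.unpack(">H", data[off + 3:off + 5])[0]
        yield ctype, data[off + 5:off + 5 + length]
        off += 5 + length


def parse_server_flight(data):
    """Pull the negotiated suite and DH prime size out of the server's first flight."""
    handshake = b""
    for ctype, payload in _records(data):
        if ctype == 21:                                          # alert: nothing we offered was acceptable
            return {"alert": payload[1] if len(payload) > 1 else None}
        if ctype == 22:
            handshake += payload                                 # handshake messages may span records
    result, off = {}, 0
    while off + 4 <= len(handshake):
        mtype, mlen = handshake[off], int.from_bytes(handshake[off + 1:off + 4], "big")
        body = handshake[off + 4:off + 4 + mlen]
        off += 4 + mlen
        if mtype == 2:                                           # ServerHello: version, random, sid, suite
            sid_len = body[34]
            result["cipher_suite"] = struct.unpack(">H", body[35 + sid_len:37 + sid_len])[0]
        elif mtype == 12:                                        # ServerKeyExchange: dh_p is the first field
            p_len = struct.unpack(">H", body[:2])[0]
            result["dh_bits"] = int.from_bytes(body[2:2 + p_len], "big").bit_length()
    return result


def classify(parsed):
    if "alert" in parsed:
        return "REFUSED: no offered DHE suite accepted"
    suite = parsed.get("cipher_suite")
    if suite in EXPORT_DHE:
        return f"VULNERABLE: server accepted {EXPORT_DHE[suite]} ({parsed.get('dh_bits')}-bit p)"
    bits = parsed.get("dh_bits")
    if bits is None:
        return "UNKNOWN: no ServerKeyExchange seen"
    if bits < 1024:
        return f"WEAK: {bits}-bit DH group (precomputation is practical)"
    if bits < 2048:
        return f"MARGINAL: {bits}-bit DH group, move to 2048 bits"
    return f"OK: {bits}-bit DH group"


def scan(host, port=443, suites=tuple(EXPORT_DHE), timeout=5.0):
    """Live check (network required): one handshake attempt offering the given suites."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(suites)))
        data = b""
        try:
            while len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                                                 # server is waiting for our ClientKeyExchange
    return classify(parse_server_flight(data))


def sample_server_flight(suite, p_bits):
    """Constructed ServerHello + ServerKeyExchange + ServerHelloDone for offline testing."""
    server_hello = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    p = (1 << (p_bits - 1)) | 1                                  # exactly p_bits bits; not a real prime
    p_bytes = p.to_bytes((p_bits + 7) // 8, "big")
    ske = (struct.pack(">H", len(p_bytes)) + p_bytes + b"\x00\x01\x02"   # dh_p, dh_g = 2
           + struct.pack(">H", len(p_bytes)) + p_bytes                    # dh_Ys (dummy)
           + b"\x04\x01\x00\x00")                                         # sig alg, empty signature
    msgs = [(2, server_hello), (12, ske), (14, b"")]
    handshake = b"".join(bytes([t]) + len(b).to_bytes(3, "big") + b for t, b in msgs)
    half = len(handshake) // 2                                   # split across two records on purpose
    return b"".join(b"\x16\x03\x03" + struct.pack(">H", len(part)) + part
                    for part in (handshake[:half], handshake[half:]))


if __name__ == "__main__":
    for suite, bits in [(0x0014, 512), (0x0033, 1024), (0x0033, 2048)]:
        print(classify(parse_server_flight(sample_server_flight(suite, bits))))
```

Run `scan(host)` twice when checking a real server: once with the default export suites, where anything other than REFUSED means the downgrade is possible, and once with `suites=tuple(STRONG_DHE)` to see the size of the group the server uses for ordinary DHE connections. A 1024-bit group is the case the Logjam authors argued is within reach of a nation-state precomputation, which is why the classifier does not call it OK; the fix on the server side is a fresh 2048-bit group and removal of all export suites.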
Tomi Engdahl says:
Threat Intelligence Sharing Valued, But Many Not Doing it: Survey
http://www.securityweek.com/threat-intelligence-sharing-valued-many-not-doing-it-survey
Enterprises may largely agree that threat intelligence is important, but few are doing any actual sharing themselves, according to a new survey.
According to a survey by Enterprise Strategy Group (ESG), while 94 percent of the more than 300 IT professionals surveyed believe it is either highly or somewhat valuable to share threat intelligence between federal agencies and the private sector, only 37 percent actually share internally-driven threat intelligence with other companies or Information Sharing and Analysis Centers (ISACs).
“There is clearly an understood value in leveraging threat data, but organizations are finding it difficult to collect, analyze and pinpoint critical threats,” said Jon Oltsik, ESG senior principal analyst, in a statement.
“According to our research, automation is needed for organizations to wade through the mass of alerts they receive, and standards are needed for the secure sharing of threat intelligence,” Oltsik said.
Tomi Engdahl says:
The Need for Security Frameworks
http://www.securityweek.com/need-security-frameworks
One of the things I have observed that is missing the most in the security field is structure. Security leaders struggle to replicate successes from one enterprise to another largely because they are starting from scratch at every new turn. However, anecdotal evidence from client engagements shows that a rigid structure won’t fit all use cases which is absolutely true as each enterprise has its unique quirks and nuances that makes it just different enough to buck the pattern.
Tomi Engdahl says:
Coming into Focus: Cyber Security Operational Risk
http://www.securityweek.com/coming-focus-cyber-security-operational-risk
As news of more data breaches and third-party originated cyber-attacks continue to make the news, businesses and regulators alike are sharpening their focus on how to report on and mitigate these risks. Board members are demanding quantitative risk data that spans all business operations, while business units need to neutralize the impact of cyber-attacks. So how can companies deal with this challenge and transition to a model that uses more data to assess risks? One way is to implement cyber security operational risk management best practices.
Tomi Engdahl says:
Firefox to serve up Suggested Tiles based on your browsing history
Claims it involves less sharing of data with advertisers
http://www.theinquirer.net/inquirer/news/2409825/firefox-to-serve-up-suggested-tiles-based-on-your-browsing-history
MOZILLA IS ABOUT to piss off its more militant users with the arrival of Suggested Tiles in Firefox, the company’s solution to the problem of advertising without calling it advertising.
Suggested Tiles will serve a tailored start menu of suggested content based on the user’s browser history.
The concept behind it is that it involves less sharing of data with advertisers, and less obtrusive advertising mid-session, by remaining on the start page.
Tomi Engdahl says:
Firefox’s Optional Tracking Protection Reduces Load Time For News Sites By 44%
http://news.slashdot.org/story/15/05/25/1149220/firefoxs-optional-tracking-protection-reduces-load-time-for-news-sites-by-44
The duo found that with Tracking Protection enabled, the Alexa top 200 news sites saw a 67.5 percent reduction in the number of HTTP cookies set. Furthermore, performance benefits included a 44 percent median reduction in page load time and 39 percent reduction in data usage.
monica-at-mozilla.blogspot.ca/2015/05/tracking-protection-for-firefox-at-web.html
Tomi Engdahl says:
Covert Remote Protest Transmitters
http://hackaday.com/2015/05/25/covert-remote-protest-transmitters/
As a piece of protest art, “Covert Remote Protest Transmitters” ticks all the boxes. An outdoor covert projector that displayed anti-globalization messages at a G20 summit is protest. To disguise it inside a surveillance camera body housing — sticking it to the man from inside one of his own tools — is art. And a nice hack.
http://michaelcandy.com/SELECTED-WORKS/CRPT
Tomi Engdahl says:
Full Adult Friend Finder database offered up for $17k worth of bitcoins
http://www.computerworld.com/article/2925849/malware-cybercrime/full-adult-friend-finder-database-offered-up-for-17k-worth-of-bitcoins.html
An unredacted version of a database said to be stolen from Adult Friend Finder is being offered for sale for 70 bitcoins, or around $17,000.
ROR[RG], the nickname of the person who claims to have breached the large online hookup site, wrote on Saturday in an underground forum that “I have had so many people ask me to buy the db today.”
Seeking to capitalize on the momentum, ROR[RG] — who claims to live in Thailand — also offered to break into any company or website for 750 bitcoins, worth about $170,000.
Fifteen files of data purported to come from Adult Friend Finder were posted to an underground forum in March. The files contained 3.9 million email addresses and in some cases the partner preference, gender, birth date, state, post code, language preference and IP address of users.
There are a variety of ways for cybercriminals to monetize data. Since email addresses have been released, it is possible for spammers to begin targeting people by incorporating the Adult Friend Finder email addresses into their mailing lists.
The Adult Friend Finder data is also sensitive since it’s easy now to figure out who has subscribed or registered with the site at one time.
Adult dating site hack exposes millions of users
http://www.channel4.com/news/adult-friendfinder-dating-hack-internet-dark-web
Hackers have struck one of the world’s largest internet dating websites, leaking the highly sensitive sexual information of almost four million users onto the web.
The stolen data reveals the sexual preferences of users, whether they’re gay or straight, and even indicates which ones might be seeking extramarital affairs. In addition, the hackers have revealed email addresses, usernames, dates of birth, postal codes and unique internet addresses of users’ computers.
Spam emails
Within hours of the data being leaked, hackers on the forum said they intended to hit victims with spam emails, and Mr Harper has been targeted with virused emails since his information was made public.
Online crime experts believe that after the initial spam email campaign, hackers will now begin trawling through the data for potential blackmail targets. The spreadsheets contain addresses linked to dozens of government and armed services personnel, including members of the British Army.
“Where you’ve got names, dates of birth, ZIP codes, then that provides an opportunity to actually target specific individuals whether they be in government or healthcare for example, so you can profile that person and send more targeted blackmail-type emails,” says Charlie McMurdie, a cybercrime specialist for PwC and former head of the Metropolitan Police’s electronic crime unit.
Among the 26,939 users with a UK email address, for example, there are just 1,596 who identified as female: a ratio of one woman to every 16 men.
Tomi Engdahl says:
Blackhat hack trick wallops popular routers
Sneaky DNS change doesn’t need remote management.
http://www.theregister.co.uk/2015/05/26/new_dns_router_attack/
A cybercrime vigilante known as Kafeine says criminals are hitting thousands of victims with a hacking tool that targets more than 40 router models.
The well-known hacker says the novel attacks use cross-site request forgery and exploits against new and old bugs to change router DNS settings.
This bypasses the need to target only routers with vulnerable remote services. Kafeine says the most popular routers can be targeted including Netgear, D-Link, and Asus to name a few.
The hacker says the attackers have set up a dodgy DNS service that doesn’t direct traffic faithfully. Instead, Kafeine says victims are pointed to phishing sites whenever, for example, they attempt to log into internet banking portals.
One such dodgy DNS server received up to a million unique hits on 9 May, he says.
“Knowing that CVE-2015-1187 has been released on 2 March I guess this attack is pretty effective since the percentage of routers updated in the past two months is probably really low,” he says.
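The attack described above works because a router’s admin page usually trusts the session cookie alone, so any web page the victim visits can make their browser submit a "change DNS" form to 192.168.1.1 without touching the WAN side at all. The following is an added example written for this comment, not code from Kafeine’s write-up or from any vendor’s firmware: a minimal model of such an endpoint in its usual shape and in a hardened form that checks the request Origin and a per-session CSRF token. The Request and RouterAdmin classes, the method names and the IP addresses are all assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed LAN address of the router's admin interface (illustration only).
ROUTER_ORIGIN = "http://192.168.1.1"


class Request:
    """Tiny stand-in for an HTTP request as seen by the router's web server."""
    def __init__(self, method, headers, form, cookies):
        self.method = method
        self.headers = headers   # dict of request headers
        self.form = form         # dict of submitted form fields
        self.cookies = cookies   # dict of cookies the browser attached


class RouterAdmin:
    def __init__(self):
        self.dns = ["192.168.1.1"]   # default: router forwards DNS itself
        self.sessions = {}           # session id -> CSRF token bound to it

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(32)
        return sid

    def csrf_token(self, sid):
        # A legitimate page embeds this in its form; a cross-site page cannot read it.
        return self.sessions[sid]

    def _authenticated(self, req):
        return req.cookies.get("SESSIONID") in self.sessions

    def set_dns_vulnerable(self, req):
        # The common weak pattern: a valid session cookie is the only check.
        # The victim's browser attaches that cookie to a request forged by
        # <img src="http://192.168.1.1/dns?primary=..."> or a hidden auto-submitted form.
        if not self._authenticated(req):
            return 403
        self.dns = [req.form["primary"]]
        return 200

    def set_dns_hardened(self, req):
        if not self._authenticated(req):
            return 403
        if req.method != "POST":              # state changes never via GET
            return 405
        # 1. Origin/Referer must be the router itself; browsers send Origin
        #    on cross-site POSTs and a forged page cannot spoof it.
        origin = req.headers.get("Origin") or req.headers.get("Referer")
        if origin is None:
            return 403
        p = urlparse(origin)
        if f"{p.scheme}://{p.netloc}" != ROUTER_ORIGIN:
            return 403
        # 2. Synchroniser token tied to the session, compared in constant time.
        expected = self.sessions[req.cookies["SESSIONID"]]
        if not hmac.compare_digest(expected, req.form.get("csrf_token", "")):
            return 403
        self.dns = [req.form["primary"]]
        return 200


def demo():
    """Run a forged and a legitimate request against both endpoints."""
    router = RouterAdmin()
    sid = router.login()
    cookies = {"SESSIONID": sid}
    # Forged: attacker's page triggers the POST; browser adds the cookie,
    # but Origin is the attacker's site and no CSRF token is known.
    forged = Request("POST", {"Origin": "http://evil.example"},
                     {"primary": "203.0.113.53"}, cookies)
    legit = Request("POST", {"Origin": ROUTER_ORIGIN},
                    {"primary": "9.9.9.9", "csrf_token": router.csrf_token(sid)},
                    cookies)
    r_vuln = router.set_dns_vulnerable(forged)       # 200: DNS hijacked
    dns_after_vuln = list(router.dns)
    r_hard_forged = router.set_dns_hardened(forged)  # 403: rejected
    r_hard_legit = router.set_dns_hardened(legit)    # 200: accepted
    return r_vuln, dns_after_vuln, r_hard_forged, r_hard_legit, list(router.dns)


if __name__ == "__main__":
    print(demo())
```

The token check alone defeats classic CSRF; the Origin check is defence in depth against token leakage and costs nothing. Neither protects a router whose admin password is still the factory default, which is the other half of the problem the article describes.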
Tomi Engdahl says:
Attackers Use Email Spam To Infect Point-of-Sale Terminals
http://it.slashdot.org/story/15/05/26/0252254/attackers-use-email-spam-to-infect-point-of-sale-terminals
Point-of-sale software has meant that in many cases where once you’d have seen a cash register, you now see a general-purpose PC running point-of-sale (PoS) software. Unfortunately, those PCs have all the usual vulnerabilities
Attackers use email spam to infect point-of-sale terminals with new malware
http://www.itworld.com/article/2926355/attackers-use-email-spam-to-infect-pointofsale-terminals-with-new-malware.html
Cybercriminals are targeting employees who browse the Web or check their email from point-of-sale (PoS) computers, a risky but unfortunately common practice.
Researchers from security firm FireEye recently came across a spam campaign that used rogue email messages masquerading as job inquiries.
The emails had fake resumes attached that were actually Word documents with an embedded malicious macro. If allowed to run, the macro installed a program that downloaded additional malware from a remote server.
Among those additional programs, the FireEye researchers identified a new memory-scraping malware threat that steals payment card data from PoS terminals. They’ve dubbed the new threat NitlovePOS.
PoS malware has become commonplace over the past few years and has led to some of the largest credit card breaches to date.
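The delivery vector above is a Word document carrying a VBA project, so a mail gateway or a PoS host’s attachment filter can catch the lure before anyone clicks "Enable Content". The code below is an added example written for this comment, not from the FireEye report or any vendor product. It shows the check: a modern Office file is a ZIP package, and a macro-enabled one contains a vbaProject.bin part and declares its content type in [Content_Types].xml; legacy OLE2 .doc files need a real OLE parser (for example oletools) and are only flagged for inspection here. The sample documents are constructed in memory, and the function and part names other than the standard OOXML ones are assumptions for the illustration.

```python
import io
import zipfile

# Standard OOXML locations of the VBA project in Word, Excel and PowerPoint packages.
MACRO_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Magic bytes of legacy OLE2 compound files (.doc/.xls/.ppt), which can hold macros too.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data):
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-needs-inspection' or 'not-office'."""
    if data[:8] == OLE2_MAGIC:
        return "ole2-needs-inspection"
    if data[:2] != b"PK":
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            has_part = any(n in names for n in MACRO_PART_NAMES)
            ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
            declares = MACRO_CONTENT_TYPE in ctypes
            # Check both signals: an attacker can rename or strip either one.
            return "ooxml-macro" if (has_part or declares) else "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def triage(filename, data):
    """Combine the content check with the claimed extension and return (kind, reasons)."""
    kind = classify_attachment(data)
    reasons = []
    if kind == "ooxml-macro":
        reasons.append("vba-macro")
        if filename.lower().endswith((".docx", ".xlsx", ".pptx")):
            # Macro package saved under a "macro-free" extension: deliberately mislabelled.
            reasons.append("macro-extension-mismatch")
    elif kind == "ole2-needs-inspection":
        reasons.append("legacy-ole2-inspect-with-oletools")
    return kind, sorted(reasons)


def build_docx(with_macro):
    """Construct a minimal in-memory Word package for the demo (constructed sample, not a real resume)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ['<?xml version="1.0"?>',
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
              '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            ct.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)  # placeholder VBA storage
    return buf.getvalue()


if __name__ == "__main__":
    print(triage("resume.docm", build_docx(True)))
    print(triage("resume.docx", build_docx(False)))
```

Blocking or sandboxing anything that triages as "vba-macro" at the gateway is the cheap control; the expensive one the article points at is keeping browsers and mail clients off the PoS network in the first place.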
Tomi Engdahl says:
Sniffing and Tracking Wearable Tech and Smartphones
http://yro.slashdot.org/story/15/05/25/2147252/sniffing-and-tracking-wearable-tech-and-smartphones
Senior researcher Scott Lester at Context Information Security has shown how someone can easily monitor and record Bluetooth Low Energy signals transmitted by many mobile phones, fitness monitors, and iBeacons. The findings have raised concerns about the privacy and confidentiality wearable devices may provide. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,”
“Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device”
Sniffing and tracking wearable tech and smartphones
http://www.net-security.org/secworld.php?id=18422
The researchers have even developed an Android app that scans, detects and logs wearable devices.
The Context findings follow recent reports that soldiers in the People’s Liberation Army of China have been warned against using wearables to restrict the possibility of cyber-security loopholes. “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device,” said Scott Lester, a senior researcher at Context.
“Using cheap hardware or a smartphone, it could be possible to identify and locate a particular device – that may belong to a celebrity, politician or senior business executive – within 100 meters in the open air. This information could be used for social engineering as part of a planned cyber attack or for physical crime by knowing peoples’ movements.”
Bluetooth Low Energy (BLE) was released in 2010 specifically for a range of new applications that rely on constantly transmitting signals without draining the battery. Like other network protocols it relies on identifying devices by their MAC addresses; but while most BLE devices have a random MAC address, Context researchers found that in most cases the MAC address doesn’t change.
BLE is also increasingly used in mobile phones and is supported by iOS 5 and later, Windows Phone 8.1, Windows 8, Android 4.3 and later, as well as the BlackBerry 10.
“By 2018, more than 90 percent of Bluetooth enabled smartphones are expected to be Smart Ready devices,”
iBeacons, which also transmit BLE packets in order to identify a location, are already used in Apple Stores to tailor notifications to visiting customers.
The current version 4.2 of the Bluetooth Core Specification makes it possible for BLE to implement public key encryption and keep packet sizes down, while also supporting different authentication schemes. “Many BLE devices simply can’t support authentication and many of the products we have looked at don’t implement encryption, as this would significantly reduce battery life and increase the complexity of the application,” said Lester.
“It is clear that BLE is a powerful technology, which is increasingly being put to a wide range of uses,” concludes Context’s Lester. “While the ability to detect and track devices may not present a serious risk in itself, it certainly has the potential to compromise privacy and could be part of a wider social engineering threat. It is also yet another demonstration of the lack of thought that goes into security when companies are in a rush to get new technology products to market.”
RaMBLE
https://play.google.com/store/apps/details?id=com.contextis.android.BLEScanner
RaMBLE is a proof of concept application for scanning, logging and mapping Bluetooth Low Energy devices such as iBeacons and fitness trackers.
The scanner runs in the background and logs all advertising packets and scan responses received from BLE devices. All data is logged into a database that can be exported to the SD card. It does not connect to, or exchange any information with any devices.
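The tracking problem Context describes comes down to one thing: whether a device’s advertising address changes. BLE has a public address type and three random sub-types, told apart by the two most significant bits of the address (Bluetooth Core Spec Vol 6 Part B 1.3), and only the resolvable private type is meant to rotate, with the Core Spec 4.2 GAP recommending a 15-minute interval. The example below is added for this comment and is not code from Context or from RaMBLE: it classifies addresses from a constructed advertising log and lists devices whose address stayed fixed longer than the rotation window. The log entries, addresses and function names are assumptions; in a real capture the public/random flag comes from the TxAdd bit of the advertising PDU header, which a scanner records alongside the address.

```python
# Constructed BLE advertising observations: (seconds_since_start, tx_add_random, address).
# tx_add_random mirrors the TxAdd header bit; it cannot be inferred from the address bytes.
BLE_LOG = [
    # fitness tracker with a random static address that never rotates
    (0,    True,  "C4:3A:5B:11:22:33"),
    (3600, True,  "C4:3A:5B:11:22:33"),
    (7200, True,  "C4:3A:5B:11:22:33"),
    # phone using LE Privacy: resolvable private address rotated every 15 minutes
    (0,    True,  "5F:01:02:03:04:05"),
    (600,  True,  "5F:01:02:03:04:05"),
    (900,  True,  "6A:AA:BB:CC:DD:EE"),
    (1500, True,  "6A:AA:BB:CC:DD:EE"),
    # iBeacon with a fixed public (IEEE-assigned) address
    (0,    False, "00:1A:7D:DA:71:13"),
    (7200, False, "00:1A:7D:DA:71:13"),
]

# Two most significant bits of a random address select its sub-type; 0b10 is reserved.
RANDOM_KINDS = {
    0b11: "random-static",
    0b01: "random-resolvable",
    0b00: "random-non-resolvable",
}


def address_kind(tx_add_random, addr):
    """Classify a BLE device address as public or one of the random sub-types."""
    if not tx_add_random:
        return "public"
    top2 = int(addr.split(":")[0], 16) >> 6
    return RANDOM_KINDS.get(top2, "reserved")


def trackable_devices(log, window_s=15 * 60):
    """Return {address: (kind, seconds_observed)} for every address seen over a span at
    least window_s long, i.e. a device that can be followed across the rotation window."""
    spans = {}
    kinds = {}
    for ts, tx_random, addr in log:
        kinds[addr] = address_kind(tx_random, addr)
        lo, hi = spans.get(addr, (ts, ts))
        spans[addr] = (min(lo, ts), max(hi, ts))
    return {addr: (kinds[addr], hi - lo)
            for addr, (lo, hi) in spans.items() if hi - lo >= window_s}


if __name__ == "__main__":
    for addr, (kind, seconds) in trackable_devices(BLE_LOG).items():
        print(f"{addr}  {kind:22s} trackable for {seconds}s")
```

A rotating resolvable address is not the whole story: the advertising payload (device name, manufacturer data, service UUIDs) can identify a device even when the address changes, so a scanner like RaMBLE should be read against both fields.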
Tomi Engdahl says:
Will Obama’s cybersecurity executive order make a difference?
http://www.csoonline.com/article/2900872/malware-cybercrime/will-obama-s-cybersecurity-executive-order-make-a-difference.html
We continue to live in a world that is exciting with new, easy-to-use technology that allows all of us to be more effective and efficient in our business and personal lives. Yet the ease of use of this technology also puts all of us at risk.
President Obama and many in government and the private sector realize there is so much more that all of us could and should do to ensure we can be confident that our most sensitive personal data is safe. It is our right and we need to take action against the cyber adversaries that wish to do us harm.
The EO and the legislation previously passed by Congress is a great start. But in order for the actions taken to increase information sharing among the public and private sectors to really be effective, additional legislation is necessary. We need to see liability relief along with codified roles and responsibilities for the public and private sector regarding information sharing. In addition, the President has called for a national breach process and updated criminal laws to support today’s security needs and the future environment. We support that. With this approach, information sharing can, in fact, truly become actionable and allow the good guys to operate inside the bad guy’s decision cycle.
Tomi Engdahl says:
Malware is not only about viruses – companies preinstall it all the time
Richard Stallman
http://www.theguardian.com/technology/2015/may/22/malware-viruses-companies-preinstall
In 1983, when I started the free software movement, malware was so rare that each case was shocking and scandalous. Now it’s normal.
To be sure, I am not talking about viruses. Malware is the name for a program designed to mistreat its users. Viruses typically are malicious, but software products and software preinstalled in products can also be malicious – and often are, when not free/libre.
How far things have sunk. Developers today shamelessly mistreat users; when caught, they claim that fine print in EULAs (end user licence agreements) makes it ethical. (That might, at most, make it lawful, which is different.) So many cases of proprietary malware have been reported, that we must consider any proprietary program suspect and dangerous. In the 21st century, proprietary software is computing for suckers.
What kinds of programs constitute malware? Operating systems, first of all. Windows snoops on users, shackles users and, on mobiles, censors apps; it also has a universal back door that allows Microsoft to remotely impose software changes. Microsoft sabotages Windows users by showing security holes to the NSA before fixing them.
Apple systems are malware too: MacOS snoops and shackles; iOS snoops, shackles, censors apps and has a back door. Even Android contains malware in a nonfree component: a back door for remote forcible installation or deinstallation of any app.
What about nonfree apps? Plenty of malware there.
Apps for streaming services tend to be the worst, since they are designed to shackle users against saving a copy of the data that they receive, as well as making users identify themselves so their viewing and listening habits can be tracked.
What about other digital products? We know about the smart TV and the Barbie doll that transmit conversations remotely. Proprietary software in cars that stops those we used to call “car owners” from fixing “their” cars. If the car itself does not report everywhere you drive, an insurance company may charge you extra to go without a separate tracker.
Amazon’s Kindle e-reader reports what page of what book is being read, plus all notes and underlining the user enters;
Tomi Engdahl says:
Juliette Garside / Guardian:
Philip Zimmermann moves his mobile encryption startup Silent Circle from US to Switzerland to avoid surveillance
http://www.theguardian.com/technology/2015/may/25/philip-zimmermann-king-encryption-reveals-fears-privacy
Tomi Engdahl says:
Fake Android Minecraft apps scammed millions of users
http://securityaffairs.co/wordpress/37163/cyber-crime/fake-android-minecraft-apps.html
Experts at ESET have discovered over 30 scareware apps uploaded to the Google Play store over nine months, masquerading as Minecraft cheats and tip guides.
Do you completely trust mobile applications available on the official app store like Google Play? If your answer is yes, you’re wrong.
ESET security researcher Lukas Stefanko has discovered 30 malicious apps uploaded to the Google Play store over nine months; the bogus apps pretend to be Minecraft cheats and tip guides. This kind of attack is very dangerous due to the large audience of the official Google Play store; in this specific case Stefanko confirmed that nearly 2.8 million users have already downloaded the malicious Minecraft Android apps.
“All of the discovered apps were fake in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a ‘dangerous virus’,” Stefanko says. “Users were then directed to remove viruses by activating a premium-rate SMS subscription that would cost them €4.80 per week.
Unfortunately, it is not simple to avoid similar incidents. Google’s Play Store uses an anti-malware framework called Bouncer to prevent the publication of malicious applications and supplements it with manual review by human operators. In some cases, to evade this checking mechanism, bad actors upload benign applications and later push malicious updates.
Tomi Engdahl says:
Firefox’s optional Tracking Protection reduces load time for top news sites by 44%
http://venturebeat.com/2015/05/24/firefoxs-optional-tracking-protection-reduces-load-time-for-top-news-sites-by-44/
Former Mozilla software engineer Monica Chew and Computer Science researcher Georgios Kontaxis recently released a paper that examines Firefox’s optional Tracking Protection feature. The duo found that with Tracking Protection enabled, the Alexa top 200 news sites saw a 67.5 percent reduction in the number of HTTP cookies set. Furthermore, performance benefits included a 44 percent median reduction in page load time and 39 percent reduction in data usage.
Tracking Protection allows Firefox users to avoid many forms of online tracking. Originally based on the blocklist from antitracking startup Disconnect, the feature offers better privacy while also speeding up page loads by blocking requests to tracking domains.
Tomi Engdahl says:
Boffins silently track train commuters without tripping Android checks
Smartmobe accelerometer data reveals your movements, isn’t secured in any way
http://www.theregister.co.uk/2015/05/26/tracking_metro_riders_using_accelerometers_on_smartphones/
Nanjing University boffins Jingyu Hua, Zhenyu Shen, and Sheng Zhong have tracked commuter train trips with 92 percent accuracy using stolen phone accelerometer data.
The trio says tracking users on Android phones is possible in part because the platform does not require permission or consent to access the dataset.
“We believe this finding is especially threatening for three reasons. First … it is extremely easy for attackers to create stealthy malware to eavesdrop on the accelerometer. Second, metro is the preferred transportation means for most people in major cities [which] means a malware based on this finding can affect a huge population. Last and the most importantly, metro-riding traces can be used to further infer a lot of other private information. For example, if an attacker can trace a smartphone user for a few days, he may be able to infer the user’s daily schedule and living and working areas, and thus seriously threaten her physical security.”
Tomi Engdahl says:
High schooler allegedly hired third party to DDoS his school district
https://nakedsecurity.sophos.com/2015/05/22/high-schooler-allegedly-hired-third-party-to-ddos-his-school-district/
A 17-year-old high school boy may face state and federal charges for allegedly having paid a third party to launch a distributed denial of service (DDoS) attack that crippled the West Ada school district in Idaho, US, for a week and a half earlier this month.
Because he’s a minor, he can’t be named.
A DDoS is an attack wherein the servers of a targeted online service are slowed to a crawl with loads of pointless data like email or file uploads that clog up their processing ability.
KTVB reports that West Ada students suffered assorted misery because of the attack, including losing their work on the Idaho Standard Achievement tests.
Some students had to take the tests multiple times.
Meanwhile, online classes and textbooks weren’t available for much of the week, and faculty and staff had problems accessing administrative and business systems, including payroll.
The school district’s IT staff eventually traced an IP address back to the 17-year-old, who was suspended from Eagle High. School officials are recommending that he be expelled.
We can assure students and parents that the consequences associated with a DDoS attack are far from trivial.
When it comes to DDoS, the law doesn’t spare you if you’re a kid.
Tomi Engdahl says:
IT bosses worried about the security of customer data
According to recent research, 90 percent of senior IT managers are afraid of customer data in particular disappearing into the cloud.
The HDS (Hitachi Data Systems) study involved 232 senior IT executives in different countries.
Of these, 46 percent thought that customer data loss is the company’s biggest risk. 40 per cent of the respondents were worried about a fall in net sales.
Customer privacy concerned 36 per cent of respondents.
Two-thirds of respondents said that their organization had suffered losses from intrusions carried out through cloud services.
Among them, nine per cent thought the losses were significant. One-third of the data breaches were of mid-level risk.
A quarter said the security problems they experienced were due specifically to public cloud integration difficulties. On the other hand, 36 per cent admitted that their own organization lacks adequate technical knowledge.
The best remedies:
Among the most important are the right choice of service vendor and the most appropriate applications.
Source: http://www.tivi.fi/CIO/2015-05-26/It-pomot-huolissaan-asiakasdatan-turvasta-3321082.html
More:
Two-thirds of IT execs ‘suffer cloud outage’
http://www.cloudpro.co.uk/cloud-essentials/cloud-security/5098/two-thirds-of-it-execs-suffer-cloud-outage
Tomi Engdahl says:
NATS ignored previous recommendations – IT cock-up report
Since privatisation, investment ‘somewhat less than had been planned overall’
http://www.theregister.co.uk/2015/05/26/nats_ignored_previous_recommendations_it_cockup_report/
The National Air Traffic Services failed to implement recommendations to mitigate IT risks, according to an independent report into the mega systems failure in December which left thousands of passengers stranded in Blighty.
In December 2014, 120 flights were cancelled and 500 delayed for 45 minutes, affecting 10,000 passengers in total.
According to the NATS System Failure 12 December 2014: Final Report (PDF), previous recommendations from a major outage only a year earlier had not been addressed by the body.
These included a review of the industry’s ability to respond to service failures and identify required changes to NATS’ crisis management capabilities, resilience of systems, procedures and service continuity plans.
Responding to the report, NATS said: “We agree with the panel that it is unrealistic to expect that complex systems such as ours will never fail.”
Tomi Engdahl says:
Maybe Online Voting Isn’t A Pipe Dream After All
Researchers devise a system that looks secure, but isn’t remotely easy to use.
http://readwrite.com/2015/05/22/du-vote-secure-online-voting
A team of British and American researchers have developed a hacker resistant process for online voting (PDF) called Du-Vote. The technique could theoretically allow citizens to securely cast online ballots in public elections, even if their computer is infected with malicious software.
The development would be a significant step forward for the prospect of secure online voting, one of those ideas that seems like a no-brainer until you start thinking about how to ensure that the system couldn’t be tampered with. (Say what you like about paper ballots, at least they can be recounted.)
The specific method used by Du-Vote, however, is clearly a first-generation prototype that’s cumbersome and thus possibly not well suited for general use.
Tomi Engdahl says:
British Politicians Delete Negative Wikipedia Descriptions Before Election
http://yro.slashdot.org/story/15/05/26/1223252/british-politicians-delete-negative-wikipedia-descriptions-before-election
The Wikipedia pages of dozens of UK politicians had references to sex scandals, fraud and opposition to same sex marriage removed in the run up to the UK general election. Dozens of MPs had negative aspects of their online biographies removed or altered prior to the election in a bid to make them more electable.
Tomi Engdahl says:
Android ransomware poses as FBI smut warning
Call the cops! Erm, actually don’t
http://www.theregister.co.uk/2015/05/26/android_ransomware_mobile_scam_fbi/
Cybercrooks have launched a new wave of Android ransomware that poses as a pretty convincing FBI-imposed porn-surfing warning.
Over 15,000 spam emails, including zipped files, have hit the inboxes of Android users in recent days, according to Romanian security software firm Bitdefender.
If activated, the ransomware demands $500 to restore access. Users that try to independently unlock their devices will see the amount increase to $1,500, with payment demanded via Money Pak and PayPal My Cash transfers.
The malware poses as an Adobe Flash Player update, a common malware slinging ruse.
“The device’s home screen delivers an alarming fake message from the FBI telling users they have broken the law by visiting pornographic websites. To make the message more compelling, hackers add screenshots of the so-called browsing history.”
Tomi Engdahl says:
Stephen Ohlemacher / Associated Press:
IRS says hackers gained access to tax returns, other info of more than 100K taxpayers by targeting “Get Transcript” service and using SSNs, birth dates, more
APNewsBreak: IRS says thieves stole tax info from 100,000
http://bigstory.ap.org/article/34539a748b3745ffb92451472f814ffa/apnewsbreak-irs-says-thieves-stole-tax-info-100000
WASHINGTON (AP) — Thieves used an online service provided by the IRS to gain access to information from more than 100,000 taxpayers, the agency said Tuesday.
The information included tax returns and other tax information on file with the IRS.
Koskinen said the agency was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts.
Thieves can use the information to claim fraudulent tax refunds in the future.
Tomi Engdahl says:
Help Net Security:
Security researchers say mobile and wearable devices can be tracked by monitoring Bluetooth Low Energy (BLE) signal transmissions — Sniffing and tracking wearable tech and smartphones — Researchers at Context Information Security have demonstrated how easy it is to monitor …
Sniffing and tracking wearable tech and smartphones
http://www.net-security.org/secworld.php?id=18422
Tomi Engdahl says:
DDoS Impact Survey Reveals the Actual Cost of DDoS Attacks
https://www.incapsula.com/blog/ddos-impact-cost-of-ddos-attack.html
Tomi Engdahl says:
UK pornography industry proposes user ID checks for adult websites
http://www.theguardian.com/culture/2015/may/26/pornography-industry-user-id-checks-adult-websites-privacy
Scheme to verify visitors’ identity with organisations such as banks and mobile providers has support but critics say there are privacy concerns
Britons may soon face identity checks to access adult material on the internet, according to discussions between Whitehall and the private sector.
A scheme proposed by the pornography industry would see adult sites verifying visitors’ identity with organisations such as banks, credit reference agencies or even the NHS.
It comes ahead of an expected new law demanding age checks for online pornography and threatening a block on any sites which don’t comply. It is a key Conservative pledge and has widespread support. But critics say the plans are a privacy nightmare. Some warn they are a step towards Chinese-style internet restrictions.
“This is cutting-edge censorship,” said Myles Jackman, a lawyer specialising in obscenity law. “We are now becoming the world leaders in censorship. And we are being watched very closely from abroad.”
“Nobody in the UK wants a centralised identity database,” said Dr Rachel O’Connell, an online child safety expert advising the DPA. “The way around that is that Royal Mail knows who you are, your mobile operator knows who you are.”
Adult websites would offer visitors a choice of identity providers – from Vodafone to the Department for Work and Pensions – to vouch for their age, O’Connell said.
To boost privacy, checks would pass through an “anonymising hub”.
British-based sites have had to make stringent age checks since 2010, using credit cards
But critics warn against any system linking use of pornography websites to identity. Jerry Barnett, a free-speech campaigner and author of the Sex & Censorship blog, said any such system must make detailed records of web-browsing history.
“And we know that privacy in such cases is often breached by accident, by hackers, or secretly by the police and intelligence services,” Barnett said. “This is the state, yet again, intervening in people’s private lives for no reason other than good old British prurience and control-freakery.”
The law will be an easy win for the new government, even with a slim majority. Few politicians would oppose child protection.
Tomi Engdahl says:
Linux/Moose Worm Targets Routers, Modems, and Embedded Systems
http://linux.slashdot.org/story/15/05/26/1854207/linuxmoose-worm-targets-routers-modems-and-embedded-systems
Security firm ESET has published a report on new malware that targets Linux-based communication devices (modems, routers, and other internet-connected systems) to create a giant proxy network for manipulating social media. It’s also capable of hijacking DNS settings. The people controlling the system use it for selling “follows,” “likes,” and so forth on social media sites like Twitter, Instagram, Vine, Facebook, and Google+.
The Moose is loose: Linux-based worm turns routers into social network bots
Malware can infect IoT devices—including medical devices—with weak authentication.
http://arstechnica.com/security/2015/05/the-moose-is-loose-linux-based-worm-turns-routers-into-social-network-bots/
A worm that targets cable and DSL modems, home routers, and other embedded computers is turning those devices into a proxy network for launching armies of fraudulent Instagram, Twitter, and Vine accounts as well as fake accounts on other social networks. The new worm can also hijack routers’ DNS service to route requests to a malicious server, steal unencrypted social media cookies such as those used by Instagram, and then use those cookies to add “follows” to fraudulent accounts. This allows the worm to spread itself to embedded systems on the local network that use Linux-based operating systems.
The malware, dubbed “Linux/Moose” by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research, exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
The worm begins to scan both other Internet addresses within the same ISP network, other random IP addresses, and local network addresses for other vulnerable devices. Infected devices advertise themselves on port 10073; the worm attempts to connect to this port first before launching Telnet attacks, and it moves on if it gets a successful connection. The malware also attempts to use shell commands on the infected router to change DNS settings, replacing existing domain name servers with malicious ones that could route Web requests by the router’s users to lookalike sites—or sites laden with exploit malware.
The main purpose of Moose, however, appears to be to create a network of covert HTTP proxies that can be used by the worm’s command and control (C&C) servers to communicate with social networks.
While not intended to target Internet of Things devices specifically, Bilodeau and Dupuy found that Moose could infect a number of such devices, including medical ones. “Based on recent security research, we have evidence to state that even medical devices like the Hospira Drug Infusion Pump could be infected with Linux/Moose,” the pair wrote. While these infections were essentially just “collateral damage,” the worm could have an impact on the safe operation of these devices.
Fortunately, Linux/Moose apparently has no persistence on a router or other embedded computing device. Once the router is powered off, it restarts without the worm present. But if left poorly configured, routers that are reset could quickly be re-infected by other routers or devices on the local network that have been compromised.
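Two of the behaviours described above are visible from the network without touching the device: an infected host brute-forces Telnet against many neighbours, and, per ESET, it listens on TCP 10073 so that other infected hosts can recognise it before trying Telnet. The snippet below is an added example for this comment, not code from ESET or Ars Technica. It runs both checks over a constructed set of connection records of the kind a Zeek conn.log, NetFlow export or router syslog would give you; the record layout, addresses and threshold are assumptions for the illustration.

```python
from collections import defaultdict

TELNET = 23
MOOSE_PEER_PORT = 10073   # port on which ESET reports infected devices listen

# Constructed connection records: (src_ip, dst_ip, dst_port, state) where state is
# "SYN" for an attempt or "EST" for a completed TCP connection.
FLOWS = (
    # 192.168.1.20 sweeps the LAN for Telnet: 12 distinct targets
    [("192.168.1.20", f"192.168.1.{i}", TELNET, "SYN") for i in range(100, 112)]
    # another infected host checks 192.168.1.20's marker port and gets through
    + [("192.168.1.35", "192.168.1.20", MOOSE_PEER_PORT, "EST")]
    # an administrator's one legitimate Telnet session to the router
    + [("192.168.1.5", "192.168.1.1", TELNET, "EST")]
)


def moose_indicators(flows, scan_threshold=10):
    """Flag hosts behaving like Linux/Moose.

    'telnet-scanner'      : one source attempting Telnet to >= scan_threshold distinct hosts
    'moose-peer-listener' : a host that accepted an inbound connection on TCP 10073
    Returns {ip: sorted list of reasons}; hosts with no finding are omitted."""
    telnet_targets = defaultdict(set)
    listeners = set()
    for src, dst, dport, state in flows:
        if dport == TELNET:
            telnet_targets[src].add(dst)
        if dport == MOOSE_PEER_PORT and state == "EST":
            listeners.add(dst)

    findings = defaultdict(list)
    for src, targets in telnet_targets.items():
        if len(targets) >= scan_threshold:
            findings[src].append("telnet-scanner")
    for ip in listeners:
        findings[ip].append("moose-peer-listener")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in moose_indicators(FLOWS).items():
        print(ip, reasons)
```

Because the worm does not survive a reboot but re-infects from neighbours within minutes, the useful response to a hit is to change the Telnet credentials (or disable Telnet) on the flagged device before power-cycling it, not after.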
Tomi Engdahl says:
Kali Linux launches for Docker
Hacker whacker comes to server fervor
http://www.theregister.co.uk/2015/05/27/kali_linux_launches_for_docker/
Penetration testing gurus Offensive Security have made their popular Kali operating system available for Docker-addicted system administrators.
Developer Mati Aharoni acted on a request from a user who asked for a Dockerised image of the Kali penetration testing system platform.
“Last week we received an email from a fellow penetration tester, requesting official Kali Linux Docker images that he could use for his work,” Aharoni says.
“The beauty [of Docker] is that Kali is placed in a nice, neat container without polluting your guest filesystem.
The hackers bootstrapped a minimal Kali Linux 1.1.0a base under its Docker account providing security bods with access to the platform’s top 10 tools.
Official Kali Linux Docker Images
https://www.kali.org/news/official-kali-linux-docker-images/
Tomi Engdahl says:
Is It Possible for Passengers to Hack Commercial Aircraft?
http://www.wired.com/2015/05/possible-passengers-hack-commercial-aircraft/
When security researcher Chris Roberts was removed from a United flight last month after tweeting a joke about hacking the plane’s inflight entertainment system, the security community was aghast at the FBI’s over-reaction and United’s decision to ban him from a subsequent flight.
But with publication of an FBI affidavit this month asserting that Roberts admitted to hacking a plane inflight, causing it to veer slightly off course, reaction in the community swiftly shifted. Wrath that had been directed at the FBI was now directed at Roberts.
How could a professional security researcher put passengers at risk by doing a live and unauthorized pen-test of a plane’s network while in the air?
“While these systems receive [plane] position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing said in a statement.
The statement seemed a contradiction in terms, though. Were the avionics and infotainment networks connected by communication links or were they isolated? And if connected, how could Boeing be certain a hacker couldn’t leap from the entertainment system to the avionics system and manipulate controls? After all, a report released last month by the Government Accountability Office raised this very concern, as did an FAA document issued to Boeing in 2008.
According to the affidavit, Roberts was able to issue a “climb command”, which “caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane.”
Whether it’s possible to create this condition by issuing a command from a passenger seat is a different matter, however. Soucie and others who WIRED spoke to agree with Boeing that this isn’t possible. But unlike Boeing, they provided clearer details explaining why.
“The auto-throttle wants to keep the engines together. It does not want to split the engines,” he says. “The only command [available] is to drive them together, not to drive them apart.”
The only way someone could hack the system to throttle one engine would be if they were able to gain access to the box housing the system and reprogram the software for the throttles. “But you can’t just reprogram a box. There are all sorts of interlocks to make sure that software can’t change inflight,”
So if Roberts wasn’t able to alter the thrust of an engine, would he have at least been able to access the avionics system to do other things? Soucie and Lemme say no.
In-Flight Entertainment Systems
According to the FBI affidavit, Roberts got access to the thrust-management system through the in-flight entertainment system. The affidavit indicates that he found vulnerabilities in two models of IFE made by Panasonic and Thales, a French electronics firm that makes a variety of components and security products for the defense and aerospace industries and others.
On at least 15 different flights, Roberts evidently compromised IFE systems by obtaining physical access through the Seat Electronic Box, or SEB, installed beneath passenger seats. After removing the cover to the SEB by “wiggling and squeezing the box,” the affidavit says Roberts took a Cat6 ethernet cable with a modified plug on the end and attached it to the box and his laptop.
A connection between the avionics system and the IFE does exist. But there’s a caveat.
Soucie and Lemme say the connection allows for one-way data communication only. The systems are connected through an ARINC 429 data bus that feeds information from the avionics to the IFE about the plane’s latitude, longitude and speed.
“On every airplane it’s done a little differently and is done in a proprietary way,” Lemme says. But in each case, the ARINC 429 is an output-only hub that allows data to flow out from the avionics system but not back to it, he says.
But WIRED was able to find a document online (.pdf), which indicates that Boeing’s line of 777 planes use ARINC 629 buses. These buses are designed for two-way communication.
It’s unclear, however, if these are used only for communication between critical components within the avionics system, or if they are also used for communication between the avionics and non-critical systems like the IFE. Boeing did not respond to a request for comment.
“The data exchanges are pre-programmed as a part of their system requirements—each transmitter and receiver is programmed for specific data to be provided at a specific rate,” Lemme says. “Each receiver is checking that the data is being received when it should be received, and that it is receiving valid data.”
The big question in this case would be whether the restrictions programmed into the avionics software were properly coded to reject the communication.
“People suggest that it’s possible there’s unintended ways of using that interface if it wasn’t [implemented] 100 percent [correctly] and they left some gaps. But I don’t believe these gaps exist,”
Lemme says there may be some aircraft that now use ethernet connections in place of ARINC 429 buses to transmit data from the avionics to the entertainment system. But in a design like that, he says, there would be a box sitting between the avionics system and the in-flight system to securely convey information to the latter without allowing a connection back to the avionics from the IFE.
During an interview with WIRED in April, Roberts said he found vulnerabilities that allowed him to jump from the satellite communication system (SATCOM) to the inflight entertainment and cabin-management systems.
The FBI affidavit doesn’t address the SATCOM system, but Lemme says Roberts would not be able to access the avionics in this way, either.
A Teller of Tales?
All of this appears to add up to the conclusion that there’s no way Roberts could have hacked the thrust controls of a plane and manipulated the aircraft, either through the IFE, the SATCOM or anything else. But then how to explain the FBI affidavit?
Roberts told WIRED after the affidavit came out that the FBI took what he said out of context.
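The receiver-side behaviour Lemme describes above (each receiver programmed for specific labels at a specific rate, checking that data arrives when it should and is valid) is easy to show in code. The block below is an added example, not code from WIRED, Boeing, Panasonic, Thales or any avionics vendor. It models ARINC 429 words (8-bit label sent MSB-first, 2-bit SDI, 19 data bits, 2-bit SSM, odd parity) and a consumer that drops anything it was not programmed for. The labels, update rates and data values are assumptions for the example; real BNR scaling of latitude and longitude is omitted and the data field is used raw. It cannot, of course, demonstrate the electrical one-way nature of the bus, only the validation a receiver applies to what arrives.

```python
"""Toy ARINC 429 receiver: fixed labels at fixed rates, parity and status checked.
Added example; labels 310/311/312 and all timing values are assumptions."""
from dataclasses import dataclass, field

SDI_SHIFT, DATA_SHIFT, SSM_SHIFT, PARITY_SHIFT = 8, 10, 29, 31
DATA_MASK = (1 << 19) - 1
SSM_NORMAL = 0b11  # BNR words: 00 failure warning, 01 no computed data, 10 test, 11 normal


def _rev8(b: int) -> int:
    """The label is the one field sent MSB-first, so it sits bit-reversed in the word."""
    return int(f"{b:08b}"[::-1], 2)


def encode(label: int, data: int, sdi: int = 0, ssm: int = SSM_NORMAL) -> int:
    """Build a word; bit 32 is set so that the total number of 1 bits is odd."""
    word = (_rev8(label) | (sdi << SDI_SHIFT)
            | ((data & DATA_MASK) << DATA_SHIFT) | (ssm << SSM_SHIFT))
    parity = 0 if bin(word).count("1") % 2 else 1
    return word | (parity << PARITY_SHIFT)


def decode(word: int):
    """Return (label, sdi, data, ssm); reject any word that fails odd parity."""
    if bin(word).count("1") % 2 == 0:
        raise ValueError(f"parity error in word {word:#010x}")
    label = _rev8(word & 0xFF)
    sdi = (word >> SDI_SHIFT) & 0b11
    data = (word >> DATA_SHIFT) & DATA_MASK
    ssm = (word >> SSM_SHIFT) & 0b11
    return label, sdi, data, ssm


@dataclass
class Receiver:
    """A consumer such as an IFE position feed: programmed for specific labels at a
    maximum interval, it drops everything else and notices when data stops."""
    expected: dict                       # label -> max seconds between updates
    last_seen: dict = field(default_factory=dict)
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def on_word(self, word: int, t: float) -> None:
        try:
            label, sdi, data, ssm = decode(word)
        except ValueError as err:
            self.rejected.append((t, str(err)))
            return
        if label not in self.expected:
            self.rejected.append((t, f"unexpected label {label:03o}"))
            return
        if ssm != SSM_NORMAL:
            self.rejected.append((t, f"label {label:03o} not in normal operation"))
            return
        self.last_seen[label] = t
        self.accepted.append((t, label, data))

    def stale(self, now: float) -> list:
        """Labels whose data did not arrive when it should have."""
        return sorted(lbl for lbl, interval in self.expected.items()
                      if now - self.last_seen.get(lbl, float("-inf")) > interval)


def run_demo():
    """Feed five rounds of lat/long/ground-speed words, then two bad ones."""
    rx = Receiver(expected={0o310: 0.3, 0o311: 0.3, 0o312: 0.3})
    t = 0.0
    for i in range(5):
        for label, base in ((0o310, 100), (0o311, 200), (0o312, 300)):
            rx.on_word(encode(label, base + i), t)
        t += 0.1
    # An unprogrammed label (hypothetical 001, standing in for "something the
    # avionics never send") and a word with one bit flipped in transit.
    rx.on_word(encode(0o001, 0x1234), t)
    rx.on_word(encode(0o310, 105) ^ (1 << 15), t)
    return rx, t


if __name__ == "__main__":
    rx, t = run_demo()
    print(f"accepted {len(rx.accepted)}, rejected {rx.rejected}")
    print("stale now:", rx.stale(t), " stale 0.5 s later:", rx.stale(t + 0.5))
```

The two rejections in the demo are the two failure modes a receiver is built to catch: a label it was never configured to consume, and a word that no longer passes parity. The `stale()` check is the "received when it should be received" half of Lemme's description.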
Tomi Engdahl says:
Waving the Flag
http://www.eetimes.com/author.asp?section_id=36&doc_id=1326682&
Economic espionage in the electronics industry is really the issue?
The U.S. is once again raising the flag against China for economic espionage in the electronics industry.
Several blips appeared on the radar last week. First, there is the case against six Chinese citizens on a charge by the U.S. Department of Justice that they stole trade secrets from U.S. companies Avago Technologies and Skyworks Solutions. In addition, the U.S. Navy has said it aims to replace IBM servers that are made by China’s Lenovo.
Concerns are growing within the U.S. government that China aims to grab American technology, yet Washington appears at times to be working at cross purposes.
Tomi Engdahl says:
SNAFU: Blighty’s judges NOT TRUSTWORTHY, says their own website
M’learned friends’ sysadmins forgot to renew their security cert
http://www.theregister.co.uk/2015/05/27/gov_department_lets_security_cert_expire/
UK.gov’s judiciary website has had its security compromised after bungling administrators failed to renew a security certificate.
This means judiciary.gov.uk lacks a verifiably secure HTTPS connection – meaning communications between browser and website are no longer encrypted.
Firefox’s default settings trigger a further warning if you do this: “Even if you trust the site, this error could mean that someone is tampering with your connection.”
Tomi Engdahl says:
Insurer Won’t Pay Out For Security Breach Because of Lax Security
http://it.slashdot.org/story/15/05/27/0344205/insurer-wont-pay-out-for-security-breach-because-of-lax-security
In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data.
Among other things, Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet,”
as insurers anxious to get into a cyber insurance market that’s growing by about 40% annually use liberally written exclusions to hedge against “known unknowns” like lax IT practices, pre-existing conditions (like compromises) and so on.
Clueless Clause: Insurer Cites Lax Security in Challenge to Cottage Health Claim
https://securityledger.com/2015/05/clueless-clause-insurer-cites-lax-security-in-challenge-to-cottage-health-claim/
There wasn’t anything particularly surprising about the news, in December, 2013, that confidential data on patients at Cottage Health System had been exposed on the Internet.
Indeed, in light of subsequent attacks on healthcare industry firms like Athena (80 million records exposed) and Premera, the data leak at California-based Cottage, which involved 32,755 patients, looks like a rounding error. But the incident may prove to have an impact that far exceeds the number of individuals affected, now that Cottage’s insurer, Columbia Casualty Insurance is denying an insurance claim linked to the breach and citing Cottage Health’s lax security practices as the reason.
In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow “minimum required practices,” as spelled out in the policy. Among other things, Cottage “stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the Internet,” the complaint alleges.
Tomi Engdahl says:
Cyber insurance: Only fools rush in
http://www.itworld.com/article/2839393/cyber-insurance-only-fools-rush-in.html
Experts say that the cyber insurance market is still young and, when it comes to insuring against cyber attacks, do your homework
With prominent corporations from across the economy bleeding customer data and paying through the nose for it, “cyber insurance” has become a hot topic in corporate boardrooms and the media. Companies – from the Fortune 10 on down – are looking to hedge their online risks with various kinds of business insurance. That demand, in turn, is fueling a rapid expansion of the cyber insurance industry that was little more than a niche offering five years ago.
But insurance industry experts and corporate security professionals offer words of caution for companies that think they may want to insure their cyber risks. The cyber insurance market, they say, is still new. Companies that want to buy such a product would do well to understand their needs and the limitations of cyber coverage before they put their money on the table.
Insuring ‘everything that everyone does’
At AON PLC, the London-based firm that is the world’s largest reinsurance broker, Kevin Kalinich, AON’s Global Practice Leader for Cyber Risk, says that data from the company’s Global Risk Insight Platform (GRIP) – a repository of insurance placement data – shows the cyber insurance market growing at 38% annually. That is about twice the rate, measured by market sales, of the next fastest growing market that AON tracks, according to Kalinich.
Cyber incidents at private sector firms tend to follow a familiar pattern: law enforcement is contacted and will begin criminal investigations. Cyber forensic investigators are hired to piece together what happened and security consultants will analyze and remove the malware from any affected systems. Finally: customers who were affected will be notified and – typically – offered free credit monitoring services to help watch for fraud linked to their stolen identity or account information. All of these services will come at a cost, of course, as does the business disruption that results. Current cyber insurance policies are structured to recover some or most of those costs.
Tomi Engdahl says:
Android’s factory reset has a security problem. Here’s how to fix it
http://www.theverge.com/2015/5/26/8661461/android-factory-reset-disk-encryption-resale
How do you sell a phone without giving away the data on it? If you’ve used a phone even briefly, it’s filled with all kinds of sensitive data, including passwords and login tokens alongside personal texts and photos, all of which need to be erased before you can safely put the phone up for sale. The standard answer is a factory reset, which wipes the memory and restores the phone’s settings, but there’s a growing body of evidence that, for Android phones at least, the factory reset isn’t enough.
A study published last week revealed methods that can dig up incredibly sensitive data from supposedly wiped phones, including the login token used to sign into Google accounts. The core of the problem is flash memory, which limits how often a given block of memory can be overwritten.
Those flash memory issues aren’t new, but combined with the way mobile apps handle logins, they have serious consequences for Android users.
The quick fix for this is simple: encrypt the data on your phone before you get rid of it. (You can find the option at Settings > Security > Encrypt Phone, for any Android version since 3.0.) Adrian Ludwig, the lead engineer for Android security, recommended preemptive disk encryption for anyone giving up their phone. “If you plan to resell or discard your device and you haven’t already, encrypt it and then perform a factory reset,”
Disk encryption is also why, for the most part, iPhones are already protected. iPhones use the same solid-state memory as Android phones, but iOS devices have provided full disk encryption since 2009, when iOS 3.0 was deployed. More importantly, that encryption is supported by Apple’s own hardware.
That’s why, when security companies dive into the problems with factory resets, they generally pick on Android rather than iOS.
It’s a classic security quagmire, playing off the intersection of hardware vendors, application security, and Android at large, with no easy solution from any angle. The good news for users is that harvesting data from factory-reset hard drives is slow work, and most of what’s recovered is low-value data like texts and contact lists. For now, criminals seem to have decided it’s not worth the trouble.
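The mechanism behind the article above (a reset that only re-formats the logical volume leaves stale flash pages readable; encrypting first makes those pages worthless without the key) can be shown with a small simulation. This is an added example, not code from the Cambridge study, Google or any handset vendor. The flash model is a toy: writes go out-of-place (wear levelling), so the previous physical page keeps its contents until it is actually erased. The "cipher" is XOR with a SHA-256 keystream, a stand-in for a real disk cipher, and the token is a constructed sample.

```python
"""Naive reset vs. full erase vs. encrypt-then-reset on a toy wear-levelled flash.
Added example; the flash model, the keystream cipher and the token are all
constructed for illustration."""
import hashlib
import os

PAGE = 32
TOKEN = b"oauth2:ya29.CONSTRUCTED_SAMPLE"   # constructed, not a real token


class ToyFlash:
    def __init__(self, pages: int = 16):
        self.phys = [b"\xff" * PAGE] * pages   # erased pages read as 0xff
        self.free = list(range(pages))
        self.lmap = {}                          # logical page -> physical page

    def write(self, lpage: int, data: bytes) -> None:
        """Out-of-place write: the previous physical page is left unerased."""
        ppage = self.free.pop(0)
        self.phys[ppage] = data.ljust(PAGE, b"\xff")[:PAGE]
        self.lmap[lpage] = ppage

    def read(self, lpage: int) -> bytes:
        return self.phys[self.lmap[lpage]]

    def factory_reset(self) -> None:
        """Naive reset: drop the mapping and lay down a fresh empty filesystem."""
        self.lmap.clear()
        self.write(0, b"fresh-empty-filesystem")   # every other page is untouched

    def erase_all(self) -> None:
        """What a correct reset needs: every physical page put back to 0xff."""
        self.phys = [b"\xff" * PAGE] * len(self.phys)
        self.free = list(range(len(self.phys)))
        self.lmap.clear()

    def carve(self, needle: bytes) -> list:
        """Attacker view: dump the raw chip and search every page, mapped or not."""
        return [p for p in self.phys if needle in p]


class EncryptedFlash(ToyFlash):
    """Per-page keystream from a key held off the chip (think: wrapped in the
    crypto footer or keystore).  A reset throws the old key away."""

    def __init__(self, key: bytes, pages: int = 16):
        super().__init__(pages)
        self.key = key

    def _pad(self, lpage: int) -> bytes:
        # SHA-256 output is 32 bytes, i.e. exactly one PAGE
        return hashlib.sha256(self.key + lpage.to_bytes(4, "big")).digest()

    def write(self, lpage: int, data: bytes) -> None:
        clear = data.ljust(PAGE, b"\xff")[:PAGE]
        super().write(lpage, bytes(a ^ b for a, b in zip(clear, self._pad(lpage))))

    def read(self, lpage: int) -> bytes:
        return bytes(a ^ b for a, b in zip(super().read(lpage), self._pad(lpage)))

    def factory_reset(self) -> None:
        self.key = os.urandom(32)   # new key first: the old ciphertext is now noise
        super().factory_reset()


def token_recoverable(mode: str) -> bool:
    """mode is 'naive' (reset only), 'erase' (full erase) or 'encrypt' (then reset)."""
    flash = EncryptedFlash(os.urandom(32)) if mode == "encrypt" else ToyFlash()
    flash.write(3, TOKEN)                     # an app caches its login token
    flash.write(3, TOKEN + b"-refreshed")     # and rewrites it: a second stale copy
    flash.write(4, b"sms: constructed sample")
    if mode == "erase":
        flash.erase_all()
    else:
        flash.factory_reset()
    return bool(flash.carve(b"oauth2:"))


if __name__ == "__main__":
    for mode in ("naive", "erase", "encrypt"):
        print(f"{mode:8s} token recoverable from raw chip: {token_recoverable(mode)}")
```

The "encrypt" path is what Ludwig's advice amounts to: the stale pages are still physically there, but without the discarded key they carry nothing. One caveat the toy omits: if the wrapped key itself survives in a stale page, an attacker is reduced to guessing the unlock PIN offline, so the benefit also depends on the PIN being strong.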
Tomi Engdahl says:
Security Analysis of Android Factory Resets
http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf
Tomi Engdahl says:
Encrypted network traffic is a new threat
Encryption of network traffic has become far more common in recent years. For privacy and security it is a great thing. But not only that: online criminals and state-backed attackers now also hide in HTTPS traffic to protect themselves when they distribute malware and steal data.
SSL/TLS-encrypted traffic is a growing security risk for businesses. Firewalls have long analyzed unencrypted traffic for threats, but encrypted traffic is harder to get a grip on – though not impossible.
“Encrypted traffic is the easiest way to get malicious data in and out,” said Patrick Sweeney, head of Dell’s network security business, at the company’s PeakPerformance event in Germany.
According to him, the volume of HTTPS traffic grew by 109 per cent last year.
“Even an ordinary Google search is encrypted nowadays.”
According to Dell’s observations, SSL/TLS encryption has started to spread heavily among attackers. For example, they fool website users with fake certificates for encrypted SSL traffic.
Encryption also serves an intruder once the data worth stealing has been found. When the data is exported outside, the traces of the traffic are covered with SSL encryption. Likewise, encryption is used for the remote control of hijacked systems and for botnets.
How to combat the threat?
“At the network packet level we have a well-established security disaster,” Sweeney summed up.
How, then, should a company dig into the risk? At the very least it needs to find out which user, on which device, is talking to which network addresses and how often.
One way is to route all traffic through a proxy server with an SSL traffic scanning solution attached to it. It has to be very efficient so that traffic does not get stuck. There are, for example, UTM boxes, which are used especially in large companies.
Dell, incidentally, has a solution to the encrypted traffic threat aimed specifically at smaller businesses: the new SonicWALL TZ firewall.
The device is able to analyze encrypted traffic: it is decrypted and then, before transport continues, encrypted again. The idea is primarily to check, for every SSL connection, whether the SSL certificate is actually valid. On the intranet side it requires users to accept SonicWALL’s own encryption certificate, otherwise the result is warnings.
Enterprise users should be informed that encrypted traffic is being opened. On the other hand, administrators can whitelist trusted web addresses whose traffic does not need to be broken open to prospect for threats.
Snooping can even be restricted to an IP address space in which no employee should have any business.
“One bank discovered it was the target of an attack only because it noticed encrypted traffic going to Azerbaijan, although the bank did not have any contacts there,” Sweeney said. “Soon the bank found a botnet colonizing its network.”
Source: http://www.tivi.fi/Kaikki_uutiset/2015-05-27/Salattu-verkkoliikenne-onkin-uusi-uhka-3321172.html
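Two of the comments above call for the same small piece of logic: the judiciary.gov.uk story (an expired certificate nobody noticed) and the Dell article (an inspecting proxy that checks whether every SSL certificate is actually valid, bypasses whitelisted sites, and records who talks to which address how often so that traffic to a country the business has no contacts in stands out). The block below is an added example of those checks; it is not SonicWALL code and not from Dell, The Register or tivi.fi. Certificates are in the dict shape `ssl.SSLSocket.getpeercert()` returns, constructed here with example.* names and an arbitrary fixed clock so the run is reproducible. A real proxy must also walk the full chain, check subjectAltName and revocation, and use a proper hostname matcher.

```python
"""Inspect/bypass/block decisions for TLS flows, plus the expiry, issuer and
name checks behind them and a who-talks-to-where summary.  Added example;
trust store, whitelist, expected countries, names and flows are all constructed."""
import ssl
from collections import Counter
from dataclasses import dataclass

NOW = ssl.cert_time_to_seconds("May 27 12:00:00 2015 GMT")   # fixed clock
TRUSTED_ISSUERS = {"Example Root CA"}           # assumed trust store
WHITELIST = {"bank-partner.example.com"}        # trusted addresses never opened
EXPECTED_COUNTRIES = {"FI", "DE", "GB", "US"}   # where the company has contacts
RENEWAL_WARNING = 14 * 86400                    # warn two weeks before expiry
SOFT = {"expires soon"}                         # warn, do not block


def name_attrs(rdns):
    """Flatten getpeercert()'s tuple-of-RDN-tuples into a plain dict."""
    return {k: v for rdn in rdns for k, v in rdn}


def cert_problems(cert: dict, hostname: str, now: float = NOW) -> list:
    """Checks a proxy applies before it re-encrypts towards the client."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")          # the judiciary.gov.uk failure mode
    elif not_after - now < RENEWAL_WARNING:
        problems.append("expires soon")     # the reminder their admins lacked
    subject, issuer = name_attrs(cert["subject"]), name_attrs(cert["issuer"])
    if subject.get("commonName") != hostname:
        problems.append("name mismatch")    # a certificate for somebody else's site
    if subject == issuer:
        problems.append("self-signed")
    elif issuer.get("commonName") not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    return problems


@dataclass
class Flow:
    user: str
    device: str
    dst_ip: str
    dst_country: str
    sni: str
    cert: dict


def decide(flow: Flow, now: float = NOW):
    """BYPASS whitelisted sites, BLOCK on a hard certificate problem, otherwise
    INSPECT (decrypt, scan, re-encrypt under the proxy's own certificate)."""
    if flow.sni in WHITELIST:
        return "BYPASS", []
    problems = cert_problems(flow.cert, flow.sni, now)
    hard = [p for p in problems if p not in SOFT]
    return ("BLOCK" if hard else "INSPECT"), problems


def summarize(flows):
    """Who, from which device, talks to which address how often, and which
    destination countries fall outside the expected footprint."""
    per_dest = Counter((f.user, f.device, f.dst_ip) for f in flows)
    odd = {f.dst_country for f in flows if f.dst_country not in EXPECTED_COUNTRIES}
    return per_dest, odd


def mkcert(cn: str, issuer_cn: str, not_before: str, not_after: str) -> dict:
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": not_before, "notAfter": not_after}


GOOD = ("May 01 00:00:00 2015 GMT", "Jan 01 00:00:00 2017 GMT")
FLOWS = [   # constructed sample flows
    Flow("alice", "laptop-03", "192.0.2.10", "GB", "bank-partner.example.com",
         mkcert("bank-partner.example.com", "Example Root CA", *GOOD)),
    Flow("bob", "laptop-07", "192.0.2.20", "US", "www.example.com",
         mkcert("www.example.com", "Example Root CA", *GOOD)),
    Flow("carol", "phone-11", "192.0.2.30", "GB", "expired.example.net",
         mkcert("expired.example.net", "Example Root CA",
                "May 26 00:00:00 2014 GMT", "May 26 23:59:59 2015 GMT")),
    Flow("dave", "laptop-17", "198.51.100.7", "DE", "update.example.org",
         mkcert("update.example.org", "update.example.org", *GOOD)),
] + [
    Flow("dave", "laptop-17", "203.0.113.9", "AZ", "cdn.example.org",
         mkcert("cdn.example.org", "Example Root CA", *GOOD)) for _ in range(3)
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.user, f.device, f.sni, *decide(f))
    per_dest, odd = summarize(FLOWS)
    print("beacon-like destinations:", [k for k, n in per_dest.items() if n >= 3])
    print("destination countries outside footprint:", odd)
```

The last two lines of output are the bank example from the article: the certificate on the Azerbaijani destination is perfectly valid, so inspection alone finds nothing; what gives the botnet away is the metadata summary, repeated flows from one device to an address in a country the business has no dealings with.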
Tomi Engdahl says:
Security software’s a booming market. Why is Symantec stumbling?
Data breaches drive increased security spend
http://www.theregister.co.uk/2015/05/27/gartner_survey_security_software_market_symantec/
Worldwide security software revenue totalled $21.4bn in 2014, a 5.3 per cent increase from 2013′s revenue of $20.3bn, according to the serious bean counters at Gartner.
A decline in consumer security software and endpoint protection — areas that together account for 39 per cent of the market — was more than offset by the strong performance of high-growth areas, such as security information and event management (SIEM), secure web gateways, identity governance and data loss prevention.
Symantec was once again the largest security software vendor by revenue, even though the company suffered its second consecutive year of revenue decline, down 1.3 per cent to $3.7bn, according to Gartner’s numbers.
A 6.2 per cent decrease in the consumer security software segment (which accounts for 53 per cent of Symantec’s security software revenue) was the primary cause of the decline in overall revenue growth.
By contrast, IBM in particular showed solid growth in 2014, with revenues growing 17 per cent in 2014 to reach $1.5bn.
Big Blue’s SIEM software products (aka security dashboards) grew 21 per cent, driven by strong adoption of this category of products by organisations and managed security service providers alike.
Gartner predicted the days of double-digit growth are over for the market segment. The SIEM market grew 11 per cent in 2014 to reach $1.6bn in revenue.
The strong focus on threat detection and response from security buyers contributed to the strong showing of this market segment, according to Gartner.
Tomi Engdahl says:
EU net neutrality could kneecap the Tories’ opt-out pr0n filter plans
Leaked doc reveals massive bunfight ahead if Cameron forces the issue
http://www.theregister.co.uk/2015/05/27/eu_net_neutrality_trumps_uk_smut_filter_plans/
David Cameron’s plans to treat us all like children unless we opt out look likely to be scuppered by new EU rules on net neutrality.
Two years ago the PM vowed to stop children stumbling across online pornography by making parental filters the default standard for internet service providers (ISPs). Sky Broadband introduced its “shield by default” to more than five million customers in January.
But as talks over the EU’s proposed net neutrality law limp on, a new leaked draft document (10 pages, PDF) from the EU’s council of national ministers says that parental controls should only be allowed “subject to a prior explicit consent of the end-users concerned.”
In other words, ISPs can’t just switch on the blockers without asking.
And, according to the text, even if a user gives parental controls the thumbs up, they should be able to “withdraw this consent at any time”.
It looks as though the net neutrality proposals as put forward by the EU parliament will also be ripped about by national ministers. The leaked text allows exceptions to the ban on blocking and throttling of content if it is “to comply with legal obligations, to preserve the integrity and security of the network, to prevent impending network congestion and/or mitigate the effects of temporary and/or exceptional network congestion, and to prevent the transmission of unsolicited communications within the meaning of Article 13 of Directive 2002/58/EC” – that’s spam to you and me.