Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect some new details of the NSA revelations to be published also in 2015. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster from which it can’t recover. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.
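The aggregation step described above, as an added example that is not part of the original post: two constructed indicator feeds in different layouts (a CSV one and a JSON one, standing in for a vendor feed and a community list) are normalized into one keyed structure that records which sources vouch for each indicator, and the result is then applied as an automated control over a few constructed proxy log lines. The feed layouts, the source names, the indicator values (all from documentation address ranges) and the log format are assumptions made for the example, not a real STIX or TAXII document.

```python
import csv
import io
import json
import re

# Constructed sample feed A: CSV, as a vendor might publish it (not real intelligence)
FEED_A_CSV = """type,value,source,confidence
ipv4,203.0.113.45,vendor-a,high
domain,update-check.example.net,vendor-a,medium
"""

# Constructed sample feed B: JSON with a different vocabulary for the same concepts
FEED_B_JSON = json.dumps([
    {"indicator": "203.0.113.45", "kind": "ip", "origin": "community-list"},
    {"indicator": "198.51.100.7", "kind": "ip", "origin": "community-list"},
    {"indicator": "cdn-static.example.org", "kind": "fqdn", "origin": "community-list"},
])

# Map each feed's own type names onto one shared vocabulary
TYPE_MAP = {"ipv4": "ipv4", "ip": "ipv4", "domain": "domain", "fqdn": "domain"}


def normalize_feeds(csv_text, json_text):
    """Merge both feeds into {(type, value): {"sources": set(...), "confidence": str}}."""
    merged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (TYPE_MAP[row["type"]], row["value"].lower())
        entry = merged.setdefault(key, {"sources": set(), "confidence": "unknown"})
        entry["sources"].add(row["source"])
        entry["confidence"] = row["confidence"]
    for item in json.loads(json_text):
        key = (TYPE_MAP[item["kind"]], item["indicator"].lower())
        entry = merged.setdefault(key, {"sources": set(), "confidence": "unknown"})
        entry["sources"].add(item["origin"])
    return merged


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def scan_logs(log_lines, merged):
    """Return one hit per (line, indicator) where a log line contains a known indicator."""
    hits = []
    for line in log_lines:
        candidates = {("ipv4", ip) for ip in IPV4_RE.findall(line)}
        candidates |= {("domain", h.lower()) for h in HOST_RE.findall(line)}
        for key in sorted(candidates):
            if key in merged:
                hits.append({
                    "line": line,
                    "type": key[0],
                    "indicator": key[1],
                    "sources": sorted(merged[key]["sources"]),
                })
    return hits


# Constructed proxy log lines in an assumed key=value format
SAMPLE_LOGS = [
    "2015-06-03T10:14:22Z src=10.0.0.5 dst=203.0.113.45 host=update-check.example.net status=200",
    "2015-06-03T10:15:01Z src=10.0.0.9 dst=192.0.2.10 host=www.example.com status=200",
    "2015-06-03T10:16:40Z src=10.0.0.5 dst=198.51.100.7 host=cdn-static.example.org status=302",
]

if __name__ == "__main__":
    merged = normalize_feeds(FEED_A_CSV, FEED_B_JSON)
    for hit in scan_logs(SAMPLE_LOGS, merged):
        print(hit["indicator"], "seen in", hit["line"], "-> sources:", hit["sources"])
```

The point of keeping the source set per indicator is that an indicator confirmed by two independent feeds can be given a different response (block) than one seen in a single feed (alert), which is the kind of decision that becomes possible only once the feeds are aggregated in a common structure.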

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, and about 50% of web traffic is now carried over HTTPS. HTTPS-everywhere will get a boost in 2015, as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    SourceForge sorry for adware, promises only opt-in in future
    Download site slaps self after GIMP grump, outlines meta-adware loopholes
    http://www.theregister.co.uk/2015/06/03/sourceforge_to_offer_only_optin_adware_after_gimp_grump/

    Software download service SourceForge has changed its adware-insertion policies after earning users’ ire for wrapping popular FOSS image-wrangling app The GIMP in an adware-riddled downloader.

    The tale of how ads came to The GIMP is long and twisted, but the salient bits of the story are that the version of the program on SourceForge was no longer maintained because The GIMP took itself elsewhere. SourceForge took that as a sign that it could apply its own installer, complete with what it calls “third party offers”.

    Reply
  2. Tomi Engdahl says:

    Vanity Fair used heavy security to protect Caitlyn Jenner’s exclusive
    http://mashable.com/2015/06/01/caitlyn-jenner-protected-exclusive/

    Who knew the gossipy, overexposed, selfie-taking Kardashians could be so good at keeping a secret?

    Vanity Fair unleashed one of the biggest cultural stories of the year on Monday with Caitlyn Jenner’s first public interview and photo shoot. The exclusive captivated the media world with a speed and intensity matched by few other articles.

    For Vanity Fair, Jenner and her family, it marks the result of months of negotiations and work, as well as beefed up security to keep the story from leaking. The magazine hired security for the shoot and forced people to give up their cell phones to prevent anything from leaking.

    The story and pictures were done on a single computer that was never connected to the Internet, with the assets put on a thumb drive every night and then deleted from the computer. The story was even hand-delivered to the printer.

    Reply
  3. Tomi Engdahl says:

    New SOHO Router Security Audit Uncovers Over 60 Flaws In 22 Models
    http://it.slashdot.org/story/15/06/02/2235254/new-soho-router-security-audit-uncovers-over-60-flaws-in-22-models

    Home and small-office routers have become a hotbed for security research lately, with vulnerabilities and poor security practices becoming the rule, rather than the exception. A new security audit by researchers from Universidad Europea de Madrid only adds to that list, finding 60 distinct flaws in 22 different device models.

    New SOHO router security audit uncovers over 60 flaws in 22 models
    http://www.itworld.com/article/2930295/new-soho-router-security-audit-uncovers-over-60-flaws-in-22-models.html

    In yet another testament of the awful state of home router security, a group of security researchers uncovered more than 60 vulnerabilities in 22 router models from different vendors, most of which were distributed by ISPs to customers.

    The flaws, most of which affect more than one router model, could allow attackers to bypass authentication on the devices; inject rogue code into their Web-based management interfaces; trick users into executing rogue actions on their routers when visiting compromised websites; read and write information on USB storage devices attached to the affected routers; reboot the devices, and more.

    The vulnerable models listed by the researchers were: Observa Telecom AW4062, RTA01N, Home Station BHS-RTA and VH4032N; Comtrend WAP-5813n, CT-5365, AR-5387un and 536+; Sagem LiveBox Pro 2 SP and Fast 1201; Huawei HG553 and HG556a; Amper Xavi 7968, 7968+ and ASL-26555; D-Link DSL-2750B and DIR-600; Belkin F5D7632-4; Linksys WRT54GL; Astoria ARV7510; Netgear CG3100D and Zyxel P 660HW-B1A.

    Past research has shown that the security of ISP-provided routers is often worse than that of off-the-shelf ones. Many such devices are configured for remote administration to allow ISPs to remotely update their settings or troubleshoot connection problems. This exposes the routers’ management interfaces along with any vulnerabilities in them to the Internet, increasing the risk of exploitation.

    Even though ISPs have the ability to remotely update the firmware on the routers they distribute to customers, they often don’t and in some cases the users can’t do it either because they only have restricted access on the devices.

    More than 60 undisclosed vulnerabilities affect 22 SOHO routers
    http://seclists.org/fulldisclosure/2015/May/129

    Reply
  4. Tomi Engdahl says:

    100kb of Unusual Code Protecting Nuclear, ATC and United Nations Systems
    http://it.slashdot.org/story/15/06/03/0442226/100kb-of-unusual-code-protecting-nuclear-atc-and-united-nations-systems

    For an ex-academic security company still in the seeding round, startup Abatis has a small but interesting roster of clients, including Lockheed Martin, the Swiss military, the United Nations and customers in the civil nuclear and air traffic control sectors. The company’s product, a kernel driver compatible with Windows, Linux and Unix, occupies just 100kb with no dependencies, and reportedly achieves a 100% effectiveness rate against intruders by preventing unauthorized I/O activity.

    100kb of unusual code protecting nuclear, ATC and United Nations systems
    http://thestack.com/abatis-hdf-united-nations-020615

    Abatis CEO Kerry Davis likens the company’s kernel driver to “the invention of the wheel – it’s really significant,” The product – since we cannot see the code – seems indistinguishable from magic, digital snake oil, as one hears the list of claims read out…

    It weighs in at under 100kb of discrete and autonomous code, prevents all attackers from writing to permanent storage, requires no signature files or whitelists, uses no heuristics or sandboxing, saves 7% of electricity costs, offers a 40% performance improvement over signature-based AV solutions, is backwards compatible to NT4 on Windows and is also available for Red Hat and other brands of Linux and Unix, in addition to a forthcoming iteration on Android.

    “We can stop zero day malware,” claims Davis. “The known unknowns and the unknown unknowns,”

    The company’s most powerful known client, Lockheed Martin, have released a partial report of their findings with the Abatis system, which finds the potential for scalable savings in data centres ‘highly significant’, observing ‘a potential annual cost saving in excess of £12 at server level’ – scaling up to £125,000 in a data centre with 10,000 servers.

    Rogan admits that in server environments that may not reboot for months, or even years, HGF’s write-prohibitions may not be so meaningful, since malign processes can do a lot of damage without writing to disk. “It’s not a magic bullet,” he admits. “we still see all those unapproved processes, but because they’re not actually trying to write to disk, but we could find [the processes] for you and make you aware of them,”

    The company sees the future of the company’s diminutive 100k watchdog especially in the exploding IoT field, and in the mobile space. “I see it in every mobile,”

    Reply
  5. Tomi Engdahl says:

    Snoopers’ Charter: GCHQ says it doesn’t have the manpower to spy on everyone
    Cyber security chief says concerns about surveillance are exaggerated
    http://www.theinquirer.net/inquirer/news/2411161/snoopers-charter-gchq-says-it-doesnt-have-the-manpower-to-spy-on-everyone

    GCHQ HAS HIT BACK at reports that the UK government is turning the nation into a police state, arguing that it does not have the resources to snoop on everyone.

    Speaking at InfoSec in London, Ciaran Martin, GCHQ’s director general for cyber security, called for businesses to begin working with the agency, arguing that many concerns about its surveillance activities are largely exaggerated.

    “Our intelligence gathering has been the source of controversy recently. I can’t comment on that. The Queen’s Speech laid out the plans,” he said.

    “But I would note that we use our powers extremely carefully. One of the things that’s been said flippantly in our defence is that we don’t have the power to do a mass intrusion.”

    “We’re simply not big enough to put a big cyber umbrella over the entire country. Our focus has to be on the high-end attacks: risks to national infrastructure, securing defence assets and assisting government departments making the transition to digital services.”

    Reply
  6. Tomi Engdahl says:

    The exponential growth of security threats continues: according to security company Check Point’s recent global report on the situation, 2015 seems to be again an excellent year for threats.

    The rapid growth indicates that modified, unrecognizable malware tried to get into corporate networks in 2014 at an average of 106 copies per hour. In 2013 the corresponding figure was 2.2 viruses per hour.

    Attacks on and threats to mobile devices are soaring in particular. Check Point Software Technologies Country Manager Finland Petri Sonkeri says that 42 percent of companies surveyed have had to suffer through a major attack or malware incident that came with a mobile device.

    “Do not imagine now that a mobile device management system provides you with enough security, or that a firewall is an adequate protection solution for a mobile phone. If you want to keep mobile phones safe, it requires the correct security solutions.”

    Basic security cannot be compromised

    Almost half of the companies involved in the network monitoring received an unexpected guest in 2014. 41 per cent of the companies downloaded at least one file with an unknown infection to the corporate network during the study period.

    Traditional security companies should keep updated and at the same time consider how mobile devices are handled. Risky applications should not be used. Among these Sonkeri counts file sharing applications and remote access applications with a lot of known vulnerabilities, such as TeamViewer or Dropbox. The most common file type according to last year’s report was a PDF containing malware.

    In addition, corporate networks show a surprising amount of use of peer-to-peer programs.

    “I want to emphasize that, although new threats are the most serious part of the growing problem, this does not detract from the need to keep basic security in condition against known risks,”

    Expert separately

    “The attacks are more targeted. There may also be political or military interests. Frequently financial gain is sought. Buying a targeted attack on a network is easy. Denial of service attacks can be purchased off the shelf as a commodity and come with support services. ”

    “The focus for the penetrator is to use such methods which cannot be identified, or previously undiscovered vulnerabilities.”

    The report shows that only one percent of businesses used zero-day attack shielding technology. One option is traditional sandbox technology. Solutions are available cost-effectively as a cloud service.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-06-03/Yritysten-ovelle-koputtavien-haitakkeiden-m%C3%A4%C3%A4r%C3%A4-r%C3%A4j%C3%A4hti-viime-vuonna-2-tunnissa-nyt-106-3322343.html

    Report: http://www.checkpoint.com/resources/2015securityreport/?utm_source=pressrelease&utm_medium=hyperlink&utm_campaign=securityreport15&source=pressrelease

    Reply
  7. Tomi Engdahl says:

    Wanna play with IoT toys? Then prepare to be breached
    BYOD’s trashier cousin becoming a right tearaway
    http://www.theregister.co.uk/2015/06/03/iot_toys_insecurity_byod/

    Bring Your Own Device is problematic enough, but now staff are increasingly bringing inherently insecure, internet-connected smart devices into work, making a mockery of established security policies in the process.

    Staff and bosses bringing their own smartphones and laptops into enterprises can be managed using mobile device management technology, encryption and segmentation of devices.

    But few have thought through the implications of bringing smart TVs into the same environment.

    IoT devices are penetrating some of the world’s most regulated industries, including healthcare, energy, government and financial services. These devices introduce new avenues to attack enterprise networks, a new study by OpenDNS warns.

    The internet infrastructure used to enable IoT devices is beyond both the user and IT department’s control. IT’s often casual approach to IoT device management can leave devices unmonitored and unpatched against vulnerabilities, including Heartbleed and others.

    Consumer devices such as Dropcam internet video cameras, Fitbit wearable fitness devices, Western Digital “My Cloud” storage systems, various connected medical devices, and Samsung Smart TVs continuously poll servers in the US, Asia and Europe, even when not in use.

    OpenDNS’s study is based on real-world but anonymised data from customers. The firm is talking to vendors of IoT kit as part of its on ongoing research into the subject. “The security of these devices is based on nobody knowing the URLs they contact – it’s security through obscurity,” Hay added.

    Consumer-grade IoT devices are often developed with little or no thought for security. The insecurity of theses devices – along with threat intelligence – were both key themes of Infosecurity Europe 2015.

    Ken Munro, a director at security consultancy Pen Test Partners, added: “Every time we look at IoT we see security flaws from 2001.”

    Convenience and wow factor are driving the consumer market for IoT gizmos. In this rush, little thought has been put into security, which is a problem because it’s always more expensive to bolt security on after the fact than build it in during the design process.

    Reply
  8. Tomi Engdahl says:

    Typing ‘http://:’ Into a Skype Message Trashes the Installation Beyond Repair
    http://it.slashdot.org/story/15/06/03/1237208/typing-http-into-a-skype-message-trashes-the-installation-beyond-repair

    A thread at the Skype community forums has brought to light a critical bug in Microsoft’s Skype clients for Windows, iOS and Android: typing the incorrect URL initiator http://: into a text message on Skype will crash the client so badly that it can only be repaired by installing an older version and awaiting a fix from Microsoft.

    These 8 characters crash Skype, and once they’re in your chat history, the app can’t start (Update: fixed)
    http://venturebeat.com/2015/06/02/these-8-characters-crash-skype-and-once-theyre-in-your-chat-history-the-app-cant-start/

    Skype users have discovered a rather nasty bug in the app. Sending the characters “http://:” (without the quotes) crashes Skype, and receiving a message with those characters makes it crash any time you try to sign in again.

    The bug works as described on Windows, Android, and iOS.

    Skype user “Lazymax” notes that you can get around the bug if the person who sent you the characters deletes the “bad” message. If you then install an older version of Skype, you can use it again.

    Update: Skype has confirmed the bug. “We are aware of the problem and are working to provide a resolution,” a Skype spokesperson told VentureBeat.

    Update: On some platforms, Skype now filters out the offending characters.

    Reply
  9. Tomi Engdahl says:

    Microsoft: OpenSSH coming to PowerShell for interoperability between Linux and Windows
    Not the Power Shell from Mario Kart
    http://www.theinquirer.net/inquirer/news/2411425/microsoft-openssh-coming-to-powershell-for-interoperability-between-linux-and-windows

    MICROSOFT HAS ANNOUNCED that OpenSSH, the security protocol at the heart of Linux-based systems, is to get support in its products.

    The move is the latest in a long string of acts of openness as Microsoft steers towards taking its place in a multi-platform world, rather than attempting to recreate the domination that has slipped through its fingers as the landscape has evolved.

    Microsoft has been working to integrate Linux into products like Azure for some time, and it’s getting to the point where it would be pretty idiotic to hold out any further.

    Angel Calvo, group software engineering manager for the PowerShell team, said: “A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux – both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH.

    “Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and remotely manage Linux and Windows systems.”

    Reply
  10. Tomi Engdahl says:

    OpenSSH was hit by a vulnerability known as Logjam last month. A joint statement from US universities investigating the glitch said: “If you use SSH, you should upgrade your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.”

    Source: http://www.theinquirer.net/inquirer/news/2411425/microsoft-openssh-coming-to-powershell-for-interoperability-between-linux-and-windows

    FREAK-like Logjam threat risk hits SSL and weakens encryption
    And no one wants it
    http://www.theinquirer.net/inquirer/news/2409573/freak-like-logjam-threat-risk-hits-ssl-and-weakens-encryption

    THE SECURITY COMMUNITY is currently awash with comment on Logjam, an SSL-targeting threat that could affect a lot of people in a lot of places.

    “Diffie-Hellman key exchange is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection,” explained the researchers.

    “It is fundamental to many protocols, including HTTPS, SSH, IPsec, SMTPS and protocols that rely on TLS. We have uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed.”

    The researchers recommended a number of immediate actions to mitigate the threat, such as to disable, enable, update and upgrade systems.

    “If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2,048-bit Diffie-Hellman group,” they said.

    “If you use SSH, you should upgrade your server and client installations to the most recent version of OpenSSH, which prefers Elliptic-Curve Diffie-Hellman key exchange.”

    “The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection,” it explained.

    “The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange.

    Reply
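The two server-side recommendations quoted in the comment above (disable export cipher suites, and use a unique Diffie-Hellman group of at least 2,048 bits) can be checked from the configuration artefacts themselves. The following is an added example, not code from the original post or from the Logjam researchers: it parses a PEM "DH PARAMETERS" file (the `openssl dhparam` output format, DER `SEQUENCE { INTEGER p, INTEGER g }`), reports the group size and classifies it, and separately flags export-grade entries in a cipher suite list. The sample parameter files are constructed inline from non-prime moduli of the relevant sizes (the encoding and bit length are what the check looks at), and the cipher suite names and the `EXP-`/`EXPORT` naming convention are assumptions of the example.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem_text):
    """Return (p, g) from a PEM 'DH PARAMETERS' blob."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(match.group(1).split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two DER INTEGERs (p, g)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def assess_dh_group(pem_text, minimum_bits=2048):
    """Classify a DH group by the bit length of its modulus p."""
    p, g = parse_dh_params(pem_text)
    bits = p.bit_length()
    if bits <= 512:
        verdict = "export-grade (Logjam downgrade target)"
    elif bits < minimum_bits:
        verdict = "weak"
    else:
        verdict = "ok"
    return {"bits": bits, "generator": g, "verdict": verdict}


EXPORT_MARKERS = ("EXP-", "EXPORT")  # assumed naming convention for export suites


def export_suites(cipher_names):
    """Return the cipher suite names that denote export-grade suites."""
    return [c for c in cipher_names if any(m in c.upper() for m in EXPORT_MARKERS)]


# --- helpers to build constructed sample files (DER encoder for the two-integer SEQUENCE) ---
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_integer(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps the INTEGER positive
    return b"\x02" + _der_length(len(raw)) + raw


def make_test_pem(p, g=2):
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


# Constructed sample moduli: NOT real primes, only their sizes matter for this check
SAMPLE_EXPORT_PEM = make_test_pem((1 << 511) | 1)   # 512-bit, export grade
SAMPLE_1024_PEM = make_test_pem((1 << 1023) | 1)    # 1024-bit, below the recommended size
SAMPLE_2048_PEM = make_test_pem((1 << 2047) | 1)    # 2048-bit, as recommended
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "DHE-RSA-AES256-SHA",
    "EXP-RC4-MD5",
]

if __name__ == "__main__":
    for name, pem in (("export", SAMPLE_EXPORT_PEM), ("1024", SAMPLE_1024_PEM), ("2048", SAMPLE_2048_PEM)):
        print(name, assess_dh_group(pem))
    print("export suites to disable:", export_suites(SAMPLE_SUITES))
```

Run against a real file, `assess_dh_group(open("dhparams.pem").read())` gives the size of the group a server would offer; a result below 2048 bits, or any non-empty `export_suites` list for the configured suite string, is exactly the condition the researchers' advice is meant to remove.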
  11. Tomi Engdahl says:

    Kevin McCoy / USA Today:
    IRS: Cyberthieves stole up to $39M
    http://www.usatoday.com/story/money/2015/06/02/irs-data-breach-senate-hearing/28353983/

    Cyber-thieves responsible for a large IRS data breach stole as much as $39 million by filing fraudulent tax refunds after gaining access to taxpayer information, the head of the nation’s tax agency told Congress Tuesday.

    IRS Commissioner John Koskinen provided the updated damage estimate on the embarrassing data breach initially made public last week and said federal tax officials are working with private tax-preparation firms in an effort to strengthen U.S. tax system security.

    However, the federal inspector general who oversees the IRS predicted the agency could face additional computer attacks as preliminary investigation results show the cyber-thieves were part of an effort operated from Internet domains in Russia and other countries.

    “For now, our biggest concern is for the affected taxpayers, to make sure they are protected against fraud in the future,”

    IRS electronic fraud programs blocked the criminal efforts to file an estimated 23,500 returns. But the cyber-thieves succeeded in obtaining refunds for up to $39 million by filing approximately 13,000 fraudulent returns using stolen taxpayer data

    Reply
  12. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Terbium Labs’ Matchlight technology aims to find stolen data on the dark net before it is sold

    When stolen data turns up on the dark web, this tech can find it fast
    http://www.zdnet.com/article/stolen-data-on-the-data-dark-web-matchlight/

    The team says that its new technology could have helped prevent the recent data leak at the US government’s tax department.

    In more cases than not, it can take companies weeks or months to discover that hackers have stolen critical corporate or customer data.

    A new technology launched Wednesday, called Matchlight, built by a Baltimore, MD.-based security startup Terbium Labs, can trace the source of a data breach — even on the dark web which is accessible through anonymity networks such as Tor. The aim is to cut down response times, seal leaks in company systems, and get a recovery plan in place sooner rather than later.

    “There will always be a path out of your network through an advanced or insider threat,” said co-founder Danny Rogers in a phone call last week. “There is no defense that’s perfect. If you can’t stop everything, what else can you do? That’s when we started to focus on immediate threat detection,” he said.

    Rarely do red flags appear on a screen inside a company’s firewall warning that its systems have been breached. In reality, most data breaches are discovered because someone stumbles across stolen data in an underground forum, up for sale to the highest bidder.

    Here’s how it works:

    The customer, such as a retailer or a bank, has a database of sensitive data, from credit card numbers to usernames and passwords. With an appliance, they can generate in-house unique fingerprints of that data. Those fingerprints go into Matchlight’s cloud, without any sensitive data leaving that company’s systems. Combined with an advanced web crawler that’s able to index sites on the dark web, the company can be immediately informed when a fingerprint is found.

    And that happens near-instantaneously, and regardless of the type of attack that led to the data theft in the first place.

    “We can look inside marketplaces where there may be credentials required — we’re accessing the same way humans do, but thousands of times larger,” said Moore.

    During advanced testing prior to its launch, the two co-founders said they identified 30,000 new credit cards go up for sale on the dark web, as well as 6,000 email addresses and passwords in a single day.

    “There’s a lot that can be done once the data is out there,” said Rogers. “The hardest part is finding out the data is out there in the first place.”

    Reply
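The "how it works" paragraph above describes a fingerprint-and-match design: sensitive records are fingerprinted inside the customer's network, only the fingerprints are shared, and a crawler hashes what it finds and looks for collisions. The following is an added illustration of that division of labour, not Terbium Labs' code: the article does not describe their actual fingerprint scheme, so plain SHA-256 over a normalised token stands in for it, and the customer records and "crawled" listing are constructed sample data.

```python
"""Fingerprint-and-match monitoring in the spirit of the Matchlight description above.

Added illustration, not Terbium Labs' code: the article does not describe
their fingerprint scheme, so plain SHA-256 over a normalised token stands in
for it. The customer records and the "crawled" page text are constructed
sample data. Assumed division of labour: fingerprints are computed inside
the customer's network and only the digests are shared; the monitoring side
hashes every candidate token it crawls and looks for collisions.
"""
from __future__ import annotations

import hashlib
import re


def normalise(token: str) -> str:
    """Canonicalise a token so spacing/hyphenation differences do not defeat matching."""
    return re.sub(r"[\s\-]", "", token).lower()


def fingerprint(token: str) -> str:
    """Customer-side fingerprint; this digest is all that leaves the customer's systems."""
    return hashlib.sha256(normalise(token).encode("utf-8")).hexdigest()


def build_fingerprint_set(records: list[str]) -> dict[str, str]:
    """Map fingerprint -> opaque record id, so a hit can be traced back in-house."""
    return {fingerprint(r): f"rec-{i}" for i, r in enumerate(records)}


# Candidate tokens on a crawled page: 13-24 character card-number-like runs, or e-mail addresses.
TOKEN_RE = re.compile(r"[0-9][0-9 \-]{11,22}[0-9]|[\w.+-]+@[\w-]+\.[\w.-]+")


def scan_page(text: str, fingerprints: dict[str, str]) -> list[tuple[str, str]]:
    """Monitoring side: hash each candidate token and report (record id, fingerprint) hits."""
    hits = []
    for match in TOKEN_RE.finditer(text):
        digest = fingerprint(match.group(0))
        if digest in fingerprints:
            hits.append((fingerprints[digest], digest))
    return hits


if __name__ == "__main__":
    # Constructed customer data and a constructed "dark web listing".
    customer = build_fingerprint_set(["4111 1111 1111 1111", "alice@example.com"])
    listing = "fresh dump: 4111-1111-1111-1111 exp 12/19, alice@example.com:hunter2, bob@example.org"
    for rec_id, digest in scan_page(listing, customer):
        print(rec_id, digest[:16])   # rec-0 ..., then rec-1 ...
```

One design point worth noting: an unkeyed hash of a low-entropy value such as a 16-digit card number can be inverted by brute force by anyone holding the fingerprint set, so the digest store itself needs the same protection as the data it indexes; a keyed hash closes that gap only if the matching side is trusted with the key.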
  13. Tomi Engdahl says:

    Patrick McGreevy / Los Angeles Times:
    California Senate OKs requiring warrants to search smartphones, tablets
    http://www.latimes.com/local/political/la-me-pc-senate-warrants-search-smartphones-20150603-story.html

    The state Senate on Wednesday approved a bill that would require law enforcement in California to obtain a search warrant or wiretap order before searching a person’s smartphone, laptop or other electronic device or accessing information stored on remote servers.

    Reply
  14. Tomi Engdahl says:

    David Kravets / Ars Technica:
    Obama signs USA Freedom Act into law, surveillance measures of Patriot Act now resume

    Let the snooping resume: Senate revives Patriot Act surveillance measures
    Lawmakers approve a variation of the phone-records spy program Snowden revealed.
    http://arstechnica.com/tech-policy/2015/06/let-the-snooping-resume-senate-revives-patriot-surveillance-measures/

    The Senate on Tuesday revived three surveillance provisions of the Patriot Act that had expired early Monday because of Senate discord.

    The legislation, the USA Freedom Act, was approved two weeks ago in the House. President Barack Obama signed the Senate-House package later in the day.

    Here is a look at the three renewed provisions:

    The “business records” section enabled the NSA’s bulk telephone metadata program. It grants the government powers to seize most any record, even banking and phone records, by getting a warrant from the Foreign Intelligence Surveillance Act (FISA) Court. The nation’s spies must assert that the records are “relevant” to a terrorism investigation to get the warrant from the secret court.

    Under the new legislation, however, the bulk phone metadata stays with the telecoms and is removed from the hands of the NSA. It can still be accessed with the FISA Court’s blessing as long as the government asserts that it has a reasonable suspicion that the phone data of a target is relevant to a terror investigation and that at least one party to the call is overseas.

    The second provision revived Tuesday concerns roving wiretaps. Spies may tap a terror suspect’s communications without getting a renewed FISA Court warrant, even as a suspect jumps from one device to the next. The FISA Court need not be told who is being targeted when issuing a warrant.

    Reply
  15. Tomi Engdahl says:

    How CIOs can reduce shadow IT in government
    http://www.cio.com/article/2929782/it-management/how-cios-can-reduce-shadow-it-in-government.html

    A new study highlights rise of shadow IT, unauthorized applications in government agencies, arguing for greater involvement with the business lines of the enterprise and better understanding of users’ needs.

    If government CIOs want to bring IT out of the shadows, they need to start by understanding what kind of tools agency personnel need to do their jobs.

    That’s one of the chief takeaways from a new study looking at shadow IT in the government — those unauthorized applications and services that employees use without the permission of the CIO and the tech team.

    The new analysis, conducted by cloud security vendor Skyhigh Networks, identifies a startling number of applications in use in public-sector organizations. According to an analysis of log data tracking the activities of some 200,000 government workers in the United States and Canada, the average agency uses 742 cloud services, on the order of 10 to 20 times more than the IT department manages.

    “The first thing I would say is yes, it’s alarming, but it’s not unique. Some of these issues are what we see in the commercial sector, as well,”

    So the use of unauthorized applications, though a potentially severe security risk, often results simply from employees trying to do their work more efficiently, Gupta says, urging CIOs to connect with the business units of their enterprise to get a better sense of where the needs lie.

    By category, collaboration tools like Microsoft 365 or Gmail are the most commonly used cloud applications, according to Skyhigh’s analysis, with the average organization running 120 such services. Cloud-based software development services such as GitHub and SourceForge are a distant second, followed by content-sharing services. The average government employee runs 16.8 cloud services, according to the report.

    Lack of awareness creates Shadow IT problem

    One of the challenges is that not all storage or collaboration services are created equally, and users, without guidance from the CIO, might opt for an application that has comparatively lax security controls, claims ownership of users’ data, or one that might be hosted in a country that the government has placed trade sanctions on.

    “The problem is our employees are not aware of that and they just use the service that seems most appropriate,” Gupta says.

    “The mindset shift has to move from shadow IT being a real threat and a problem to shadow IT giving me insight,” Gupta says. “Rather than become the department of no, how do I become the department of yes?”

    Reply
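The study above draws its numbers from log data: which cloud services each user reaches, how many of those IT actually manages, and which categories dominate. The following is an added example of that analysis over web proxy logs; it is not Skyhigh Networks' code. The log line format ("<timestamp> <user> <destination host> <status>"), the service catalogue and the sanctioned list are all constructed assumptions.

```python
"""Shadow-IT discovery from web proxy logs, the kind of analysis the Skyhigh study describes.

Added example, not Skyhigh Networks' code. The log line format
("<timestamp> <user> <destination host> <status>"), the service catalogue
and the sanctioned list are all constructed assumptions; a real run would
read the proxy's own export and a maintained catalogue.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed catalogue: domain suffix -> (service name, category).
CATALOGUE = {
    "github.com": ("GitHub", "development"),
    "sourceforge.net": ("SourceForge", "development"),
    "mail.google.com": ("Gmail", "collaboration"),
    "outlook.office.com": ("Microsoft 365", "collaboration"),
    "dropbox.com": ("Dropbox", "content-sharing"),
    "wetransfer.com": ("WeTransfer", "content-sharing"),
}
# What the (hypothetical) IT department actually manages.
SANCTIONED = {"Microsoft 365", "GitHub"}


def classify_host(host: str) -> tuple[str, str] | None:
    """Longest-suffix match of a destination host against the catalogue."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):           # never match on the bare TLD
        entry = CATALOGUE.get(".".join(parts[i:]))
        if entry:
            return entry
    return None


def parse_line(line: str) -> tuple[str, str]:
    """Return (user, host) from one constructed proxy log line."""
    _ts, user, host, *_rest = line.split()
    return user, host


def shadow_it_report(lines) -> dict:
    """Per-user cloud service usage, the overall set, and which of it is unsanctioned."""
    by_user: dict[str, set[str]] = defaultdict(set)
    by_category: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        user, host = parse_line(line)
        entry = classify_host(host)
        if entry is None:
            continue                          # intranet or uncatalogued host
        name, category = entry
        by_user[user].add(name)
        by_category[category].add(name)
    services = set().union(*by_user.values()) if by_user else set()
    return {
        "services": sorted(services),
        "unsanctioned": sorted(services - SANCTIONED),
        "by_category": {c: sorted(s) for c, s in by_category.items()},
        "per_user": {u: sorted(s) for u, s in by_user.items()},
        "avg_per_user": sum(len(s) for s in by_user.values()) / len(by_user) if by_user else 0.0,
    }


# Constructed sample log: three users, one morning.
SAMPLE_LOG = """\
2015-06-01T09:12:03Z alice api.github.com 200
2015-06-01T09:13:10Z alice mail.google.com 200
2015-06-01T09:15:44Z bob outlook.office.com 200
2015-06-01T09:16:02Z bob www.dropbox.com 200
2015-06-01T09:20:31Z carol wetransfer.com 200
2015-06-01T09:21:07Z carol intranet.agency.example 200
"""

if __name__ == "__main__":
    report = shadow_it_report(SAMPLE_LOG.splitlines())
    print("in use:", report["services"])
    print("unsanctioned:", report["unsanctioned"])     # ['Dropbox', 'Gmail', 'WeTransfer']
    print("avg services per user:", round(report["avg_per_user"], 2))
```

The unsanctioned list is the starting point Gupta recommends: each entry is a need someone had that IT did not meet, so the follow-up is to find a managed equivalent rather than simply block the host.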
  16. Tomi Engdahl says:

    Google’s ATAP Wants To Eliminate Passwords For Good
    http://techcrunch.com/2015/05/29/googles-atap-wants-to-eliminate-passwords-for-good/?ncid=rss&cps=gravity_1730_-2358725272127200076#.7thvn3:5ATy

    ATAP, Google’s advanced research unit, showed a new project at the company’s I/O developer conference today that aims to replace mobile passwords with a new system that looks at your typing patterns and other signals as you go through the day.

    The idea here is to move the burden of PINs and passwords from the user to the device, which generates a continuous trust score as you go through the day to ensure that you’re indeed the person who is using it.

    To improve this, Google partnered with numerous universities

    If that’s true, then that’s a major achievement, indeed, and could soon replace existing security mechanisms. You’ll probably still want to use two-factor authentication when you log in to your bank’s mobile apps, though. All it would take to enable this is a software update, so ATAP hopes that it will be able to bring this system to millions of Android phones in the future.

    Reply
  17. Tomi Engdahl says:

    “Troldesh” – New Ransomware from Russia
    http://webcache.googleusercontent.com/search?q=cache:dTrZBfE0kTwJ:blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/+&cd=8&hl=en&ct=clnk&gl=fi

    “Troldesh”, aka Encoder.858 or Shade, is a Trojan and a crypto-ransomware variant created in Russia and spread all over the world.

    Troldesh is based on so-called encryptors that encrypt all of the user’s personal data and extort money to decrypt the files. Troldesh encrypts a user’s files with an “.xtbl” extension. Troldesh is spread initially via e-mail spam.

    A distinctive feature of the Troldesh attack is direct communication with the victim. While the most Ransom-Trojan attackers try to hide themselves and avoid any direct contact, Troldesh’s creators provide their victims with an e-mail address. The attackers use this email correspondence to demand a ransom and dictate a payment method.

    Reply
  18. Tomi Engdahl says:

    Russian hacker drives hard bargain with Troldash scam
    http://www.bbc.com/news/technology-32996008

    A security software firm has warned about a new strain of “ransomware” – while finding that even Russian hackers can be haggled down.

    Ransomware is software which locks you out of your files until a fee is paid to the criminals behind the attack.

    Checkpoint researcher Natalia Kolesova detailed information about Troldash, a newly-discovered strain.

    Once it infects a machine, Troldash provides an email address with which to contact the attackers.

    “Perhaps if I had continued bargaining, I could have gotten an even bigger discount,” Ms Kolesova concluded.

    Ransomware is a particularly vicious problem for many victims around the world. One strain, Cryptolocker, was said to have infected more than 250,000 computers worldwide.

    Another variant locked users out of their favourite games unless they paid a fee.

    The company did not pay the ransom – and recommended that up-to-date security software designed to protect against ransomware and other attacks was a better approach.

    Reply
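Both Troldesh items above give a defender one concrete observable: encrypted files gain an ".xtbl" extension, and they do so in bulk. The following is an added example of a sliding-window detector over file-system rename events; it is not Check Point's or the BBC's code. The event format ("<ISO timestamp> RENAME <old path> -> <new path>"), the 60-second window and the threshold of five renames are assumptions, and the events are constructed.

```python
"""Burst-rename detection for crypto-ransomware such as Troldesh (".xtbl" suffix).

Added example, not Check Point's or the BBC's code. Input is a constructed
list of file-system rename events in an assumed
"<ISO timestamp> RENAME <old path> -> <new path>" format; the 60-second
window and the threshold of five renames are assumptions to tune per site.
"""
from __future__ import annotations

from collections import deque
from datetime import datetime, timedelta

# Extensions the family discussed above appends to encrypted files.
RANSOM_EXTS = (".xtbl",)


def parse_event(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed event line into (timestamp, op, source, destination)."""
    ts, op, rest = line.split(" ", 2)
    src, _, dst = rest.partition(" -> ")
    return datetime.fromisoformat(ts), op, src, dst


def is_ransom_rename(src: str, dst: str) -> bool:
    """True when a file gains a ransomware extension it did not have before."""
    had = src.lower().endswith(RANSOM_EXTS)
    gets = dst.lower().endswith(RANSOM_EXTS)
    return gets and not had


def detect_bursts(lines, window: timedelta = timedelta(seconds=60),
                  threshold: int = 5) -> list[datetime]:
    """Sliding window over suspicious renames; record an alert time whenever
    `threshold` of them fall inside `window`."""
    recent: deque[datetime] = deque()
    alerts: list[datetime] = []
    for line in lines:
        if not line.strip():
            continue
        ts, op, src, dst = parse_event(line)
        if op != "RENAME" or not is_ransom_rename(src, dst):
            continue
        recent.append(ts)
        while ts - recent[0] > window:        # drop renames older than the window
            recent.popleft()
        if len(recent) == threshold:          # fire once as the threshold is crossed
            alerts.append(ts)
    return alerts


# Constructed events: one benign rename, then six encryptions in ten seconds.
SAMPLE_EVENTS = r"""
2015-06-01T10:00:00 RENAME C:\docs\draft.tmp -> C:\docs\draft.docx
2015-06-01T10:00:01 RENAME C:\docs\budget.xlsx -> C:\docs\budget.xlsx.xtbl
2015-06-01T10:00:02 RENAME C:\docs\notes.txt -> C:\docs\notes.txt.xtbl
2015-06-01T10:00:04 RENAME C:\docs\photo.jpg -> C:\docs\photo.jpg.xtbl
2015-06-01T10:00:06 RENAME C:\docs\report.pdf -> C:\docs\report.pdf.xtbl
2015-06-01T10:00:09 RENAME C:\docs\thesis.docx -> C:\docs\thesis.docx.xtbl
2015-06-01T10:00:10 RENAME C:\docs\plan.pptx -> C:\docs\plan.pptx.xtbl
""".splitlines()

if __name__ == "__main__":
    for when in detect_bursts(SAMPLE_EVENTS):
        print("possible ransomware activity at", when.isoformat())   # 2015-06-01T10:00:09
```

An extension list is the weakest possible signature (a new family changes it in a day), so in production the same window logic is usually fed by a broader signal such as a high rate of rewrites across many file types from one process; the window and threshold then need tuning against normal backup and sync activity, which also renames files in bulk.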
  19. Tomi Engdahl says:

    New York Times:
    NSA documents: Justice Department authorized expansion of NSA surveillance to enable search of US Internet traffic for evidence of hacking originating abroad — Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border — WASHINGTON — Without public notice or debate …

    Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border
    http://www.nytimes.com/2015/06/05/us/hunting-for-hackers-nsa-secretly-expands-internet-spying-at-us-border.html?_r=0

    Without public notice or debate, the Obama administration has expanded the National Security Agency‘s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking, according to classified N.S.A. documents.

    In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware, the documents show.

    The disclosures, based on documents provided by Edward J. Snowden

    Government officials defended the N.S.A.’s monitoring of suspected hackers as necessary to shield Americans from the increasingly aggressive activities of foreign governments. But critics say it raises difficult trade-offs that should be subject to public debate.

    The effort is the latest known expansion of the N.S.A.’s warrantless surveillance program, which allows the government to intercept Americans’ cross-border communications if the target is a foreigner abroad. While the N.S.A. has long searched for specific email addresses and phone numbers of foreign intelligence targets, the Obama administration three years ago started allowing the agency to search its communications streams for less-identifying Internet protocol addresses or strings of harmful computer code.

    Reply
  20. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    Facebook Messenger removes always-on location sharing feature, replaces it with one-time sharing via pin drop; head of product teases future location features — Facebook Messenger Ditches Constant Mapping To Lay Groundwork For More Location Features — Facebook is removing the confusing …

    Facebook Messenger Ditches Constant Mapping To Lay Groundwork For More Location Features
    http://techcrunch.com/2015/06/04/foursquessenger/

    Facebook is removing the confusing, slightly creepy always-on location sharing feature in Messenger for a more explicit, one-time way to share where you are or will be. Location will no longer be a “second class citizen”, Messenger Head Of Product Stan Chudnovsky tells me. Instead, Messenger has big plans for GPS features, saying “What we’re launching is the foundation of everything that’s coming.”

    For example, “You might want to make reservations. How are we all getting there? Maybe there’s a transportation service somehow” Chudnovsky hints.

    Reply
  21. Tomi Engdahl says:

    Hack exposes personal data of 4 million federal workers
    http://www.cnet.com/news/hack-exposes-personal-data-of-4-million-federal-workers/

    The FBI says it’s probing a data breach at the US agency responsible for conducting security clearance background checks.

    The FBI said it is investigating a hack of network security at the Office of Personnel Management. Federal officials suspect Chinese hackers are behind the data breach, according to The Wall Street Journal.

    “The FBI is working with our interagency partners to investigate this matter,”

    Investigators told the Journal that the hack, detected in April, is believed to be separate from an attack detected last year. The New York Times reported last year that Chinese hackers worked their way into US government servers in March 2014 in an attempt to steal information on thousands of federal employees with top-secret clearance.

    Computer hacking is a sore subject between the US and China. Both countries have publicly accused each other of breaking in to servers to steal information.

    The Office of Personnel Management is the federal government’s human resources department, responsible for conducting the majority of the government’s background checks for security clearances, among other responsibilities. The agency said it detected the intrusion in April and has since added additional security defenses to its network.

    “The intrusion predated the adoption of the tougher security controls,” the OPM said in a statement.

    Reply
  22. Tomi Engdahl says:

    Intel Security Scares Ransomware Script Kiddie Out of Business
    http://it.slashdot.org/story/15/06/04/2311205/intel-security-scares-ransomware-script-kiddie-out-of-business

    A criminal coder wrote a kit for ransomware that made it easy for others to encrypt victims’ hard drives and then extort money from them in order to get the decryption keys. But when Intel Security wrote about the kit — called Tox — the author got cold feet. Now he or she is trying to sell the whole business.

    Intel Security scares ransomware script kiddie out of business
    http://www.networkworld.com/article/2931814/security0/intel-security-scares-ransomware-script-kiddie-out-of-business.html

    Part criminal entrepreneur, part naïve coding enthusiast, maker of Tox ransomware kit calls it quits.

    Reply
  23. Tomi Engdahl says:

    Microsoft Lets EU Governments Inspect Source Code For Security Issues
    http://yro.slashdot.org/story/15/06/05/017229/microsoft-lets-eu-governments-inspect-source-code-for-security-issues

    Microsoft has agreed to let European governments review the source code of its products to assure that they don’t contain security backdoors, at a transparency center in Brussels. The second of its kind, the new center follows on the heels of the first built last June in Redmond, Washington. Part of Microsoft’s Government Security Program, the company hopes the centers will create trust with governments that want to use Microsoft products.

    Microsoft lets EU governments inspect source code for security issues
    http://www.itworld.com/article/2931215/security/microsoft-lets-eu-governments-inspect-source-code-for-security-issues.html

    At transparency center, Microsoft lets governments verify its products are safe to use

    The center will give governments the chance to review and assess the source code of Microsoft enterprise products and to access important security information about threats and vulnerabilities in a secure environment, said Matt Thomlinson, Vice President of Microsoft Security in a blog post. By opening the center, Microsoft wants to continue building trust with governments around the world, he added.

    “Today’s opening in Brussels will give governments in Europe, the Middle East and Africa a convenient location to experience our commitment to transparency and delivering products and services that are secure by principle and by design,” said Thomlinson.

    Reply
  24. Tomi Engdahl says:

    Governments of the World Agree: Encryption Must Die!
    http://yro.slashdot.org/story/15/06/04/2132246/governments-of-the-world-agree-encryption-must-die

    Finally! There’s something that apparently virtually all governments around the world can actually agree upon.

    Around the world, in testimony before national legislatures and in countless interviews with media, government officials and their surrogates are proclaiming the immediate need to ‘do something’ about encryption that law enforcement and other government agencies can’t read on demand.

    Apropos: This IT World story (and the New York Times piece it draws from — also published today) about a newly disclosed NSA program

    June 04, 2015
    Governments of the World Agree: Encryption Must Die!
    http://lauren.vortex.com/archive/001104.html

    If the drumbeat isn’t actually coordinated, it might as well be. Around the world, in testimony before national legislatures and in countless interviews with media, government officials and their surrogates are proclaiming the immediate need to “do something” about encryption that law enforcement and other government agencies can’t read on demand.

    That argument is a direct corollary to governments’ decidedly mixed feelings about social media on the Internet. On one hand, they’re ecstatic over the ability to monitor the public postings of criminal organizations like ISIL (or ISIS, or Islamic State, or Daesh — just different labels for the same fanatical lunatics) that sprung forth from the disastrously misguided policies of Bush 1 and Bush 2 era right-wing neocons — who not only set the stage for the resurrection of long-suppressed religious rivalries, but ultimately provided them with billions of dollars worth of U.S. weaponry as well. Great job there, guys.

    Since it’s also the typical role of governments to conflate and confuse issues whenever possible for political advantage, when we dig deeper into their views on social media and encryption we really go down the rabbit hole.

    In particular, it’s the ability of radical nutcases overseas to recruit ignorant (especially so-called “lone wolf”) nutcases in other countries that is said to be of especial concern, notably when these communications suddenly “go dark” off the public threads and into private, securely encrypted channels.

    While governments generally seem to realize that stopping all crypto that they can’t access on demand is not practical, they also realize that the big social media platforms (of which I’ve named only a few) — where most users do most of their social communicating — are the obvious targets for legislative, political, and other pressures.

    And this is why we see governments subtly (and often, not so subtly) demonizing these firms as being uncooperative or somehow uncaring about fighting evil, about fighting crime, about fighting terrorism. How dare they — authorities repeat as a mantra — implement encryption systems that governments cannot access at the click of a mouse, or sometimes access at all under any conditions.

    Well, welcome to the 21st century, because the encryption genie isn’t going back into his bottle, no matter how hard you push.

    Strong crypto is critical to our communications, to our infrastructures, to our economies, and increasingly to many other aspects of our lives.

    Strong crypto is simply not possible — let’s say that once more with feeling — not possible, given key escrow or other government backdoors designed into these systems. There is no practical or even theoretically accepted means for including such mechanisms without fatally weakening the entire associated encryption ecosystem, and opening it up to all manner of unauthorized access via hacking and various subversions of the key escrow process.

    But governments just don’t seem willing to accept the science and reality of this, and keep pushing the key escrow meme. It’s like the old joke about the would-be astronaut who wanted to travel to the sun, and when reminded that he’d burn up, replied that it wasn’t a problem, because he’d go at night. Right.

    Notably, just as we had governments who ignored realistic advice and unleashed the monsters of religious fanatical terrorism, we now have many of the same governments on the cusp of trying to hobble, undermine, and decimate the strong encryption systems that are so very vital.

    Reply
  25. Tomi Engdahl says:

    In the exploit biz? FULL DISCLOSURE is your best friend, boffin says
    You don’t need no broker, you just need game (theory)
    http://www.theregister.co.uk/2015/06/05/in_the_exploit_biz_full_disclosure_is_your_best_friend_boffin_says/

    Security bod Alfonso De Gregorio says buyers and sellers in the cut-throat exploit marketplace should release their zero-days to the public if they are fleeced.

    The BeeWise founder says full disclosure of security vulnerabilities helps punish both buyers who fail to pay or on-sell zero-days, and sellers who break contracts and re-sell exclusive exploits to multiple parties.

    De Gregorio derives his conclusions from a series of game theories which he outlined at the AusCERT 2015 conference this week.

    “Zero-day markets can achieve cooperation even in absence of trusted-third parties,” De Gregorio says, referring to the current system of exploit brokers and vulnerability research firms like Vupen.

    “Buyers and sellers should consider punishing defection to promote cooperation by either closing alternative deals for the zero day or publishing the zero day in order to negate the value to the exploiter.

    “In order to place these recommendations on firmer scientific grounds experimental verification needs to be carried out.”

    Reply
  26. Tomi Engdahl says:

    Wikileaks publishes TiSA: A secret trade pact between US, Europe and others for big biz pals
    This one covers Western countries and telecoms, e-commerce, foreign workers
    http://www.theregister.co.uk/2015/06/04/wikileaks_publishes_tisa_trade_agreement/

    Fresh from offering $100,000 to anyone that leaks the still-secret parts of the Trans-Pacific Partnership (TPP), Wikileaks has published large chunks of the related Trade In Services Agreement (TiSA).

    TiSA is one of a triumvirate of trade treaties being negotiated across the world, except this one does not include the so-called BRICS countries (Brazil, Russia, India, China and South Africa).

    It does however include the US, European Union and 23 other countries (such as Australia, Canada, Israel, Mexico) that together represent more than two-thirds of the world’s trade. So it is a huge deal.

    Like the other two treaties, the Trans-Pacific Partnership (TPP) and the Transatlantic Trade and Investment Partnership (TTIP), this accord has been negotiated in secret, with governments going to extraordinary lengths to keep them so, and the overall upshot is to benefit multinational corporations.

    TiSA, as its name suggests, focuses on trade in services i.e. in professional services, e-commerce, delivery, air traffic and so on. It also, ironically, includes a section on transparency.

    Ok, so what’s in it?

    Wikileaks has published 17 documents, including drafts and annexes. The one of most interest for El Reg is likely to be the e-commerce annex, which includes:

    Article 2 covers “Movement of Information” or more accurately “Cross-Border Information Flows”.

    There is general agreement that countries should not be allowed to prevent a company from transferring information outside that country.

    No Party may prevent a service supplier of another Party from transferring, [accessing, processing or storing] information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business.

    More accurately, this text means that countries can’t make companies store information on their citizens in their country – an issue that has been in the forefront of people’s minds following the NSA revelations that showed the US government stores and searches such information all the time.

    Non-controversial elements

    Many parts of the treaty are good and useful.

    Article 3 is about Online Consumer Protection and basically just lays down the fact that people should have access to their own consumer protection agencies when purchasing goods or services online. It’s important and probably difficult to implement, but not controversial.

    Article 4 deals with Personal Information Protection and obliges countries to come up with ways of protecting their citizens’ personal information in law, publishing them and making those laws fit with international norms.

    Article 5 covers spam. It obliges countries to make it possible to stop spam and include such things as consumer consent, a way to punish companies that send spam and to work cooperatively with other countries to reduce or limit spam. The only people that won’t like this part are spammers.

    Article 7 is very short and covers interoperability. Basically it says that countries should make sure their systems for government services work online.

    Article 8 ensures open networks – basically letting the internet do its job. Citizens should be allowed to use services and applications online, connect to the internet, and be told if their ISP is restricting anything.

    Article 6 seems innocuous but may have a significant side-effect:

    1. No Party may require the transfer of, or access to, source code of software owned by a person of another Party, as a condition of providing services related to such software in its territory.
    2. For purposes of this Article, software subject to paragraph 1 is limited to mass-market software, and does not include software used for critical infrastructure.

    And lastly Article 9 is, like Article 2, about storing local data in a particular country.

    No Party may require a service supplier, as a condition for supplying a service or investing in its territory, to:
    (a) use computing facilities located in the Party’s territory;
    (b) use computer processing or storage services supplied from within the Party’s territory; or
    (c) otherwise store or process data in its territory.

    Nothing in here is as troubling as the stuff that is in the other two treaties – like giving corporations the ability to sue governments, or extending intellectual property rights far beyond what many will feel is reasonable.

    Reply
  27. Tomi Engdahl says:

    EU-US safe harbour talks are lingering just outside port, says US
    EU: Look, look, there’s a storm coming!
    http://www.theregister.co.uk/2015/06/05/eu_us_publicly_upbeat_on_progress_of_data_protection_talks_but_underlying_sticking_points_remain/

    In a visit to Brussels this week, US Under Secretary Catherine Novelli told reporters that an agreement on a revised Safe Harbor framework was just weeks away. But the European Commissioner responsible for data protection, Vera Jourova, said there were still obstacles to be overcome.

    The Safe Harbor agreement is a legally enforceable but voluntary code of conduct for US businesses that process European citizens’ data. The bilateral deal was reached in 2000 and is supposed to guarantee Europeans data privacy in line with the 1995 EU Data Protection Directive.

    Following the Snowden revelations last year many don’t believe it is worth the paper it’s printed on and the European Parliament has called for it to be suspended.

    Instead of suspension, however, the European Commission has sought to renegotiate certain aspects of it including getting judicial redress rights for European citizens equivalent to those enjoyed by Americans.

    “We have achieved solid commitments on the commercial aspects,” said Jourova, “However, work still needs to continue as far as national security exemptions are concerned. Discussions will continue.”

    Reply
  28. Tomi Engdahl says:

    Why should cyber security matter to me?

    If you own a website, chances are it contains some useful – and personal – information. Whether it be logins, usernames, passwords, emails, phone numbers, addresses, ids, pictures, anything, you should want to make sure that information is private. But is it always? The answer to that, no. Believe it or not, there are people who can find that information, and they target websites like yours, ones that may be vulnerable to attack. So why sit and wait? Make sure your Database Management System (DBMS) is secure.

    Here’s a list of things that hackers obtain if your website is vulnerable:

    Social Security numbers
    Credit card information
    Home addresses and/or street numbers
    First and last names
    Phone numbers
    Usernames and passwords
    and a whole lot more!

    Source: http://www.smithsontechnologies.com/

    Reply
  29. Tomi Engdahl says:

    This code can hack nearly every credit card machine in the country
    http://money.cnn.com/2015/04/29/technology/credit-card-machine-hack/index.html

    Get ready for a facepalm: 90% of credit card readers currently use the same password.

    The passcode, set by default on credit card machines since 1990, is easily found with a quick Google search and has been exposed for so long there’s no sense in trying to hide it. It’s either 166816 or Z66816, depending on the machine.

    With that, an attacker can gain complete control of a store’s credit card readers, potentially allowing them to hack into the machines and steal customers’ payment data (think the Target (TGT) and Home Depot (HD) hacks all over again). No wonder big retailers keep losing your credit card data to hackers. Security is a joke.

    This latest discovery comes from researchers at Trustwave, a cybersecurity firm.

    Trustwave examined the credit card terminals at more than 120 retailers nationwide.

    The vast majority of machines were made by Verifone (PAY). But the same issue is present for all major terminal makers, Trustwave said.

    A spokesman for Verifone said that a password alone isn’t enough to infect machines with malware. The company said, until now, it “has not witnessed any attacks on the security of its terminals based on default passwords.”

    Just in case, though, Verifone said retailers are “strongly advised to change the default password.” And nowadays, new Verifone devices come with a password that expires.

    Trustwave, which helps protect retailers from hackers, said that keeping credit card machines safe is low on a store’s list of priorities.

    “Companies spend more money choosing the color of the point-of-sale than securing it,” Henderson said.

    This problem reinforces the conclusion made in a recent Verizon cybersecurity report: that retailers get hacked because they’re lazy.

    Why was your credit card number stolen? Retailers are lazy.
    http://money.cnn.com/2015/03/11/technology/security/credit-card-hack/index.html?iid=EL

    Reply
  30. Tomi Engdahl says:

    Why was your credit card number stolen? Retailers are lazy.
    http://money.cnn.com/2015/03/11/technology/security/credit-card-hack/index.html?iid=EL

    Companies are losing your data to hackers because they get lazy about protecting it.

    If a shop wants to accept credit cards, it needs to abide by strict payment card industry (PCI) rules and pass a test. But a new Verizon cybersecurity report shows that companies act like high school students cramming for an exam.

    Companies will bulk up IT security just in time for their PCI inspection. But only 29% keep it up afterward, according to Verizon’s 2015 PCI compliance report.

    So, while businesses claim you’re safe because they’ve met credit card industry standards, your data isn’t as protected as it seems.

    “Officially they remain compliant, but only two or three weeks a year,”

    The holiday shopping season is the worst, he explained. Companies are supposed to watch for break-ins into their payment network, restrict employee access to sensitive data and make sure new machines are properly secured. All of these priorities take a backseat as retailers shift their entire focus to flashy new website features and the barrage of purchases, Simonetti said.

    The 2013 Target (TGT) hack, which hit 110 million customers, is one example. The company reportedly ignored cybersecurity alarms it had in place just in case of a hack.

    Companies routinely fail to patch systems for bugs, swap out old passwords and maintain an updated firewall that scans company Internet traffic.

    Why is this happening? It’s all about the tension between conducting smooth business and playing it safe. It’s easier for a company to sell products and please customers if the system is relaxed. But that opens up holes for criminal hackers to get in.

    Adding a new feature on the company website might create a pathway into the corporate network. Letting mid-level employees access customer data means that, if any of them open up a malware-laced email, all that data is as good as stolen.

    This problem applies to retailers, hospitals and any other company that lets you pay by credit card — anywhere. The Verizon report reviewed companies worldwide.

    Verizon also found some pretty lame excuses for the lax security.

    This kind of lazy behavior could backfire. Verizon found that insurance companies that offer cybersecurity policies are rejecting retailers’ claims “because they have failed to take adequate security measures,” the report said.

    Verizon 2015 PCI Compliance Report: Explore the link between PCI compliance and security.
    http://www.verizonenterprise.com/pcireport/2015/

    The scale of recent payment-data breaches makes it clear that many organizations’ security measures aren’t slowing attackers down. In this year’s PCI Compliance Report, we take a critical look at whether the problem is a result of current security standards or the way compliance is being approached, and what organizations can do to better manage the risk.

    Reply
  31. Tomi Engdahl says:

    The weapons pact threatening IT security research
    We speak to infosec experts worried by treaty changes
    http://www.theregister.co.uk/2015/06/06/whats_up_with_wassenaar/

    The US government has rewritten chunks of an obscure weapons trade pact between itself, Europe, Russia, and other nations – a pact that is now casting its shadow over today’s computer security tools.

    Dubbed the Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, the treaty limits who can buy the really nasty and secret stuff that makes tanks, planes and ships so effective in combat.

    Over the past decade, the agreement has been widened to include computer technology. The latest revision of the text, which is now up for discussion prior to approval, has people in the IT security industry severely worried.

    The US Commerce Department, via its Bureau of Industry and Security (BIS), is proposing a blanket ban on the export of:

    Software ‘specially designed’ or modified to avoid detection by ‘monitoring tools,’ or to defeat ‘protective countermeasures,’ of a computer or network-capable device, and performing any of the following:

    (a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

    Taken in its broadest sense, it may cover a multitude of legitimate software tools, including basic things like antivirus packages, that cannot be exported without a government-approved license, if that’s even possible.

    And by exported, we mean, downloaded anywhere outside its country of origin, or installed on a laptop and taken abroad.

    Security researchers are worried that the programming, debugging and reverse-engineering utilities they rely on will be export-controlled, preventing them from using the software unless a government grants them permission.

    So what exactly has happened to cause these changes?
    Good intentions backfire

    The primary reason given for the changes is to stop repressive regimes around the world from buying sophisticated software that can be used to spy on political opponents and others.

    This snoop-ware usually exploits security vulnerabilities in the targets’ computers to silently and secretly install itself. Companies like Gamma International and the Italian-based Hacking Team will sell surveillance software to almost all comers.

    The updated language tries to crack down on this trade of vulnerability-exploiting super-spyware; as a result, it puts a significant crimp in the sale and exchange of information about exploitable software security flaws.

    The market for zero-day vulnerabilities can be a lucrative one; the new language bans the sale of details of unpatched flaws to anyone other than one’s own government.

    “There is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities,”

    Kids today, eh

    “Security research is increasingly a young person’s game,” Katie Moussouris, chief policy officer for vulnerability disclosure specialists HackerOne, told El Reg.

    “The soldiers we are enlisting in the security fight are under draftable age. Setting up further hoops for them to jump through will drive people into underground markets.”

    But Moussouris said that the new rules were going too far, and said her fears were that the US government is heading into a fight while not understanding the core issues. Other researchers in the field share her concern.

    Reply
  32. Tomi Engdahl says:

    New Facebook Tag Scam Installs Fake Security Add-on, Bitdefender Warns
    http://www.hotforsecurity.com/blog/new-facebook-tag-scam-installs-fake-security-add-on-bitdefender-warns-11939.html

    Facebook tag scams have re-emerged, Bitdefender warns. Today’s scam starts with an attractive video capture posted on users’ Walls. Twenty of the victims’ Facebook friends are tagged in the post, so those who have not tweaked their privacy settings will be tagged without their consent.

    Once users click to see the video, they are redirected to a suspicious-looking URL which displays a spoofed Youtube page. If users click again to access the promised pornographic content, they are asked to download a Chrome browser plugin named mithv1.

    A quick search on Google’s official store shows the plugin is posing as an internet security extension designed to encrypt traffic and “unblock websites”.

    The ones who install it are prompted with a login window asking them to register or login using a username and password.

    After submitting these details, a webpage confirms the successful installation of the new “security” extension. It seems the scam is targeting only Windows or Mac OS X users running Chrome.

    Why are some add-ons a security hazard?

    The add-ons are propagating the scam to victims. Since they reside in the browser, these extensions can perform any actions on behalf of the user, such as reading and modifying the data on the websites the user accesses.

    Remember, don’t click anything that seems suspicious, take a careful look at the URLs! Hackers count on your curiosity to make you part of the scam. Stay safe!

    Reply
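The Bitdefender post says the browser extension can act as the user on every site they visit. The check below is an added example, not code from Bitdefender or from the extension it describes: it reads an extension’s manifest.json and flags the combination that grants that reach (a host pattern covering all sites plus an API that can read or rewrite traffic). The manifest is constructed for illustration; only the name “mithv1” comes from the post, and nothing else is taken from the real add-on.

```python
"""Added example: audit a Chrome extension manifest for the permissions that
let it read and modify data on every site the user visits.
SAMPLE_MANIFEST is constructed; it is not the real "mithv1" add-on's manifest.
"""
import json

# Host patterns that cover every site (standard Chrome match patterns).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that observe or rewrite traffic, session cookies or other tabs.
HIGH_RISK_APIS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                  "proxy", "nativeMessaging", "debugger", "management"}


def risky_permissions(manifest: dict) -> dict:
    """Return the broad host patterns and high-risk APIs the manifest asks for."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    # A content script injected into every page is as broad as <all_urls>.
    script_matches = set()
    for cs in manifest.get("content_scripts", []):
        script_matches.update(cs.get("matches", []))
    return {
        "broad_hosts": sorted((perms | script_matches) & BROAD_HOSTS),
        "high_risk_apis": sorted(perms & HIGH_RISK_APIS),
    }


def verdict(manifest: dict) -> str:
    """Summarise the reach: both broad hosts and a traffic API is the worst case."""
    r = risky_permissions(manifest)
    if r["broad_hosts"] and r["high_risk_apis"]:
        return "HIGH: can read and modify data on every site the user visits"
    if r["broad_hosts"] or r["high_risk_apis"]:
        return "MEDIUM: review the requested reach"
    return "LOW"


# Constructed manifest in the style of a "traffic encrypting" add-on.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 2,
  "name": "mithv1",
  "description": "encrypt traffic and unblock websites",
  "permissions": ["<all_urls>", "webRequest", "webRequestBlocking",
                  "cookies", "storage"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
  "background": {"scripts": ["bg.js"]}
}
""")

if __name__ == "__main__":
    print(risky_permissions(SAMPLE_MANIFEST))
    print(verdict(SAMPLE_MANIFEST))
```

Run it against the unpacked extension directory’s manifest.json; a “security” add-on that wants `<all_urls>` together with `webRequest` and `cookies` has exactly the capability the post warns about, whatever its store listing says.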
  33. Tomi Engdahl says:

    Tesla Rewards Hackers With Bug Bounty
    http://it.slashdot.org/story/15/06/07/161246/tesla-rewards-hackers-with-bug-bounty

    Tesla Motors is offering up to $1,000 to anyone who uncovers security issues on its website. Forbes reports that the program is not yet available for its vehicles however.

    Using a security crowdsourcing company called Bugcrowd, researchers have found 22 bugs for Tesla so far.

    Tesla rewards hackers with bug bounty
    http://thestack.com/tesla-rewards-hackers-bug-bounty-050615

    Electric automaker Tesla has officially launched a bug hunting scheme, through which the company will reward hackers between $25 and $1,000 for finding security flaws in its website. A Forbes report explained that the programme is not yet available for its vehicles.

    Security experts have praised the company CEO Elon Musk for encouraging opportunities to work with the hacker community to benefit both parties. Although a rough bug bounty programme was already in place, the new initiative has been designed to follow more formal processes.

    Those contributing to the programme who identify any bugs can report them on tesla.com and should leave “reasonable time” for the company to deal with the flaw before making it public.

    The current prize offering at Tesla is shadowed by larger tech groups’ bounty, such as Google and Facebook who have offered rewards reaching up to $33,000.

    If a glitch is found in a Tesla vehicle, hackers are urged by the firm to report it at [email protected], but it has not mentioned if it will reward for the discovery of these bugs.

    Reply
  34. Tomi Engdahl says:

    Phony Tax Refunds: A Cash Cow for Everyone
    http://krebsonsecurity.com/2015/06/phony-tax-refunds-a-cash-cow-for-everyone/

    When identity thieves filed a phony $7,700 tax refund request in the name of Joe Garrett, Alabama’s deputy tax commissioner, they didn’t get all of the money they requested. A portion of the cash went to more than a half dozen U.S. companies that each grab a slice of the fraudulent refund, including banks, payment processing firms, tax preparation companies and e-commerce giants.

    When tax scammers file a fraudulent refund request, they usually take advantage of a process called a refund transfer. That allows the third party firm that helped prepare and process the return for filing (e.g. TurboTax) to get paid for their services by deducting the amount of their fee from the refund. Effectively, this lets identity thieves avoid paying a dime to TurboTax or other providers for processing the return.

    In Garrett’s case, as with no doubt countless other fraudulent returns filed this year, the thieves requested that the return be deposited into a prepaid debit card account, which they could then use as a regular debit card to pay for goods and services, and/or use at ATMs to withdraw the ill-gotten gains in cash.

    “There are so many people making money off of electronic transfer of funds, it’s ridiculous,”

    So, tax refund fraud is clearly lucrative for a great many companies. But how long before Congress or states turn this cash cow out to pasture?

    “This is a bit like regulatory whack-a-mole, and very difficult to track down who’s getting what,” she said. “This has been a driver of why it’s so lucrative; because it’s so easy for thieves to get the money off the card as soon as it hits the account.”

    States Seek Better Mousetrap to Stop Tax Refund Fraud
    http://krebsonsecurity.com/2015/06/states-seek-better-mousetrap-to-stop-tax-refund-fraud/

    With the 2014 tax filing season in the rearview mirror, state tax authorities are struggling to incorporate new approaches to identifying and stopping fraudulent tax refund requests, a $6 billion-a-year problem that’s hit many states particularly hard this year. But some states say they are encountering resistance to those efforts on nearly every front, from Uncle Sam to online tax vendors and from the myriad of financial firms that profit handsomely from processing phony tax refunds.

    Last week, the Internal Revenue Service (IRS) disclosed that thieves had stolen up to $50 million in phony refunds by pulling tax data on more than 100,000 Americans directly from the agency’s own Web site. The thieves were able to do this for the same reason that fraudsters are able to get away with filing and getting paid for bogus refunds: The IRS, the states and the tax preparation firms all try to authenticate filers based on static identifiers about the filer — such as birthdays and Social Security numbers, as well as answers to a handful of easily-guessed or researched “knowledge based-authentication” questions.

    So how will Alabama and other states process returns differently next year?

    “On a high level, what we’ve determined as of this week is that — unless the lobbyists derail our efforts – we’re going to ask for different authentication measures on a new customer, and different on a returning customer, and then we’re going to ask for a whole bunch of data elements that we’re not getting now that will allow us to filter the returns on receipt and will allow us to put the returns in various buckets of scores for possible fraud.”

    Reply
  35. Tomi Engdahl says:

    How I Learned to Stop Worrying and Embrace the Security Freeze
    http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

    In short, if you have already been victimized by identity theft (fraud involving existing credit or debit cards is not identity theft), it might be worth paying for these credit monitoring and repair services (although more than likely, you are already eligible for free coverage thanks to a recent breach at any one of dozens of companies that have lost your information over the past year). Otherwise, I’d strongly advise you to consider freezing your credit file at the major credit bureaus.

    There is shockingly little public knowledge or education about the benefits of a security freeze, also known as a “credit freeze.”

    Q: What is a security freeze?

    A: A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

    Q: What’s involved in freezing my credit file?

    A: Freezing your credit involves notifying each of the major credit bureaus that you wish to place a freeze on your credit file. This can usually be done online, but in a few cases you may need to contact one or more credit bureaus by phone or in writing. Once you complete the application process, each bureau will provide a unique personal identification number (PIN) that you can use to unfreeze or “thaw” your credit file in the event that you need to apply for new lines of credit sometime in the future.
    There are four consumer credit bureaus, including Equifax, Experian, Innovis and Trans Union.

    Q: How much is the fee, and how can I know whether I have to pay it?

    A: The fee ranges from $0 to $15 per bureau, meaning that it can cost upwards of $60 to place a freeze at all four credit bureaus (recommended).

    Q: I’ve heard about something called a fraud alert. What’s the difference between a security freeze and a fraud alert on my credit file?

    A: With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval — by phone or whatever other method you specify when you apply for the fraud alert. To place a fraud alert, merely contact one of the credit bureaus via phone or online.

    Q: Why would I pay for a security freeze when a fraud alert is free?

    A: Fraud alerts only last for 90 days, although you can renew them as often as you like. More importantly, while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they’re not legally required to do this.

    Reply
  36. Tomi Engdahl says:

    Sophia Tatum / CNN:
    US Army’s public website hacked, Syrian Electronic Army claims credit, no breach of Army data

    U.S. Army public website compromised
    http://edition.cnn.com/2015/06/08/politics/us-army-syrian-electronic-army-hacked/

    Washington (CNN) The Syrian Electronic Army is taking credit for hacking the U.S. Army’s public website.

    On Monday afternoon, the site was disabled after it displayed messages including, “YOU’VE BEEN HACKED” and “YOUR COMMANDERS ADMIT THEY ARE TRAINING THE PEOPLE THEY HAVE SENT YOU TO DIE FIGHTING,” according to NBC News.

    The U.S. Army confirmed to CNN the web page had been compromised.

    “Today an element of the Army.mil service provider’s content was compromised. After this came to our attention, the Army took appropriate preventive measures to ensure there was no breach of Army data by taking down the website temporarily,” spokesman Brig. Gen. Malcom B. Frost said in a statement.

    The Army’s website, Army.mil, does not contain any confidential information, but acts as an informational tool for the public.

    The Syrian Electronic Army is a pro-Assad regime group that has been associated with a number of additional cyber-attacks in the past.

    Reply
  37. Tomi Engdahl says:

    Brian Bennett / Los Angeles Times:
    FBI wants data access to encrypting or data-destroying instant messaging apps like WhatsApp, Kik, Wickr, and Surespot that could be used by terrorists

    With Islamic State using instant messaging apps, FBI seeks access to data
    http://www.latimes.com/world/middleeast/la-fg-terror-messaging-20150608-story.html#page=1

    Islamic State militants and their followers have discovered an unnerving new communications and recruiting tool that has stymied U.S. counter-terrorism agencies: instant messaging apps on smartphones that encrypt the texts or destroy them almost immediately.

    In many cases, U.S. intelligence and law enforcement agencies can’t read the messages in real time, or even later with a court order, because the phone companies and the app developers say they can’t unlock the coded text and don’t retain a record of the exchanges.

    “We’re past going dark in certain instances,” said Michael B. Steinbach, the FBI’s top counter-terrorism official. “We are dark.”

    The hole in U.S. surveillance capabilities was not mentioned during the recent congressional battle over the National Security Agency’s bulk collection of U.S. landline and cellphone data. Lawmakers ultimately agreed to scale back that program because of concerns it violated Americans’ privacy.

    The FBI estimates that 200,000 people around the world see increasingly sophisticated “terrorist messaging” each day from Islamic State zealots via direct appeals, videos, instruction manuals and other material posted on militant Islamist social media sites.

    The group’s recruiters then troll Twitter, Facebook and other sites to see who is re-posting their messages and invite them to text directly on encrypted or data-destroying apps. That’s where FBI agents fear they will miss crucial clues about potential plots.

    The issue has created another tense standoff between national security officials and social media companies reluctant to change their software and provide more access to law enforcement and intelligence agencies.

    In a June 1 speech, Tim Cook, chief executive at Apple, fiercely defended his company’s decision to encrypt the content of Facetime and iMessage communications. He took aim at government officials who have asked Apple and other companies to create a backdoor key to encrypted messages.

    “Let me be crystal clear,” Cook said. “Weakening encryption or taking it away harms good people that are using it for the right reasons. And ultimately, I believe it has a chilling effect on our 1st Amendment rights and undermines our country’s founding principles.”

    Cook spoke through a remote video feed at the annual awards dinner for the Electronic Privacy Information Center, a watchdog group based in Washington.

    Public demand for apps that guarantee security and anonymity is growing, in part in response to leaks by Edward Snowden, the former NSA contractor who disclosed the government’s bulk collection of emails, phone records and other communications.

    Secure apps are popular with business executives concerned about the threat of corporate espionage, human rights activists operating in authoritarian countries, and teenagers simply seeking to evade their parents.

    “The text of Kik conversations is ONLY stored on the phones of Kik users involved in the conversation. Kik doesn’t see or store chat message text in our systems, and we don’t ever have access to this information.”

    Those features can frustrate law enforcement and intelligence authorities trying to track suspected terrorists and spies.

    And in at least one recent case, a social media post exposed an Islamic State target to U.S. warplanes.

    Air Force analysts at Hurlburt Field, Fla., recently helped obliterate a command center in Syria after a militant revealed enough information online to give away his position.

    “So they do some work. Long story short, about 22 hours later through that very building, three ['smart' bombs] take that entire building out. Through social media. It was a post on social media. Bombs on target in 22 hours,” he said.

    Last fall, Islamic State leaders issued an order that forbids fighters to photograph attacks and locations without permission from the group’s general council. The group also distributed a guide to removing geo-location and metadata from cellphone images.

    Reply
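The article closes with the group circulating a guide to removing geolocation and metadata from phone images. What that comes down to is the JPEG’s Exif segment, which carries a GPS IFD with latitude and longitude. The code below is an added example, not from the article or any of the parties it describes: a stdlib-only parser that walks the JPEG segments, follows the GPS IFD pointer and returns the coordinates, and a stripper that rewrites the file without the Exif segment. The sample JPEG and its coordinates are constructed in memory so it runs offline.

```python
"""Added example: find GPS coordinates in a JPEG's Exif block and strip that
block.  Stdlib only; SAMPLE_JPEG is constructed, not a real photo.
"""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS IFD
GPS_TAGS = {0x0001: "lat_ref", 0x0002: "lat", 0x0003: "lon_ref", 0x0004: "lon"}


def _ifd_entries(tiff, fmt, offset):
    """Yield (tag, type, count, raw 4-byte value/offset field) for one IFD."""
    (n,) = struct.unpack_from(fmt + "H", tiff, offset)
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(fmt + "HHI", tiff, pos)
        yield tag, typ, count, tiff[pos + 8:pos + 12]


def _dms_to_degrees(tiff, fmt, offset):
    """Three RATIONALs (deg, min, sec) at offset -> decimal degrees."""
    v = struct.unpack_from(fmt + "6I", tiff, offset)
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def _segments(jpeg):
    """Yield (marker, start, end) per JPEG segment up to SOS/EOI, then the
    remainder (entropy-coded data and EOI) with marker None."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    yield None, pos, len(jpeg)


def gps_coordinates(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if no GPS IFD."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        fmt = "<" if tiff[:2] == b"II" else ">"          # TIFF byte order
        (ifd0,) = struct.unpack_from(fmt + "I", tiff, 4)
        for tag, _t, _c, raw in _ifd_entries(tiff, fmt, ifd0):
            if tag != TAG_GPS_IFD:
                continue
            (gps_ifd,) = struct.unpack(fmt + "I", raw)
            found = {}
            for gtag, gtyp, gcount, graw in _ifd_entries(tiff, fmt, gps_ifd):
                name = GPS_TAGS.get(gtag)
                if name and gtyp == 2:                       # ASCII ref, inline
                    found[name] = graw.rstrip(b"\x00").decode("ascii")
                elif name and gtyp == 5 and gcount == 3:     # RATIONAL x3
                    (off,) = struct.unpack(fmt + "I", graw)
                    found[name] = _dms_to_degrees(tiff, fmt, off)
            if "lat" in found and "lon" in found:
                lat = -found["lat"] if found.get("lat_ref") == "S" else found["lat"]
                lon = -found["lon"] if found.get("lon_ref") == "W" else found["lon"]
                return lat, lon
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment(s); image data untouched."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            continue
        out += jpeg[start:end]
    return bytes(out)


def _build_sample():
    """Constructed JPEG: SOI, Exif APP1 with GPS 51d30'N 0d7'30"E, COM, EOI."""
    f = "<"                                   # little-endian TIFF ("II")
    ifd0, gps, rat = 8, 26, 80                # offsets inside the TIFF block
    t = b"II" + struct.pack(f + "HI", 42, ifd0)
    t += struct.pack(f + "H", 1) + struct.pack(f + "HHII", TAG_GPS_IFD, 4, 1, gps)
    t += struct.pack(f + "I", 0)
    t += struct.pack(f + "H", 4)
    t += struct.pack(f + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
    t += struct.pack(f + "HHII", 0x0002, 5, 3, rat)
    t += struct.pack(f + "HHI", 0x0003, 2, 2) + b"E\x00\x00\x00"
    t += struct.pack(f + "HHII", 0x0004, 5, 3, rat + 24)
    t += struct.pack(f + "I", 0)
    assert len(t) == rat
    t += struct.pack(f + "6I", 51, 1, 30, 1, 0, 1)       # latitude d/m/s
    t += struct.pack(f + "6I", 0, 1, 7, 1, 30, 1)        # longitude d/m/s
    app1, com = EXIF_HEADER + t, b"constructed sample"
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com + b"\xff\xd9")


SAMPLE_JPEG = _build_sample()
```

`gps_coordinates(SAMPLE_JPEG)` returns the embedded position and `gps_coordinates(strip_exif(SAMPLE_JPEG))` returns None. Dropping the whole APP1 segment is the safe choice: editing individual GPS tags in place leaves the rest of the Exif block (camera serial, timestamps, thumbnail) intact, and the thumbnail can itself carry a copy of the original image. Files with several APP1 segments, or XMP metadata in a separate APP1, need the same treatment per segment.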
  38. Tomi Engdahl says:

    Todd Bishop / GeekWire:
    Amazon wants to be your SSL certificate provider, applies to be a root Certificate Authority
    http://www.geekwire.com/2015/amazon-wants-to-be-your-ssl-certificate-provider-applies-to-be-a-root-certifcate-authority/

    Amazon Web Services continues to extend its reach into IT products, applying today to Mozilla and the Android Open Source Project to become a root Certificate Authority, also known as a CA. The move will allow Amazon to sell Secure Sockets Layer (SSL) certificates to developers looking to encrypt their website or application traffic.

    By becoming a root CA, Amazon can sell SSL certificates that are automatically trusted by common web browsers and operating systems. SSL certificates are commonly used to encrypt web traffic on banking, e-commerce or other sites that contain sensitive data.

    Reply
  39. Tomi Engdahl says:

    Kim Zetter / Wired:
    Hospira hospital drug pump vulnerability lets hacker remotely send fatal dose — Hacker Can Send Fatal Dose to Hospital Drug Pumps — When security researcher Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker …

    Hacker Can Send Fatal Dose to Hospital Drug Pumps
    http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/

    When security researcher Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern.

    Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn’t issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself.

    Now Rios says he’s found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient.

    The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira—an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.

    These are the systems that Rios knows are vulnerable because he’s tested them.

    This one involved drug libraries used with the pumps, which help set upper and lower boundaries for dosages of intravenous drugs a pump can safely administer. Because the libraries don’t require authentication, Rios found that anyone on the hospital’s network—including patients in the hospital or a hacker accessing the pumps over the Internet—can load a new drug library that alters the limits for a drug.

    The problem lies with a communication module in the LifeCare and Plum A+ pumps. Hospitals use the communication modules to update the libraries on the pumps. But the communication modules are connected via a serial cable to a circuit board in the pumps, which contains the firmware. Hospira uses this serial connection to remotely access the firmware and update it. But hackers can use it for the same purpose.

    “And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios says.

    A hacker could not only change the dosage of drugs delivered to a patient but also alter the pump’s display screen to indicate a safe dosage was being delivered.

    Hospira Denied Problem With Pumps

    Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company “didn’t believe it could be done.” Hospira insisted there was “separation” between the communications module and the circuit board that would make this impossible. Rios says technically there is physical separation between the two. But the serial cable provides a bridge to jump from one to the other.

    “From an architecture standpoint, it looks like these two modules are separated,” he says. “But when you open the device up, you can see they’re actually connected with a serial cable, and they’re connected in a way that you can actually change the core software on the pump.”

    An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns.

    He plans to demonstrate a proof-of-concept attack next month at the SummerCon security conference in Brooklyn, New York.

    Rios contacted the FDA last week to tell the agency that the vulnerability extended to Hospira’s Plum A+ line as well, but he says the federal agency asked him to withhold the finding from the public until Hospira had time to verify the issue. But Rios declined, saying Hospira had already had a year to test the Plum A+ pumps and determine if the problem extended to them, but had declined to do so. He said hospitals needed to know now that the pumps are putting patients at risk.

    The FDA did not respond to a request for comment.

    Rios is planning to obtain models from Hospira’s Sapphire line of pumps as well to prove that they’re equally vulnerable to the issue.

    Reply
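The article’s first finding is that the drug libraries, which set the dose limits the pump enforces, can be loaded by anyone on the network because the update path has no authentication. The model below is an added example, not Hospira’s code or protocol: a toy pump whose `program()` check is only as good as the library it holds, first with the unauthenticated update path and then with a keyed MAC over the library that must verify before it is applied. Drug names, limits, the key and the MAC scheme are all constructed for illustration.

```python
"""Added example, not Hospira's code: why an unauthenticated drug-library
update defeats the dose limits, and the check that closes that path.
Library contents, limits and the key are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed hospital drug library: hard upper limit per drug, in mg/h.
HOSPITAL_LIBRARY = {"morphine": 10.0, "heparin": 1500.0}


class Pump:
    """Toy pump: the only safety check is the limit in its current library."""

    def __init__(self, library):
        self.library = dict(library)

    def load_library(self, blob: bytes):
        """Vulnerable path: any host that can reach the pump pushes new limits."""
        self.library = json.loads(blob)

    def program(self, drug: str, rate: float) -> bool:
        """Accept a rate only if it is within the library limit for that drug."""
        return rate <= self.library.get(drug, 0.0)


def sign_library(key: bytes, blob: bytes) -> bytes:
    """Keyed MAC the library server attaches to an update (constructed scheme)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


class HardenedPump(Pump):
    """Same pump, but a library is applied only if its MAC verifies."""

    def __init__(self, library, key: bytes):
        super().__init__(library)
        self.key = key          # shared with the hospital's library server only

    def load_library(self, blob: bytes, tag: bytes):
        if not hmac.compare_digest(sign_library(self.key, blob), tag):
            raise PermissionError("library rejected: bad MAC")
        super().load_library(blob)


def attacker_library() -> bytes:
    """What the open path lets anyone push: every limit raised 100x."""
    return json.dumps({d: v * 100 for d, v in HOSPITAL_LIBRARY.items()}).encode()


def demo():
    """Returns (accepted before, accepted after, update rejected, accepted hardened)."""
    lethal = 500.0   # mg/h of morphine, far above the 10 mg/h library limit
    weak = Pump(HOSPITAL_LIBRARY)
    before = weak.program("morphine", lethal)          # False: limit holds
    weak.load_library(attacker_library())              # no credential needed
    after = weak.program("morphine", lethal)           # True: limit gone

    hard = HardenedPump(HOSPITAL_LIBRARY, key=b"constructed-demo-key")
    try:
        hard.load_library(attacker_library(), tag=b"\x00" * 32)
        rejected = False
    except PermissionError:
        rejected = True
    return before, after, rejected, hard.program("morphine", lethal)


if __name__ == "__main__":
    print(demo())
```

The MAC only closes the library path. The second finding in the article, the serial cable from the communication module to the board holding the firmware, bypasses it entirely: once the firmware is replaced, the limit check itself and the display are attacker-controlled, so the same discipline (signed, verified updates and an authenticated management interface) has to cover the firmware and the communication module as well.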
  40. Tomi Engdahl says:

    Hard Drive Rootkit Is Frighteningly Persistent
    http://hackaday.com/2015/06/08/hard-drive-rootkit-is-frighteningly-persistent/

    There are a lot of malware programs in the wild today, but luckily we have methods of detecting and removing them. Antivirus is an old standby, and if that fails you can always just reformat the hard drive and wipe it clean. That is unless the malware installs itself in your hard drive firmware. [MalwareTech] has written his own frightening proof of concept malware that does exactly this.

    The core firmware rootkit needs to be very small in order to fit in the limited memory space on the hard drive’s memory chips. It’s only a few KB in size, but that doesn’t stop it from packing a punch. The rootkit can intercept any IO to and from the disk or the disk’s firmware. It uses this to its advantage by modifying data being sent back to the host computer. When the computer requests data from a sector on the disk, that data is first loaded into the disk’s cache. The firmware can modify the data sitting in the cache before notifying the host computer that the data is ready. This allows the firmware to trick the host system into executing arbitrary code.

    [MalwareTech] uses this ability to load his own custom Windows XP bootkit called TinyXPB. All of this software is small enough to fit on the hard drive’s firmware. This means that traditional antivirus cannot detect its presence.

    MalwareTech SBK – A Bootkit Capable of Surviving Reformat
    http://www.malwaretech.com/2015/06/hard-disk-firmware-rootkit-surviving.html

    MalwareTech SBK
    (Superpersistent Bootkit)
    http://malwaretech.net/MTSBK.pdf

    Sector Spoofing Example – Youtube
    https://www.youtube.com/watch?v=0gc-VF6bi3g

    An example showing that the MBR can be spoofed from the firmware by overwriting sectors in the disk’s cache.

  41. Tomi Engdahl says:

    Three Reasons Mobile DDoS Never Materialized
    http://www.securityweek.com/three-reasons-mobile-ddos-never-materialized

    In my previous SecurityWeek column “Where is the Android DDoS Armageddon,” I looked at the reports that showed that mobile DDoS just isn’t a thing. Malicious mobile malware (say that three times fast with a cracker in your mouth) is barely a thing, either, once annoyance adware is removed.

    But why aren’t the one billion Android mobile handsets being leveraged as attack clients? I

    “For my own experience in DDoS, I’d say the real reason there isn’t a huge number of infections is that mobile phones are used to run apps as opposed to desktops running browsers. Browsers are exposed to many, many more sites that can infect them. Even if you just go to one site, their rotating ad network can infect you.

    On the other hand, most apps are direct from client to the server with a much higher monetization value on mobile users; therefore you have less shenanigans in mobile ad infections.”

    This makes sense when you think about it. When I load my United Airlines application on my iPhone, it is only contacting United Airlines services. The exposure is limited.

    Ken also states that “[s]ince there’s no shortage of Desktop and WordPress-style server exploits with direct fiber links, there’s no need to build a bot of phones.”

    McHenry says that even users who do use their mobile browsers aren’t likely to get truly malicious malware because mobile browsers have been better sandboxed from the underlying operating system than their desktop counterparts.

    Lastly, data connections from mobile handsets nearly always go through the carrier providers’ mobile core network before they hit the Internet. These networks, while not bulletproof, are at least under the control of a single entity.

    So while we in the security industry had been busy getting our panties in a bunch about the coming Android DDoS explosion, it never materialized. DDoS continues to wax and wane in unpredictable cycles, but the ecosystem has evolved to keep it out of the mobile space.

  42. Tomi Engdahl says:

    Obama issues HTTPS-only order to US Federal sysadmins
    ‘Browsing should be private’ says NSA overlord
    http://www.theregister.co.uk/2015/06/09/obama_issues_https_only_memorandum_to_federal_sysadmins/

    Black Hat Barack has issued a Memorandum – an executive order in all but name, and an instrument the president has used more than any of his predecessors – to all Federal website sysadmins, informing them to deprecate HTTP and roll on with HTTPS.

    The HTTPS-Only Standard was proposed by the US’ Chief Information Officer Tony Scott, formerly of VMWare.

    Though the standard has been criticised by a database admin at NASA as a “top-down solution”, it has also been described as a “great first step” by the American Civil Liberties Union.

    The Memorandum [PDF] itself states that “all browsing activity should be considered private and sensitive”.

    https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

  43. Tomi Engdahl says:

    A Machine for Keeping Secrets?
    http://www.linuxjournal.com/content/machine-keeping-secrets

    Who Does Software Serve?

    I would like to posit a fundamental problem in our attitude toward computer security. For a long time we basically have assumed that computers are tools much like any other. Pocket calculators and supercomputer clusters all share the same von Neumann architecture (another artifact of WWII). But the truth is that the computer also has been, from its very first real implementation, a machine for keeping and seeking secrets. This history applies not just to the Enigma machines that the British subverted to help defeat the Nazis, but also to IBM’s Hollerith tabulators, used by the Nazis to identify Jews from census databases.

    This is why the general utility model of computing we now use is notoriously difficult to secure. At a conceptual level, all programs are assumed to be direct representatives of the user (or superuser). This is fundamentally a mistake, a conceptual error that cannot be repaired by any number of additional layers piled on top of the fundamental error: software serves its authors, not its users. Richard M. Stallman, of course, understands this clearly but focuses mainly on freeing the source code, giving technical users control of their software. But beyond the now-rusty saw of “with enough eyes, all bugs are shallow”, the security community as a whole has not gone back to basics and assigned the intentionality of software correctly: to its authors, rather than to its users. Once we admit that software works for those who wrote it, rather than the hapless ones running it, many of the problems of managing computer security get much clearer, if not easier! Furthermore, there is always the gremlin: discordia manifested as bugs. Software behaviors that no human intended are not only common, but ubiquitous. In these cases, software serves neither the user nor the author, but silently adds to the entropy of the universe all by itself.

    Imagine if all the people that wrote the software you use every day were made visible. If you run a fully-free computer, right down to the BIOS, you would generally expect to see a group of people who are fully on your side. But then there is the router, and the firmware in your mouse and your telephone’s baseband processor, and indeed the epic maze of software that powers the electrical grid to which your devices must connect, and so on. In truth, we do not like or trust many of the people writing the software on which our lives depend in so many ways. The fact that in the 21st century we still download and run programs that have arbitrary access to all of our personal files, data and often deep access to our operating systems is frankly madness. I’m not discussing sandboxing or virtual environments—these may be answers, but let us first clearly state the question: who does this machine serve?

    The machine serves the authors of the software, not the person choosing to run it. If you have recently handed over permissions you were not entirely happy with while installing software on an Android phone, you have felt a sense of “No, I do not want you to do that—that’s your desire, not mine!” Often we do not entirely trust those authors, their software or the hardware on which it runs. We literally cannot trust our possessions. Nobody wants to carry a snitch in their pocket, and yet we all do.

    In an ideal world, all of our systems (and perhaps not only technological ones) would obey the Principle of Least Privilege. Rather than granting large, abstract powers to code (or other systems) and trusting there to be no bugs, we could grant powers in a more narrow way.

  44. Tomi Engdahl says:

    Developer Draws Legal Threat For Exposing Indian Telco’s Net Neutrality Violation
    http://yro.slashdot.org/story/15/06/09/1328248/developer-draws-legal-threat-for-exposing-indian-telcos-net-neutrality-violation

    Indian broadband and cellular operator Airtel was discovered to be injecting third-party JavaScript files into web pages delivered over their wireless networks. A developer was viewing the source of his own blog and noticed the additional script when viewed on an Airtel connection. He traced the file back to Flash Networks, an Israel-based company, which specializes in “network monetization” and posted the source on GitHub.

    Israeli Firm Strong-Arms Indian Techie for Exposing Suspicious Code
    By Vasudevan Mukunth on 09/06/2015
    http://thewire.in/2015/06/09/israeli-firm-strong-arms-indian-techie-for-exposing-suspicious-code/

    A brief inspection revealed that the code comprised a few lines of JavaScript that loaded an asset like an advertisement on webpages that Thejesh was visiting. It was called Anchor.js.

    According to Vignesh Sundaresan, an Ottawa-based developer, JavaScript injection is a very clumsy technique to add extra functionality to certain programs. “It is often malicious when injected without notifying the user first,” he said. So, Thejesh uploaded the location and other details of the program to GitHub, a collaboration platform on the web for developers, to warn other users.

    On June 8, however, he received a cease-and-desist order issued by Flash Networks, Ltd., a company based out of Herzliya, Israel, via their attorneys in Mumbai.

    On June 9, the order was followed by a takedown notice

    However, since Thejesh did not intend commercial use of Anchor.js (nor did he expose code that wasn’t already confidential), it’s unclear how Flash’s copyright was infringed.

    … shall not constitute an infringement of copyright.

    More troublingly, the intent of Flash Networks signals that the ISP is violating net neutrality

    Sundaresan added that should such dubious instances of JavaScript injection be discovered in the Western world, the inserter could be sued for millions.

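Detecting the kind of in-transit script injection described in the comment above, as an added example that is not from the post or the articles it cites: a small Python check that compares the HTML a site's origin serves with the HTML a client actually received and reports every script the origin never sent. The sample pages and the injector hostname are constructed placeholders, not values from the report.

```python
"""Report <script> tags that appeared in a page between origin and client.

Added example, not from the original post or the cited articles. It assumes
the site owner holds a copy of the HTML exactly as the origin serves it and
can compare it with the HTML a client received over an untrusted network.
Both HTML samples below are constructed; the injector hostname is a placeholder.
"""
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script>: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of ("src", url) or ("inline", code)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf).strip()))


def extract_scripts(html):
    """Return the ordered list of scripts found in an HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(origin_html, observed_html):
    """Return scripts in the observed copy that the origin never sent."""
    expected = set(extract_scripts(origin_html))
    return [s for s in extract_scripts(observed_html) if s not in expected]


# Constructed sample: the page as the origin serves it ...
ORIGIN_HTML = """<html><head><title>blog</title>
<script src="/js/site.js"></script></head>
<body><p>hello</p><script>console.log("ok");</script></body></html>"""

# ... and the same page after a middlebox appended a third-party script
# (placeholder hostname; the real report named a different file and vendor).
OBSERVED_HTML = ORIGIN_HTML.replace(
    "</body>",
    '<script src="http://injector.example.invalid/anchor.js"></script></body>')

if __name__ == "__main__":
    for kind, value in injected_scripts(ORIGIN_HTML, OBSERVED_HTML):
        print(f"unexpected {kind} script: {value}")
```

Serving the page over HTTPS, as the federal memorandum in comment 42 mandates, removes the middlebox's ability to modify the response at all; this check is for spotting such modification where plain HTTP is still in use.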
  45. Tomi Engdahl says:

    Ask Slashdot: Should We Expect Attacks When Windows 2003 Support Ends?
    http://it.slashdot.org/story/15/06/09/1332207/ask-slashdot-should-we-expect-attacks-when-windows-2003-support-ends

    On July 14th 2015, Microsoft will stop supporting Windows 2003. If your company is anything like mine then they’re in a panic to update Windows 2003 systems that have been ignored for years. But what will happen to Windows 2003 systems still in use after the cut-off date? Company Security warns us that the world will end, but they said the same thing when Microsoft stopped supporting Windows XP — and yet we survived.

    Migration is worth it!
    Windows Server 2003 support is ending July 14, 2015
    http://www.microsoft.com/en-gb/server-cloud/products/windows-server-2003/

  46. Tomi Engdahl says:

    Adobe Flash malware jumps over 300 percent in first quarter of 2015
    McAfee report suggests that the holes aren’t being plugged fast enough
    http://www.theinquirer.net/inquirer/news/2412279/adobe-flash-malware-jumps-over-300-percent-in-first-quarter-of-2015

    MALWARE ATTACKS on the Adobe Flash platform rose by a horrifying 317 percent in the first quarter of 2015.

    the number of recorded Flash malware instances was almost 200,000 in Q1 2015, compared with 47,000 in Q4 2014.

    Google has already removed Flash from the Play Store, and introduced a new Flash-proofer to the desktop version of the browser last week.

    The current beta version, which is likely to go stable next month, means that the browser will detect non-essential Flash elements and offer a stop button for the animations to save system resources.

    Security company FireEye confirmed in April that Russian hacking group APT28 was responsible for a number of hacks involving Flash and Windows.

    YouTube finally moved over to HTML5 in January as its primary video renderer, kicking Flash to the kerb, while Apple banned older versions of Flash in February after the discovery of yet more zero-day vulnerabilities.

    Yet in spite of this, Microsoft has confirmed that the new Edge browser in Windows 10 will include native Flash provision

  47. Tomi Engdahl says:

    Is that a graphics driver on your shop’s register – or a RAM-slurping bank card thief?
    Keep your eyes peeled for malware on Oracle-powered tills
    http://www.theregister.co.uk/2015/06/09/malumpos_retail_malware/

    Crooks are infecting sales registers running Oracle-owned MICROS software with malware tailor-fitted to steal bank card information from the machines.

    MalumPoS scrapes sensitive data from the RAM inside the tills, which are used in places from shops and restaurants to hotels and bars. The software nasty can be easily modified to target other systems, Trend Micro warns.

    MICROS is used in 330,000 places worldwide although the bulk of the companies using this platform are concentrated in the United States. Aside from Oracle MICROS, MalumPoS also targets Oracle Forms and Shift4 systems.

    RAM scrapers like MalumPoS are designed to find credit card data in an infected system’s main memory. Every time the magnetic stripe of a credit card is swiped, the malware can locate and steal data such as the cardholder’s name and account number. This unencrypted data is subsequently siphoned off and used to make counterfeit credit or debit cards.

    Once installed on a compromised system, MalumPoS disguises itself as “the NVIDIA Display Driver.”

  48. Tomi Engdahl says:

    NSA slapdown prompts Privacy Int’l to file new lawsuit against GCHQ
    ‘Above the law’, spooks? Let’s test that, say campaigners
    http://www.theregister.co.uk/2015/06/09/privacy_international_files_suit_v_gchq/

    Privacy International has stepped up its battle against GCHQ, and yesterday filed an official legal challenge to the spy agency’s mass snooping on net users.

    Emboldened by new restrictions to the similar programme run by America’s National Security Agency (NSA), PI filed the complaint in the UK’s Investigatory Powers Tribunal.

    According to PI, the “bulk collection of phone records and harvesting of other databases, from millions of people who have no ties to terrorism, nor are suspected of any crime” must stop.

    PI said that GCHQ is starting to see itself as “above the law”.

  49. Tomi Engdahl says:

    Macroviruses are BACK and are the future of malware, says Microsoft
    It’s 2015 and half a million people will still click on stuff we knew was bad in the ’90s
    http://www.theregister.co.uk/2015/06/09/rip_horst_brandstatter_obit/

    Macro malware is making a comeback with one nineties nasty infecting half a million computers, Microsoft says.

    Macro viruses took a battering over the last decade after Redmond spent a decade boosting security in its Office suites to reduce the likelihood that users would execute malicious macros.

    “Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide,” Redmond’s malware boffins say.

    “The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.”

    The United Kingdom and the US each soak up about a quarter of the total infections, way above the 20,000 p0wned boxes each in France, Italy, and Germany, and blasting the paltry Aussie total of 14,000.

    Attackers do not appear to have reinvented wheels. Microsoft says they are using documents aimed to pique a victim’s interest such as purported sales invoices, tax payments, and courier notifications.

    The company says users should stick to its decade-old advice and avoid executing macros while system administrators can block older versions of Office from executing and ensure security things are up to date.

  50. Tomi Engdahl says:

    US Tech Companies Expected To Lose More Than $35 Billion Over NSA Spying
    http://yro.slashdot.org/story/15/06/09/1235221/us-tech-companies-expected-to-lose-more-than-35-billion-over-nsa-spying

    Citing significant sales hits taken by big American firms like Apple, Intel, Microsoft, Cisco, Salesforce, Qualcomm, IBM, and Hewlett-Packard, a new report says losses by U.S. tech companies as a result of NSA spying and Snowden’s whistleblowing “will likely far exceed” $35 billion

    U.S. tech companies expected to lose more than $35 billion due to NSA spying
    http://www.dailydot.com/politics/nsa-prism-fallout-35-billion-us-tech-firms/

    U.S. companies will likely lose more than $35 billion in foreign business as a result of the vast NSA-surveillance operations revealed by Edward Snowden, according to a new report from the Information Technology and Innovation Foundation (ITIF).

    “Foreign customers are shunning U.S. companies,” the report asserts, causing American businesses to lose out on foreign contracts and pushing other countries to create protectionist policies that block American businesses out of foreign markets.

    ITIF, a nonpartisan Washington, D.C.-based technology think tank founded by members of Congress, first estimated in 2013 that American losses as a result of the National Security Agency’s PRISM program, which centers on the collection of Internet communications from major American technology firms, would tally between $21.5 billion and $35 billion, with the U.S. cloud-computing industry bearing the brunt of the fallout.

    The actual losses “will likely far exceed $35 billion,” according to the ITIF report, because the entire American tech industry has performed worse than expected as a result of the Snowden leaks.

    The massive financial hit is likely one key reason leading major American tech firms, like Apple and Google, to not only include strong encryption in their smartphones, tablets, and services, but to also publicly oppose the outlawing of strong encryption by law-enforcement authorities like James Comey, director of the Federal Bureau of Investigation, and Manhattan District Attorney Cyrus Vance, Jr.

    Since the first Snowden leaks became public in 2013, foreign businesses and civilians around the world have repeatedly said in polls that American surveillance will cause them to abandon (or at least be extremely wary of) American tech products. U.S.-based companies, including Apple, Intel, Microsoft, Cisco, Salesforce, Qualcomm, IBM, and Hewlett-Packard, have reportedly suffered sales hits in Asia, Europe, and North America as a result of blowback against NSA spying.
