Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 will look easy compared to what year 2015 will bring. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, then there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity news following the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details from the NSA revelations to be published also in 2015. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced an IoT-based data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides just the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to app stores. Within the next year, advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
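As an added example (not from the original post) of what “aggregated and understood by others” means in practice, the script below merges indicators from two feeds and matches them against log lines. It assumes the JSON form of STIX 2.x indicators, handles only equality comparisons joined by OR, and uses constructed feeds, ids and log lines rather than real intelligence.

```python
"""Aggregate STIX-style indicators from several feeds and match them against logs.

Added example, not code from the original post. Assumes STIX 2.x JSON bundles
whose patterns are equality comparisons joined by OR; feeds, indicator ids and
log lines below are constructed samples, not real indicators.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One equality comparison inside a pattern, e.g. domain-name:value = 'x'
# or file:hashes.'SHA-256' = 'abc'. Object paths may contain quoted key names.
_COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.\-']+)\s*=\s*'([^']*)'")

# Observables we know how to pull out of free-form log lines, keyed by the
# STIX object type and path they correspond to. Hashes and IPs are checked
# before the looser domain regex.
_EXTRACTORS = [
    (("file", "hashes.SHA-256"), re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    (("ipv4-addr", "value"), re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    (("domain-name", "value"), re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

Index = Dict[Tuple[str, str], Dict[str, Set[str]]]

SAMPLE_HASH = "00112233445566778899aabbccddeeff" * 2  # constructed 64-hex value

# Constructed feed standing in for a security vendor; ids are placeholders.
VENDOR_FEED = json.dumps({"type": "bundle", "id": "bundle--vendor-sample", "objects": [
    {"type": "indicator", "id": "indicator--vendor-0001", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad.example.net']", "valid_from": "2015-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--vendor-0002", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '192.0.2.10' OR ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2015-01-01T00:00:00Z"},
    # AND requires both comparisons on one observed object; this matcher skips it.
    {"type": "indicator", "id": "indicator--vendor-0003", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.5' AND network-traffic:dst_port = 4444]",
     "valid_from": "2015-01-01T00:00:00Z"},
]})
# Constructed feed standing in for an open source community; overlaps the vendor feed.
COMMUNITY_FEED = json.dumps({"type": "bundle", "id": "bundle--community-sample", "objects": [
    {"type": "indicator", "id": "indicator--community-0001", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'BAD.example.net']", "valid_from": "2015-01-02T00:00:00Z"},
    {"type": "indicator", "id": "indicator--community-0002", "pattern_type": "stix",
     "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']", "valid_from": "2015-01-02T00:00:00Z"},
]})
# Constructed log lines from a proxy, a firewall and an endpoint agent.
LOG_LINES = [
    "2015-01-14T10:01:02Z proxy user=alice dst=bad.example.net status=200",
    "2015-01-14T10:02:15Z fw src=10.0.0.5 dst=198.51.100.7 action=allow",
    "2015-01-14T10:03:40Z proxy user=bob dst=www.example.org status=200",
    f"2015-01-14T10:04:09Z av host=ws-17 file=report.pdf sha256={SAMPLE_HASH.upper()}",
]


def index_indicators(bundles: List[str]) -> Tuple[Index, List[str]]:
    """Merge bundles into one index: (type, path) -> value -> indicator ids.

    Indicators using operators this matcher does not handle (AND, FOLLOWEDBY,
    comparisons other than '=') are reported back instead of being half-applied.
    """
    index: Index = defaultdict(lambda: defaultdict(set))
    unsupported: List[str] = []
    for text in bundles:
        for obj in json.loads(text).get("objects", []):
            if obj.get("type") != "indicator":
                continue
            pattern = obj["pattern"]
            if re.search(r"\b(AND|FOLLOWEDBY|LIKE|MATCHES)\b|[<>!]=?", pattern):
                unsupported.append(obj["id"])
                continue
            for stix_type, path, value in _COMPARISON.findall(pattern):
                # Normalise the quoted path and the value so feeds agree on spelling.
                index[(stix_type, path.replace("'", ""))][value.lower()].add(obj["id"])
    return index, unsupported


def match_logs(index: Index, lines: List[str]) -> List[Tuple[int, str, str, List[str]]]:
    """Return (line number, 'type:path', value, indicator ids) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for key, extractor in _EXTRACTORS:
            table = index.get(key)
            if not table:
                continue
            for token in sorted({m.group(0).lower() for m in extractor.finditer(line)}):
                if token in table:
                    hits.append((lineno, ":".join(key), token, sorted(table[token])))
    return hits


def run_demo():
    """Index both constructed feeds and scan the constructed log lines."""
    index, unsupported = index_indicators([VENDOR_FEED, COMMUNITY_FEED])
    return index, unsupported, match_logs(index, LOG_LINES)


if __name__ == "__main__":
    index, unsupported, hits = run_demo()
    print("skipped (unsupported pattern):", unsupported)
    for lineno, key, value, ids in hits:
        print(f"line {lineno}: {key}={value} matched {', '.join(ids)}")
```

The same domain published by both feeds collapses into one entry that credits both sources, which is the aggregation the post calls for; the AND pattern is reported as unsupported rather than silently matched on one half.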

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015, as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    Susie Cagle / Pacific Standard:
    Tech companies support free speech only when it doesn’t endanger their ability to make a profit

    Do Tech Companies Really Support Free Speech?
    http://www.psmag.com/navigation/nature-and-technology/tech-companies-really-support-free-speech-98116/

    Tech companies are companies first, and their politics shift to best serve their business. For platforms like Facebook and Google, “free speech” protection is only a central principle when and where it is convenient. And even when it does serve their profit models, it is arguably doing so at the expense of the modern press, the work of cartoonists and other image-makers, and the actual making of “free” speech online.

    Tech’s dedication to “free speech” is apparently a quite serendipitous phenomenon.

    EVEN WHEN THEY ARE not implicitly supporting assaults on free political speech, tech companies are “democratizing” speech in a way that builds wealth for themselves and strips it from creators. By its nature, the network dilutes authorship.

    Tech platforms seeking as much “free” and high-quality content as possible are now in some cases actually preventing the actual making of it. One magazine editor said he doesn’t publish many cartoons because “comics tend to get thrown on Imgur or another source and circulated without credit.”

    Modern technology is both useful and dangerous for visual artists.

  2. Tomi Engdahl says:

    Deborah Gage / Wall Street Journal:
    Ionic Security Raises $40 Million to Secure Data Against Cyberthieves … The cost of cybercrime in the U.S. is rising for companies in all industries, according to a study last year by the Ponemon Institute, and more companies are starting to assume they have been hacked, even if they don’t know for sure.

    Ionic Security Raises $40 Million to Secure Data Against Cyberthieves
    http://blogs.wsj.com/venturecapital/2015/01/13/ionic-security-raises-40-million-to-secure-data-against-cyberthieves/

    The cost of cybercrime in the U.S. is rising for companies in all industries, according to a study last year by the Ponemon Institute, and more companies are starting to assume they have been hacked, even if they don’t know for sure.

    Ionic Security Inc. raised another $40 million to help companies think that way, offering software that focuses on protecting a customer’s data rather than trying to play catch-up with an ever-changing stream of cyberthreats.

    “Imagine a bank robber broke into a vault and there was no money,” said founder and Chief Technology Officer Adam Ghetti. “Your money is in the vault of the bank next door, and he breaks into that vault, grabs the first $10,000 off the shelf and the money is gone, and all he has is red paint in his bag. We protect that actual asset—the data.”

    Although Mr. Ghetti declined to say exactly how the software works—the company is in stealth mode and expects to release a product this year—he said data is encrypted both in motion and at rest and is decrypted “for the right user at the right time in the right context,” a hard engineering challenge to solve.

    The company says it uses “massive-scale machine learning and streaming graph analytics” to eliminate the need for running data through security gateways, an approach used by some other security vendors.

    “The starting point for Ionic is to assume the company has been breached or will be shortly. All other solutions are still on the defense, trying to prevent the bad actors from getting in or information going out. The only way to do that is to start at the source, with data. The details are managed automatically,”

  3. Tomi Engdahl says:

    Washington Post:
    Obama proposes legislation to protect firms that share cyberthreat data with the government, criminalize sale of botnets and stolen financial info, more

    Obama to propose legislation to protect firms that share cyberthreat data
    http://www.washingtonpost.com/politics/obama-proposes-legislation-to-protect-consumer-data-student-privacy/2015/01/12/539c4a06-9a8f-11e4-bcfb-059ec7a93ddc_story.html

    President Obama plans to announce legislation Tuesday that would shield companies from lawsuits for sharing computer threat data with the government in an effort to prevent cyber­attacks.

    On the heels of a destructive attack at Sony Pictures Entertainment and major breaches at JPMorgan Chase and retail chains, Obama is intent on capitalizing on the heightened sense of urgency to improve the security of the nation’s networks, officials said.

    “He’s been doing everything he can within his executive authority to move the ball on this,” said a senior administration official

    The legislation is part of a broader package, to be sent to Capitol Hill on Tuesday, that includes measures to help protect consumers and students against ­cyberattacks and to give law enforcement greater authority to combat cybercrime.

    Some analysts questioned the need for such legislation, saying there are adequate measures in place to enable sharing between companies and the government and among companies.

    The proposal, which builds on a 2011 administration bill, grants liability protection to companies that provide indicators of cyberattacks and threats to the Department of Homeland Security.

    But in a provision likely to raise concerns from privacy advocates, the administration wants to require DHS to share that information “in as near real time as possible” with other government agencies that have a cybersecurity mission, the official said.

    Those include the National Security Agency, the Pentagon’s ­Cyber Command, the FBI and the Secret Service.

    “DHS needs to take an active lead role in ensuring that unnecessary personal information is not shared with intelligence authorities,”

    Efforts to pass information-sharing legislation have stalled in the past five years, blocked primarily by privacy concerns.

    The package also contains provisions that would allow prosecution for the sale of botnets or access to armies of compromised computers that can be used to spread malware, would criminalize the overseas sale of stolen U.S. credit card and bank account numbers, would expand federal law enforcement authority to deter the sale of spyware used to stalk people or commit identity theft, and would give courts the authority to shut down botnets being used for criminal activity, such as denial-of-service attacks.

    It would reaffirm that federal racketeering law applies to cybercrimes and amends the Computer Fraud and Abuse Act by ensuring that “insignificant conduct” does not fall within the scope of the statute.

  4. Tomi Engdahl says:

    Babar-ians at the Gate: Data Protection at Massive Scale
    https://www.blackhat.com/html/webcast/01222015-babar-ians-at-the-gate.html

    We are meant to measure and manage data with more precision than ever before. Now companies often are getting Hadoopy with little or no consideration of security. Are we taking on too much risk too fast?

    Better predictions and more intelligent decisions are expected, yet can we really trust systems that are secured the least? And do we really know why “learning” machines sometimes make amusing and even tragic mistakes? Infosec is in this game but with the fast pace of Big Data we risk being left on the sidelines. What can be done about emerging vulnerabilities and threats to Hadoop as it leaves many traditional data paradigms behind?

    The Realities of Securing Big Data
    http://www.amazon.com/The-Realities-Securing-Big-Data/dp/1118559215

    More data is collected, at a higher speed, in more formats than ever before. Traditional information security simply has been unable to keep up with this transformation, which presents IT managers with a difficult dilemma. On the one hand everyone from the smallest company to the largest government is beginning to make use of giant lakes of information. The value proposition is clear. On the other hand, more harm than benefit looms when considering many of the realities of big data security. Even without specific solutions there may be workarounds and compensating controls to consider. The Realities of Big Data helps IT leaders identify how and where to best protect Big Data environments from disclosure, disruption or loss.

    Organizations need to carefully manage risks to their data as more important decisions are based on it.

  5. Tomi Engdahl says:

    Russia blocks bitcoin websites over “shadow economy” fears
    https://gigaom.com/2015/01/13/russia-blocks-bitcoin-websites-as-potential-ban-looms/

    The Russian telecommunications regulator Roskomnadzor has blocked access to five bitcoin-related websites because the cryptocurrency “contributes to the growth of the shadow economy.”

    The sites include Bitcoin.org, a primary community resource for the cryptocurrency that’s run by the Bitcoin Foundation, the Bitcoin.it community wiki, the Russian-language BTCsec.com security site, the London-incorporated Indacoin exchange, and Russian bitcoin community site Coinspot.ru — although the same service’s Coinspot.io address is not blocked, according to Roskomnadzor’s handy site-block checker.

    Roskomnadzor has the power to order ISPs to restrict access to certain sites.

    Tuesday’s blockages stem from a court order dating back to September 30th last year, although they were only enforced today.

    Bitcoin’s legal status in Russia is actually quite complicated. The authorities there said last February that it would be illegal to use it as a money substitute, highlighting its potential for criminal use by money-launderers and terrorists.

  6. Tomi Engdahl says:

    Scott Rosenberg / Backchannel:
    How Bitcoin’s Blockchain Could Power an Alternate Internet — The code that secures Bitcoin could also power an alternate Internet. First, though, it has to work. … That is exactly how the Web looked back in 1994—right before it exploded. Two decades later, it’s beginning to feel like we might be at a similar liminal moment.

    There’s a blockchain for that!
    The code that secures Bitcoin could also power an alternate Internet. First, though, it has to work.
    https://medium.com/backchannel/how-bitcoins-blockchain-could-power-an-alternate-internet-bb501855af67

    There’s this hopelessly geeky new technology. It’s too hard to understand and use. How could it ever break the mass market? Yet developers are excited, venture capital is pouring in, and industry players are taking note. Something big might be happening.

    That is exactly how the Web looked back in 1994 — right before it exploded. Two decades later, it’s beginning to feel like we might be at a similar liminal moment. Our new contender for the Next Big Thing is the blockchain — the baffling yet alluring innovation that underlies the Bitcoin digital currency.

  7. Tomi Engdahl says:

    Dani Grant / Medium:
    On Macs, Apple’s two-factor authentication still doesn’t protect iMessage, iTunes, FaceTime, or the App Store — Why Two-Factor Authentication Isn’t Protecting Your iCloud Account — Users that turn on Two Factor Authentication (2FA) have the expectation that every access point …

    Why Two-Factor Authentication Isn’t Protecting Your Apple Account
    https://medium.com/@da/login-to-2fa-protected-apple-accounts-without-doing-2fa-7f62813c5fe1

  8. Tomi Engdahl says:

    Are you running a Telnet server on Windows? Oh thank God. THANK GOD
    Microsoft fixes Google’s 0-day Windows bug – plus six more. Adobe patches nine Flash flaws
    http://www.theregister.co.uk/2015/01/13/microsoft_fixes_googles_zeroday_windows_vulns_ndash_plus_six_more/

    It’s that time of the month again, when Microsoft scrambles to plaster over the latest crop of vulnerabilities in Windows and Internet Explorer.

    The first Patch Tuesday of 2015 brings eight security updates, one of which is rated Critical in severity, while the rest are rated Important.

    The Critical patch (MS15-002) addresses a vulnerability in the Telnet server component of Windows that can allow an attacker to execute code remotely by sending specially crafted packets to the Telnet port.

    Mind you, most Windows systems aren’t running the Telnet server. It comes installed but not enabled by default on Windows Server 2003. It also ships as an option for Windows Vista and later, but it must be explicitly installed via the “Turn Windows features on or off” control panel.

  9. Tomi Engdahl says:

    Google No Longer Provides Patches for WebView Jelly Bean and Prior
    https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior

    WebView is the core component used to render web pages on an Android device. It was replaced in Android KitKat (4.4) with a more recent Chromium-based version of WebView, used by the popular Chrome browser.

    Metasploit ships with 11 such exploits, thanks to Rafay, Joe, and the rest of the open source security community. Generally speaking, these exploits affect “only” Android 4.3 and prior — either native Android 4.3, or apps built with 4.3 WebView compatibility.

    “If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”

  10. Tomi Engdahl says:

    Patrick Howell O’Neill / The Daily Dot:
    Ross Ulbricht admits he created Silk Road, but says he’s not Dread Pirate Roberts
    http://www.dailydot.com/crime/ross-ulbricht-trial-silk-road-inventor-not-dpr/

    For the first time, Ross Ulbricht has admitted that he invented the Silk Road.

    Ulbricht’s defense, which entered a plea of not guilty to seven felony charges, claimed that he came up with the idea as “an economic experiment” beginning in 2009. Silk Road launched two years later.

    According to Ulbricht’s defense attorney, however, he gave the site up just months after it launched in 2011 and was not ultimately responsible for growing it into the largest illegal drug market to ever exist on the Internet.

    Dratel said, running the digital blackmarket, which operated for more than two years before the FBI shuttered it in late 2013, was “too stressful after a few months, and he handed off to others.”

    In Dratel’s version, Ulbricht was a “naive” idealist who was duped into rejoining the Silk Road team prior to the FBI bust.

  11. Tomi Engdahl says:

    DANGER: Is that ‘hot babe’ on Skype a sextortionist?
    Give me some money for my wrinkly, or your winky goes online
    http://www.theregister.co.uk/2015/01/14/skype_smut_pics_extortion_scam/

    North Yorkshire police have issued a general warning after three men in the York area fell victim to sextortionists.

    During the online chat session, she enticed each of them into performing an indecent act, which was recorded on video.

    She then proceeded to ask the men, who are all students, to send £3,000 via money transfer for her sick grandmother.

    “This scam is causing considerable distress to the victims and I urge anyone who uses any kind of social networking site to be very wary of what they are getting into.”

    As noted on Sophos’s Naked Security blog, sextortion is often under-reported due to a level of embarrassment that can lead to horrible consequences for some victims.

    Sextortion refers to sexual blackmail in which sexual information or images are used to extort sexual favours and/or money from the victim. It’s the stock-in-trade of organised crime groups operating out of the Philippines, in particular, say researchers.

    Groups are known to operate on an almost industrial scale from call centre-style offices, with cyber-blackmail agents provided with training and offered bonus incentives such as holidays, cash or mobile phones for reaching their financial targets, Interpol reports.

    Despite a number of international police busts, there’s no good reason to think the lucrative scam will die out any time soon.

    INTERPOL-coordinated operation strikes back at ‘sextortion’ networks
    http://www.interpol.int/News-and-media/News/2014/N2014-075

    Criminal network linked to Daniel Perry death disrupted in the Philippines

    An INTERPOL-coordinated operation targeting organized crime networks behind ‘sextortion’ cases around the world has resulted in the arrest of 58 individuals, including three men linked to the group which harassed Scottish teenager Daniel Perry.

    Perry, a 17-year-old victim of an online blackmail attempt, died after jumping off the Forth Road Bridge near Edinburgh in July last year.

  12. Tomi Engdahl says:

    FBI opens Malware Investigator portal to industry
    Agency trades malware samples for intel reports
    http://www.theregister.co.uk/2014/09/30/fbi_opens_malware_investigator_portal_to_industry/

    The Federal Bureau of Investigations has released a formerly in-house malware-analysing portal to help speed up incident responses and help industry and law enforcement with investigations.

    The G-men hope the Malware Investigator portal can let businesses build responses to new malware without such heavy reverse-engineering loads.

    Information crime unit chief Steve Pandelides said during the portal’s initial launch it would benefit the agency and the private sector.

    “After submission, the report can get turned around in a matter of minutes to a matter of hours,” Pandelides said.

    Windows malware submitted to the portal would be correlated against other submissions and the FBI’s intelligence to produce reports. It would be expanded to cater for other virus types.

  13. Tomi Engdahl says:

    Don’t use Charlie Hebdo to justify Big Brother data-slurp – Data protection MEP
    Plans to monitor all flight passengers should be ditched
    http://www.theregister.co.uk/2015/01/14/dont_use_charlie_hebdo_to_justify_your_orwellian_aims_says_data_protection_mep/

    The European Parliament’s data protection supremo says calls from national leaders to monitor all airline passengers are “playing into terrorists’ hands”.

    German MEP Jan Philipp Albrecht, who heads the Parliament’s overhaul of EU data protection laws, described the plans for mass storage of PNR (passenger name record) data as Orwellian.

    “EU home affairs ministers are demanding Big Brother measures entailing blanket data retention without justification,” he said. “This approach is a distraction from the actual measures needed to deal with security and terrorist threats and provides a false sense of security for citizens, at the expense of their civil liberties.”

    According to Albrecht, the scheme is actually illegal, as the European Court of Justice (ECJ) ruled last April that the mass storage of private data, without specific grounds or time limit, is contrary to the EU charter of fundamental rights.

    The EU already operates a PNR (Passenger Name Record) data-sharing scheme with the United States

    Albrecht says this is the wrong approach. “Far-reaching data collection in France would not have prevented the odious attacks in Paris. As with previous attacks, the perpetrators of the Paris attacks were already known to security authorities and had been the subject of investigations and supervision measures.”

    Reply
  14. Tomi Engdahl says:

    David Cameron: I’m off to the US to get my bro Barack to ban crypto – report
    Plans to pressure President for tighter surveillance controls, sources say
    http://www.theregister.co.uk/2015/01/15/cameron_wants_obama_to_back_crypto_ban/

    UK Prime Minister David Cameron is hoping to gain the support of US President Barack Obama in his campaign-year crusade to outlaw encrypted communications his spies can’t break, sources claim.

    As reported by the Wall Street Journal, the Conservative Cameron would like to see left-leaning Obama publicly criticize major US internet companies like Facebook and Google, many of which have made strong encryption the default on their online services.

    The President hasn’t taken a public position on the issue so far, but several prominent federal law enforcement officials have given internet firms lashings over their use of encryption tech, which they claim undermines national security interests.

    Last September, Federal Bureau of Investigation Director James Comey went as far as to describe encrypted communications as “something expressly to allow people to place themselves above the law.”

    According to the WSJ’s sources, Cameron plans to try to nudge Obama “in the direction of what the FBI has said about this.”

    Those talks will more than likely include discussions on how to avoid future network security breaches like the one that hammered Sony Pictures in December, but you can bet Cameron’s anti-encryption hobbyhorse will figure prominently, as well.

    Reply
  15. Tomi Engdahl says:

    Microsoft vs US.gov, Internet of Stuff, Big Data: Some of 2015′s legal cloudy issues
    Strolling through a data privacy minefield
    http://www.channelregister.co.uk/2015/01/15/frank_jennings_microsoft_us_govt_iot_big_data_2015_legal_cloudy_issues/

    Cloud, Big Data, the Internet of Things are among the hottest topics that vendors are driving in 2015, but there are five legal developments in each that are worth tracking.

    1. Microsoft and US government go to court

    Again, Microsoft is resisting attempts by the US government to get access to the user data it is holding outside the US. Microsoft has been storing user data geographically closer to said user, as this not only reduces lag (improving the user experience) but, in theory at least, reduces the ability of governments to get access to that data.

    2. Internet of Things will cause private concerns

    We are all used to making some form of compromise over access to information about our private lives as the cost of living in modern society. For example, we accept surveillance via proliferated CCTV, analysis of our spending habits via store loyalty cards, or the tracking of our movements and data on our smart phones. The Internet of Things expands this on a grand scale. Gartner forecasts there will be nearly five billion connected devices by the end of this year, and 25bn in 2020.

    IoT massively increases the opportunity for hackers to get access to our personal data. This prompted the Chair of the US Federal Trade Commission to air her concerns at CES 2015.

    3. Massive data security fines get closer

    Every month there seems to be another story of data leaks or hacking. Or both. Aside from damage to reputation, it is sometimes cheaper for a business to suffer a data breach than to introduce properly secure systems. But with new, increased data breach fines jumping to up to €100m (or five per cent of global turnover under the new EU Data Protection Regulation) data security is likely to jump up the priority list for budget expenditure.

    4. Google Spain case will get greater scrutiny

    Last year Mr Costeja unintentionally achieved international fame, infamy even. The Court of Justice of the European Union ruled that Google had to remove links from search results about Costeja that were accurate but out-of-date. This was dubbed the “right to be forgotten”, reflecting the ‘right’ about to be introduced under the new EU Data Protection Regulation. In fact, it is based on the existing law that data must be kept accurate and up-to-date.

    5. Cloud standards get closer

    There are numerous attempts to introduce cloud standards. There are initiatives from the European Union, official standard-setting organisations such as the International Telecommunications Union and the International Standards Organisation. There are also private standard-setting organisations (such as the UK Cloud Industry Forum with whom I have an association) and government-imposed standards. In all, the European Telecommunications Standards identified 20 bodies producing 150 documents in this area.

    A definitive set of standards is some way off, as is a standard cloud contract, and cloud providers have little enthusiasm for one. The European Commission is attempting to introduce a standard approach to cloud SLAs.

    Reply
  16. Tomi Engdahl says:

    How sloppy security exposed Apple’s super-secret product plans
    http://www.cultofmac.com/308478/confidential-apple-product-plans-quanta/

    This login screen for a Quanta Computer database led to sensitive documents containing details on upcoming Apple products.

    Incredibly sloppy security at one of Apple’s key suppliers exposed some of Cupertino’s most closely guarded secrets to anybody who could conduct a simple Google search.

    For months, one of Quanta Computer‘s internal databases could be accessed using usernames and a default password published in a PowerPoint presentation easily found on the Web.

    Quanta, based in Taiwan, is the world’s largest notebook manufacturer. In addition to Apple, Quanta assembles laptops and ultrabooks for dozens of companies, including Dell, Hewlett-Packard, Sharp and Sony.

    The security lapse comes at a time of rapidly accelerating hacking incidents and cyberattacks, from credit card breaches and celebrity nude selfie leaks to the damaging theft of Sony’s most sensitive corporate data. The fact that the confidential plans of a company as secretive as Apple can be laid bare through a series of security missteps illustrates just how difficult it is to safeguard information in the digital era.

    The path to Quanta’s database started last September when, on the eve of the big Apple Watch launch event, an anonymous Reddit user posted drawings and details of the super-secret device.

    The document is not the only one floating around online, either: Several other confidential Quanta documents have been published online, and at least one gives details and login information for an internal Quanta database containing detailed schematics that appear to show other upcoming Apple products. The details can be found with a simple Google search.

    A source, who Cult of Mac promised not to identify, demonstrated to us how anyone could log into the system using one of the usernames and the default password named in the document.

    Cult of Mac informed Apple and Quanta of the security problem.

    it appears Quanta has now disabled the accounts in the PowerPoint document and/or changed the default password.

    “All organizations — large and small — should brush up on good security practices, and start using them actively,”

    Reply
  17. Tomi Engdahl says:

    Hollywood vs hackers: Vulture cracks Tinseltown keyboard cornballs
    Cracking code was never like Blackhat in my day
    http://www.theregister.co.uk/2015/01/15/hollywoods_vs_the_hacker_keyboard_crack_cornballs_fresh_from_tinseltown/

    A lot of exciting things are happening online right now. Eye-boggling blocks of code are presently being distilled into art, pornography and weapons of war, and making that distillation look exciting on film would be a challenge for film-makers who thoroughly understood the world of IT.

    And, if we’ve learned anything from the recent Sony Studios debacle, and a dozen other Hollywood data haemorrhages, it’s that movie people are as blithely, blissfully uninformed about computers as government ministers, captains of industry, and your nan.

    This is probably why most films that feature “hackers” involve an awful lot of very loud, very fast, typing.

    Reply
  18. Tomi Engdahl says:

    Microsoft cracks personalisation without prying
    ‘Bloom filters’ add flower to Cookies for personal search without tracking
    http://www.theregister.co.uk/2015/01/15/remond_makes_odd_bedfellows_of_privacy_and_custom_search/

    A Microsoft research trio has developed an algorithm capable of eliminating user tracking in web search without the overheads of existing technology.

    The idea, to be presented next month and titled Bloom Cookies: Web Search Personalisation without User Tracking, uses a new type of flowery cookies that can tightly-encode user profiles to preserve privacy without cutting off online personalisation services.

    Microsoft Research, would use Bloom filters to score a better tradeoff between privacy, personalisation, and network efficiency.

    The filters are space-efficient structures used to confirm elements as parts of a set in a way that eliminates false negatives.

    “They provide similar or better personalisation and privacy than noise injection and profile generalisation, but with an order of magnitude lower communication cost and no noise dictionary,” they said.

    Reply
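The comment above describes Bloom filters only in one sentence. The following is an added example (mine, not code from the Microsoft Research paper or from this blog) of the mechanism the "Bloom cookie" idea rests on: a bit array with k hash positions per item, so a membership query can return a false positive but never a false negative, and the whole profile travels as a few bytes. The interest list, the 1% target error rate and the cookie format are assumptions for illustration, not the paper's parameters.

```python
import hashlib
import math


class BloomFilter:
    """Bit array plus k hash positions per item: membership tests never give a
    false negative, and give false positives at roughly the rate used for sizing."""

    def __init__(self, expected_items, false_positive_rate):
        # Standard sizing: m bits and k hashes for n items at the target error rate
        self.m = int(math.ceil(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, int(round(self.m / expected_items * math.log(2))))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: k indexes derived from two 64-bit halves of a single SHA-256
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd stride, so it is never zero
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        # Every one of the k bits must be set; one clear bit proves absence
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def to_cookie(self):
        # The compact value a client would send with a query instead of its raw profile
        return self.bits.hex()


# Constructed sample profile (assumed, not real data): topics a user's searches fell into
USER_INTERESTS = ["python", "kernel", "rust", "tls", "forensics", "esp8266", "chess", "hiking"]


def build_profile_cookie(interests, false_positive_rate=0.01):
    """Client side: encode the interest set into a filter sized for the target error rate."""
    bf = BloomFilter(expected_items=max(len(interests), 1), false_positive_rate=false_positive_rate)
    for topic in interests:
        bf.add(topic)
    return bf


def personalise(profile, candidate_topics):
    """Server side: keep only the candidates the cookie says the user is interested in."""
    return [t for t in candidate_topics if t in profile]


def false_positive_rate(profile, probes):
    """Fraction of items known NOT to be in the profile that the filter still accepts."""
    hits = sum(1 for p in probes if p in profile)
    return hits / len(probes)


if __name__ == "__main__":
    cookie = build_profile_cookie(USER_INTERESTS)
    print("cookie:", cookie.to_cookie(), "bytes:", len(cookie.bits), "k:", cookie.k)
    print("matched:", personalise(cookie, ["rust", "knitting", "tls", "golf"]))
    probes = ["absent-%d" % i for i in range(10000)]
    print("measured false-positive rate:", false_positive_rate(cookie, probes))
```

Eight interests at a 1% target give a 77-bit filter (10 bytes on the wire) with 7 hash positions; the server learns only a noisy "probably interested" bit per topic, not the search history the profile was built from, and the false-positive rate is the privacy knob: raising it makes the cookie smaller and the profile vaguer.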
  19. Tomi Engdahl says:

    Oracle alerts firms to bogus malware-laden ‘security patches’
    http://www.v3.co.uk/v3-uk/news/2390055/oracle-alerts-firms-to-bogus-malware-laden-security-patches

    Hackers are targeting enterprise companies with bogus, malware-laden patches purporting to come from Oracle.

    Antonella Giovannetti, Oracle’s Proactive response team engineer, warned in a threat advisory that customers to be vigilant about the attacks.

    “Warning. It has come to our attention that there are non-Oracle sites offering Oracle ‘fixes’ for genuine Oracle error messages,” read the advisory.

    The malware and the specific attack sites remain unknown.

    “Given the target-base – Oracle customers – I think I’d categorise this as a type of search engine optimisation [SEO] or watering hole attack. So not common, but not uncommon,” he said.

    “We’ve seen lots of industries targeted in the last year or two. Sounds like the bad guys have done some SEO work to lure potential victims to legit-looking sites that offer ‘patches’.”

    Reply
  20. Tomi Engdahl says:

    Adobe Patches Nine Vulnerabilities In Flash
    http://it.slashdot.org/story/15/01/15/0344251/adobe-patches-nine-vulnerabilities-in-flash

    Adobe has patched nine vulnerabilities in Flash Player — four of which are considered “critical”

    Adobe patches critical Flash security vulnerabilities
    http://www.zdnet.com/article/adobe-patches-critical-flash-security-vulnerabilities/

    Summary: Adobe patches nine vulnerabilities — four of which are considered “critical” — in order to protect against hackers who could exploit the bug to take control of an affected system.

    Flash, which comes included with Google Chrome, and Internet Explorer on Windows 8 (and above) will automatically update to the patched version.

    Adobe acknowledged security researchers from Google, McAfee, HP, and Verisign.

    Reply
  21. Tomi Engdahl says:

    Jon Southurst / CoinDesk:
    Bitcoin falls below $185; hash rate drops, mining not profitable, making network volatile — Bitcoin Price Continues to Fall, Breaks $200 Mark — The bitcoin price fell below the landmark $200 point at 07:24 (GMT) today, putting it back into territory not seen since late 2013.

    Bitcoin Price Continues to Fall, Breaks $200 Mark
    http://www.coindesk.com/bitcoin-price-continues-fall-breaks-200-mark/

    Although most of the focus over the past 48 hours was on the price of bitcoin, the hash rate has also experienced a massive drop, followed by a fast recovery late Tuesday.

    The problem is clear – the combination of a high difficulty level and low prices means mining is simply no longer profitable.

    Mining revenue is simply too low to sustain the network at this price point and miners are faced with a tough choice – if they decide to power down, the next difficulty level will be attained later, but if they keep going, they will continue bleeding money. If the price does not recover, both scenarios are damaging to miners and bitcoin in general.

    Many of those who decide to keep mining at a loss will be forced to unload their bitcoins as soon as possible, at any price, just to cover part of their expenses. This will increase supply of cheap BTC in the short run, depressing prices even further.

    If a significant number of miners decide to halt operations, we could see a substantial drop in the difficulty rate, but not in two weeks – depending on the size of the cut, it could be much longer.

    It is a vicious cycle, as the hashing power will still be there and many will be eager to pounce as soon as the difficulty drops.

    Reply
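The comment above argues that a hash-rate drop is self-reinforcing because the difficulty only adjusts after a fixed number of blocks, so a slower chain also retargets later. Here is an added worked example (mine, not CoinDesk's) that runs that arithmetic through Bitcoin's actual retarget rules as I know them: adjustment every 2016 blocks toward a 600-second block interval, with any single adjustment clamped to a factor of four. The scenario numbers (a 50% cut halfway through a period, a 90% cut at the start) are assumptions chosen to illustrate the two cases.

```python
RETARGET_INTERVAL = 2016                                 # blocks between difficulty adjustments
TARGET_SPACING = 600                                     # seconds per block the network aims for
EXPECTED_PERIOD = RETARGET_INTERVAL * TARGET_SPACING     # 1,209,600 s, i.e. two weeks
MAX_ADJUST = 4.0                                         # one retarget moves at most 4x either way


def next_difficulty_factor(actual_period_seconds):
    """Ratio new/old difficulty after a retarget period that took actual_period_seconds."""
    ratio = EXPECTED_PERIOD / actual_period_seconds
    return max(1.0 / MAX_ADJUST, min(MAX_ADJUST, ratio))


def simulate_hashrate_cut(blocks_elapsed, cut_fraction):
    """Hash rate falls by cut_fraction after blocks_elapsed blocks of a period that was
    running exactly on schedule. Returns when the retarget lands and what it does."""
    if not 0.0 <= cut_fraction < 1.0:
        raise ValueError("cut_fraction must be in [0, 1)")
    if not 0 <= blocks_elapsed <= RETARGET_INTERVAL:
        raise ValueError("blocks_elapsed must be within one retarget period")

    elapsed = blocks_elapsed * TARGET_SPACING
    remaining_blocks = RETARGET_INTERVAL - blocks_elapsed
    # At fixed difficulty the expected block time scales inversely with hash rate
    block_time_after_cut = TARGET_SPACING / (1.0 - cut_fraction)
    remaining = remaining_blocks * block_time_after_cut
    period = elapsed + remaining
    factor = next_difficulty_factor(period)
    # After the retarget the reduced hash rate mines at the new difficulty; this is
    # back to 600 s only if the factor exactly offsets the cut, which the clamp and the
    # already-elapsed blocks usually prevent
    block_time_next_period = block_time_after_cut * factor
    return {
        "remaining_days": remaining / 86400,
        "period_days": period / 86400,
        "difficulty_factor": factor,
        "block_time_next_period": block_time_next_period,
    }


if __name__ == "__main__":
    for blocks, cut in ((1008, 0.5), (0, 0.9)):
        r = simulate_hashrate_cut(blocks, cut)
        print(f"{cut:.0%} cut after {blocks} blocks: retarget in {r['remaining_days']:.1f} days, "
              f"period lasted {r['period_days']:.1f} days, difficulty x{r['difficulty_factor']:.3f}, "
              f"next-period block time {r['block_time_next_period']:.0f} s")
```

With half the hash rate leaving halfway through, the period stretches from 14 to 21 days and difficulty only drops to two thirds, so blocks still take 800 s afterwards; a 90% cut at the start of a period takes 140 days to reach the retarget and then hits the 4x clamp, which is the "much longer than two weeks" the comment refers to.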
  22. Tomi Engdahl says:

    Graham Cluley:
    Google discloses *another* Microsoft Windows vulnerability before a patch is ready
    http://grahamcluley.com/2015/01/google-discloses-microsoft-windows-vulnerability/

    Earlier this month, Google controversially published proof-of-concept code, providing malicious hackers with a blueprint through which they could exploit Microsoft Windows 8.1 through a zero-day vulnerability.

    This week, Google did it again.

    The latest disclosure by Google is a new privilege escalation bug in Microsoft Windows 8.1 (reportedly also affecting the 64-bit edition of Windows 7 Professional SP 1).

    Both flaws were patched by Microsoft on Tuesday, but understandably the company isn’t happy about Google’s releasing details of security holes when patches were not only in the works, but about to be imminently released.

    Releasing details of security holes to the public before a patch is available only helps a tiny nerdy proportion of the internet community. It doesn’t help the vast majority of computer users at all – in fact, it potentially puts them in danger.

    Reply
  23. Tomi Engdahl says:

    It’s 2015 and home routers still leave their config web servers wide open
    ADB Pirelli boxes suffer a pair of flats, says researcher
    http://www.theregister.co.uk/2015/01/15/pirelli_router_bugs/

    Broadband routers from ADB Pirelli – used by Movistar in Spain and an ISP in Argentina – are vulnerable to at least two nasty security weaknesses, it’s claimed.

    The ADB Pirelli ADSL2/2+ Wireless Routers can be trivially controlled remotely from across the internet, allowing someone to surreptitiously monitor or disrupt home networks, according to a security researcher.

    “Neither authentication nor any protection to avoid unauthorised extraction of sensitive information”

    This would allow anyone to, say, request an owner’s Wi-Fi network password using a simple plain-text HTTP request

    Reply
  24. Tomi Engdahl says:

    ISO floats storage security standard
    ISO/IEC 27040:2015 is bedtime reading for storage admins
    http://www.theregister.co.uk/2015/01/15/iso_floats_storage_security_standard/

    The International Standards Organisation reckons the world needs help securing its data, so has published a new storage security standard to cover it.

    As the home page of ISO/IEC 27040:2015 notes, sysadmins need to cover off security of devices and media, and their management systems, applications and services, users, and what to do with device and media at end-of-life (ie, ‘is a hammer sufficient to render a disk unreadable?’).

    The standard is designed as a set of guidelines that “includes guidance on the threat, design, and control aspects associated with typical storage scenarios and storage technology areas”, the ISO says.

    ISO says the standard aims to help draw attention to storage security risks

    The standard will also help admins and organisations with legal compliance.

    Keeping data safe – what’s your back up?
    http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1926

    Securely storing and protecting data requires a whole lot more than a simple back up. A new International standard for data storage security ensures your valuable information stays in safe hands.

    ISO/IEC 27040:2015 Information technology – Security techniques – Storage security provides detailed technical guidance on how to effectively manage all aspects of data storage security, from the planning and design to the implementation and documentation.

    It includes guidance on mitigating risks of data breaches and corruption and takes into account new technologies and the complexities of connectivity and supports the requirements of an Information Security Management System according to ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements.

    Reply
  25. Tomi Engdahl says:

    NSA: SO SORRY we backed that borked crypto even after you spotted the backdoor
    Non-apology to mathematicians for Dual EC DRBG shenanigans
    http://www.theregister.co.uk/2015/01/14/nsa_sorry_we_borked_nist_encryption_well_sorry_we_got_caught/

    The NSA’s director of research Michael Wertheimer says it’s “regrettable” that his agency continued to support Dual EC DRBG even after it was widely known to be hopelessly flawed.

    Writing in Notices, a publication run by the American Mathematical Society, Wertheimer outlined the history of the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG), and said that an examination of the facts made it clear no malice was involved.

    “With hindsight, NSA should have ceased supporting the Dual EC DRBG algorithm immediately after security researchers discovered the potential for a trapdoor.”

    “The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the Dual EC DRBG casts suspicion on the broader body of work NSA has done to promote secure standards.”

    For a start, Prof Green said problems with Dual EC DRBG systems that used the NSA’s elliptic curve points were first noticed way back in 2004 by members of an ANSI standards committee, when NIST was still considering backing the algorithm.

    the ANSI investigation of problems was hardly an open process

    Reply
  26. Tomi Engdahl says:

    Got a GE industrial Ethernet switch? Get patching
    Hard-coded RSA keys found in firmware
    http://www.theregister.co.uk/2015/01/15/got_a_ge_industrial_ethernet_switch_get_patching/

    GE is the latest industrial kit vendor to send users patching to protect against hard-coded credentials in Ethernet switches.

    IOActive disclosed the vulnerability to ICS-CERT, which issued this advisory (details here CVE-2014-5418 and here CVE-2014-5419).

    The vulnerability occurs in various GE Multilink managed Ethernet switches: the ML800, 1200, 1600 and 2400 versions 4.2.1 and older; and the ML810, 3000 and 3100 versions older than version 5.2.0.

    In these switches, the RSA key used to encrypt SSL traffic is hard-coded in the firmware, which needs to be updated (the company has issued patch instructions here). ICS-CERT reckons the skill level needed to remotely exploit the vulnerability is low.

    Reply
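The hard-coded key in the GE switches is the kind of thing that can be found before an advisory, by scanning a firmware image for PEM-armoured key material and checking whether the same key appears in more than one image or device. The following is an added example (mine, not IOActive's, ICS-CERT's or GE's tooling) of that check. The firmware images, their file names and the key and certificate bodies are all constructed dummies: the base64 text is not real key material, and the "fixed" image name is a hypothetical, not a claim about what GE's patch changes.

```python
import hashlib
import re

# PEM armour for private keys (PKCS#1 "RSA PRIVATE KEY", SEC1 "EC PRIVATE KEY",
# PKCS#8 "PRIVATE KEY") and certificates. The backreference ties the END line to the
# same label, so a truncated or mismatched block is not reported as a key.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY|CERTIFICATE)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def find_pem_blocks(image):
    """One dict per PEM block found anywhere in a binary image, in offset order."""
    blocks = []
    for m in PEM_BLOCK.finditer(image):
        body = b"".join(m.group(2).split())  # drop line breaks so CRLF vs LF hashes the same
        blocks.append({
            "offset": m.start(),
            "kind": m.group(1).decode("ascii"),
            "fingerprint": hashlib.sha256(body).hexdigest()[:16],
        })
    return blocks


def private_keys_in(image):
    """Any private key at all in a shipped image is a finding; this lists them."""
    return [b for b in find_pem_blocks(image) if b["kind"].endswith("PRIVATE KEY")]


def shared_private_keys(images):
    """fingerprint -> names of every image that embeds that same private key.
    A key shared across models or versions is shared across every deployed device."""
    owners = {}
    for name, image in images.items():
        for blk in private_keys_in(image):
            names = owners.setdefault(blk["fingerprint"], [])
            if name not in names:
                names.append(name)
    return {fp: names for fp, names in owners.items() if len(names) > 1}


# Constructed test data: dummy base64 bodies (not real keys) inside some binary noise.
DUMMY_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
             b"MIIBOgIBAAJBAK0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN\n"
             b"OPQRSTUVWXYZ0123456789+/dummykeymaterialnotreal==\n"
             b"-----END RSA PRIVATE KEY-----\n")
DUMMY_CERT = (b"-----BEGIN CERTIFICATE-----\n"
              b"MIIBszCCAV2gAwIBAgIJAdummycertificatebodynotrealAAAA\n"
              b"-----END CERTIFICATE-----\n")
NOISE = b"\x7fELF\x01\x01\x01\x00" + bytes(range(256)) * 4

# Hypothetical image names; the two "v4.2.1" images share one key at different offsets
FIRMWARE_IMAGES = {
    "ml800_v4.2.1.bin": NOISE + DUMMY_KEY + NOISE + DUMMY_CERT + NOISE,
    "ml1200_v4.2.1.bin": NOISE[:100] + DUMMY_CERT + DUMMY_KEY + NOISE,
    "ml800_fixed.bin": NOISE + DUMMY_CERT + NOISE,   # assumed: no embedded private key
}

if __name__ == "__main__":
    for name, image in FIRMWARE_IMAGES.items():
        for blk in find_pem_blocks(image):
            print(f"{name}: {blk['kind']} at 0x{blk['offset']:x} fp={blk['fingerprint']}")
    for fp, names in shared_private_keys(FIRMWARE_IMAGES).items():
        print("SHARED private key", fp, "in", ", ".join(names))
```

Run it against unpacked firmware from a vendor's download site (binwalk or a plain `strings` pass will show whether the filesystem is compressed first); keys stored in DER or in a custom blob need a different matcher, so an empty result from this scan is not proof of absence. A key that appears in more than one image, or in one image shipped to thousands of switches, lets anyone holding the firmware decrypt or impersonate every unit's management interface.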
  27. Tomi Engdahl says:

    Robert Graham / Errata Security:
    Obama’s proposed laws against hacking will negatively impact cybersecurity professionals, create a cyber police state

    Obama’s War on Hackers
    By Robert Graham
    http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VLeyl3t3B-s

    In next week’s State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above link illegal. The new laws make it a felony to intentionally access unauthorized information even if it’s been posted to a public website. The new laws make it a felony to traffic in information like passwords, where “trafficking” includes posting a link.

    You might assume that things would never become that bad, but it’s already happening even with the current laws.

    Even if you don’t do any of this, you can still be guilty if you hang around with people who do. Obama proposes upgrading hacking to a “racketeering” offense, means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). Hanging out in an IRC chat room giving advice to people now makes you a member of a “criminal enterprise”, allowing the FBI to sweep in and confiscate all your assets without charging you with a crime. If you innocently clicked on the link above, and think you can defend yourself in court, prosecutors can still use the 20-year sentence of a racketeering charge in order to force you to plea bargain down to a 1-year sentence for hacking. (Civil libertarians hate the police-state nature of racketeering laws).

    Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking in response to massive data breaches of the last couple years. But they are blunt political solutions which reflect no technical understanding of the problem.

    Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that.

    The most important innovators this law would affect are the cybersecurity professionals that protect the Internet. If you cared about things such as “national security” and “cyberterrorism”, then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like “hacking”. Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open-door for nation-state hackers and the real cybercriminals.

    Reply
  28. Tomi Engdahl says:

    In short, President Obama’s War on Hackers is a bad thing, creating a Cyber Police State. The current laws already overcriminalize innocent actions and allow surveillance of innocent people. We need to roll those laws back, not extend them.
    Source: http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VLeyl3t3B-s

    Reply
  29. Tomi Engdahl says:

    How to Set Up a VPN (and Why You Should)
    http://www.whoishostingthis.com/blog/2014/12/11/vpn-setup/

    Think your Internet connection is secure from hackers and spies?

    You know your basic online safety tips. You’re careful at home, scrutinizing your email for phishing attempts, never giving out personal information, and installing nothing unknown on your computer. When you’re out and about, connecting to public Wi-fi, you verify you’re on the right network and watch your address bar for that “https.” You’ve got your 2-factor authentication, your firewalls, your antivirus software.

    But is that enough?

    With every passing year, hackers come up with more and more ingenious ways to get at your data. You may be able to spot Nigerian princes with the best of them, but there are many more insidious tactics you may not even notice until your identity is stolen or your bank account is hit.

    There is one method you can use to keep you safer that isn’t commonly found in lists of Internet safety tips: a VPN.

    Setting up a Virtual Private Network is one of the best ways to keep you and your private data safe.

    When you use a VPN to go online, all your data is encrypted, leaving you and your identity secure from hackers. A VPN makes it harder to track your activities online, see what files you’re downloading, read the data you enter into online forms, read your email, and trace any online data back to you.

    And implementing a VPN isn’t as technical or difficult as it may sound: you can easily use a third-party service.

    Listed below are some of the most popular VPN services you can use to keep safe and secure online. But keep in mind that not all VPNs are the same. There are pros and cons to each service, and not all of them may fit your needs.

    Reply
  30. Tomi Engdahl says:

    Universal Plug and Play
    Router Security Check
    http://upnp-check.rapid7.com/

    Recent research from Rapid7 revealed that many of these devices are at risk due to security flaws in the UPnP protocol. These issues potentially expose millions of users to remote attacks that could result in the theft of sensitive information or further assaults on connected machines such as personal computers.

    This service can test your router and determine whether it is vulnerable to attack.

    GRC’s | ShieldsUP! — UPnP Exposure Test
    https://www.grc.com/su/UPnP-Rejected.htm

    There is no question whether hackers are, in fact, currently sweeping the Internet for the presence of exposed and vulnerable consumer Internet routers in order to gain access to the private networks residing behind them. Just such hacking packets are now being detected across the Internet. Scanning is underway and the threat is real.
    Whenever changes are made to your network configuration, whenever you update your router’s firmware, and also from time to time just to be sure, you should consider re-running this quick test to confirm that your Internet-facing equipment is continuing to ignore all attempts at its subversion though the Universal Plug n’Play (UPnP) protocols.

    Reply
  31. Tomi Engdahl says:

    Achieve tamper-proof capacitive sensing
    http://www.edn.com/design/sensors/4438316/1/Achieve-tamper-proof-capacitive-sensing-

    Applications such as Point Of Sale (POS) devices and keypads for secure door locks are required to be tamper resistant. If these devices are tampered with, then there are possibilities for theft of confidential information such as the Personal Identification Number (PIN) of a credit/debit card or access code of a lock. Hence, the devices incorporate special measures to detect tampering and halt further operation to avoid loss of sensitive data.

    One of the easiest ways to gain access into a device is through the region where electrical contacts are brought out, or are closer to surface. Mechanical buttons are required to gather user input and these generally use tactile switches placed beneath the rubber or plastic key mat. Since switches have electrical contacts that connect them to microcontrollers and, as these switches are relatively close to surface, they are an easy target for tamper attempts.

    A micro drill is used to make small holes on the keypad overlay and reach the electrical contacts beneath them. Once the electrical contacts are reached, very thin wires are attached to them and connected to a parallel processing system. The user will have no clue that the device has been tampered with and thus becomes the victim of a tampering attack.

    Similarly, there are other numerous ways used to tamper with a design. These may include tapping the communication lines of the controller or monitoring the transactions of the device passively by fixing a ‘bug’ on the system. It is also possible to cut the power supply of the device and tamper the system. The component of the system, which has least measures to protect it against tampering, becomes the most vulnerable part and thus the target of tampering attacks. Hence, it is not sufficient if we incorporate measures to secure any single component of the device in order to make the whole system tamper resistant. The combination of anti-tamper measures incorporated on every part that goes inside the device is what makes the system tamper-proof.

    Reply
  32. Tomi Engdahl says:

    Finnish invention revealed the murderer

    Sports Tracker tracking information was the key evidence in a murder case in the United States.

    The police found in the phone’s memory a Sports Tracker application training file whose timestamp matched the time of the crime. Incredibly, the girl’s Sports Tracker application had been running during the whole murder and for a long time after it.

    The problem was that the FBI and the other authorities did not know how to get past the application’s encryption, and so were unable to interpret the data stored by the application. After a few weeks of trying, the authorities sent letters rogatory through the Finnish police to Sports Tracker last September.

    - Our specialists had the “decrypted” file in five minutes, says Sports Tracking Technologies Ltd’s CEO and founder Jussi Kaasinen.

    At this point the Finnish firm did not know what kind of case the request related to, and the FBI refused, for investigative reasons, to explain the case in detail. When the firm had unpacked the application data and plotted the phone’s movements on a map, the reality became very obvious from the first Google search result.

    - A senseless thing. It shows that the technology each of us carries in a pocket every day enables all kinds of things, sometimes in very unexpected ways, Kaasinen says.

    Source: http://www.iltalehti.fi/uutiset/2015011519026746_uu.shtml

    Reply
  33. Tomi Engdahl says:

    Silk Road Trial Defense: Mt. Gox CEO Was the Real Dread Pirate Roberts
    http://yro.slashdot.org/story/15/01/15/2140201/silk-road-trial-defense-mt-gox-ceo-was-the-real-dread-pirate-roberts

    The defense team for Ross Ulbricht, the 30-year-old man accused of running the online black market Silk Road under the pseudonym Dread Pirate Roberts, just dropped an unexpected new theory: Mark Karpeles, the CEO of failed Bitcoin company Mt. Gox, is the real Dread Pirate Roberts.

    Defense in Silk Road Trial Says Mt. Gox CEO Was the Real Dread Pirate Roberts
    http://motherboard.vice.com/read/defense-in-silk-road-trial-says-mt-gox-ceo-was-the-real-dread-pirate-roberts

    “We have the name of the real mastermind and it’s not Ulbricht,” Joshua Dratel, Ulbricht’s lawyer, said in his opening statement in the trial. It now seems clear that he plans to argue that Karpeles framed Ulbricht.

    The defense is clearly trying to raise reasonable doubt by implying that someone else could have been responsible for the site, which did more than a billion dollars in underground commerce for drugs, false IDs, and more before being shut down in October of 2013.

    Karpeles, who is from France, ran what was once the world’s largest Bitcoin exchange, Mt. Gox, which was based in Tokyo. DerYeghiayan’s theory was that Karpeles wanted to create a market that used Bitcoin in order to keep the price of the semi-anonymous cryptocurrency robust, which he believed was probable cause for Karpeles’s arrest. (Mt. Gox went bankrupt in early 2014.)

    “[Silk Road] would be a device for leveraging the value of Bitcoin”

    When the Baltimore investigators asked Karpeles about Silk Road, he said he would tell them the name of the person behind the site.

    Reply
  34. Tomi Engdahl says:

    Google OUTS a Microsoft security COVER-UP
    Redmond ran out of time to patch Windows flaw this week, so Google’s told world+dog
    http://www.theregister.co.uk/2015/01/16/google_dries_redmonds_tears_with_more_0day/

    Google has once again decided Microsoft’s moving too slowly on the security front – by dropping yet another proof-of-concept attack against a Windows 7 and 8.1 bug that Redmond tried and failed to fix this week.

    The flaw is present in Windows on 32- and 64-bit architectures, and can accidentally disclose sensitive information or allow a miscreant to bypass security checks, apparently.

    Google’s Project Zero dropped the bug in line with its 90-day fix-it-or-else disclosure policy which this week ruffled its foe’s feathers after a serious flaw was revealed two days before Redmond issued a fix.

    Microsoft asked for the disclosure of that particular bug be held back slightly until it could be dealt with on Patch Tuesday, to reduce impact on customers.

    Google appears to be flinging fudge at all netizens that don’t take patching seriously: coupled with its tight 90-day dump rule, the software giant also refused to fix a serious WebView flaw in its own Android platform for the old but hugely popular version 4.3.

    It is estimated that close to one billion users – 60 percent of the Android customer base – would be impacted unless they updated their phones and tablets. That feat’s not simple, as device manufacturers and telcos need to get in on the act and push out Google’s latest updates.

    One alternative is for users to install supported modified operating systems such as Cyanogenmod that, while stable, may require a process too alien and fiddly for the non-technical masses.

    Reply
  35. Tomi Engdahl says:

    Pirate Activist Shows Politicians What Digital Surveillance Looks Like
    http://mobile.slashdot.org/story/15/01/15/1541239/pirate-activist-shows-politicians-what-digital-surveillance-looks-like

    How to make politicians really understand the dangers of mass digital surveillance and the importance of information security? Gustav Nipe, the 26-year old president of the Swedish Pirate Party’s youth wing, tried to do it by setting up an open Wi-Fi network at the Society and Defence National Conference held in Sälen, Sweden, and collecting and analyzing the metadata of conference attendees who connected to it.

    Nipe set up an open wireless Internet access point named “Open Guest”

    Pirate activist shows politicians what digital surveillance looks like
    http://www.net-security.org/secworld.php?id=17828

    This conference is an annual summit organized by the Swedish Society and Defence NGO, during which defense and national security issues in Sweden are debated by the speakers and other participants, usually Riksdag (Swedish parliament) members, representatives of political parties, trade unions, the government, and journalists.

    Nipe set up an open wireless Internet access point named “Open Guest” on the premises of the hotel where the conference was held, and over 100 delegates used this particular unsecured Wi-Fi network to go online.

    The collected metadata showed that, among other sites, they visited those of daily Swedish newspaper Aftonbladet, Swedish private ads website Blocket, eBay, and tourism sites. “This was during the day when I suppose they were being paid to be at the conference working,” Nipe noted for The Local.

    But the collected metadata also showed a far more serious thing: on several occasions, users connected to e-mail servers belonging to the likes of the Swedish Civil Contingencies Agency (MSB) and other government organizations.

    “The scary part is that with unsecure networks like these you can end up getting access even to secure servers because people so often use the same passwords for different sites. So we could have got into the government’s server or used other information to track people in their everyday lives,” he noted.

    The fact that they managed to identify authority figures, journalists and politicians through their use of a wireless network and their less thoughtful use of online services demonstrates the tremendous power available to anyone controlling the internet, they pointed out.

    “It also shows the risk involved for public figures and private individuals to work and live their lives on a network whose safety is compromised,”

    This action has been criticized by many, and the question of whether a stunt like this is legal according to Sweden’s Personal Data Act has been raised. Nipe promised to encrypt all the collected information and to destroy it after it’s thoroughly analyzed.

    Reply
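    What the operator of an open access point actually collects is connection metadata: which client talked to which server name on which port. The Go program below is an added example, not Nipe’s tooling or anything from the article, and it runs over a constructed flow log (the MAC addresses, the `*.example` mail-server domains and the organisation labels are invented for illustration). It groups flows per client, counts connections over cleartext protocols where a login would be readable by the access-point owner, and flags which organisations a client’s mail traffic points to. In a real capture the `server` column would be filled from DNS queries or TLS SNI names, which are visible even when the payload is encrypted.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// FlowRecord is one connection seen at the access point: which client (by MAC)
// talked to which server name on which port. The server name is what a DNS
// query or a TLS SNI field reveals even when the payload itself is encrypted.
type FlowRecord struct {
	Client string
	Server string
	Port   int
}

// cleartextPorts lists protocols that carry credentials or content unencrypted;
// a login over one of these is readable by whoever runs the access point.
var cleartextPorts = map[int]string{21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}

// ClientProfile is what the eavesdropper learns about one client.
type ClientProfile struct {
	Client         string
	Servers        []string // distinct server names, sorted
	CleartextFlows int      // connections on unencrypted protocols
	SensitiveOrgs  []string // organisations inferred from mail-server domains, sorted
}

// SampleLog is a constructed flow log (not a real capture): "client server port".
const SampleLog = `
# client-MAC        server                  port
aa:bb:cc:00:00:01   www.aftonbladet.se      443
aa:bb:cc:00:00:01   www.blocket.se          80
aa:bb:cc:00:00:01   mail.agency-a.example   143
aa:bb:cc:00:00:01   mail.agency-a.example   143
aa:bb:cc:00:00:02   www.ebay.com            443
aa:bb:cc:00:00:02   mail.agency-a.example   993
aa:bb:cc:00:00:02   mail.agency-b.example   993
`

// SampleSensitiveDomains maps an invented domain suffix to an organisation label.
var SampleSensitiveDomains = map[string]string{
	"agency-a.example": "Agency A",
	"agency-b.example": "Agency B",
}

// ParseFlows reads the log format above, skipping blank lines and "#" comments.
func ParseFlows(log string) ([]FlowRecord, error) {
	var flows []FlowRecord
	for n, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want 3 fields, got %d", n+1, len(f))
		}
		port, err := strconv.Atoi(f[2])
		if err != nil || port < 1 || port > 65535 {
			return nil, fmt.Errorf("line %d: bad port %q", n+1, f[2])
		}
		flows = append(flows, FlowRecord{Client: f[0], Server: strings.ToLower(f[1]), Port: port})
	}
	return flows, nil
}

// Profile groups flows per client and records servers visited, cleartext use and
// which sensitive organisations the client's traffic points to.
func Profile(flows []FlowRecord, sensitiveDomains map[string]string) map[string]*ClientProfile {
	profiles := map[string]*ClientProfile{}
	seenServer := map[string]map[string]bool{}
	seenOrg := map[string]map[string]bool{}
	for _, fl := range flows {
		p, ok := profiles[fl.Client]
		if !ok {
			p = &ClientProfile{Client: fl.Client}
			profiles[fl.Client] = p
			seenServer[fl.Client] = map[string]bool{}
			seenOrg[fl.Client] = map[string]bool{}
		}
		if !seenServer[fl.Client][fl.Server] {
			seenServer[fl.Client][fl.Server] = true
			p.Servers = append(p.Servers, fl.Server)
		}
		if _, cleartext := cleartextPorts[fl.Port]; cleartext {
			p.CleartextFlows++
		}
		for suffix, org := range sensitiveDomains {
			match := fl.Server == suffix || strings.HasSuffix(fl.Server, "."+suffix)
			if match && !seenOrg[fl.Client][org] {
				seenOrg[fl.Client][org] = true
				p.SensitiveOrgs = append(p.SensitiveOrgs, org)
			}
		}
	}
	for _, p := range profiles {
		sort.Strings(p.Servers)
		sort.Strings(p.SensitiveOrgs)
	}
	return profiles
}

func main() {
	flows, err := ParseFlows(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, p := range Profile(flows, SampleSensitiveDomains) {
		fmt.Printf("%s: %d cleartext flows, servers %v, orgs %v\n",
			p.Client, p.CleartextFlows, p.Servers, p.SensitiveOrgs)
	}
}
```

    The cleartext counter is the part that matters for Nipe’s password-reuse point: a client that checks mail over IMAP on port 143 through a stranger’s access point has handed over a credential, not just a destination. The same profiling works from the defender’s side, run over a corporate Wi-Fi controller’s flow export, to find staff still using unencrypted mail protocols.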
  36. Tomi Engdahl says:

    Matthew Goldstein / New York Times:
    Hacker’s List matches professional hackers with those needing their service for $100 – $5,000

    Need Some Espionage Done? Hackers Are for Hire Online
    http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/?_r=0

    A man in Sweden says he will pay up to $2,000 to anyone who can break into his landlord’s website. A woman in California says she will pay $500 for someone to hack into her boyfriend’s Facebook and Gmail accounts to see if he is cheating on her.

    The business of hacking is no longer just the domain of intelligence agencies, international criminal gangs, shadowy political operatives and disgruntled “hacktivists” taking aim at big targets. Rather, it is an increasingly personal enterprise.

    At a time when huge stealth attacks on companies like Sony Pictures, JPMorgan Chase and Home Depot attract attention, less noticed is a growing cottage industry of ordinary people hiring hackers for much smaller acts of espionage.

    A new website, called Hacker’s List, seeks to match hackers with people looking to gain access to email accounts, take down unflattering photos from a website or gain access to a company’s database. In less than three months of operation, over 500 hacking jobs have been put out to bid on the site, with hackers vying for the right to do the dirty work.

    It is done anonymously, with the website’s operator collecting a fee on each completed assignment. The site offers to hold a customer’s payment in escrow until the task is completed.

    In just the last few days, offers to hire hackers at prices ranging from $100 to $5,000 have come in from around the globe on Hacker’s List, which opened for business in early November.

    Reply
  37. Tomi Engdahl says:

    Lucian Constantin / PC World:
    CryptoWall ransomware is back with new version after two months of silence
    http://www.pcworld.com/article/2868972/

    Reply
  38. Tomi Engdahl says:

    Julian Hattem / The Hill:
    Obama backs call for tech backdoors — President Obama wants a backdoor to track people’s social media messages. — The president on Friday came to the defense of British Prime Minister David Cameron’s call for tech companies to create holes in their technology to allow the government to track suspected terrorists or criminals.

    Obama backs call for tech backdoors
    http://thehill.com/policy/technology/229787-obama-backs-call-for-tech-backdoors

    “Social media and the Internet is the primary way in which these terrorist organizations are communicating,” Obama said during a press conference with Cameron on Friday.

    “That’s not different from anybody else, but they’re good at it and when we have the ability to track that in a way that is legal, conforms with due process, rule of law and presents oversight, then that’s a capability that we have to preserve,” he said.

    “Because this is a whole new world, as David says, the laws that might’ve been designed for the traditional wiretap have to be updated,” Obama said. “How we do that needs to be debated both here in the United States and in the U.K.”

    In the wake of the terror attacks in Paris last week, Cameron has warned against companies’ moves to block out government officials or criminal hackers.

    “We’re not asking for backdoors,” he said on Friday. “We’re asking for very clear front doors through legal processes to help keep our country safe.”

    Cybersecurity experts who have criticized the call for a “golden key” to allow government officials to crack all encryption technology have said that there is no real difference between a “back” and “front” door around the technology. The same weaknesses that would allow the government to track a suspected terrorist could also be exploited by criminals or officials in Russia and China, they say.

    Reply
  39. Tomi Engdahl says:

    BBC:
    UK and US to stage “cyber attack war games” involving commercial banks to test critical national infrastructure

    ‘Cyber attack war games’ to be staged by UK and US
    http://www.bbc.com/news/uk-politics-30842669

    The UK and US are to carry out “war game” cyber attacks on each other as part of a new joint defence against online criminals.

    The first exercise, a staged attack on the financial sector, will take place later this year, Downing Street said.

    The “unprecedented” arrangement between the two countries was announced by Prime Minister David Cameron ahead of talks with US President Barack Obama.

    Reply
  40. Tomi Engdahl says:

    U.S. Discloses New Trove of Phone Call Records
    http://www.nytimes.com/2015/01/17/us/dea-kept-telephone-records-on-americans-justice-department-says.html?_r=0

    The Justice Department revealed on Thursday the existence of yet another database of American telephone records, adding new details to the disclosures in recent years about mass government surveillance.

    This database was maintained by the Drug Enforcement Administration and contained the records of calls made between phone numbers in the United States and overseas. The phone records were retained even if there was no evidence the callers were involved in criminal activity.

    Reply
  41. Tomi Engdahl says:

    Insurance Company Dongles Don’t Offer Much Assurance Against Hacking
    http://hardware.slashdot.org/story/15/01/18/2351217/insurance-company-dongles-dont-offer-much-assurance-against-hacking

    According to a story at Forbes, Digital Bond Labs hacker Corey Thuen has some news that should make you think twice about saving a few bucks on insurance by adding a company-supplied car-tracking OBD2 dongle:

    It’s long been theorised that [Progressive Insurance's Snapshot and other] such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he’s now proven those hypotheses;

    Hacker Says Attacks On ‘Insecure’ Progressive Insurance Dongle In 2 Million US Cars Could Spawn Road Carnage
    http://www.forbes.com/sites/thomasbrewster/2015/01/15/researcher-says-progressive-insurance-dongle-totally-insecure/

    Thuen, a security researcher at Digital Bond Labs who will present his findings at the S4 conference in a talk titled Remote Control Automobiles, has been figuring out how he might hack the vehicle’s on-board network via a dongle that connects to the OBD2 port of his pickup truck. That little device, Snapshot, provided by one of the biggest insurance providers in the US, Progressive Insurance, is supposed to track his driving to determine whether he deserves to pay a little more or less for his cover. It’s used in more than two million vehicles in the US. But it’s wholly lacking in security, meaning it could be exploited to allow a hacker, be they in the car or outside, to take control over core vehicular functions, he claims.


    By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to “weaponise” his exploits, he told Forbes. “Controlling it wasn’t the focus, finding out if it was possible was the focus.”

    It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. “The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies… basically it uses no security technologies whatsoever.”

    The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive’s servers and the dongle, would have to be compromised too. Such systems have been exploited in the past

    Regardless of the steps needed for a successful attack, it’s apparent such dongles are insecure, posing a genuine risk to people’s lives, Thuen added. “I suspected that these dongles were built insecurely, and I was correct. The technology being used in them is outdated and vulnerable to attack which is highly troubling considering it is being used to remotely access insecure by design vehicle computers,” he said. “A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.

    “Also, there is the attack vector of Progressive backend infrastructure.”

    “In simple terms, we have seen that cars can be hacked and we have seen that cell comms can be hacked.”

    Privacy of data within cars is also a growing concern

    The findings landed on the same day as the World Economic Forum’s Global Risks 2015 report warned about the increasing potential for digital attacks on cars. “There are more devices to secure against hackers, and bigger downsides from failure: hacking the location data on a car is merely an invasion of privacy, whereas hacking the control system of a car would be a threat to life. The current internet infrastructure was not developed with such security concerns in mind,” the report read.

    Reply
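    The controls Thuen lists as missing (no validation or signing of firmware updates, no secure boot) are the part of this story a practitioner can show in code. The Go program below is an added example, not code from Digital Bond, Xirgo or Progressive, and its update-image layout (a “FWUP” header, version, length, payload and a trailing Ed25519 signature) is an assumption made for illustration. It puts the behaviour Thuen describes, an `ApplyUnverified` path that flashes whatever parses, beside an `ApplyVerified` path that checks the signature against a key burned into the device and refuses rollback to an older version, and then feeds both an attacker-built image, a genuine one and a bit-flipped one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy update image (an assumed layout for this example, not Xirgo's or Progressive's):
//   "FWUP" | uint32 version | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers every byte before it, so version and length are protected too.
const (
	magic  = "FWUP"
	hdrLen = 4 + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrBadImage = errors.New("firmware: malformed update image")
	ErrBadSig   = errors.New("firmware: signature verification failed")
	ErrRollback = errors.New("firmware: version is not newer than installed")
)

// NewKeyPair generates the vendor signing key; only the public half goes on the device.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildUpdate is the vendor side: serialise header and payload, then sign them.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := new(bytes.Buffer)
	buf.WriteString(magic)
	binary.Write(buf, binary.BigEndian, version)
	binary.Write(buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// Device models the dongle: a burned-in vendor public key plus what is installed.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
	Firmware  []byte
}

// split parses an image; the only thing it guarantees is well-formedness.
func split(image []byte) (version uint32, payload, sig []byte, err error) {
	if len(image) < hdrLen+sigLen || string(image[:4]) != magic {
		return 0, nil, nil, ErrBadImage
	}
	n := int(binary.BigEndian.Uint32(image[8:12]))
	if n != len(image)-hdrLen-sigLen {
		return 0, nil, nil, ErrBadImage
	}
	return binary.BigEndian.Uint32(image[4:8]), image[hdrLen : hdrLen+n], image[hdrLen+n:], nil
}

// ApplyUnverified is the behaviour Thuen describes: no validation or signing,
// so any image that parses is flashed, whoever produced it.
func (d *Device) ApplyUnverified(image []byte) error {
	version, payload, _, err := split(image)
	if err != nil {
		return err
	}
	d.Installed, d.Firmware = version, payload
	return nil
}

// ApplyVerified checks the signature with the burned-in key before trusting any
// field, then refuses anything that is not strictly newer (anti-rollback).
func (d *Device) ApplyVerified(image []byte) error {
	version, payload, sig, err := split(image)
	if err != nil {
		return err
	}
	if !ed25519.Verify(d.VendorPub, image[:len(image)-sigLen], sig) {
		return ErrBadSig
	}
	if version <= d.Installed {
		return ErrRollback
	}
	d.Installed, d.Firmware = version, payload
	return nil
}

func main() {
	pub, priv := NewKeyPair()
	_, attackerPriv := NewKeyPair()
	good := BuildUpdate(priv, 2, []byte("vendor firmware v2"))
	evil := BuildUpdate(attackerPriv, 3, []byte("attacker firmware"))

	naive := &Device{VendorPub: pub, Installed: 1}
	fmt.Println("unverified dongle, attacker image:", naive.ApplyUnverified(evil), "installed", naive.Installed)
	d := &Device{VendorPub: pub, Installed: 1}
	fmt.Println("verified dongle, attacker image:", d.ApplyVerified(evil))
	fmt.Println("verified dongle, vendor image:", d.ApplyVerified(good), "installed", d.Installed)
	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0xff // flip one payload byte
	fmt.Println("verified dongle, tampered image:", d.ApplyVerified(tampered))
}
```

    Two design points carry over to real devices. The signature is checked before the version field is trusted, so an attacker cannot use an unsigned header to drive the rollback logic; and the version comparison is strict, so a captured genuine image cannot be replayed to downgrade the device to a release with a known bug. The remaining gap Thuen mentions, the cellular modem path, is what secure boot and an authenticated transport are for: signing the image only helps if the key that checks it cannot itself be replaced.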
  42. Tomi Engdahl says:

    Zubie: This Car Safety Tool ‘Could Have Given Hackers Control Of Your Vehicle’
    http://www.forbes.com/sites/thomasbrewster/2014/11/07/car-safety-tool-could-have-given-hackers-control-of-your-vehicle/

    Now, alumni of Israel’s cyber intelligence division, Unit 8200, have discovered that an innocuous American in-vehicle technology could have been exploited to remotely mess with the brakes, steering and engine. It’s the first example of such a cyber attack on a specific in-car “dongle”. And it may prove to be a watershed moment in the history of vehicular security.

    Ironically, the vulnerability lay in a safety-enhancing technology known as Zubie, which tracks cars’ performance and location to offer suggestions for more efficient, responsible driving. Zubie CEO Tim Kelly says the issue has now been fixed. But the findings will do nothing to assuage fears of remote hacking of vehicles via such technologies.

    Zubie consists of a number of parts. First, there’s the hardware, which plugs into the OnBoard Diagnostic (OBD2) port of a car, found underneath the steering wheel. This device communicates with the internal network of the vehicle. It also has a mobile GPRS modem that connects it to the Zubie cloud, which then feeds information to an Android and iOS compatible app.

    The researchers were able to unlock the doors and manipulate the dials on the dash on an unnamed vehicle, Argus claimed in its blog post.

    Argus’ malware could also track the vehicle’s location, driving behaviors and siphon off all this data. “This clearly violates passengers’ privacy,” the company wrote in its blog.

    A remote attack on an aftermarket telematics service
    http://argus-sec.com/blog/remote-attack-aftermarket-telematics-service/

    Reply
  43. Tomi Engdahl says:

    Spiegel Online:
    New Snowden documents show scope of United States’ cyber war plans: infiltrate and control or destroy enemy systems and networks — NSA Preps America for Future Battle — The NSA’s mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency

    The Digital Arms Race: NSA Preps America for Future Battle
    http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html

    The NSA’s mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency is arming America for future digital wars — a struggle for control of the Internet that is already well underway.

    Reply
  44. Tomi Engdahl says:

    New York Times:
    N.S.A. Tapped Into North Korean Networks Before Sony Attack, Officials Say — WASHINGTON — The trail that led American officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the National Security Agency scrambled …

    N.S.A. Tapped Into North Korean Networks Before Sony Attack, Officials Say
    http://www.nytimes.com/2015/01/19/world/asia/nsa-tapped-into-north-korean-networks-before-sony-attack-officials-say.html

    The trail that led American officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the National Security Agency scrambled to break into the computer systems of a country considered one of the most impenetrable targets on earth.

    Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.

    A classified security agency program expanded into an ambitious effort, officials said, to place malware that could track the internal workings of many of the computers and networks used by the North’s hackers, a force that South Korea’s military recently said numbers roughly 6,000 people.

    The evidence gathered by the “early warning radar” of software painstakingly hidden to monitor North Korea’s activities proved critical in persuading President Obama to accuse the government of Kim Jong-un of ordering the Sony attack, according to the officials and experts

    Mr. Obama’s decision to accuse North Korea of ordering the largest destructive attack against an American target — and to promise retaliation, which has begun in the form of new economic sanctions — was highly unusual: The United States had never explicitly charged another government with mounting a cyberattack on American targets.

    “Attributing where attacks come from is incredibly difficult and slow,”

    “The speed and certainty with which the United States made its determinations about North Korea told you that something was different here — that they had some kind of inside view.”

    For about a decade, the United States has implanted “beacons,” which can map a computer network, along with surveillance software and occasionally even destructive malware in the computer systems of foreign adversaries. The government spends billions of dollars on the technology

    The extensive American penetration of the North Korean system also raises questions about why the United States was not able to alert Sony as the attacks took shape last fall, even though the North had warned, as early as June, that the release of the movie “The Interview,” a crude comedy about a C.I.A. plot to assassinate the North’s leader, would be “an act of war.”

    But those attacks did not look unusual.

    In recent weeks, investigators have concluded that the hackers spent more than two months, from mid-September to mid-November, mapping Sony’s computer systems, identifying critical files and planning how to destroy computers and servers.

    “They were incredibly careful, and patient,”

    American intelligence agencies “couldn’t really understand the severity” of the destruction that was coming

    The skeptics say, however, that it would not be that difficult for hackers who wanted to appear to be North Korean to fake their whereabouts. Mr. Comey said there was other evidence he could not discuss.

    http://www.spiegel.de/media/media-35679.pdf

    Reply
  45. Tomi Engdahl says:

    AT LAST: Australia gets its very own malware
    Carberp and Cryptolocker target Aussies with local variants
    http://www.theregister.co.uk/2015/01/19/new_carberp_trojan_hits_oz/

    Australians are being targeted by a new variant of the Carberp malware under what appears to be renewed criminal interest in the antipodes.

    The modified trojan, Carberp.C, was spread through a spam operation masquerading as a payment invoice.

    Virus writers pushed the malware out a day after coding it, Symantec researcher Roberto Sponchioni said.

    “The malware authors obviously didn’t waste much time between coding up and releasing,” Sponchioni said.

    Reply
  46. Tomi Engdahl says:

    Turkey Threatens to Block Social Media Over Released Documents
    http://www.nytimes.com/2015/01/17/world/europe/turkey-threatens-to-block-social-media-over-released-documents.html

    Turkish officials threatened to shut down Twitter in the country unless the social-media company blocked the account of a left-wing newspaper that had circulated documents about a military police raid on Turkish Intelligence Agency trucks that were traveling to Syria last January.

    Networks like Twitter, Facebook and Google Plus complied with the court order on Wednesday, removing content from accounts to avert a shutdown, Turkish news outlets reported.

    Reply
  47. Tomi Engdahl says:

    Spencer Ackerman / Guardian:
    NSA academic advisory panel says there’s no potent alternative to bulk data collection for identifying new intelligence targets

    Technology offers no magic solution to bulk data collection issues, says panel
    http://www.theguardian.com/world/2015/jan/15/technology-no-magic-solution-bulk-data-collection-panel

    Advisory body says ‘technological magic’ cannot resolve security objectives and privacy concerns about phone records and details of other communications

    National Journal:
    CIA review panel exonerates CIA personnel who searched Senate Intelligence Committee computers

    CIA Review Board Clears Spy Agency of Wrongdoing in Senate Hack
    The new report contradicts earlier statements from the agency.
    http://www.nationaljournal.com/congress/cia-review-board-clears-spy-agency-of-wrongdoing-in-senate-hack-20150114

    Reply
  48. Tomi Engdahl says:

    Elizabeth Dwoskin / Wall Street Journal:
    Palantir was valued at $15B in November, making it the third most valuable VC-backed company

    Palantir, Valued at $15 Billion, Is Raising More Money
    http://blogs.wsj.com/digits/2015/01/16/palantir-raising-more-money-after-tagged-with-15-billion-valuation/

    Palantir Technologies, one of the more secretive companies in Silicon Valley, was valued at $15 billion in November and is currently raising a new round of funding, according to people familiar with the matter.

    The 11-year-old company, which sells software to the U.S. government and Wall Street to mine large amounts of data, raised a total of $500 million last year, one of the people said.

    Palantir has built a popular data-mining tool that lets government agencies such as the Central Intelligence Agency and the Federal Bureau of Investigation quickly visualize and link relationships among large amounts of data. The input could be anything – phone numbers, bank records, friend lists, photos of license plates. Palantir’s software reportedly was used by the U.S. government to track down Osama bin Laden.

    Reply
  49. Tomi Engdahl says:

    Another Lizard Arrested, Lizard Lair Hacked
    http://krebsonsecurity.com/2015/01/another-lizard-arrested-lizard-lair-hacked/

    Several media outlets are reporting that authorities in the United Kingdom early this morning arrested an 18-year-old in connection with the denial-of-service attacks on Sony Playstation and Microsoft Xbox systems over Christmas. The arrest is one of several tied to a joint U.K. and U.S. law enforcement investigation into a group calling itself the “Lizard Squad,” and comes as the group’s attack-for-hire online service was completely compromised and leaked to investigators.

    In an unrelated development, not long after this publication broke the news that the Lizard Squad’s attack infrastructure is built on a network of thousands of hacked home Internet routers, someone hacked LizardStresser[dot]su, the Web site the group uses to coordinate attacks and sell subscriptions to its attacks-for-hire service.

    A copy of the LizardStresser customer database obtained by KrebsOnSecurity shows that it attracted more than 14,241 registered users, but only a few hundred appear to have funded accounts at the service. Interestingly, all registered usernames and passwords were stored in plain text. Also, the database indicates that customers of the service deposited more than USD $11,000 worth of bitcoins to pay for attacks on thousands of Internet addresses and Web sites (including this one).

    Two other Lizard Squad members also have been rounded up by police since the initial Christmas Day attacks.

    Reply
