Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect some new NSA revelation details to be published also in 2015. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be more and more talked about. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack, and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced an IoT-related data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
Tomi Engdahl says:
3 Steps to Limit Data Breaches
http://evolutionofit.com/3-steps-to-limit-data-breaches/
Actionable
There are plenty of tools that announce when threats are happening. But for these to be useful the announcement must also suggest how to act against the intrusion.
Importance evaluation
In addition to advising about the breach, systems need to assess the severity and possible repercussions of the attack, and execute actions based on a ranking of the issue.
Automation
Cyber intrusions can happen quickly; by the time they are detected, data is being affected. Intrusion detection needs to be actionable, and that advice must trigger automated functions that counter the intrusion in addition to alerting security experts.
These three points won’t eliminate breaches but they will allow a better and more timely response.
Tomi Engdahl says:
Virginia teen pleads guilty to giving Islamic State help on bitcoin
http://www.pcworld.com/article/2935192/virginia-teen-pleads-guilty-to-giving-islamic-state-help-on-bitcoin.html
Speculation about whether the Islamic State (IS) group is using bitcoin intensified Thursday in the U.S. when government officials said a Virginia teenager admitted to providing the organization with advice on the virtual currency.
Ali Shukri Amin, 17, pleaded guilty to charges of conspiring to provide material support and resources to IS, according to a Department of Justice statement.
Amin used Twitter to advise and encourage IS and its sympathizers, including tips on how to use bitcoin to conceal sending funds to the group.
Amin tweeted a link to an article on his blog that described how bitcoin works, how it could help jihadis and how they could use DarkWallet, an anonymous platform, to send bitcoin, according to a statement of facts filed with a plea agreement in the U.S. District Court for the Eastern District of Virginia, Alexandria Division.
Assistant Attorney General for National Security John Carlin described the case as a “wake-up call” that IS recruiting efforts are reaching U.S. youth, and warned that social media is giving the group global reach.
Various news reports over the past two years have also speculated on whether IS militants are actually using or benefitting from bitcoin. U.S. officials have long cautioned that virtual currencies, while offering benefits to the financial system, can also be exploited by criminals and terrorists.
Tomi Engdahl says:
Wikipedia to go all HTTPS, all the time
Freedom and security need MOAR SERVERS, says Wikimedia Foundation
http://www.theregister.co.uk/2015/06/14/wikipedia_to_go_all_https_all_the_time/
The Wikimedia Foundation has decided the time is right to implement HTTPS on all its projects, for all users, all the time.
It’s been possible to access the Foundation’s works – notably Wikipedia – with HTTPS for a while if you’re willing to jump through some hoops. The Foundation’s decision to go all-HTTPS, all the time, was made because, the Foundation says, “Over the last few years, increasing concerns about government surveillance prompted members of the Wikimedia community to push for more broad protection through HTTPS.”
“We believe encryption makes the web stronger for everyone,” the Foundation’s post says. “In a world where mass surveillance has become a serious threat to intellectual freedom, secure connections are essential for protecting users around the world. Without encryption, governments can more easily surveil sensitive information, creating a chilling effect, and deterring participation, or in extreme cases they can isolate or discipline citizens. Accounts may also be hijacked, pages may be censored, other security flaws could expose sensitive user information and communications. Because of these circumstances, we believe that the time for HTTPS for all Wikimedia traffic is now.”
“We encourage others to join us as we move forward with this commitment.”
The post announcing the change says that the Foundation needs to do rather more than flick a switch to make the move.
“Our first steps involved improving our infrastructure and code base so we could support HTTPS. We also significantly expanded and updated our server hardware,” the Foundation writes. “Since we don’t employ third party content delivery systems, we had to manage this process for our entire infrastructure stack in-house.”
Tomi Engdahl says:
Santander To Track Customer Location Via Mobiles and Tablets
http://yro.slashdot.org/story/15/06/14/1515201/santander-to-track-customer-location-via-mobiles-and-tablets
Santander (one of the biggest banks in Europe) slipped a little note on the corner of my latest statement saying they intend to start collecting “location or other data” from mobiles and tablets that their customers own, from 1st July 2015. There is no link to further information about the policy, or any suggestion you can opt out of it. The stated aim is of course to “prevent and detect fraud”,
Santander to track customer location via mobile
http://richard.burtons.org/2015/06/14/santander-to-track-customer-location-via-mobile/
Tomi Engdahl says:
Connie Yu / The Intercept:
Government and Anthem data breaches pose indefinite threat of future harm as birthdate, full name, and SSN remain integral to identity in many systems
Data Theft Today Poses Indefinite Threat of “Future Harm”
https://firstlook.org/theintercept/2015/06/12/data-breach-threat-of-future-harm/
Benjamin Nuss was one of the nearly 80 million people whose social security number and personal information were compromised in this year’s Anthem data breach. He seems to have taken things in stride, continuing his daily routine of sharing computer time with his brother, eating healthy snacks and making crafts. Benjamin is four years old.
While it may seem trivial to think about the harm a preschooler will suffer from a data breach, the question is not what happens to him now, but what will happen years from now. Data theft poses an indefinite threat of future harm, as birthdate, full name and social security number remain a skeleton key of identity in many systems.
While data breach victims like Nuss and his adult counterparts face open-ended questions about what lies ahead, the data wars are running hot, with each week seemingly bringing news of vast new breaches, victims and potential victims gripped with anxiety, and debate raging about the vulnerability of companies and government. All the uncertainty is raising thorny legal questions.
The Supreme Court is readying to hear a case that could set new precedent on whether data breach lawsuits can be based on future harm. And, as the 2016 presidential race heats up, Republican White House contenders are pushing President Barack Obama to retaliate against China for its alleged role in hacking Anthem and federal databases.
When Anthem announced its breach in early February, government officials indicated it was the work of Chinese, state-funded hackers, possibly seeking the health records of employees at defense contractors like Northrop Grumman and federal workers. But most of the attention remained on the scale of the attacks. Last week, when the government revealed that a breach at the Office of Personnel Management (OPM) had compromised the records of 4.1 million current and former federal employees, the focus turned sharply to whether Chinese hackers were seeking U.S. intelligence targets.
UPDATE: In fact, federal officials later acknowledged that the OPM breach included what’s called a Standard Form-86, on which new hires (including military and intelligence officials) must reveal details that could make them vulnerable to blackmail or influence, including prior drug use, financial woes, and criminal convictions. The form also asks for ties to citizens of other countries; thus the hackers, if they are Chinese, would quickly be able to determine who has friends and family in their country.
Valeriano believes there’s still a gap between Chinese hackers acquiring the information and using it, particularly mining such a vast trove of data quickly.
There may be a faint silver lining in this for Joe and Jane Everycitizen. “[The hackers] are really doing this for a very specific purpose. That means the everyday citizen, the everyday employee in the Department of Transportation, they’re not really seen as the target,” Valeriano says. “They shouldn’t be worried so much.”
That said, there’s no guarantee that the “free-hand insiders” might not decide to sell information down the line, or that their own system might not be breached from without or within.
Tomi Engdahl says:
Massive Malvertising Campaign Hits Users with Angler Exploit Kit
http://www.securityweek.com/massive-malvertising-campaign-hits-users-angler-exploit-kit
Researchers with Raytheon|Websense have identified a massive malvertising campaign that has hit Web users in Europe and the U.S.
The attack is focused on users browsing several well-trafficked sites, including CNN Indonesia, the official website of Prague Airport, Detik, AASTOCKS, RTL Television Croatia and the Bejeweled Blitz game on Facebook. According to the researchers, the attack leads users to the Angler Exploit kit, which leverages a vulnerability in Adobe Flash Player (CVE-2015-3090) to infect users with the Bunitu Trojan.
Tomi Engdahl says:
US Teen Facing 15 Years in Prison for Internet Aid to IS
http://www.securityweek.com/us-teen-facing-15-years-prison-internet-aid
A tech-savvy US teen pleaded guilty in court on Thursday to using social media to aid the Islamic State group, a crime punishable by up to 15 years in prison.
Ali Shukri Amin, 17, a resident of Virginia, admitted in court to providing advice and encouragement to IS and its supporters.
“Guilty, sir,” the teen answered, when asked by the judge in the court in Alexandria, Virginia to state his plea to the charges.
With a slender build and wearing a trace of a moustache, the high school student admitted to having sent more than 7,000 Tweets in support of IS.
“Around the nation, we are seeing ISIL use social media to reach out from the other side of the world,”
“Their messages are reaching America in an attempt to radicalize, recruit and incite our youth and others to support ISIL’s violent causes,”
Tomi Engdahl says:
Five Ways to Chase Away Your Best Security Analysts
http://www.securityweek.com/five-ways-chase-away-your-best-security-analysts
One topic of conversation that surfaces quite regularly is the skills gap and critical staffing shortage present in the security field. From the data points I’ve been able to gather, this need is felt most acutely in the security operations and incident response space.
During the course of my career, I have seen organizations make mistakes that have cost them their best analysts. My hope is that this piece will help organizations identify ways in which they can improve in order to retain their best talent. Here are my thoughts on “Five Ways to Chase Away Your Best Analysts”:
1. Put a jerk or an idiot in charge: This concept is fairly universal
2. Deliver technology that doesn’t work: In the heat of an incident response, key stakeholders need answers, and they need them fast.
3. Micro-manage incident response: During an incident response, management has the best intentions and wants to do what’s best for the organization. But management may be several years removed from the operational realities and best practices of the day.
4. Value body heat over grey matter: It’s an unfortunate reality that office environments are sometimes political and require self-promotion. The best analysts are generally apolitical and spend most of their time hard at work, rather than tooting their own horn.
5. Don’t match your actions to your words: Analysts are, not surprisingly, analytical by nature. Actions speak louder than words, and analysts can see through words that are not matched by action. If your security operations program is a priority, then make it so through action. Simply speaking to it as a priority without matching that talk with action will cause your best analysts to look elsewhere for a better fit.
Security operations and incident response are already a high priority or are quickly becoming a high priority for almost every organization. There is simply not enough experienced analytical talent to meet the demands of the field.
Tomi Engdahl says:
OpenSSL Patches Logjam Bug, DoS Vulnerabilities
http://www.securityweek.com/openssl-patches-logjam-bug-dos-vulnerabilities
OpenSSL versions 1.0.2b, 1.0.1n, 1.0.0s and 0.9.8zg have been released. The latest versions of the open-source toolkit for SSL/TLS address several moderate and low severity security bugs.
An advisory published by developers shows that the recently disclosed vulnerability known as “Logjam” has been patched in OpenSSL 1.0.2b and 1.0.1n. The vulnerability (CVE-2015-4000) is similar to FREAK and it can be exploited through man-in-the-middle (MitM) attacks to downgrade TLS connections to 512-bit export-grade cryptography.
The latest updates also address a moderate severity denial-of-service (DoS) vulnerability caused by the way ECParameters structures are handled (CVE-2015-1788).
The vulnerability affects OpenSSL 1.0.2, 1.0.1, 1.0.0d and below, and 0.9.8r and below. Recent 1.0.0 and 0.9.8 versions are not impacted.
Another moderate severity DoS flaw is an out-of-bounds read in the X509_cmp_time function (CVE-2015-1789).
Tomi Engdahl says:
Security News This Week: The NSA Can’t Stop, Won’t Stop (Neither Will Israel, China, or Britain)
http://www.wired.com/2015/06/security-news-week-nsa-cant-stop-wont-stop-neither-will-israel-china-britain/
About Those NSA Restrictions Passed Last Week? Not So Fast
Reddit Bids Harassing Subreddits Adieu
Finally, the US Gov Discovers HTTPS
NSA Spying Could Cost Tech Companies Money Money Money
Britain Likes Stingrays, Too
Good and the Ugly of Catching Terrorists Using Intercepted WhatsApp Messages
No More Internet Taxes, Votes the House
Tomi Engdahl says:
Code So Sneaky You Have To Explain It
http://hackaday.com/2015/06/15/code-so-sneaky-you-have-to-explain-it/
Your mission, should you choose to accept it, is to code a program that leaks information to the user but does so in a way that can’t be discovered in a code audit. This was the challenge for the 2014 Underhanded C contest; the seventh time they’ve held the event.
Being Sneaky in C
http://www.codersnotes.com/notes/being-sneaky-in-c
Tomi Engdahl says:
Rethinking Security: Securing Activities Instead of Computers
http://it.slashdot.org/story/15/06/15/178256/rethinking-security-securing-activities-instead-of-computers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
“Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users.” But software development teams that understand what users want and what adversaries they face are very rare.
Rethinking security: Securing activities instead of computers
http://www.net-security.org/secworld.php?id=18510
For many people involved in the infosecurity community, the notion of security is too often tied to the quality of code (resistance to specific classes of bug, for example) and effective patching – in short, to low-level security.
But independent security consultant Eleanor Saitta believes that software developers and security engineers need to take a step back and look at the bigger picture.
“Security is not a property of a technical system,” she noted in her talk at the Hack in the Box conference in Amsterdam. “Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users.”
Software development teams that understand what users want and what adversaries they face are very rare, she noted. And security engineers forgot – or misunderstood – what their job is: not securing computers, but securing activities that lead to the realization of greater goals.
“We forgot that our job was really to stop bad things from happening to good people,”
Security tools should be created with users’ needs in mind. We shouldn’t work on assumptions or go by intuition – we should set aside our egos, and consult with the end users – learn about their goals and adversaries.
So, how do we go about doing that? The answer is: in an organized manner – with threat modeling, adversary modeling, and operational planning.
“A threat model is a formal, complete, human-readable model of the human activities and priorities and of the security-relevant features of in-scope portions of a system,”
Tomi Engdahl says:
Joe Siegrist / The LastPass Blog:
LastPass warns it was hacked, says secure vault storing user passwords was not accessed, but account email addresses, password reminders, more were compromised
LastPass Security Notice
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
Alternative password keeper:
KeePass Password Safe
http://keepass.info/
This is the official website of KeePass, the free, open source, light-weight and easy-to-use password manager.
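An added example (my own code, not LastPass’s or the page’s) of the kind of verifier design the notice refers to: the client sends a login hash rather than the master password, and the server stores only a slow hash of that login hash under a random per-user salt, so a dump of "server per user salts and authentication hashes" still costs an attacker one full derivation per guess per user and cannot be attacked with a shared table. The two-stage derivation, the round counts and the use of the e-mail address as the client-side salt are assumptions for illustration, not any vendor’s actual scheme.

```python
"""Password verifier storage with per-user server salts and a slow hash.

Assumed design for illustration (not LastPass's implementation):
  client: vault_key  = PBKDF2(master_password, salt=email, CLIENT_ROUNDS)
          login_hash = PBKDF2(vault_key, salt=master_password, 1 round)
  server: auth_hash  = PBKDF2(login_hash, salt=random per-user, SERVER_ROUNDS)
The server never sees the master password or the vault key.
"""
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # assumed client-side PBKDF2 cost
SERVER_ROUNDS = 100_000  # assumed server-side PBKDF2 cost


def client_login_hash(email: str, master_password: str) -> bytes:
    """Deterministic value the client sends at login instead of the password.

    Using the e-mail address as salt keeps the vault key unique per account;
    the extra single round over the vault key means the login hash cannot be
    used to decrypt the vault even if it is captured.
    """
    pw = master_password.encode("utf-8")
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, email.lower().encode("utf-8"),
                                    CLIENT_ROUNDS)
    return hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1)


def register(email: str, master_password: str) -> dict:
    """Create the server-side record: random per-user salt plus slow hash.

    Two users with the same master password get different auth hashes, and
    the same user re-registering gets a fresh salt, so no precomputed table
    of login hashes applies across accounts.
    """
    server_salt = os.urandom(16)
    login_hash = client_login_hash(email, master_password)
    auth_hash = hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, SERVER_ROUNDS)
    return {"email": email, "server_salt": server_salt, "auth_hash": auth_hash}


def verify(record: dict, master_password: str) -> bool:
    """Server-side check of a login attempt.

    Recomputes the full client + server derivation, which is exactly the work
    an attacker holding the dumped record must repeat for every guess.
    compare_digest keeps the comparison constant-time.
    """
    login_hash = client_login_hash(record["email"], master_password)
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["server_salt"],
                                    SERVER_ROUNDS)
    return hmac.compare_digest(candidate, record["auth_hash"])


def records_share_hash(rec_a: dict, rec_b: dict) -> bool:
    """True if two stored records could be cracked with one shared guess table."""
    return rec_a["auth_hash"] == rec_b["auth_hash"]


if __name__ == "__main__":
    # Constructed sample accounts, not real users.
    alice = register("alice@example.test", "correct horse battery staple")
    bob = register("bob@example.test", "correct horse battery staple")
    print("alice ok:", verify(alice, "correct horse battery staple"))
    print("alice wrong:", verify(alice, "Tr0ub4dor&3"))
    print("same password, shared hash:", records_share_hash(alice, bob))
```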
Tomi Engdahl says:
Natasha Singer / New York Times:
Privacy groups opt out of US talks on face recognition, say they can’t achieve minimum rights for consumers
Consumer Groups Back Out of Federal Talks on Face Recognition
http://bits.blogs.nytimes.com/2015/06/16/consumer-groups-back-out-of-federal-talks-on-face-recognition/
A central component of President Obama’s effort to give consumers more control over how companies collect and share their most sensitive personal details has run aground.
Nine civil liberties and consumer advocate groups announced early Tuesday morning that they were withdrawing from talks with trade associations over how to write guidelines for the fair commercial use of face recognition technology for consumers.
“At a base minimum, people should be able to walk down a public street without fear that companies they’ve never heard of are tracking their every movement — and identifying them by name — using facial recognition technology,” the privacy and consumer groups said in a statement. “Unfortunately, we have been unable to obtain agreement even with that basic, specific premise.”
Juliana Gruenwald, an N.T.I.A. spokeswoman, said the telecommunications agency was disappointed that some participants had pulled out of the face recognition discussions.
With or without the consumer advocates, the participants intend to continue trying to develop a workable code of conduct for facial recognition privacy, said Carl Szabo, policy counsel for NetChoice, an e-commerce trade association.
Face recognition is a subset of biometrics, a technology that involves recording and analyzing people’s unique physiological characteristics, like their fingerprint ridges or facial features, to learn or confirm their identities. Face recognition technology works by scanning a photo or video still of an unknown face and comparing its unique topography against a facial-scan database of people whose names are already known.
Because the technology can be used covertly, civil liberties advocates say its popularization has the potential to undermine people’s ability to conduct their personal business anonymously in stores, hotels and other public spaces. That is one reason that Texas and Illinois have passed state laws requiring companies to notify people and obtain their permission before taking facial scans or sharing their biometric information.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Kaspersky says Duqu 2.0 malware used stolen Foxconn certificates to penetrate its network, tap Iranian talks
Stuxnet spawn infected Kaspersky using stolen Foxconn digital certificates
Duqu 2.0 targeted Iranian nuke talks, may have cache of valid code certificates.
http://arstechnica.com/security/2015/06/stuxnet-spawn-infected-kaspersky-using-stolen-foxconn-digital-certificates/
Some of the malware that infected the corporate network of antivirus provider Kaspersky Lab concealed itself using digital certificates belonging to Foxconn, the electronics manufacturing giant and maker of the iPhone, Xbox, and other well-known products.
Cryptographically generated credentials are required to install drivers on newer, 64-bit versions of Windows. Foxconn used one such certificate when installing several legitimate drivers on Dell laptop computers in 2013. Somehow, the attackers who infected the Kaspersky Lab network appropriated the digital seal and used it to sign their own malicious drivers. As Ars explained last week, the drivers were the sole part of the entire Duqu 2.0 malware platform that resided on local hard drives. These drivers were on Kaspersky firewalls, gateways, or other servers that had direct Internet access and were used to surreptitiously marshal sensitive information in and out of the Kaspersky network.
Not the first time
The Foxconn certificate is the third one used to sign malware that has been linked to the same advanced persistent threat (APT) attackers. The Stuxnet malware, which reportedly was developed by the US and Israel to sabotage Iran’s nuclear program, used a digital certificate from Realtek, a hardware manufacturer in the Asia Pacific region. A second driver from Jmicron, another hardware maker in the Asia Pacific, was used several years ago to sign Stuxnet-related malware developed by some of the same engineers. Like the previous two certificates, the one belonging to Foxconn had never been found signing any other malicious software.
Kaspersky researchers took that exclusivity to mean that the Duqu 2.0 attackers obtained the certificates by hacking or otherwise penetrating the hardware manufacturers and holding the certificates solely for a single dedicated purpose. The researchers also speculate that the developers behind Duqu and Stuxnet have a reliable supply of additional valid certificates to meet the needs of any future malware platforms.
“The fact that they have this ability and don’t reuse their certificates like other APT groups means they probably [used them only for targeted attacks],”
As Ars explained last week, Duqu 2.0 was a fully revamped version of the original Duqu malware, which was discovered in 2011 and had digital DNA from Stuxnet. Virtually all of the 18 megabytes of the new malware ran entirely in computer memory, making infections extremely hard to detect. The only exceptions were a few drivers that were installed on firewalls and other machines that had both direct Internet access to the outside and unfettered access inside the targeted corporate network.
In addition to infecting Kaspersky Lab, Duqu 2.0 also targeted the diplomatic talks the US and five other world powers held with Iran over its nuclear program. The same malware spied on people participating in the 70th anniversary of the liberation of the Auschwitz-Birkenau extermination camp.
Tomi Engdahl says:
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
“Equation Group” ran the most advanced hacking operation ever uncovered.
http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/
CANCUN, Mexico — In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn’t know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.
It wasn’t the first time the operators—dubbed the “Equation Group” by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group’s extensive library. (Kaspersky settled on the name Equation Group because of members’ strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)
Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.
Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.
“It seems to me Equation Group are the ones with the coolest toys,” Costin Raiu, director of Kaspersky Lab’s global research and analysis team, told Ars. “Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”
Tomi Engdahl says:
Cops turn Download Festival into an ORWELLIAN SPY PARADISE
Face recog tech, RFID tracking – gotta love Donington Park
http://www.theregister.co.uk/2015/06/11/download_festival_big_brother_playground_leicestershire_police/?page=2
Access denied – you ain’t got your RFID dogtag, man
In addition to police surveillance, Download Festival will be “the first major UK festival to use RFID technology for full cashless payment and access control”.
Download’s “customers” will be issued with an RFID festival wristband on arrival which will determine what areas of Donington Park they have access to, and will also function as an electronic payment system, linked to specifically set-up customer accounts through which “customers” will have to pay for food, drinks and merchandise.
“Every single person on site, including staff, children, RIP and VIP customers will need a dog tag to get around the festival,” according to the FAQ section of the site. “The only way to get around the festival and pay for stuff is to use this system. It’s not possible to opt out of this.”
Download’s privacy policy acknowledged that it will collect your information through the use of the cashless payment wristbands and will, typically, share that information with other companies, who will collaborate to establish your interests, purchases and household type to aid in profiling you for advertising purposes.
The FAQ also asked whether your “movement[s] can be tracked with RFID technology?” “No, it can’t” cometh the answer: “Your dog tag will not be equipped with GPS technology and therefore it will be impossible to track your movements.”
Tomi Engdahl says:
LastPass Hacked, Change Your Master Password Now
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571?utm_campaign=socialflow_lifehacker_facebook&utm_source=lifehacker_facebook&utm_medium=socialflow
Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked. It’s time to change your master password. The good news is, the passwords you have saved for other sites should be safe.
LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.
Tomi Engdahl says:
Bing to encrypt search traffic by default
This HTTPS thing is catching on
http://www.theregister.co.uk/2015/06/16/bing_encryption/
Microsoft product manager Duane Forrester says it will encrypt all Bing search traffic later this year.
Forrester says the move follows Cupertino’s 2014 decision to allow users to opt-in to HTTPS for web searches.
“Beginning this (Northern hemisphere) summer, we will begin the process of encrypting search traffic by default,” Forrester blogged.
“This means that traffic originating from Bing will increasingly come from https as opposed to http.”
Microsoft will also drop query search terms from referrer strings in a bid to further shore up privacy.
The HTTPS move brings Microsoft up to speed with Google which began encrypting search traffic in 2011 making it compulsory in 2013, and Yahoo! which deployed HTTPS for its search in 2014.
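The Bing item above says search traffic moves to HTTPS and search terms are dropped from referrer strings. The example below is added here and is not Bing's or Microsoft's code; it models how the Referer header sent on a click from a results page depends on the site's Referrer-Policy, using the standard policy semantics (no Referer on an HTTPS-to-HTTP downgrade, origin only on cross-origin navigation under the stricter policies). The results URL and destinations are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def _host_port(parts) -> str:
    """Host plus explicit port, with any userinfo dropped."""
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def origin_of(url: str) -> str:
    """Origin-only referrer: scheme, host and port, nothing from the path or query."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def full_referer(url: str) -> str:
    """Full referrer: the URL without fragment or credentials (query string included)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def referer_for(source: str, destination: str, policy: str) -> Optional[str]:
    """Referer value a browser sends when navigating from source to destination
    under the named Referrer-Policy; None means no Referer header at all."""
    src, dst = urlsplit(source), urlsplit(destination)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    same_origin = (src.scheme, _host_port(src)) == (dst.scheme, _host_port(dst))
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin_of(source)
    if policy == "no-referrer-when-downgrade":
        # The pre-policy browser default: full URL unless HTTPS drops to HTTP.
        return None if downgrade else full_referer(source)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_referer(source) if same_origin else origin_of(source)
    raise ValueError(f"unsupported policy: {policy}")


# Constructed sample: a results page whose query string holds the search terms.
RESULTS_URL = "https://www.bing.com/search?q=private+medical+question"
```

Under the old default a click to an HTTPS site leaks the whole query string; an origin-only policy keeps the search terms on the search engine's side, and the HTTPS-to-HTTP downgrade case sends nothing at all, which is why plain-HTTP sites stopped seeing search terms once the large engines moved to HTTPS.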
Tomi Engdahl says:
Lack of encryption leaves LG and Samsung smartwatch data open to hackers
Researchers easily pull sensitive information from Android- and Tizen-powered wearables
http://www.theinquirer.net/inquirer/news/2413087/lack-of-encryption-leaves-lg-and-samsung-smartwatch-data-open-to-hackers
RESEARCHERS HAVE REVEALED that personal data can be easily swiped from the LG G Watch and Samsung Gear 2 as neither device encrypts user data.
The researchers from the University of New Haven said that hackers could easily extract data, including contacts, messages and health information, from the Tizen-powered Samsung Gear 2 and Android Wear-equipped LG G Watch.
Ibrahim Baggili, of the University of New Haven’s Cyber Forensics Research and Education Group, said: “It was not very difficult to get the data, but expertise and research was required.”
Tomi Engdahl says:
Beyond the USA Freedom Act: How U.S. Surveillance Still Subverts U.S. Competitiveness
http://www2.itif.org/2015-beyond-usa-freedom-act.pdf?_ga=1.114044933.369159037.1433787396
Tomi Engdahl says:
Download festival gets heavy with its punters
http://www.theguardian.com/commentisfree/2015/jun/12/download-festival-heavy-punters-the-man-police
Festivals are meant to be respite from The Man – but knowing you’re being matched with a police database could put a damper on the weekend
This temporary respite is what festivals were invented to provide. Particularly this weekend’s Download, historically known for a convivial atmosphere, little in the way of drugs or violence and an abundance of friendly people-of-a-certain-age in wraparound shades called Lizzie and Gaz. But no. Not this year. In 2015, The Man has chosen to pitch his tent firmly at Download, and he’s brought a couple of fairly alarming security measures with him.
“Strategically placed cameras will scan faces at the Download festival site in Donington before comparing [them] with a database of custody images from across Europe,” the Police Oracle reported, perturbingly, on Monday. Seeking clarification, the Register filed a freedom of information request with Leicestershire police, who explained the database is “a stand-alone database of legally held custody photographs drawn together with partners in Europol”.
So, you’ll be papped. Your sweaty mug is then compared to other mugs in a mainframe. And if it pings, meaning you’re a wanted person of some dastardly kind, you’re finished. If you’re not a criminal then be on your best behaviour anyway – they are always watching.
The whole thing is bizarre. But, in keeping with the spirit of 2015, it gets worse. This year’s Download is also using RFID dogtags, an electronic and compulsory ID and payment system which will be used to gain access to stage areas and to purchase all food, drink and goods. The festival’s privacy policy suggests that data may be passed on to targeted marketing companies. The wristbands also presumably mean it will be possible to track your movements across the festival by checking your purchase history. In conjunction with the cameras, the only time you’ll actually be off the grid is during that spiritually devastating loo trip on Sunday morning. This is your brief moment of solitude. And it’s definitely no way to enjoy a festival.
Tomi Engdahl says:
Hacks To Be Truly Paranoid About
http://it.slashdot.org/story/15/06/15/1943247/hacks-to-be-truly-paranoid-about
Nothing is safe, thanks to the select few hacks that push the limits of what we thought possible, InfoWorld’s Roger Grimes writes in this roundup of hacks that could make even the most sane among us a little bit paranoid. “These extreme hacks rise above the unending morass of everyday, humdrum hacks because of what they target or because they employ previously unknown, unused, or advanced methods.”
Be paranoid: 10 terrifying extreme hacks
http://www.infoworld.com/article/2933868/hacking/10-extreme-hacks-to-be-truly-paranoid-about.html
Nothing is safe, thanks to the select few hacks that push the limits of what we thought possible
Extreme hack No. 1: ATM hacking
Most automated teller machines (ATMs) contain a computer that runs a popular OS, so it should come as no shock that they can be hacked. For the most part, this means Microsoft Windows, with a smaller percentage running some version of Linux.
Barnaby Jack’s ATM exploits caught the attention of ATM manufacturers, inspiring them to set about defeating his easiest attacks.
Extreme hack No. 2: Shocking pacemakers
Jack then turned his skills toward medical devices. His most extreme demonstrations included being able to send unauthorized, lethal shocks to pacemaker patients from a remote location and lethal doses of insulin to diabetic patients.
Most medical devices undergo five to 10 years of development, testing, and certification approval before they can be used on human patients. Unfortunately, this means that any software used in the devices has five or more years of unpatched vulnerabilities by the time they ship. Worse, developers of medical devices often rely on the relative obscurity of their devices as a means of providing some sort of artificial protection — aka “security by obscurity.”
The situation isn’t getting better.
Extreme hack No. 3: Card skimming
Less morbid are card skimmers, which can, however, mess up your financial life. The hack is relatively simple: The hacker places a device called a skimmer on another device, such as an ATM, gas pump, or payment terminal, to capture your debit or credit card information and your PIN number, if typed in.
Extreme hack No. 4: Wireless card hacking
If your credit or debit card contains an RFID “contactless” payment mechanism, such as MasterCard PayPass or American Express ExpressPay, its information can likely be read by a hacker who walks by your wallet or purse. This is because any nonprotected RFID device can be hacked, including RFID-enabled passports, building access cards, and product tracking stickers.
Extreme hack No. 5: BadUSB
Last year, researchers demonstrated that about half of the USB ports installed on computers can be compromised by a maliciously configured USB device. Simply plug in a USB thumb drive to an unsuspecting computer, and it will automatically execute any commands configured, bypassing any security controls, firewalls, or antimalware software you have activated.
Extreme hack No. 6: Stuxnet
Which brings us to the world’s most advanced cyber war attack to date: Stuxnet. Easily the most advanced and flawless malware program ever written, Stuxnet did not use BadUSB, but it spread via USB keys and a previously publicly unknown USB execution method, along with three other zero-day attacks.
Extreme hack No. 7: Road sign hacks
Hacking electronic road signs — aka portable changeable message signs — is illegal and can get you in serious trouble. But it’s hard not to crack a smile at a good “Caution! Zombies! Ahead!!!” road sign hack on an otherwise unused sign that does not create a dangerous situation.
Extreme hack No. 8: The NSA’s order book
Anyone who has been paying attention to revelations from former NSA employee Edward Snowden knows the NSA has what is essentially an “order book” for ordering advanced hacks and advanced hacking devices. This book is nearly the definition of extreme hacking.
After reading what the NSA can order, it should be quite clear that the NSA (and any other nation-state entity) can pretty much spy on whatever device it wants, and there is little we can do about it — as long as it remains legal and the agency can gain access.
Extreme hack No. 9: Cryptographic attacks
remotely monitor a device’s radio frequency or electromagnetic radiation emissions and tell you the 1s and 0s that made up its secret key
Extreme hack No. 10: Car hacking
Car manufacturers are racing to put as much computing functionality as possible in their cars, and it should come as no surprise that these same computers are incredibly vulnerable to attack. Early on hackers learned how to unlock cars using their wireless remote key fobs and to prevent car owners from locking their cars despite thinking they have.
Think about that the next time you’re at a dealership, tempted by the model with the best Wi-Fi.
Tomi Engdahl says:
Malware Attacks Give Criminals 1,425% Return On Investment
http://it.slashdot.org/story/15/06/16/0317220/malware-attacks-give-criminals-1425-return-on-investment
Trustwave released a new report which reveals the top cybercrime, data breach and security threat trends. According to their findings, attackers receive an estimated 1,425 percent return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment).
Malware attacks give criminals 1,425% return on investment
http://www.net-security.org/malware_news.php?id=3057
Trustwave released a new report which reveals the top cybercrime, data breach and security threat trends from 2014. They gathered the data from 574 breach investigations.
Return on investment: Attackers receive an estimated 1,425 percent return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment).
Weak application security: 98 percent of applications tested by Trustwave in 2014 had at least one vulnerability.
The password problem: “Password1” was still the most commonly used password. 39 percent of passwords were eight characters long.
Who criminals target: Retail was the most compromised industry making up 43 percent of Trustwave’s investigations followed by food and beverage (13 percent) and hospitality (12 percent).
Top assets compromised: 42 percent of investigations were of e-commerce breaches. Forty percent were of point-of-sale (POS) breaches.
Lack of self-detection: The majority of victims, 81 percent, did not detect breaches themselves. The report reveals that self-detection leads to quicker containment of a breach. In 2014, for self-detected breaches, a median of 14.5 days elapsed from intrusion to containment. For breaches detected by an external party, a median of 154 days elapsed from intrusion to containment.
How criminals break in: Weak remote access security and weak passwords tied as the vulnerability most exploited by criminals in 2014. Weak remote access security or weak passwords contributed to 94 percent of POS breaches.
Spam on the decline: Spam volume continues to decrease, making up 60 percent of total inbound mail.
“After digesting the core of the report it is clear that something needs to change. The clear definition of the insanity in cyber today is that we continue to protect sensitive data the same way over and over again and expect a different result. I do not think there to be any doubt that current methods are simply not good enough and something needs to change.”
Tomi Engdahl says:
Android malware hijacks power button, empties wallet while you sleep
Engineer’s reset recommended
http://www.theregister.co.uk/2015/02/19/android_malware_hijacks_power_button_to_steal_while_you_sleep/
Security biz AVG has spotted an outbreak of a new kind of Android malware that will come alive even when the phone is supposedly switched off. The software nasty is able to do this by hijacking the mobe’s power-off sequence.
“After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on,” said the firm’s mobile security team in an advisory.
“While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user.”
Once the malware is installed by the user – it’s typically bundled within an innocent-looking app, but AVG isn’t naming names – it asks for root-level permissions and injects code into the operating system’s system server.
Don’t panic, though. So far the outbreak is small and localized.
Tomi Engdahl says:
Hackers serve password manager LastPass a slice of irony
Firm advises users to change their master passwords
http://www.theinquirer.net/inquirer/news/2413275/hackers-serve-password-manager-lastpass-a-slice-of-irony
PASSWORD MANAGEMENT SERVICE LastPass has advised users to change their passwords (lol) after hackers infiltrated its network.
LastPass is, ironically, a service that helps users keep their many passwords secure. The firm admitted on Monday that it discovered some suspicious activity on its network last week, which led to the discovery that some users’ email addresses, password reminders and authentication hashes were compromised.
However, the firm noted that no encrypted data was taken during the attack.
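Both LastPass items above (the Lifehacker post and this one) say the intruders took e-mail addresses, per-user salts and authentication hashes but not the encrypted vaults, and that users should change their master password. The example below is added here and is not LastPass's code or scheme; it shows, with PBKDF2-HMAC-SHA256 and parameters chosen for illustration, what a salted authentication-hash record is, how a server verifies a login against it without ever storing the password, why a per-user salt stops two accounts with the same password from sharing a hash, and why a leaked record still lets whoever holds it test guesses offline at the full work factor. The account names and wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, Iterable, Optional

# Work-factor parameters for this illustration (assumptions, not LastPass's settings).
HASH_NAME = "sha256"
ITERATIONS = 100_000
KEY_LEN = 32


def make_auth_record(email: str, master_password: str,
                     salt: Optional[bytes] = None) -> Dict[str, Any]:
    """Build the server-side login record for one account.

    The server keeps the e-mail, a random per-user salt and the PBKDF2 output
    (the "authentication hash"); it never stores the master password itself.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    auth_hash = hashlib.pbkdf2_hmac(HASH_NAME, master_password.encode("utf-8"),
                                    salt, ITERATIONS, KEY_LEN)
    return {"email": email, "salt": salt, "iterations": ITERATIONS,
            "auth_hash": auth_hash}


def verify_login(record: Dict[str, Any], candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"),
                                  record["salt"], record["iterations"], KEY_LEN)
    return hmac.compare_digest(derived, record["auth_hash"])


def salts_prevent_shared_hashes(password: str) -> bool:
    """Two accounts with the same master password must not end up with the same hash,
    so a hash cracked for one account says nothing about the other."""
    a = make_auth_record("alice@example.com", password)  # constructed sample accounts
    b = make_auth_record("bob@example.com", password)
    return a["auth_hash"] != b["auth_hash"]


def offline_guess(record: Dict[str, Any], wordlist: Iterable[str]) -> Optional[str]:
    """What a leaked (salt, iterations, hash) record permits: testing guesses offline.

    Each guess costs the full PBKDF2 work factor and the salt is unique to the
    account, so precomputed tables do not help; a weak master password is still
    recoverable, which is why the advice after the breach was to change it.
    """
    for guess in wordlist:
        if verify_login(record, guess):
            return guess
    return None
```

The defender's levers are visible in the code: the iteration count sets the cost of every offline guess, the salt keeps guesses from being amortised across accounts, and the constant-time comparison keeps the online check from leaking anything through timing. None of them rescues a master password that appears in a short wordlist.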
Tomi Engdahl says:
Damn the Equities, Sell Your Zero-Days to the Navy!
https://www.eff.org/deeplinks/2015/06/damn-equities-sell-your-zero-days-navy
Noted eagle eye and EFF Investigative Researcher Dave Maass happened on an interesting item from earlier this week on FedBizOpps, the site for government agencies to post contracting opportunities. The Navy put up a solicitation explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”
The fact that the United States government is looking for vendors to sell it software vulnerabilities isn’t news—we’ve known for some time that the government uses software vulnerabilities, sometimes known as zero-days, for offensive intelligence-gathering and espionage.
What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities. As we’ve explained before, the decision to use a vulnerability for “offensive” purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users. To its credit, the government has acknowledged that this decision is an extraordinarily important one in every case.
Tomi Engdahl says:
Insecure radio links and the end of Moore’s Law discussed at DAC 2015
http://www.edn.com/electronics-blogs/benchtalk/4439670/Insecure-radio-links-and-the-end-of-Moore-s-Law-discussed-at-DAC-2015?_mc=NL_EDN_EDT_EDN_today_20150616&cid=NL_EDN_EDT_EDN_today_20150616&elq=9ebbdd84e2f44b8595dccd06965132df&elqCampaignId=23462&elqaid=26475&elqat=1&elqTrackId=860123c9a6bf418cacd9dfbb76f58490
Crying wolf
Are you concerned about all the insecure radio links out there? The DAC panel “The Researcher Who Cried Wolf” featured several speakers who presented some simultaneously entertaining and troubling stories about security problems of various sorts.
The first speaker, a self-described SDR (software-defined radio) evangelist, talked about all the open radio protocols out there, focusing on aircraft systems. He’d created some impressive animations of aircraft operations over both large geographic areas, and right down to simulated views out the windshield of aircraft at a nearby airport. He also showed demos of restaurant pager hacking and decoding of items like toll transponders and keyless entry. Fortunately, the talk was mostly of a cautionary nature. Use as much security as your app demands.
The second speaker, from TrapX Labs, covered IoT and related attacks. With even electric toothbrushes available that connect to your network, one realizes that the number of potential attack vectors is only going to keep increasing. He also pointed out the need to expect the unexpected, such as malware planted in a barcode reader! Malware has also been found in medical equipment like analyzers and image archive systems running older OSes. Finally, the Nest thermostat was discussed. Well designed from a security standpoint, it was still possible to plant modified units on store shelves which would allow access into the purchaser’s network.
Next, the seemingly unlikely scenario of hardware trojans was discussed: the concept of modifying actual IC circuitry somewhere in the production process. The most undetectable scenario is changing doping of selected transistors to force various states and behaviours, the trick of course being it must be undetectable during test. A good example was that of a random number generator used for encryption
Tomi Engdahl says:
European Court: Websites Are Responsible For Users’ Comments
http://yro.slashdot.org/story/15/06/17/0220211/european-court-websites-are-responsible-for-users-comments
A new ruling from the European Court of Human Rights found it perfectly acceptable to hold websites responsible for comments left by users. Experts are worried the ruling will encourage websites to censor content posted by users out of concern that they’re opening themselves up to legal liability. The judgment also seems to support the claim that “proactive monitoring” can be required of website owners.
Shock European court decision: Websites are liable for users’ comments
The ruling is likely to be influential on EU courts’ thinking in future.
http://arstechnica.co.uk/tech-policy/2015/06/shock-european-court-decision-websites-are-liable-for-users-comments/
In a surprise decision, the European Court of Human Rights (ECHR) in Strasbourg has ruled that the Estonian news site Delfi may be held responsible for anonymous and allegedly defamatory comments from its readers. As the digital rights organisation Access notes, this goes against the European Union’s e-commerce directive, which “guarantees liability protection for intermediaries that implement notice-and-takedown mechanisms on third-party comments.” As such, Peter Micek, Senior Policy Counsel at Access, says the ECHR judgment has “dramatically shifted the internet away from the free expression and privacy protections that created the internet as we know it.”
A post from the Media Legal Defence Initiative summarises the reasons why the court came to this unexpected decision. The ECHR cited “the ‘extreme’ nature of the comments which the court considered to amount to hate speech, the fact that they were published on a professionally-run and commercial news website,” as well as the “insufficient measures taken by Delfi to weed out the comments in question and the low likelihood of a prosecution of the users who posted the comments,” and the moderate sanction imposed on Delfi.
Tomi Engdahl says:
Sunday Times Issues DMCA Takedown Notice To the Intercept Over Snowden Article
http://news.slashdot.org/story/15/06/16/228209/sunday-times-issues-dmca-takedown-notice-to-the-intercept-over-snowden-article
On Sunday, British newspaper The Sunday Times published an article citing anonymous UK government sources claiming that the cache of documents taken by Edward Snowden was successfully decrypted by the Russians and Chinese. Shortly thereafter, Glenn Greenwald at The Intercept published scathing criticism of the article. In Greenwald’s article, he included a photograph of the newspaper’s front page, where the story was featured.
U.K. newspaper tries to silence Glenn Greenwald criticism with copyright claim
http://www.dailydot.com/politics/snowden-sunday-times-dmca-takedown/
Accused of publishing government propaganda against NSA whistleblower Edward Snowden, the Sunday Times is using copyright to hit back at its strongest critic.
In a paywalled feature published Sunday, titled “British spies betrayed to Russians and Chinese,” three authors, citing anonymous government sources, claim that “Russia and China have cracked the top-secret cache of files stolen by the fugitive U.S. whistleblower Edward Snowden.” In turn, the Times’s sources say, the U.K. had to relocate special agents around the world who were allegedly in harm’s way.
In an extremely critical takedown post, The Intercept’s Glenn Greenwald, the journalist Snowden first met with after fleeing the U.S., denied many of the details in the Times story.
Greenwald’s post also includes a screengrab of the Times’s layout—and that’s what the Times used to pounce on their high-profile critic. In a legal notice sent Monday, the paper cites the Digital Millennium Copyright Act (DMCA) and claims the Intercept is violating the Times’s copyright of “the typographical arrangement of the front page.”
“If Greenwald were selling a book of Great Covers of the Sunday Times, they’d have a case,” Parker Higgins, an activist at the Electronic Frontier Foundation who specializes in intellectual property, told the Daily Dot. “But this is grasping at straws and attempting to use the strictest takedown law available—copyright—just to silence criticism.”
There’s a long history of people accused of using online copyright law to censor critics
Tomi Engdahl says:
Pirate Bay’s Gottfrid Svartholm Loses Hacking Appeal
By Andy on June 17, 2015
https://torrentfreak.com/pirate-bays-gottfrid-svartholm-loses-hacking-appeal-150617/
Following the largest case of its type in Denmark, in October 2014 Gottfrid Svartholm was found guilty of hacking IT company CSC. The Pirate Bay founder immediately appealed but after a technically complex hearing a jury at the High Court today unanimously upheld the decision of the lower court.
The Pirate Bay founder and a 21-year-old co-defendant stood accused of hacking computer mainframes operated by US IT giant CSC. It was billed as the largest case of its kind ever seen in the Scandinavian country.
Right from the outset Gottfrid’s position was that his computer, from where the hacking had taken place, had been compromised by outside attackers. Respected security expert Jacob Appelbaum gave evidence for the defense in support of this theory. However, the court was not convinced.
Dismissing the “remote control” defense, Judge Ulla Otken described the hacking of CSC as both “systematic and comprehensive.” Three judges and four of six jurors returned guilty verdicts in 2014 and Gottfrid was sentenced to 3.5 years in prison.
Never one to give up, Gottfrid immediately filed an appeal and this month his case came before the Eastern High Court.
Writing earlier this week for Version2.dk, Elías Lundström reported that even as an IT journalist he had difficulty in following the evidence, a sentiment shared by Gottfrid’s mother.
“I also have trouble understanding it – how should any of the jurors be able to follow the evidence?” Kristina Svartholm said.
Gottfrid’s lawyer Luise Høj also underlined the difficulty in dealing fairly with such a complex case.
“I think overall that progress continues to be characterized by the fact that we all lack the technical knowledge to deal with this matter, and it characterizes the whole process,” she said.
Addressing the “remote access” defense, the High Court ruling notes that it would be unlikely that Gottfrid’s computer could be accessed without him noticing it. Furthermore, the Court found it unusual that the Swede refused to assist police in getting to the bottom of the crime.
Tomi Engdahl says:
Information-Stealing Malware “Stegoloader” Hides in Image File
http://www.securityweek.com/information-stealing-malware-%E2%80%9Cstegoloader%E2%80%9D-hides-image-file
Researchers at Dell SecureWorks have analyzed Stegoloader, a stealthy piece of malware designed to steal information from infected systems.
Stegoloader, detected as Win32/Gatak.DR by Microsoft and TSPY_GATAK.GTK by Trend Micro, has been around since at least late 2013. The malware’s modular design allows cybercriminals to carry out various tasks while making it difficult for researchers to analyze the threat.
According to experts in the Dell SecureWorks Counter Threat Unit, Stegoloader attacks start with a deployment module that’s responsible for downloading and launching the malware’s main module on infected systems.
Before downloading the main component, the deployment module checks for the presence of an analysis environment by monitoring mouse movements. If the mouse cursor doesn’t change its position, or if it changes its position constantly, the malicious application is terminated.
The deployment module also lists running processes to see if popular analysis and security tools such as Wireshark, Fiddler, Sandboxie, InCtrl5, and OllyDBG are running. If a process associated with one of the targeted tools is detected, the malware is terminated.
A method used by the malware authors to slow down static analysis involves the dynamic construction of strings in the binary. This makes detection and analysis more difficult compared to malware that stores strings inside its body in clear text.
Once it ensures that it’s not being analyzed, the deployment module accesses a hardcoded URL to download a Portable Network Graphics (PNG) image file hosted on a legitimate website. This harmless-looking image file contains the main Stegoloader module.
“After downloading the image, Stegoloader uses the gdiplus library to decompress the image, access each pixel, and extract the least significant bit from the color of each pixel. The extracted data stream is decrypted using the RC4 algorithm and a hard-coded key,” researchers explained in a blog post.
Hiding malware in images is not unheard of. The technique, known as digital steganography, has also been used by threats such as the Lurk downloader and the Neverquest Trojan.
Stegoloader is difficult to detect using traditional signature-based analysis because the PNG image and the decrypted code are not saved to the disk. The malware’s main module resides in a memory area specially allocated for this purpose.
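As an added example (not code from the article or from Dell SecureWorks), here is an analyst-side reconstruction of the unpacking step quoted above, run on a constructed pixel array: take the least significant bit of every colour channel, pack the bits into a byte stream, and RC4-decrypt it with a hard-coded key. Three channels per pixel, MSB-first bit packing, the 4-byte length prefix and the key are my assumptions; the real Stegoloader framing and key are not given on the page.

```python
# Added example: reproduces the LSB-extraction + RC4 unpacking described in the
# report on a constructed carrier. Not the malware's or the researchers' code.
# Assumptions (mine): RGB pixels, bits packed MSB-first, and a 4-byte
# little-endian length prefix in front of the RC4 ciphertext.
import random
import struct
from typing import List, Tuple

Pixel = Tuple[int, int, int]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_lsb_stream(pixels: List[Pixel]) -> bytes:
    """Collect the LSB of each channel of each pixel and pack them 8 per byte."""
    bits = [channel & 1 for px in pixels for channel in px]
    out = bytearray()
    for k in range(0, len(bits) - (len(bits) % 8), 8):
        value = 0
        for bit in bits[k:k + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def recover_module(pixels: List[Pixel], key: bytes) -> bytes:
    """Unpacking as an analyst would replay it: LSB stream -> framed ciphertext -> RC4."""
    stream = extract_lsb_stream(pixels)
    if len(stream) < 4:
        raise ValueError("image too small to carry a length header")
    (length,) = struct.unpack("<I", stream[:4])
    if length > len(stream) - 4:
        raise ValueError("length header exceeds the LSB capacity of the image")
    return rc4(key, stream[4:4 + length])


# --- constructed test input (stands in for the downloaded PNG) ---------------
def embed_lsb_stream(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Write payload bits into channel LSBs; untouched channels keep their cover bits."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > 3 * len(pixels):
        raise ValueError("payload does not fit in the carrier")
    out, pos = [], 0
    for px in pixels:
        new = []
        for channel in px:
            if pos < len(bits):
                channel = (channel & ~1) | bits[pos]
                pos += 1
            new.append(channel)
        out.append((new[0], new[1], new[2]))
    return out


def constructed_carrier(width: int = 16, height: int = 16) -> List[Pixel]:
    """Deterministic noise 'cover image' (constructed), 16x16 RGB = 96 bytes of LSB capacity."""
    rng = random.Random(1)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(256))
            for _ in range(width * height)]


CONSTRUCTED_KEY = b"demo-hardcoded-key"            # constructed; the real key is not on the page
CONSTRUCTED_MODULE = b"stand-in bytes for the main module (constructed)"


def build_demo_carrier() -> List[Pixel]:
    """Frame and encrypt the stand-in module, then hide it in the cover pixels."""
    ciphertext = rc4(CONSTRUCTED_KEY, CONSTRUCTED_MODULE)
    framed = struct.pack("<I", len(ciphertext)) + ciphertext
    return embed_lsb_stream(constructed_carrier(), framed)


if __name__ == "__main__":
    carrier = build_demo_carrier()
    print(recover_module(carrier, CONSTRUCTED_KEY))
```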
Tomi Engdahl says:
China Uses Watering Hole Attacks, JSONP Hijacking to Identify Users
http://www.securityweek.com/china-uses-watering-hole-attacks-jsonp-hijacking-identify-users
Chinese authorities are leveraging watering hole attacks and JSONP hijacking techniques to track down users who might attempt to hide their identity online, according to unified security management and threat intelligence company AlienVault.
The Chinese government keeps a close eye on the country’s Internet with the aid of the Great Firewall and other censorship systems. While the Great Firewall is highly efficient when it comes to tracking users and blocking them from accessing certain resources, the system can be bypassed using virtual private networks (VPNs) and the Tor anonymity network.
Researchers at AlienVault have observed a series of watering hole attacks that they believe allow the Chinese government to identify certain users who might be trying to keep their identity hidden.
It’s not uncommon for Chinese threat actors to use watering hole attacks to target certain user groups or sectors. The attacks analyzed by AlienVault have targeted the visitors of the Chinese-language sites of NGOs, Uyghur communities, and Islamic associations.
Tomi Engdahl says:
Pwned so many times – but saved by the incident response plan
In IT paranoia is never a bad thing
http://www.theregister.co.uk/2015/06/17/it_security_incident_response_plan/
Companies that are more proficient with technology are more likely to believe that their security is “very effective”. Is this a form of contempt born of familiarity, or a true understanding of the risks? The bigger the company, the harder they fall, and no organisation – not even the US state department – has proven impenetrable.
Survey after survey is conducted and each time it seems that the “early adopters” of whatever tomorrow’s next big thing is are the companies who think they have got this security thing taped. Companies who felt ahead of the curve because they were all cloudified were riding high on the knowledge that public cloud providers have better security than most.
Until they realised you’re only as secure as your stupidest mistake.
Internet of Things and wearable adopters don’t seem to even be thinking that far. Lots of widgets are being deployed with security threats that will never be patched and companies are gleefully putting these on the same networks as their primary data. In IT, the hard lessons learned face-first by so many other companies in the past never seem to be retained.
It’s easy to think that large companies with huge resources have security down.
Unhealthy security
An off the record discussion with a source of mine within the US health care insurance industry revealed the shocking fact his very large employer had thousands of servers with no anti-malware, intrusion detection or other defenses installed. These aren’t any old servers either – we’re talking database farms filled with the most sensitive of customer data. The entire organisation relies on eggshell security: crunchy defences on the very outer edge, but the inside is soft.
Worse, being in the industry they talk to others in the industry, and it turns out that this is fairly standard. It is alleged that some of these companies even cover it up in order to pass audits.
Paranoia is proper
I’ve been hacked. After 20 years in IT, my systems have probably been penetrated dozens of times. It happens a few times a year now, so I’ve honestly lost count.
By admitting this, I am of course setting myself up for a right pantsing in the comments section for being wholly inadequate to live. Sysadmin machismo and brogrammer culture demand that all technologists be infinitely capable, infinitely knowledgeable and under no circumstances ever admit fault.
Well screw that. I got pwned. Right pwned. Several times. Some of them were clearly my fault (I done goofed) and some of them were the result of completely asymmetric resources deployed against me. I’ve seen stuff turn up on my personal systems that qualifies as state-level (seriously, they hid the malware in the video BIOS!)
I’ve also had attacks against systems I thought were “secure” that were so spectacularly beyond my level of capability that months later I still don’t have the foggiest idea in hell how they got in. Those systems had no known exploits, the attackers danced past every security feature, from fail2ban to layers of intrusion detection. To this day, I’m completely baffled.
I have come to accept being pwned as a matter of course.
Those breaches however, aren’t “fatal”. Why? Paranoia. Defence in depth. A realisation quite some time ago that eggshell computing is a really, really bad plan.
We must assume that any system on our network can be – and in the fullness of time will be – compromised. Data and applications need to be segmented. Different applications need to be separated. Pwning one system cannot be allowed to grant an attacker access to all other systems, nor can it allow them the ability to nuke the only copy of vital data.
Sysadmin enough to admit you need help
I learned a long time ago that I’m not the IT messiah.
No one human being can fit all that needs be known about our industry into their brain.
So I simply gave up. Every now and again I need an adult.
I am not going to build a better firewall than F5. Even if it is all I did all year long, they are smarter, more experienced and there are simply more of them than there are of me. Hell, technology is moving so fast today that I can barely keep
Security appliances are required. Professional security services are required. External audits, additional pairs of eyes and above all else engineering your network expecting to be compromised are required.
You aren’t as good a sysadmin as you think.
I promise you that you aren’t hot shit enough to defend your home network against a well-resourced attack, let alone an enterprise IT network.
Accept it. Deal with it. And as with all things in IT, plan for failure. Including your own.
Prevention will not stop all security threats. Detection will miss some incidents. You, and I, and all of us need to be spending time on mitigating the inevitable, and preparing incident response plans for when breaches happen anyways.
Tomi Engdahl says:
The insidious danger of the lone wolf control freak sysadmin
He’s got your back… along with your passwords, your contacts and your work
http://www.theregister.co.uk/2015/06/17/dangers_of_lone_wolf_sys_admins/
Often within teams there is a certain shared camaraderie and level of trust between team members. They chew the fat, have a moan or playful poke at other staff during a day’s work. They cover for each other and stuff usually gets done. At the end of the day, they spend more time with each other than family.
Occasionally, however, you get a lone wolf admin who gets into the team. When I say “lone wolf admin”, I am not talking about quiet or shy individuals. I’m talking about the glory hunters. Those that don’t play well within a team and are happy to throw others under the metaphorical bus. When these types get into a good and stable team, bad things can and do happen.
Lone wolves can be a danger on a number of levels, not only to good team relations but also potentially to the company’s bottom line.
These types of people have been around since the inception of the IT department. The difference is that in these modern times, IT is everything to most companies and the potential for damage a lot greater.
This guy – let’s call him “Tim” – had been given a major project and wanted to prove himself as the best of the best. He wanted to be the go-to person for this technology.
What a lot of people miss is that when individuals hoard information and knowledge as a tool of power over others, they become a weak point in the system. Documentation and knowledge needs to be maintained, so that when something goes bang while you are eating your Sunday lunch, you aren’t scrabbling round for fragments of information to try and fix the issues. If you don’t have a Wiki-style document repository where people can add designs, hints, tips and known issues, you really are missing a trick.
Despite repeated attempts to wrangle documents and designs out of Tim, he would either point-blank refuse to share, ignore people or just plain lie and claim they were not ready, while distributing to management as a method of glorification.
Tomi Engdahl says:
Online identity woes can only be solved through the medium of GIF
Non-graphical bods seek vendor support for Identity 3.0
http://www.theregister.co.uk/2015/06/10/global_identity_foundation_gif_online/
The Global Identity Foundation aims to recruit vendors in its ambitious quest to develop a global digital identity ecosystem.
GIF is seeking to develop a new, global solution for digital identities, with the not-for-profit organisation building on work from the Jericho Forum, including the Jericho Forum’s Identity, Entitlement & Access Management (IdEA) Commandments (PDF).
More specifically, GIF aims to bring together vendors and security experts to develop a single, open-source, globally accepted, digital identity ecosystem – Identity 3.0 – for secure and trusted online and offline transactions.
“Digital identity is broken,” said Paul Simmonds, chief exec of the GIF and ex co-founder and board member of the Jericho Forum. “Online credit card fraud, phishing, and cybercrime all succeed by fraudulently using someone else’s identity and users are rightly concerned about access to their personal information.”
“In 2014 alone, millions of user records were stolen through data breaches including at Sony, eBay, and JP Morgan. In a world where we shop and bank online, and share personal details on social media, we urgently need to move beyond passwords and basic web security,” he added.
Identity 3.0 aims to evolve as a framework that will allow existing and new identity technologies – utilising existing standards and cryptography – to co-exist in a decentralised global framework.
Tomi Engdahl says:
Banking trojan besieges Bundestag … for the second time
Swatbanker malware appearance seems politically motivated
http://www.theregister.co.uk/2015/06/17/banking_trojan_hits_bundestag/
Tomi Engdahl says:
Mike Masnick / Techdirt:
Huge Loss For Free Speech In Europe: Human Rights Court Says Sites Liable For User Comments — Last year we wrote about a very dangerous case going to the European Court of Human Rights: Delfi AS v. Estonia, which threatened free expression across Europe. Today, the ruling came out and it’s a disaster.
Huge Loss For Free Speech In Europe: Human Rights Court Says Sites Liable For User Comments
https://www.techdirt.com/articles/20150616/11252831361/huge-loss-free-speech-europe-human-rights-court-says-sites-liable-user-comments.shtml
Tomi Engdahl says:
Josh Aas / Let’s Encrypt:
Let’s Encrypt, the free SSL certificate service backed by EFF, Mozilla, others, announces limited launch end of July and general availability mid-September — Let’s Encrypt Launch Schedule — Let’s Encrypt has reached a point where we’re ready to announce our launch schedule.
Let’s Encrypt Launch Schedule
https://letsencrypt.org/2015/06/16/lets-encrypt-launch-schedule.html
First certificate: Week of July 27, 2015
General availability: Week of September 14, 2015
We will issue the first end entity certificates under our root under tightly controlled circumstances. No cross-signature will be in place yet, so the certificates will not validate unless our root is installed in client software. As we approach general availability we will issue more and more certificates, but only for a pre-approved set of domains. This limited issuance period will give us time to further ensure that our systems are secure, compliant, and scalable.
Tomi Engdahl says:
Downing Street dodges Freedom of Information act with automatic 3-month deletion of emails
http://thestack.com/downing-street-deletes-emails-after-three-months-170615
Weeks before Tony Blair’s Freedom of Information (FOI) act first came into force, Downing Street adopted a policy of automatically deleting emails more than three months old, resulting in a system described by those who worked under it as ‘dysfunctional’. Campaigners have described the timing of the IT policy as ‘not a coincidence’.
The system was retained under the coalition government of 2010-2015, and is still in place. Under the system workers can only retain a mail beyond three months if they specifically move it out of the firing line, usually accomplished in server-based mail by dragging it, or a copy, into local storage on the user’s computer.
Tomi Engdahl says:
‘No evidence’ Snowden was working for foreign power says ex-NSA boss
And claims Uncle Sam would have hacked China’s personnel database ‘at the speed of light’
http://www.theregister.co.uk/2015/06/18/no_evidence_snowden_was_working_for_foreign_power_says_exnsa_boss/
He was also asked about the hacking of the US Office of Personnel Management. Sensitive databases held by the agency appeared to have been stolen by the People’s Liberation Army Department Three (the Middle Kingdom’s version of the NSA), he said, and the swiped dossiers on American citizens were “a legitimate foreign intelligence target.”
“If I as director of CIA or NSA would have had the opportunity to grab the equivalent from the Chinese system, I would not have thought twice, I would not have asked permission, I’d have launched the Star Fleet and we’d have brought those suckers home at the speed of light,” Hayden said.
“So this is not shame on China, this is shame on us. For not protecting that kind of information.”
Hayden argued the stolen OPM databases, which apparently included US national security clearance application forms, would be useless for blackmail since Uncle Sam already knew what was on the forms. Instead it would be used for old-fashioned source grooming.
He explained that the way to use this was to build up intelligence dossiers on key people the Chinese government wanted to spy on. By knowing their home details, preferences, habits, and lifestyle, an agent could inveigle their way into the target’s confidence, and glean useful information.
US intelligence services, indeed all intelligence services, used these techniques, he said, and they were just part and parcel of government in the modern world.
Tomi Engdahl says:
Phone scamming up 30 percent last year: Report
Tech support fraudsters still booming
http://www.theregister.co.uk/2015/06/18/pindrop_security_report/
Retail and finance call centre phone scamming in the US is up 30 percent according to research.
The 2014 findings are based on some 86 million scam calls a month picked up by Pindrop Security in which attackers aimed to obtain personal information on potential victims.
The phone security company says one in 2200 calls are fraudulent, up from one in 2900 in 2013, topping US$9 million a year.
“Rates of phone fraud are similar across economically developed countries, regardless of security regulations and legislation in place,” the report states.
“Phone channel assailants use multi-pronged attacks, targeting consumers, retailers, and financial institutions simultaneously.
“Credit card issuers face the highest rate of fraud calls, with one fraud call per every 900 calls.”
Scammers are increasingly using VoIP and robo-dialers to mask incoming phone numbers and better target consumers.
It says an astonishing one in six phone numbers placing consumer calls is a robo-caller with the bots calling some 2.5 per cent of phone numbers a week.
Technical support scams are unsurprisingly the most common type of phone fraud scam chalking up eight million calls a month, followed by small credit loans, and automotive insurance.
Tomi Engdahl says:
Serious OS X and iOS flaws let hackers steal keychain, 1Password contents
Researchers sneak password-stealing app into Apple Store to demonstrate threat.
http://arstechnica.com/security/2015/06/serious-os-x-and-ios-flaws-let-hackers-steal-keychain-1password-contents/
Researchers have uncovered huge holes in the application sandboxes protecting Apple’s OS X and iOS operating systems, a discovery that allows them to create apps that pilfer iCloud, Gmail, and banking passwords and can also siphon data from 1Password, Evernote, and other apps.
The malicious proof-of-concept apps were approved by the Apple Store, which requires all qualifying submissions to treat every other app as untrusted. Despite the supposed vetting by Apple engineers, the researchers’ apps were able to bypass sandboxing protections that are supposed to prevent one app from accessing the credentials, contacts, and other resources belonging to another app. Like Linux, Android, Windows, and most other mainstream OSes, OS X and iOS strictly limit app access for the purpose of protecting them against malware. The success of the researchers’ cross-app resource access—or XARA—attacks, raises troubling doubts about those assurances on the widely used Apple platforms.
“The consequences are dire,” they wrote in a research paper titled Unauthorized Cross-App Resource Access on MAC OS X and iOS.
Unauthorized Cross-App Resource Access on MAC OS X and iOS
https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view?pli=1
Tomi Engdahl says:
Samsung Keyboard Security Risk Disclosed:
Over 600M+ Devices Worldwide Impacted
https://www.nowsecure.com/keyboard-vulnerability/
Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.
This flaw was uncovered by NowSecure mobile security researcher Ryan Welton. Samsung was notified in December of 2014. Given the magnitude of the issue, NowSecure notified CERT who assigned CVE-2015-2865, and also informed the Google Android security team.
If the flaw in the keyboard is exploited, an attacker could remotely:
Access sensors and resources like GPS, camera and microphone
Secretly install malicious app(s) without the user knowing
Tamper with how other apps work or how the phone works
Eavesdrop on incoming/outgoing messages or voice calls
Attempt to access sensitive personal data like pictures and text messages
While Samsung began providing a patch to mobile network operators in early 2015, it is unknown if the carriers have provided the patch to the devices on their network.
Tomi Engdahl says:
“Let’s Encrypt” Project To Issue First Free Digital Certificates Next Month
http://it.slashdot.org/story/15/06/17/1923258/lets-encrypt-project-to-issue-first-free-digital-certificates-next-month
Let’s Encrypt, the project that hopes to increase the use of encryption across websites by issuing free digital certificates, is planning to issue the first ones next month. Backed by the EFF, the Mozilla Foundation, the Linux Foundation, Akamai, IdenTrust, Automattic, and Cisco, Let’s Encrypt will provide free-of-charge SSL and TLS certificates to any webmaster interested in implementing HTTPS for their products.
“Website operators are generally hesitant to use SSL/TLS certificates due to their cost. An extended validation (EV) SSL certificate can cost up to $1,000.”
Free encryption project ‘Let’s Encrypt’ to issue first digital certificates next month
http://thestack.com/free-encryption-project-first-digital-certificates-170615
Let’s Encrypt, the first free and open certification authority, will launch to the general public in September, with its first digital certificates issued over the next month.
The project is funded by the Internet Security Research Group (ISRG), a new Californian public-benefit group backed by leading tech firms including Mozilla, The Electronic Frontier Foundation (EFF) and Cisco.
Tomi Engdahl says:
E-Detective Spy Tool Used By Police and Governments Has Major Security Holes
http://it.slashdot.org/story/15/06/17/2245215/e-detective-spy-tool-used-by-police-and-governments-has-major-security-holes
A controversial intercept tool called E-Detective from Taiwanese based company Decision Group has a major security hole which could allow a hacker to remotely execute code and read all the data captured by the software. Considering over 100 law enforcement agencies and governments around the world use E-Detective, this could be a big problem.
E-Detective: Spying tool used by over 100 law enforcement agencies has major security holes
http://www.ibtimes.co.uk/e-detective-spying-tool-used-by-over-100-law-enforcement-agencies-has-major-security-holes-1506447
A controversial spying tool called E-Detective used by over 100 governments and law enforcement agencies around the world has a serious security vulnerability which could allow hackers access to highly sensitive information.
E-Detective is a product developed by Taiwanese company Decision Group and is described as a “real-time network forensics and lawful interception system” – which means it will allow customers to spy on people using mobile or internet networks and capture data including usernames and passwords from services such as Gmail, Twitter, Facebook and even banking websites.
A computer science student has uncovered a major security flaw in the E-Detective software which could allow anyone exploiting it to remotely access the system, execute code and read any of the captured data.
According to al-Bassam, a “script in the web root allows for unauthenticated users to read arbitrary files on the system. This may include database credentials and captured data intercepts”. Al-Bassam has published a proof of concept for the vulnerability on GitHub.
E-Detective works by “sniffing the network” it is monitoring and captures data packets before sending them to be reassembled and decoded.
Unlike other products E-Detective promises to “reconstruct the data to its original format” for the end users so that it will be seen the same way that it was seen on the network.
E-Detective also advertises as a network forensic tool for private enterprises to “protect sensitive data from data leakage”.
E-Detective says it can decode over 140 internet protocols including HTTP and even YouTube videos as standard, but it also offers an additional module which will allow users to decode the HTTPS standard widely used to protect websites where sensitive data is being captured, such as banking and webmail services.
Tomi Engdahl says:
The Internet of Things Is the Password Killer We’ve Been Waiting For
http://it.slashdot.org/story/15/06/17/2233226/the-internet-of-things-is-the-password-killer-weve-been-waiting-for
You can’t enter a password into an Apple Watch; the software doesn’t allow it, and the UI would make doing so difficult even if it did. As we enter the brave new world of wearable and embeddable devices and omnipresent ‘headless’ computers, we may be seeing the end of the password as we know it.
IoT is the password killer we’ve been waiting for
http://www.itworld.com/article/2937232/security/iot-is-the-password-killer-weve-been-waiting-for.html
IoT, with its tiny screens & headless devices, will drive an authentication revolution. It’s a short leap from the kind of two-factor authentication used on the Apple Watch to proximity-based authentication that does away with any user interaction. Passwords are just the canary in the coalmine.
A brave, new, password-free world
The password is dead. We’ve known that for a while – password managers like LastPass (hacked last week) are but end-of-the-line accessories for a technology that has reached and surpassed its useful life – like a floppy disk holder or a cabinet for a big, fat cathode ray TV set.
The shift to wearables and other small form-factor devices will hasten that trend, eliminating the kind of screen real estate that alphanumeric passwords require. “For the Apple Watch, the user has to be authenticated to their phone for the Watch to get updates and such. If there’s any kind of security threshold, the phone provides that,” said Marc Boroditsky, the COO of the security company Authy, which provides authentication technology for the Apple Watch.
The solution, for now, is two factor technology of the kind Mr. Boroditsky’s company offers, and that is already common on many web sites and applications, including Google, Apple’s iCloud, Facebook and more. Software sends a simple numeric code to a mobile device that can then be entered into a traditional login screen. In the case of Apple’s Watch, that numeric code is simplified to a “Yes” or “No” authorization.
It’s a short leap from there to proximity-based authentication that does away with any user interaction. That’s already a common feature of automobiles. The Apple Watch or other wearables will greatly expand the possible use cases for such interactions. For example, if the homeowner is at the door and she is wearing the Watch, unlock the door! No need to put down the groceries.
But what about the universe of connected devices that don’t have any screen at all? So-called “headless” devices are likely to be among the most populous of the hundreds of billions of systems that will make up the Internet of Things. Think: embedded sensors, smart city infrastructure, industrial robots.
“We’re heading into a new world where user IDs and passwords won’t exist,” said Jason Sabin, Chief Security Officer at the firm DigiCert, a U.S. based certificate authority. “Wearables, headless devices or small screen, small form factor devices – you definitely have to think about what identity means.”
On the question of authentication, Sabin believes that what is lost in graphical interfaces will be more than compensated for by the wealth of data – biometric and otherwise – that will be captured by IoT devices. “Maybe authentication becomes the way you walk as a person, or how you interact with the environment around you,” Sabin said. “My shoes, my phone, my watch, my clothing – those could be another form of identification to prove that I am ‘Jason.’”
Doing IoT security right?
Nobody knows how all of this will work – let alone how to secure it. And once you start talking about identity federation at the scale of the billions of connected endpoints on the Internet of Things, everything gets dicey.
Even today, online identity is splintered. Technologies and identity systems like Security Assertion Markup Language (SAML), Initiative For Open Authentication (OATH) and OpenID provide ways for users to connect to applications and resources. Siloed identity systems like Facebook Connect have also become popular as a way to authenticate individuals to online services. But all of those suppose that the authenticating device is a “smart” and “connected” device, constantly connected to the Internet and capable of handling such processing-intensive exchanges. Those are assumptions that may not hold for the many low-power, single function, intermittently connected IoT endpoints that will soon fill our environment.
Simply connecting devices that were once disconnected is a much easier problem to solve than managing security and identity.
To do security “right,” IoT device makers need to lock down communications to and from their endpoint using TLS or some equivalent technology. They also need features to push down software and configuration updates and – when appropriate – to secure data at rest on the device. Also, IoT devices may have useful lives measured in decades; companies need a way to future-proof their creations.
That’s a high bar, which is why Sabin argues that it may be better – in many consumer use cases – not to attempt or make assurances about security at all. “Why pretend to inject security into a system that you can never update or where you can’t manage the security of the system,” Sabin argues. “You’re just giving consumers and customers a false sense of security – that you’ve sprinkled in some security and think it’s enough.”
In most cases, however, not offering security for connected devices will not be an option. The risk posed by hundreds or thousands of vulnerable or insecure devices to the security of their corporate IT environment is considerable.
Shaw looks to emerging standards like OAuth2 and UMA (User Managed Access) as a way to do authentication and granular permissions at the scale of the Internet of Things.
Tomi Engdahl says:
Reddit joins the HTTPS-only stampede
Strict Transport Security joins strict new anti-abuse policies
http://www.theregister.co.uk/2015/06/18/reddit_to_be_https_by_default_from_july/
Reddit will soon be served over HTTPS only as part of wider moves to secure the web.
The Front Page of the Internet™ began serving its user-curated pages over secure sockets layer last September, in an effort that took some nine months to complete.
The site has now decided that as of 29 June it will begin pushing all traffic to HTTPS with HTTP Strict Transport Security, phasing out the ability to gobble clear text and eliminating man-in-the-middle attack vectors.
The move will break some Reddit users’ scripts, and applications may become useless unless developers tweak code to work with the more secure mechanism.
Site system administrator Ricky Ramirez notified Reddit’s millions of users of the change in a brief post.
“You won’t have an option to disable this,” Ramirez says.
Tomi Engdahl says:
Protecting users against advanced threats and the human factor
http://www.theregister.co.uk/2015/06/18/protecting_users_against_advanced_threats_and_the_human_factor/
Handy synopsis for you
As we reported in April, you build security, and the users muck it up. At a time when productivity growth in many businesses has ground to a halt, our white collar workers are managing to give 200 per cent in one area, at least: yes, in the last 12 months they have doubled their click rates on phishing emails!
And a special shout out to staff in sales, finance and procurement departments. They are really going the extra mile, clicking on links in malicious messages 50 to 80 per cent more often than the average. It’s just one example of how, when you try to build foolproof internet security, users can manage to break it in minutes.
Here are three ways to protect these hapless people from themselves:
1. Hide their keyboards
2. Force them to wear mittens at work
3. WATCH OUR REGCAST
Tomi Engdahl says:
Sourceforge now listed as malicious when clicked from Google search results
http://www.reddit.com/r/technology/comments/3a9h9x/soureforge_now_listed_as_malicious_when_clicked/
What’s going on with Sourceforge?
Malware bundling.
They had it coming, it’s a sad state of affairs.
SourceForge packed adware into the binaries of open source projects. They had their chance to make amends, and now it’s time for their comeuppance.
Getting Google Search to treat SourceForge as a malicious site.
Nobody wins if their entire domain gets tagged, which is what would normally happen if they weren’t holding so many legit projects hostage. Probably the most pragmatic solution under the circumstances, though now that Google has removed some incentive, this could get ugly if they are stubborn about it. They must have been pretty desperate already to take this route in the first place.
Expect to see the same thing for cnet.download.com presently. Or do CBS Interactive just have too much money for that to work?
Hell, if they want to be really consistent they should show the same warning for Google Play. After all, half of that shit’s spyware and the rest is adware. It’s kind of depressing, but malware really is the new normal.
SF still does offer great service for some open source projects for free.
Don’t like what’s happening to Sourceforge? Don’t throw the baby out with the bathwater.
Sourceforge hosts ~440,000 projects dating back to 1999; it seems to have been the default option to host software projects for a decade or so.
If Sourceforge goes down under present conditions and all the mirrors have dropped out as per the request here: https://www.reddit.com/r/linux/comments/38ebj4/dont_like_whats_happening_with_sourceforge/, digital historians are losing access to a substantial number of entire programming languages, and the ability to read many thousands of file formats of varying obscurity, forever.