Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states; they can come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013: there were lots of articles related to the published material. Not everything has been published yet, so I would expect some new details from the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster from which it can’t recover. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. Sure, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
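As an added illustration of the aggregation step described above (example code written for this page, not from the original post or from any STIX tooling), the script below merges STIX 2.1 indicator bundles from two constructed publishers into one keyed set, resolves each indicator back to its publisher identity, and runs the supported pattern subset over constructed proxy events. All identifiers, feed names, domains and the hash value are constructed placeholders, and the pattern parser only handles equality comparisons joined by OR.

```python
"""Aggregate STIX 2.1 indicators from several publishers and run the result
over proxy events. Feeds, identifiers and indicator values below are
constructed for this example and are not real threat intelligence."""
import re

# One STIX comparison: <object>:<property> = '<value>'
COMPARISON_RE = re.compile(
    r"^(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<val>[^']*)'$")


def parse_pattern(pattern):
    """Parse the STIX pattern subset used here: equality comparisons joined
    by OR inside one observation expression, e.g.
    [domain-name:value = 'a.invalid' OR domain-name:value = 'b.invalid'].
    Anything else raises ValueError so unsupported feeds fail loudly."""
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("unsupported pattern: %r" % pattern)
    clauses = []
    for clause in pattern[1:-1].split(" OR "):
        m = COMPARISON_RE.match(clause.strip())
        if m is None:
            raise ValueError("unsupported clause: %r" % clause)
        clauses.append((m.group("obj") + ":" + m.group("prop"), m.group("val")))
    return clauses


def normalize(pattern):
    """Merge key: the same pattern modulo whitespace differences."""
    return " ".join(pattern.split())


def aggregate(bundles):
    """Merge indicators across bundles keyed by pattern, so a threat that two
    publishers describe independently becomes one entry listing both sources.
    created_by_ref is resolved to the name of the publisher's identity object."""
    merged = {}
    for bundle in bundles:
        identities = {o["id"]: o["name"] for o in bundle["objects"]
                      if o["type"] == "identity"}
        for obj in bundle["objects"]:
            if obj["type"] != "indicator" or obj.get("revoked"):
                continue
            key = normalize(obj["pattern"])
            entry = merged.setdefault(key, {
                "clauses": parse_pattern(obj["pattern"]),
                "sources": set(), "indicator_types": set(), "ids": []})
            entry["sources"].add(
                identities.get(obj.get("created_by_ref"), "unknown"))
            entry["indicator_types"].update(obj.get("indicator_types", []))
            entry["ids"].append(obj["id"])
    return merged


def match_events(merged, events):
    """Return one hit per (event, indicator) pair whose clause matches.
    Events are flat dicts keyed by STIX object path, as a log normalizer
    would produce from a proxy or DNS log."""
    hits = []
    for event in events:
        for key, entry in merged.items():
            if any(event.get(path) == value for path, value in entry["clauses"]):
                hits.append({"event": event, "pattern": key,
                             "sources": sorted(entry["sources"])})
    return hits


def _indicator(uid, created_by, pattern):
    """Minimal STIX 2.1 Indicator object; timestamps are constructed."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + uid, "created_by_ref": created_by,
            "created": "2015-01-05T00:00:00.000Z",
            "modified": "2015-01-05T00:00:00.000Z",
            "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix",
            "valid_from": "2015-01-05T00:00:00Z"}


def _identity(uid, name):
    return {"type": "identity", "spec_version": "2.1", "id": "identity--" + uid,
            "name": name, "identity_class": "organization",
            "created": "2015-01-01T00:00:00.000Z",
            "modified": "2015-01-01T00:00:00.000Z"}


VENDOR_ID = "identity--aaaaaaaa-0000-4000-8000-000000000001"
COMMUNITY_ID = "identity--bbbbbbbb-0000-4000-8000-000000000002"

# Constructed feed from a security company: a domain and a file hash.
FEED_VENDOR = {"type": "bundle", "id": "bundle--aaaaaaaa-0000-4000-8000-0000000000f1",
               "objects": [
                   _identity("aaaaaaaa-0000-4000-8000-000000000001", "Constructed Vendor Feed"),
                   _indicator("11111111-0000-4000-8000-000000000001", VENDOR_ID,
                              "[domain-name:value = 'update-checker.invalid']"),
                   _indicator("11111111-0000-4000-8000-000000000002", VENDOR_ID,
                              "[file:hashes.MD5 = '0123456789abcdef0123456789abcdef']")]}

# Constructed community feed: the same domain (spaced differently) plus an OR pattern.
FEED_COMMUNITY = {"type": "bundle", "id": "bundle--bbbbbbbb-0000-4000-8000-0000000000f2",
                  "objects": [
                      _identity("bbbbbbbb-0000-4000-8000-000000000002", "Constructed Community Feed"),
                      _indicator("22222222-0000-4000-8000-000000000001", COMMUNITY_ID,
                                 "[domain-name:value =   'update-checker.invalid']"),
                      _indicator("22222222-0000-4000-8000-000000000002", COMMUNITY_ID,
                                 "[domain-name:value = 'cdn-stats.invalid' OR "
                                 "domain-name:value = 'cdn-stats2.invalid']")]}

# Constructed proxy events, already normalized to STIX object paths.
EVENTS = [{"src_ip": "10.0.0.7", "domain-name:value": "update-checker.invalid"},
          {"src_ip": "10.0.0.8", "domain-name:value": "www.example.com"},
          {"src_ip": "10.0.0.9", "domain-name:value": "cdn-stats2.invalid"}]


def run():
    """Aggregate both feeds and match the constructed events against them."""
    return match_events(aggregate([FEED_VENDOR, FEED_COMMUNITY]), EVENTS)


if __name__ == "__main__":
    for hit in run():
        print(hit["event"]["src_ip"], "matched", hit["pattern"], "from", hit["sources"])
```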

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority backed by big names on the Internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, notifying them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.


3,110 Comments

  1. Tomi Engdahl says:

    Jessica Guynn / USA Today:
    Google to remove nude or sexually explicit images posted online without consent from its search results when requested — Google to remove “revenge porn” from search results — SAN FRANCISCO — In a significant step to combat “revenge porn,” Google will honor requests to remove …

    Google to remove ‘revenge porn’ from search results
    http://www.usatoday.com/story/tech/2015/06/19/google-revenge-porn-search-results/28983363/

    Google usually only removes search results with a valid legal request. It makes an exception for images of child sexual abuse and sensitive information such as bank account numbers and signatures.

    In Europe, under the right to be forgotten law, Google has removed nearly 1 million links. The ruling gives European residents the ability to demand that search engines remove links that appear in searches for an individual’s name, but so far only in Europe.

    “Google has long been hesitant to mess with its search results and there are some good reasons for that. If you pull out one kind of content, other people will want you to pull out another kind of content and it can become a slippery slope,” said Danny Sullivan, founding editor of SearchEngineLand.com. “Having said that, this is one of those cases where I think people would nod in agreement that yes, this is terrible, this stuff should be removed.”

    Sullivan said Google’s decision could have a deterrent effect.

    “If it’s not in Google, does it actually exist? The answer is yes, it does exist but it’s a heck of a lot harder to find. Even this won’t make it impossible but it does make it more difficult and, when it’s more difficult, it makes it less attractive for people to do this kind of behavior.”

    Yet for years there was little anyone could do when intimate photos appeared online.

    New Jersey passed the first law addressing revenge porn in 2004. Since then, 18 states have passed laws criminalizing revenge porn

    The Federal Trade Commission has also started cracking down.

    With the growing backlash against revenge porn, technology companies are also taking a stand. In March, Twitter became the latest Internet company to enact explicit rules that ban the posting of nude photographs and videos without the subject’s permission. Facebook also banned revenge porn in March.

    Reddit banned it in February. Last year a 4Chan poster hacked into celebrities’ iCloud accounts and posted naked photos

    Some people don’t think the policies go far enough because they still require women to police their own harassment.

  2. Tomi Engdahl says:

    Joseph Menn / Reuters:
    OPM hack employed rare tool also used in last year’s Anthem breach, which was tied to Chinese intelligence — U.S. employee data breach tied to Chinese intelligence — The Chinese hacking group suspected of stealing sensitive information about millions of current and former U.S. government employees …
    http://www.reuters.com/article/2015/06/19/us-usa-data-breach-idUSKBN0OZ20Z20150619

  3. Tomi Engdahl says:

    Officials: Chinese had access to U.S. security clearance data for one year
    http://www.washingtonpost.com/blogs/federal-eye/wp/2015/06/18/officials-chinese-had-access-to-u-s-security-clearance-data-for-one-year/?postshare=8401434679772773

    The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information.

    The considerable lag time between breach and discovery means that the adversary had more time to pull off a cyber-heist of consequence, said Stewart Baker, a former National Security Agency general counsel.

    “The longer you have to exfiltrate the data, the more you can take,” he said. “If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”

    The compromise of the system was discovered early this month and dates back to June or early July 2014, agency officials said. The network holds a wealth of personal, family and financial details on millions of current, former and prospective federal employees and contractors.

    The discovery of that breach followed the detection in April of the compromise of a personnel database containing Social Security numbers and other personal information of 4.1 million current and former federal employees. That hack dates back to December, officials said.

    In the case of the personnel database, the time between breach and discovery was four months — much shorter than the one-year interval for the security clearance system.

    OPM officials are still trying to determine how much data was actually stolen and who was affected. The background-check system is complex and antiquated, made up of many databases and fed by numerous agencies.

    The Obama administration has not publicly named the suspected perpetrator of the intrusions. But U.S. officials, speaking privately, have said it is the Chinese government.

    The following month, in March 2014, the Department of Homeland Security notified OPM of the first hack of the security clearance database.

    But one challenge was a bureaucracy that made it difficult to buy security tools quickly, officials said. “OPM can’t get through government procurement that fast,”

    In an article published last week, anonymous sources told the Wall Street Journal that CyTech — not OPM — discovered the breach of the agency’s network through a product demonstration.

    In fact, Wagner said, OPM discovered the malicious software — the tip-off that a breach has occurred — on April 15, six days before CyTech’s product demonstration, using a different firm’s software.

    The malware OPM discovered was a never-before-seen variant of the malware known as PlugX, officials with knowledge of the probe said.

  4. Tomi Engdahl says:

    Dave Maass / Electronic Frontier Foundation:
    Facebook fails EFF’s censorship test because it doesn’t disclose US government content-restrictions requests; records show it has suspended inmate accounts

    Why Facebook Failed Our Censorship Test
    https://www.eff.org/deeplinks/2015/06/why-facebook-failed-our-censorship-test

    If you click around Facebook’s “Government Request Report,” you’ll notice that, for many countries, Facebook enumerates the number of “content restrictions” the company has fulfilled. This is a sanitized term for censorship.

    But if you click over to the United States, Facebook’s home country, you’ll find that the “content restrictions” category is conspicuously missing.

    This is odd, considering that Facebook has been suspending the accounts of inmates in the U.S. for at least four years at the behest of prison officials.

  5. Tomi Engdahl says:

    Joel Rosenblatt / Bloomberg Business:
    Former US Secret Service agent Shaun Bridges who allegedly stole $820K in bitcoin during Silk Road investigation to plead guilty

    Ex-U.S. Agent Charged With Bitcoin Theft to Plead Guilty
    http://www.bloomberg.com/news/articles/2015-06-18/ex-u-s-agent-charged-with-pocketing-bitcoins-reaches-plea-deal

    One of two former U.S. agents charged with pocketing hundreds of thousands of dollars in digital money during the investigation of the illegal Silk Road Internet drug emporium reached a plea agreement with prosecutors.

  6. Tomi Engdahl says:

    Dune Lawrence / Bloomberg Business:
    The nine-year-old history of the notorious Zeus malware and the hunt for its creator, the financial industry’s most-wanted hacker — The Hunt for the Financial Industry’s Most-Wanted Hacker … In any global outbreak, it’s important to identify Patient Zero. In the movies, you get a leggy Gwyneth Paltrow.

    The Hunt for the Financial Industry’s Most-Wanted Hacker
    http://www.bloomberg.com/news/features/2015-06-18/the-hunt-for-the-financial-industry-s-most-wanted-hacker

    The malware known as ZeuS and its rogue creator have been at the cutting edge of cyber-crime for nearly a decade

    Investigators studying the code knew its creator only by aliases that changed almost as frequently as the malware itself: A-Z, Monstr, Slavik, Pollingsoon, Umbro, Lucky1235. But the mystery coder gave his product a name with staying power; he called it ZeuS. Like the procreation-minded god of Greek mythology, this ZeuS fathered powerful descendants—and became a case study of the modern cybercrime industry.

    This is the story of a nasty piece of code, and the hunt for its creator.

    There, ZeuS caused an immediate sensation; Jackson had never seen such intense interest in a new piece of malware. Writing malicious code is no easier than creating legitimate software. Do it sloppily, and your malware will alert victims by slowing down their computers, interfering with other programs or crashing entire systems. ZeuS operated seamlessly, Jackson says. Beyond that, its author maintained a feverish pace of improvements.

    “It was just a bestseller,” Jackson says. “People just loved it. It was a living coding project, and it had all the state-of-the-art features.”

    By mid-2007, ZeuS had evolved into something like enterprise software, bundling together all the tools for a DIY cyber-theft operation. Crucially, the package included features to track and manage machines it infected, making it much easier to build zombie networks. These so-called botnets are the foundation for online scams of every stripe. They’re not only sources for the data harvested from each of the computers; they’re also a force multiplier that hackers can use to unleash floods of spam and heavy traffic to shut down targeted sites.

    Within a year of its introduction, the software was developing ways to foil malware hunters—the human kind like Jackson as well as automated antivirus programs. Once inside a new computer, ZeuS rejiggered its own code, altering the patterns that antivirus would look for. Hackers could also turn on a feature that sent stolen data through “proxy servers”—fake locations that hid the real path and destination and complicated the task of retrieving it.

    “Nobody knows how many people purchased the Trojan code, how many attacks are underway, and how many are planned,” Jackson wrote. “Meanwhile, corporate PCs and home PC users are bleeding sensitive information by the gigabytes.”

    ZeuS reemerged in 2008 with something rare in the chaotic world of malware: an end-user agreement. Don’t redistribute, don’t study the code, don’t send it to antivirus companies. It’s not clear whether anybody ever broke those rules, nor whether ZeuS’s maker ever held anybody accountable, but it signaled he was serious about protecting his IP. By 2009, the malware’s protection had evolved into a hardware-based license: Each buyer got an encrypted file that could be unlocked only with a key unique to his or her computer. There’d be no sharing.

    No one knew for sure whether the reemergent ZeuS was the work of the same coder who’d introduced it originally. But the drive to innovate remained constant.

    One security company, Damballa, estimated that ZeuS had infected 3.6 million computers in the U.S. in 2009, making it the top botnet threat. The JabberZeuS botnet was responsible that year for at least $100 million in bank losses—more than all traditional, non-cyber crime against banks put together, according to SecureWorks.

    In May 2009, a rash of fraudulent electronic payments from banks spurred the FBI into action.

    It took a year and a half, but on Sept. 30, 2010, law enforcement in the U.S., Ukraine, and the U.K. arrested or detained more than 150 people.

    The program’s author wasn’t among those arrested, but days after law enforcement pounced, the cybercrime world got another shock: ZeuS and its biggest competitor, SpyEye, planned to merge.

    It was an effective disappearing trick, though the deal proved short-lived. In May 2011, the ZeuS source code leaked online.

    The comeback for the creator of ZeuS took shape in a private botnet venture that began to raise alarm bells in late 2011. Instead of selling the malware for criminals to build their own botnets, he and his new gang built their own and rented parts of it out to other criminals for a fee. That way, the coder could become the administrator of his own botnet and control the operation’s security himself.

    As banks got better at defending themselves against ZeuS’s predations, the Gameover gang developed a novel business model to supplement bank robbery: ransom.

    The breakthrough came in the fall of 2013, says Grasso, when private partners, including SecureWorks, came up with a way to break the botnet.

    ZeuS, meanwhile, has become a permanent gift to the cyber underground. SecureWorks documented attacks that targeted more than 1,400 financial institutions across more than 80 countries—just from 2014 through March 2015. Since the ZeuS source code leak, almost all banking malware has incorporated its features, according to SecureWorks.

    “To create a tool that may be responsible since its inception for a billion dollars in damages, and still to evade arrest despite all that up to this point, is just amazing to me,”

  7. Tomi Engdahl says:

    Ethan Zuckerman / The Atlantic:
    As commonplace objects like toys become cloud-connected recording devices, policymakers should confront the implications

    Beware the Listening Machines
    http://www.theatlantic.com/technology/archive/2015/06/listening-machines/396179/

    When dolls and friendly robots can listen and respond to what people say, where’s the line between personal assistance and mass surveillance?

    What’s a listening machine? The example of everyone’s lips was Hello Barbie, a version of the impossibly proportioned doll that will listen to your child speak and respond in kind. Here’s how The Washington Post described the doll back in March: “At a recent New York toy fair, a Mattel representative introduced the newest version of Barbie by saying: ‘Welcome to New York, Barbie.’ The doll, named Hello Barbie, responded: ‘I love New York! Don’t you? Tell me, what’s your favorite part about the city? The food, fashion, or the sights?’

    Barbie accomplishes this magic by recording your child’s question, uploading it to a speech recognition server, identifying a recognizable keyword (“New York”) and offering an appropriate synthesized response. The company behind Barbie’s newfound voice, ToyTalk, uses your child’s utterance to help tune their speech recognition, likely storing the voice file for future use.

    And that’s the trick with listening systems. If you can imagine reasons why you might not want Mattel maintaining a record of things your child says while talking to his or her doll, you should be able to imagine the possible harms that could come from use—abuse or interrogation of other listening systems. (“Siri, this is the police. Give us the last hundred searches Mr. Zuckerman asked you to conduct on Google. Has he ever searched for bomb-making instructions?”)

    As one of the speakers put it (we’re under Chatham House rules, so I can’t tell you who), listening machines trigger all three aspects of the surveillance holy trinity:

    1. They’re pervasive, starting to appear in all aspects of our lives.
    2. They’re persistent, capable of keeping records of what we’ve said indefinitely.
    3. They process the data they collect, seeking to understand what people are saying and acting on what they’re able to understand.

    To reduce the creepy nature of their surveillant behavior, listening systems are often embedded in devices designed to be charming, cute, and delightful: toys, robots, and smooth-voiced personal assistants. Proponents of listening systems see them as a major way technology integrates itself more deeply into our lives, making it routine for computers to become our helpers, playmates, and confidants.

    If a robot observes spousal abuse, should it call the police? If the robot is designed to be friend and confidant to everyone in the house, but was paid for by the mother, should we expect it to rat out one of the kids for smoking marijuana?

    Despite the helpful provocations offered by real and proposed consumer products, the questions I found most interesting focused on being unwittingly and unwillingly surveilled by listening machines. What happens when systems like ShotSpotter, currently designed to identify shots fired in a city, begins dispatching police to other events, like a rowdy pool party (just to pick a timely example)?

    A representative of one of the consumer regulatory agencies in the United States gave an excellent talk in which she outlined some of the existing laws and principles that could potentially be used to regulate listening machines in the future. While the U.S. does not have comprehensive privacy legislation in the way many European nations do, there are sector-specific laws that can protect against abusive listening machines: the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, HIPAA, and others.

    Do we want a world in which we confide in our phones? And how should companies be forced to handle the data generated by these new interactions?

    The challenge is figuring out how, in our current, barely functional political landscape, we decide what technologies should trigger pre-emptive conversations about whether, when, and how those products should come to market.

    If my example of Siri affecting your credit score seems either fanciful or trivial,

    The good news is that there’s both a precedent of executive authority to ban certain lines of research, and a robust tradition of debate within the scientific community that seeks to influence this policymaking.

  8. Tomi Engdahl says:

    Interesting security technology:

    Shotspotter
    http://www.shotspotter.com/

    ShotSpotter Flex instantly notifies officers of gunshot crimes in progress with real-time data delivered to dispatch centers, patrol cars and even smart phones. This affordable, subscription-based service enhances officer safety and effectiveness through:

    Real-time access to maps of shooting locations and gunshot audio,
    Actionable intelligence detailing the number of shooters and the number of shots fired,
    Pinpointing precise locations for first responders aiding victims, searching for evidence and interviewing witnesses.

    http://www.shotspotter.com/cloud-based-solution

    SST’s cloud-based system is cost effective.
    SST owns and operates the underlying sensor network as well as the data center infrastructure which provides the 24x7x365 real-time data. Sensors are installed and maintained by SST, and operate on “machine-to-machine” data contracts provided by our cellular provider partners. Because SST maintains thousands of live sensor connections with those partners, we achieve per-sensor connectivity savings far beyond what a single agency could negotiate, and we pass those savings along to our customers in the form of a fixed price subscription.

    Built-in redundancy eliminates any single point of failure.
    SST operates fully redundant data centers on both the East and West Coasts, both of which have doubly-redundant power and HVAC, and triply-redundant Internet connectivity. The company has invested in full data redundancy and backups, as well as offsite backup, and provides a level of 24x7x365 fault tolerant hardware and network uptime that no agency–even the biggest–could afford to procure, let alone maintain, on its own.

    Reply
  9. Tomi Engdahl says:

    Heinz ketchup bottle QR code leads to hardcore porn site
    http://www.theverge.com/2015/6/19/8811425/heinz-ketchup-qr-code-porn-site-fundorado

    Company apologizes to German man after letting its domain expire

    Heinz this week apologized to a German man who was directed to a hardcore porn site after scanning a QR code on a ketchup bottle. The man, Daniel Korell, scanned the code thinking it would lead to a promotional site where he could design his own Heinz Ketchup label. But as The Local reports, Heinz’s label design campaign ran from 2012 to 2014, and the domain expired this year. It was then snatched up by a German porn site called FunDorado, which is why Korell’s QR code led to thumbnails of sex videos.

    Korell notified Heinz of the mishap on its Facebook page, writing that the ketchup “probably isn’t for minors,” and criticizing the company for letting its domain expire.

    Reply
  10. Tomi Engdahl says:

    Polish airline LOT was grounded after ‘IT attack’ took hold
    Surely we can’t be stuck in Warsaw? You are, and don’t call me Shirley
    http://www.theregister.co.uk/2015/06/22/polish_airline_lot_flights_delayed_it_attack_pwns_flight_planning/

    An unspecified IT attack has left 1,400 passengers of Polish flag carrier LOT Polish Airlines stuck in Warsaw, after the company discovered it was unable to file flight plans for its departing aircraft.

    Reuters reports that the airline’s ground computer system — used to issue the flight plans — had been “hacked” on Sunday afternoon.

    The system was “fixed” after five hours, leading to ten cancellations and a dozen or more flights being delayed.

    Reply
  11. Tomi Engdahl says:

    Wiktor Szary / Reuters:
    Attack on computer system for Polish airline LOT grounded 1,400 passengers on Sunday; CEO says all airlines are vulnerable

    Polish airline, hit by cyber attack, says all carriers are at risk
    http://www.reuters.com/article/2015/06/22/us-poland-lot-cybercrime-idUKKBN0P21DC20150622

    No airline is safe from the type of cyber attack that grounded aircraft and hundreds of passengers at Poland’s busiest airport at the weekend, the chief executive of Polish national carrier LOT [LOT.UL] said on Monday.

    Poland’s domestic intelligence agency said it had been called in to investigate, but there was no word on who might be responsible for the attack, which disabled the system LOT uses for issuing flights plans.

    The attack is likely to bring renewed scrutiny to the question of whether the systems which help keep airliners safely in the air are adequately protected from hackers intent on causing havoc or even on bringing down a plane.

    “This is an industry problem on a much wider scale, and for sure we have to give it more attention,” LOT chief executive Sebastian Mikosz told a news conference.

    “I expect it can happen to anyone anytime.”

    The airline said there was never any danger to passengers from the attack since it did not affect systems used by aircraft while in the air.

    “This was a capacity attack, which overloaded our network,” said the spokesman, Adrian Kubicki.

    Ruben Santamarta, a researcher on airline’s cyber-security, said there were not enough details on the LOT attack to properly assess what happened.

    “There are multiple systems at ground level that provide critical services for airlines and aircraft, in terms of operations, maintenance, safety and logistics,” said Santamarta, who is principal security consultant for Seattle-based security research firm IOActive.

    “I am quite surprised that such sensitive systems dedicated to airline operations are exposed to the Internet to be exposed to denial of service attacks,”

    Reply
  12. Tomi Engdahl says:

    DOJ vs. Google: How Google Fights on Behalf of Its Users
    http://lauren.vortex.com/archive/001110.html

    One of the oft-repeated Big Lies — still bandied about by Google haters today — is the false claim that Google enthusiastically turns over user data to government agencies. This fallacy perhaps reached its zenith a few years ago, when misleading PowerPoint slides from Edward Snowden’s stolen NSA documents cache were touted by various commercial parties (with whom he had entrusted the data), in a misleading, out-of-context manner, designed for maximum clickbait potential. The slides were publicized by these parties with glaring headlines suggesting that Google permitted NSA to freely rummage around through Google data centers, grabbing goodies like a kid set loose in a candy store.

    Google immediately and forcefully denied these claims, and for anyone familiar with the internal structure and dialogues inside Google, these allegations were ludicrous on their face. (Full disclosure: While I have consulted to Google in the relatively recent past, I am not currently doing so.)

    Obviously, Google must obey valid laws, but that doesn’t mean they’re a pushover — exactly the opposite.

    While some companies have long had a “nod and wink” relationship with law enforcement and other parts of government — willingly turning over user data at mere requests without even attempting to require warrants or subpoenas, it’s widely known that Google has long pushed back — sometimes through multiple layers of courts and legal processes — against data requests from government that are not accompanied by valid court orders or that Google views as being overly broad, intrusive, or otherwise inappropriate.

    Reply
  13. Tomi Engdahl says:

    ISC2 launches security cert training for cloud-defending cherubs
    ‘Making a bible of cloud knowledge’
    http://www.theregister.co.uk/2015/06/23/iscsup2sup_launches_security_cert_training_for_cloud_defending_cherubs/

    ISC2 has announced the dates of its training courses for its new cloud security certification, created alongside Cloud Security Alliance (CSA), beginning with exam availability in PearsonVUE testing centres from 21 July.

    The pitch for the ISC2- and CSA-developed Certified Cloud Security Professional (CCSP) certification describes it as meeting “a critical market need to ensure that cloud security professionals have the required knowledge, skills and abilities to audit, assess and secure cloud infrastructures”.

    ISC2, or the International Information Systems Security Certification Consortium, is a non-profit organisation which specialises in information security education and certifications.

    ISC2 notes that offering market reassurance is a pressing need in the light of over two-thirds (68 per cent) of the telecoms industry listing cloud services as a top security threat, while 55 per cent in the banking sector, 50 per cent in government, 40 per cent in defence and 60 per cent in utilities said the same, according to their recent study.

    James Rees, managing director at consultants Razor Thorn, told The Register that “to date there is a serious lack of information security in the cloud computing industry and maybe CCSP is a good first step to begin to address the situation.”

    Jennings also noted that customers “want to know not only that their data is secure but they also want to know where it is. This dual concern over data security and data residency leads to confusion over whether data can move into the cloud at all”.

    “In short, EU data protection law allows for the transfer of data provided it is kept secure. So, while it is legitimate to know where the data is and to exercise control over that, the key is to ensure the data is secure, wherever it is held,” he added.

    Reply
  14. Tomi Engdahl says:

    After 10 years, reddit will finally be HTTPS-only
    http://www.neowin.net/news/after-10-years-reddit-will-finally-be-https-only

    After 9 months of effort, reddit has finally catered to its internet security-friendly userbase and announced its intentions to switch the site to HTTPS by June 29th.

    Reddit has long utilized HTTP for its web traffic, and many users are happy with the change, something they consider long overdue. According to Ricky Ramirez, a software developer for reddit who posted about the change, the entire site will now be in SSL – and users won’t have an option to disable it.

    Reply
  15. Tomi Engdahl says:

    What Tech Companies Have Your Back When It Comes to Privacy
    http://webscripts.softpedia.com/blog/What-Tech-Companies-Have-Your-Back-When-It-Comes-to-Privacy-484752.shtml

    In its annual Who Has Your Back report, the Electronic Frontier Foundation (EFF) has applauded the efforts of various tech companies in their efforts to boost user privacy and transparency inside their daily activities.

    The EFF report grants one star to companies that comply with various criteria in five different categories:

    - Follow industry accepted best practices

    - Tells users about government data demands

    - Discloses policies on data retention

    - Discloses government content removal requests

    - Pro-user public policy by opposing backdoors

    This year, the only ones that got a full 5-star rating, complying with all the above criteria were Adobe, Apple, Credo, Dropbox, Sonic.net, Wikipedia, WordPress, and Yahoo.

    Reply
  16. Tomi Engdahl says:

    Vikram Dodd / Guardian:
    New Europol unit hunting Isis social media accounts starts July 1 with help from social media firms; aims to take down accounts within two hours of detection

    Europol web unit to hunt extremists behind Isis social media propaganda
    http://www.theguardian.com/world/2015/jun/21/europol-internet-unit-track-down-extremists-isis-social-media-propaganda

    Europe-wide police team aims to find key figures in campaign producing 100,000 tweets daily linked to terror group, seeking to recruit foreign fighters

    A new Europe-wide police unit is being set up to scour the internet for the ring leaders behind Islamic State’s social media propaganda campaign, which it has used to recruit foreign fighters and jihadi brides.

    The police team will seek to track down the key figures behind the estimated 100,000 tweets a day pumped out from 45,000 to 50,000 accounts linked to the Islamist terror group, which controls parts of Iraq and Syria.

    Run by the European police agency Europol, it will start work on 1 July, with a remit to take down Isis accounts within two hours of them being detected.

    Europol’s director, Rob Wainwright, told the Guardian that the new internet referral unit would monitor social media output to identify people who might be vulnerable and those preying on them. He said: “Who is it reaching out to young people, in particular, by social media, to get them to come, in the first place? It’s very difficult because of the dynamic nature of social media.”

    Reply
  17. Tomi Engdahl says:

    The Intercept:
    NSA and GCHQ have tried since at least 2008 to reverse-engineer antivirus software like Kaspersky, monitored company emails for new malware they could use — Popular Security Software Came Under Relentless NSA and GCHQ Attacks — The National Security Agency and its British counterpart …

    Popular Security Software Came Under Relentless NSA and GCHQ Attacks
    https://firstlook.org/theintercept/2015/06/22/nsa-gchq-targeted-kaspersky/

    The National Security Agency and its British counterpart, Government Communications Headquarters, have worked to subvert anti-virus and other security software in order to track users and infiltrate networks, according to documents from NSA whistleblower Edward Snowden.

    The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the documents is Moscow-based Kaspersky Lab, which has a holding registered in the U.K., claims more than 270,000 corporate clients, and says it protects more than 400 million people with its products.

    The efforts to compromise security software were of particular importance because such software is relied upon to defend against an array of digital threats and is typically more trusted by the operating system than other applications, running with elevated privileges that allow more vectors for surveillance and attack. Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus software companies; the U.S. and U.K. have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.

    Reply
  18. Tomi Engdahl says:

    Computer Failure Leaves State Dept. Unable to Issue Visas
    http://www.nytimes.com/2015/06/23/world/americas/computer-failure-leaves-state-dept-unable-to-issue-visas.html?smid=tw-nytimes&_r=1

    The United States has been unable to issue visas to travelers around the world for two weeks because of a computer hardware failure that remains unresolved, State Department officials said Monday.

    The country gets an average of 50,000 visa applications worldwide every day. The vast majority of those applications are piling up while the department tries to fix a hardware issue linked to biometric data. The failure prevented officials from processing and transmitting fingerprints and photographs for security checks.

    The system was not expected to come back online before next week, Mr. Kirby said. In the meantime, the department issued 1,500 visas deemed priority cases for medical or humanitarian reasons.

    Ashley Garrigus, a spokeswoman for the Bureau of Consular Affairs, said that there had been a backup system in place, but that it had also failed.

    “While switching to the backup system, we discovered that the data was damaged and unusable,”

    Reply
  19. Tomi Engdahl says:

    Gmail for web gets ‘Undo Send’ to save you from typos and ‘Reply All’ nightmares
    Graduates from Gmail Labs after six years
    http://www.theinquirer.net/inquirer/news/2414439/gmail-for-web-gets-undo-send-to-save-you-from-typos-and-reply-all-nightmares

    GMAIL FOR WEB has finally received an ‘Undo Send’ feature that could save you from any future embarrassing ‘Reply All’ incidents.

    ‘Undo Send’ has been available in Gmail Labs since early 2009, and Google announced this week that, six years later, it has finally graduated to the browser-based version of Gmail.

    “‘Undo Send’ allows people using Gmail to cancel a sent mail if they have second thoughts immediately after sending,” Google explained.

    Undo Send will be switched off by default for those not using the Labs version of Gmail, but can be enabled from the General tab in Gmail settings.

    Once switched on, users can choose the length of time they’ll have to hit Undo Send after clicking the send button, from five to 30 seconds

    Google has yet to announce when, or if, the feature will come to the Gmail apps for iOS and Android

    Reply
  20. Tomi Engdahl says:

    SPICEWORKS FAIL: Are we ready for ‘social’ network administration?
    Still more questions than answers
    http://www.theregister.co.uk/2015/06/23/spiceworks_social_sign_on_fail_log_in_linkedin_facebook_admin/

    Yesterday, a security screw up with the Spiceworks application was noticed, and reported a little earlier by our good selves. Anyone with a Facebook or LinkedIn account could log in to Spiceworks installs running the latest version and it would create an administrative account for them.

    This is not OK, not at all. Many Spiceworks users leave the Spiceworks helpdesk portal open to the net.

    It is not uncommon to have employees or clients from all over that need to access the helpdesk. It’s a nonstarter to have them VPNing into the network in order to access it.

    This flaw allowed anyone with a Facebook or LinkedIn account to create an administrative account on a Spiceworks install, allowing all sorts of chaos to ensue.

    Not only can helpdesk tickets and so forth be changed or deleted, but Spiceworks itself tends to know everything there is to know about a given network.

    By default, Spiceworks performs regular scans, vacuuming up every iota of data it can find about the network on which it is installed, from the configuration of printers to the number of sticks of RAM installed in which slots, and on what PCs.

    Spiceworks is frequently integrated into Active Directory, amongst many other management and control systems.

    For now, in this instance, Spiceworks has disabled the feature that caused this flaw.

    But the flaw did happen, and it should cause us to start asking questions, such as:

    What is the necessity of integrating any given application with services hosted on the internet?
    What must be best practices regarding this sort of implementation, both at a code level and at a systems administration level?
    How comfortable are any of us, really, with “hybrid cloud” applications such as Spiceworks?

    Not only are cloud logons from social media networks directly responsible for this particular flaw, but Spiceworks mitigated the issue by flicking a switch on its end and disabling the feature for everyone across the board.

    The idea that they can simply flick a switch and obliterate years of effort and accumulated knowledge is deeply unsettling.

    How about the other applications that have hybrid cloud authentication or integration? How deep does the vendor’s control go over the bits of data that your business absolutely depends upon?

    How much damage could a vengeful employee at the vendor side do to operations for all clients? What security procedures exist on their side to prevent such things?

    As we move into this brave new cloudy, interconnected world these are the kinds of questions that we must ask. As we put all of our data into public cloud software-as-a-service offerings, and rely ever more on cloud authentication or hybrid applications, we need to constantly ask ourselves how vulnerable are we to the human error – or maliciousness – of vendors?

    Reply
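The provisioning mistake described in the Spiceworks story, shown beside a hardened version, as an added example that is not Spiceworks code and not from the article; the local user model, roles and the identity-provider payload are all constructed.

```python
"""Social sign-on provisioning: the failure described above beside a hardened
version. Added example, not Spiceworks code; the user model and the
identity-provider payload are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    username: str
    role: str                                   # "admin", "technician" or "enduser"
    linked_identities: Set[str] = field(default_factory=set)   # e.g. {"facebook:1001"}


@dataclass(frozen=True)
class SocialIdentity:
    """What the identity provider asserts after a successful social sign-on."""
    provider: str          # "facebook" or "linkedin"
    subject: str           # the provider's stable account id
    email_verified: bool

    @property
    def key(self) -> str:
        return f"{self.provider}:{self.subject}"


class VulnerableSocialLogin:
    """Any identity the provider vouches for becomes a local administrator."""

    def __init__(self, users: Dict[str, User]) -> None:
        self.users = users

    def login(self, identity: SocialIdentity) -> User:
        for user in self.users.values():
            if identity.key in user.linked_identities:
                return user
        # Unknown identity: auto-provision a new account with the admin role.
        # Authentication by a third party has been confused with authorization.
        user = User(username=identity.key, role="admin", linked_identities={identity.key})
        self.users[user.username] = user
        return user


class HardenedSocialLogin:
    """The provider only proves who is at the keyboard; what that person may do
    is decided locally, and nobody is provisioned as admin through this path."""

    def __init__(self, users: Dict[str, User], allow_self_registration: bool = False) -> None:
        self.users = users
        self.allow_self_registration = allow_self_registration

    def login(self, identity: SocialIdentity) -> Optional[User]:
        for user in self.users.values():
            if identity.key in user.linked_identities:
                return user                        # pre-linked by an admin, keeps its role
        if not (self.allow_self_registration and identity.email_verified):
            return None                            # unknown identity: refuse
        # Self-registration, where a deployment wants it, gets the least-privileged role.
        user = User(username=identity.key, role="enduser", linked_identities={identity.key})
        self.users[user.username] = user
        return user

    def link_identity(self, actor: User, username: str, identity: SocialIdentity) -> bool:
        """Only an existing admin may attach a social identity to a local account."""
        if actor.role != "admin" or username not in self.users:
            return False
        self.users[username].linked_identities.add(identity.key)
        return True


def demo_users() -> Dict[str, User]:
    """Constructed local account database for the examples."""
    return {
        "alice": User("alice", "admin"),
        "bob": User("bob", "technician"),
    }


if __name__ == "__main__":
    stranger = SocialIdentity("facebook", "1001", email_verified=True)
    print("vulnerable:", VulnerableSocialLogin(demo_users()).login(stranger).role)
    print("hardened  :", HardenedSocialLogin(demo_users()).login(stranger))
```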
  21. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Researchers develop palm-sized device, built for less than $300, that can steal laptop crypto keys using radio waves leaked by its processor

    This Radio Bug Can Steal Laptop Crypto Keys, Fits Inside a Pita
    http://www.wired.com/2015/06/radio-bug-can-steal-laptop-crypto-keys-fits-inside-pita/

    The list of paranoia-inducing threats to your computer’s security grows daily: Keyloggers, trojans, infected USB sticks, ransomware…and now the rogue falafel sandwich.

    Researchers at Tel Aviv University and Israel’s Technion research institute have developed a new palm-sized device that can wirelessly steal data from a nearby laptop based on the radio waves leaked by its processor’s power use. Their spy bug, built for less than $300, is designed to allow anyone to “listen” to the accidental radio emanations of a computer’s electronics from 19 inches away and derive the user’s secret decryption keys, enabling the attacker to read their encrypted communications. And that device, described in a paper they’re presenting at the Workshop on Cryptographic Hardware and Embedded Systems in September, is both cheaper and more compact than similar attacks from the past—so small, in fact, that the Israeli researchers demonstrated it can fit inside a piece of pita bread.

    “The result is that a computer that holds secrets can be readily tapped with such cheap and compact items without the user even knowing he or she is being monitored,” says Eran Tomer, a senior lecturer in computer science at Tel Aviv University. “We showed it’s not just possible, it’s easy to do with components you can find on eBay or even in your kitchen.”

    The Tel Aviv researchers focused their attack on extracting the keys stored by GnuPG, an open source and widely used version of the encryption software PGP.

    The notion of someone planting an eavesdropping device less than two feet away from a target computer may seem farfetched as an espionage technique—even if that spy device is concealed in a pita (a potentially conspicuous object in certain contexts) or a stealthier disguise like a book or trashcan. But the PITA attack represents a significant advancement from less than a year ago, when the same researchers released an attack that required the attacker to actually touch a laptop’s metal components to pick up their charge.

    Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation
    http://www.scribd.com/doc/269396737/Stealing-Keys-from-PCs-using-a-Radio-Cheap-Electromagnetic-Attacks-on-Windowed-Exponentiation

    Reply
  22. Tomi Engdahl says:

    Nicole Hong / Wall Street Journal:
    Blackshades co-creator Alex Yucel sentenced to 57 months in prison for selling RAT software

    Blackshades Leader Sentenced to Prison
    Alex Yucel had pleaded guilty to computer-hacking charges
    http://www.wsj.com/article_email/blackshades-leader-sentenced-to-prison-1435093984-lMyQjAxMTA1MzIyMzMyOTM3Wj

    The leader of the Blackshades operation, which sold computer-hacking software to thousands of buyers around the world, was sentenced to four years and nine months in prison by a federal judge on Tuesday.

    Alex Yucel, a 25-year-old Swedish national who had been living in Moldova, pleaded guilty in February to computer-hacking charges related to his ownership and operation of Blackshades. The site sold a software called a remote access tool, or “RAT,” which allowed cybercriminals to secretly control other people’s computers from a distance—for just $40 per license.

    “The message must go forth that this is a serious crime worthy of a serious punishment,” Judge Castel said, also requiring Mr. Yucel to forfeit $200,000.

    The judge said cybercriminals deserve stiffer punishments because crimes committed on the Internet are especially difficult to detect and root out.

    Roughly 100 people have been arrested around the world as part of the Blackshades investigation, which has drawn a global law-enforcement effort.

    After federal agents seized and searched the Blackshades server, they found more than 6,000 customer accounts in more than 100 countries. The business, which operated from 2010 to 2013, generated at least $350,000 in sales revenue, according to court documents.

    Sites such as Blackshades have allowed people with little technical expertise to hack computers at a relatively low cost, posing an increasingly difficult threat for law enforcement. These cases have also raised challenging questions about what punishment to give the individuals who do get caught, many of whom are young and well-educated men with no prior criminal history.

    Blackshades customers were able to access and steal a wide variety of the victims’ personal information, including photographs, passwords and credit-card numbers. The victims’ Web cameras could even be activated to obtain a live feed without their knowledge. The computers were infected by tricking victims into clicking an email link or hiring someone to install the RAT on the computer, according to court documents.

    Reply
  23. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Samsung is actively disabling Windows Update on at least some computers — Samsung is actively disabling Windows Update on at least some of the computers it sells. Microsoft MVP Patrick Barker made the discovery and documented the details on his blog after trying to help a user troubleshoot issues with his Samsung machine.

    Samsung is actively disabling Windows Update on at least some computers
    http://venturebeat.com/2015/06/23/samsung-is-actively-disabling-windows-update-on-at-least-some-computers/

    Samsung is actively disabling Windows Update on at least some of the computers it sells. Microsoft MVP Patrick Barker made the discovery and documented the details on his blog after trying to help a user troubleshoot issues with his Samsung machine.

    Windows Update appeared to be getting disabled “randomly” until Microsoft’s Auditpol utility pointed the finger to Samsung’s SW Update software. More specifically, Samsung’s update tool had managed to download and run a file inconspicuously named “Disable_Windowsupdate.exe.”

    Samsung describes its update tool as follows: “You can install relevant software for your computer easier and faster using SW Update. The SW Update program helps you install and update your software and driver easily.”

    In other words, this is the typical OEM tool that ships with your computer to keep all the manufacturer’s software and drivers updated, as well as any other included third-party software (read: bloatware). As Barker rightly points out, there is one major difference between Samsung’s update tool and that of other OEMs: SW Update disables Windows Update.

    Reply
  24. Tomi Engdahl says:

    Karen Zraick / New York Times:
    Computer hardware failure linked to biometric data leaves US unable to process visas for over two weeks, unlikely to be resolved for at least another week

    Computer Failure Leaves State Dept. Unable to Issue Visas
    http://www.nytimes.com/2015/06/23/world/americas/computer-failure-leaves-state-dept-unable-to-issue-visas.html?_r=0

    “We are working around the clock to fix it,” John Kirby, a department spokesman, said Monday. “More than 100 computer experts from both the private and public sectors across the United States are working on this.”

    The system was not expected to come back online before next week, Mr. Kirby said.

    There was no sign the computer failure was the result of a malicious act, nor was it the same software issue that caused shutdowns last year, officials said.

    “While switching to the backup system, we discovered that the data was damaged and unusable,” she wrote in an email. “We deeply regret the inconvenience to travelers and recognize the hardship to those waiting for visas, and in some cases, their family members or employers in the United States.”

    Reply
  25. Tomi Engdahl says:

    Software companies are leaving the UK because of government’s surveillance plans
    Growing concerns about Snooper’s Charter and crypto backdoors fuelling exodus.
    http://arstechnica.co.uk/tech-policy/2015/06/software-companies-are-leaving-the-uk-because-of-governments-surveillance-plans/

    The company behind the open-source blogging platform Ghost is moving its paid-for service out of the UK because of government plans to weaken protection for privacy and freedom of expression. Ghost’s founder, John O’Nolan, wrote in a blog post: “we’ve elected to move the default location for all customer data from the UK to DigitalOcean’s [Amsterdam] data centre. The Netherlands is ranked #2 in the world for Freedom of Press, and has a long history of liberal institutions, laws and funds designed to support and defend independent journalism.”

    O’Nolan was particularly worried by the UK government’s plans to scrap the Human Rights Act, which he said enshrines key rights such as “respect for your private and family life” and “freedom of expression.” The Netherlands, by contrast, has “some of the strongest privacy laws in the world, with real precedents of hosting companies successfully rejecting government requests for data without full and legal paperwork,” he writes.

    This is by no means the first software company to announce that it will be leaving the UK because of the government’s plans to attack privacy through permanent bulk surveillance of online activities and weakened crypto. At the beginning of May, Aral Balkan revealed that he would be moving his Ind.ie software project out of the country

    A few weeks later, Eris Industries became the second company to react to the new UK government and its plans. Eris is “free software that allows anyone to build their own secure, low-cost, run-anywhere data infrastructure using blockchain and smart contract technology.” The company’s move was prompted by the threat that new laws could require backdoors in its encryption technology.
    “with immediate effect, we have temporarily moved our corporate headquarters to New York City, where open-source cryptography is firmly established as protected speech pursuant to the First Amendment to the Constitution of the United States.”

    Reply
  26. Tomi Engdahl says:

    Three-way EU Big Data privacy wrestling match kicks off
    Euro Parl, Commish, EU countries slip on singlets
    http://www.theregister.co.uk/2015/06/24/big_data_protection_negotiations_commence_on_wednesday/

    The EU will take a big step towards finalising measures to protect its citizens’ privacy today, as negotiators from member states, the European Commission, and the European Parliament will come together for the first time to thrash out an agreement on the EU’s planned data protection law.

    The Parliament agreed its position on the draft law more than a year ago, but the council of national ministers fought bitterly over a common position, only reaching a grudging agreement earlier this month.

    Many European countries are still concerned about aspects of the text, but felt it best to reach a compromise in order to move forward.

    Reply
  27. Tomi Engdahl says:

    Wind River VxWorks patches some TCP sequence spoofing bugs
    1995 called, wants its vulnerability back
    http://www.theregister.co.uk/2015/06/24/wind_river_vxworks_patches_some_tcp_sequence_spoofing_bugs/

    Intel-owned embedded software outfit Wind River has been caught with an embarrassing bug in its VxWorks OS.

    According to the ICS-Cert advisory, the bug’s only been identified in kit from Schneider Electric at this stage. It relates to how various VxWorks versions handle their TCP flows.

    Discovered by a bunch of researchers from NEETRAC at Georgia Tech, the vulnerability affects VxWorks Version 7 older than February 13, 2015; version 6.9 releases lower than 6.9.4.4, version 6.8 releases lower than 6.8.3, version 6.7 releases lower than 6.7.1.1, and most releases prior to version 6.6.

    What’s embarrassing is that the vulnerability permits one of the oldest-known attacks on the Internet: a TCP spoofing attack.

    During the 1990s, most operating systems got TCP stacks that randomised initial TCP sequences to get around spoofing, and that’s the mistake that Wind River has made.

    “The VxWorks software generates predictable TCP initial sequence numbers,” the advisory says, “that may allow an attacker to predict the TCP initial sequence numbers from previous values”.

    Reply
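A defender-side check for the class of flaw the advisory describes, as an added example that is neither the article's nor Wind River's code: a constructed fixed-step ISN generator (a stand-in for "predictable ISNs", not VxWorks's actual algorithm) beside an RFC 6528-style one, and a scoring function that reports how often an observer could have guessed an ISN from the two before it. The addresses, ports, key and clock are all constructed; note that the RFC 6528 generator is predictable by design when the same 4-tuple is reused, so the check must vary the source port.

```python
"""Score a TCP stack's initial sequence numbers (ISNs) for predictability.

Added example, not from the article or from Wind River. The fixed-step
generator is a constructed stand-in for the predictable-ISN behaviour the
ICS-CERT advisory describes, not VxWorks's real algorithm.
"""
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional, Sequence

MASK32 = 0xFFFFFFFF


class PredictableIsnGenerator:
    """Constructed weak generator: each new connection gets the previous ISN
    plus a fixed step, so two observed ISNs reveal the third."""

    def __init__(self, seed: int = 0x12345678, step: int = 64_000) -> None:
        self._next = seed
        self._step = step

    def isn(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        value = self._next & MASK32        # the 4-tuple is ignored: that is the flaw
        self._next += self._step
        return value


class Rfc6528IsnGenerator:
    """ISN = M + F(4-tuple, secret): M is a 4 microsecond clock and F a keyed
    hash of the connection 4-tuple, as RFC 6528 recommends."""

    def __init__(self, clock_us: Callable[[], int], key: Optional[bytes] = None) -> None:
        self._clock_us = clock_us
        self._key = key if key is not None else secrets.token_bytes(32)

    def isn(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        conn = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
        f = int.from_bytes(hmac.new(self._key, conn, hashlib.sha256).digest()[:4], "big")
        m = (self._clock_us() // 4) & MASK32
        return (m + f) & MASK32


def ring_distance(a: int, b: int) -> int:
    """Shortest distance between two 32-bit sequence numbers on the wrap-around ring."""
    d = (a - b) & MASK32
    return min(d, (1 << 32) - d)


def isn_guess_hit_rate(isns: Sequence[int], tolerance: int = 0) -> float:
    """Fraction of ISNs an observer could have guessed from the two previous ones
    by assuming the last increment repeats (the classic 1990s attack model).
    Near 1.0 means predictable; near 0.0 is consistent with randomised ISNs."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    hits = 0
    for i in range(2, len(isns)):
        last_delta = (isns[i - 1] - isns[i - 2]) & MASK32
        predicted = (isns[i - 1] + last_delta) & MASK32
        if ring_distance(isns[i], predicted) <= tolerance:
            hits += 1
    return hits / (len(isns) - 2)


def sample_isns(generator, count: int, vary_port: bool = True) -> List[int]:
    """Collect ISNs for successive connections from one client to one server
    (constructed addresses; 502 is Modbus/TCP, a typical industrial service).
    With vary_port=False the same 4-tuple is reused, which RFC 6528 makes
    predictable on purpose, so a real check should use fresh source ports."""
    return [
        generator.isn("192.0.2.10", 40000 + (i if vary_port else 0), "192.0.2.20", 502)
        for i in range(count)
    ]


def make_clock(step_us: int = 1_000) -> Callable[[], int]:
    """Deterministic microsecond clock that advances a fixed amount per read."""
    now = [0]

    def clock() -> int:
        now[0] += step_us
        return now[0]

    return clock


if __name__ == "__main__":
    weak = sample_isns(PredictableIsnGenerator(), 200)
    good = sample_isns(Rfc6528IsnGenerator(make_clock()), 200)
    print("fixed-step generator hit rate:", isn_guess_hit_rate(weak))
    print("RFC 6528 generator hit rate  :", isn_guess_hit_rate(good, tolerance=256))
```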
  28. Tomi Engdahl says:

    Triple glitch grounds ALL aircraft in New Zealand
    Radar and comms failure pushes Welly to manual
    http://www.theregister.co.uk/2015/06/24/triple_gitch_grounds_aircraft_in_new_zealand/

    A trinity of network failures led to the grounding of all aircraft in New Zealand yesterday.

    Just four minutes of outage ended up keeping planes on the ground for two hours, affecting 200 flights on 23 June.

    It cut off radar systems and forced traffic controllers to revert to manual systems to land some of the fifty aircraft airborne at the time.

    “There are fall back systems that allow us to handle these outages safely,” Lamb says.

    “In this case the radar and communications data that normally is fed to [controllers] was not distributed … due to three events happening at the same time which we isolated.”

    “We took some time to make sure the system was working correctly and testing it before we resumed operations.”

    Reply
  29. Tomi Engdahl says:

    Feds count Cryptowall cost: $18 million says FBI
    Bad news Oz: you may have lost even more
    http://www.theregister.co.uk/2015/06/24/feds_count_cryptowall_cost_18_million_says_fbi/

    Cryptowall authors have wrought some US$18 million in damages on US users and businesses alone, according to the FBI.

    The Cryptolocker-imitation ransomware family has etched itself as one of the most prolific and capable since it was first detected in April 2014.

    Global damage reported to the US agency is likely considerably higher; Australian victims account for about half of Cryptowall revenue, with North America accounting for only a quarter.

    Feds say the US Internet Crime Complaints Commission has received 992 complaints from ransomware victims each extorted for between $US200 and $US10,000.

    “Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers,” the FBI alert says.

    Reply
  30. Tomi Engdahl says:

    Security updates available for Adobe Flash Player
    https://helpx.adobe.com/security/products/flash-player/apsb15-14.html

    Adobe has released security updates for Adobe Flash Player for Windows, Macintosh and Linux. These updates address a critical vulnerability (CVE-2015-3113) that could potentially allow an attacker to take control of the affected system.

    Adobe is aware of reports that CVE-2015-3113 is being actively exploited in the wild via limited, targeted attacks. Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.

    Adobe recommends users update their product installations to the latest versions.

    Reply
  31. Tomi Engdahl says:

    Analysis and Exploitation of an ESET Vulnerability
    http://googleprojectzero.blogspot.co.uk/2015/06/analysis-and-exploitation-of-eset.html

    Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied. ESET NOD32 uses a minifilter or kext to intercept all disk I/O, which is analyzed and then emulated if executable code is detected.

    Attackers can cause I/O via Web Browsers, Email, IM, file sharing, network storage, USB, or hundreds of other vectors. Whenever a message, file, image or other data is received, it’s likely some untrusted data passes through the disk. Because it’s so easy for attackers to trigger emulation of untrusted code, it’s critically important that the emulator is robust and isolated.

    Unfortunately, analysis of ESET emulation reveals that is not the case and it can be trivially compromised. This report discusses the development of a remote root exploit for an ESET vulnerability and demonstrates how attackers could compromise ESET users. This is not a theoretical risk, recent evidence suggests a growing interest in anti-virus products from advanced attackers.

    Popular Security Software Came Under Relentless NSA and GCHQ Attacks
    https://firstlook.org/theintercept/2015/06/22/nsa-gchq-targeted-kaspersky/

    Reply
  32. Tomi Engdahl says:

    Do svidaniya to public record as Russia passes NEED to be forgotten bill
    Parliamentary lower house pushes it through, no worries
    http://www.theregister.co.uk/2015/06/24/ido_svidaniyai_to_public_record_as_russia_passes_need_to_be_forgotten_bill/

    The lower house of the Russian‬ Parliament has given its approval to a new law which will resemble the European Union’s controversial “Right to be Forgotten” legislation, but which critics have warned is stricter, arbitrary, and open to abuse.

    The bill, which was advanced earlier this month, requires search engines to remove “outdated or irrelevant personal information from search results on request from users”.

    In response to the EU bill, Google established a process so that complainants could rapidly highlight hyperlinks they wish to remove from searches for their names – as well as explaining why the offending content they wished to remove is “inadequate, irrelevant or no longer relevant”.

    However, under the Russian law, complainants would not be required to provide specific hyperlinks, instead simply declaring what information they wished to be removed.

    What has especially raised concerns, however, is that the Russian law does not exclude public figures, as the EU law does. This has raised fears that it will be misused to conceal information from the public about politicians’ misdeeds, especially when those politicians might be able to force the removal of content without seeking a court order, or providing evidence or justification for their request.

    Yandex has also claimed that the legislation would unconstitutionally restrict people’s right to access reliable information.

    “If this bill is passed, the information about a clinic or a doctor, a school or a teacher one is considering to choose, may be impossible to find,” a company statement said.

    Russia Proposes Strict Online Right to be Forgotten
    http://blogs.wsj.com/digits/2015/06/17/russia-proposes-strict-online-right-to-be-forgotten/

    Reply
  33. Tomi Engdahl says:

    Killer ChAraCter HOSES almost all versions of Reader, Windows
    Google Project Zero bod drops 15 remote code execution holes
    http://www.theregister.co.uk/2015/06/24/killer_character_hoses_smallalmostsmall_all_versions_of_reader_windows/

    Get patching: Google Project Zero hacker Mateusz Jurczyk has dropped 15 remote code execution vulnerabilities, including a single devastating hack against Adobe Reader and Windows he reckons beats all exploit defences.

    The accomplished offensive security researcher (@j00ru) presented findings at the Recon security conference this month.

    The nastiest vulnerabilities for 32-bit (CVE-2015-3052) and 64-bit (CVE-2015-0093) systems exist in the Adobe Type Manager Font Driver (ATMFD.dll) module, which has supported Type 1 and Type 2 fonts in the Windows kernel since Windows NT 4.0.

    “The exploit defeats all modern user and kernel-mode exploit mitigations, with the only non-fully deterministic step being kernel pool spraying [that is] working with 100 percent reliability in the tested environments,” Jurczyk says.

    “The video demonstrates reliable exploitation of a vulnerability in the handling of the BLEND instruction in Type 1 fonts, used in two stages to first achieve arbitrary code execution in Adobe Reader 11.0.10, and further escape the sandbox and elevate privileges to System by attacking the Adobe Type Manager Font Driver in the Windows 8.1 Update 1 32-bit (or 64-bit) kernel.”

    Reply
  34. Tomi Engdahl says:

    The Secret to IT Resiliency:
    Simplify your organization’s business continuity strategy and improve its effectiveness by leveraging both the cloud and pervasive virtualization.
    Business Continuity Needs Business:
    While IT is often seen as wholly responsible for disaster recovery strategy, business continuity resilience planning requires project leadership from throughout the organization, as well as input from diverse staff members operating at different levels.

    Reply
  35. Tomi Engdahl says:

    Wake up, sheeple! If you ask Siri about 9/11 it will rat you out to the police!
    Also, shill scientists refuse to research whether jet fuel can melt steel beams
    http://www.theregister.co.uk/2015/06/24/siri_911_immediately_calls_police_lol/

    The Illuminati have revealed themselves once again, this time through their “intelligent personal assistant” Siri, which immediately reports device owners to the police when they ask about 9/11.

    CBCnews reports that 114 budding truthers were redirected to the police over a two hour period on Sunday morning.

    Police believe the calls, which were quickly hung-up, were the result of a viral message circulating on social media which encouraged people to ask Siri about 9/11 – which is phonetically identical to the emergency telephone number in North America.

    Emergency services cannot ignore a call just because it has been hung up, however, and will return the calls to investigate whether a real emergency is happening.

    The process of re-establishing contact can require several attempts and can tie up resources that could be used to help people in genuine need, say the rozzers.

    The Regina Police Service is asking people to be aware of the consequences of understanding this latest fad.

    Reply
  36. Tomi Engdahl says:

    Login creds for US agencies found scrawled on the web’s toilet walls
    Poor security practices and lack of 2FA responsible for leakiness, says report
    http://www.theregister.co.uk/2015/06/24/no_us_government_login_credentials_dumped_on_the_clearweb_lol_joke/

    A threat intelligence report into the availability of login credentials for US government agencies has identified that 47 agencies across 89 unique domains may be compromised.

    The findings resulted from an analysis of open source intelligence (OSint) from 17 paste sites, carried out between 4 November 2013 and 4 November 2014.

    The report comes after the February 2015 Office of Management and Budget (OMB) report [PDF] to Congress, which highlighted 12 agencies which did not require their most privileged users to log in with any form of two-factor authentication.

    All 12 of these agencies (including the Departments of State and Energy) had possibly valid login credentials available on the open web.

    The credentials must be qualified as being only “possible”, as it would have been illegal for Recorded Future to attempt to authenticate them.

    “While some agencies employ VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind, as cited by the OMB report to Congress,” the report claims.

    The report recommends the following:

    Enable multi-factor authentication and/or VPNs
    Require government employees to use stronger passwords and change with greater regularity
    Gauge and define use of government email addresses on third-party sites
    Maintain awareness of third-party breaches and regularly assess exposure
    Ensure Robot Exclusion Standard (i.e. robots.txt) is set for government login pages to prevent listing of webmail/web services in search engines

    Reply
  37. Tomi Engdahl says:

    Optus admits handing user phone numbers to websites
    http://www.itnews.com.au/News/405656,optus-admits-handing-user-phone-numbers-to-websites.aspx

    Without customers’ knowledge.

    Optus has admitted to handing over its customers’ phone numbers to certain third-party websites accessed by the user.

    As first flagged by a user on telco forum Whirlpool, when a user browses certain websites, Optus provides the customer’s mobile phone number to the website operator where a “commercial relationship” exists.

    The practice, known as HTTP header enrichment, includes a mobile browser’s phone number in the HTTP header of the website request. The process aims to streamline direct billing for customers.

    The Whirlpool user discovered the practice after receiving alerts about a subscription to a site they had not signed up to.

    Optus confirmed its use of HTTP header enrichment to iTnews but said it only provided the details to certain sites involved in a “trusted” commercial relationship with the telco.

    “When consumers browse the internet, information about the device they’re using is passed on to website owners in order to optimise websites for those users,” a spokesperson said.


    Reply
  38. Tomi Engdahl says:

    Reuters:
    In a first, the US SEC asks at least eight public companies about data breaches as it probes an insider trading case

    Exclusive: SEC hunts hackers who stole corporate emails to trade stocks
    http://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623

    U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter.

    The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies.

    It is an “absolute first” for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the

    “The SEC is interested because failures in cybersecurity have prompted a dangerous, new method of unlawful insider trading,” said Stark, now a private cybersecurity consultant.

    The hackers targeted healthcare and pharmaceutical companies because their stocks tend to be volatile, and thus potentially more profitable. In one case, the hackers had sought information about Medicaid rebates and government purchasing decisions, FireEye said.

    sed fake Microsoft Outlook login pages to trick attorneys, executives and consultants into surrendering their user names and passwords.

    Reply
  39. Tomi Engdahl says:

    Not OK, Google: Chromium voice extension pulled after spying concerns
    Company agreed that a closed source module wasn’t a good fit for an open source browser.
    http://arstechnica.com/security/2015/06/not-ok-google-chromium-voice-extension-pulled-after-spying-concerns/

    Google has removed an extension from Chromium, the open source sibling to the Chrome browser, after accusations that the extension was installed surreptitiously and subsequently eavesdropped on Chromium users.

    The issue first came to light in late May when a bug was filed in the Debian bug tracker. Chromium version 43 was seen downloading a binary extension from Google, and there was neither any ability to prevent this download, nor any source code available for the extension. The extension, called “Chrome Hotword,” was found to be responsible for providing the browser’s “OK, Google” functionality. Although off by default, both Chrome and Chromium, when set to use Google as their default search engine, can permanently listen to the microphone and respond instantly to voice queries, with “OK Google” used as the trigger keyword.

    Concern about the nature and purpose of the extension was compounded by the way the browser did and didn’t disclose the extension’s existence. The list of extensions visible at chrome://extensions/ doesn’t include Hotword. Conversely, Hotword’s own status page, chrome://voicesearch/ said that by default the extension was enabled and had access to the microphone.

    This looked like an egregious privacy violation; Google silently installing software that listens in to the microphone (and potentially reports back everything it hears to the mothership), and doing so not only in its partially closed source Chrome browser, but the free and open Chromium browser. The extension is supposed to detect the “OK Google” phrase locally, sending only search phrases to Google, but as no source code is available, there’s no easy way to determine this. Other trigger phrases could be included that start transmission, and nobody outside Google would be any the wiser.

    In a bug filed in the Chromium bug tracker, Google offered explanations for the behavior.

    Even with the “OK Google” feature turned off, when you start Chrome, the extension is loaded for a few seconds, and then unloaded.

    This constant loading and unloading likely explains the experience of developer Ofer Zelig, who noticed that his webcam’s activation light (enabled whenever the webcam’s camera or microphone are accessed) kept turning on apparently at random. This likely coincided with his visits to Google’s home page or when starting a new tab.

    For users of Chrome, there doesn’t seem to be any serious issue. Chrome users already have to trust Google to a greater or lesser extent, because the browser isn’t fully open source and contains proprietary Google code.

    For Chromium, the situation is a little more complex. One of the reasons that people use open source software is precisely so they can inspect the source code and know precisely what is going on: automatically downloading and installing a binary extension with no source code clearly runs very contrary to this spirit.

    Reply
  40. Tomi Engdahl says:

    Instapaper flaw leaves Android users’ details open to hackers
    Bitdefender warns that sensitive data is at risk
    http://www.theinquirer.net/inquirer/news/2414722/instapaper-flaw-leaves-android-users-details-open-to-hackers

    A VULNERABILITY in Instapaper’s Android app leaves user data open to hackers, security firm Bitdefender has warned.

    Instapaper allows users to save articles to read later, and has been downloaded hundreds of thousands of times on Android, according to its Google Play listing.

    Reply
  41. Tomi Engdahl says:

    Toshiba is working on an ‘unbreakable’ encryption technology
    But security experts aren’t convinced
    http://www.theinquirer.net/inquirer/news/2414766/toshiba-is-working-on-an-unbreakable-encryption-technology

    TOSHIBA WILL SOON BEGIN working on an encryption technology that the firm claims is a guaranteed defence against hackers and “completely secure from tapping”.

    The technology is described as the first use of a quantum cryptographic communication system using actual data, and Toshiba will begin verification testing with the transmission of genome analysis data in Japan on 31 August.

    Quantum cryptographic communication uses quantum physics to ensure that data encrypted with digital keys remains secret.

    “While standard optical communications can be intercepted and read by measuring a part of the optical signal, bits in quantum communications are carried and sent by individual photons, which cannot be tampered with without leaving a trace of the intrusion,” the firm said.

    This means that there is a guarantee of secrecy for the untampered encryption keys and the data they protect, according to Toshiba.

    The verification programme will run until August 2017, and will monitor and verify communication stability and speed in long-term operation and the impact of environmental conditions, including weather, temperature and the status of the optical connection, Toshiba said.

    Toshiba said that it aims to use the results of the tests to support commercialisation within five years of a quantum cryptographic communication system able to guarantee secure transfers of confidential and personal information. Potential users will include public agencies and medical institutions.

    However, not everyone is convinced by the research.

    Security firm TripWire’s senior analyst, Ken Westin, said that it’s good to see new innovations and research focused on better methods of encrypting data, but that the terms ‘unbreakable encryption’ or ‘100 percent secure’ make him “immediately think of the Titanic”.

    Reply
  42. Tomi Engdahl says:

    Adobe issues emergency patch for Flash player zero-day flaw
    Could allow hackers to perform remote code execution on a victim’s machine
    http://www.theinquirer.net/inquirer/news/2414694/adobe-issues-emergency-patch-for-flash-player-zero-day-flaw

    SOFTWARE COMPANY Adobe has issued an emergency patch update to fix a critical zero-day flaw in a Flash plugin that could allow hackers to perform remote code execution on a victim’s machine.

    The CVE-2015-3113 vulnerability is classified with the maximum ‘critical’ severity rating, and affects Flash Player 18.0.0.161 and earlier versions on Windows and Mac, and version 11.2.202.466 and earlier releases on Linux.

    Adobe confirmed reports from FireEye researchers who discovered that the vulnerability was being actively exploited in a phishing campaign earlier this month.

    “Adobe is aware of reports that [the vulnerability] is being actively exploited in the wild via limited, targeted attacks,” the firm said in an advisory.

    “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

    There is no evidence of any attacks via Chrome.

    Reply
  43. Tomi Engdahl says:

    With Its French NSA Leak, WikiLeaks Is Back
    http://www.wired.com/2015/06/french-nsa-leak-wikileaks-back/

    Classified documents appear on WikiLeaks.org, revealing that the American government is spying on its allies. American officials rush to deal with a sudden diplomatic crisis while publicly refusing to comment on leaked materials. And WikiLeaks proclaims that it’s just getting started.

    On Tuesday night WikiLeaks released a collection of documents it’s called Espionnage Élysée, a collection of classified NSA files that show that the US intelligence agency has been spying on French heads of state going back three administrations. The documents even include evidence that the NSA listened in on the French presidents’ phone calls. On Wednesday the French foreign ministry summoned the American ambassador to a meeting to explain that snooping, and president Francois Hollande issued a statement that “France will not tolerate actions that threaten its security and the protection of its interests.”

    Aside from the leak’s revelation that France, like Germany, falls under the NSA’s virtually limitless spying on foreigners, it also represents a milestone for WikiLeaks: the first top-secret document it’s published in years.

    Those sorts of bombshells mark a gradual but significant shift out of a five-year period when WikiLeaks seemed to have diminished in activity—or at points practically gone into hibernation.

    But the strongest sign of new life from WikiLeaks is its efforts to enable and even incentivize leakers to give it fresh material.

    Reply
  44. Tomi Engdahl says:

    How the next Java update could make Yahoo your default search provider
    http://www.pcworld.com/article/2940572/how-the-next-java-update-could-make-yahoo-your-default-search-provider.html

    Next time you’re prompted to update the Java software on your computer, pay attention or you might become a Yahoo user without realizing it.

    The search company has cut a deal with Oracle to promote Yahoo search alongside future updates to Oracle’s Java technology, which runs on most PCs. Starting this month, when people are prompted to update to the next version of Java, they’ll be asked if they want to make Yahoo their default search engine on Chrome and Internet Explorer.

    The box to reply in the affirmative will be checked by default, the Wall Street Journal reported, so those not paying attention might find themselves using Yahoo search even if they didn’t mean to.

    CEO Marissa Mayer announced the deal at Yahoo’s annual shareholder meeting Wednesday. It’s the latest partnership the search company has signed to promote its services.

    How the next Java update could make Yahoo your default search provider
    http://www.itworld.com/article/2940575/enterprise-software/how-the-next-java-update-could-make-yahoo-your-default-search-provider.html

    Yahoo has cut a deal with Oracle to promote Yahoo alongside its Java technology

    The deals are intended to grow Yahoo’s meager share of the search market. At the end of April, Google led the pack with 64 percent of desktop search traffic in the U.S., followed by Microsoft with 20 percent and Yahoo with less than 13 percent, according to comScore.

    Reply
  45. Tomi Engdahl says:

    HackerOne Bags $25M As Security Info Sharing Mainstreams
    http://techcrunch.com/2015/06/24/hackerone-bags-25m-as-security-info-sharing-mainstreams/

    HackerOne, makers of a bug bounty platform where companies pay hackers to find vulnerabilities in their products, announced a $25 million Series B round today.

    The company’s platform mixes elements of social and gamification to find exploits and share reports about them with other platform users. Companies offer hackers rewards to find holes that black hat hackers could exploit. The platform provides an avenue for sharing information about all the parties involved including the companies paying the bounties, the hackers and their skills and details about the vulnerabilities found. Each participant builds a rating and reputation as they engage in platform activities.

    So far the platform is responsible for uncovering almost 10,000 vulnerabilities and paying hackers over $3 million, according to company CTO Alex Rice. The company has 250 customers including Twitter, Slack, Adobe, Yahoo and Airbnb.

    Reply
  46. Tomi Engdahl says:

    Electronic Frontier Foundation:
    ICANN considering changes that would disallow proxy registration for domains used for commercial purposes, could put user privacy at risk

    Changes to Domain Name Rules Place User Privacy in Jeopardy
    https://www.eff.org/deeplinks/2015/06/changes-domain-name-rules-place-user-privacy-jeopardy

    But under a proposal [PDF] currently being considered by ICANN, that may all change. It is proposed that domains used for commercial purposes might no longer be eligible to use proxy registration services. Is TG Storytime used for commercial purposes? Well, Joe currently covers the site’s expenses, but also notes that “ads and donations may be used in the future to cover costs”, and sites that run ads have been judged as commercial in domain name disputes.

    Reply
  47. Tomi Engdahl says:

    MAC address privacy inches towards standardisation
    IEEE hums along to IETF anti-surveillance tune
    http://www.theregister.co.uk/2015/06/26/mac_address_privacy_inches_towards_standardisation/

    The Internet Engineering Task Force’s (IETF’s) decision last year to push back against surveillance is bearing fruit, with the ‘net boffins and the IEEE proclaiming successful MAC address privacy tests.

    While MAC address randomisation has been a feature of various clients (including Linux, Windows, Apple OSs and Android) for some time, it has yet to be written into standards.

    Hence, as part of the anti-surveillance effort it launched in May 2014, the IETF had identified MAC address snooping as a problem for WiFi users.

    In November, the IETF ran an experiment to look at whether MAC address randomisation would upset the network – for example, because two clients presented the same MAC address to an access point.

    The success of that test had to be confirmed with the IEEE, though, because the latter is the standards body responsible for 802 standards. Those standards are where the handling of the media access control address is specified, so changing the old assumption that the MAC address is written into hardware needs the IEEE’s co-operation.

    Now, the IETF and IEEE have agreed that the experiment was a success, along with further trials at the IEEE’s 802 plenary and a second IETF meeting, both in March.

    InterDigital principal engineer Juan Carlos Zuniga, who chairs the IEEE 802 Privacy Executive Committee Study Group, said the tests “set the stage for further study and collaboration to ensure the technical community prioritises Internet privacy and security”.

    Back in the 1980s when Ethernet was first created, and even in the 1990s when WiFi was born, little thought was given to the risk that the MAC address could put personal privacy at risk.

    The blossoming of mobile computing, smartphones, and public WiFi, however, means that fixed, unique identifiers no longer look like such a good idea.

    Reply
  48. Tomi Engdahl says:

    Put Your Enterprise Financial Data In the Cloud? Sure, Why Not
    http://it.slashdot.org/story/15/06/26/0052217/put-your-enterprise-financial-data-in-the-cloud-sure-why-not

    For many, the idea of storing sensitive financial and other data in the cloud seems insane, especially considering the regulatory aspects that mandate how that data is protected. But more and more organizations are doing so as cloud providers start presenting offerings that fulfill regulatory need

    Enterprise financials in the cloud? Why the fog of skepticism may be lifting
    http://www.itworld.com/article/2939472/enterprise-software/enterprise-financials-in-the-cloud-why-the-fog-of-skepticism-may-be-lifting.html

    Spreadsheets and email documents are a bigger threat than the cloud, says Forrester Research’s Liz Herbert

    San Diego — The corporate accounting department is the last place that I expected to see cloud computing. Thoughts of “fiduciary responsibility” and “Sarbanes-Oxley” and “HIPAA” and “PCI compliance” float through my mind as Insight Software talked up its new cloud-based offerings at its HubbleUp 2015 user conference, held here in mid June. Attendees, largely from financial departments at large companies, lapped it up.

    Insight Software is a well-known maker of reporting, analytics and planning software that integrates tightly with big ERP (enterprise resource planning) financial packages such as JD Edwards, Oracle eBusiness Suite and SAP. Traditionally, ERP packages and add-ons like Insight’s tools run entirely on-premises. The latest version of Insight’s software, rebranded as Hubble, is also available as a cloud-based SaaS offering.

    As a business owner myself, this is scary. My financials? My budgets, my projections, my variance reports, my P&L statements, in the cloud? Exposed? If something bad happens, who is going to own the decision to place this critical data outside the firewall? Who will explain the incident to the shareholders, the Securities and Exchange Commission, the Wall Street Journal?

    Turns out that while some organizations are perhaps moving slowly to put critical information like financials into the cloud, when you get outside the technology-analyst fog of skepticism, there’s a lot more optimism than expected.

    Reply
  49. Tomi Engdahl says:

    Secure Server Deployments in Hostile Territory
    http://www.linuxjournal.com/content/secure-server-deployments-hostile-territory

    Would you change what you said on the phone, if you knew someone malicious was listening?

    Although I always have tried to build secure environments, EC2 presents a number of additional challenges both to your fault-tolerance systems and your overall security. Deploying a server on EC2 is like dropping it out of a helicopter behind enemy lines without so much as an IP address.

    In this article, I discuss some of the techniques I use to secure servers when they are in hostile territory. Although some of these techniques are specific to EC2, most are adaptable to just about any environment.

    Reply
  50. Tomi Engdahl says:

    Cisco in single SSH key security stuff-up
    Patch NOW, people
    http://www.theregister.co.uk/2015/06/25/cisco_in_single_ssh_key_security_stuffup/

    A red-faced Cisco has pushed out a patch for a bunch of virtual security appliances that had hard-coded SSH keys.

    Since the keys are associated with the virty appliances’ remote management interface, a successful login would let an attacker waltz through the devices.

    The Borg has announced that its Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) all carry default keys for their remote support access.

    The virtual appliances have hard-coded default authorised SSH keys and SSH host keys.

    Reply
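As an added example, not code from the article or from Cisco, the script below does the fleet-side check a defender wants after an advisory like this one: it reads known_hosts-style lines, computes the SHA256 fingerprint that `ssh-keygen -l` prints, and lists every host key presented by more than one host. The host names and key blobs are constructed placeholders, not real key material.

```python
"""Find SSH host keys shared by more than one host in known_hosts-style input.

Added example. A fleet in which several appliances present the same host key
(or accept the same authorised key) has one secret whose exposure opens all
of them, which is the condition the Cisco advisory describes.
"""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def openssh_fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in the format `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> List[Tuple[str, str, bytes]]:
    """Return (host, keytype, key_blob) for each usable line.

    Handles comments, optional @marker prefixes and comma-separated host
    lists; malformed lines and undecodable keys are skipped rather than fatal.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields and fields[0].startswith("@"):   # e.g. @cert-authority, @revoked
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, keytype, key_b64 = fields[0], fields[1], fields[2]
        try:
            blob = base64.b64decode(key_b64, validate=True)
        except ValueError:       # binascii.Error is a ValueError subclass
            continue
        for host in hosts.split(","):
            entries.append((host, keytype, blob))
    return entries


def shared_host_keys(text: str) -> Dict[str, List[str]]:
    """Map each fingerprint seen on more than one host to the sorted host list."""
    by_fingerprint = defaultdict(set)
    for host, _keytype, blob in parse_known_hosts(text):
        by_fingerprint[openssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fingerprint.items() if len(hosts) > 1}


def _fake_key(label: str) -> str:
    """Constructed placeholder blob; a real entry carries a wire-format public key."""
    return base64.b64encode(f"constructed-key-material-{label}".encode()).decode()


# Constructed known_hosts excerpt: three appliances share one key, one host is unique.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed excerpt for a fleet of virtual appliances",
    f"wsav-1.example.net ssh-rsa {_fake_key('shared')}",
    f"esav-1.example.net ssh-rsa {_fake_key('shared')}",
    f"smav-1.example.net,10.0.0.30 ssh-rsa {_fake_key('shared')}",
    f"bastion.example.net ssh-ed25519 {_fake_key('unique')}",
    "malformed line without a key",
])


if __name__ == "__main__":
    for fingerprint, hosts in shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fingerprint} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```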
