Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states; they could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity coverage driven by the NSA revelations made in 2013. There were lots of articles on the published material. Not everything has yet been published, so I expect further details from the NSA revelations to surface in 2015, along with new information leaks on how governmental security organizations spy on us all.

It seems that 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers, and the changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming in constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015; the tools for it are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats these new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics, and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
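As an added example that is not part of the original post, here is a small Python check an end user or administrator can run to tell whether the certificate reaching the browser was issued by the site's public CA or re-signed by an intercepting proxy of the kind described above; the expected issuer names, proxy-CA hints and certificate records are constructed for the demo.

```python
"""Tell whether the certificate presented on an HTTPS connection is the one
the site's public CA issued or one re-signed by an intercepting proxy.
Added example, not from the original post; issuer names, proxy-CA hints and
the sample certificate records are constructed for the demo."""
import hashlib
import socket
import ssl
from typing import Optional, Tuple

# Public CA organisations we expect as issuer for the site we check
# (assumption for the demo; derive it from the site's real chain).
EXPECTED_ISSUER_ORGS = {"DigiCert Inc", "Let's Encrypt"}

# Substrings that typically identify a corporate TLS-inspection CA.  Constructed
# list; populate it from the CA your own middlebox installs in the trust store.
PROXY_CA_HINTS = ("proxy ca", "ssl inspection", "tls inspection")


def rdn_value(name: tuple, key: str) -> Optional[str]:
    """Extract one attribute (e.g. organizationName) from the nested tuple
    structure ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, the value browsers show as 'fingerprint'."""
    return hashlib.sha256(der_cert).hexdigest()


def classify_cert(peer_cert: dict, der_cert: Optional[bytes] = None,
                  pinned_fingerprint: Optional[str] = None) -> str:
    """Return 'ok', 'intercepted' or 'unexpected-issuer'.

    With a pinned fingerprint the test is exact: any other certificate means
    something between client and site re-signed the connection.  Without one,
    fall back to the issuer name: an inspecting proxy signs every site with its
    own CA, so the issuer is no longer the site's public CA."""
    if pinned_fingerprint is not None and der_cert is not None:
        return "ok" if cert_fingerprint(der_cert) == pinned_fingerprint.lower() else "intercepted"
    issuer = peer_cert.get("issuer", ())
    issuer_text = " ".join(filter(None, (rdn_value(issuer, "organizationName"),
                                         rdn_value(issuer, "commonName")))).lower()
    if any(hint in issuer_text for hint in PROXY_CA_HINTS):
        return "intercepted"
    if rdn_value(issuer, "organizationName") not in EXPECTED_ISSUER_ORGS:
        return "unexpected-issuer"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443) -> Tuple[dict, bytes]:
    """Live helper (needs network): returns (getpeercert() dict, DER bytes).
    The default context trusts the system store, so a proxy CA installed there
    makes the handshake succeed; only the issuer or fingerprint check reveals it.
    A proxy CA that is NOT trusted raises ssl.SSLCertVerificationError instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed records in getpeercert() format (not captured from real sites).
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert SHA2 Secure Server CA"),)),
}
SAMPLE_PROXIED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp SSL Inspection CA"),)),
}
SAMPLE_UNKNOWN = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Some Other CA"),),),
}

if __name__ == "__main__":
    for label, rec in (("public", SAMPLE_PUBLIC), ("proxied", SAMPLE_PROXIED),
                       ("unknown", SAMPLE_UNKNOWN)):
        print(f"{label}: {classify_cert(rec)}")
```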


3,110 Comments

  1. Tomi Engdahl says:

    Peter Elkind / Fortune:
    Instead of hardening security defenses, Sony Pictures focused on offending North Koreans less, and was more afraid of security costs than risks

    Inside the Sony Hack
    A cyber-invasion brought Sony Pictures to its knees and terrified corporate America. The story of what really happened—and why Sony should have seen it coming. A special three-part investigation.

    Part 1: Who was manning the ramparts at Sony Pictures?
    http://fortune.com/sony-hack-part-1/

    Part 2: The storm builds
    http://fortune.com/sony-hack-part-two/

  2. Tomi Engdahl says:

    Shane Harris / The Daily Beast:
    OPM hackers obtained details more damaging than previously reported, including potentially humiliating “adjudication information” on federal workers

    Hackers Stole Secrets of U.S. Government Workers’ Sex Lives
    http://www.thedailybeast.com/articles/2015/06/24/hackers-stole-secrets-of-u-s-government-workers-sex-lives.html

    Infidelity. Sexual fetishes. Drug abuse. Crushing debt. They’re the most intimate secrets of U.S. government workers. And now they’re in the hands of foreign hackers.

    It was already being described as the worst hack of the U.S. government in history. And it just got much worse.

    A senior U.S. official has confirmed that foreign hackers compromised the intimate personal details of an untold number of government workers. Likely included in the hackers’ haul: information about workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity.

    Those details, which are now presumed to be in the hands of Chinese spies, are found in the so-called “adjudication information” that U.S. investigators compile on government employees and contractors who are applying for security clearances. The exposure suggests that the massive computer breach at the Office of Personnel Management is more significant and potentially damaging to national security than officials have previously said.

  3. Tomi Engdahl says:

    Rachael King / Wall Street Journal:
    Automakers tackle the huge security challenges of vehicle-to-vehicle communication

    Automakers Tackle the Massive Security Challenges of Connected Vehicles
    http://blogs.wsj.com/digits/2015/06/26/automakers-tackle-the-massive-security-challenges-of-connected-vehicles/

    The National Highway Traffic Safety Administration is accelerating its efforts to mandate vehicle-to-vehicle communications, a step that could help lower the number of traffic deaths in the U.S., but also creates a major challenge for data security and privacy.

    NHTSA plans to submit a proposed connected car rule by the end of the year. New cars equipped with the communications technology could hit the market by the early 2020s, the Transportation Department estimates. The technology could have great public benefits, potentially reducing the 30,000-plus crash related deaths that occur in the U.S. every year. But the technology would emit a stream of data broadcasting the location of millions of cars, a potential security dilemma.

    A group of eight automakers already has put years of work into developing an unprecedented system to manage such risks. The system is a form of so-called public key infrastructure, which employs encryption and authentication and is widely used by online shopping sites and banks. The idea is to let two vehicles that have no existing relationship securely exchange data.

    PKI technology is effective, but not infallible.

    The data stream that will come from vehicles is bound to attract a broad range of hackers. “A terrorist might want to shut down a major bridge or tunnel in a major urban area by causing a whole bunch of vehicles to misbehave,”

    Designers of the new security system for connected cars are trying to guard against that possibility. The system would be larger than anything in use today, creating a new set of technical challenges. A PKI system for connected cars ultimately will need to scale to 200 million or more vehicles, while maintaining driver privacy and fending off hackers.

    Automakers including Ford Motor , General Motors , Nissan Motor , Mazda Motor Corp., Honda Motor , Volkswagen and its luxury brand Audi , Daimler AG’s Mercedes-Benz and Hyundai Motor Co. and its affiliate Kia Motors plan to finish a proof of concept for a security credential management system by August of next year. The automakers, part of a Crash Avoidance Metrics Partnership consortium, have a cooperative agreement with the Transportation Department to build the system. CAMP has already invested 11 years researching and testing various security approaches.

  5. Tomi Engdahl says:

    Sheera Frenkel / BuzzFeed:
    The Yemeni Cyber Army is likely an Iranian government-run operation

    Meet The Mysterious New Hacker Army Freaking Out The Middle East
    http://www.buzzfeed.com/sheerafrenkel/who-is-the-yemen-cyber-army#.hgYYwmOqQ

    The “Yemen Cyber Army” seemed to appear out of thin air to carry out one of the most audacious attacks of the year. BuzzFeed News’ Sheera Frenkel investigates who they are.

    The first tweets appeared on April 14. The website of Al Hayat, a pro-Saudi newspaper, had been hacked, its front page replaced to threaten Saudi Arabia against getting involved in Yemen’s growing civil unrest. A group calling itself the Yemen Cyber Army took credit for the hack. Few took notice — amid the breaches of government databases and hacking armies with groups claiming affiliation with groups like ISIS, the takedown of a newspaper website was hardly news.

    But the campaign continued to build. Twitter accounts were created calling for hackers to attack Saudi targets rallying around the hashtag #OpSaudi. On May 20, the Saudi foreign ministry was hacked. The next day, a story appeared on Iran’s state-run FARS news agency, the first media mention of the group (followed quickly by a second press mention on Russia Today). The FARS story credited the Yemen Cyber Army with carrying out the hack of the Saudi foreign ministry and said it would soon be releasing personal information about Saudi federal employees as well as diplomatic correspondence.

  6. Tomi Engdahl says:

    Leena Rao / Fortune:
    Instacart lets some retailers collect personal data on customers if the user opts in, starting with Whole Foods

    Instacart is asking its customers to do something new
    http://fortune.com/2015/06/26/instacart-grocery-stores/

    The grocery delivery service has premiered a new feature that some customers may want to avoid.

  7. Tomi Engdahl says:

    Secure Server Deployments in Hostile Territory
    http://www.linuxjournal.com/content/secure-server-deployments-hostile-territory

    Would you change what you said on the phone, if you knew someone malicious was listening? Whether or not you view the NSA as malicious, I imagine that after reading the NSA coverage on Linux Journal, some of you found yourselves modifying your behavior. The same thing happened to me when I started deploying servers into a public cloud (EC2 in my case).

    Although I always have tried to build secure environments, EC2 presents a number of additional challenges both to your fault-tolerance systems and your overall security. Deploying a server on EC2 is like dropping it out of a helicopter behind enemy lines without so much as an IP address.

    In this article, I discuss some of the techniques I use to secure servers when they are in hostile territory. Although some of these techniques are specific to EC2, most are adaptable to just about any environment.

    So, what makes EC2 so hostile anyway? When you secure servers in a traditional environment, you may find yourself operating under a few assumptions. First, you likely assume that the external network is the main threat and that your internal network is pretty safe. You also typically assume that you control the server and network hardware, and if you use virtualization, the hypervisor as well. If you use virtualization, you probably also assume that other companies aren’t sharing your hardware, and you probably never would think it is possible that a malicious user might share your virtualization platform with you.

    In EC2, all of those assumptions are false. The internal and external network should be treated as potentially hostile.

    EC2 Security Groups can be thought of in some ways like a VLAN in a traditional network. With Security Groups, you can create firewall settings to block incoming traffic to specific ports for all servers that are members of a specific group

    I generally use Security Groups like most people might use VLANs only with some changes. Every group of servers that share a common purpose have their own Security Group.

    For instance, I might use changes to the default Security Group to allow all servers to talk to my Puppetmaster server on its custom port. As another example, I use a VPN to access my cloud network, and that VPN is granted access to SSH into all of the servers in my environment.

    Finally, I never store a secret in my userdata file. Often when you spawn a server in EC2, you provide the server with a userdata file. A number of AMIs (Amazon Machine Images—the OS install image you choose) are configured to execute the userdata script.

    configure my configuration management system (Puppet) and from that point on let it take over the configuration of the system

    Handling Secrets

    It’s incredibly important to think about how you manage secrets in a cloud environment beyond just the userdata script. The fact is, despite your best efforts, you still often will need to store a private key or password in plain text somewhere on the system. As I mentioned, I use Puppet for configuration management of my systems. I store all of my Puppet configuration within Git to keep track of changes and provide an audit trail if I ever need it. Having all of your configuration in Git is a great practice, but the first security practice I recommend with respect to secrets is to avoid storing any plain-text secrets in your configuration management system. Whenever possible, I try to generate secrets on the hosts that need them, so that means instead of pushing up a GPG or SSH key pair to a server, I use my configuration management system to generate one on the host itself.

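As an added example that is not part of the quoted article, here is a Python pre-commit style scanner that flags plain-text secrets in the two places the article says never to put them, Puppet manifests in Git and EC2 userdata scripts; the regex patterns, the hiera-eyaml allow-rule and the sample manifest and userdata are constructed for the demo.

```python
"""Flag plain-text secrets in configuration-management sources (Puppet
manifests, EC2 userdata scripts) before they land in Git.  Added example,
not code from the Linux Journal article; sample inputs are constructed."""
import re
import sys
from typing import Iterable, List, Tuple

# (label, regex).  Deliberately simple: a hit is a review prompt, not proof.
SECRET_PATTERNS = [
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # Puppet attribute with a quoted literal:  password => 'hunter2'
    ("puppet-password-literal",
     re.compile(r"""\b(?:password|passwd|secret|token)\s*=>\s*['"][^'"]{4,}['"]""", re.I)),
    # Shell/userdata variable:  DB_PASSWORD=hunter2  or  AWS_SECRET_ACCESS_KEY='...'
    ("shell-password-assignment",
     re.compile(r"""\b[A-Z_]*(?:PASSWORD|SECRET|TOKEN)[A-Z_]*=['"]?[^\s'"]{4,}""")),
]

Hit = Tuple[str, int, str]  # (source name, line number, pattern label)


def scan_text(text: str, source: str = "<input>") -> List[Hit]:
    """Return one hit per suspicious line (first matching pattern wins).
    Lines carrying hiera-eyaml ciphertext (ENC[...]) are skipped: that is an
    accepted way to keep a secret in the repo without it being plain text."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "ENC[" in line:
            continue
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((source, lineno, label))
                break
    return hits


def scan_files(paths: Iterable[str]) -> List[Hit]:
    """Scan files on disk, e.g. the staged paths a Git pre-commit hook passes in."""
    hits: List[Hit] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_text(fh.read(), path))
    return hits


# Constructed Puppet manifest: two bad lines, plus the on-host generation
# pattern the article recommends (which must NOT be flagged).
SAMPLE_MANIFEST = """\
# constructed Puppet manifest for the demo
class profile::db {
  $db_password = hiera('profile::db::password')   # fine: resolved at run time
  mysql::db { 'app':
    user     => 'app',
    password => 'hunter2hunter2',                  # plain-text secret
  }
  file { '/root/.ssh/id_rsa':
    content => '-----BEGIN RSA PRIVATE KEY-----',   # key material in manifest
  }
  exec { 'gen-host-key':                           # fine: generated on the host
    command => '/usr/bin/ssh-keygen -t ed25519 -N "" -f /etc/app/id_ed25519',
    creates => '/etc/app/id_ed25519',
  }
}
"""

# Constructed EC2 userdata: bootstraps Puppet (fine) but embeds AWS credentials.
SAMPLE_USERDATA = """\
#!/bin/bash
# constructed EC2 userdata for the demo
PUPPET_SERVER=puppet.internal.example
AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDKEY00
AWS_SECRET_ACCESS_KEY='CONSTRUCTED-secret-value-123'
puppet agent --server "$PUPPET_SERVER" --waitforcert 60 --test
"""

if __name__ == "__main__":
    found = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else (
        scan_text(SAMPLE_MANIFEST, "manifest.pp")
        + scan_text(SAMPLE_USERDATA, "userdata.sh"))
    for source, lineno, label in found:
        print(f"{source}:{lineno}: {label}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit in a hook
```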
  8. Tomi Engdahl says:

    Why Kaspersky chief calls IoT ‘Internet of Threats’
    http://www.cloudpro.co.uk/cloud-essentials/cloud-security/5181/why-kaspersky-chief-calls-iot-internet-of-threats

    Any device connected to the internet provides a new entry point for hackers, Eugene Kaspersky warns

    Eugene Kaspersky has expressed fears about the Internet of Things (IoT), dubbing it the ‘Internet of Threats’.

    The security firm’s chief was interviewed by NBC, and detailed the problems connected devices could cause.

    The IoT will create a whole variety of entry points for hackers to infiltrate homes and businesses, he claimed, including via a phone connected to a device, as well as the computer that controls it.

    With hundreds of devices being connected to each other, each provides the perfect opportunity for criminals to hack into devices and distribute ransom messages or malware.

    They will also allow hackers to siphon off personal or confidential data stored on the devices, as well as the controllers.

    “I am afraid that in the very near future we will see very bad incidents, maybe global incidents, from attacks which are designed for Mac or for Android systems,” he said.

    “Take any device – and then think about the possible scenarios for criminal attacks, what kind of profits criminals can have from attacking the device,” Kaspersky said.

  9. Tomi Engdahl says:

    GCHQ accidentally spied on itself too much
    http://www.wired.co.uk/news/archive/2015-06/25/gchq-spied-on-itself

    GCHQ inadvertently collected too much data on its own staff, an annual report has revealed. The error was due to a “lack of understanding” of a spy system’s full capabilities, leading to more data being captured than was authorised.

    In his 2014 report Intelligence Services Commissioner (ISC) Sir Mark Waller explained how an “internal monitoring system” setup to keep an eye on staff communications was “capturing more information that it was authorised to”.

    GCHQ explained that it had not understood the full capabilities of the snooping tool with the Commissioner saying it was clearly a “technical error and not deliberate”.

    The embarrassing error was revealed on the same day as the UK’s special envoy on intelligence and law enforcement data sharing released a summary of his findings (PDF).

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/438326/Special_Envoy_work_summary_final_for_CO_website.pdf

  10. Tomi Engdahl says:

    Navy pays Microsoft $9 million a year for Windows XP
    http://money.cnn.com/2015/06/26/technology/microsoft-windows-xp-navy-contract/

    The U.S. Navy is still using Windows XP — now 14 years old and defunct — and it has to pay Microsoft $9 million to keep supporting it.

    Microsoft (MSFT, Tech30) pulled support for Windows XP last year, and will no longer issue security updates to fix major holes in the software. Companies and agencies that are still running XP have the option of paying Microsoft for continued Windows XP updates, which provide an essential line of defense against hackers.

    In a statement, the Navy said it has a plan in place to upgrade its systems to a newer version of Windows. It expects to complete its upgrades by July 12, 2016.

    But there’s a chance that it could take even longer. That’s why the Navy’s contract with Microsoft contains options to extend the deal through June 8, 2017. That would raise the amount the Navy will pay for Windows XP support to nearly $31 million.

    “The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products,” said Steven Davis, spokesman for Space and Naval Warfare Systems Command. “Until those applications and programs are modernized or phased out, this continuity of services is required to maintain operational effectiveness.”

    The Navy didn’t have exact figures on the number of systems that still run on XP, but given the $9-million-a-year check it’s writing Microsoft, it’s not a small amount of computers.

    The XP issue is not restricted to the Navy. A stunning 44% of corporations still have Windows XP installed on at least one PC. Worldwide, nearly 15% of PCs are still running XP

  11. Tomi Engdahl says:

    List of BBC web pages which have been removed from Google’s search results
    http://www.bbc.co.uk/blogs/internet/entries/1d765aa8-600b-4f32-b110-d02fbf7fd379

    Since a European Court of Justice ruling last year, individuals have the right to request that search engines remove certain web pages from their search results. Those pages usually contain personal information about individuals.

    Following the ruling, Google removed a large number of links from its search results, including some to BBC web pages, and continues to delist pages from BBC Online.

    Update 29/06/15: Google has asked us to point out that links to the BBC articles below are only delisted from results for queries on certain names. They are not removed from the Google index entirely. We’re happy to make that clear.

  12. Tomi Engdahl says:

    Cisco warns of default SSH bug in three of its virtual applications
    Flaw could allow attackers to decrypt traffic exchanged between the services
    http://www.theinquirer.net/inquirer/news/2415349/cisco-warns-of-default-ssh-bug-in-three-of-its-virtual-applications

    CISCO HAS WARNED of a default Secure Shell vulnerability in three of its virtual applications.

    The flaw could allow attackers to decrypt traffic exchanged in the services, and has been detailed in a Cisco security advisory.

    It affects Cisco’s Web Security Virtual Appliance (SMAv), Email Security Virtual Appliance and Security Management Virtual Appliance, which are already commercially available.

    The default private encryption keys were preinstalled on all three of the products, a move which is considered bad security practice.

    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport

  13. Tomi Engdahl says:

    New York Times:
    When a Company Goes Up for Sale, in Many Cases, So Does Your Personal Data —
    http://www.nytimes.com/2015/06/29/technology/when-a-company-goes-up-for-sale-in-many-cases-so-does-your-personal-data.html?_r=0

    The privacy policy for Hulu, a video-streaming service with about nine million subscribers, opens with a declaration that the company “respects your privacy.” — That respect could lapse, however, if the company is ever sold or goes bankrupt.

  14. Tomi Engdahl says:

    Mike Levine / ABC News:
    In the wake of hack, OPM shuts down the system for federal background checks for 4 to 6 weeks to fix security vulnerability

    In Wake Of Hack, OPM Shutters System For Federal Background Checks
    http://abcnews.go.com/Politics/wake-massive-hack-opm-shuts-major-system-background/story?id=32104734

    Three weeks after U.S. authorities determined foreign hackers may have stolen sensitive government records tied to tens of millions of people, the Office of Personnel Management has now shut down a system tied to the breach, essentially bringing to a halt background checks for new federal employees, contractors and others.

    According to an “alert” posted on OPM’s website today, the Electronic Questionnaires for Investigations Processing system — or “e-QIP” — “will be down for an extended period of time for security enhancements.”

    In a subsequent news release, OPM called it a “temporary suspension” that “will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted.”

    Through the e-QIP system, OPM conducts more than 90 percent of the U.S. government’s background investigations – spanning 100 federal agencies from the FBI to the Department of Agriculture.

  15. Tomi Engdahl says:

    WikiLeaks docs show NSA’s 10-year economic espionage campaign against France
    Details of every business deal over $200m slurped
    http://www.theregister.co.uk/2015/06/29/wikileaks_docs_show_nsa_vs_france/

    Franco-American relations have taken a further hammering on Monday after WikiLeaks revealed new documents showing that the NSA has been collecting the details of commercial deals in the Land of Brie for over a decade and sharing them with its allies.

    “The United States has been conducting economic espionage against France for more than a decade. Not only has it spied on the French Finance Minister, it has ordered the interception of every French company contract or negotiation valued at more than $200 million,” said Julian Assange in a statement.

    “Hundreds of such contracts are signed every year. The United States not only uses the results of this spying itself, but swaps these intercepts with the United Kingdom. Do French citizens deserve to know that their country is being taken to the cleaners by the spies of supposedly allied countries? Mais oui!”

    Reply
  16. Tomi Engdahl says:

    How IKEA Patched Shellshock
    http://linux.slashdot.org/story/15/06/29/2136208/how-ikea-patched-shellshock

Magnus Glantz, IT manager at IKEA, revealed that the Swedish furniture retailer has more than 3,500 Red Hat Enterprise Linux servers. With Shellshock, every single one of those servers needed to be patched to limit the risk of exploitation. So how did IKEA patch all those servers? Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating “That’s it, thanks for coming.” On a more serious note, he said that it took approximately two and a half hours to upgrade their infrastructure to defend against Shellshock.

    Ikea Patched for Shellshock by Methodically Upgrading All Servers
    http://www.eweek.com/security/ikea-patched-for-shellshock-by-methodically-upgrading-all-servers.html

    It took about 2.5 hours to test, deploy and upgrade Ikea’s entire IT infrastructure to defend against Shellshock. Here’s how Ikea did it so quickly.

    Glantz explained that Ikea has more than 3,500 Red Hat Enterprise Linux (RHEL) servers deployed in Sweden and around the world. With Shellshock, every single one of those servers needed to be patched and updated to limit the risk of exploitation. So how did Ikea patch all those servers?

    Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating “That’s it, thanks for coming,” as the audience erupted into boisterous applause.

    On a more serious note, Glantz said that it took approximately 2.5 hours to test, deploy and upgrade Ikea’s entire IT infrastructure to defend against Shellshock. The key to Ikea’s ability to quickly upgrade all its servers is having a consistent approach to system-management across its infrastructure, he said.

    To audience applause and laughter, Glantz visually displayed the system-management approach with a graphic instruction manual that showed the parts in a manner similar to how a typical Ikea furniture assembly pamphlet looks.

    “One does not patch random servers,” Glantz said.

    Glantz explained that the first step in the assembly of his IT infrastructure is to have a well-defined Standard Operating Environment (SOE). The SOE includes a definition of the hardware platforms used as well as the Linux and application software that is installed.

    It’s critical to enforce a system-management process that keeps servers and application software on the latest versions, Glantz said. He warned that if an enterprise doesn’t enforce that mandate, inevitably, the majority of systems will be running older versions and it will be more difficult to scale, manage and patch.

    Ikea uses the Red Hat Satellite server-management technology to track and manage its Linux servers in a standardized manner.

    One of the potential challenges of constantly updating servers is the risk that applications break when new server operating system software is loaded. Glantz, however, isn’t worried and noted that RHEL offers the promise of Application Binary Interface (ABI) compatibility across updates.

    Reply
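The article does not reproduce Glantz’s one-liner, so here is an added example (not IKEA’s code, and not from the article) of the check a fleet-wide patch run like that would be verified against. It runs the public test vector for the original Shellshock bug (CVE-2014-6271): export an environment variable whose value looks like a bash function definition followed by a trailing command, then start bash. A vulnerable bash executes the trailing command while importing the function; a patched bash only runs the requested command. The host names and outputs in SAMPLE_RESULTS are constructed to show the classification step, and the bash path defaults to whatever is first on PATH.

```python
"""Check bash for CVE-2014-6271 (Shellshock) and summarise results across hosts."""
import shutil
import subprocess

# The well-known public test vector. A vulnerable bash prints "vulnerable"
# before "test"; a patched bash prints only "test" (and a warning on stderr).
TEST_ENV_VALUE = "() { :;}; echo vulnerable"
PROBE_COMMAND = "echo test"


def classify_output(stdout: str) -> bool:
    """True if the captured stdout shows the injected trailing command ran."""
    lines = [line.strip() for line in stdout.splitlines()]
    return "vulnerable" in lines


def check_bash(bash_path: str = None) -> dict:
    """Run the probe against one bash binary (default: first bash on PATH).

    Returns a dict with the binary used, a True/False/None verdict (None when
    bash could not be executed) and the raw stdout for the record.
    """
    path = bash_path or shutil.which("bash")
    if path is None:
        return {"bash": None, "vulnerable": None, "output": ""}
    # Only the probe variable and a minimal PATH reach the child process.
    env = {"x": TEST_ENV_VALUE, "PATH": "/usr/bin:/bin"}
    try:
        proc = subprocess.run(
            [path, "-c", PROBE_COMMAND],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return {"bash": path, "vulnerable": None, "output": ""}
    return {"bash": path, "vulnerable": classify_output(proc.stdout), "output": proc.stdout}


# Constructed sample outputs, as they would come back from running check_bash()
# on several hosts; these are not real hosts or real results.
SAMPLE_RESULTS = {
    "web-01": "vulnerable\ntest\n",
    "web-02": "test\n",
    "db-01": "test\n",
}


def hosts_needing_patch(results: dict) -> list:
    """Given {host: stdout}, list the hosts whose bash still imports the function body."""
    return sorted(host for host, out in results.items() if classify_output(out))


if __name__ == "__main__":
    print("local bash:", check_bash())
    print("hosts needing patch:", hosts_needing_patch(SAMPLE_RESULTS))
```

On RHEL the fix for a host that shows up in that list is simply updating the bash package from the distribution repository, which is the kind of one-line operation the talk alluded to; the point of the SOE and Satellite setup is that the same command is valid on every host.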
  17. Tomi Engdahl says:

    MIT System Fixes Software Bugs Without Access To Source Code
    http://it.slashdot.org/story/15/06/29/1533204/mit-system-fixes-software-bugs-without-access-to-source-code

    MIT researchers have presented a new system at the Association for Computing Machinery’s Programming Language Design and Implementation conference that repairs software bugs by automatically importing functionality from other, more secure applications.

    Automatic bug repair
    http://newsoffice.mit.edu/2015/automatic-code-bug-repair-0629

    System fixes bugs by importing functionality from other programs — without access to source code.

    At the Association for Computing Machinery’s Programming Language Design and Implementation conference this month, MIT researchers presented a new system that repairs dangerous software bugs by automatically importing functionality from other, more secure applications.

    Remarkably, the system, dubbed CodePhage, doesn’t require access to the source code of the applications whose functionality it’s borrowing. Instead, it analyzes the applications’ execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it’s repairing was written.

    Once it’s imported code into a vulnerable application, CodePhage can provide a further layer of analysis that guarantees that the bug has been repaired.

    “We have tons of source code available in open-source repositories, millions of projects, and a lot of these projects implement similar specifications,” says Stelios Sidiroglou-Douskos, a research scientist at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) who led the development of CodePhage. “Even though that might not be the core functionality of the program, they frequently have subcomponents that share functionality across a large number of projects.”

    With CodePhage, he says, “over time, what you’d be doing is building this hybrid system that takes the best components from all these implementations.”

    To begin its analysis, CodePhage requires two sample inputs: one that causes the recipient to crash and one that doesn’t.

    Automated future

    The researchers tested CodePhage on seven common open-source programs in which DIODE had found bugs, importing repairs from between two and four donors for each. In all instances, CodePhage was able to patch up the vulnerable code, and it generally took between two and 10 minutes per repair.

    As the researchers explain, in modern commercial software, security checks can take up 80 percent of the code — or even more. One of their hopes is that future versions of CodePhage could drastically reduce the time that software developers spend on grunt work, by automating those checks’ insertion.

    “The longer-term vision is that you never have to write a piece of code that somebody else has written before,” Rinard says. “The system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work.”

    Reply
  18. Tomi Engdahl says:

    Of Ma And Malware: Inside China’s iPhone Jailbreaking Industrial Complex
    http://www.forbes.com/sites/thomasbrewster/2015/06/26/china-iphone-jailbreak-industry/

In late March a handful of the western world’s best-known iPhone hackers were flown business class to Beijing. They were put up in the five-star Park Hyatt and given a tour of the sights

    It was a bizarre trip hosted by an equally bizarre and secretive entity called TaiG (pronounced “tie-gee”), which flew the hackers to China to share techniques and tricks to slice through the defences of Apple’s mobile operating system in front of an eager conference-hall crowd. Why such interest and why such aggrandisement of iOS researchers? In the last two years, jailbreaking an iPhone – the act of removing iOS’ restrictions against installing unauthorized apps, app stores and other features by exploiting Apple security – has become serious business in China. From Alibaba to Baidu, China’s biggest companies are supporting and even funding the practice, unfazed at the prospect of peeving Apple, which has sought to stamp out jailbreaking ever since it became a craze in the late 2000s.

    Any hacker who can provide the full code for an untethered jailbreak, where the hack continues to work after the phone reboots, can expect a big pay check for their efforts. “Many experts agree the price for an untethered jailbreak is around $1 million,”

    More often, sellers of iOS zero-day vulnerabilities – the previously-unknown and unpatched flaws required for jailbreaks – make thousands if not hundreds of thousands of dollars from Chinese firms, private buyers or governments, in particular three-letter agencies from the US.

    Such big sums are on offer due to the explosion of the third-party app store industry in China. There are at least 362 million monthly active mobile app users in China, according to data provided by iResearch. Whilst smartphone owners in Western nations are content within the walled gardens of Apple and Google app stores for their games, media and work tools, the Chinese are fanatical about apps and want the broadest possible choice from non-Apple app stores. Jailbreaks, which do away with Apple’s chains and allow other markets on the device, are thus vital to meeting that demand.

    China’s app market industry came to life with Baidu’s 2013 $1.9 billion acquisition of 91 Wireless, which distributes iOS and Android apps, and at the time had shipped 10 billion apps. Its 91.com website openly advertises jailbreak tutorials.

    From three per cent of total mobile sales in China in the first quarter of 2013, the iPhone hit 17 per cent in the same period in 2015. That was around four per cent higher than the closest competitor, China’s own Xiaomi.

    And to get the biggest slice, the industry’s biggest players are undermining one another with aggressive tactics. To get one up on the competition, some are offering big money to hackers who can bundle stores with jailbreaks, so that when a user goes through the steps of unlocking their iPhone, they’re encouraged to download the sponsor’s app market, commonly known as “assistants” in China.

    And yet Alibaba’s 25pp marketplace doesn’t need the phone to be unlocked to install on iOS. It flouts Apple security rules in other ways. FORBES has learned the store breaks Apple policy by using an Enterprise Certificate to install itself on users’ phones.

    These certificates are supposed to be used by businesses to disseminate bespoke apps within the confines of the corporate network and are strictly not for commercial use. Apple could simply revoke the certificate, but it would be easy for Alibaba’s subsidiary to obtain a new one and start breaking the rules all over again.

    China’s third-party marketplaces have become synonymous with iOS malware and piracy, however.

    Even if the iOS cracking market shrinks as Chinese corporations expand and crack down on piracy-linked activity, the jailbreaking game is expected to remain a profitable one.

    Apart from Bassen, none of the attendees admit to selling jailbreak services to a Chinese company. But some jailbreakers FORBES spoke with say they have been approached with six and seven-figure offers over the last two years from different sources.

    The lack of transparency is one reason selling iOS zero days to Chinese companies is frowned upon by some in the scene, as indicated by Hill’s own antipathy.

    Money, it seems, has turned jailbreaking from a hobbyist affair concerned with free and open software, into a hostile game where vast sums are up for grabs.

    Reply
  19. Tomi Engdahl says:

    Cloud-Based Backup and Disaster Recovery Is a Win-Win for Business
    http://www.cio.com/article/2942073/disaster-recovery/cloud-based-backup-and-disaster-recovery-is-a-win-win-for-business.html

    New models present a compelling alternative for business continuity

    The cloud is pretty much a win-win when it comes to business continuity. First, a cloud service structurally is a mesh of redundant resources scattered across the globe. If one resource should become unavailable, requests re-route to another available site. So from a high-availability standpoint, everyone benefits.

    That’s why classes of “as a service” models are emerging for backup and recovery. Backup as a service (BaaS) and disaster recovery as a service (DRaaS) resonate particularly well with smaller, growing businesses that may not have the budgets for the equipment and real estate required to provide hot, warm, or even cold backup facilities and disaster recovery sites. The cloud itself becomes “the other site” – and you only pay for the “facilities” when you use them because of the cloud’s inherent usage-based pricing model.

    The global DRaaS market is forecast to grow by 36 percent annually from 2014 to 2022, according to Transparency Market Research. Cloud-based backup and DR makes it easy to retrieve files and application data if your data center or individual servers become unavailable. Using the cloud alleviates the threat of damage to or theft of a physical storage medium, and there’s no need to store disks and tape drives in a separate site.

    Cloud-based disaster recovery services eliminate the need for site-to-site replication

    Reply
  20. Tomi Engdahl says:

    Cybersquatting lawsuit filed over domain name registered 16 years before plaintiff’s use
    http://domainnamewire.com/2015/06/29/cybersquatting-lawsuit-workbetter/

    Office Space Solutions wants a domain name registered 16 years before it started using the corresponding term in commerce. It’s taking the legal route to get it.
    Now Office Space Solutions wants the domain name for its business. Rather than paying for it, the company has filed a lawsuit under the Anticybersquatting Protection Act.

    New York company Office Space Solutions, Inc. has filed a cybersquatting lawsuit against Jason Kneen of Great Britain over the domain name WorkBetter.com.

    The lawsuit never mentions that the defendant registered the domain name in 1999.

    According to an Office Space Solutions’ filing with the USPTO, it didn’t use the term “Work Better” in commerce until February 11, 2015.

    Hmm, that seems to be after the domain name was allegedly renewed. So even the spurious “renewed in bad faith” argument shouldn’t hold up.

    Filing such a lawsuit is risky, given that courts have made companies pay domain name owners in cases of reverse domain name hijacking.

    It failed to acquire the domain name, and is now trying to take it via a lawsuit.

    Comments:

This is ridiculous. It is an opportunistic attempt to bypass the investment others have made with domain names. Companies don’t have to register the domains they want, just sue others for them now.

    ICANN could easily stop this madness.

    The phrase used to be SLAPP SUIT, i.e., a lawsuit filed by some one with very deep pockets against someone with not a lot of visible resources with the deep pocketed party hoping that THE COST OF LITIGATION and the simple grind of litigation is enough to force the weaker party to settle the lawsuit on terms favorable to the stronger party.

    Reply
  21. Tomi Engdahl says:

    Study: Wi-Fi Devices Require Minimum Distance from Medical Equipment
    http://www.medicaldesignbriefs.com/component/content/article/1104-mdb/news/22431

    The electromagnetic radiation caused by wireless technology can interfere with electronic medical equipment and lead to serious clinical consequences for patients. New research from Concordia University helps to define safety parameters for health-care workers carrying Wi-Fi devices.

    Hospitals often specify that staff members carrying wireless transmitters not approach sensitive electronic medical devices any closer than a designated minimum separation distance (MSD). The research team set out to study if the policy truly affects the risk of electromagnetic interference.

    “We found that MSD policy really does work. If hospital staff comply fully with the policy, they can have a tablet in the same room as the patient and medical equipment without posing a danger,”

    According to the study, the risk reduces rapidly by increasing the MSD from zero to a small value. The risk does not decrease further, however, with larger minimum separation distances.

    Is your tablet a risk to hospital care?
    http://www.concordia.ca/news/cunews/main/stories/2015/06/16/research-study-examines-wireless-transmitters-in-hospitals.html

    A Concordia study examines whether wireless transmitters represent a danger to patients

    Thousands of patients die each year in hospitals across North America due to medical errors that could be prevented were doctors and nurses provided with instant access to patient records via wireless technology. Cue the Catch-22: the electromagnetic radiation caused by those very devices can interfere with electronic medical equipment and thus lead to serious clinical consequences for patients.

    Luckily, that could soon change thanks to new research from Concordia University that helps define a clear rule of thumb for how close health-care workers with their Wi-Fi devices can be to electronic medical equipment.

    In a study published recently in IEEE Transactions on Electromagnetic Compatibility,

    Hospitals often specify that staff members carrying wireless transmitters not approach sensitive electronic medical devices any closer than a designated minimum separation distance (MSD).

    “We found that MSD policy really does work. If hospital staff comply fully with the policy, they can have a tablet in the same room as the patient and medical equipment without posing a danger,” says Ardavan.

    “We observed that the risk reduces rapidly by increasing the MSD from zero to a small value. After that, the risk doesn’t decrease when you increase the MSD beyond a level that we call the optimal MSD. This indicates that specifying larger minimum separation distances doesn’t necessarily increase safety.”

    The bottom line: keep your wireless device further than arm’s length from medical equipment and the risk of interference is very small.

    Reply
  22. Tomi Engdahl says:

    Synopsys Acquires Elliptic Technologies, Beefs up Security
    http://www.eetimes.com/document.asp?doc_id=1327012&

    EDA software company Synopsys, Inc. announced (June 29) its acquisition of security intellectual property company Elliptic Technologies. Elliptic, a founding member of the prpl Foundation’s Security Working Group, has been working on an open security framework for deploying secured and authenticated virtualized services in the IoT and related emerging markets. Its security IP is already in many devices, from mobile, automotive, digital home, Internet of Things (IoT) and cloud computing applications, according to the press release.

    Synopsys also recently announced acquisition of Codenomicon and plans to acquire Quotium’s Seeker product.

    Synopsys Expands Security Solutions with Acquisition of Elliptic Technologies
    Acquisition Complements DesignWare IP Portfolio with a Broad Range of Security IP
    http://news.synopsys.com/2015-06-29-Synopsys-Expands-Security-Solutions-with-Acquisition-of-Elliptic-Technologies

    Reply
  23. Tomi Engdahl says:

    Arik Hesseldahl / Re/code:
    Famed security researcher Peiter “Mudge” Zatko leaves Google to create a “CyberUL” at behest of U.S. government, an organization to make software more secure

    Famed Security Researcher Mudge Leaves Google
    http://recode.net/2015/06/29/famed-security-researcher-mudge-leaves-google-for-white-house-gig/

    Peiter Zatko, a respected computer security researcher better known by the nickname Mudge, says he’s leaving his job at Google to explore ways to help U.S. government make software more secure.

    plans say he’s looking at setting up an independent non-profit organization devoted to software security that may in time get some government funding.

Still, in mentioning a CyberUL, Zatko referred to a body that many security pros have wished existed for nearly two decades, one inspired in part by Underwriters Laboratories, the 111-year-old company that tests products of all kinds for safety, but dedicated to cyber security.

An Obama Administration official tells Re/code that recent advances in using automated methods to analyze software code for vulnerabilities have spurred interest in government circles to see if there’s a way to standardize how software is tested for security and safety. “The Administration has had some discussions about the potential pros and cons of such a system and how it might be implemented,” the official said. The administration is interested in supporting a feasibility study to determine if such techniques could work, the official said, but stressed that no plans have been finalized.

    The idea for a CyberUL was first proposed in 1999 by L0pht Heavy Industries, a hacker think tank based in Cambridge, Mass., of which Zatko was a member.

    Reply
  24. Tomi Engdahl says:

    Trevor Hughes / USA Today:
    FBI investigating 11 physical attacks on internet fiber optic cables in San Francisco-area dating back a year, including one Tuesday on Level 3 and Zayo

    FBI investigating 11 attacks on San Francisco-area Internet lines
    http://www.usatoday.com/story/tech/2015/06/30/california-internet-outage/29521335/

    The FBI is investigating at least 11 physical attacks on high-capacity Internet cables in California’s San Francisco Bay Area dating back a year, including one early Tuesday morning.

    Agents confirm the latest attack disrupted Internet service for businesses and residential customers in and around Sacramento, the state’s capital.

    FBI agents declined to specify how significantly the attack affected customers, citing the ongoing investigation. In Tuesday’s attack, someone broke into an underground vault and cut three fiber-optic cables belonging to Colorado-based service providers Level 3 and Zayo.

    “When it affects multiple companies and cities, it does become disturbing,” Wuthrich said. “We definitely need the public’s assistance.”

    Reply
  25. Tomi Engdahl says:

    Charlie Savage / New York Times:
    FISA Court rules that 2nd Circuit Court of Appeals was wrong, NSA can temporarily resume bulk data collection for the next five months — Surveillance Court Rules That N.S.A. Can Resume Bulk Data Collection — WASHINGTON — The Foreign Intelligence Surveillance Court ruled late Monday …
    http://www.nytimes.com/2015/07/01/us/politics/fisa-surveillance-court-rules-nsa-can-resume-bulk-data-collection.html

    Reply
  26. Tomi Engdahl says:

    Charlie Osborne / ZDNet:
    Cisco to buy cybersecurity firm OpenDNS in $635m deal
    http://www.zdnet.com/article/cisco-to-buy-cybersecurity-firm-opendns-in-635m-deal/

    Cisco has announced its intention to purchase threat protection security firm OpenDNS in a deal worth $635 million.

    Announced on Tuesday, the tech giant said the move will accelerate the development of the Cisco Cloud Delivered Security Portfolio, and OpenDNS will prove a boost to advanced threat protection services for Cisco clients.

    In addition, the OpenDNS cloud delivered platform will give Cisco better visibility and more insight into the threat landscape.

Cisco’s latest portfolio addition will be made in light of the Internet of Everything (IoE), linked to the Internet of Things (IoT) concept. With over 50 billion devices expected to become connected by 2020, the rush to create smart devices and appliances also gives threat actors a far wider reach and more opportunities to breach networks and break corporate security.

This is where cloud-based security solutions come in — bolt-on Software-as-a-Service (SaaS) models which can provide better security for the enterprise without requiring vast in-house teams or expertise.

    “In a world in which devices and people can connect from anywhere at anytime, enterprise IT teams have increasingly limited visibility into potential threats from these unmonitored and potentially unsecure entry points into the network, creating tremendous security risk,” Cisco says.

    Reply
  27. Tomi Engdahl says:

    Ruth Reader / VentureBeat:
    Medium adds sign-in option that emails users a one-time login link, no password required

    Medium doesn’t think it needs passwords to offer secure authentication
    http://venturebeat.com/2015/06/29/medium-doesnt-think-it-needs-passwords-to-offer-secure-authentication/

    Blogging platform Medium is opening up its login process, so you don’t need a Twitter account, Facebook account, or a password.

    Starting today, users can now log into Medium with just an email address — no password required. Upon entering your email address, Medium will email you a link through which you can securely sign on. The new sign-on is available for web, iOS, and Android versions of Medium.

    “Passwords are neither secure nor simple. They’re hard to remember or easy to guess, everyone re-uses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe,” the company wrote in a blog post.

It’s a really interesting solution to a problem that plagues the Web. With the growing number of hacks on major retailers and banks, many have acknowledged that passwords are no longer effective in securing accounts. To enhance security, companies including Facebook and Twitter have started offering two-factor authentication, a process by which users have to prove their identity twice before getting access to an account.

    By getting rid of the password, Medium is seemingly taking an opposite approach. However, a password-free login could be just as secure. Medium users will be notified every time someone tries to log into their account, and the sign-in link will expire after a short amount of time; it also can only be used once.

    Signing in to Medium by email
    No Twitter or Facebook necessary… and no passwords either.
    https://medium.com/the-story/signing-in-to-medium-by-email-aacc21134fcd

    Wait, what?

    That’s right, no passwords. When you want to sign in to Medium, we’ll send you an email that contains a special sign in link. Clicking on that link will sign you in. That’s all there is to it. If you’ve ever used a “forgot password” feature, it works a lot like that, except you don’t have to forget a password to use it.

    Reply
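The three properties the article lists for Medium’s links (the user is notified of every attempt, the link expires quickly, and it can only be used once) are what separate a safe e-mail sign-in from a plain “forgot password” flow. Here is an added example of a server-side implementation with those properties; it is not Medium’s code. Assumptions: the token is 256 bits of randomness from the OS, only its SHA-256 digest is stored server-side (so a database leak does not yield working links), each token is bound to one e-mail address, the link is valid for 15 minutes, and it is removed from the store on the first redemption attempt whether or not it has expired. The sign-in URL and the 15-minute lifetime are illustrative values.

```python
"""One-time, expiring e-mail sign-in links (magic links)."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TTL_SECONDS = 15 * 60  # assumed lifetime of a link; keep it short


class MagicLinkService:
    def __init__(self, base_url="https://example.invalid/signin", now=time.time):
        self._base_url = base_url          # illustrative URL, not Medium's
        self._now = now                    # injectable clock, for tests
        self._pending = {}                 # sha256(token) -> (email, expires_at)
        self.notifications = []            # (email, message) sent on each attempt

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked table cannot be turned into sign-in links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a link for this address and return the URL to put in the e-mail."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._now() + TTL_SECONDS)
        # The account owner hears about every attempt, even one they did not make.
        self.notifications.append((email, "sign-in link requested"))
        return f"{self._base_url}?token={token}"

    def redeem(self, token: str) -> str:
        """Consume a token. Returns the signed-in e-mail, or None on any failure."""
        # Single use: remove the entry before checking anything else, so a
        # replayed or expired link can never be tried again.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        self.notifications.append((email, "signed in"))
        return email


def token_from_url(url: str) -> str:
    """Pull the token out of the URL the user clicked."""
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if values else ""


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice@example.com")
    print("mail this:", link)
    print("first click:", svc.redeem(token_from_url(link)))
    print("second click:", svc.redeem(token_from_url(link)))
```

The obvious caveat, which the article’s comparison to “forgot password” already implies: the scheme is exactly as strong as the user’s mailbox, so an attacker who can read their e-mail gets in, and the notification on every attempt is what gives the owner a chance to notice.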
  28. Tomi Engdahl says:

    Serdar Yegulalp / InfoWorld:
    Amazon’s new open-source encryption library, s2n, implements TLS, aims to be small, light, and auditable
    http://www.infoworld.com/article/2942085/encryption/amazons-s2n-encryption-library-aims-to-be-small-light-and-auditable.html

    New open source encryption library is meant to be easy to implement as well as easy to audit for security issues

    In hopes of avoiding the kinds of bugs that have found their way into the OpenSSL or GnuTLS encryption libraries, Amazon is rolling its own library for implementing SSL/TLS and giving it away for free — although it’s still only in its early stages.

    The library, named s2n, is meant to provide a small, fast, and simple implementation of TLS. The scaled-down nature of s2n doesn’t just make the library easier to create and implement, it makes it easier to audit as well.

    s2n allows the user to set the latest, most-preferred default settings by way of a simple API call. Specific versions of protocols can also be invoked for backwards compatibility if needed.

    In a post to Amazon’s security blog, the company detailed how s2n — which consists of only about 6,000 lines of C code — doesn’t even implement many of the less-used extensions or options found in TLS. The company claims it has “already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing.”

    What s2n doesn’t do is also worth noting. For one, Amazon is not positioning it as a direct replacement for the OpenSSL library; Amazon’s plan is to support that project by way of the Linux Foundation’s Core Infrastructure Initiative.

Also, s2n isn’t meant — at least not yet — to be a general-purpose cryptography library. Instead it is focusing exclusively on providing TLS functionality for servers.

    Aside from continuing to advance the project on its own, Amazon’s next move is to integrate the Apache-licensed library into AWS’ services over the next few months.

    s2n : an implementation of the TLS/SSL protocols
    https://github.com/awslabs/s2n

    Reply
  29. Tomi Engdahl says:

    A third of iThings open to VPN-hijacking, app-wrecking attacks
    Masques off: Researchers detail five ways to wreck Apple stuff
    http://www.theregister.co.uk/2015/07/01/masque_attack_ios_fireeye/

    A trio of FireEye researchers have reported twin ‘app-demolishing’ iOS vulnerabilities Apple has partially fixed in its latest update that could wreck core apps such as the App Store and Settings.

    Researchers Zhaofeng Chen, Tao Wei, Hui Xue, and Yulong Zhang revealed the latest in five so-called Masque attacks that could wreck installed apps when installed over wireless enterprise provisioning.

    They detailed the entire family of ‘app-demolishing’ Masque attacks that after some five months still affect about a third of all iOS devices that run versions below iOS 8.1.3.

    “The Manifest masque attack leverages the vulnerability (CVE-2015-3722, CVE-2015-3725) to demolish an existing app on iOS when a victim installs an in-house iOS app wirelessly using enterprise provisioning from a website,”

    Reply
  30. Tomi Engdahl says:

    MIT’s Bitcoin-Inspired ‘Enigma’ Lets Computers Mine Encrypted Data
    http://it.slashdot.org/story/15/07/01/027233/mits-bitcoin-inspired-enigma-lets-computers-mine-encrypted-data

    Guy Zyskind, Oz Nathan, and the MIT Media Lab have developed a system to encrypt data in a way that it can still be shared and used without being decrypted. “To keep track of who owns what data—and where any given data’s pieces have been distributed—Enigma stores that metadata in the bitcoin blockchain, the unforgeable record of messages copied to thousands of computers to prevent counterfeit and fraud in the bitcoin economy.

    MIT’s Bitcoin-Inspired ‘Enigma’ Lets Computers Mine Encrypted Data
    http://www.wired.com/2015/06/mits-bitcoin-inspired-enigma-lets-computers-mine-encrypted-data/

    The cryptography behind bitcoin solved a paradoxical problem: a currency with no regulator, that nonetheless can’t be counterfeited. Now a similar mix of math and code promises to pull off another seemingly magical feat by allowing anyone to share their data with the cloud and nonetheless keep it entirely private.

    On Tuesday, a pair of bitcoin entrepreneurs and the MIT Media Lab revealed a prototype for a system called Enigma, designed to achieve a decades-old goal in data security known as “homomorphic” encryption: A way to encrypt data such that it can be shared with a third party and used in computations without it ever being decrypted. That mathematical trick—which would allow untrusted computers to accurately run computations on sensitive data without putting the data at risk of hacker breaches or surveillance—has only become more urgent in an age when millions of users constantly share their secrets with cloud services ranging from Amazon and Dropbox to Google and Facebook. Now, with bitcoin’s tricks in their arsenal, Enigma’s creators say they can now pull off homomorphically encrypted computations more efficiently than ever.

    “You send whatever data you want, and it runs in the black box and only returns the result. The actual data is never revealed, neither to the outside nor to the computers running the computations inside.”

    Enigma’s homomorphic technique works by mimicking a few of the features of bitcoin’s decentralized network architecture: It encrypts data by splitting it up into pieces and randomly distributing indecipherable chunks of it to hundreds of computers in the Enigma network known as “nodes.” Each node performs calculations on its discrete chunk of information before the user recombines the results to derive an unencrypted answer. Thanks to some mathematical tricks the Enigma creators implemented, the nodes are able to collectively perform every kind of computation that computers normally do, but without accessing any other portion of the data except the tiny chunk they were assigned.

    To keep track of who owns what data—and where any given data’s pieces have been distributed—Enigma stores that metadata in the bitcoin blockchain, the unforgeable record of messages copied to thousands of computers to prevent counterfeit and fraud in the bitcoin economy.

    It’s important to note that any new and unproven encryption scheme should be approached with caution. But if Enigma’s homomorphic encryption works as its creators promise, it would have vast implications. Private databases could be hosted and queried in the cloud without any risk of revealing the database’s contents. It could also enable a search engine to return search results without ever seeing the user’s unencrypted search request.

    The Enigma creators are far from the first to suggest a scheme for homomorphic encryption; IBM researcher Craig Gentry achieved a major breakthrough in 2009 when he came up with the first fully homomorphic encryption scheme

    Reply
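The "split the data into chunks, let each node compute on its chunk, recombine the results" pattern described in the Enigma piece above can be illustrated with additive secret sharing over a prime field. This is an added, constructed example, not Enigma's code: the records, node count and field prime are assumptions, and it only covers linear computations (sums and weighted sums), which is the part of the scheme that works without any extra protocol between nodes.

```python
"""Additive secret sharing: a toy version of the split/compute/recombine idea.

Constructed illustration, not Enigma's own implementation. Each node holds one
random-looking share of every record and never sees the record itself; the
client recombines the nodes' partial results to get the plaintext answer.
Only linear operations (sum, weighted sum) are shown; multiplying two secret
values needs an additional protocol between nodes, which is out of scope here.
"""
import secrets

P = (1 << 61) - 1  # assumed field prime (Mersenne), large enough for toy integers


def share(value, n):
    """Split value into n shares with value == sum(shares) mod P.

    The first n-1 shares are uniformly random; the last one is forced to
    make the total come out right. Any n-1 shares are therefore independent
    of the value, which is why a node learns nothing from its own chunk.
    """
    if not 0 <= value < P:
        raise ValueError("value must be a field element")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Recombine all n shares into the original field element."""
    return sum(shares) % P


def missing_share(known_shares, candidate):
    """Given n-1 shares, return the one missing share that would make them
    reconstruct to `candidate`. Because one always exists for every candidate,
    n-1 shares are consistent with every possible secret: they leak nothing."""
    return (candidate - sum(known_shares)) % P


def to_signed(x):
    """Map a field element back to a signed integer so differences work."""
    return x if x < P // 2 else x - P


class Node:
    """One storage/compute node: keeps shares keyed by record id, never values."""

    def __init__(self):
        self.shares = {}

    def store(self, record_id, s):
        self.shares[record_id] = s

    def local_linear(self, ids, weights):
        """Weighted sum of this node's shares; public weights, secret shares."""
        return sum(self.shares[i] * w for i, w in zip(ids, weights)) % P


def distribute(records, nodes):
    """Client-side: share every record across all nodes."""
    for rid, value in records.items():
        for node, s in zip(nodes, share(value, len(nodes))):
            node.store(rid, s)


def private_linear(nodes, ids, weights):
    """Client asks each node for its partial result and recombines them.
    No node sees any record, and the client never receives raw shares of
    individual records, only shares of the aggregate."""
    partials = [n.local_linear(ids, weights) for n in nodes]
    return to_signed(reconstruct(partials))


def demo():
    # Constructed sample data: three salaries held across five nodes.
    records = {"alice": 52000, "bob": 61000, "carol": 47000}
    nodes = [Node() for _ in range(5)]
    distribute(records, nodes)
    ids = list(records)
    total = private_linear(nodes, ids, [1, 1, 1])          # 160000
    diff = private_linear(nodes, ["alice", "bob"], [1, -1])  # -9000
    return total, diff


if __name__ == "__main__":
    print(demo())
```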
  31. Tomi Engdahl says:

    Security News This Week: Google Says Goodbye to Revenge Porn, Hello to Eavesdropping
    http://www.wired.com/2015/06/security-news-this-week-062615/

    Of all the security news this week, Facebook’s ability to identify individuals who aren’t even showing their face is perhaps the most disturbing. If you thought turning away from the camera in a photograph meant that you could escape from Facebook’s steely gaze, you’re in for a big surprise. It may well be able to recognize you even if you put a paper bag over your head.

    And make sure to add a $300 spy bug that fits inside a pita to your list of threats, lest your encryption keys get stolen with radio waves originating from your processor. Another not-so-comforting thought: the protocol used to transmit flight plans lacks authentication, so basically all airlines have the same security holes that grounded more than 10 planes on June 20.

    Wikileaks released a scandalous collection of classified NSA files revealing that the US has been spying on French presidents for three administrations.

    Shocker: NSA and GCHQ were engaged in a prolonged and systematic campaign to target Kaspersky and other antivirus and security firms to subvert their software. Hundreds of .gov passwords have been found in public hacker data dumps, so hopefully those very same passwords weren’t reused on personal accounts.

    Kim Zetter took a deep dive into the Wassenaar Arrangement, a proposed set of export rules that are intended to restrict surveillance tool sales to oppressive regimes, but are written so vaguely and broadly that they could criminalize legitimate security tools and make it difficult for security researchers to do their jobs.

    Google may not have the power to rid the world of revenge porn altogether, but it’ll be taking an important step to at least make it a little bit harder to find.

    Chromium, the open-source version of Google’s Chrome browser, was caught sneakily installing Chrome Hotword, an extension with eavesdropping capabilities

    Yet Another Adobe Flash Zero-Day

    Corrupt DEA Agent Who Investigated Silk Road Pleads Guilty

    British intelligence agency GCHQ may have helped the NSA coordinate drone strikes outside of recognized war zones

    Another Software Company Flees the UK Due to Surveillance Concerns

    Reply
  32. Tomi Engdahl says:

    With Its French NSA Leak, WikiLeaks Is Back
    http://www.wired.com/2015/06/french-nsa-leak-wikileaks-back/

    Classified documents appear on WikiLeaks.org, revealing that the American government is spying on its allies. American officials rush to deal with a sudden diplomatic crisis while publicly refusing to comment on leaked materials. And WikiLeaks proclaims that it’s just getting started.

    On Tuesday night WikiLeaks released a collection of documents it’s called Espionnage Élysée, a collection of classified NSA files that show that the US intelligence agency has been spying on French heads of state going back three administrations.

    Reply
  33. Tomi Engdahl says:

    Turns Out the US Launched Its Zero-Day Policy in Feb 2010
    http://www.wired.com/2015/06/turns-us-launched-zero-day-policy-feb-2010/

    A newly released document from the FBI sheds a little more light on the government’s controversial policy around the use of zero-day exploits. Though there is still much we don’t know, the question of when the secretive policy was put into place is finally answered: February, 2010.

    It wasn’t until last year that the government even admitted to using zero-day exploits for attack purposes. Following that disclosure, the White House then revealed that it had established an Equities process for determining when a zero-day software vulnerability it learns about should be disclosed to a vendor to be fixed or kept secret so that the NSA and other agencies can exploit it for intelligence or law enforcement purposes.

    Reply
  34. Tomi Engdahl says:

    This Online Anonymity Box Puts You a Mile Away From Your IP Address
    http://www.wired.com/2015/07/online-anonymity-box-puts-mile-away-ip-address/

    In the game of anonymity-versus-surveillance online, the discovery of the user’s IP address usually means game over. But if Ben Caudill has his way, a network snoop who successfully hunts a user through layers of proxy connections to a final IP address would be met with a dead end—while the anonymous user remains safe at home more than a mile away.

    At the upcoming DefCon hacker conference in Las Vegas next month, Caudill plans to unveil ProxyHam, a “hardware proxy” designed to use a radio connection to add a physical layer of obfuscation to an internet user’s location. His open-source device, which he built for $200, connects to Wi-Fi and relays a user’s Internet connection over a 900 megahertz radio connection to their faraway computer, with a range of between one and 2.5 miles depending on interference from the landscape and buildings. That means even if investigators fully trace the user’s internet connection, they’ll find only the ProxyHam box the person planted in a remote library, cafe, or other public place—and not their actual location.

    ProxyHam, which Caudill says he’ll offer for sale at cost to DefCon attendees and will also teach users how to build with instructions on his website and ProxyHam’s Github page (both available after DefCon), is actually two devices.

    Caudill intends ProxyHam to protect sensitive Internet users, such as dissidents and whistleblowers, for whom tools like VPNs and even the anonymity software Tor may not provide sufficient security. If an attacker can manage to install malware on the user’s PC, for instance, that malware can circumvent Tor and send the user’s IP address directly to the attacker. But with ProxyHam, that malware attack would only lead investigators to the ProxyHam device, not the user. “The KGB isn’t kicking in your door,” says Caudill. “They’re kicking in the door of the library 2.5 miles away.”

    To avoid radio detection on the user’s end, ProxyHam’s wireless signals are designed to look indistinguishable from the many cordless telephones that use the same frequency.

    No one should depend on ProxyHam alone—particularly until its security has been proven in real-world testing, says Micah Lee, a security technologist for The Intercept and occasional developer for the anonymous whistle-blowing software SecureDrop.

    Reply
  35. Tomi Engdahl says:

    MasterCard will approve purchases by scanning your face
    http://money.cnn.com/2015/07/01/technology/mastercard-facial-scan/

    This fall, MasterCard will start experimenting with a new program: approving online purchases with a facial scan.

    At checkout, you’ll be asked to hold up your phone and snap a photo. MasterCard’s thinking? It’s easier than remembering a password.

    “The new generation, which is into selfies … I think they’ll find it cool. They’ll embrace it,” said Ajay Bhalla, who’s in charge of coming up with innovative solutions for MasterCard’s security challenges.

    This is MasterCard’s way of cutting down fraud.

    Currently, customers can set up something called “SecureCode,” which requires a password when shopping online. This stops credit-card-number-stealing hackers from actually using your card on the Web. It was used in 3 billion transactions last year, the company said.

    But passwords get forgotten, stolen, or intercepted. So, banks are following Apple’s lead. The iPhone’s fingerprint scanner started a security revolution in 2013. Apple Pay showed that customers are willing to use biometrics to prove their identity.

    MasterCard (MA) will launch a small pilot program that uses fingerprints — but also facial scans.

    How it works

    You have to download the MasterCard phone app to use the feature.

    MasterCard said a pop-up will ask for your authorization after you pay for something (the company did not demonstrate a working version to CNNMoney).

    If you choose fingerprint, all it takes is a touch. If you go with facial recognition, you stare at the phone — blink once — and you’re done. MasterCard’s security researchers decided blinking is the best way to prevent a thief from just holding up a picture of you and fooling the system.

    MasterCard said it doesn’t actually get a picture of your finger or face. All fingerprint scans will create a code that stays on the device. The facial recognition scan will map out your face, convert it to 1s and 0s and transmit that over the Internet to MasterCard.

    Bhalla promised that MasterCard won’t be able to reconstruct your face — and that the information would transmit securely and remain safe on the company’s computer servers.

    This makes some cybersecurity experts uncomfortable. They prefer that your data stay on your phone.

    Keeping this kind of information in one location makes it more tempting to hack. But there’s some faith that MasterCard can adequately protect it

    MasterCard is only at the testing phase, company representatives noted.

    Reply
  36. Tomi Engdahl says:

    Federal wiretaps down slightly, encryption impact decreases
    http://www.networkworld.com/article/2942611/security0/federal-wiretaps-down-slightly-encryption-impact-decreases.html

    For the first time in a number of years the use of authorized federal wiretaps decreased 13% in 2014 over 2013.

    Reply
  37. Tomi Engdahl says:

    20 yr-old Brazilian births 100 banking trojans
    Who cares about OPSEC with slack laws and busy cops?
    http://www.theregister.co.uk/2015/07/02/20_yrold_brazilian_births_100_banking_trojans/

    A 20 year-old Brazilian kid has pumped out more than 100 banking trojans selling each for around US$300 a pop, Trend Micro researchers say.

    The computer science student’s extracurricular activities landed him the dishonourable title of his country’s most prolific banking malware creator.

    Researchers say “Lordfenix”, his chosen hacker handle, made the cash between April 2013 and today targeting banks including HSBC Brazil, Bank of Brazil, and Caixa.

    Brazilian banking malware is a smart target for the unscrupulous, because the nation has very high usage rates for online banking.

    Reply
  38. Tomi Engdahl says:

    Harvard University admits to IT systems data breach
    Attack affected eight schools and administrative organisations at the university
    http://www.theinquirer.net/inquirer/news/2416034/harvard-university-admits-to-it-systems-data-breach

    Reply
  39. Tomi Engdahl says:

    Hacker snaffles Plex’s privates, demands ransom or he’ll bare ALL
    Firm: Chill – no credit card data went AWOL and the rest was hashed and salted
    http://www.theregister.co.uk/2015/07/02/plex_targeted_by_hackers/

    Hackers have accessed the forum and blog server of TV software biz Plex, gaining access to IP addresses, private messages, emails and encrypted forum passwords.

    As a response, Plex is requiring customers to change their passwords.

    Reply
  40. Tomi Engdahl says:

    FBI updates Most Wanted cyber felons list, offers US$4.2m bounties
    Zeus creator has $3m on his head, may be boating on the Black Sea
    http://www.theregister.co.uk/2015/07/02/42m_for_five_hacker_heads/

    The mastermind of the Zeus trojan; a car scamming screwball; an identity thief; a malvertiser, and a keylogger monger: nail these five net crims to the wall and the FBI will pay you US$4.2 million.

    Cyber’s Most Wanted
    https://www.fbi.gov/wanted/cyber/@@wanted-group-scroll-view

    Reply
  41. Tomi Engdahl says:

    Wayback Machine’s 485 billion web pages blocked by Russian government order
    An unintended consequence of archive.org using HTTPS for connections.
    http://arstechnica.com/tech-policy/2015/06/wayback-machines-485-billion-web-pages-blocked-by-russian-government-order/

    The Internet Archive—including its Wayback Machine, which currently stores 485 billion snapshots of the world’s web pages at different dates—is inaccessible for some users in Russia, as a post on the Global Voices site explains. This is the result of a blocking order from the country’s Attorney General, under legislation originally designed to protect minors from pornography sites, sexual abuse sites, and sites that provide details about drug use and suicide, but later extended to cover sites advocating “extremist activities” too.

    The Attorney General’s order is to block a single page held by the Wayback Machine—one called “Solitary Jihad in Russia,” which contains information about the “theory and practice of partisan resistance,” as Global Voices reports. Since the Internet Archive site uses HTTPS by default for its connections, Russian ISPs are unable to identify which page is being requested by their users, and thus whether it is the one subject to the new ban. Mindful of the consequences of ignoring the Attorney General’s order, some have responded by blocking the entire archive.org domain

    The Internet Archive is not alone in encountering problems caused by Russia’s increasingly restrictive Internet laws

    Reply
  42. Tomi Engdahl says:

    Dan Levine / Reuters:
    Ex-DEA agent Carl Force pleads guilty to stealing bitcoins during Silk Road investigation

    Former U.S. agent pleads guilty to bitcoin theft in Silk Road probe
    http://www.reuters.com/article/2015/07/01/us-usa-bitcoin-silkroad-idUSKCN0PB66B20150701

    A former federal agent pleaded guilty on Wednesday to stealing bitcoins during the government’s investigation of Silk Road, and to secretly soliciting payment from the operator of the online black market for information on its probe.

    Carl Force, a former U.S. Drug Enforcement Administration agent, admitted to charges of extortion, money laundering and obstruction of justice. In a San Francisco federal court, Force appeared in an orange jump suit and leg shackles and acknowledged a litany of criminal acts.

    Among them, Force said he agreed to a contract with Twenty-First Century Fox Inc (FOXA.O) last year to help make a movie about the Silk Road investigation, without the permission of his supervisors. That deal called for him to be paid up to $240,000.

    Silk Road operated for more than two years until it was shut down in October 2013, generating more than $214 million in sales of drugs and other illicit goods using bitcoins, prosecutors said.

    Reply
  43. Tomi Engdahl says:

    An Unassuming Web Proposal Would Make Harassment Easier
    http://www.wired.com/2015/07/unassuming-web-proposal-make-harassment-easier/

    The privacy of countless website owners is at risk, thanks to a proposal in front of the byzantine international organization at the heart of the Internet: ICANN. If adopted, the new proposal could limit access to proxy and privacy services, which protect domain registrants from having their home addresses exposed to everyone on the Internet.

    When you register a domain, you must post information, including an address, phone number and email to a global database called WHOIS. The information is easily available online via a terminal command or an online lookup tool. If a domain registrant doesn’t want the Internet masses to know their address or phone number, they have two options: enter modified information, or use a privacy or proxy registration service that hides the information behind that of a company.

    Both the authors of this op-ed use privacy services.

    The proposal in front of the ICANN working group would limit privacy and proxy domain protection to websites that are not commercial and transactional—which sounds reasonable. However, the working group’s current definition of commercial could include the website of any small business owner who sells goods via an online store, or the website of an activist who takes donations to cover her living expenses.

    Why is this information available at all? WHOIS is an archaic remnant from the earliest days of the Internet whose “fathers” neglected to think about the consequences of requiring domain owners to make their physical addresses public.

    The Internet is a very different place today, one where the consequences of having your address online can range from prank pizza delivery to the arrival of a SWAT team with guns drawn (called SWATing). For many, particularly those who become the targets of online harassment, WHOIS proxy or privacy protections are vital for their safety.

    WHOIS privacy services are a de facto tax on targets of online harassment: personal safety should come as a default, not as a premium service. But this premium service is, for many, what keeps them safe from real, imminent danger. The time is ripe to update WHOIS, but this is a step backward, not a step forward.

    How can the ICANN proposal be stopped? It’s difficult, actually. According to Stoltz, ICANN listens to public comments “when they come from insiders who have actually invested in the policy-making process,”

    Reply
  44. Tomi Engdahl says:

    Trolls No Longer Welcome In New Zealand
    http://yro.slashdot.org/story/15/07/03/0219200/trolls-no-longer-welcome-in-new-zealand

    With Hobbit and LoTR in the can, Trolls no longer welcome in New Zealand
    Kiwi parliament passes ‘Harmful digital communications bill’ outlawing online nasties
    http://www.theregister.co.uk/2015/07/01/nz_swings_banhammer_at_trolls/

    New Zealand has become the latest country to think bad online manners are amenable to legislation.

    The country last night passed a controversial bill, the Harmful Digital Communications Bill, in the hope of stemming “cyber-bullying”.

    The bill creates a regime under which digital communications causing “serious emotional distress” are subject to an escalating regime that starts as “negotiation, mediation or persuasion” but reaches up to creating the offences of not complying with an order, and “causing harm by posting digital communication”.

    The most serious offenders would face two years in jail or a maximum fine of NZ$50,000 (US$33,900).

    The bill covers posts that are racist, sexist, or show religious intolerance, along with hassling people over disability or sexual orientation.

    There’s also a new offence of incitement to suicide (three years’ jail).

    Reply
  45. Tomi Engdahl says:

    Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving
    http://it.slashdot.org/story/15/07/02/1829244/angler-exploit-kit-evasion-techniques-keep-cryptowall-thriving

    Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload.

    Evasion Techniques Keep Angler EK’s Cryptowall Business Thriving
    https://threatpost.com/evasion-techniques-keep-angler-eks-cryptowall-business-thriving/113596

    Reply
  46. Tomi Engdahl says:

    PureVPN calls pure BS on VPN insecurity study
    ‘We fixed that stuff last year’, company says, ‘but have a new client anyway’
    http://www.theregister.co.uk/2015/07/03/purevpn_calls_pure_bs_on_study/

    Hong Kong virtual private network provider PureVPN has rejected claims in a study published this week that its service, among many other popular providers, is open to DNS hijacking, and has pushed fixes to shore up security.

    “Please note that the study is rather outdated”

    “It is also incorrect in stating that our users are at risk of DNS hijacking. We would like to ensure our customers and your readers that PureVPN users are safe from DNS hijacking and there has not been an attack.”

    “With regards to the IPv6 leakages, IPv6 traffic has been disabled since late 2014”

    It says it has disabled IPv6 traffic since the third quarter of 2014, removing the possibility that attackers could trace users’ requests by tricking them into downloading IPv6 content.

    Reply
  47. Tomi Engdahl says:

    Chinese snoops try tracking VPN users with fiendish JSONP trickery
    Never mind your bank account. Tell me your name
    http://www.theregister.co.uk/2015/06/16/chinese_circumvent_web_privacy_javascript/

    Snoops are exploiting vulnerabilities in China’s most frequented websites to target individuals accessing web content which state censors have deemed hostile.

    Even users who run VPN connections to access websites that are blocked by China’s censorship technology, often called the Great Firewall (GFW), are potentially being tracked.

    The attacks exploit vulnerabilities in the top Chinese websites, including those run by Baidu and Alibaba, and use cross-site request forgery to expose users accessing restricted sites. These restricted sites have been hacked and booby-trapped with malicious code in order to make the attack work.

    Reply
  48. Tomi Engdahl says:

    Plant this box to beam cafe WiFi over 4kms so you can surf in obscurity
    RPi-powered rig suited to Snowdenistas keen to dodge plod
    http://www.theregister.co.uk/2015/07/03/plant_this_box_to_beam_cafe_wifi_over_4kms/

    Rhino Security founder Benjamin Caudill has created a tool to help privacy pundits and criminals to connect to wireless networks from a distance of four kilometres, in a bid to foil eavesdropping authorities.

    The Proxyham Raspberry Pi hardware box is a complement to toolkits such as Tor that mask the source of web traffic.

    Prolific security prober Caudill (@caudillbenjamin) told Motherboard the device would be placed at the WiFi source to beam a signal at 900MHz to distant users.

    “We consider this the last or worst case scenario, the absolute fallback plan if everything else fails,” Caudill says.

    “You can have it all the way across town, and worst case scenario the police go barge into the library across town.”

    Caudill will sell the box at cost for about US$200. Users who wish to build their own will be able to check out the hardware schematics and open source software when it is detailed at Defcon in August.

    Reply
  49. Tomi Engdahl says:

    Privacy Is Personal
    http://www.linuxjournal.com/content/privacy-personal

    Try to nail two boards together with your bare hands.

    Can’t be done. You need a hammer. But the power is not the hammer’s. It’s yours, because the hammer is your tool. As a tool, it becomes part of you. That’s what tools do: they enlarge your capacity for action and effect.

    That capacity is called agency. To have agency is to operate with effect in the world. The range of that effect expands with the number and quality of our tools, and our expertise in using them.

    This range is called scale, and it operates at two levels. The first is personal. The best tools work for many purposes in many places.

    Organizations want scale too. Every new company these days talks about “scaling up.” But personal scale is different.

    In 1943, Friedrich Kessler, a law professor at Columbia, observed that freedom of contract, a feature of civilization for centuries (if not millennia), was abandoned by big business in the Industrial Age, for the sake of scale

    Kessler despaired that freedom of contract would never again operate in the Industrial world. But that was before the Internet introduced new conditions to that world

    The Internet does many things, but the most profound is giving every end point the same status, and reducing the functional distance between end points to zero. Or close enough. Same with cost. The protocols that govern the Net cost nothing, and were not designed to support billing.

    Yet surveillance at scale is also delusional.

    Clothing and shelter are privacy technologies. They involve tools — clothing, doors, windows — that give us agency and scale. These tools have been well developed and understood for thousands of years. Our civilization is based on those understandings.

    So the real privacy challenge is a simple one. We need clothing with zippers and buttons, walls with doors and locks, windows with shutters and shades — that work the same for each and all of us, to give us agency and scale.

    Giants aren’t going to do it for us. Nor are governments. Both can be responsive and supportive, but they can’t be in charge, or that will only make us worse victims than we are already. Privacy for each of us is a personal problem online, and it has to be solved at the personal level. The only corporate or “social” clothing and shelter online are the equivalents of prison garb and barracks.

    What would our clothing and shelter be, specifically? A few come to mind:

    Ways to easily encrypt and selectively share personal data with other parties we have reason to trust.
    Ways to know the purposes to which shared data is used.
    Ways to assert terms and policies and obtain agreement with them.
    Ways to assert and maintain sovereign identities for ourselves, and manage our many personal identifiers — and to operate anonymously by default with those who don’t yet know us. (Yes, administrative identifiers are requirements of civilization, but they are not who we really are, and we all know that.)
    Ways to know and protect ourselves from unwelcome intrusion in our personal spaces.

    All these things need to be as casual and easily understood as clothing and shelter are in the physical world today. They can’t work only for wizards.

    Reply
