Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. Lots of articles were written about the published material. Not everything has yet been published, so I expect new NSA revelation details to be published in 2015 as well. So I expect new information leaks on how governmental security organizations spy on us all.
It seems that year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have encountered IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for this exist. A cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the Internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within them. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Jacob Bogage / Washington Post:
ID theft protection service LifeLock misled consumers again and violated 2010 settlement, FTC says in a lawsuit demanding company to repay customers
LifeLock shares tank after FTC says it doesn’t protect consumers data as it claimed
https://www.washingtonpost.com/blogs/the-switch/wp/2015/07/21/lifelock-shares-tank-after-ftc-alleges-continued-wrongdoing/
LifeLock, the company that aggressively advertises its identity theft protection service, came under fire from the federal government Tuesday for failing to protect the data of its customers — once again.
Shares of the company cratered nearly 50 percent after the government announced its finding, closing at about $8 a share.
The Federal Trade Commission said LifeLock has been falsely promising that it would protect personal data such as Social Security numbers, credit card numbers and bank accounts. It also did not alert its customers “as soon as” the company became aware of a problem.
Those failures violated a March 2010 settlement with the FTC and 35 states in which LifeLock agreed to repay customers $12 million and establish a program to protect its users’ most sensitive data.
“It is essential that companies live up to their obligations under orders obtained by the FTC,”
Tomi Engdahl says:
Senate Bill Seeks Standards For Cars’ Defenses From Hackers
http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/
A few years ago, the notion of hacking a car or truck over the Internet to control steering and brakes seemed like a bad plot point from CSI: Cyber. Today, the security research community has proven it to be a real possibility, and it’s one that at least two U.S. senators won’t wait to see play out with real victims.
On Tuesday morning, Senators Ed Markey and Richard Blumenthal plan to introduce new legislation that’s designed to require cars sold in the U.S. to meet certain standards of protection against digital attacks and privacy. The legislation, as described to WIRED by a Markey staffer, would call on the National Highway Safety and Transportation Administration and the Federal Trade Commission to together create new standards that automakers would be required to meet in terms of both their vehicles’ defenses from hackers and how the companies safeguard any personal information such as location records collected from the vehicles they sell.
Until now, car hacking has remained a largely theoretical threat, despite some instances when thieves have disabled cars’ door locks with wireless attacks, or when a disgruntled dealership employee used a tool designed to enforce timely car payments to remotely brick more than one hundred vehicles.
But the security industry has demonstrated that vehicles’ increasing connections to the internet create new avenues for attack.
Tomi Engdahl says:
Bloomberg Business:
FBI and Israel arrest four tied to JPMorgan hack, unveiling a complex securities fraud scheme — FBI, Israel Securities Fraud Arrests Tied to JPMorgan Hack … Law enforcement authorities arrested four people in Israel and Florida and revealed a complex securities fraud scheme
Digital Misfits Link JPMorgan Hack to Pump-and-Dump Fraud
http://www.bloomberg.com/news/articles/2015-07-21/fbi-israel-make-securities-fraud-arrests-tied-to-jpmorgan-hack
Authorities arrested four people in Israel and Florida and revealed a complex securities fraud scheme tied to the computer hacks of JPMorgan Chase & Co. and other financial institutions.
Behind the alleged crimes described Tuesday is a remarkable story of unpredictable alliances in modern computer crime involving, if true, a multi-layered organization with tentacles reaching Moscow, Tel Aviv and West Palm Beach.
Officials in Israel on Tuesday picked up two men charged in the U.S. with running a multimillion-dollar stock manipulation scheme. A third person remains at large. In another case in Florida, officials arrested two men for operating an unlicensed money-transfer business using bitcoins.
The two are also identified in a previously unreported FBI memo that connects them to the investigation of the hack of JPMorgan as well as to incidents at Fidelity Investments Ltd. and E*Trade Financial Corp. JPMorgan officials argued initially that one of the largest U.S. bank hacks in history was the work of the Russian government.
The alleged pump-and-dump scheme was several years old by the time of the Wall Street hacks. At least five stocks were manipulated in 2011 and 2012, according to the grand jury indictment unsealed Tuesday in Manhattan federal court.
The stock fraud is described as a “pump-and-dump” scheme in which promotional e-mails were sent to victims, encouraging them to buy “hot” stocks, according to a parallel complaint filed by the U.S. Securities and Exchange Commission.
Tomi Engdahl says:
Russell Brandom / The Verge:
Ashley Madison had a serious data management problem and the data breach is entirely its fault
Ashley Madison’s data breach is everyone’s problem
http://www.theverge.com/2015/7/20/9006213/ashley-madisons-data-breach-is-everyones-problem
Late last night, the 37 million users of the adultery-themed dating site Ashley Madison got some very bad news. A group calling itself the Impact Team appears to have compromised all the company’s data, and is threatening to release “all customer records, including profiles with all the customers’ secret sexual fantasies” if Ashley Madison and a sister site are not taken down.
Collecting and retaining user data is the norm in modern web businesses, and while it’s usually invisible, the result for Ashley Madison has been catastrophic. In hindsight, we can point to data that should have been anonymized or connections that should have been less accessible, but the biggest problem is deeper and more universal. If services want to offer genuine privacy, they have to break away from those practices, interrogating every element of their service as a potential security problem. Ashley Madison didn’t do that. The service was engineered and arranged like dozens of other modern web sites — and by following those rules, the company made a breach like this inevitable.
The most obvious example of this is Ashley Madison’s password reset feature. It works just like dozens of other password resets you’ve seen: you enter in your email, and if you’re in the database, they’ll send a link to create a new password. As developer Troy Hunt points out, it also shows you a slightly different message if the email really is in the database. The result is that, if you want to find out if your husband is looking for dates on Ashley Madison, all you have to do is plug in his email and see which page you get.
That was true long before the hack, and it was a serious data leak — but because it followed standard web practices, it slipped by mostly unnoticed. It’s not the only example: you could make similar points about data retention, SQL databases or a dozen other back-end features. This is how web development usually works. You find features that work on other sites and you copy them, giving developers a codebase to work from and users a head start in figuring out the site. But those features aren’t usually built with privacy in mind, which means developers often import security problems at the same time.
Why, for instance, did the site keep users’ real names and addresses on file? It’s a standard practice, sure, and it certainly makes billing easier — but now that Ashley Madison has been breached, it’s hard to think the benefits outweighed the risk. As Johns Hopkins cryptographer Matthew Green pointed out in the wake of the breach, customer data is often a liability rather than an asset. If the service is meant to be private, why not purge all identifiable information from the servers, communicating only through pseudonyms?
The worst practice of all was Ashley Madison’s “paid delete” service, which offered to take down user’s private data for $19 — a practice that now looks like extortion in the service of privacy. But even the idea of paying a premium for privacy isn’t new within the web more broadly.
It’s an open question how strong Ashley Madison’s privacy needed to be
But while Ashley Madison made a bad, painful error by openly retaining that much data, it’s not the only company that’s making that mistake. We expect modern web companies to collect and retain data on their users, even when they have no reason to. The expectation hits every level, from the way sites are funded to the way they’re engineered. It rarely backfires, but when it does, it can be a nightmare for companies and users alike. For Ashley Madison, it may be that the company didn’t truly consider privacy until it was too late.
Tomi Engdahl says:
Mary Jo Foley / ZDNet:
Microsoft to deliver Advanced Threat Analytics cybersecurity product in August, Azure Rights Management for Office on iOS on July 23
Microsoft to deliver Advanced Threat Analytics cybersecurity product in August
http://www.zdnet.com/article/microsoft-to-deliver-advanced-threat-analytics-cybersecurity-product-in-august/
Microsoft will make its Advanced Threat Analytics cybersecurity software available starting in August. Azure Rights Management support for iPhones and iPads running Office is coming this week.
Microsoft will make its Advanced Threat Analytics (ATA) product generally available in August.
ATA is Microsoft’s on-premises cybersecurity software based on technology Microsoft acquired when it bought Aorato last year.
ATA is meant to help businesses block targeted attacks by automatically analyzing, learning and identifying all normal and abnormal behavior, using machine learning, according to Microsoft’s explanation.
Tomi Engdahl says:
Smartwatch security fails to impress: Top devices vulnerable to cyberattack
http://www.zdnet.com/article/smartwatch-security-fails-to-impress-top-devices-vulnerable-to-cyberattack/
A new study into the security of smartwatches found that 100 percent of popular device models contain severe vulnerabilities.
A research study conducted by Hewlett-Packard has found serious security issues in today’s top smartwatch wearable devices.
Smartwatches are part of the wearable device trend, which extends from medical devices and fitness trackers to acting as an extension of your smartphone.
Wearables can be useful and have grown in popularity with the arrival of the Internet of Things (IoT) concept in the marketplace. However, as smartwatches become mainstream, cybercriminals have been gifted with a new avenue to exploit in the quest to steal valuable data.
Revealed on Wednesday, HP’s Smartwatch Security Study suggests that while wearable technology is on the rise, security has been left behind. The tech giant’s research team combined manual testing along with the use of digital tools and HP Fortify on Demand — on both iOS and Android-based smartwatches — to evaluate a total of 10 of today’s “top” devices on the market.
In HP’s words, the results were “disappointing, but not surprising.” The tech giant found that every one of the ten devices analyzed contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns.
In total, 30 percent of smartwatches use cloud-based web interfaces, which HP said “exhibited account enumeration concerns.” In separate tests, HP said this arrangement enabled hackers to identify valid user accounts through reset password services.
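The account enumeration flaw in the two posts above (the Ashley Madison password reset that answers differently for registered addresses, and the smartwatch cloud interfaces HP found enumerable through their reset services) boils down to one server-side pattern. The following is an added example, not code from either article: a leaky reset handler beside a uniform one, with a defender-side check that tells them apart. The user table, mailer and URLs are constructed stand-ins.

```python
"""Password-reset account enumeration: leaky handler vs. uniform handler.

Constructed example: an in-memory dict stands in for the site's user
database and "sending" an e-mail just appends to an outbox list.
"""
import secrets
from dataclasses import dataclass, field

# Constructed sample accounts, not real data.
USERS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}
RESET_BASE = "https://example.invalid/reset/"  # hypothetical URL


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Mailer:
    outbox: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.outbox.append((to, body))


def reset_leaky(email: str, mailer: Mailer) -> Response:
    """The pattern the articles describe: status and message differ depending
    on whether the address is in the database, so anyone who can submit the
    form can test whether an address belongs to a registered user."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        mailer.send(email, f"Reset link: {RESET_BASE}{token}")
        return Response(200, "A password reset link has been sent to your e-mail.")
    return Response(404, "We could not find an account with that e-mail address.")


def reset_uniform(email: str, mailer: Mailer) -> Response:
    """Hardened variant: identical status and body for every input. The only
    thing that differs is the e-mail, which the requester cannot observe.
    The token is generated on both paths so the work done (and therefore the
    response time) is roughly the same whether or not the account exists."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        mailer.send(email, f"Reset link: {RESET_BASE}{token}")
    return Response(
        200, "If an account exists for that address, a reset link has been sent."
    )


def leaks_membership(handler, known: str, unknown: str) -> bool:
    """Defender-side test: call the handler with a registered and an
    unregistered address and report whether the observable response
    (status code or body) lets the caller tell the two apart."""
    mailer = Mailer()
    a = handler(known, mailer)
    b = handler(unknown, mailer)
    return a.status != b.status or a.body != b.body


if __name__ == "__main__":
    for h in (reset_leaky, reset_uniform):
        verdict = "LEAKS" if leaks_membership(h, "alice@example.com", "x@example.com") else "ok"
        print(f"{h.__name__}: {verdict}")
```

The same check applies to sign-up ("address already registered") and login error messages, which leak membership in exactly the same way.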
Tomi Engdahl says:
Security focus must move toward data analysis
http://www.zdnet.com/article/security-focus-must-move-toward-data-analysis/
Outmaneuvered by increasingly sophisticated adversaries, the security industry is intensifying its efforts to gain more visibility from data and behavioral analysis to combat cyberattacks.
With antivirus technology no longer effective, businesses and security vendors must now shift their focus to tools that operate on data and behavioral analysis.
With a security landscape today that is highly complex and sophisticated, organizations are struggling to figure out who’s who and provide information access to users who are supposed to have access to that information. This is especially difficult when they are fighting also to keep the bad guys out.
Speaking during his keynote Wednesday at RSA Asia-Pacific and Japan Conference in Singapore, Yoran noted: “Clearly, the adversaries are outmaneuvering and outgunning the security industry. Once inside the network environment, they can go undetected for months and, in some cases, years.
“The only forward is to change our cybersecurity mindset,” he said, stressing that any notion that prevention would keep networks safe would be misguided. “Firewalls, anti-malware tools are all nice to have, but if you believe this will keep sophisticated, focused adversaries out of your environment, you’re asleep at the wheel. Prevention won’t solve our problem.”
Tomi Engdahl says:
Researcher lashes out at Hacking Team over open-source code discovery
http://www.zdnet.com/article/researcher-lashes-out-at-hacking-team-over-open-source-code-discovery/
When the researcher released his code as open-source, Android spyware development for governments was not its intended purpose.
Researcher Collin Mulliner has lashed out at Hacking Team after discovering his code has been used as a springboard in the development of Android surveillance tools sold to governments and law enforcement agencies.
Milan-based Hacking Team suffered a cyberattack this month which led to the theft of 400GB in corporate data. The once-secretive firm’s corporate innards have been thrown across the Internet, resulting in released customer lists, exploits, surveillance tool code and internal communications now available for viewing and examination in the public domain.
While software vendors are rapidly patching newly-discovered Hacking Team zero-day vulnerabilities, the disclosures have also hit the open-source community.
System security researcher Collin Mulliner said in a blog post on Tuesday that he discovered his open-source creations were being used — without notice or permission — by Hacking Team after individuals on Twitter pointed it out and he received a flood of emails and personal notifications.
Tomi Engdahl says:
Blackberry to buy crisis alerts firm AtHoc
http://www.zdnet.com/article/blackberry-to-buy-crisis-alerts-firm-athoc/
AtHoc provides its networked comms services to a bevy of marquee customers, including the US Department of Defense and the US Department of Homeland Security.
Blackberry said on Wednesday that it is acquiring AtHoc, makers of a secure software platform for crisis communication. Financial terms of the deal were not disclosed.
AtHoc’s communications software is essentially a messaging alerts system, but for entities that need to exchange potentially sensitive and critical information between devices, organizations and people when other forms of communication may be unavailable. The software supports a variety of devices and platforms, including iOS, Android, PCs and Macs.
The purchase highlights how Blackberry continues to cater its platform toward regulated and government agencies.
Tomi Engdahl says:
Microsoft says on its blog that the company yesterday ended extended support for servers running the Windows Server 2003 operating system. Support ended according to the previously announced life cycle of the product, as planned.
Microsoft also reminds its customers that SQL Server 2005’s extended support ends next spring, exactly on 12/04/2016. Nine months may seem a long time for an upgrade, but upgrading a company’s systems can, depending on the system, take months at a time.
Source: http://etn.fi/index.php?option=com_content&view=article&id=3082:windows-server-2003-n-tuki-loppui&catid=13&Itemid=101
Tomi Engdahl says:
Terabyte disk with strong information security
Companies and organizations need storage devices of a higher standard than basic consumers. Microsemi’s solid state disk, based on the latest flash memory, meets the most stringent security requirements.
The SATA SSD is intended for defense and intelligence agencies, unmanned aircraft and similar applications demanding high security. The 2.5-inch, 9.5-mm-thick disk holds a terabyte of data.
The disk encrypts itself.
On an attempted physical break-in, the encryption key is destroyed in less than 30 milliseconds.
The second level of protection can wipe all the data in less than 10 seconds.
Source: http://etn.fi/index.php?option=com_content&view=article&id=3104:teratavun-levy-vahvalla-tietoturvalla&catid=13&Itemid=101
Tomi Engdahl says:
Jacqueline Beauchere / Microsoft on the Issues:
Microsoft makes it easier for revenge porn victims to report images and videos for removal from Bing, OneDrive, and Xbox Live — ‘Revenge porn:’ Putting victims back in control — When someone shares intimate images of another person online without that person’s consent, the effects can be truly devastating.
‘Revenge porn:’ Putting victims back in control
http://blogs.microsoft.com/on-the-issues/2015/07/22/revenge-porn-putting-victims-back-in-control/
When someone shares intimate images of another person online without that person’s consent, the effects can be truly devastating. These gross violations of privacy are commonly (and unartfully) referred to as “revenge porn.” Unfortunately, revenge porn is on the rise across the globe. It can damage nearly every aspect of a victim’s life: relationships, career, social activities. In the most severe and tragic cases, it has even led to suicide.
Much needs to be done to address the problem. As a first step, we want to help put victims back in control of their images and their privacy. That’s why Microsoft will remove links to photos and videos from search results in Bing, and remove access to the content itself when shared on OneDrive or Xbox Live, when we are notified by a victim. While people have been able to report to us in the past, we’ve set up a new reporting Web page, available today, to make it easy for victims to let us know about these particular photos and videos. It is available in English now and will be expanded to other languages in the coming weeks. When we remove links or content, we will do so globally.
Clearly, this reporting mechanism is but one small step in a growing and much-needed effort across the public and private sectors to address the problem. It’s important to remember, for example, that removing links in search results to content hosted elsewhere online doesn’t actually remove the content from the Internet – victims still need stronger protections across the Web and around the world.
Tomi Engdahl says:
Ginny Marvin / Marketing Land:
Study: In-app Ad Fraud Could Near $1 Billion Globally In 2015
http://marketingland.com/study-in-app-ad-fraud-could-near-1-billion-globally-in-2015-136195
Firm claims to find large number of “mobile device hijacking” instances in which mobile apps load hidden ads and simulate human activity similar to traditional botnets.
Ad fraud has come to mobile apps in a big way, according to a new study on “mobile device hijacking” by ad fraud detection firm Forensiq.
Forensiq says its fraud detection platform identified more than 5,000 mobile applications committing ad fraud while monitoring for irregular impression traffic patterns on various real time bidding (RTB) ad exchanges. “Fraudulent apps were observed generating traffic through most major ad exchanges and networks. These apps would establish on average 1,100 connections per minute and communicate with 320 ad networks, ad servers, exchanges and data providers in the course of an hour.”
Over a 10-day period, the company says it observed more than 12 million unique devices with “infected” apps, affecting about one percent of mobile devices it observed in the US and two to three percent in Europe and Asia.
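As an added example (not code from the article or from Forensiq), the two figures quoted above can serve as thresholds for a simple per-app beaconing check over outbound-connection records; the log format, package names and ad hosts below are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple

# Thresholds taken from the Forensiq figures quoted above (per app).
CONNECTIONS_PER_MINUTE = 1100
ENDPOINTS_PER_HOUR = 320


class Conn(NamedTuple):
    ts: datetime
    app: str
    host: str


def parse_line(line: str) -> Conn:
    """Parse one 'ISO-timestamp app-package destination-host' record (constructed format)."""
    ts, app, host = line.split()
    return Conn(datetime.fromisoformat(ts), app, host)


def parse_log(lines: Iterable[str]) -> List[Conn]:
    return [parse_line(l) for l in lines if l.strip() and not l.startswith("#")]


class AppStats(NamedTuple):
    peak_per_minute: int       # connections in the busiest one-minute bucket
    peak_hosts_per_hour: int   # distinct destinations in the busiest one-hour bucket


def app_stats(conns: List[Conn]) -> Dict[str, AppStats]:
    per_min = defaultdict(lambda: defaultdict(int))   # app -> minute -> count
    per_hour = defaultdict(lambda: defaultdict(set))  # app -> hour -> hosts
    for c in conns:
        per_min[c.app][c.ts.replace(second=0, microsecond=0)] += 1
        per_hour[c.app][c.ts.replace(minute=0, second=0, microsecond=0)].add(c.host)
    return {
        app: AppStats(max(per_min[app].values()),
                      max(len(s) for s in per_hour[app].values()))
        for app in per_min
    }


def flag_hijacked(conns: List[Conn], rate: int = CONNECTIONS_PER_MINUTE,
                  hosts: int = ENDPOINTS_PER_HOUR) -> Dict[str, List[str]]:
    """Return {app: reasons} for apps whose traffic matches the hijacking pattern."""
    flagged = {}
    for app, s in app_stats(conns).items():
        reasons = []
        if s.peak_per_minute >= rate:
            reasons.append(f"{s.peak_per_minute} connections in one minute")
        if s.peak_hosts_per_hour >= hosts:
            reasons.append(f"{s.peak_hosts_per_hour} distinct ad hosts in one hour")
        if reasons:
            flagged[app] = reasons
    return flagged


def constructed_log() -> List[str]:
    """Constructed sample: one benign app and one app beaconing like the study describes."""
    start = datetime(2015, 7, 23, 10, 0, 0)
    lines = []
    # Benign: a news app fetching from four ad hosts, three requests a minute.
    for i in range(30):
        ts = start + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} com.example.news ads{i % 4}.benign-example.net")
    # Hijacked: 1,200 connections inside one minute, rotating through 350 hosts.
    for i in range(1200):
        ts = start + timedelta(milliseconds=50 * i)   # 1200 * 50 ms = 60 s
        lines.append(f"{ts.isoformat()} com.example.flashlight net{i % 350}.adx-example.org")
    return lines


if __name__ == "__main__":
    for app, why in flag_hijacked(parse_log(constructed_log())).items():
        print(app, "->", "; ".join(why))
```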
Tomi Engdahl says:
Jack Moore / Nextgov:
OPM Says Background Check System Now Back Online after Security Tweaks
http://www.nextgov.com/cybersecurity/2015/07/opm-says-background-check-system-back-online/118503/
The Office of Personnel Management on Thursday afternoon announced it’s beginning to restore access to an online system used to process background investigations. Officials had yanked the system offline last month after uncovering a vulnerability during a security review.
The system outage came weeks after OPM first announced personal information on millions of current and former federal employees had been stolen by hackers. Earlier this month, OPM confirmed a total of 21.5 million employees, contractors and their families were affected by the hack, which included information collected on background investigations forms stored by OPM.
OPM “proactively” pulled the plug on the Web-based e-QIP system June 26 “as a result of our comprehensive security assessment, to safeguard the ongoing security of the network,” said OPM spokesman Sam Schumach in a statement. Officials didn’t detect any malicious activity, and there was no evidence the unspecified vulnerability had ever been exploited, he said.
The system has been down less than four weeks.
Tomi Engdahl says:
WordPress 4.2.3 Fixes Vulnerabilities, Bugs
WordPress 4.2.3 has been released. The latest version patches 20 bugs and two vulnerabilities.
http://www.securityweek.com/wordpress-423-fixes-vulnerabilities-bugs
The developers of the WordPress content management system (CMS) announced on Thursday the availability of WordPress 4.2.3. This security and maintenance release fixes a couple of vulnerabilities, along with 20 bugs.
Tomi Engdahl says:
OpenSSH Vulnerability Exposes Servers to Brute Force Attacks
http://www.securityweek.com/openssh-vulnerability-exposes-servers-brute-force-attacks
OpenSSH vulnerability (CVE-2015-5600) exposes servers to brute-force attacks. Patch will be rolled out with the release of OpenSSH 7.0.
Tomi Engdahl says:
Siemens Patches Vulnerabilities in SIPROTEC, SIMATIC, RuggedCom Products
http://www.securityweek.com/siemens-patches-vulnerabilities-siprotec-simatic-ruggedcom-products
Siemens releases software and firmware updates to patch vulnerabilities in SIPROTEC, SIMATIC and RuggedCom products.
Tomi Engdahl says:
Rapid7 Nets $110 Million from IPO
http://www.securityweek.com/rapid7-nets-110-million-ipo
Boston, Mass.-based Rapid7, a provider of security analytics software and services, said on Wednesday that its recent initial public offering (IPO) netted the company over $100 million in new cash.
Tomi Engdahl says:
We Never Broke Any Laws: Hacking Team
http://www.securityweek.com/we-never-broke-any-laws-hacking-team
Italian spyware maker Hacking Team has responded to some of the reports published following the recent breach and has once again denied breaking any laws or regulations.
Hackers leaked more than 400GB of data stolen from the company’s systems earlier this month, including exploits, source code, documents, and communications. The leaked data has been analyzed by many researchers and organizations, and some interesting aspect of Hacking Team’s operations and tools comes to light almost every day.
Hacking Team says it’s displeased with the fact that it is being treated like an offender when in reality it has never broken any laws.
“The truth is that the company itself has operated within the law and all regulation at all times,” said Eric Rabe, Chief Marketing and Communications Officer at Hacking Team. “However, commentators dislike the fact that strong tools are needed to fight crime and terrorism, and Hacking Team provides them. So the company is being treated as the offender, and the criminals who attacked the company are not.”
Rabe claims the company currently complies with new regulations developed in 2014 and enacted in January 2015.
Hacking Team does not deny that it has sold its products to Sudan. However, the spyware maker argues that at the time when it sold its solutions to Sudan, back in 2012, its technology was not classified as a weapon or dual use technology. The same goes for other countries that don’t have a good civil rights record, including Russia and Ethiopia, Rabe said.
The spyware maker initially warned that the leaked source code would be useful to terrorists and extortionists.
However, the company now says its leaked code has become “obsolete” because it is easy to detect. Rook Security has released a free software tool designed to help organizations determine if their systems are infected with malware developed by Hacking Team.
Researchers at Trend Micro have analyzed the source code for Hacking Team’s RCSAndroid product and believe it “can be considered one of the most professionally developed and sophisticated Android malware ever exposed.”
It appears that Hacking Team’s Android spyware uses some open source tools developed by researcher Collin Mulliner.
“I’m pretty angry and sad to see my open source tools being used by Hacking Team to make products to spy on activists.”
Tomi Engdahl says:
Security Policy Debt Is Leaving You Vulnerable
http://www.securityweek.com/security-policy-debt-leaving-you-vulnerable
There is a well-understood concept in our industry (coined by Ward Cunningham) called technology debt. Said simply, it is the idea that technology is placed into the market in an incomplete—albeit functional—state and engineering development teams will, over time, get around to correcting the issues through software or firmware updates before the product becomes unstable or unusable. It’s not unlike finance: as long as debt can be serviced (interest paid), the enterprise remains solvent.
Debt, itself, is not necessarily a bad thing. But, what happens when debt accelerates out of control? Imagine this debt was your security policy (how you express the rules that manage security in your enterprise). We have hit an inflection point in the industry where the amount of security policy debt—i.e., the expression of security enforcement actions such as firewall rules and IDS signatures—has most enterprises wondering if they can continue to service the debt (keep adding and subtracting) or if the organization will grind to a complete halt.
In today’s hyper-charged cyber environment, a reckoning has arrived. Is adding additional security policy to the data center making us more or less vulnerable? Is our infrastructure and network security so complex, so brittle that we are both less secure and hamstrung from moving quickly?
Tomi Engdahl says:
Sandboxes are “Typed”: It’s Time to Innovate to Defeat Advanced Malware
http://www.securityweek.com/sandboxes-are-typed-it%E2%80%99s-time-innovate-defeat-advanced-malware
Sandbox technology used to fight advanced malware is also “typed” – as a security technology that malware authors expect to operate in a certain way. The problem is that cybercriminals increasingly use this knowledge to create new techniques to evade this line of defense.
Given this continuous innovation by attackers, it’s likely that your malware analysis needs have exceeded the capabilities of traditional sandboxing technologies. There are three typical ways that organizations purchase and deploy sandbox technology.
1. As a stand-alone solution without dependency on other security products
2. Built into network-based security devices such as firewalls, IPS, or UTMs
3. Built into secure content gateways, such as web or email gateways
While each deployment option has its own set of pros and cons, traditional sandboxing technologies generally work in the same way: they extract suspicious samples; analyze in a local virtual machine; and produce a report. They also face similar limitations: they can be evaded by environmentally-aware advanced malware; they don’t use nor do they share data that can be used to identify malware that has penetrated the network; and they offer limited remediation capabilities.
Tomi Engdahl says:
Stepping Up Security Risk Management Practices
http://www.securityweek.com/stepping-security-risk-management-practices
Targeted and highly sophisticated cyber-attacks are compelling security practitioners to change the way they deal with evolving threats. The damages associated with breaches are motivating companies to transition from a check-box mentality to a pro-active, risk-based approach to security. This means that security risk management needs to advance beyond traditional yearly assessments.
For decades, security risk management was driven by point-in-time compliance certification that was intended to strengthen an organization’s security posture. Escalating data breaches have proven what practitioners have known for years — being in compliance does not equal being secure. In response to the uptick in cyber-attacks, legislators and industry governing bodies alike have started to revise their guidelines to emphasize the implementation of a pro-active, risk-based approach to security over the traditional check-box mentality.
This approach requires that organizations take real-time information into account when running continuous monitoring and mitigation programs. Technology plays a central role in gathering all the necessary pieces that make up the security risk management puzzle.
Tomi Engdahl says:
Breaches Are More Than Malware
http://www.securityweek.com/breaches-are-more-malware
Over the years, the topic of advanced persistent threats (APTs) has become virtually synonymous with malware. However, while malware is obviously a critically important tool in the attacker’s arsenal, it is just one of many that make sophisticated attacks successful.
To bring this into focus, Mandiant, the incident response arm of FireEye, found that 46% of all compromised devices were not infected with malware. Focusing exclusively on the malware ensures that you only see half the problem.
It’s an eye-opening statistic for an industry that has over-rotated to focus almost exclusively on malware when thinking of advanced threats. It may be symptomatic of the adage, “If all you have is a hammer, everything looks like a nail.”
APTs have been defined largely by companies that sold malware sandboxes, which of course focus on malware. This isn’t meant to diminish the importance of these products. They address very real problems of custom and polymorphic malware that ran amok over traditional antivirus controls.
However, it’s a mistake to equate the lifecycle of an advanced attack with malware. Remember, advanced threats are often under the control of intelligent, creative humans. Malware is one of many tools at their disposal. If we lose sight of the big picture, we’ll develop blind spots and unintentionally play into attackers’ hands.
Go beyond the malware
Instead of spreading malware, it’s more practical and inconspicuous for an attacker to steal passwords or credentials from a compromised machine, and then use those credentials to spread inside the network. To avoid suspicion, attackers can tweak allowed applications to suit their needs.
Tomi Engdahl says:
Pakistan to shut down BlackBerry services by December over ‘security’
http://www.reuters.com/article/2015/07/24/us-pakistan-telecoms-idUSKCN0PY23920150724
The Pakistani government plans to shut down BlackBerry Ltd’s secure messaging services by Dec. 1 for “security reasons”, the Pakistan Telecommunication Authority said on Friday.
Pakistan, a nuclear-armed nation of 180 million people, is plagued by militancy, criminal gangs and drug traffickers.
“PTA has issued directions to local mobile phone operators to close BlackBerry Enterprise Services from Nov. 30 on security reasons,” an official with the Pakistan Telecommunications Authority said in a text message.
BlackBerry encrypts data
The company has faced similar problems in the past in India, the United Arab Emirates, Saudi Arabia and Indonesia.
Tomi Engdahl says:
Sarah Perez / TechCrunch:
Team behind Delicious releases Dmail, a Chrome extension to make Gmail messages self-destruct
Dmail Makes Your Gmail Messages Self-Destruct
http://techcrunch.com/2015/07/23/dmail-makes-your-gmail-messages-self-destruct/
Have you ever regretted sending an email, and wished you could take it back? Or maybe you’ve worried about sending confidential information over email – especially after seeing the damage a large-scale email hack can cause, like the one that hit Sony Pictures last year? A new “self-destructing” email service called Dmail aims to eliminate these concerns with the introduction of a tool that allows you to better control the messages that are sent over Gmail.
With Dmail, you can revoke access to any email at any time, and, in a release arriving soon, you’ll be able to stop recipients from forwarding your message to others, too.
The product works by way of a Google Chrome web browser extension, which only you, as the email sender, have to install.
https://mail.delicious.com/
Tomi Engdahl says:
Are E-commerce Retailers Facing an EMV Armageddon?
http://pro.whitepages.com/blog/are-e-commerce-retailers-facing-an-emv-armageddon/
Depending on what type of business you operate, whether brick and mortar, e-commerce or both, the rapidly approaching deadline to implement EMV-enabled payment processing systems either couldn’t come fast enough or it’s happening too soon.
On one hand, there’s obvious motivation to embrace more robust payment security systems. An article for Multichannel Merchant explained retailers saw $32 billion empty from their coffers as a result of fraud in 2014. The figure for the previous year was roughly $23 billion, which gave weight to the argument to President Obama and commercial organizations that something must be done, and carried out fairly quickly.
The massive breaches at Target and Home Depot only added fuel to the fire. Additionally, retailers got a reminder of the extensive damage that the fraud can have with Apple Pay’s troubles earlier this year.
An expected spike in e-commerce fraud
Multichannel Merchant highlighted the fact that e-commerce merchants in countries that switched to EMV payment cards experienced a sharp increase in fraud subsequent to the change. For instance, online fraud jumped 21 percent in Europe in 2012, which has been associated with the implementation of PIN-and-chip cards.
Because it’s more difficult to use counterfeit cards in a brick-and-mortar location, there’s a much greater incentive for fraudsters to put their efforts into online channels. There’s still an opportunity for cybercriminals to use stolen credentials to apply for a PIN-and-chip credit card. Being a card-not-present transaction, purchases through e-commerce storefronts present fewer barriers for these individuals to carry out their schemes.
The fact that card fraud is expected to double to $6.4 billion by 2018, according to PYMNTS.com, may be frightening enough to force e-tailers to reduce the speed at which they clear orders.
Tomi Engdahl says:
Wall Street Journal:
France approves surveillance law that allows government to monitor suspect’s communications without warrant, requires ISPs to collect traffic metadata
French Constitutional Court Approves New Powers for Intelligence Services
Decision clears final hurdle for a law which was accelerated after January terror spree in Paris
http://www.wsj.com/article_email/french-constitutional-court-approves-new-powers-for-intelligence-services-1437730809-lMyQjAxMTA1NzI0NjgyNzY1Wj
The court-backed provisions of the law allow a wide range of new surveillance techniques meant for the Internet age, including the collection of “metadata” about online traffic and the use of software that can monitor every keystroke on a computer. The court said intelligence services can use these tools without approval of a judge, though the government must still seek permission from an independent body created to oversee surveillance activities.
Tomi Engdahl says:
Washington Post:
Former DNI Mike McConnell, DHS Secretary Michael Chertoff, and Deputy Secretary of Defense William Lynn back strong encryption in op-ed — Why the fear over ubiquitous data encryption is overblown
Why the fear over ubiquitous data encryption is overblown
https://www.washingtonpost.com/opinions/the-need-for-ubiquitous-data-encryption/2015/07/28/3d145952-324e-11e5-8353-1215475949f4_story.html
More than three years ago, as former national security officials, we penned an op-ed to raise awareness among the public, the business community and Congress of the serious threat to the nation’s well-being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation.
In the wake of global controversy over government surveillance, a number of U.S. technology companies have developed and are offering their users what we call ubiquitous encryption — that is, end-to-end encryption of data with only the sender and intended recipient possessing decryption keys. With this technology, the plain text of messages is inaccessible to the companies offering the products or services as well as to the government, even with lawfully authorized access for public safety or law enforcement purposes.
The FBI director and the Justice Department have raised serious and legitimate concerns that ubiquitous encryption without a second decryption key in the hands of a third party would allow criminals to keep their communications secret, even when law enforcement officials have court-approved authorization to access those communications.
Several other nations are pursuing access to encrypted communications. In Britain, Parliament is considering requiring technology companies to build decryption capabilities for authorized government access into products and services offered in that country. The Chinese have proposed similar approaches to ensure that the government can monitor the content and activities of their citizens. Pakistan has recently blocked BlackBerry services, which provide ubiquitous encryption by default.
We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring.
First, such an encryption system would protect individual privacy and business information from exploitation at a much higher level than exists today. As a recent MIT paper explains, requiring duplicate keys introduces vulnerabilities in encryption that raise the risk of compromise and theft by bad actors.
Second, a requirement that U.S. technology providers create a duplicate key will not prevent malicious actors from finding other technology providers who will furnish ubiquitous encryption.
Finally, and most significantly, if the United States can demand that companies make available a duplicate key, other nations such as China will insist on the same. There will be no principled basis to resist that legal demand. The result will be to expose business, political and personal communications to a wide spectrum of governmental access regimes with varying degrees of due process.
Strategically, the interests of U.S. businesses are essential to protecting U.S. national security interests. After all, political power and military power are derived from economic strength. If the United States is to maintain its global role and influence, protecting business interests from massive economic espionage is essential. And that imperative may outweigh the tactical benefit of making encrypted communications more easily accessible to Western authorities.
Tomi Engdahl says:
David E. Sanger / New York Times:
Anonymous Obama administration sources say US will retaliate against China for OPM hack and is weighing options that include breaching the Great Firewall
U.S. Decides to Retaliate Against China’s Hacking
http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html?_r=0
The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict.
The decision came after the administration concluded that the hacking attack was so vast in scope and ambition that the usual practices for dealing with traditional espionage cases did not apply.
But in a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States — to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries.
That does not mean a response will happen anytime soon — or be obvious when it does.
“One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” said one senior administration official involved in the debate, who spoke on the condition of anonymity to discuss internal White House plans. “We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response.”
Mr. Clapper predicted that the number and sophistication of hacking aimed at the United States would worsen “until such time as we create both the substance and psychology of deterrence.”
“Criminal charges appear to be unlikely in the case of the O.P.M. breach,”
There is another risk in criminal prosecution: Intelligence officials say that any legal case could result in exposing American intelligence operations inside China — including the placement of thousands of implants in Chinese computer networks to warn of impending attacks.
One of the most innovative actions discussed inside the intelligence agencies, according to two officials familiar with the debate, involves finding a way to breach the so-called great firewall, the complex network of censorship and control that the Chinese government keeps in place to suppress dissent inside the country. The idea would be to demonstrate to the Chinese leadership that the one thing they value most — keeping absolute control over the country’s political dialogue — could be at risk if they do not moderate attacks on the United States.
But any counterattack could lead to a cycle of escalation just as the United States hopes to discuss with Chinese leaders new rules of the road limiting cyberoperations.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
New attack on Tor can deanonymize hidden services with surprising accuracy
Deanonymization requires luck but nonetheless shows limits of Tor privacy.
http://arstechnica.com/security/2015/07/new-attack-on-tor-can-deanonymize-hidden-services-with-surprising-accuracy/
Computer scientists have devised an attack on the Tor privacy network that in certain cases allows them to deanonymize hidden service websites with 88 percent accuracy.
Such hidden services allow people to host websites without end users or anyone else knowing the true IP address of the service. The deanonymization requires the adversary to control the Tor entry point for the computer hosting the hidden service. It also requires the attacker to have previously collected unique network characteristics that can serve as a fingerprint for that particular service. Tor officials say the requirements reduce the effectiveness of the attack. Still, the new research underscores the limits to anonymity on Tor, which journalists, activists, and criminals alike rely on to evade online surveillance and monitoring.
“Our goal is to show that it is possible for a local passive adversary to deanonymize users with hidden service activities without the need to perform end-to-end traffic analysis,”
The research is sure to interest governments around the world, including the US. On at least two occasions over the past few years, FBI agents have exploited software vulnerabilities, once Adobe Flash and once in Mozilla Firefox, to identify criminal suspects. Recently unsealed court documents also show the FBI seizing a Tor-hidden child porn site and allowing it to run for weeks so agents could gather evidence on visitors.
In an e-mail, Tor project leader Roger Dingledine said the requirements of the attack greatly limited its effectiveness in real-world settings. First, he said, the adversary must control one of the entry guards a hidden service is using.
Tomi Engdahl says:
Kim Zetter / Wired:
Researchers Create First Firmware Worm That Attacks Macs — The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t.
Researchers Create First Firmware Worm That Attacks Macs
http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/
Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.
The attack raises the stakes considerably for system defenders since it would allow someone to remotely target machines—including air-gapped ones—in a way that wouldn’t be detected by security scanners and would give an attacker a persistent foothold on a system even through firmware and operating system updates. Firmware updates require the assistance of a machine’s existing firmware to install, so any malware in the firmware could block new updates from being installed or simply write itself to a new update as it’s installed.
The only way to eliminate malware embedded in a computer’s main firmware would be to re-flash the chip that contains the firmware.
“[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” says Xeno Kovah, one of the researchers who designed the worm.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Hackers begin exploiting denial-of-service bug in BIND software to attack DNS servers
Exploits start against flaw that could hamstring huge swaths of Internet
If you haven’t installed Bind update, now would be a good time to do so.
http://arstechnica.com/security/2015/08/exploits-start-against-flaw-that-could-hamstring-huge-swaths-of-internet/
Hackers have started exploiting an extremely severe vulnerability in a widely used software utility, touching off concerns that the in-the-wild attacks could affect the stability of the Internet.
The attacks are exploiting a denial-of-service bug in all versions of Bind, the most widely used software for translating human-friendly domain names into IP addresses used by servers. As Ars reported last week, the flaw can be exploited with a single command to crash authoritative and recursive domain name system servers and in theory could allow a single person to take down large swaths of the Internet. There’s no practical workaround, although some website firewalls can block many exploits. The only way administrators can ensure they don’t fall victim is to install a recently published patch.
“Because of its severity we’ve been actively monitoring to see when the exploit would be live,” Daniel Cid, founder and CTO of security firm Sucuri, wrote in a blog post published Sunday. “We can confirm that the attacks have begun. DNS is one of the most critical parts of the Internet infrastructure, so having your DNS go down, it also means your e-mail, HTTP, and all other services will be unavailable.”
Bind is bundled in most versions of Linux. While the update is already available for just about every distribution, admins must manually install it and restart DNS servers to be properly patched.
CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure
https://kb.isc.org/article/AA-01272/74/CVE-2015-5477%3A-An-error-in-handling-TKEY-queries-can-cause-named-to-exit-with-a-REQUIRE-assertion-failure.html
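Since the advisory above names TKEY queries as the trigger and the article notes there is no practical workaround short of patching, an administrator may want to see how often such queries reach a resolver at all. The following is an added example (not code from Ars Technica, ISC or this blog): a minimal parser for the question section of a DNS message that reports any name queried with QTYPE TKEY (type 249, per RFC 2930); the packets it is run on are constructed here, and it does not reproduce the faulty handling in named.

```python
import struct
from typing import List, Tuple

QTYPE_TKEY = 249  # TKEY resource record type (RFC 2930), the query type the advisory names


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS name at offset, following RFC 1035 compression pointers.

    Returns (name, offset just past the name in the original position)."""
    labels: List[str] = []
    end = offset
    jumped = False
    hops = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            hops += 1
            if hops > 16:                              # guard against pointer loops
                raise ValueError("pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                                # root label terminates the name
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) or ".", end


def parse_questions(packet: bytes) -> List[Tuple[str, int, int]]:
    """Return [(qname, qtype, qclass), ...] from a DNS message's question section."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = _read_name(packet, offset)
        if offset + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions


def tkey_queries(packet: bytes) -> List[str]:
    """Names queried with QTYPE TKEY; ordinary stub resolvers essentially never send these."""
    return [name for name, qtype, _ in parse_questions(packet) if qtype == QTYPE_TKEY]


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed, minimal standard query (QDCOUNT=1) used only to exercise the parser."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN


if __name__ == "__main__":
    for pkt in (build_query("www.example.com", 1), build_query("example.com", QTYPE_TKEY)):
        print(parse_questions(pkt), "TKEY:", tkey_queries(pkt))
```

Run against a capture, the function would be applied to the UDP payload of each query on port 53; a non-empty result is worth logging while unpatched resolvers remain.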
Tomi Engdahl says:
Eva Dou / Wall Street Journal:
China to impose export controls on advanced drones and supercomputers from August 15th — China Restricts Exports of Drones, Supercomputers — China is curbing its exports of advanced drones and supercomputers, in the country’s latest move to tighten control over technologies linked to national security.
China Restricts Exports of Drones, Supercomputers
http://blogs.wsj.com/chinarealtime/2015/08/03/china-restricts-exports-of-drones-supercomputers/
China is curbing its exports of advanced drones and supercomputers, in the country’s latest move to tighten control over technologies linked to national security.
Starting in mid-August, Chinese makers of super-powerful drones and some advanced computers will have to obtain an export license, according to a statement from China’s Ministry of Commerce and the General Administration of Customs on Friday.
Computers will require an export license if they exceed 8 “teraflops”
China’s new supercomputer export control standard is similar to the one used by the U.S
China has been strengthening its control over its technology industry, as it seeks to avoid infiltration by foreign spies and build up globally competitive tech companies.
China’s drones have also caused political incidents in recent months, after unmanned aircraft sold by Shenzhen-based SZ DJI Technology Co. were flown onto the roof of the office of Japanese Prime Minister Shinzo Abe and the grounds of the White House in Washington. Tensions flared between Pakistan and India last month after Pakistan’s military shot down an Indian “spy drone” in the disputed region of Kashmir that appeared from pictures to be made by DJI.
export restrictions are likely meant to call attention to China’s technology strengths
Tomi Engdahl says:
Gurman Bhatia / Poynter:
How a 17-year-old Daily Dot reporter, William Turton, broke the New York Magazine cyber attack story — Meet the 17-year-old who breaks cybersecurity news — William Turton was transcribing interviews at The Daily Dot office when he got the information that Planned Parenthood’s website had been hacked.
Meet the 17-year-old who breaks cybersecurity news
http://www.poynter.org/news/mediawire/362325/meet-the-17-year-old-who-breaks-cybersecurity-news/
William Turton was transcribing interviews at The Daily Dot office when he got information that Planned Parenthood’s website had been hacked. It was 8:22 p.m. on a Sunday evening. He started reporting. Around six hours later, he got another tip that New York Magazine’s website was facing a cyber attack. He jumped on that as well. Sitting in an empty workspace, Turton had kept the lights off so that he could manage his headache. He went on to report on both the stories into the night and published them at 8 a.m. that morning. He was the first one to get the news out. Turton covers politics and hacking for The Daily Dot. He is also a 17-year-old high school student.
Based in a suburb in Virginia, Turton got into journalism at the age of 14 when he started writing about gaming.
“I had always wanted to write about politics and hacking. But the only way anyone would really take me seriously, I figured, is if I wrote about video games,” said Turton.
How do you cover hacking? It’s just like any other beat, Turton said, and a lot of it means building relationships with hackers and speaking to them regularly. According to Andrew Couts, one of his editors, that is Turton’s strength.
“He maintains relationships with sources constantly to find out what they are doing. I think that a lot of reporters can take a lesson from him just in terms of cultivating sources,” said Couts.
Turton also understands the technicalities behind the methods of attacks. Since he was always into computers, that came to him naturally. Many of his sources use advanced forms of communication and encryption to hide their real identity, so being accessible with those technologies also helps.
What is tricky about covering a beat such as cybersecurity is the verification process.
“William’s sources are definitely people who you want to be skeptical of no matter how cooperative they are,” said Couts. “In some cases, be more skeptical when they are cooperative.”
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Symantec: Anthem was a secondary target for hacking group Black Vine, which primarily targeted aerospace, energy, military, and technology industries
Group that hacked Anthem shared weaponized 0-days with rival attackers
History’s biggest healthcare breach was just another hack for Black Vine gang.
http://arstechnica.com/security/2015/07/group-that-hacked-anthem-shared-weaponized-0-days-with-rival-attackers/
An attack in early 2014 on Anthem, the No. 2 US health insurer, was by most measuring sticks a historic hack, leading to the biggest healthcare data breach ever. New evidence unearthed by researchers from security firm Symantec, however, shows it was business as usual for the hacking group, which over the past three years has carried out more than a dozen similar attacks.
Dubbed Black Vine, the group is well financed enough to have a reliable stream of weaponized exploits for zero-day vulnerabilities in Microsoft’s Internet Explorer browser. Since 2012, the gang has brazenly infected websites frequented by executives in the aerospace, energy, military, and technology industries and then used the compromises to siphon blueprints, designs, and other intellectual property from the executives’ organizations. The targeting of Anthem appears to reflect more of a secondary interest that was intended to further advance a primary interest in aerospace, energy, and other similar industries rather than to target healthcare information for its own sake.
“If someone just has Vikram’s healthcare records, overall there’s very little gain,” Vikram Thakur, senior security researcher with Symantec, told Ars, as he described the motivations of the Black Vine group hacking Anthem. “But then you get healthcare information about a Vikram working for a government entity or a defense contractor, there is substantial value in that. This is the kind of data that’s used in combination with something else to reach an entirely non-healthcare related goal.”
Tomi Engdahl says:
Advanced spyware for Android now available to script kiddies everywhere
Hacking Team code is the most professionally developed Android malware ever exposed.
http://arstechnica.com/security/2015/07/advanced-spyware-for-android-now-available-to-script-kiddies-everywhere/
Java and Flash both vulnerable—again—to new 0-day attacks
Java bug is actively exploited. Flash flaws will likely be targeted soon.
http://arstechnica.com/security/2015/07/two-new-flash-exploits-surface-from-hacking-team-combine-with-java-0-day/
Internet users should take renewed caution when using both Adobe Flash and Oracle’s Java software framework; over the weekend, three previously unknown critical vulnerabilities that could be used to surreptitiously install malware on end-user computers were revealed in Flash and Java.
The Java vulnerability is significant because attackers are actively exploiting it in an attempt to infect members of NATO, researchers from security firm Trend Micro warned in a blog post published Sunday. They said the attack involves a separate Windows vulnerability indexed as CVE-2012-015, which Microsoft addressed in 2012 in bulletin MS12-027. Oracle developers are working on a fix, the blog post said.
Tomi Engdahl says:
Keith Collins / Quartz:
Easily accessible dark web marketplaces list stolen identities from $1, to $450 for a premium identity with a high credit score
Here’s what your stolen identity goes for on the internet’s black market
http://qz.com/460482/heres-what-your-stolen-identity-goes-for-on-the-internets-black-market/
The going rate for a stolen identity is about twenty bucks.
Tens of millions of people have lost their private information in data breaches over the past few years. But what happens after that—how the data are leveraged for financial gain—remains murky. Many of those stolen records end up for sale on the anonymous, seedy area of the internet commonly known as the dark web.
Analyzing the sale of those records sheds some light on the vibrant market for stolen identities. On the dark web’s eBay-like marketplaces, the full set of someone’s personal information—identification number, address, birthdate, etc.—are known as “fullz.”
Tomi Engdahl says:
John Fontana / ZDNet:
Federal courts start to recognize the possibility of ongoing harm to data breach victims, fueling class-action lawsuits
Federal Court’s data breach decision shows new tilt toward victims, class-action lawsuits
http://www.zdnet.com/article/courts-data-breach-decision-shows-new-tilt-toward-victims-class-action-lawsuits/
Federal courts beginning to recognize possibility of on-going harm to those who lose financial, personal data in a breach
Federal courts historically have been quick to dismiss plaintiff claims of on-going harm when their data is snatched in a breach, but a crack is appearing in that logic that could change how liability is gauged for hacked corporations and fuel class-action lawsuits against those companies.
Last week, the U.S. Court of Appeals for the Seventh Circuit began to question the depth of on-going harm to victims by overturning a district court that had tossed a class-action lawsuit against Neiman Marcus over a 2014 data breach. The Court said victims had “standing,” a right to file a lawsuit in federal court, over concerns of on-going problems.
Liability is the piece of the breach puzzle that gets lost in the ranting against weak passwords and the standard corporate cleanup with its perfunctory one-year free credit monitoring services. Use of stolen passwords to hack the victim’s accounts on other sites has been going on for years.
The number of breaches that have been occurring show that most companies are near defenseless against data breaches either via their own shoddy security, weakness is partner networks, or the all-too-familiar “sophisticated attack” excuse corporate PR machines use when announcing a breach.
Companies have been walking away from liability after the initial breach mess is cleaned up.
The Seventh Circuit ruled that even beyond reimbursement for fraudulent charges, that plaintiffs incurred other costs to rebuild their financial lives. In addition, the court said even those in the class-action lawsuit who did not experience fraudulent charges have a likelihood of fraud in their future.
The Court said, “Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing.”
Ballard Spahr lawyers said in their review, that the Seventh Circuit’s opinion “…is likely to lead to an increase in data breach class actions in cases involving hacking”
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Zero-day vulnerability in Apple’s latest, fully patched OS X allows hackers to surreptitiously infect Macs with malware
0-day bug in fully patched OS X comes under active exploit to hijack Macs
Privilege-escalation bug lets attackers infect Macs sans password.
http://arstechnica.com/security/2015/08/0-day-bug-in-fully-patched-os-x-comes-under-active-exploit-to-hijack-macs/
Hackers are exploiting a serious zero-day vulnerability in the latest version of Apple’s OS X so they can perform drive-by attacks that install malware without requiring victims to enter system passwords, researchers said.
As Ars reported last week, the privilege-escalation bug stems from new error-logging features that Apple added to OS X 10.10. Developers didn’t use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that lets attackers open or create files with root privileges that can reside anywhere in the OS X file system. It was disclosed last week by security researcher Stefan Esser.
Tomi Engdahl says:
Deborah Gage / Wall Street Journal:
Cloud security provider Zscaler raises $100M at $1B+ valuation, in a Series B round led by TPG
Aiming for an IPO, Zscaler Raises $100M to Provide Security from the Cloud
http://blogs.wsj.com/venturecapital/2015/08/03/aiming-for-an-ipo-zscaler-raises-100m-to-provide-security-from-the-cloud/
Tomi Engdahl says:
Duncan Campbell / The Intercept:
British security journalist Duncan Campbell on being charged with espionage and his struggles reporting on agencies like GCHQ
https://firstlook.org/theintercept/2015/08/03/life-unmasking-british-eavesdroppers/
Tomi Engdahl says:
American Airlines, Sabre Said to Be Hit in China-Tied Hacks
http://www.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-to-be-hit-in-hacks-backed-by-china
A group of China-linked hackers that has mowed through the databanks of major American health insurers and stolen personnel records of U.S. military and intelligence agencies has struck at the heart of the nation’s air-travel system, say people familiar with investigations of the attacks.
Sabre Corp., which processes reservations for hundreds of airlines and thousands of hotels, confirmed that its systems were breached recently, while American Airlines Group Inc., the world’s biggest carrier, said it is investigating whether hackers had entered its computers.
Both companies were hacked as part of the same wave of attacks that targeted insurer Anthem Inc. and the U.S. government’s personnel office, according to three people with knowledge of the cybersecurity probes. The investigators have tied those incursions to the same China-backed hackers, an assessment shared by U.S. officials, the people said.
The latest incidents, which haven’t previously been reported, are the broadest yet on the U.S. travel industry, emerging a week after security experts attributed an attack on United Airlines, the world’s second-largest carrier, to the same group.
Months-Long Hack
The OPM link, if confirmed, would add two more big names to a ballooning list of victims. In the case of United, the hackers plundered its databanks for several months based on the compiled data of the malware found in the airline’s system, according to a person familiar with the matter.
Before the disclosures about United, American and Sabre, cybersecurity firm FireEye Inc. said the same China-tied group responsible for the OPM breach had hit about 10 victims since 2013.
Tomi Engdahl says:
Emily Dreyfuss / Wired:
LG joins Samsung and Google in committing to monthly security updates for its devices — Big Android Makers Will Now Push Monthly Security Updates — The Stagefright bug has quickly frightened cell phone manufacturers into action. It’s been just over a week since researchers alerted …
Big Android Makers Will Now Push Monthly Security Updates
http://www.wired.com/2015/08/google-samsung-lg-roll-regular-android-security-updates/
The Stagefright bug has quickly frightened cell phone manufacturers into action. It’s been just over a week since researchers alerted the public to the serious flaw that has been called the worst Android “bug ever discovered,” and the major Android manufacturers have already taken concrete steps to fix it.
As of yesterday, Google will now roll out regular monthly over-the-air security updates to its devices. And so will Samsung. And LG.
“LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately. We believe these important steps will demonstrate to LG customers that security is our highest priority,” an LG representative told WIRED today in an email.
Yesterday, Samsung announced a similar program in a blog post: “Samsung Electronics will implement a new Android security update process that fast tracks the security patches over the air when security vulnerabilities are uncovered. These security updates will take place regularly about once per month.”
As for Google, its updates will be rolling out to its entire Nexus line.
Tomi Engdahl says:
Kim Zetter / Wired:
Researchers gain complete control of electric skateboards by hijacking unencrypted Bluetooth communications between the board and the remote — Hackers Can Seize Control of Electric Skateboards and Toss Riders — Richard “Richo” Healey was riding his electric skateboard toward an intersection …
Hackers Can Seize Control of Electric Skateboards and Toss Riders
http://www.wired.com/2015/08/hackers-can-seize-control-of-electric-skateboards-and-toss-riders-boosted-revo/
Richo Healey was riding his electric skateboard toward an intersection in Melbourne, Australia, last year when suddenly the board cold-stopped beneath him and tossed him to the street.
It didn’t take long to determine that Bluetooth noise in the neighborhood was the likely culprit. The intersection, near Federation Square, was notorious for being saturated with radio frequency noise. Healey was controlling his board with a handheld remote that sent drive commands to the board via Bluetooth. It was clear he hadn’t been hacked; instead, he concluded, a flood of Bluetooth traffic from devices around him had interfered with his remote’s connection to the board.
The incident served as inspiration. “I got to thinking, what is it about this environment and can I replicate it?” he told WIRED.
They focused their research on Healey’s board, a Boosted board made by the American company of the same name, which sells for about $1,500; as well as a board made by the Australian firm Revo, which runs between $700 and $1,000; and a board called E-Go made by the China-based firm Yuneec, which costs about $700.
They found at least one critical vulnerability in each board, all of which hinge on the fact that the manufacturers of the boards failed to encrypt the communication between the remotes and the boards. The attack for controlling the boards is essentially identical for each skateboard, but the mechanism for conducting it differs somewhat for each.
How the FacePlant Hack Works
The Boosted board works with an app, which controls two 1,000-watt electric motors, a small, handheld remote, which the rider uses to adjust speed using Bluetooth Low Energy wireless technology, and a battery that allows the board to operate for about six miles on a single charge. A dead man’s switch, which the rider holds down to stay in motion, cuts the motor if the rider releases the switch.
Because the Bluetooth communication is not encrypted or authenticated, a nearby attacker can easily insert himself between the remote and the app, forcing the board to connect to his laptop. Once he achieves this, he can stop the skateboard abruptly, ejecting the rider, send a malicious exploit that causes the wheels to suddenly alter direction and go in reverse at top speed, or disable the brakes. An attacker can also simply jam the communication between the remote and the board while a driver is on a steep hill, causing the brakes to disengage.
“This thing can cause some serious damage,”
Timing Is the Key
The FCC mandates that in order to have a Bluetooth device certified it has to be able to withstand the presence of interference. But none of the three boards they tested were resilient against the interference of the researchers.
It takes two to ten seconds of jamming for an attacker’s Bluetooth connection to land on the board, then the exploit has a window of just 10 milliseconds to kick in before the rider’s remote control will automatically attempt to re-connect to the board.
“The trick is, Bluetooth sniffing is not entirely an evolved science, but with no encryption and no signing, once we own the connection, it’s over right there,” says Healey.
Because the Boosted app is capable of updating the firmware, an attacker impersonating the app can do so as well.
“Once you have the ability to write arbitrary firmware, you can change the top speed, change the minimum speed, make the board refuse to stop and ignore the existence of the [remote] controller,” says Ryan. And after overwriting the firmware, the skateboard owner would have to refresh the firmware to regain control of the board.
To seize control, they used three transmitters that cost about $100 each. If they wanted to increase the likelihood of hitting the board on first try, they could increase their power by using say $1,000 worth of equipment to jam the signal. But this sledgehammer approach would likely jam every Bluetooth device in the neighborhood, not just a skateboard.
“We haven’t seen any safety in the electric vehicle market and there’s a pretty serious lack of manufacturers taking security seriously.” (Richo Healey)
Tomi Engdahl says:
This Hacker’s Tiny Device Unlocks Cars And Opens Garages
http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/
The next time you press your wireless key fob to unlock your car, if you find that it doesn’t beep until the second try, the issue may not be a technical glitch. Instead, a hacker like Samy Kamkar may be using a clever radio hack to intercept and record your wireless key’s command. And when that hacker walks up to your vehicle a few minutes, hours, or days later, it won’t even take those two button presses to get inside.
At the hacker conference DefCon in Las Vegas tomorrow, Kamkar plans to present the details of a gadget he’s developed called “RollJam.” The $32 radio device, smaller than a cell phone, is designed to defeat the “rolling codes” security used in not only most modern cars and trucks’ keyless entry systems, but also in their alarm systems and in modern garage door openers.
RollJam, as Kamkar describes it, is meant to be hidden on or near a target vehicle or garage, where it lies in wait for an unsuspecting victim to use his or her key fob within radio range. The victim will notice only that his or her key fob doesn’t work on the first try. But after a second, successful button press locks or unlocks a car or garage door, the RollJam attacker can return at any time to retrieve the device, press a small button on it, and replay an intercepted code from the victim’s fob to open that car or garage again at will. “Every garage that has a wireless remote, and virtually every car that has a wireless key can be broken into,” says Kamkar.
Thieves have used “code grabber” devices for years to intercept and replay wireless codes for car and garage doors. But both industries have responded by moving the ISM radio signals their key fobs use to a system of rolling codes, in which the key fob’s code changes with every use and any code is rejected if it’s used a second time.
To circumvent that security measure, RollJam uses an uncannily devious technique: The first time the victim presses their key fob, RollJam “jams” the signal
When that first signal is jammed and fails to unlock the door, the user naturally tries pressing the button again. On that second press, the RollJam is programmed to again jam the signal and record that second code, but also to simultaneously broadcast its first code. That replayed first code unlocks the door, and the user immediately forgets about the failed key press. But the RollJam has secretly stored away a second, still-usable code. “You think everything worked on the second time, and you drive home,”
If the RollJam is attached to the car or hidden near a garage, it can repeat its jamming and interception indefinitely no matter how many times the car or garage door’s owner presses the key fob, replaying one code and storing away the next one in the sequence for the attacker.
Kamkar isn’t the first, as Cadillac implies, to invent the RollJam’s method of jamming, interception and playback.
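Both the skateboard story above (commands accepted with no authentication) and the RollJam story (rolling codes that stay valid until used) come down to what a receiver checks before acting on a wireless frame. The following is an added illustration, not code from either article, from Kamkar, or from any vendor: a constructed receiver simulation in which each command carries a counter, a send timestamp and an HMAC tag over a shared key. It shows that the tag stops tampered frames, that the counter stops replay of an already-used code, and that a counter alone still accepts a captured-but-unused code long after it was emitted; binding the code to a short validity window (the `time_bound` variant) is the mitigation. Key, frame layout, window sizes and the `Receiver` class are all assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import struct

# Constructed demo secret; a real pairing would hold a per-device key.
SHARED_KEY = b"demo-key-for-illustration-only"
COUNTER_WINDOW = 16        # assumed: how far ahead of the last-seen counter we accept
CODE_LIFETIME_S = 30.0     # assumed: how long a code stays valid in the time-bound variant
HEADER_FMT = ">Id"         # 4-byte counter, 8-byte send timestamp
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = 32               # HMAC-SHA256


def make_command(key: bytes, counter: int, payload: bytes, sent_at: float) -> bytes:
    """Build counter || timestamp || payload and append an HMAC-SHA256 tag."""
    body = struct.pack(HEADER_FMT, counter, sent_at) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Rolling-code style receiver (hypothetical design for this example)."""

    def __init__(self, key: bytes, time_bound: bool = False) -> None:
        self.key = key
        self.last_counter = 0
        self.time_bound = time_bound

    def accept(self, frame: bytes, now: float) -> tuple[bool, str]:
        if len(frame) < HEADER_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"             # altered or forged command
        counter, sent_at = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
        if counter <= self.last_counter:
            return False, "replayed counter"    # code already consumed
        if counter > self.last_counter + COUNTER_WINDOW:
            return False, "outside window"      # desynchronised or bogus counter
        if self.time_bound and now - sent_at > CODE_LIFETIME_S:
            return False, "stale code"          # captured-but-unused code has expired
        self.last_counter = counter
        return True, "ok"


def run_scenario(time_bound: bool) -> dict[str, str]:
    """Replay the sequence from the article against one receiver and record its verdicts."""
    rx = Receiver(SHARED_KEY, time_bound)
    t0 = 1_000.0
    out: dict[str, str] = {}
    # Two presses that the receiver never heard (jammed); both codes were captured.
    code1 = make_command(SHARED_KEY, 1, b"UNLOCK", t0)
    code2 = make_command(SHARED_KEY, 2, b"UNLOCK", t0 + 3)
    # Code 1 is forwarded right away: authentic, fresh counter, so it opens the door.
    out["replay_code1_now"] = rx.accept(code1, t0 + 3)[1]
    # The same code a second time is an ordinary replay and is rejected.
    out["replay_code1_again"] = rx.accept(code1, t0 + 4)[1]
    # Changing the payload without the key breaks the tag (the skateboard case).
    forged = bytearray(code2)
    forged[HEADER_LEN] ^= 0xFF
    out["tampered"] = rx.accept(bytes(forged), t0 + 4)[1]
    # A counter far ahead of the window is rejected even though it is authentic.
    out["far_ahead"] = rx.accept(make_command(SHARED_KEY, 500, b"UNLOCK", t0 + 4), t0 + 4)[1]
    # An hour later the never-used code 2 is presented: the plain receiver accepts it,
    # the time-bound receiver does not.
    out["replay_code2_later"] = rx.accept(code2, t0 + 3600)[1]
    return out


if __name__ == "__main__":
    for label, tb in (("counter only", False), ("counter + lifetime", True)):
        print(label, run_scenario(tb))
```

The interesting line is `replay_code2_later`: with the counter-only receiver it reads `ok`, with the time-bound receiver `stale code`. The counter defends against a code being used twice, which is exactly what rolling codes were designed for, but it says nothing about how old an unused code is; a validity window needs a clock on both sides, which is the trade-off a fob or remote designer has to weigh.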
Tomi Engdahl says:
Hacking a KVM: Teach a Keyboard Switch to Spy
http://hackaday.com/2015/08/08/hacking-a-kvm-teach-a-keyboard-switch-to-spy/
When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet.
Tomi Engdahl says:
Millions of Satellite Receivers are Low-Hanging Fruit for Botnets
http://hackaday.com/2015/08/09/millions-of-satellite-receivers-are-low-hanging-fruit-for-botnets/
Satellite television is prevalent in Europe and Northern Africa. This is delivered through a Set Top Box (STB) which uses a card reader to decode the scrambled satellite signals. You need to buy a card if you want to watch. But you know how people like to get something for nothing. This is being exploited by hackers and the result is millions of these Set Top Boxes just waiting to form into botnets.
The hardware in satellite receivers is running Linux. They use a card reader to pull in a Code Word (CW) which decodes the signal coming in through the satellite radio.
An entire black market has grown up around these Code Words. Instead of purchasing a valid card, people are installing plugins from the Internet which cause the system to phone into a server which will supply valid Code Words. This is known as “card sharing”.
On the user side of things this just works; the user watches TV for free.
[Sofiane] demonstrated how little you need to know about this system to create a botnet:
Build a plugin in C/C++
Host a card-sharing server
Botnet victims come to you (profit)
It is literally that easy. The toolchain to compile the STLinux binaries (gcc) is available in the Linux repos. The STB will look for a “bin” directory on a USB thumb drive at boot time, the binary in that folder will be automatically installed. Since the user is getting free TV they voluntarily install this malware.
Tomi Engdahl says:
BBC:
Hackers may have accessed personal details of 2.4M Carphone Warehouse customers, along with 90K encrypted credit card records
Carphone Warehouse in customer data breach
http://www.bbc.com/news/uk-33835185
Personal details of up to 2.4 million Carphone Warehouse customers may have been accessed in a cyber-attack, the mobile phone retailer says.
Up to 90,000 customers may also have had their encrypted credit card details accessed, it said in a statement.
While the “vast majority” of Carphone Warehouse customers are unaffected, the breach does concern some of the company’s separately managed divisions.
The BBC’s Joe Lynam says Carphone Warehouse first became aware of the problem on 5 August.
“In that time, 72 hours, they will say we need to find the depth of the breach, but let’s say some people do have their cards compromised,” he said.
“They will be livid that they weren’t told straight away, so they could cancel those cards.”
Tomi Engdahl says:
DEF CON: Abusing Scripts in Multiplayer Games
http://hackaday.com/2015/08/08/def-con-abusing-scripts-in-multiplayer-games/
Everyone has at least a few games on their computer, and I would assume most of the Hackaday readership would be among the enlightened PC gamer brethren. At this year’s DEF CON, [Tamas Szakaly] gave a talk about the data these games leak to the Internet, the data they accept from the Internet, and what you can do with that data.
[Tamas]’ first target was Crysis 2 and the CryEngine3. This game uses a Lua scripting engine and has no sandbox whatsoever. That means [Tamas] can call os.execute, and from there the entire game is over. Or it’s just begun. Either way you look at it, it’s pretty bad.
CryTek notwithstanding, [Tamas] can also use games with Lua scripting that have a real sandbox. DOTA2 has a leaky sandbox and can be used to call OS I/O routines and execute base64-encoded executables right over the main executable.
Interestingly, these games have anti-cheat mechanisms that look at the memory used by the game and report back ‘irregularities’. This catches players using common cheat techniques such as walking through walls, but [Tamas]’ techniques aren’t detected at all.