Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security gets harder year by year. Year 2014 was much worse than 2013: Heartbleed, Shellshock in Bash and POODLE were only the beginning of what to expect in 2015. I expect that 2014 will look easy compared to 2015, which will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They can come from inside or outside.
According to Gartner, as reported by SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investment is not keeping up with the IT enhancements that continuously widen our attack surface and make systems more vulnerable. Computer software has become the backbone of modern civilization, and “hacktivists”, organized cyber criminals, state-sponsored attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If software continues to be developed with the same methods, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied, and the traditional methods continue to produce high failure rates. Why create insecure security software?
Year 2014 was shaped by the NSA revelations that began in 2013, and a great deal was written about the material published. Not everything has been published yet, so I expect further details from the NSA documents to come out in 2015, along with new leaks about how governmental security organizations spy on us all.
Year 2014 has almost been “The Year of PoS Breaches”. Can we learn from the big breaches? At least companies will face more stringent regulation: the new Payment Card Industry Data Security Standard 3.0 (PCI DSS 3.0) becomes mandatory for all businesses that store, process or transmit payment card information on 1 January 2015. The revamped standard includes requirements aimed at third-party providers, and the changes follow a string of high-profile breaches. I do not expect the new requirements to change the situation quickly. As breach reports keep coming, consumers are officially starting to suffer breach fatigue, and banks are taking breached companies to court to recover the damages caused to them.
Public and private organizations face cyber-attacks and security breaches of increasing frequency and sophistication, many of which are discovered only after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read that forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it did not plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. The Sony Pictures hack in 2014 showed that the motives of sophisticated attackers have shifted from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally focused on other risks). A computerized attack can do a lot of damage to a well-prepared company, and can turn a not-so-well-prepared company into a disaster it cannot recover from. The Sony attack also opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) has said governments are ill-equipped to counter the menace of “injury and possible deaths” caused by hacking attacks on critical safety equipment. Transportation holds many potential dangers: many new cars are Internet-connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and, together with safety, will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry, and security is becoming a business enabler that can give manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it: IDC predicts that within two years 90 per cent of global IT networks will have experienced an IoT-based data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, the altering of corporate business operations, and the extension of cyberattacks to physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons: it is cheaper and far more accessible to small nation-states, and it lets them pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or a non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one, and as the whole world gets connected it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a back seat to potentially more destructive tactics: computer code attacking the companies and infrastructures that society relies on, including electric grids and oil and gas pipelines.
It was estimated that the first online murder would happen in 2014. As far as I know it did not, but I think an online murder is likely to happen in 2015: the tools for it are available, and a cyber-murder could happen without us ever knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. There are still application stores in which it is relatively easy to publish malicious apps, and within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected, encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner”, mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include advances in encryption, digital currencies, biometrics, NFC, Bluetooth, QR codes and even data transfer over sound waves. There will also be products marketed to prevent the different kinds of threats the new technologies can introduce.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks succeed because they are well disguised, blend different techniques, and constantly evolve. You need layered security, and not just for networks. Use a layered security architecture that combines defenses in ways attackers don’t expect and that continuously evolves its protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well (start with email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (the SANS critical controls, ISO/IEC 27002, the NIST Cybersecurity Framework and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property, and the more of a control you can automate, the better off you will be. Moving towards an adaptive, automated way of applying intelligence based on behavior and heuristics is clearly the right direction for making controls more actionable and relevant. Threat intelligence is needed from a variety of sources (security companies, governments and the open source community). Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
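The automation this paragraph argues for, as an added example that is not part of the original post: a small matcher that loads an indicator feed (the same type, value and source fields a STIX/TAXII or CSV feed boils down to, here as a constructed Python list) and runs it over a handful of constructed proxy, DNS and anti-virus log lines. The indicator values are documentation addresses and the SHA-256 of an empty file rather than real intelligence, and the log line layout is an assumption for the sake of the example. Note the domain matching: a feed entry for bad.example must catch cdn.bad.example but not notbad.example, which a naive substring check gets wrong.

```python
"""Automated control: match a threat-intelligence feed against log lines.

Added example, not part of the original post. The feed and logs are
constructed; the values are documentation addresses and a well-known
test hash, not real indicators.
"""
import ipaddress
import re

# Constructed feed. STIX/TAXII, CSV or JSON feeds all reduce to these fields.
INDICATOR_FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "source": "isac-feed"},
    {"type": "domain", "value": "bad.example", "source": "vendor-x"},
    {"type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "community"},  # SHA-256 of an empty file, used as a stand-in
]

# Constructed sample log lines (assumed proxy, DNS and anti-virus formats).
SAMPLE_LOGS = [
    "2015-01-07T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.7 url=http://203.0.113.7/update.bin",
    "2015-01-07T10:01:03Z dns query=cdn.bad.example type=A client=10.0.0.5",
    "2015-01-07T10:01:09Z proxy src=10.0.0.9 dst=198.51.100.20 url=http://www.example.com/",
    "2015-01-07T10:02:00Z av host=ws17 file=update.bin sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2015-01-07T10:02:30Z dns query=notbad.example type=A client=10.0.0.5",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def index_feed(feed):
    """Normalise the feed into per-type lookup sets. Malformed entries raise,
    so a broken feed record cannot silently disable matching."""
    index = {"ipv4": set(), "domain": set(), "sha256": set()}
    sources = {}
    for ind in feed:
        kind, value = ind["type"], ind["value"].strip().lower().rstrip(".")
        if kind not in index:
            raise ValueError("unsupported indicator type: %r" % kind)
        if kind == "ipv4":
            ipaddress.IPv4Address(value)  # raises on garbage
        elif kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
            raise ValueError("bad sha256 indicator: %r" % ind["value"])
        index[kind].add(value)
        sources[(kind, value)] = ind["source"]
    return index, sources


def domain_hit(host, domains):
    """Return the feed domain that host equals or is a subdomain of, else None.
    Matching is label-wise, so notbad.example does not match bad.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_logs(lines, feed):
    """Return one hit per (line, indicator) pair, in line order."""
    index, sources = index_feed(feed)
    hits = []
    for number, line in enumerate(lines, 1):
        seen = set()
        for ip in IPV4_RE.findall(line):
            if ip in index["ipv4"]:
                seen.add(("ipv4", ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in index["sha256"]:
                seen.add(("sha256", digest.lower()))
        for host in HOST_RE.findall(line):
            match = domain_hit(host, index["domain"])
            if match:
                seen.add(("domain", match))
        for kind, value in sorted(seen):
            hits.append({"line": number, "type": kind, "value": value,
                         "source": sources[(kind, value)], "log": line})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, INDICATOR_FEED):
        print("line %d: %s %s (source %s)"
              % (hit["line"], hit["type"], hit["value"], hit["source"]))
```

On the sample input the scan reports three hits (the proxy line to the feed IP, the DNS lookup of a subdomain of the feed domain, and the anti-virus line with the feed hash in upper case) and nothing for the look-alike notbad.example query. Keeping the source of each indicator in the hit is what lets an analyst judge how much to trust it, which matters when feeds from vendors, governments and the community are mixed.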
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics, and more.
Today the major players are embracing end-to-end encryption, and about 50% of web traffic is already carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority, backed by big names on the internet including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting in summer 2015. This will make it even easier to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean a warning pops up when people visit a site that uses only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache will fall on website operators, who will feel forced to migrate unencrypted HTTP websites to HTTPS.
You can’t trust that the normal web security technologies will guarantee safety, and your HTTPS traffic will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all problems. The increased use of HTTPS has made life harder for IT departments, because a normal firewall cannot look inside encrypted HTTPS packets and therefore cannot block the security threats carried within them. Some corporate firewall arrangements can intercept HTTPS traffic: they perform a kind of man-in-the-middle attack, decrypting and re-encrypting the packets on the way, which works only because the client machines are configured to trust the interception proxy’s certificate authority. So SSL communications can be intercepted and read by anyone who controls a CA the client trusts, and an unexpected certificate warning in the browser should never be clicked through.
3,110 Comments
Tomi Engdahl says:
Ashley Madison keeps calm, carries on after hackers expose lives of millions of its users
ALM seemingly unconcerned about families of cheaters
http://www.theregister.co.uk/2015/08/19/ashley_madison_analysis/
Infidelity website Ashley Madison has pledged to continue operations after hackers leaked its customer database online.
The Impact Team, which claimed responsibility for the hack on Ashley Madison and sister site Established Men, have made good on their threat to publish compromising information on millions of people.
Around 9.7 GB of customer data were released on a dark web (.onion) site on Tuesday night. This information included sexual preferences, (stated) weight, addresses, GPS locations, card payment histories, phone numbers, dates of birth and more. More than 36 million names featured in the leak, which has already become available through BitTorrent.
More than 90 per cent of the accounts belong to men.
The data appears legit, because examples of throw-away email addresses used only on the site have turned up on the dump, among other factors. The depth and breadth of the leak is, if anything, worse than feared when the original news of the breach broke last month.
“Perhaps even more embarrassing for ALM and Ashley Madison is the disclosure of the fact that a significant proportion of users on the site are fake, bringing into question the credibility of the website as a whole,” he added.
ALM added that it has hired independent forensic experts and other security professionals to “assist with determining the origin, nature, and scope of this attack.” Several police agencies – including the Royal Canadian Mounted Police, the Ontario Provincial Police, and the US Federal Bureau of Investigation – have launched investigations into the attack.
Tomi Engdahl says:
Cybercrime forum Darkode returns with security, admins intact
Revived invite-only site has cleared out snitches, will rely on blockchain authentication
http://www.theregister.co.uk/2015/07/28/darkode_returns/
Crime forum Darkode has relaunched with renewed security two weeks after it was obliterated in a global police raid that shut down the site and saw members arrested.
The English-speaking forum, established in 2007, was a major player in the cybercrime underground where vetted members could buy and sell zero days, trojans, and credit card numbers.
The site was eliminated earlier this month under the FBI and European Cybercrime Centre Operation Shrouded Horizon which netted at least 28 users and administrators from 20 countries, including the UK, the US, and Australia.
Now the site appears to be back with renewed vigour.
“It appears the raids focused on newly added individuals or people that have been retired from the scene for years,” Sp3cial1st says.
Tomi Engdahl says:
“There are three main reasons for making Firefox run content in a separate process: performance, security, and stability,” Bamberg says. “The goal is to reduce ‘jank’ — those times when the browser seems to briefly freeze when loading a big page, typing in a form, or scrolling.
Source: http://www.theregister.co.uk/2015/06/18/firefox_electrolysis/
Tomi Engdahl says:
Hackers exploiting wide-open Portmap to amp up DDoS attacks
Careless net admins leave systems with cleartext trousers down
http://www.theregister.co.uk/2015/08/19/portmap_ddos_threat/
Security watchers have warned about a new class of DDoS amplification attack threat which only exists because too many users are failing to follow basic safeguards.
Improperly configured services such as DNS or Network Time Protocol (NTP) have been exploited to launch a string of DDoS attacks over the last couple of years, the most high-profile of which battered Spamhaus and buffeted internet exchanges back in March 2013. Over recent weeks, another service – Portmap – has become a vector of DDoS attacks, US-based carrier Level 3 warned.
Attacks using the technique and monitored by Level 3 last week focused on gaming, hosting and internet infrastructure verticals.
Unlike DNS and NTP, Portmap has no business being exposed on internet-facing systems. Disabling or blocking internet-facing Portmap services using firewalls is trivial, but too many net admins have overlooked this well-understood practice, creating a resource which hackers can abuse.
Tod Beardsley, security engineering manager at Rapid7, the firm behind Metasploit, commented: “Portmap (port 111/UDP) used to be a common service on many UNIX-like distributions, including Linux and Solaris. To hear that it’s part of a ‘new DDoS’ attack is very disorienting, as Portmap attacks are by no means new.”
Portmap can still be useful in private, internal networks, but the technology is cleartext and essentially unauthenticated.
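To see why an exposed Portmap works as an amplifier, here is an added example (mine, not code from The Register, Level 3 or Rapid7) that builds the 40-byte ONC RPC PMAPPROC_DUMP request an attacker would send with the victim’s address forged as the source, parses the mapping list a responder returns, and reports the byte amplification. The reply is constructed from a plausible rpcinfo table rather than captured; the programme numbers and ports in that table are assumptions.

```python
"""Portmap (rpcbind) DUMP probe and amplification-factor calculation.

Added example for the Portmap DDoS item above; not code from The Register,
Level 3 or Rapid7. The reply used below is constructed, not captured.
"""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
RPC_CALL, RPC_REPLY, RPC_VERSION = 0, 1, 2
MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 0, 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_dump_request(xid=0x5A5A5A5A):
    """ONC RPC v2 CALL for PMAPPROC_DUMP with AUTH_NULL credential and
    verifier: 40 bytes, no arguments, nothing that authenticates the sender."""
    return struct.pack("!10I", xid, RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS,
                       PMAPPROC_DUMP, AUTH_NULL, 0, AUTH_NULL, 0)


def build_dump_reply(xid, mappings):
    """What a responder sends back: an accepted reply followed by a pmaplist,
    each entry (value_follows, prog, vers, prot, port), terminated by a 0 word."""
    reply = struct.pack("!6I", xid, RPC_REPLY, MSG_ACCEPTED, AUTH_NULL, 0, SUCCESS)
    for prog, vers, prot, port in mappings:
        reply += struct.pack("!5I", 1, prog, vers, prot, port)
    return reply + struct.pack("!I", 0)


def parse_dump_reply(data):
    """Return (xid, [(prog, vers, prot, port), ...]) from a DUMP reply."""
    xid, mtype, rstat, _vflavor, vlen, astat = struct.unpack_from("!6I", data, 0)
    if mtype != RPC_REPLY or rstat != MSG_ACCEPTED or astat != SUCCESS:
        raise ValueError("not a successful RPC reply")
    offset = 24 + ((vlen + 3) & ~3)  # skip the verifier body (XDR pads to 4 bytes)
    mappings = []
    while True:
        (follows,) = struct.unpack_from("!I", data, offset)
        offset += 4
        if follows == 0:
            break
        mappings.append(struct.unpack_from("!4I", data, offset))
        offset += 16
    return xid, mappings


def amplification_factor(request, reply):
    """Bytes the victim receives per byte the attacker has to send."""
    return len(reply) / len(request)


# Constructed table resembling `rpcinfo -p` on a Linux NFS server (assumed values).
SAMPLE_MAPPINGS = (
    [(100000, v, p, 111) for v in (2, 3, 4) for p in (IPPROTO_TCP, IPPROTO_UDP)]      # portmapper
    + [(100024, 1, p, 32768) for p in (IPPROTO_UDP, IPPROTO_TCP)]                       # status
    + [(100021, v, p, 32769) for v in (1, 3, 4) for p in (IPPROTO_UDP, IPPROTO_TCP)]   # nlockmgr
    + [(100005, v, p, 20048) for v in (1, 2, 3) for p in (IPPROTO_UDP, IPPROTO_TCP)]   # mountd
    + [(100003, v, p, 2049) for v in (2, 3, 4) for p in (IPPROTO_TCP, IPPROTO_UDP)]    # nfs
)


def probe(host, timeout=2.0):
    """Live check from outside your network: the mapping list if the host
    answers DUMP on UDP/111 (so it is usable as an amplifier), None if not."""
    request = build_dump_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 111))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    xid, mappings = parse_dump_reply(data)
    if xid != struct.unpack("!I", request[:4])[0]:
        raise ValueError("xid mismatch: reply does not belong to our request")
    return mappings


if __name__ == "__main__":
    req = build_dump_request()
    rep = build_dump_reply(0x5A5A5A5A, SAMPLE_MAPPINGS)
    print("request %d bytes, reply %d bytes, amplification %.1fx"
          % (len(req), len(rep), amplification_factor(req, rep)))
```

With the 26-entry table the 40-byte request draws a 548-byte reply, a factor of about 13.7, and every extra registered programme adds 20 bytes to what the victim receives. The amplification exists because the call is a single UDP datagram with no handshake and no credential, so its source address can be forged. `rpcinfo -p <host>` run from outside the network is the same check; the fix is to block UDP and TCP 111 at the edge, or not to run rpcbind on internet-facing hosts at all.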
Tomi Engdahl says:
Linux Foundation CII announces best practice badge programme
Like a Blue Peter badge, but one you helped make earlier
http://www.theinquirer.net/inquirer/news/2422659/linux-foundation-cii-announces-best-practice-badge-programme
THE CORE INFRASTRUCTURE INITIATIVE (CII) has announced plans to involve the community in securing open source software.
The CII, which is run by the Linux Foundation, was formed as a joint venture by the technology sector after the Heartbleed palaver last year, primarily as a curator of the OpenSSL protocol, but at a wider level to look at overall software security standards.
Today, it has announced a badge programme, inviting interested parties to contribute on the criteria used to determine the security, quality and stability of open source software.
The first draft of the criteria is already up on GitHub spearheaded by David Wheeler, coordinator of the CII Census Project.
The badge programme is described as a “secure open source development maturity model” and will allow developers to certify software with a best practices badge against common standards, such as attention to quality, security and knot-tying. No wait, that’s the Boy Scouts.
The announcement explains: “Virtually every industry and business leverages open source, and is therefore more connected and dependent on it than ever before. Despite its prevalence, trying to quickly determine the best maintained and most secure open source to use is a complex problem for seasoned CIOs and nimble developers.
“The self-assessment, and the badges that will follow, are designed to be a simple, fairly basic way for projects to showcase their commitment to security and quality. The criteria is also meant to encourage open source software projects to take positive steps with both in mind and to help users know which projects are taking these positive steps.”
Tomi Engdahl says:
Damian Saunders, EMEA CEO of Black Duck Software, told The INQUIRER earlier this month that the CII was formed after it was discovered that the OpenSSL standard was being maintained by “two guys named Steve”.
Black Duck on open source, Heartbleed and the growing complexity of stuff
Interview Firm talks about the importance of forward planning
http://www.theinquirer.net/inquirer/feature/2422047/black-duck-on-open-source-heartbleed-and-the-growing-complexity-of-stuff
AS MORE AND MORE CUSTOMERS move towards open source solutions in the enterprise, the question arises as to who is keeping the code pool safe and risk free.
The beauty of an open source environment is the freedom and openness that it brings, but by definition, this represents a Wild West frontier with no-one there to act as sheriff.
Enter Black Duck Software, set up in 2002 not as an anti-malware tool or a security outfit, but as a ‘curator’ of the open source infrastructure. As well as providing a gigantic database of code, based on safety, reliability and reputation of contributor, the company also provides consulting services to some of the largest IT companies in the world, actually helping to create open source policy.
It’s not a new idea, but in a software-defined future it becomes more important than ever.
“This is what some years ago people talked about as ‘secure-by-design’ in hardware, but this time it has software in its sights. When you don’t take this approach, it’s a bit like when you build a house, realise there is something wrong with the foundations and have to take half the house down to fix it. It’s better if you constantly test the house as you build it to make sure you don’t find anything,” he said.
“Heartbleed was the poster child of awareness of security around open source, but it also revealed to us what we refer to as operational risk. Security vulnerabilities are evident in open source, the same way they are in commercial software, maybe even more so because of the sheer volume of code out there.
“But when we started to dig into the cause, the truth was operational – OpenSSL was supported by two guys named Steve (!) and yet it was incorporated into some of the biggest e-commerce platforms, content delivery systems, websites, mission-critical assets,” explained Saunders.
“The reality is that we all trusted OpenSSL without looking after it. What no-one had noticed is that the supportability wasn’t there – these two guys weren’t getting paid in the same way as commercial developers, they were trying to keep the contributions going and the peer review levels high. But at the end of the day it was still an under-resourced, under-funded project. Which brings me back to my point that, when it comes to cyber security, it’s about prevention, not cure.”
Tomi Engdahl says:
The £200 device that could steal your bank PIN
http://www.pressat.co.uk/releases/the-200-device-that-could-steal-your-bank-pin-a69640715056e6f8a7330376af293322/
The increasing availability of cheap thermal imaging equipment – once the sole preserve of only the best-equipped attacker – is creating an ever-increasing risk to push-button security devices. Using a readily available iPhone accessory costing less than £200, Sec-Tec tested a wide range of push-button security devices, including ATMs, locks and safes, and found that certain devices could leak the digits pressed by a legitimate user for over a minute after use.
Sec-Tec makes the following recommendations to limit the risk of attack:
1. The use of devices with metallic (as opposed to plastic or rubber) keys makes such attacks impossible.
2. Palming the keypad after use, even for only a few seconds, prevents attacks in the majority of cases.
Tomi Engdahl says:
Show us your security chops with the Cyber 10K challenge
Students! Security amateurs! Beat the professionals and win £10,000
http://www.theregister.co.uk/2015/08/20/show_us_your_security_chops_with_the_cyber_10k_challenge/
NCC Group has devised a lovely cyber security competition, Cyber 10K, which sees the winning contestant receive £10,000 and expert advice from the company to develop their own security solution.
The aim of the competition is to engage young people and discover hidden talent in the field of cyber security, and is open to individuals and groups, students, IT security amateurs and small technology businesses.
NCC Group is a big cheese in cyber security, with thousands of enterprise clients on its roster. The company has devised the competition to maintain the momentum in the UK’s flourishing cyber-security sector.
https://www.cyber10k.trust/
Can you solve the cyber security challenges that businesses and consumers are facing today?
Tomi Engdahl says:
UK teenager arrested over FBI crash attack
Midlands teen in big time trouble
http://www.theinquirer.net/inquirer/news/2422871/uk-teenager-arrested-over-fbi-crash-attack
A UK TEENAGER WHO APPARENTLY BOASTED about how he could hack the FBI has been arrested for an attack on the FBI, and some others.
The chap, 19-year-old Charlton Floate, was arrested in Birmingham for his online crimes, and has pleaded guilty to three charges under the Computer Misuse Act, along with a couple of charges relating to the holding of prohibited material.
“A successful attack on the FBI.gov website is regarded by hackers as the Holy Grail of hacking,” he is reported as saying. “It was this which he attempted and, indeed, achieved. He was the person who instituted such attacks and assembled the tools and personnel for doing so.”
Tomi Engdahl says:
Now Ashley Madison hackers reveal ‘CEO’s emails and source code’
Meanwhile, IBM, Cisco and HP lead the IT pack on adultery website, it seems
http://www.theregister.co.uk/2015/08/20/ashley_madison_email_dump/
Another load of internal files swiped by hackers from Ashley Madison have been leaked online – and they apparently feature the CEO’s emails and the website’s source code.
The 18.5GB leak includes, it is claimed, archives of internal company emails, including one folder labeled Noel Biderman – the chief exec of Avid Life Media, Ashley Madison’s parent.
On Tuesday, the group released a 9.6GB collection of user databases containing profiles, email addresses, fantasies, sexual preferences, etc, of as many as 36 million people who used Ashley Madison, a Tinder-for-adulterers website, and its sister site Established Men, which was set up for women to find sugar daddies. Other information, including some users’ GPS coordinates, post codes and ZIP codes, dates of birth, hashed passwords, and partial credit card numbers, was also included.
Just over 24 million accounts have valid email addresses, while 12 million do not
The leaked account databases, examined by The Register, look legitimate
Unbelievably, it appears about 100 people used .gov.uk and .police.uk email accounts to sign up for Ashley Madison accounts. Thousands more used .gov and .mil addresses in the US, and it appears hundreds used work accounts at tech giants.
Releasing the profile records was a major blow for privacy – and for the art of seduction.
Assuming the new folders do contain company emails, this latest leak could be even more damaging for Avid Life Media than the first document dump – especially if, as the TrustedSec blog notes, other miscreants find vulnerabilities in the leaked code and exploit them to infiltrate the web biz.
But, as we’ve seen in the case of the Sony hack, The Hacking Team takedown, and Anonymous’ attack against HB Gary Federal, internal company emails can be very damaging to a company’s reputation. People writing internal emails often say things they wouldn’t be caught dead uttering in public and there are all kinds of juicy nuggets that are let slip.
And it begins: Ashley Madison bonk-seekers urged to lawyer up
Class-action lawsuit launched, 50 people already respond, only one would give his name
http://www.theregister.co.uk/2015/08/21/ashley_madison_class_action_lawsuit/
It’s been barely 48 hours since the Ashley Madison database of millions of fling-seekers was leaked online, and already the lawsuits are flying.
The first heads in the US have already started to roll as a result of the privacy breach.
Tomi Engdahl says:
Unholy Hong Kong hackers hit evangelicals with IE 0day
Fast moving blackhats backdoor church-goers.
http://www.theregister.co.uk/2015/08/21/ie_0day_exploited_in_hong_kong_korplug/
Hackers are already using an Internet Explorer vulnerability disclosed this week to hack members of an evangelical church.
The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong, injecting a malicious iFrame that redirects the faithful to a malicious website sporting the Internet Explorer vulnerability (CVE-2015-2502).
More javascript redirections lead to the PlugX (pdf) malware landing on machines. Once running, the malware opens a back door and begins harvesting data.
“The malware has been used in a range of attacks, mainly in Asia over the past three years,” researchers say.
“The vulnerability permits remote code execution if a user views a specially crafted webpage using Internet Explorer.
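A check a web team can run for the kind of injection described in this item, as an added example that is not code from The Register or from the researchers it cites: parse a page and report every iframe that is hidden from the visitor (zero or one pixel in size, display:none or visibility:hidden, or positioned off-screen), noting when it loads from a host outside the site’s own domain. The page below is constructed and its hosts are documentation addresses; a legitimately embedded video frame is included to show that visible third-party frames are not flagged.

```python
"""Flag hidden or off-screen <iframe> tags in a page, the sort of injection
used in the watering-hole attack described above.

Added example, not code from the article or the researchers it cites. The
sample page is constructed; its hosts are documentation addresses.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe>, whatever the tag/attribute case."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

    handle_startendtag = handle_starttag  # <iframe ... /> counts too


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (px or unitless)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _hiding_reasons(frame):
    """Why a visitor would not see this frame; empty list if it is visible."""
    style = re.sub(r"\s+", "", frame.get("style", "").lower())
    reasons = []
    if (_is_tiny(frame.get("width")) or _is_tiny(frame.get("height"))
            or re.search(r"(?:^|;)(?:width|height):[01]px", style)):
        reasons.append("tiny")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden")
    if re.search(r"(?:^|;)(?:left|top):-\d", style):
        reasons.append("off-screen")
    return reasons


def suspicious_iframes(page_html, site_host):
    """Return the hidden iframes in page_html with their reasons, adding the
    source host when it is outside site_host (or a subdomain of it)."""
    parser = _IframeCollector()
    parser.feed(page_html)
    parser.close()
    site_host = site_host.lower()
    findings = []
    for frame in parser.iframes:
        reasons = _hiding_reasons(frame)
        if not reasons:
            continue  # visible frames are ordinary embeds; review them separately
        src = frame.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("third-party host " + host)
        findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed page: two legitimate embeds, then two injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Weekly bulletin</h1>
<iframe src="https://www.church.example/calendar" width="600" height="400"></iframe>
<iframe src="https://video.example.net/embed/123" width="560" height="315"></iframe>
<div><iframe src="http://203.0.113.10/load.html" width="1" height="1" style="visibility:hidden"></iframe></div>
<iframe SRC='http://198.51.100.5/a.php' style="position:absolute; left:-9999px; top:-9999px"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "www.church.example"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run against the served HTML rather than the files on disk: an injected frame is often added by a compromised theme, plugin or .htaccess rewrite and only appears in the rendered response, sometimes only for particular User-Agent strings. Frames loading from bare IP addresses or recently registered domains deserve the first look.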
Tomi Engdahl says:
Yet another Android app security bug: This time ‘everything is affected’
Google says flap over user-interface spoofing is overstated
http://www.theregister.co.uk/2015/08/20/android_multitasking_flaw/
Yet another potentially serious security flaw has been revealed in Android.
This time the problem involves the mobile operating system’s ability to run more than one app at once – as opposed to its handling of multimedia messages, which was the crux of a cyber* of vulnerabilities last month.
The latest security blunder opens the door to criminals who want to spy on device owners, steal login details, install ransomware, and so on, it is claimed.
We’re told the vulnerability can be exploited to show a spoofed user interface, controlled by an attacker, when someone starts an app: the owner will not be aware that they are typing into another program masquerading as a legit application.
“The enabled attacks can affect all latest Android versions and all apps (including the most privileged system apps) installed on the system,” warned Chuangang Ren, a security researcher from Penn State University.
The five researchers – Chuangang Ren and Peng Liu, both from the Pennsylvania State University; Yulong Zhang, Hui Xue, and Tao Wei, all from FireEye – have notified the Android team about the findings of their research.
Tomi Engdahl says:
Now Google must censor search results about Right to Be Forgotten removals
http://betanews.com/2015/08/20/now-google-must-censor-search-results-about-right-to-be-forgotten-removals/
The Right to Be Forgotten has proved somewhat controversial. While some see the requirement for Google to remove search results that link to pages that contain information about people that is “inadequate, irrelevant or no longer relevant” as a win for privacy, other see it as a form of censorship.
To fight back, there have been a number of sites that have started to list the stories Google is forced to stop linking to. In the latest twist, Google has now been ordered to remove links to contemporary news reports about the stories that were previously removed from search results. All clear? Thought not…
The Information Commissioner’s Office has ordered Google to remove from search results links to nine stories about other search result links removed under the Right to Be Forgotten rules.
Tomi Engdahl says:
Australian Cyber Security Centre uses discredited data to quantify infosec threats
The numbers are down, but Australia’s Oz Cyber Force™ says things are getting worse
http://www.theregister.co.uk/2015/07/29/australias_cyber_force_punts_discredited_data/
The cost of “cyber attacks” in Australia appears to be stabilising and the country has never been subject to an attack at the national scale, but the government’s Cyber Force™ (not its real name) is still pitching the growth of the threat.
Along the way, an old and somewhat exaggerated estimate of the cost of cyber incidents has shambled out of the grave, with the Australia Cyber Security Centre telling Australians that hacking is a billion-dollar burden on the economy.
Keen readers of footnotes will observe that the estimate that cybercrime costs us a billion has come not from a government agency, but from the hardly-disinterested Symantec’s 2013 Norton report.
As the Australian Cyber Security Centre (ACSC) report notes, “it is difficult to establish an accurate figure for the cost of cybercrime”, and Symantec surely found it so: after its 2011 data point of AU$1.8 billion was challenged, its 2012 report revised the data down to $1.6 billion, and by 2013 it had “grown” to $1.06 billion.
Tomi Engdahl says:
Three Estonians jailed for malware spree that infected 4 MILLION computers
But they said sorry before being sent down, so that’s OK
http://www.theregister.co.uk/2015/07/24/3_estonians_in_slammer_for_pwning_4_million_computers_worldwide/
Three Estonians have been sentenced to a cumulative 11 years for their cybercrime activities which infected more than four million computers with malware across more than 100 countries.
The trio were charged as part of a party of seven in 2011. That comprised six Estonians and one Russian.
At least 500,000 of the infected computers were in the US, including computers belonging to US government agencies, including NASA.
The defendants’ malware secretly altered the settings on infected computers, allowing them to digitally hijack net searches and re-route computers to certain websites and advertisements — thus earning revenue for the cybercriminals.
Prosecutors said the gang earned $14m through its activities.
Tomi Engdahl says:
Thomas Fox-Brewster / Forbes:
New Spotify privacy policy says it can collect data on location, sensors, and photos from your phone
Location, Sensors, Voice, Photos?! Spotify Just Got Real Creepy With The Data It Collects On You
http://www.forbes.com/sites/thomasbrewster/2015/08/20/spotify-creepy-privacy-policy/
Music streaming market leader Spotify has decided that it wants to know a lot more about you. It wants to be able to access the sensor information on your phone so it can determine whether you’re walking, running or standing still. It wants to know your GPS coordinates, grab photos from your phone and look through your contacts too. And it may share that information with its partners, so a whole load of companies could know exactly where you are and what you’re up to.
This has all been made apparent by a rather significant update to the Spotify privacy policy, pushed out to users today. Upon opening the Spotify app up this morning, your reporter was greeted with a request to agree to the new conditions.
Tomi Engdahl says:
Autonomous Cars In, Big Data Out In Gartner Hype Cycle
http://www.eetimes.com/author.asp?section_id=36&doc_id=1327475&
Gartner’s annual Hype Cycle is out, and IoT and autonomous cars are in this year. Big data, however, is losing some of its luster.
Just two years ago, big data was at this peak of the hype cycle. It was replaced last year by the Internet of Things, a ranking that IoT still holds in this report. Indeed, big data is nowhere to be found on the current Gartner Hype Cycle.
Additionally, the absence of any specific cybersecurity technologies from the Hype Cycle is puzzling, although “digital security” and “software-defined security” are mentioned as pre-peak areas.
Tomi Engdahl says:
Ashley Madison wide open to UK privacy lawsuits, claim lawyers
Means going to court though, in public. Mmmm?
http://www.theregister.co.uk/2015/08/21/ashley_madison_legal_woes_court_costs/
The Ashley Madison hack could cost the company millions and millions of pounds in compensation and settlements in the UK alone, according to lawyers Pinsent Masons.
Around 9.7GB of customer data from the website for people who seemingly can’t be trusted, and a sister site, were released by hackers on Tuesday night following last month’s megabreach.
This data included the sexual preferences, (stated) weight, addresses, GPS locations, card payment histories, phone numbers, dates of birth, and so much more of more than 36 million people.
Hackers from Impact Team released the data after owners Avid Life Media refused to accede to demands to shut sites marketed as offering would-be adulterers discreet hook-ups.
Tomi Engdahl says:
The Ashley Madison files – are people really this stupid?
Lots of users appear to have used work addresses
http://www.theregister.co.uk/2015/08/20/the_ashley_madison_files_are_people_really_this_stupid/
It has been a depressing and enlightening day at El Reg’s San Francisco office as we’ve been churning through the Ashley Madison databases, and a recurrent theme echoing around the room is: “How could people be so stupid?”
It’s not the cheating per se – let’s not get started on the morals of it all – but it’s clear that many of the 36 million people who signed up didn’t have the first clue about safeguarding their privacy – why put all that compromising info in the hands of one website? – and more than a few were signing up from their work addresses.
Analyzing the email addresses is fraught with dangers. Many are obviously spoofed
But we’ve done some checking up, and it’s likely that some of these work emails are legitimate. Five British police officers using their .police.uk email accounts have details that check out,
It seems astonishing that IT departments are letting sites like Ashley Madison through web filters. Having a relatively open access policy to internet use at work is all well and good – and studies suggest is helpful to productivity – but dating sites? It seems a lot of filters need to be checked again.
Even some tech savvy users of the site seem to have got caught out. There are profiles that have the GPS coordinates of people’s homes attached to them. It may well be that people set up dummy accounts but did it with apps that logged their location, unbeknownst to the user.
Ashley Madison itself comes out from this leak looking not too bad – well, apart from charging people $19 to permanently delete their accounts. Credit cards (apart from the last four digits) were not stored in an easily accessible format, and passwords were hashed using bcrypt. Some people claim to have found credit card numbers in the databases; how that happened, we don’t know. Based on experience, the internal security of the company was better than most, just not good enough.
One final point: reading through some of the profiles it’s clear that this wasn’t all just horny malcontents looking for a cheap flesh fix – although that seems to make up the vast majority.
After spending the day reading through this database I wonder how many lives are going to be ruined by this hack? How many families torn apart? How many suicides?
The Impact Team claim to be doing this for high moral reasons, but tell that to those wrenched from a family because someone got curious and stupidly signed up, or just had their email address cut’n’pasted into a profile and subsequently leaked.
Tomi Engdahl says:
Joseph Cox / Motherboard:
Ashley Madison hackers: we still have 300GB of employee emails, internal docs, some user chats and pictures, more, but will not dump all of it — Ashley Madison Hackers Speak Out: ‘Nobody Was Watching’ — For the past week, international media has reported on the hack of extramarital site Ashley Madison …
Ashley Madison Hackers Speak Out: ‘Nobody Was Watching’
http://motherboard.vice.com/read/ashley-madison-hackers-speak-out-nobody-was-watching
For the past week, international media has reported on the hack of extramarital site Ashley Madison and its parent company Avid Life Media, which has affected potentially tens of millions of site users, as well as spewed the alleged source code of the company’s products onto the dark web.
The hackers behind the breach, who call themselves The Impact Team, first released snippets of the data back in July. After nearly 30 days, they then dumped 10GB of customer information, shortly followed by another 20GB of internal data. Minutes ago, the hackers also posted a third data dump.
MOTHERBOARD: How did you hack Avid Life Media? Was it hard?
The Impact Team: We worked hard to make fully undetectable attack, then got in and found nothing to bypass.
What was their security like?
Bad. Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.
When did you start hacking them? Years ago?
A long time ago.
What other data from Avid Life Media do you have?
300GB of employee emails and docs from internal network. Tens of thousands of Ashley Madison user pictures. Some Ashley Madison user chats and messages.
What do you think about Avid Life Media’s (and CEO Noel Biderman’s) reaction?
They make $100,000,000 in fraud a year. Not very surprised they didn’t shut down. Maybe lawyers can shut them down now. They sound like politicians, cannot stop lying. They said they don’t store CC [credit card information]. Sure, they don’t store email either, they just log in every day to server and read. They had password to CC processor. We dumped from CC processor.
Will The Impact Team be hacking any other sites in the future? If so, what targets or sort of targets do you have in mind?
Not just sites. Any companies that make 100s of millions profiting off pain of others, secrets, and lies. Maybe corrupt politicians. If we do, it will be a long time, but it will be total.
Tomi Engdahl says:
Daniel Ek / Spotify Blog:
Spotify apologizes for confusion over privacy policy, clarifies that no information will be collected without explicit permission — Sorry! — We are in the middle of rolling out new terms and conditions and privacy policy and they’ve caused a lot of confusion about what kind of information we access and what we do with it.
SORRY.
https://news.spotify.com/us/2015/08/21/sorry-2/
Tomi Engdahl says:
Microsoft has no plans to tell us what’s in Windows patches
Each update is a black box, and it’s going to stay that way.
http://arstechnica.com/information-technology/2015/08/microsoft-has-no-plans-to-tell-us-whats-in-windows-patches/
Microsoft has now released three cumulative updates for Windows 10. These updates combine security fixes with non-security bug fixes, and so far, Microsoft hasn’t done a very good job of describing the contents of these cumulative updates. While the security content is quite fully described, explanations of the non-security fixes have been lacking.
Many, including your author, feel that this is undesirable and that a key part of the Windows-as-a-Service concept, in which Microsoft releases a steady stream of fixes and functional improvements, is a clear explanation of what those updates are. This is a new approach for Microsoft, and it seems like reassuring users and administrators that issues are getting fixed—and that functional changes are clearly described—should be important.
Tomi Engdahl says:
New data uncovers the surprising predictability of Android lock patterns
Like “p@$$w0rd” and “1234567”, many Android patterns are easy to guess.
http://arstechnica.com/security/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns/
The abundance of password leaks over the past decade has revealed some of the most commonly used—and consequently most vulnerable—passphrases, including “password”, “p@$$w0rd”, and “1234567”. The large body of data has proven invaluable to whitehats and blackhats alike in identifying passwords that on their face may appear strong but can be cracked in a matter of seconds.
Now, Android lock patterns—the password alternative Google introduced in 2008 with the launch of its Android mobile OS—are getting the same sort of treatment. The Tic-Tac-Toe-style patterns, it turns out, frequently adhere to their own sets of predictable rules and often possess only a fraction of the complexity they’re capable of.
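The pattern space the article says users fail to exploit, as an added example that is not part of the original comment or the Ars Technica piece: this script enumerates every valid 3x3 Android unlock pattern under the standard lock-screen rules (4 to 9 distinct dots, and a stroke may not pass over a dot that has not yet been selected) and reports how much entropy the full space actually offers.

```python
"""Enumerate valid Android 3x3 unlock patterns (added example, not from the article).

Rules modelled (the standard Android lock-screen rules):
  - a pattern visits 4 to 9 distinct dots;
  - consecutive dots are joined by a straight stroke;
  - a stroke may not pass over an unvisited dot (that dot would be selected
    instead), but it may pass over a dot that is already part of the pattern.
Dots are numbered 1..9 row by row, so 5 is the centre.
"""
import math

# Pairs of dots whose connecting stroke passes directly over a third dot.
# Key: (a, b) with a < b; value: the dot in between.
SKIPS = {
    (1, 3): 2, (4, 6): 5, (7, 9): 8,   # horizontal strokes
    (1, 7): 4, (2, 8): 5, (3, 9): 6,   # vertical strokes
    (1, 9): 5, (3, 7): 5,              # long diagonals
}


def _jump_over(a, b):
    """Return the dot a stroke from a to b passes over, or None if it passes none."""
    return SKIPS.get((min(a, b), max(a, b)))


def count_patterns_by_length():
    """Return {length: number of valid patterns} for pattern lengths 4..9."""
    counts = {n: 0 for n in range(4, 10)}

    def dfs(last, visited, length):
        # Every path of 4 or more dots reached so far is itself a valid pattern.
        if length >= 4:
            counts[length] += 1
        if length == 9:
            return
        for nxt in range(1, 10):
            if nxt in visited:
                continue
            mid = _jump_over(last, nxt)
            # Skipping over a dot is only legal if that dot is already selected.
            if mid is not None and mid not in visited:
                continue
            visited.add(nxt)
            dfs(nxt, visited, length + 1)
            visited.remove(nxt)

    for start in range(1, 10):
        dfs(start, {start}, 1)
    return counts


def total_patterns():
    """Total number of valid patterns of length 4..9."""
    return sum(count_patterns_by_length().values())


def entropy_bits(space_size):
    """Bits of entropy if every pattern in a space of this size were equally likely."""
    return math.log2(space_size)


if __name__ == "__main__":
    by_length = count_patterns_by_length()
    for n, c in by_length.items():
        print(f"{n} dots: {c:>7} patterns")
    total = total_patterns()
    print(f"total:  {total:>7} patterns ~ {entropy_bits(total):.1f} bits")
    # For scale: a 4-digit PIN space (10**4) is about 13.3 bits, a 6-digit one about 19.9.
```

The full space is a little over 18.5 bits; the predictable habits the article describes (favoured start corners, few direction changes) mean real-world patterns draw from a much smaller subset, which is why they are guessable.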
Tomi Engdahl says:
Transfer Data via YouTube
http://hackaday.com/2015/08/23/transfer-data-via-youtube/
The LVDO project (and a recent Windows fork) says it is steganography, but we aren’t quite sure it meets the definition. What it does is converts data into a video that you can transfer like any other video. A receiver that knows what LVDO parameters you used to create the video can extract the data (although, apparently, the reproduction is not always completely error-free).
The reason we aren’t sure if this really counts as steganography is that–judging from the example YouTube video (which is not encoded)–the output video looks like snow. It uses a discrete cosine transform to produce patterns.
Tomi Engdahl says:
Exclusive: Russian antivirus firm faked malware to harm rivals – Ex-employees
http://www.reuters.com/article/2015/08/14/us-kaspersky-rivals-idUSKCN0QJ1CR20150814
Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.
They said the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV (AVG.N), Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers’ PCs.
Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives.
The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said. They licensed each other’s virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google Inc’s (GOOGL.O) VirusTotal.
By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other’s work instead of finding bad files on their own.
Kaspersky Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent.
In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies.
Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky’s lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.
In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an “unknown third party” manipulated Kaspersky into misclassifying files from Tencent (0700.HK), Mail.ru (MAILRq.L) and the Steam gaming platform as malicious.
The former employees said Kaspersky Lab manipulated false positives off and on for more than 10 years, with the peak period between 2009 and 2013.
It is not clear if the attacks have ended, though security executives say false positives are much less of a problem today.
“Although the security market is very competitive, trusted threat-data exchange is definitely part of the overall security of the entire IT ecosystem, and this exchange must not be compromised or corrupted,” Kaspersky said.
Tomi Engdahl says:
Why Car Info Tech Is So Thoroughly At Risk
http://tech.slashdot.org/story/15/08/23/2353239/why-car-info-tech-is-so-thoroughly-at-risk
Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars’ security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars:
[M]anufacturers often view bugs that aren’t publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys
There is a sociopathic economic rationality to silencing researchers who come forward with bugs.
Car information security is a complete wreck — here’s why
http://boingboing.net/2015/08/23/car-information-security-is-a.html?utm_content=buffer6d5bf&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer
Sean Gallagher’s long, comprehensive article on the state of automotive infosec is a must-read for people struggling to make sense of the summer’s season of showstopper exploits for car automation, culminating in a share-price-shredding 1.4M unit recall from Chrysler, whose cars could be steered and braked by attackers over the Internet.
All complex systems have bugs. Even well-audited systems have bugs lurking in them (cough openssl cough). Mission-critical systems whose failings can be weaponized by attackers to wreak incredible mischief are deeply, widely studied, meaning that the bugs in the stuff you depend on are likely being discovered by people who want to hurt you, right now, and turned into weapons that can be used against you. Yes, you, personally, Ms/Mr Nothing To Hide, because you might be the target of opportunity that the attacker’s broad scan of IP addresses hit on first, and the software your attacker wrote is interested in pwning everything, regardless of who owns it.
The only defense is to have those bugs discovered by people who want to help you, and who then report them to manufacturers. But manufacturers often view bugs that aren’t publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.
In the computer world, the manufacturers have largely figured out that threatening researchers just makes their claims more widely known (the big exceptions are Oracle and Cisco, but everyone knows they’re shitty companies run by assholes).
The car industry is nearly entirely run by Oracle-grade assholes. GM, for example, says that your car is a copyrighted work and that researching its bugs is a felony form of piracy. Chrysler was repeatedly informed about its showstopper, 1.4M-car-recalling bug, and did nothing about it until it was front-page news. Volkswagen sued security researchers and technical organizations over disclosure of major bugs in VW’s keyless entry system. Ford claims that its cars are designed with security in mind, so we don’t have to worry our pretty little heads about them.
None of this stops bad guys from learning about the bugs in these systems — it just stops you.
Tomi Engdahl says:
Highway to hack: why we’re just at the beginning of the auto-hacking era
A slew of recently-revealed exploits show gaps in carmakers’ security fit and finish.
http://arstechnica.com/security/2015/08/highway-to-hack-why-were-just-at-the-beginning-of-the-auto-hacking-era/
Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong?
That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.
While the automakers and telematics vendors with targeted products were largely receptive to this work—in most cases, they deployed fixes immediately that patched the attack paths found—not everything is happy in auto land. Not all of the vehicles that might be vulnerable (including vehicles equipped with the Mobile Devices telematics dongle) can be patched easily. Fiat Chrysler suffered a dramatic stock price drop when video of a Jeep Cherokee exploit (and information that the bug could affect more than a million vehicles) triggered a large-scale recall of Jeep and Dodge vehicles.
And all this has played out as the auto industry as a whole struggles to understand security researchers and their approach to disclosure—some automakers feel like they’re the victim of a hit-and-run.
Tomi Engdahl says:
Hacker slaps Dolphin, Mercury browsers, squirts zero day
Not-Chrome, not-Firefox browsers popped with remote code execution.
http://www.theregister.co.uk/2015/08/24/hacker_slaps_dolphin_mercury_browsers_squirts_zero_day/
Mobile security guy Rotologix has popped two popular not-Chrome not-Firefox Android browsers, gaining the power to commit remote code execution using zero-day flaws.
The holes affect Dolphin Browser and Mercury Browser which have something in the realm of 100 million and one million installs respectively.
For comparison FireFox scores up to 500 million installs and Chrome clocks some five billion installs, or roughly the population of Earth in 1987.
Tomi Engdahl says:
Telstra News spews banking trojan after malvertising attack
Not Telstra’s fault, but not a good look for the Big T either
http://www.theregister.co.uk/2015/08/24/popped_telstra_news_spews_banking_trojan/
Australia’s dominant telco, Telstra, has been serving one of the world’s most dangerous hacking tools after its news site was infected with malvertising.
Malwarebytes researcher Jerome Segura says the attackers were likely dropping the Tinba trojan, considered to be the world’s smallest malware by file size at about 20kb and one that raids bank accounts.
“The media home page of Australia’s largest telecommunications company, Telstra, was pushing some malvertising similar to the attack we just documented on the PlentyOfFish website,” Segura says.
It is unknown and difficult to know how many, if any, users have been popped, but the best exploit kits like Nuclear compromise up to 40 percent of users who encounter them.
Tomi Engdahl says:
Ashley Madison spam starts, as leak linked to first suicide
‘Uber for private investigators’ accused of harvesting search data
http://www.theregister.co.uk/2015/08/23/ashley_madison_spam_starts_as_leak_linked_to_first_suicide/
Part of the near-inevitable wash-up from the Ashley Madison hack has begun, with people reporting getting e-mails offering to save them from embarrassment, and a possible suicide in the USA.
The misery caused by the hack is already in evidence in this report of a San Antonio city employee named in the Ashley Madison database committing suicide (the report notes that at this stage authorities are noting the association but not positively attributing the suicide to the exposure).
According to both Reddit and a Tweet from 0x1C, one of the companies that made the Ashley Madison data searchable last week, Trustify, is sending “you were on the database” e-mails.
Tomi Engdahl says:
Even ‘super hackers’ leave entries in logs, so prepare to drown in data
The 1990s called. It wants its breach classification system back
http://www.theregister.co.uk/2015/08/24/ir_briefing_even_super_hackers_leave_logs_and_relish_the_data_deluge/
Gartner: Super hackers basically don’t exist, your incident response plan sucks, and you should relish the opportunity to drown in data: such are the lessons from incident response fanatic Anton Chuvakin.
The analyst, physicist, and former director of Security Warrior Consulting gave delegates of the Gartner Security and Risk Management Conference in Sydney today a sermon on the dos-and-don’ts of security incident response.
The Gartner Vice President™ says the old school incident response model security bods are taught as tots is ineffective but sadly popular. He says while “super hackers” exist, they aren’t ghosts and everyone leaves logs.
“Super hackers practically do not exist,” Chuvakin says. “They always leave trace.”
“You should deploy more visibility tools; it’s likely you don’t have enough, even if you think you are drowning in data.
“Many think the win is not about being secure, but is about stopping the attackers. And that mindset makes it difficult to do advanced incident response.”
Chuvakin paints a red cross through the old-school response flow process of prepare, detect, contain, and eradicate, but says it should not be entirely consigned to the incident response recycling bin.
The method rather needs updating to focus on indicators of compromise and to have dedicated teams charged with handling separate and dedicated areas of a response process, the boffin says.
Tomi Engdahl says:
Underground Piracy Sites Want To Block Windows 10 Users
http://tech.slashdot.org/story/15/08/23/1231254/underground-piracy-sites-want-to-block-windows-10-users
Some smaller pirate sites have become concerned about Windows 10 systems phoning home too many hints that their users are accessing the sites. Therefore, the pirate administrators have started blocking Windows 10 users from accessing the BitTorrent trackers that the sites host.
Microsoft Wants to Block Pirated Content? Pirate Sites Ban Windows 10 Instead
http://news.softpedia.com/news/microsoft-wants-to-block-pirated-content-pirate-sites-ban-windows-10-instead-489827.shtml
The misunderstanding around Microsoft’s Services Agreement is starting to trickle into the ordinary life of regular Internet users, with scared torrent tracker admins banning or thinking of banning Windows 10 users from their sites.
Tomi Engdahl says:
Sui-Lee Wee / Reuters:
Chinese police say they have arrested about 15K people for Internet crimes, a month after launching a six-month program code-named “Cleaning the Internet”
Chinese police arrest 15,000 for Internet crimes
http://www.reuters.com/article/2015/08/18/us-china-internet-idUSKCN0QN1A520150818
Police in China said on Tuesday they had arrested about 15,000 people for crimes that “jeopardized Internet security”, as the government moves to tighten controls on the Internet.
Since taking over in 2013, President Xi Jinping has led an increasingly harsh crackdown on China’s Internet, which the Communist Party views with greater importance and acknowledges it needs to control, academics and researchers say.
Police have investigated 7,400 cases of cyber crime, the Ministry of Public Security said in a statement on its website. It did not make clear over what period the arrests were made, but referred to a case dating to last December.
Tomi Engdahl says:
New Advances in FPGA Security
http://www.eetimes.com/document.asp?doc_id=1327477&
As I mentioned in my Cyber Insecurity column a few days ago, any system is only as secure as its weakest link. In order to protect a system, we need a layered approach to secure:
The Hardware: DPA resistance, NIST-certified crypto accelerators, a secure supply chain, etc.
The Design: Bitstream (FPGAs), firmware (MCUs and SoC FPGAs), and application software, including tamper detection and protection against copying, cloning, and reverse engineering
The Data: Key storage using physically unclonable functions (PUFs), advanced crypto accelerators, DPA resistance, etc.
There is a hierarchy to potential attacks, starting at the low-cost, low-expertise high-school hacker protocol level (eavesdropping, man-in-the-middle, replay, relay, and other protocol-focused attacks), and ranging all the way to the high-cost, high-expertise semi-invasive and invasive (e.g., optical, electron microscope, focused ion beam (FIB)) and cryptographic attacks mounted by well-funded adversaries like nation states.
Between these two extremes, we find insidious non-invasive side-channel attacks, including timing, simple power analysis (SPA), differential power analysis (DPA), and differential electromagnetic analysis (DEMA). Secrets such as cryptographic keys can “leak out” via these unintended side-channels.
In the case of FPGAs, for example, if left unprotected, side-channel attacks can be used to extract secret keys by measuring power consumption during cryptographic operations like bitstream loading. A simple, readily available $400 setup can end up costing the owners and users of an unsecured system millions of dollars.
But the bottom line is that it behooves the creators of electronic, computer, and embedded systems to make the security of these systems a top priority, and the folks at Microsemi are making this much easier for the rest of us.
Tomi Engdahl says:
Two Danes face up to six years in jail for explaining how to use Popcorn Time
Another case of disproportionate punishment just because copyright is involved.
http://arstechnica.co.uk/tech-policy/2015/08/two-danes-face-up-to-six-years-in-jail-for-explaining-how-to-use-popcorn-time/
Tomi Engdahl says:
Směrť Špionam! BAN Windows 10, it SPIES too much, exclaim Russians
Nyet to Redmondian probe tentacles up our ass
http://www.theregister.co.uk/2015/08/24/win_russia_privacy_controversy/
Russian lawyers have filed a complaint calling for an outright ban – or at least tight restrictions – over the sale of Windows 10 in Russia.
The complaint to the Russian Prosecutor General’s Office argues that Windows 10 collects user information in a way that violates Russian laws. Moscow-based Bubnov and Partners contended that the collection of passwords, location data, typed texts and browsing history and the uploading of the information to Microsoft’s cloud violate Russian privacy legislation.
A Communist Party deputy in the Russian Duma (parliament), Vadim Solovyov, also called for the Prosecutor General’s Office to review Microsoft’s technology, over concerns that Windows 10 is spying on its users.
However a local IT trade group, the Russian Association for Electronic Communications, defended Microsoft’s technology. It pointed out that Windows 10 has flexible settings and argued that it doesn’t violate local privacy laws. The association has put out an advisory explaining how users can change default settings to improve privacy.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Leaked Ashley Madison emails claim CTO hacked competitor nerve.com and exfiltrated its entire user database — Leaked AshleyMadison Emails Suggest Execs Hacked Competitors — Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals …
Leaked AshleyMadison Emails Suggest Execs Hacked Competitors
http://krebsonsecurity.com/2015/08/leaked-ashleymadison-emails-suggest-execs-hacked-competitors/
Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals, but leaked emails from the company’s CEO suggest that AshleyMadison’s top leadership hacked into a competing dating service in 2012.
A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.
At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.
Troy Hunt / Troy Hunt’s Blog:
Lack of company support and tech knowledge increase anxiety for those affected by Ashley Madison hack, based on hundreds of users’ emails — Here’s what Ashley Madison members have told me — I found myself in somewhat of a unique position last week: I’d made the Ashley Madison data searchable …
Here’s what Ashley Madison members have told me
http://www.troyhunt.com/2015/08/heres-what-ashley-madison-members-have.html
Tomi Engdahl says:
Julia Smirnova / Washington Post:
Russia orders ISPs to block Wikipedia after site editors refuse to delete article; Wikimedia expects site to be blocked for most users within days
Russia’s war with Wikipedia
https://www.washingtonpost.com/news/worldviews/wp/2015/08/24/russias-war-with-wikipedia/?postshare=3741440456063397
The recent battle between Russian authorities and Wikipedia started in a village called Chyorny Yar (population: less than 8,000) in southern Russia.
A prosecutor in the village was concerned about a Wikipedia entry on charas, a form of cannabis, though the reasons are unclear. Chyorny Yar appears to have no major problems with drug abuse — and apparently no cannabis fields. According to Wikipedia, charas is a “hashish form of cannabis which is handmade in India, Lebanon, Pakistan, Nepal and Jamaica” — places far from Chyorny Yar.
The prosecutor demanded that the Russian-language Wikipedia entry be deleted. A court in the village endorsed his position in June.
Tomi Engdahl says:
Appeals Court Affirms FTC Authority Over Corporate Data-Security Practices
Challenge by Wyndham has been seen as a test of the commission’s powers
http://www.wsj.com/news/article_email/appeals-court-affirms-ftc-authority-over-corporate-data-security-practices-1440425754-lMyQjAxMTI1NDI5NDYyNzQ2Wj
WASHINGTON—Companies that fail to provide customers with reasonable protections against theft of online data can be sued by federal consumer-protection enforcers, a federal court ruled on Monday.
The Philadelphia-based Third U.S. Circuit Court of Appeals ruled the Federal Trade Commission could proceed with a lawsuit alleging hotel chain Wyndham Worldwide Corp. bore some of the responsibility for three breaches between 2008 and 2010 in which hackers allegedly stole more than 619,000 credit- and debit-card numbers.
The decision bolsters the commission’s power to police corporate cybersecurity at a time when Congress hasn’t passed comprehensive data-security legislation.
The FTC has sought to step into that void, bringing more than 50 data-security cases based on its authority to take action against unfair and deceptive business practices.
Tomi Engdahl says:
Cyber security becomes Finnish export product
Illegal data collection, network eavesdropping and denial of service attacks have become exponentially more frequent. Finnish security companies have joined forces against global cyber attacks and now also provide their expertise to Vietnam, a country whose fast economic growth creates numerous opportunities for Finnish information and cyber security solutions.
Ever-increasing cyber attacks are a constant threat to societies that depend more and more on a variety of computer networks and on their security. The governments of emerging economies have now also found an increased need to invest in national cyber security programs and solutions.
Vietnam, for example, continues to face distributed denial of service attacks aimed among other things at automated industrial production and at critical infrastructure, disrupting their continuous operation. VTT Technical Research Centre of Finland Ltd, the cyber security company Nixu Corporation and FISC, the Finnish Information Security Cluster, together provide assistance to Vietnam, which is the target of ongoing, targeted malware and various kinds of internet harassment.
Vietnam wants to develop its skills and its ability to combat these threats systematically, but it also has an urgent need for external expertise and solutions, which Finland can offer.
Vietnam is of course not the only country where Finland can offer cyber protection. The Philippines, for example, offers a market for Finnish ICT and growing security industry companies.
Source: http://etn.fi/index.php?option=com_content&view=article&id=3229:kybersuojasta-suomalaisille-vientituote&catid=13&Itemid=101
Tomi Engdahl says:
Ashley Madison is working with the FBI to find its hackers
Called the cops
http://www.theinquirer.net/inquirer/news/2418367/hackers-breach-cheaters-website-ashleymadison-in-data-debrief-encounter
Controversial dating site Ashley Madison has lined up the Federal Bureau of Investigation and the Canadian Mounted Police in order to help it seek out and identify the hackers that are causing it consternation.
The FBI and the Mounted Police are joined by the Ontario Provincial Police and the Toronto Police Services… So quite a big net has been laid out, and Ashley Madison is hoping that justice will be served.
“Regardless of the nature of the content, our customers, this company, and its employees are all exercising their legal and individual rights, and all deserve the ability to do so unhindered by outside interference, vigilantism, selective moralising and judgment. The individual or individuals who are responsible for this straightforward case of theft should be held accountable to the fullest extent of international law,” explained the firm.
Ashley Madison is facing a class action lawsuit that accuses it of not doing enough to protect personal and private information.
The class action case, from two Canadian law firms, argues that the hook-up station failed users by not protecting their information and not deleting it after a fee had been paid to ensure its deletion. The suit seeks $578m in damages.
“With such diversity of individuals, whose information was compromised through the Ashley Madison hack, you have to wonder what the lasting impact of this breach can be,” he said.
“What are the implications to the companies these individuals work for? Will these individuals give in to blackmail to betray their employer, save their marriage or relationship? What can this data, plus the information from breaches like OPM, be used for to compromise our national security or trade secrets? These are all questions employers should be asking themselves.”
“People will always be a risk to any company’s security strategy. When I was a penetration tester, I always relied on other people to gain access into an environment,” he explained.
He said that the hackers have made good on their word to release more information from the site, reporting that a huge data dump has appeared on torrent sites and made its way into the community.
“The hackers stated that, if Ashley Madison didn’t shut down, it would expose the databases and information hacked from the popular online cheating site. Today it appears that promise came true and Ashley Madison did not buckle or shut down,” he said.
Ashley Madison said that it is aware of the leak and is looking into it.
“Furthermore, we will continue to put forth substantial efforts into removing any information unlawfully released to the public, as well as continuing to operate our business.”
The firm explained that this is not “hacktivism” but “criminality” and that it hopes people will see it as that and help it track down the culprits.
The implications of the hack on the infidelity website are already bad. It puts personal information in harm’s way and it puts philandering lotharios at risk of sour moods and awkward evenings, never mind divorce courts and the resulting legal fees.
The fallout, messy and grubby as it is, is pretty fascinating, however, and shows that, wherever you go in the world, you have a strong chance of being approached for a no-strings – unless that is your thing – night in a hotel room with an otherwise legally attached stranger.
“The proclivity to cheat often goes hand-in-hand with opportunity. Those with discretionary income and freedom to travel are even more likely to stray,”
The firm is offering a free full wipe of accounts, something that it usually charges for, and has explained that, despite what the internet is saying about the hard delete, it does actually work and it will remove all evidence of wandering minds, eyes and hands.
Ashley Madison puts $377,000 bounty on hackers’ heads
http://www.cnet.com/news/ashley-madison-puts-bounty-on-hackers-heads/
Police suspect two suicides are related to the release of information stolen from the relationship-cheating website.
Amid reports that the Ashley Madison security breach may have led to suicides and extortion plots, Toronto police and the affair-arranging website are upping the ante to catch the hackers responsible for the embarrassing leak of users’ information.
To increase the chance of that happening, Ashley Madison’s parent company, Avid Life Media, offered $500,000 Canadian ($377,000) on Monday to anyone providing information leading to the arrest of those involved.
Hackers calling themselves the Impact Team first revealed in July they had stolen information from the site, including data on more than 30 million Ashley Madison patrons, who sign up with the goal of having extramarital affairs.
The cyber attackers threatened to release the embarrassing data if the website didn’t shut down. Ashley Madison refused, and so the hackers delivered on their threat last week, upending the lives of people who’d counted on the site’s confidentiality.
Tomi Engdahl says:
High-heeled hacker builds pen-test kit into her skyscraper shoes
Social engineering with very obvious assets blinds you to techno-toolkit
http://www.theregister.co.uk/2015/08/24/heeled_hacker_turns_wedges_into_concealed_pwn_weapons/
MILDLY NSFW A Chinese hardware hacker has hidden a penetration-testing toolkit into her high-heeled shoes.
The Wi-Fi-popping platforms were forged in a 3D printer, and contain compartments to smuggle hacking hardware past strict security checks in data centres and the like, to be retrieved later.
The hacker and pen-tester, who goes by the handle “SexyCyborg”, showcases the heels she dubs Wu Ying shoes, named after the famed “shadowless kick” that Chinese folk hero Wong Fei Hung used to distract opponents.
The hacker published snaps of the shoes in an Imgur gallery (somewhat NSFW) showing how a router, backup battery, and lock-picking set can be concealed from security guards while on red team penetration tests.
“With my shadowless shoes I distract the target with my upper body and they don’t see the real danger on my feet,” she writes.
SexyCyborg says “… my right shoe contains a pen testing drop box which is a wireless router running OpenWRT with a built in rechargeable battery that could either be left running inside the shoe (for war-walking, wifi sniffing and logging) or could be removed and plugged into a convenient open network jack [gaining] remote access anytime via SSH tunnel.”
Her skimpy outfit (NSFW 3D printing gallery) is also a tactical decision: “My typical clothing does not leave room to hide anything, but that’s all the more reason they would not be suspicious of me,” she says.
The Chinese hacker installed the OpenWRT firmware on a TL-MR10U router concealed in a cavity within the heel that runs Wispi and Jasager. Those tools can help the heeled hacker set up rogue access points that trick employees into punching in their enterprise credentials into fake phishing login pages.
“Wispi and pen-test drop boxes should of course only be experimented with at home for educational purposes; while it’s good to know about this stuff, always obey your local laws,”
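The drop box described above only becomes useful once it is plugged into a spare network jack and picks up a lease, which is also the moment a defender can catch it. The following is an added example, not from the Register article and not part of SexyCyborg's kit: a check that flags DHCP leases whose MAC address is not in an asset inventory. It assumes dnsmasq's lease file layout ("<expiry> <mac> <ip> <hostname> <client-id>"); the lease lines and the inventory in it are constructed for the demo, not captured from a real network, and the "OpenWrt" hostname is simply the firmware's default.

```shell
#!/bin/sh
# Added example (not from the article or the hacker's toolkit): flag DHCP
# leases that do not belong to an inventoried asset, which is how a drop box
# on a spare jack shows up. Assumes dnsmasq's lease file layout:
#   <expiry> <mac> <ip> <hostname> <client-id>
# The lease lines and inventory below are constructed, not real captures.

# Print "<mac> <ip> <hostname>" for every lease whose MAC is not inventoried.
# $1 = lease file contents, $2 = inventory (one MAC per line, any case).
rogue_leases() {
    printf '%s\n' "$1" | awk -v inv="$2" '
        BEGIN {
            n = split(inv, known, "\n")
            for (i = 1; i <= n; i++)
                if (known[i] != "") seen[tolower(known[i])] = 1
        }
        NF >= 4 && !(tolower($2) in seen) { print tolower($2), $3, $4 }'
}

# Number of rogue leases, so a monitor can alert on a non-zero result.
rogue_count() {
    rogue_leases "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample data: two known hosts and one unexpected OpenWrt device.
leases='1440500000 00:11:22:33:44:55 10.0.5.21 alice-laptop 01:00:11:22:33:44:55
1440500100 00:11:22:33:44:66 10.0.5.22 printer-3f 01:00:11:22:33:44:66
1440500200 aa:bb:cc:dd:ee:ff 10.0.5.23 OpenWrt 01:aa:bb:cc:dd:ee:ff'

inventory='00:11:22:33:44:55
00:11:22:33:44:66'

rogue_leases "$leases" "$inventory"   # aa:bb:cc:dd:ee:ff 10.0.5.23 OpenWrt
```

On a real dnsmasq host the call is `rogue_leases "$(cat /var/lib/misc/dnsmasq.leases)" "$(cat /etc/known-macs)"`; the inventory check is deliberately MAC-based and case-insensitive, because a drop box can pick any hostname but a lease always carries the hardware address the switch saw.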
Tomi Engdahl says:
Swiss watch: Cuckoo-clock cops threaten Win 10 whup-ass can pop
Silicon Valley ‘eats away at our freedom every day’
http://www.theregister.co.uk/2015/08/25/swiss_privacy_watchdog_growls_at_microsoft_and_threatens_to_get_windows_10_banned/
Switzerland’s top data cop says Microsoft has “gone too far” in abusing people’s privacy.
The Federal Commissioner for Data Protection, Jean-Philippe Walter, told Le Temps on Sunday that he was prepared to take Microsoft to court if it does not alter its privacy policy for Windows 10.
According to Walter, the installation procedure does not properly inform users about the scope of the default settings. In France, the data protection authority CNIL issued public advice on how to set up privacy controls for Windows 10 earlier this month, but CNIL’s Swiss counterpart is feeling more combative.
“If necessary, we will issue a recommendation,” he warned – a recommendation which could be for the authorities to ban the sale of Windows 10 in Switzerland.
“They eat away at our freedom every day. If we do not respond, one day it will be too late. Some analysts expect the end of the private sphere in the next 20 years,”
Tomi Engdahl says:
Experts: Deleted online information never actually goes away
http://www.chicagotribune.com/bluesky/technology/chi-deleted-online-information-never-goes-away-20150821-story.html
The Ashley Madison hack is a big reminder to all Web users: If you submit private data online, chances are it will never fully be deleted.
The hackers, who stole the data about a month ago and then posted it online this week, claimed in a statement that part of the reason for the theft was Ashley Madison’s fraudulent promise to fully delete users’ information if they paid the company a $19 fee.
The website — whose slogan is “Life is short. Have an affair” — is marketed to people looking for extramarital relationships. It purports to have about 39 million members.
The hackers said the company failed to delete the information, even though it collected the fees. Toronto-based Avid Life Media Inc., Ashley Madison’s parent company, hasn’t commented on the hackers’ accusation. A company spokesman didn’t respond to multiple emails seeking comment.
It’s virtually impossible to exist in modern society without putting at least some personal information online. Many people can’t get through a day without using the Internet to shop, pay a bill, or check their credit card balance.
People have become accustomed to trusting their most precious personal information to companies. But they also need to know that all of that information is being shared more than they would expect, privacy experts say.
Before you hit “submit,” stop and think before giving up your personal information to any kind of website, said Michael Kaiser, executive director of the National Cyber Security Alliance, an industry-funded group that educates consumers about cybersecurity.
“Personal information is like money, and you don’t just give away your money,” Kaiser says. “In the environment we’re in right now, you have to value it and think about protecting it everywhere you go on the Internet.”
“Ashley Madison actually charges you to remove your information when you remove your account,” he says. “That’s a big clue about how they feel about your personal information.”
People also need to sometimes take a pass on convenience in the name of online security.
Many consumers like it when e-commerce sites have their credit card and other information on file, or when Web browsers automatically fill in forms with their name, address and other details, says Peter Tyrrell, chief operating officer of the data security firm Digital Guardian. Meanwhile, worries about data theft and loss have prompted companies to back up important information in multiple places.
But both practices increase the likelihood that information could be leaked or shared. And it means that even when a person thinks that their information has been permanently deleted, chances are there are still copies floating around somewhere.
“Ashley Madison is a company with a service that’s completely predicated on privacy,” Tyrrell says, adding that that characteristic sets it apart from many traditional e-commerce sites such as retailers.
Breaches, whether they be at a major retailer such as Target Corp., a health insurance company such as Anthem Inc., or Ashley Madison, have become so common that people should give some serious thought before putting personal information online, says Caleb Barlow, a vice president at IBM’s security division.
“Why are we using Social Security Numbers for both identification and access?” he questions. “Any data that can never be changed can be used for identity, but should never be used for access.”
Tomi Engdahl says:
John McAfee: Ashley Madison database stolen by lone female who worked for Avid Life Media
http://www.ibtimes.co.uk/john-mcafee-ashley-madison-database-stolen-by-lone-female-who-worked-avid-life-media-1516833
Yes, it is true. Ashley Madison was not hacked – the data was stolen by a woman operating on her own who worked for Avid Life Media. The reason that I am so late to the second act of the Ashley Madison affair is that, without a supercomputer, it has taken over a week to finish the analysis of the massive data dumps that the perpetrator has so generously provided us with.
A hacker is someone who uses a combination of high-tech cybertools and social engineering to gain illicit access to someone else’s data. But this job was done by someone who already had the keys to the Kingdom. It was an inside job.
In my first IBTimes UK article about Act One of the Ashley Madison Affair, I alleged that the group of hackers claiming responsibility for the “hack” simply did not exist. I gleaned this information from reliable sources within the Dark Web – which have yet to fail me. I also claimed that it was the act of a single person.
Any adept social engineer would have easily seen this from the wording in the first manifesto published by the alleged hacking group.
Today, I can confidently claim that the single person is a woman, and has recently worked within Avid Life Media.
How did I come to this conclusion? Very simply. I have spent my entire career in the analysis of cybersecurity breaches, and can recognise an inside job 100% of the time if given sufficient data – and 40GB is more than sufficient.
How did I discover that it was an inside job? From the data that was released, it was clear that the perpetrator had intimate knowledge of the technology stack of the company (all the programs being used). For example, the data contains actual MySQL database dumps. This is not just someone copying a table and making into a .csv file. Hackers rarely have full knowledge of the technology stack of a target.
More important, large companies are heavily departmentalised, in spite of having centralised databases. When a hacker gains access to any corporate data, the value of that data depends on which server, or sometimes a single person’s computer, that the hacker gains access to.
Any reasonable cybersecurity expert would come to the conclusion that only someone on the inside, who could easily gain all of the files through deception and guile, could have done the job.
If we include the fact that the perpetrator’s two manifestos clearly state a strong personal dislike of the VP of Information Technology
Tomi Engdahl says:
Skylake Has a Voice DSP and Listens To Your Commands
http://hardware.slashdot.org/story/15/08/24/1713205/skylake-has-a-voice-dsp-and-listens-to-your-commands
Intel’s new Skylake processor (like the Core M processor released last year) comes with a built-in digital signal processor (DSP) that will allow you to turn on and control your PC with your voice. Although the feature is not new, what is new is the availability of a voice controlled app to use it: Enter Windows 10 and Cortana.
This caused something of a freak-out among gamers, who feared Microsoft would be listening.
Skylake has a voice DSP and listens to your commands
http://www.itworld.com/article/2974590/hardware/skylake-has-a-voice-dsp-and-listens-to-your-commands.html
Tomi Engdahl says:
A Breakdown of the Windows 10 Privacy Policy
http://tech.slashdot.org/story/15/08/24/1853251/a-breakdown-of-the-windows-10-privacy-policy?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The Verge has a piece on Windows 10 privacy that presents actual passages from the EULA and privacy policy that suggest what the OS is capturing and sending back to Microsoft. The piece takes a Microsoft-friendly point of view, arguing that all Microsoft is doing is either helpful or already being done either by Google or older releases of Windows, and also touches on how to shut things off
Windows, Privacy, and You
http://www.theverge.com/2015/8/23/9191989/windows-privacy-and-you
So you got Windows 10, but now you’re worried that Microsoft is stealing your data, even when you turn most of the new features off. Let me explain.
Tomi Engdahl says:
August 21, 2015
OpenSSH 7.0 contained a logic error in PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication.
This bug is corrected in OpenSSH 7.1. For more information, please refer to the release notes
Source: http://www.openssh.com/security.html
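The advisory above means that on an OpenSSH 7.0 server PermitRootLogin=prohibit-password was not by itself a guarantee that root could not log in with a password. The following is an added example (my own check, not code from openssh.com or the OpenSSH project) that audits the effective configuration a server reports through `sshd -T` and treats only PermitRootLogin=no or PasswordAuthentication=no as a hard guarantee. It assumes the lowercase "keyword value" lines that `sshd -T` prints; the sample dumps and the version banner in it are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from openssh.com. Audits an sshd effective-config dump
# (the "keyword value" lines that `sshd -T` prints) for root password-login
# exposure. Rationale: OpenSSH 7.0's PermitRootLogin=prohibit-password could
# still accept a root password, so only PermitRootLogin=no or
# PasswordAuthentication=no is treated as a hard guarantee here.

# Value of one keyword from an sshd -T style dump (lowercase keys).
cfg_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Prints "safe" when root cannot authenticate with a password under any
# PermitRootLogin logic, "exposed" otherwise. A missing keyword is treated
# as unsafe rather than guessing the build's default.
audit_root_password() {
    dump="$1"
    prl=$(cfg_value "$dump" permitrootlogin)
    pwa=$(cfg_value "$dump" passwordauthentication)
    if [ "$prl" = "no" ] || [ "$pwa" = "no" ]; then
        echo safe
    else
        echo exposed
    fi
}

# Prints "affected" when an `ssh -V` banner names the OpenSSH 7.0 release
# line that the advisory describes, "ok" otherwise.
openssh_7_0_banner() {
    case "$1" in
        OpenSSH_7.0*) echo affected ;;
        *) echo ok ;;
    esac
}

# Constructed sample dumps (not captured from a real host).
weak_dump='permitrootlogin prohibit-password
passwordauthentication yes
pubkeyauthentication yes'
hardened_dump='permitrootlogin prohibit-password
passwordauthentication no
pubkeyauthentication yes'

echo "weak:     $(audit_root_password "$weak_dump")"       # exposed
echo "hardened: $(audit_root_password "$hardened_dump")"   # safe
echo "banner:   $(openssh_7_0_banner 'OpenSSH_7.0p1, OpenSSL 1.0.2d 9 Jul 2015')"   # affected
```

On a real host run it as root (sshd -T needs to read the host keys): `audit_root_password "$(sshd -T)"` and `openssh_7_0_banner "$(ssh -V 2>&1)"`. Upgrading to 7.1 is the fix; setting PasswordAuthentication no is the defense-in-depth choice that makes the PermitRootLogin logic irrelevant to the outcome.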