Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect further details from the NSA revelations to be published in 2015 as well. I also expect new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that these new requirements will not result in any quick change to the situation. As breach reports keep coming in constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack, and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why cyber warfare is becoming more and more attractive to small nations and terrorist groups: enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a back seat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for this to happen are available. A cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. It is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well disguised, blend different techniques and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start with email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.
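As an added example (not part of the original post), this is how indicators shared in a standard format can be consumed automatically: the block reads a constructed STIX 2.1 JSON bundle (the JSON form of STIX is assumed; the bundle, its indicator values and the proxy log lines are all made up) and matches the observables it contains against sample log lines.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed STIX 2.1 bundle with two indicators (assumed format; the addresses,
# domain and ids are made up for this example and are not real indicators).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1a2b3c-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0f1a2b3c-0000-4000-8000-000000000002",
            "created": "2015-01-01T00:00:00.000Z",
            "modified": "2015-01-01T00:00:00.000Z",
            "name": "Command-and-control address (constructed example)",
            "pattern": "[ipv4-addr:value = '203.0.113.5']",
            "pattern_type": "stix",
            "valid_from": "2015-01-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--0f1a2b3c-0000-4000-8000-000000000003",
            "created": "2015-01-01T00:00:00.000Z",
            "modified": "2015-01-01T00:00:00.000Z",
            "name": "Phishing site (constructed example)",
            "pattern": "[domain-name:value = 'login.example.invalid'] OR "
                       "[url:value = 'http://login.example.invalid/x']",
            "pattern_type": "stix",
            "valid_from": "2015-01-01T00:00:00Z",
        },
    ],
})

# One equality comparison inside a STIX pattern, e.g. ipv4-addr:value = '203.0.113.5'.
# Only the equality form is handled; other operators and nesting are deliberately ignored.
_COMPARISON = re.compile(r"([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'")


def extract_observables(bundle_json: str) -> Dict[str, Set[str]]:
    """Flatten every indicator pattern in a STIX bundle into a map of object type -> values."""
    bundle = json.loads(bundle_json)
    observables: Dict[str, Set[str]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for obj_type, _prop, value in _COMPARISON.findall(obj["pattern"]):
            observables.setdefault(obj_type, set()).add(value)
    return observables


# Constructed proxy log lines (made up for this example).
SAMPLE_LOGS = [
    "2015-01-02T10:00:01Z host=ws17 dst=198.51.100.8 url=http://example.com/",
    "2015-01-02T10:00:07Z host=ws17 dst=203.0.113.5 url=http://203.0.113.5/beacon",
    "2015-01-02T10:01:13Z host=ws22 dst=198.51.100.9 url=http://login.example.invalid/x",
]

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"https?://([^/\s:]+)")


def match_logs(observables: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, observable type, value) for every shared indicator a log line hits."""
    hits: List[Tuple[str, str, str]] = []
    ips = observables.get("ipv4-addr", set())
    domains = observables.get("domain-name", set())
    urls = observables.get("url", set())
    for line in lines:
        found: Set[Tuple[str, str]] = set()   # dedupe repeats of one value within a line
        for ip in _IPV4.findall(line):
            if ip in ips:
                found.add(("ipv4-addr", ip))
        for host in _HOST.findall(line):
            if host in domains:
                found.add(("domain-name", host))
        for url in urls:
            if url in line:
                found.add(("url", url))
        hits.extend((line, kind, value) for kind, value in sorted(found))
    return hits


if __name__ == "__main__":
    for line, kind, value in match_logs(extract_observables(SAMPLE_BUNDLE), SAMPLE_LOGS):
        print(f"HIT {kind}={value}: {line}")
```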

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
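As an added illustration (not from the original post), the check below shows what an endpoint can do about the interception described above: an intercepting proxy re-signs the server’s certificate with its own CA, which is normally installed in the OS trust store, so default TLS verification passes and only comparing the leaf certificate’s issuer against the CA you expect reveals the interception. The certificate dicts, host names and issuer names are constructed for this example; the dict shape is the one Python’s ssl.SSLSocket.getpeercert() returns.

```python
import socket
import ssl
from typing import Dict, Iterable, List, Tuple


def _rdn_value(name: Iterable[Iterable[Tuple[str, str]]], key: str) -> str:
    """Pull one attribute (e.g. organizationName) out of the nested tuples getpeercert() uses."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return ""


def check_for_interception(cert: Dict, expected_issuers: Iterable[str]) -> List[str]:
    """Return findings about a peer certificate; an empty list means it looks as expected.

    `cert` is the dict ssl.SSLSocket.getpeercert() returns after a successful (verified)
    handshake. Verification succeeding says only that *some* trusted CA signed the leaf;
    an interception appliance's CA is trusted too, so the issuer is compared to a pin.
    """
    findings: List[str] = []
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org not in set(expected_issuers):
        findings.append(f"unexpected issuer organization: {issuer_org!r}")
    san_hosts = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not san_hosts:
        findings.append("leaf certificate carries no DNS subjectAltName")
    return findings


# Constructed certificate dicts in getpeercert() shape (all values made up for this example).
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA G2"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Corp Proxy CA"),),
               (("commonName", "corp-proxy-ca"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Open a verified TLS connection and return the peer certificate dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    print("genuine:", check_for_interception(GENUINE_CERT, ["Example Public CA"]))
    print("intercepted:", check_for_interception(INTERCEPTED_CERT, ["Example Public CA"]))
    # Live use: print the issuer seen from this network, then pin the value you expect.
    live = fetch_peer_cert("www.example.com")
    print("live issuer:", _rdn_value(live["issuer"], "organizationName"))
```

Run the live part from an office network and from an outside connection; a differing issuer organization between the two is the interception the paragraph describes.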


  1. Tomi Engdahl says:

    Sexy sock puppets seduce security suckers
    Eager types ‘endorse’ LinkedIn infosec probers wearing models’ photos as avatars
    http://www.theregister.co.uk/2015/09/07/sexy_sock_puppets_seduce_security_suckers/

    Phishers have been targeting security researchers with fake LinkedIn profiles built on re-purposed photos of models and company logos, according to F-Secure hacker Sean Sullivan (@5ean5ullivan).

    The threat-finding bod said that would-be recruiters, linked to a network of phoney cryptographers and security types, were successfully gaining an entry point into infosec circles by tricking researchers into connecting with fake LinkedIn profiles under their control.

    “Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs,” Sullivan said.

    “Several of our researchers received these LinkedIn invitations themselves.”

    The scammers’ intention was unclear but assumed to be an information reconnaissance mission.

    Connecting with researcher profiles would help attackers map relationships between targets, view otherwise hidden personal information, and potentially open lines of communication through which valuable data may be disclosed.

    Cursory reverse image searches reveal the woman’s likeness had been used for many LinkedIn profiles.

  2. Tomi Engdahl says:

    Five Star Automotive Cyber Safety Program
    https://www.iamthecavalry.org/domains/automotive/5star/

    ★ Safety by Design

    Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?

    ★ Third Party Collaboration

    Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
    A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers.

    ★ Evidence Capture

    Do your vehicle systems provide tamper evident, forensically-sound logging and evidence capture to facilitate safety investigations?

    ★ Security Updates

    Can your vehicles be securely updated in a prompt and agile manner?

    ★ Segmentation and Isolation

    Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems?

  3. Tomi Engdahl says:

    Security News This Week: Turns Out Baby Monitors Are Wildly Easy to Hack
    http://www.wired.com/2015/09/security-news-week-turns-baby-monitors-wildly-easy-hack/

    This week, malware hit jailbroken (mostly Chinese) iPhones, stealing 225,000 iTunes login credentials. Leaked documents show that diplomatic officials in the Ecuadorean embassy in London considered smuggling WikiLeaks founder Julian Assange to freedom in a diplomatic bag. The FBI obtained an audio recording of an “off the record and on background” confession made by accused kidnapper Matthew D. Muller speaking with a local television reporter. And Edward Snowden pointed out that other people go to jail for what Hillary Clinton did with her email server.

    And that’s not all.

    Baby monitors are crazy easy to hack

    If the thought of a hacker turning your baby monitor into a spy cam or using it to terrorize you or your child gives you nightmares, I’ve got bad news for you. When security firm Rapid 7 tested nine widely available internet-connected baby monitors for security vulnerabilities, the results weren’t pretty. “Eight of the nine cameras got an F and one got a D minus,” security researcher Mark Stanislav told Fusion’s Kashmir Hill. Security flaws included issues such as a lack of encryption, the use of default passwords, and access to Internet portals with the device’s serial number or account number.

    Stanislav recommends Nestcam (formerly Dropcam) for security, though Hill points out that law enforcement sometimes sends search warrants for the video. Another option is a radio frequency-based baby monitor, which could only be hacked by someone intercepting the radio signal with a sniffing device outside your house, rather than everyone on the Internet.

    Netflix releases an open source tool to track XSS vulnerabilities in secondary applications

    Netflix released Sleepy Puppy, an open source tool developed in house which flags potential cross-site scripting (XSS) vulnerabilities in secondary applications.

    The U.S. Droned an Isis Hacker

    British citizen Junaid Hussain, who had been working as a hacker for the Islamic State, was killed by a U.S. drone strike while he was in a car in Raqqa, Syria.

    China and Russia are Using Hacked Data to Target U.S. Spies

    It was only a matter of time

  4. Tomi Engdahl says:

    Among the new Android phones found malware – cyber criminals or state espionage?

    The German IT security company G Data has found malware pre-installed on several new Android phones.

    These phones come from Chinese manufacturers, among others Lenovo, Huawei and Xiaomi. Infected devices have been sold both in Asia and in Europe.

    According to the G Data report (pdf), the number of new malware discovered on smartphones has increased by 25 per cent from one year ago. The company testing for malware found it on a total of 26 new phones.

    Source: http://www.tivi.fi/Kaikki_uutiset/uusista-android-puhelimista-loytyi-haittaohjelmia-taustalla-rikolliset-vai-valtiollinen-vakoilu-3482452

    G DATA
    MOBILE MALWARE REPORT
    https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_EN.pdf

  5. Tomi Engdahl says:

    Porn app took secret photos of users
    http://www.bbc.com/news/technology-34173372

    A malicious Android app that held people to ransom has been found by US security firm Zscaler.

    Adult Player appeared to offer pornography, but secretly took pictures of users with the phone’s front-facing camera.

    It then locked the user’s device and displayed a demand for $500 (£330) which was difficult to bypass.

    One security expert told the BBC that ransomware was a lucrative and growing area of cybercrime.

    In August, Intel Security said examples of ransomware had increased 127% since 2014 – primarily affecting desktop computers and laptops.

    “One of the reasons for the increase is that it’s very easy to make,” said Raj Samani, chief technology officer for Intel Security in Europe.

    “There are people you can pay to do the work for you, and it pays really well. One group we tracked made more than $75,000 in 10 weeks.

    Smutty vid app snaps pics of users, displays them, demands ransom
    And you thought it was a private moment between you and your phone
    http://www.theregister.co.uk/2015/09/08/pr0n_app_takes_blackmail_pics_ransom/

    A ransomware porn app on Android named “Adult Player” takes photos of its victims in the throes of, err, use and uploads those images on a screen, along with a ransom message.

    Security firm Zscaler detected the app, which lures victims who assume it is a pornographic video player. When the victim starts using it, the app silently takes a photo of the victim and demands $500 (£327).

    The ransom screen is designed to stay persistent even at reboot. It does not allow the user to operate the device and keeps the screen active with ransom messages, it said.

    “During the course of our daily malware hunt, we came across a new mobile ransomware variant which leverages pornography to lure victims into downloading and installing it,” said the firm.

    It is not the first time Android vulnerabilities have been exposed recently. Last month, fresh research revealed the mobile operating system’s ability to display a spoofed user interface, showing malicious apps masquerading as legit ones without any obvious cues.

  6. Tomi Engdahl says:

    Gloves on as Googler deposits foul zero day on Kaspersky lawn
    Global patch makes for laborious long weekend.
    http://www.theregister.co.uk/2015/09/08/kaspersky_0day/

    Google security man Tavis Ormandy has revealed a dangerous remote zero day vulnerability in Kaspersky kit that grants attackers system privileges.

    The bug is a remote “zero interaction” buffer overflow affecting default installation configurations of the latest anti virus software versions.

    “So, about as bad as it gets,” Ormandy says on Twitter.

    Kaspersky has promised patches will land within 24 hours of the public zero day disclosure. The company thanked Ormandy and made no mention of the public disclosure.

  7. Tomi Engdahl says:

    Time to patch your firmware! Backdoor discovered into Seagate NAS drives
    http://betanews.com/2015/09/07/time-to-patch-your-firmware-backdoor-discovered-into-seagate-nas-drives/

    If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings.

    An undocumented Telnet feature could be used to gain control of the device by using the username ‘root’ and the hardcoded default password. There are also other vulnerabilities that allow for unauthorized browsing and downloading of files, as well as permitting malicious files to be uploaded. Tangible Security says that Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL drives are affected, but there may also be others.

  8. Tomi Engdahl says:

    Law enforcement hawks want Apple in the dock over encryption
    Could ‘cuffs on Cupertino crash your crypto keys?
    http://www.theregister.co.uk/2015/09/08/law_enforcement_hawks_want_apple_in_the_dock_over_encryption/

    It would be a long shot, but US officials have told the New York Times they might still do battle with Apple over customers’ encrypted communication.

    The case in question pertains to the ongoing tug-of-war between the tech sector and the US government over the way that mathematics keeps thwarting agencies like the FBI, the Drug Enforcement Administration (DEA), the CIA and the NSA.

    The DEA first stubbed its toe on iMessage in 2013, resulting in a court order the NYT says was granted “this summer” ordering Apple to hand over iMessage conversations “in real time”.

    Apple’s response was to apparently reiterate previous statements: user messages are encrypted using asymmetric encryption, and users’ keys are held on their iThings. That arrangement renders the messages inaccessible to Apple, so whatever it were to hand over would be similarly useless to the DEA.

    There are some circumstances under which messages could feasibly be accessible to Apple.

  9. Tomi Engdahl says:

    Windows Telemetry Rolls Out
    http://yro.slashdot.org/story/15/09/07/1845214/windows-telemetry-rolls-out

    Last week came the warning, now comes the roll out. One of the most controversial aspects of Windows 10 is coming to Windows 7 and 8. Microsoft has released upgrades which enable the company to track what a user is doing. The updates – KB3075249, KB3080149 and KB3068708 – all add “customer experience and diagnostic telemetry” to the older versions.

    Windows 10 Worst Feature Now Installing On Windows 7 And Windows 8
    http://www.forbes.com/sites/gordonkelly/2015/09/06/windows-10-worst-feature-now-installing-on-windows-7-and-windows-8/

    Last week came the warning, now comes the roll out. The most criticised aspect of Windows 10 is coming to Windows 7 and Windows 8 after Microsoft released upgrades which enable the company to extensively track what users are doing. The releases bring good and bad news…

    The Bad News

    The three updates in question – KB3075249, KB3080149 and KB3068708 (which replaces KB3022345) – all add “customer experience and diagnostic telemetry” to Windows 7 and Windows 8. This is shorthand for monitoring how you use Windows and sending that data back to Microsoft HQ for evaluation.

    Worse still software specialist site gHacks, which first discovered the tracking, notes these updates will ignore any previous user preferences:

    “These four updates ignore existing user preferences stored in Windows 7 and Windows 8 (including any edits made to the Hosts file) and immediately starts exchanging user data with vortex-win.data.microsoft.com and settings-win.data.microsoft.com.”

    PCWorld also confirms gHacks’ observation that KB3075249, KB3080149 and KB3068708 all bypass user privacy settings in the Windows hosts file, so the easiest option for Windows 7 and Windows 8 users is to uninstall and then hide them.

  10. Tomi Engdahl says:

    3l33t haxxors don’t need no botnet, they just pinch passwords
    Crooks can thrive by ‘living off the land’ rather than forging elaborate schemes
    http://www.theregister.co.uk/2015/09/08/dell_secureworks_malwareless/

    Half of all breaches Dell’s SecureWorks outfit has responded to over the last year have been a result of attackers using legitimate admin tools and stolen credentials.

    Dell’s threat research unit says the “living off the land” hack tactic makes security controls that seek malware and hacking infrastructure redundant, especially when command and control infrastructure are not used or run only briefly.

    Researchers cited three recent investigations where companies had been popped using administrator credentials.

    In one case, attackers stole the network credentials of a manufacturing company staffer, which were then used to log into the corporate Citrix platform and tap internal corporate resources.

    Those crims also used the unnamed client’s Altiris software distribution platform to pivot laterally through the company’s network and yank intellectual property.

    “Detecting threat actors who are ‘living off the land’, using credentials, systems, and tools they collect along the way instead of backdoors, can be challenging for organizations that focus their instrumentation and controls primarily on the detection of malware and indicators such as command and control IP addresses, domains, and protocols,” the researchers say.

    “They will leverage legitimate remote access solutions for entry and valid system administrator tools for lateral movement, if possible.”

  11. Tomi Engdahl says:

    Hacker drops zero-day, opens FireEye fire sale
    Claims bugs fell on deaf ears
    http://www.theregister.co.uk/2015/09/08/fireeye_0day/

    US security consultants Kristian Hermansen and Ron Perris have dropped a zero day remote file disclosure vulnerability affecting FireEye kit and say they have another three flaws for sale.

    The vulnerability disclosure dropped on Exploit-DB Sunday claims the web server runs as root in some FireEye kit, among other security SNAFUs.

    In a note Hermansen says he had attempted to report the vulnerabilities over the last 18 months to FireEye without success. “[This is] just one of many handfuls of FireEye / Mandiant zero day,” Hermansen says.

    FireEye said in a statement to Vulture South that it has reached out to Hermansen and urges other researchers to report through the security bug portal.

    “This morning, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase,” it says.

  12. Tomi Engdahl says:

    Law Professor: Tech Companies Are Our Best Hope At Resisting Surveillance
    http://yro.slashdot.org/story/15/09/08/0118219/law-professor-tech-companies-are-our-best-hope-at-resisting-surveillance

    Fusion has an op-ed where Ryan Calo, Assistant Professor of Law at the University of Washington, argues Google, Apple, and Microsoft pushing back against government surveillance may be our only real hope for privacy. He writes: “Both Google and Yahoo have announced that they are working on end-to-end encryption in email. Facebook established its service on a Tor hidden services site, so that users can access the social network without being monitored by those with access to network traffic. Outside of product design, Twitter, Facebook and Microsoft have sent their formidable legal teams to court to block or narrow requests for user information. Encryption tools have traditionally been unwieldy and difficult to use; massive companies turning their attention to better and simpler design, and use by default, could be a game changer”

    http://fusion.net/story/193583/tech-companies-may-be-our-best-hope-for-resisting-government-surveillance/

  13. Tomi Engdahl says:

    Vulnerabilities In WhatsApp Web Affect Millions of Users Globally
    http://it.slashdot.org/story/15/09/08/1256231/vulnerabilities-in-whatsapp-web-affect-millions-of-users-globally

    Check Point researcher Kasif Dekel, according to NetSecurity.Org, has discovered that “to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code.”

    Vulnerabilities in WhatsApp Web affect 200 million users globally
    http://www.net-security.org/secworld.php?id=18828

    Significant vulnerabilities can exploit WhatsApp Web, the web-based extension of the popular WhatsApp application for phones.

    The exploit can allow attackers to trick victims into executing malware on their machines in a new, sophisticated way.

    Check Point security researcher Kasif Dekel found that to exploit the vulnerability, an attacker simply needs to send a WhatsApp user a seemingly innocent vCard contact card, containing malicious code. Once opened in WhatsApp Web, the executable file in the contact card can run, further compromising computers by distributing malware including ransomware, bots, remote access tools (RATs), and other types of malicious code.

  14. Tomi Engdahl says:

    Cal State data breach hits nearly 80,000 students
    http://www.latimes.com/local/lanow/la-me-ln-cal-state-data-breach-20150908-story.html

    A data breach at eight Cal State campuses exposed the personal information of nearly 80,000 students enrolled in an online sexual violence prevention course, officials said Tuesday.

    The Cal State system had hired the vendor We End Violence to provide the noncredit class on sexual harassment, which is required of all students under state law. Students who took the training with that company had their data hacked.

    Two other vendors were also providing the classes but the data of students in those classes were not compromised, Cal State spokeswoman Toni Molle said.

  15. Tomi Engdahl says:

    TorrentLocker scum have better email lists than legit devs, telcos
    Scammers hate email bounce-backs too
    http://www.theregister.co.uk/2015/09/09/torrentlocker_scum_send_better_email_than_software_devs_telcos/

    Spammers deploying the TorrentLocker ransomware are so good at targeting victims that their poison emails hit the mark more frequently than those sent by legitimate software companies and professional marketers.

    Trend Micro’s just analysed the malware in a report titled TorrentLocker Landscape: Targeting Even More Victims in Australia (PDF) and among other things finds that emails used to lure suckers into the scam “were seemingly delivered to a carefully selected address list with less than 1% sent to invalid ones [email addresses].”

    Reply
  16. Tomi Engdahl says:

    A vendor found a gold mine: body cameras fitted to police officers cut the use of force and complaints

    US police use of force has repeatedly been the subject of criticism from citizens. The Ferguson case, in which local police shot a young black man, has not eased the situation.

    However, the police department of Birmingham, Alabama, has found a way to reduce complaints about police actions: it has equipped its officers with body-worn cameras. The cameras have also made the officers more cautious.

    The cameras have reduced complaints about officers’ actions by 71 percent and reduced the police use of force by 38 percent.

    Body cameras have worked so well that the police department is considering acquiring 300 more from TASER International. The aim is that everyone in uniform wears a constantly recording camera.

    The cameras have also brought the police department another problem, even though unnecessary use of force is now significantly lower. The cameras produce data at such a pace that preserving and managing it is a challenge: petabytes of data accumulate per year.

    The police department has purchased 5 terabytes of storage from Taser’s Evidence.com, a cloud storage service built on Amazon Web Services. In just a couple of months, 1.5 terabytes of data had already accumulated.

    “The biggest problem with this system is the price of recording.”
    The cameras alone cost Birmingham around $180,000 per year.
    The analyst estimates that police departments pay Taser $25-30 per camera per month for recording.

    What makes recording important is that the videos can be used as evidence: in practice, the material must be preserved for the entire duration of criminal proceedings.

    Source: http://www.tivi.fi/Kaikki_uutiset/myyja-keksi-kultakaivoksen-poliiseille-asennetut-vartalokamerat-pudottivat-voimankayton-ja-valitukset-3482580

    Reply
  17. Tomi Engdahl says:

    Kaspersky thanks Google engineer for exposing a hole in its antivirus system
    FireEye also in the firing line after holiday weekend disclosure
    http://www.theinquirer.net/inquirer/news/2425008/kaspersky-thanks-google-engineer-for-exposing-a-hole-in-its-antivirus-system

    RUSSIAN SECURITY FIRM Kaspersky Lab has issued a thank you note to a Google engineer who found a vulnerability in its antivirus software.

    The person being thanked is researcher Tavis Ormandy, who tweeted evidence of the threat on a holiday weekend in the US and described it as being a very bad thing indeed.

    “It’s a remote, zero interaction system exploit in default config. So, about as bad as it gets,” he said.

    Reply
  18. Tomi Engdahl says:

    Google lets CAPTCHA-busters back into Play digital bazaar
    Premium SMS abuse gate thwarted.
    http://www.theregister.co.uk/2015/09/09/captcha_sweat_shop_popping_malware_rips_250k_from_android_fans/

    CAPTCHA-busting malware wormed its way into apps hosted on Google Play, reaping up to US$250,000 from infected victims.

    So says BitDefender which has fingered the “MKero.A” malware as the source of the attack and says it spread across European social networks late last year, hitting Russians hardest, before being turfed out of app stores.

    The trojan was woven into legitimate games and has since incorporated sufficient anti-analysis techniques that it again slipped past Google’s Bouncer security defences and into the devices of those who downloaded it.

    Once installed, BitDefender researchers say, the malware operates stealthily: users don’t know it’s there.

    Once the malicious app runs it pings command and control servers and signs users up to premium SMS subscriptions. To do that, it needs to crack the CAPTCHAS that such services use to prevent bogus sign-ups.

    App actors pay about half a cent for CAPTCHAs to be cracked, thereby disarming premium text services’ most common tool to prevent abuse.

    To do this it uses the image-to-text human slave recognition service antigate.com, a service heavily promoted in cybercrime sites that charges up to $1 for 1000 CAPTCHAS to be solved and pays workers about 35 cents for the work.

    It has found great success. Two trojanised apps have been downloaded 100,000 and 500,000 times each “raising the potential victim count to staggering numbers” according to BitDefender researchers.

    “The total financial losses could amount to a staggering $250,000 purely from the minimum $0.05 charge by subscribed SMS messages,”

    Reply
  19. Tomi Engdahl says:

    Proposed MAC Sniffing Dongle Intended To Help Recover Stolen Electronics
    http://yro.slashdot.org/story/15/09/08/1638238/proposed-mac-sniffing-dongle-intended-to-help-recover-stolen-electronics

    An anonymous reader writes to say that an Iowa City police officer is developing a new concept to help police find more stolen property. The Gazette has a short report that officer David Schwindt, inspired by a forensics class, is working on L8NT, a specialized wireless dongle to help police officers locate stolen electronics (any of them with wireless capabilities and a MAC address, at least) by scanning for MAC addresses associated with stolen goods. The idea is to have police scan as they drive for these MAC entries, and match them against a database.

    The article notes a few shortcomings in this concept, but does not point out an even bigger one: MAC addresses are usually mutable

    Iowa City officer develops software to find stolen Wi-Fi-enabled devices
    L8NT can be used on squad car laptop
    http://www.thegazette.com/subject/news/public-safety/iowa-city-officer-develops-software-to-find-stolen-wi-fi-enabled-devices-20150907

    Next month, an Iowa City police officer will introduce technology at the International Association of Chiefs of Police Conference in Chicago that could help law enforcement recover Wi-Fi-capable devices.

    David Schwindt said his software product, L8NT — which stands for latent analysis of 802.11 network traffic — won’t be used to find the occasional stolen iPod or laptop, but instead will help police solve bigger cases.

    “I foresee law enforcement using L8NT software to solve higher-level crimes,” said Schwindt, a 14-year veteran of the department.

    “If your cellphone is stolen from a bar … that’s not necessarily what L8NT is intended for. But, if your home is burglarized and your cellphone is stolen, now, as a police chief, I’m interested” in that technology.

    Schwindt’s product — which is software that operates through a thumb drive-sized antenna that plugs into a squad car laptop’s USB port — works by searching for media control access, or MAC, addresses from a database of known stolen items.

    MAC addresses are unique to individual Wi-Fi-enabled devices such as laptops, smartphones and gaming systems.

    Law enforcement officers using L8NT would plug the USB device into their in-car laptops. The device would scan MAC addresses, looking for matches to known stolen items. The device has a range of about 300 feet and can be attached to a directional antenna to allow police to determine where the signal is coming from and obtain a warrant.

    Reply
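    Added example, not part of the Slashdot post or of L8NT: a small Python check showing why an over-the-air MAC match is weak evidence, using the IEEE locally-administered bit that address-randomizing devices set. The stolen-device list and observed addresses are constructed sample values.

```python
"""Why matching observed Wi-Fi MAC addresses against a stolen-device list
(the L8NT idea) is weak evidence: the address is mutable, and modern
devices routinely randomize it.

Added example, not L8NT code.  STOLEN and OBSERVED are constructed values.
"""
import re
from typing import Dict, List, Tuple

# The first octet of a MAC carries two IEEE 802 flag bits:
#   0x01  I/G  group (multicast) address, never a device identity
#   0x02  U/L  locally administered, i.e. set by software, not burned in
MULTICAST_BIT = 0x01
LOCAL_BIT = 0x02


def normalize_mac(text: str) -> str:
    """Canonical lower-case colon form; raise ValueError on malformed input."""
    hexdigits = re.sub(r"[:\-.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_multicast(mac: str) -> bool:
    return bool(first_octet(mac) & MULTICAST_BIT)


def is_locally_administered(mac: str) -> bool:
    return bool(first_octet(mac) & LOCAL_BIT)


def classify_observed(mac: str, stolen: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, detail) for one address seen over the air.

    `stolen` maps canonical MAC -> case id.  A match on a burned-in
    address is still only a lead: anyone can set that address on a NIC.
    """
    mac = normalize_mac(mac)
    if is_multicast(mac):
        return ("ignore", "group address, not a device identity")
    if mac in stolen:
        if is_locally_administered(mac):
            return ("weak-hit", f"case {stolen[mac]}: listed address is "
                                "locally administered, trivially set by anyone")
        return ("hit", f"case {stolen[mac]}: matches a burned-in address "
                       "(still spoofable, treat as a lead only)")
    if is_locally_administered(mac):
        return ("randomized", "locally administered: a stolen device with "
                              "MAC randomization on looks exactly like this")
    return ("no-match", "")


def scan(observed: List[str], stolen: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Classify every observed address against the stolen-device list."""
    db = {normalize_mac(k): case for k, case in stolen.items()}
    return {normalize_mac(m): classify_observed(m, db) for m in observed}


# Constructed sample data (not real cases or real devices).
STOLEN = {"00-1A-2B-3C-4D-5E": "2015-0042",   # burned-in address on record
          "02:00:00:aa:bb:cc": "2015-0077"}   # locally administered: weak record
OBSERVED = ["00:1a:2b:3c:4d:5e",   # matches case 2015-0042
            "DA:A1:19:12:34:56",   # randomized-looking, U/L bit set
            "01:00:5e:00:00:fb",   # IPv4 multicast (mDNS), ignore
            "02:00:00:aa:bb:cc",   # matches, but the listed address is software-set
            "a4:5e:60:11:22:33"]   # universal address, no match

if __name__ == "__main__":
    for mac, (verdict, detail) in scan(OBSERVED, STOLEN).items():
        print(f"{mac}  {verdict:10s} {detail}")
```

    The verdicts show the two failure modes the Slashdot comment points at: a stolen device with randomization enabled never matches at all, and any "hit" can be manufactured by setting the address on another card.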
  20. Tomi Engdahl says:

    Microsoft in SaaS-y cloud data security slurp
    Cloud DLP and audit concern Adallom lets Redmond hug it into new phase of existence
    http://www.theregister.co.uk/2015/09/09/microsoft_in_saasy_cloud_security_slurp/

    Microsoft has acquired cloud security outfit Adallom.

    Adallom was founded in 2012 and follows the “R&D in Israel, sales in Silicon Valley” template for a range of data security products for clouds. The company’s wares bring data loss prevention and reporting to cloud storage services, offering users the chance to see just who’s accessed what data and to set policies to control that sort of thing.

    Microsoft says it acquired the company because it “expands on Microsoft’s existing identity assets, and delivers a cloud access security broker, to give customers visibility and control over application access as well as their critical company data stored across cloud services.”

    Reply
  21. Tomi Engdahl says:

    Wikipedia founder backs site’s systems after extortion scam
    http://www.theguardian.com/technology/2015/sep/06/wikipedia-founder-backs-sites-systems-after-extortion-scam

    Jimmy Wales says system is secure after users posed as senior editors and demanded payment from businesses

    The founder of Wikipedia, Jimmy Wales, has spoken out in defence of the online encyclopedia’s systems for detecting and dealing with abuse for the first time since an extortion scam was uncovered, which led to hundreds of Wikipedia editor accounts being blocked.

    Wales said the blocking of 381 Wikipedia editor accounts for “black hat” editing as part of an attempt to extort money from people and businesses was proof that the site’s systems for detecting and dealing with abuse were working.

    Wales said: “We’ve seen coordinated editing and attempts to do paid advocacy, but we’ve not seen it be so bluntly dishonest in trying to deceive the victims.”

    More than 200 Wikipedia articles created by deceptive accounts, known as sock puppets, were removed after a network of deceptive accounts was found to be approaching businesses and individuals and demanding payment to create pages about them and then protect them from being negatively edited – while pretending to be senior Wikipedia editors.

    Wales said: “It was the result of an investigation into some suspicious behaviour uncovered by the community, which was followed up on to figure out what was going on. And we solved the problem by banning this cluster of accounts. For us, it’s a validation of how we do things: how it’s supposed to work.”

    Reply
  22. Tomi Engdahl says:

    Roll up, roll up, for the latest bout in Microsoft versus the Feds
    Court to hear arguments in the battle for those pesky Irish emails
    http://www.theregister.co.uk/2015/09/09/roll_up_roll_up_latest_bout_in_microsoft_versus_the_feds/

    An appeals court in New York will hold an oral hearing in the Feds vs Microsoft battle today, with the so-called Microsoft warrant case having been dragging on for nearly two years, as the tech giant resists efforts to force it to hand over customer emails stored in its Irish data centre.

    The American Justice Department wants the emails as part of a drug-trafficking investigation, and judge Loretta Preska ruled in July 2014 that Microsoft should hand them over regardless of where they are stored because it has “control over” them.

    However, Microsoft maintains that the data is secured under EU data protection laws.

    Part of the problem is that an existing international agreement would have allowed the US to contact the Irish authorities to gain access to the emails through legal means via a Mutual Legal Assistance Treaty (MLAT).

    But, to the Irish government’s annoyance, the American court instead decided to cut Ireland out of the equation.

    Reply
  23. Tomi Engdahl says:

    The “Executive” IT Security Problem – Lessons Learned from Hillary Clinton
    http://www.securityweek.com/executive-it-security-problem-lessons-learned-hillary-clinton

    Executives have always been privileged users. As security practitioners we tend to think of privileged users as those administrators with outsized access to sensitive information, necessitated by their role in keeping IT services running, presenting risk that requires dedicated mitigation efforts. But when we consider the access rights that executives have to sensitive information, and the authority they wield, we find hidden risk that may not be fully appreciated.

    This is evident in the recent revelations of a private email server used by Hillary Clinton during her tenure as Secretary of State. In the ultimate example of shadow IT, she and her staffers took it upon themselves to stand up an IT service, hosted in her own home, which escaped the purview of the Department of State’s IT team.

    The rising risk of executive policy evasion

    We can leave the discussion of motivation and the legality of Secretary Clinton’s actions to the political class. But it does provide a public example of how tempting it is for executives to operate outside of policy.

    The implications of executive policy circumvention

    In the case of Secretary Clinton, while there are some political costs, the security implications have yet to be determined. But we know that Top Secret information was transmitted over what is likely a network that wasn’t equipped to safeguard it. The US Government applies the Top Secret classification to information that, if disclosed, “could be expected to cause exceptionally grave damage to the national security.”

    Addressing the risks

    Although executives are privileged users, they are likely to chafe at the kind of restrictions typically placed on administrators. Privileged identity management techniques include password vaulting, controls over commands a user can execute, and monitoring and recording activity. While executives are unlikely to accept a need to check out credentials from a password vault, more passive security techniques, specifically user activity monitoring, may be an acceptable alternative.

    If they understand what is at stake, unobtrusive monitoring that doesn’t restrict their work can identify abnormal use of their access that could indicate an abuse of privileges by an outsider.

    To mitigate the risk of attackers obtaining executive credentials, multi-factor authentication (MFA) should also be considered. We know that if it is inconvenient, though, executives will circumvent or avoid the use of security controls. So selection of easy-to-use authentication methods, such as effective thumbprint readers or a YubiKey, is critical.

    Reply
  24. Tomi Engdahl says:

    Rethinking Mobile Security – Why Apps Come First
    http://www.securityweek.com/rethinking-mobile-security-why-apps-come-first

    Enterprise mobility management (EMM) has a place in today’s mobile environment, however, it is only the starting point when thinking about mobile security.

    Mobile security technologies must provide security and trust regardless of the user, enable application-level visibility and control, and protect from vulnerabilities in the current mobile landscape—capabilities EMMs can’t deliver on their own. Why?

    EMM, with mobile device management (MDM) at its core, emerged as IT tried to keep up with the flood of mobile devices entering the workplace. Devices required configuration to help organizations manage them and allow the provisioning of company-sanctioned mobile apps. But despite the prevalence of EMM solutions in the enterprise, it’s predominantly used as a management platform that relies heavily on managing devices and users. Today’s mobile world requires a different focus – one that emphasizes BYOD, apps, increased usability, and unique associated security challenges. We simply can’t get visibility low enough in the operating system to see what is going on, and thus can never fully trust the device. We must layer on protections that we control regardless of the state of the device or the app.

    Anybody can be an App Developer

    With the growing focus on mobile, enterprise CIOs are under pressure to accommodate end-user demands—provisioning secure apps to lines of business and partners, and ensuring fast time to market for customer facing apps. As a result, a host of mobile application development platforms (MADP) and rapid mobile application development (RMAD) tools that facilitate app creation have emerged—there are now nearly 90 choices—that make it easier for the technical and non-technical alike to create apps. Now that anyone can create a mobile app, this has led to inconsistency in the security knowledge of a mobile app “developer”.

    The App Explosion

    We’ve quickly moved from just a handful of critical business apps like email, calendar and browser to hundreds of thousands of productivity apps—and their potential inherent vulnerabilities present a bigger attack surface back into sensitive enterprise data. Sensitive information is constantly being exposed as employees become their own IT departments, loading unsecured apps onto their devices and keeping the real IT department up at night. A recent survey by LogMeIn found that 70 percent of enterprises have some presence of “bring your own application” (BYOA), and the same study found that 64 percent of respondents will download their own solution even when one is already in place.

    Reply
  25. Tomi Engdahl says:

    John McAfee announces he’s running for President
    http://money.cnn.com/2015/09/08/news/john-mcafee-for-president/index.html?sr=fbmoney090815mcafee730story

    John McAfee, the antivirus software magnate who fled Belize after police tried to question him for murder, confirmed to CNNMoney that he plans to run for President in 2016 and that he’d created his own party — the Cyber Party.

    McAfee explained that he decided to run after being encouraged by “almost everyone” he knows and meets.

    “I have a huge underground following on the web,” McAfee said. “I promise you I will win because I have the votes.”

    McAfee said the desire to respond to terrorist attacks had opened citizens up to excessive surveillance.

    “The government can spy on people using their mobile phones while they’re with their wives and husbands,” McAfee said.

    Reply
  26. Tomi Engdahl says:

    Tech Firms Make Lots of Money Off Your Face—Here’s How
    http://www.wired.com/2015/09/tech-firms-make-lots-money-off-faceheres/

    They’re watching you. Very closely. Tech companies are beginning to use facial recognition software to make your life easier—and to profit from who you are, how you feel, and what you want. “Facial recognition will let firms do offline what the Internet made it possible for them to do online, which is to track individual behavior,” says Carnegie Mellon privacy researcher Alessandro Acquisti. Here’s how your face will give you away.

    They know who you are.

    Using artificial intelligence, companies can compare photos of you, noting facial features and patterns (like the distances between your nose, eyes, and ears) to create a model of your face. Facebook uses it to suggest whom you should tag in a photo; Google groups pics of you, even as a kid, in its new photo app; and Microsoft’s Xbox Kinect signs you in when it recognizes you. The tech may soon gain wider adoption for digital security too. Alibaba and Daon have demonstrated that your face could serve to verify your identity before, say, you make a purchase or access your bank account.

    Reply
  27. Tomi Engdahl says:

    F-Secure Research Reveals Online Tracking Slows Down Web Browsing and Wastes Data
    http://finance.yahoo.com/news/f-secure-research-reveals-online-163249005.html

    Research Shows That F-Secure’s Freedome VPN Can Speed Up Web Browsing by as Much as 89 percent, and Save Data by Blocking Third Party Tracking

    Using tracking protection can reduce loading times while browsing the web — in some cases by as much as 89 percent. That’s according to a new study conducted by online security provider F-Secure and researchers say the results highlight the extent to which third party tracking cookies are being abused by websites. Without proper measures in place, this “digital pollution” can turn web browsing into a sluggish experience, and force customers to use data without their consent.

    F-Secure Labs conducted the study by browsing through 50 high-ranking Alexa sites* with and without Freedome’s Tracking Protection. The experiment found that popular websites consistently loaded faster and used less bandwidth when Freedome’s Tracking Protection was in use. Load times decreased between three and 89 percent, with an average reduction of 30 percent. Page sizes were reduced between three and 55 percent, with an average reduction of 13 percent. Some websites contained as many as 95 trackers, which people can now see for themselves by using Freedome’s new Tracker Mapper feature.

    Freedome’s Tracking Protection works by completely blocking requests from tracking services and by removing cookies that belong to advertising networks. Blocking this data gathering cuts down the amount of data being transferred online, which is why Freedome was able to increase browsing performance.

    Reply
  28. Tomi Engdahl says:

    Root password flaw leaves wireless Seagate drives open to attack
    http://www.engadget.com/2015/09/07/root-password-flaw-leaves-wireless-seagate-drives-open-to-attack/?ncid=rss_semi

    Own a wireless hard drive? Was it made by Seagate? You’ll want to download an update. Researchers at Tangible Security have discovered a vulnerability in certain Seagate wireless drives that could give unauthorized users root access to the device. The flaw? A default username and password that activates undocumented Telnet services. It’s a terrifyingly simple vulnerability. Luckily, the fix is almost as simple — all you have to do is patch your drive’s firmware.

    Reply
  29. Tomi Engdahl says:

    TSA Luggage Lock Master Keys Are Compromised
    http://it.slashdot.org/story/15/09/09/1143206/tsa-luggage-lock-master-keys-are-compromised

    As the FBI demands encryption master keys for Apple, Microsoft and Google made devices, photographs of the master keys for the TSA Travel Sentry suitcases have now been published in multiple places online

    Cory Doctorow points out this makes it much easier for thieves to open luggage undetectably, without leaving any signs of lock picking.

    This shows the risk of backdoors in security systems, especially since the TSA has not given any warning about this compromise, which seems to have occurred in 2014 or earlier.

    TSA Master Keys
    https://www.schneier.com/blog/archives/2015/09/tsa_master_keys.html

    Someone recently noticed a Washington Post story on the TSA that originally contained a detailed photograph of all the TSA master keys. It’s now blurred out of the Washington Post story, but the image is still floating around the Internet. The whole thing neatly illustrates one of the main problems with backdoors, whether in cryptographic systems or physical systems: they’re fragile.

    TSA “Travel Sentry” luggage locks contain a disclosed backdoor which is similar in spirit to what Director Comey desires for encrypted phones. In theory, only the Transportation Security Agency or other screeners should be able to open a TSA lock using one of their master keys. All others, notably baggage handlers and hotel staff, should be unable to surreptitiously open these locks.

    Unfortunately for everyone, a TSA agent and the Washington Post revealed the secret. All it takes to duplicate a physical key is a photograph, since it is the pattern of the teeth, not the key itself, that tells you how to open the lock.

    So the TSA backdoor has failed: we must assume any adversary can open any TSA “lock”. If you want to at least know your luggage has been tampered with, forget the TSA lock and use a zip-tie or tamper-evident seal instead, or attach a real lock and force the TSA to use their bolt cutters.

    Reply
  30. Tomi Engdahl says:

    New York Times:
    The DoJ got a court order demanding Apple turn over iMessages in real time; Apple said it could not comply; iMessages backed up to iCloud are not encrypted end-to-end

    Apple and Other Tech Companies Tangle With U.S. Over Data Access
    http://www.nytimes.com/2015/09/08/us/politics/apple-and-other-tech-companies-tangle-with-us-over-access-to-data.html?_r=0

    In an investigation involving guns and drugs, the Justice Department obtained a court order this summer demanding that Apple turn over, in real time, text messages between suspects using iPhones.

    Apple’s response: Its iMessage system was encrypted and the company could not comply.

    Government officials had warned for months that this type of standoff was inevitable as technology companies like Apple and Google embraced tougher encryption. The case, coming after several others in which similar requests were rebuffed, prompted some senior Justice Department and F.B.I. officials to advocate taking Apple to court, several current and former law enforcement officials said.

    The conflicts with Apple and Microsoft reflect heightened corporate resistance, in the post-Edward J. Snowden era, by American technology companies intent on demonstrating that they are trying to protect customer information.

    “It’s become all wrapped up in Snowden and privacy issues,” said George J. Terwilliger III, a lawyer who represents technology companies and as a Justice Department official two decades ago faced the challenge of how to wiretap phone networks that were becoming more digital.

    “Clearly, if the U.S. government wins, the door is open for other governments to reach into data centers in the U.S.,”

    Still, the nation’s phone companies ultimately supported legislation requiring them to build access points into their digital networks so they could comply with legal wiretap orders. (Tech companies like Apple and Google are not telecommunications firms and not covered by the wiretap law.)

    The businesses say they are seeing greater demand than ever for built-in encryption

    “It’s important that we do not let these technological innovations undermine our ability to protect the community from significant national security and public safety challenges,” Sally Q. Yates, the deputy attorney general, told Congress this summer.

    At issue are two types of encoding. The first is end-to-end encryption, which Apple uses in its iMessage system and FaceTime, the video conversation system. Companies like Open Whisper Systems, the maker of Signal, and WhatsApp have adopted such encryption for stand-alone apps, which are of particular concern to counterterrorism investigators.

    With Apple, the encryption and decryption are done by the phones at either end of the conversation; Apple does not keep copies of the message unless one of the users loads it into iCloud, where it is not encrypted.

    The second type of encoding involves sophisticated encryption software on Apple and Android phones, which makes it all but impossible for anyone except the user of the phone to open stored content — pictures, contacts, saved text messages and more — without an access code.

    “There’s another attack on our civil liberties that we see heating up every day — it’s the battle over encryption,”

    “If you put a key under the mat for the cops, a burglar can find it, too.” If criminals or countries “know there’s a key hidden somewhere, they won’t stop until they find it,” he concluded.

    “People want to know what law will be applied to their data,” Mr. Smith of Microsoft said. “French want their rights under French law, and Brazilians under Brazilian law. What is the U.S. government going to do when other governments reach into the U.S. data centers, without notifying the U.S. government?”

    Chinese firms already have plans to build facilities on American soil that would store electronic communications, so the question may be more than hypothetical.

    Reply
  31. Tomi Engdahl says:

    Hackers Abuse Satellite Internet Links To Remain Anonymous
    http://it.slashdot.org/story/15/09/09/141235/hackers-abuse-satellite-internet-links-to-remain-anonymous

    Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today. Active for close to a decade, Turla’s activities were exposed last year

    Turla APT Group Abusing Satellite Internet Links
    https://threatpost.com/turla-apt-group-abusing-satellite-internet-links/114586/

    Poorly secured satellite-based Internet links are being abused by nation-state hackers, most notably by the Turla APT group, to hide command-and-control operations, researchers at Kaspersky Lab said today.

    Active for close to a decade, Turla’s activities were exposed last year; the Russian-speaking gang has carried out espionage campaigns against more than 500 victims in 45 countries, most of those victims in critical areas such as government agencies, diplomatic and military targets, and others.

    Its use of hijacked downstream-only links is a cheap ($1,000 a year to maintain) and simple means of moving malware and communicating with compromised machines, Kaspersky researchers wrote in a report. Those connections, albeit slow, are a beacon for hackers because links are not encrypted and ripe for abuse.

    “Once an IP address that is routed through the satellite’s downstream link is identified, the attackers start listening for packets coming from the internet to this specific IP,” the researchers wrote. “When such a packet is identified, for instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the source using a conventional Internet line.”

    Abuse of satellite links is not solely the domain of Turla. HackingTeam command and control servers, for example, were found to be using such links to mask operations, as were links traced to Rocket Kitten and Xumuxu, two APT groups that are government-backed or have governments as customers, Kaspersky said.

    Kaspersky speculates that APT groups turn to satellite-based Internet links for C&C for a number of reasons, including as a countermeasure against botnet takedowns by law enforcement and ISPs, which open an avenue for researchers to determine who is behind an operation. Using these satellite links, however, is not without its risks to the attacker.

    “On the one hand, it’s valuable because the true location and hardware of the C&C server cannot be easily determined or physically seized. Satellite-based Internet receivers can be located anywhere within the area covered by a satellite, and this is generally quite large,” the researchers wrote. “The method used by the Turla group to hijack the downstream links is highly anonymous and does not require a valid satellite Internet subscription. On the other hand, the disadvantage comes from the fact that satellite-based Internet is slow and can be unstable.”

    Satellite Turla: APT Command and Control in the Sky
    How the Turla operators hijack satellite Internet links
    https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/

    Although relatively rare, since 2007 several elite APT groups have been using — and abusing — satellite links to manage their operations — most often, their C&C infrastructure. Turla is one of them. Using this approach offers some advantages, such as making it hard to identify the operators behind the attack, but it also poses some risks to the attackers.

    Real satellite links, MitM attacks or BGP hijacking?

    Purchasing satellite-based Internet links is one of the options APT groups can choose to secure their C&C traffic. However, full duplex satellite links can be very expensive: a simple duplex 1Mbit up/down satellite link may cost up to $7000 per week. For longer term contracts this cost may decrease considerably, but the bandwidth still remains very expensive.

    Another way of getting a C&C server into a satellite’s IP range is to hijack the network traffic between the victim and the satellite operator and to inject packets along the way. This requires either exploitation of the satellite provider itself, or of another ISP on the way.

    These kinds of hijacking attacks have been observed in the past and were documented by Renesys (now part of Dyn) in a blogpost dated November 2013.

    The hijacking of satellite DVB-S links has been described a few times in the past and a presentation on hijacking satellite DVB links was delivered at BlackHat 2010 by the S21Sec researcher Leonardo Nve Egea.

    While the dish and the LNB are more-or-less standard, the card is perhaps the most important component. Currently, the best DVB-S cards are made by a company called TBS Technologies. The TBS-6922SE is perhaps the best entry-level card for the task.

    The TBS card is particularly well-suited to this task because it has dedicated Linux kernel drivers and supports a function known as a brute-force scan which allows wide-frequency ranges to be tested for interesting signals.

    Unlike full duplex satellite-based Internet, the downstream-only Internet links are used to accelerate Internet downloads and are very cheap and easy to deploy. They are also inherently insecure and use no encryption to obfuscate the traffic. This creates the possibility for abuse.

    Companies that provide downstream-only Internet access use teleport points to beam the traffic up to the satellite. The satellite broadcasts the traffic to larger areas on the ground, in the Ku band (12-18Ghz) by routing certain IP classes through the teleport points.

    To attack satellite-based Internet connections, both the legitimate users of these links as well as the attackers’ own satellite dishes point to the specific satellite that is broadcasting the traffic. The attackers abuse the fact that the packets are unencrypted. Once an IP address that is routed through the satellite’s downstream link is identified, the attackers start listening for packets coming from the Internet to this specific IP. When such a packet is identified, for instance a TCP/IP SYN packet, they identify the source and spoof a reply packet (e.g. SYN ACK) back to the source using a conventional Internet line.

    At the same time, the legitimate user of the link just ignores the packet as it goes to an otherwise unopened port, for instance, port 80 or 10080.

    During the analysis, we observed the Turla attackers abusing several satellite DVB-S Internet providers, most of them offering downstream-only connections in the Middle East and Africa.

    Reply
  32. Tomi Engdahl says:

    EU-US data sharing deal for cops edges closer as usual suspects moan
    Euro Commission says the text is set in stone and WILL take effect… in due course
    http://www.theregister.co.uk/2015/09/09/eu_us_data_sharing_deal_for_law_enforcement/

    After four years of talks, the EU and the US have finally reached a “gentleman’s agreement” on data sharing for law enforcement.

    The so-called Umbrella Agreement should allow the exchange of personal data between the EU and the US “for the purpose of prevention, detection, investigation and prosecution of criminal offences” so long as it is not “processed beyond compatible purposes.”

    “Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic. It will in particular guarantee that all EU citizens have the right to enforce their data protection rights in US courts. The finalisation of the Umbrella Agreement negotiations is therefore an important step to strengthen the fundamental right to privacy effectively and to rebuild trust in EU-US data flows,” said EU Justice Commissioner Věra Jourová.

    Although the final text has not been published and the negotiations were conducted behind closed doors, the European Commission has confirmed some elements.

    According to the Commish: “Individuals’ personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be made publicly available. Any individual will be entitled to access their personal data and request it to be corrected if it is inaccurate.”

    EU citizens will also have the same rights as Americans to seek judicial redress before US courts if US authorities deny access or rectification, or unlawfully disclose personal data, said Jourova.

    Reply
  33. Tomi Engdahl says:

    State cyberspies wriggle into satellites for super-duper sneaky ops
    Hackers hide exfiltrated material in legit data streams of innocent users
    http://www.theregister.co.uk/2015/09/09/turla_apt_satellite_stealth/

    A group of state-sponsored hackers have taken to hiding their location and activities by exploiting satellite communications.

    A Russian-speaking cyber-espionage group which exploits the Turla malware is using satellites to achieve greater anonymity, according to new research from Kaspersky Lab. The group is exploiting security weaknesses in global satellite networks as part of its tradecraft.

    Turla is a sophisticated cyber-espionage group that has been active for more than eight years, infecting hundreds of computers in more than 45 countries including Kazakhstan, Russia, China, Vietnam and the United States. Government institutions and embassies, as well as military, education, research and pharmaceutical companies have all been targeted by the Turla APT crew at one time or another.

    Initially the group uses the Epic backdoor to profile victims. In rare cases – for the most high profile targets – the hackers use satellite-based communication in the later stages of attacks, in an apparent effort to hide their tracks.

    Reply
  34. Tomi Engdahl says:

    End mass snooping and protect whistleblowers, MEPs yell at EU
    Lest we pass another legally unenforceable resolution
    http://www.theregister.co.uk/2015/09/09/eu_meps_endorse_anti_mass_surveillance_report/

    The European Parliament on Tuesday voted to adopt the conclusions of a report – as a non-legally binding resolution – that defends encryption, anonymity and digital freedom.

    The report (PDF), which was narrowly approved by 371 votes in favour to 293 against, said “the active complicity of certain EU member states in the NSA’s mass surveillance of citizens and spying on political leaders, as revealed by Edward Snowden, has caused serious damage to the credibility of the EU’s human rights policy.”

    However, it’s not just the US that has come in for a bashing in the resolution that was drafted by Dutch Liberal MEP Marietje Schaake. David Cameron’s ideas about banning encryption or allowing backdoor exploits for spying are also roundly condemned.

    The European Parliament said the EU should “counter the criminalisation of the use of encryption, anti-censorship and privacy tools by refusing to limit the use of encryption within the EU, and by challenging third-country governments that criminalise such tools.”

    “It also condemns the weakening and undermining of encryption protocols and products, particularly by intelligence services seeking to intercept encrypted communications,” said the institution, which, despite being one of the legislative bodies of the EU, cannot initiate legislation.

    Schaake wants “end-to-end” encryption standards as a matter of course for all communication services.

    The resolution also pushes open source and open standards, wants the possibility of granting whistleblowers international protection from prosecution (here’s looking at you, Snowden), and warns against the privatisation of law enforcement through internet companies and ISPs.

    Reply
  35. Tomi Engdahl says:

    Lockpickers 3-D Print TSA Master Luggage Keys From Leaked Photos
    http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/

    The TSA is learning a basic lesson of physical security in the age of 3-D printing: If you have sensitive keys—say, a set of master keys that can open locks you’ve asked millions of Americans to use—don’t post pictures of them on the Internet.

    A group of lock-picking and security enthusiasts drove that lesson home Wednesday by publishing a set of CAD files to Github that anyone can use to 3-D print a precisely measured set of the TSA’s master keys for its “approved” locks—the ones the agency can open with its own keys during airport inspections. Within hours, at least one 3-D printer owner had already downloaded the files, printed one of the master keys, and published a video proving that it opened his TSA-approved luggage lock.

    Those photos first began making the rounds online last month, after the Washington Post unwittingly published (and then quickly deleted) a photo of the master keys in an article about the “secret life” of baggage in the hands of the TSA. It was too late. Now those photos have been used to derive exact cuts of the master keys so that anyone can reproduce them in minutes with a 3-D printer or a computer-controlled milling machine.

    “Honestly I wasn’t expecting this to work, even though I tried to be as accurate as possible from the pictures.”

    Bolduc says he doesn’t know the brand of the luggage lock he opened, but based on the “TSA” inscription on the bottom, he can conclude it is on the approved list. The problem likely extends well beyond one brand, anyway; the leaked master keys include those that open every type of TSA-approved lock made by companies such as Master Lock, Samsonite and American Tourister.

    Of course, none of those companies are to blame for following the TSA’s master key guidelines. The real security blunder, as Berkeley computer security researcher Nicholas Weaver noted after the key photos were first published, was made by the TSA and the Washington Post, who released the photos on the Post’s website.

    Publishing photos of sensitive keys, after all, is a well-understood screwup in the world of physical security, where researchers have shown for years that a key can be decoded and reproduced even from a photo taken from as far away as 200 feet and at an angle

    The Github release of those printable master key files, according to one of the lockpickers who decoded the master key photo, is meant to prove to anyone who uses the TSA-approved locks that they should no longer expect them to offer much security. “People need to be aware that even though someone says ‘use these approved locks,’ don’t take their word for it,”

    Even so, the TSA’s master key leak doesn’t exactly represent a critical security crisis, argues University of Pennsylvania computer science professor and noted lock picker Matt Blaze. The TSA-approved luggage locks were never very high security devices to begin with. “I’m not sure anyone relied on these kinds of locks for serious security purposes,” he says. “I find it’s actually quicker to pick the TSA’s locks than to look for my key sometimes.”

    Reply
  36. Tomi Engdahl says:

    Redmond yells ‘CUT’ on Hacking Team horror movie exploit
    Media Player attack closed off
    http://www.theregister.co.uk/2015/09/10/redmond_yells_cut_on_hacking_team_horror_movie_exploit/

    Another of the exploits against Microsoft Windows that hit as a zero day after Hacking Team was hacked has been fixed.

    Trend Micro threat bod Kenney Lu says the fix for CVE-2015-2509 was among the 56 of this week’s Patch Tuesday bug-splat.

    Hacking Team’s remote code execution exploit works on Windows Vista through to 8 and works if a victim opens a crafted Media Center link file which contains malcode.

    Lu says the exploit works ‘perfectly’ on Windows Media Centre.

    “This vulnerability is related to a previously unreported zero-day exploit discovered in the Hacking Team leaked emails,” Lu says.

    Reply
  37. Tomi Engdahl says:

    Cryptographers Brace For Quantum Revolution
    http://it.slashdot.org/story/15/09/09/1938206/cryptographers-brace-for-quantum-revolution

    An article in Scientific American discusses the actions needed to address the looming advent of quantum computing and its ability to crack current encryption schemes. Interesting tidbits from the article: “‘I’m genuinely worried we’re not going to be ready in time,’ says Michele Mosca, co-founder of the Institute for Quantum Computing (IQC) at the University of Waterloo.

    Online security braces for quantum revolution
    Encryption fix begins in preparation for arrival of futuristic computers.
    http://www.nature.com/news/online-security-braces-for-quantum-revolution-1.18332

    It is an inevitability that cryptographers dread: the arrival of powerful quantum computers that can break the security of the Internet. Although these devices are thought to be a decade or more away, researchers are adamant that preparations must begin now.

    Computer-security specialists are meeting in Germany this week to discuss quantum-resistant replacements for today’s cryptographic systems — the protocols used to scramble and protect private information as it traverses the web and other digital networks. Although today’s hackers can, and often do, steal private information by guessing passwords, impersonating authorized users or installing malicious software on computer networks, existing computers are unable to crack standard forms of encryption used to send sensitive data over the Internet.

    Reply
  38. Tomi Engdahl says:

    Plug In an Ethernet Cable, Take Your Datacenter Offline
    http://hardware.slashdot.org/story/15/09/09/2117211/plug-in-an-ethernet-cable-take-your-datacenter-offline

    The Next Web reports on a hilarious design failure built into Cisco’s 3650 and 3850 Series switches, which TNW terms “A Network Engineer’s Worst Nightmare”. By plugging in a hooded Ethernet cable, you…well, you’ll just have to see the picture and laugh.

    This hilarious Cisco fail is a network engineer’s worst nightmare
    http://thenextweb.com/insider/2015/09/07/this-hilarious-cisco-fail-is-a-network-engineers-worst-nightmare/

    In 2013, Cisco issued a ‘field notice’ warning of a problem with its very expensive 3650 and 3850 Series Switches, used in many datacenters around the world.

    That field notice detailed a major problem with the switches, discovered after they were released: plugging in a cable could wipe them entirely in just a few seconds.

    The cables, which are sometimes accidentally used in datacenters, feature a protective boot that sticks out over the top

    That boot would hit the reset button which happened to be positioned directly above port one of the Cisco switch, which causes the device to quietly reset to factory settings.

    Such a situation could cause a problem in any size datacenter, where these switches and cables are commonly used. If someone plugged in a cable to port one unknowingly pushing the button, they’d possibly be taking down the entire network without even realizing it. If your switches are configured right, however, the blip should be only brief.

    It’s amazing that Cisco didn’t catch this before the device was released, let alone that the ‘fix’ for the problem suggests using a different cable or cutting off the boot.

    Reply
  39. Tomi Engdahl says:

    Scams are changing: the caller demanded bank codes in the name of Nordea

    The access-code phishers have started to phone the people who do not respond to their scam messages.

    Facebook has a video in which the caller, claiming to be Nordea’s representative, says the data has been updated and therefore wants to hear the next key figure from the customer’s list of bank codes. The customer is not fooled and gives a wrong number, whereupon the scammer, posing as a bank employee, replies that the number does not work.

    Source: http://www.tivi.fi/Kaikki_uutiset/huijaukset-muuttuvat-harskimmiksi-soittaja-vaati-nordean-nimissa-pankkitunnuksia-3482788

    Reply
  40. Tomi Engdahl says:

    Nuke all your computer passwords, says Intel exec
    http://uk.businessinsider.com/intel-wants-to-nuke-all-your-passwords-2015-9?r=US&IR=T

    Let’s face it: no one likes passwords.

    With all the different websites and devices you log into, it’s become almost impossible to keep track of all the passwords you have.

    But what if you could forget about passwords and log in instantly using something else, like your face or finger prints?

    Intel thinks that’s a real possibility — and something you can do right away.

    “We want to eliminate all passwords from computing,” Kirk Skaugen, Senior VP and general manager of Intel’s Client Computing Group said at the Citi Global Technology Conference held on Tuesday. “I can confidently say today, you can eliminate all your passwords today, if you buy a 6th Generation Core system.”

    Skaugen was referring to the new 6th Generation Core chips Intel released last week, which power some of the latest Windows 10 devices that come with new facial recognition software, like Windows Hello. To enjoy the full functionality of Windows Hello, you also need Intel’s RealSense 3D Camera, which looks at multiple angles to detect the photo’s depth and heat to determine the user’s identity.

    Windows Hello: can identical twins fool Microsoft and Intel?
    http://www.theaustralian.com.au/business/in-depth/windows-hello-can-identical-twins-fool-microsoft-and-intel/story-fnw66tov-1227490164701

    Windows 10, released last month by Microsoft, replaces the hackable password system with biometric recognition. You log in using your fingerprints, and with eye and face recognition.

    The new feature is called Windows Hello. If you have an iPhone or recent Samsung smartphone, you will know how convenient fingerprint recognition is, and it has proved consistent and reliable.

    But a large number of notebooks coming on to the market with Windows 10 offer face recognition as an alternative to passwords for accessing your account.

    The face recognition process involves a RealSense camera made by Intel, which sits embedded above the display. Three cameras — featuring an infra-red lens, a regular lens and a 3-D lens — use photographic analysis, heat detection and depth detection to decide who is at your computer display.

    Personally I found face recognition worked a treat. The Lenovo Thinkpad Yoga 14 we used quickly identified who I was among several account holders, and in a flash logged me in.

    Reply
  41. Tomi Engdahl says:

    Toronto police report two suicides associated with Ashley Madison hack
    http://www.theguardian.com/world/2015/aug/24/toronto-suicides-ashley-madison-hack

    Local police in Canada say two suicides are being investigated together because of the leak of millions of customer profiles for extramarital dating service

    Unconfirmed reports suggest that two people in Toronto have killed themselves over the Ashley Madison hack, local police said in a briefing providing details about the beginning of the leak.

    Evans said the nature of the dating site for married people was “of no interest to us as the investigative teams”.

    Security analyst Brian Krebs said last week he feared exactly that outcome. “There’s a very real chance that people are going to overreact. I wouldn’t be surprised if we saw people taking their lives because of this, and obviously piling on with ridicule and trying to out people is not gonna help the situation,” Krebs, who first reported the hack, said on Wednesday.

    The hack, in which some 33m profiles from the service were published online, has been the focus of extortion and phishing attempts. Among them are “hack checking” websites that compile the emails of the curious entered into them and then send malicious software to those emails.

    Evans also said that a new scam, claiming to erase names from the Ashley Madison database in order to preserve users’ privacy, had sprung up in the few days since the hack.

    Pastor outed on Ashley Madison commits suicide
    http://money.cnn.com/2015/09/08/technology/ashley-madison-suicide/index.html

    In his suicide note, Gibson chronicled his demons. He also mentioned Ashley Madison.

    “He talked about depression. He talked about having his name on there, and he said he was just very, very sorry,” Christi said. “What we know about him is that he poured his life into other people, and he offered grace and mercy and forgiveness to everyone else, but somehow he couldn’t extend that to himself.”

    Ashley Madison was hacked in July, and hackers released users’ personal information in August. Since then, authorities in Toronto have said they’re investigating suicides that could be linked to the data dump. Hackers have also sent extortion emails to people who were on the list.

    Reply
  42. Tomi Engdahl says:

    Olivia Solon / Bloomberg Business:
    Cyber-Extortionists Targeting the Financial Sector Are Demanding Bitcoin Ransoms
    http://www.bloomberg.com/news/articles/2015-09-09/bitcoin-ddos-ransom-demands-raise-dd4bc-profile

    A cybercriminal group going by the name “DD4BC” is blackmailing financial institutions, threatening to take down their customer websites unless they pay a hefty bitcoin ransom.

    DD4BC – which stands for “DDoS for Bitcoin” (Distributed Denial of Service for Bitcoin) – has been targeting firms since mid-2014, so far evading international police forces.

    The group initially hit bitcoin mining companies, exchanges and online casinos with a handful of attacks per month. But over the last few months it has ramped up activity and turned its attention to the financial sector – banks, brokerages and automated clearing houses in Europe, Australia and the U.S. To date, the group has carried out almost 150 attacks, 58 percent of which have been directed at financial service companies, according to research by Akamai published on Wednesday.

    The U.K. National Computer Emergency Response Team (CERT UK), which runs a national cyber-threat data-sharing initiative, confirms a “marked increase” in reports of DDoS attacks by DD4BC against its partners – which include Lloyd’s Bank and BAE Systems, though there is no suggestion they have been hit.

    As cyber-attacks go, DDoS is a blunt instrument. It involves hammering a target website with traffic using a distributed network of computers under the control of one attacker. The aim is to flood the site with traffic to the point that its web server crashes and the site goes offline.

    There is a commercial impact – estimated by Neustar to cost up to $100,000 per hour – but these attacks predominantly damage brand perception. “It represents vulnerability,” says Cisco’s Adam Philpott, who heads up cybersecurity in Europe. “If I can’t access the service of an organization that’s handling a significant amount of my money, how can I trust it?”

    DDoS extortion is not new, but DD4BC is particularly prolific.

    “They’ve been industrializing their operation – doing it at a scale and level that has not been seen before,”

    Reply
  43. Tomi Engdahl says:

    Huawei’s new phone arrived in Finland – appearance more important than security

    Huawei’s own version of Android slows down security updates, the company admits.

    Huawei launches the Finnish sales of its new Honor 7 phones today.

    Speaking at the launch conference, Jin Yiming, Huawei’s Product Manager for Honor phones in Eastern and Northern Europe, admits that the company’s own user interface has a security-sensitive problem.

    - Upgrading is a problem. The EmotionUI-based version of Android is tied so deeply into the Android code that fixes are slow. In return, we offer customers the look of our own user interface, says Yiming.

    When asked, Yiming admits that appearance comes before security.

    Huawei Consumer Products Group Senior Vice President Mika Engblom points out that many other Android manufacturers also have trouble getting software patches to market.

    Source: http://www.digitoday.fi/mobiili/2015/08/27/huawein-uutuuspuhelin-tuli-suomeen–ulkonako-tarkeampaa-kuin-tietoturva/201510976/66

    Reply
  44. Tomi Engdahl says:

    Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked
    Programming errors make 15.26 million accounts orders of magnitude faster to crack.
    http://arstechnica.com/security/2015/09/once-seen-as-bulletproof-11-million-ashley-madison-passwords-already-cracked/

    When the Ashley Madison hackers leaked close to 100 gigabytes’ worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them.

    Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes.

    The cracking team, which goes by the name “CynoSure Prime,” identified the weakness

    The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers.

    The bcrypt configuration used by Ashley Madison was set to a “cost” of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function. If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault. At the time this post was being prepared, the blunders allowed CynoSure Prime members to positively crack more than 11.2 million of the susceptible passwords.

    “Instead of cracking the slow bcrypt$12$ hashes which is the hot topic at the moment, we took a more efficient approach and simply attacked the MD5 … tokens instead.”

    Cracking each token requires only that the cracking software supply the corresponding user name found in the password database, adding the two colons, and then making a password guess. Because the MD5 is so fast, the crackers could try billions of these guesses per second. Their task was also aided by the fact that the Ashley Madison programmers had converted the letters of each plaintext password to lower case before hashing them, a function that reduced the “keyspace” and, with it, the number of guesses needed to find each password.

    How we cracked millions of Ashley Madison bcrypt hashes efficiently
    http://cynosureprime.blogspot.fi/2015/09/how-we-cracked-millions-of-ashley.html

    Having the solved md5 tokens however, did not mean that we “knew” the original password. The token used only the lowercase value of the password and thus a secondary step to toggle the case of each character generating each variant was necessary, in order to properly crack the bcrypt hashes. Fortunately, this was a fixed-set problem with each bcrypt hash, thus only one salt needed to be checked for each bcrypt against the case variants.

    Reply
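The design flaw described in the comment above, shown as an added example (not code from Ars Technica, CynoSure Prime or Ashley Madison): a fast MD5 token derived from the lowercased password undoes the protection of the slow bcrypt hash, and the hardened form is a random token that carries no password material at all. The token layout `md5(username::lowercased password)` is an assumption reconstructed from the article’s description, and the user names and passwords are constructed sample data.

```python
"""Why a fast-hash "loginkey" derived from the password defeats bcrypt.

Added example; the weak token layout below is an ASSUMPTION reconstructed
from the article (username, two colons, lowercased password), not the
site's actual source. Sample credentials are constructed.
"""
import hashlib
import hmac
import secrets


def vulnerable_loginkey(username: str, password: str) -> str:
    """Assumed reconstruction of the weak token.

    Two defects at once: MD5 is fast (billions of guesses per second on
    commodity hardware), and lowercasing the password shrinks the space
    of candidates the slow bcrypt check would otherwise have protected.
    """
    material = f"{username}::{password.lower()}".encode("utf-8")
    return hashlib.md5(material).hexdigest()


def case_variants(password: str) -> int:
    """How many upper/lower-case spellings collapse onto one lowercased token.

    This is the "secondary step" the CynoSure Prime post describes: once
    the lowercase value is known, only 2**letters bcrypt checks remain,
    each against a single, already-known salt.
    """
    return 2 ** sum(1 for ch in password if ch.isalpha())


def safe_loginkey() -> str:
    """Hardened replacement: a random session token, independent of the
    password, so a leaked token database says nothing about passwords."""
    return secrets.token_urlsafe(32)


def store_loginkey(token: str) -> str:
    """Persist only a hash of the token, so a database dump cannot be
    replayed directly. SHA-256 is fine here: the token is 256 bits of
    randomness, not a low-entropy human password, so speed is harmless."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def verify_loginkey(presented: str, stored_hash: str) -> bool:
    """Constant-time comparison of the presented token against the stored hash."""
    return hmac.compare_digest(store_loginkey(presented), stored_hash)


if __name__ == "__main__":
    # Constructed sample: three spellings, one token -> the case information
    # that bcrypt was paid to protect never reaches the token at all.
    for pw in ("Secret1", "SECRET1", "secret1"):
        print(pw, vulnerable_loginkey("alice", pw))
    print("case variants hidden for 'Secret1':", case_variants("Secret1"))
    tok = safe_loginkey()
    print("random token verifies:", verify_loginkey(tok, store_loginkey(tok)))
```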
  45. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    ICANN parent IANA officially recognizes .onion TLD, giving Tor domains basic security features like SSL and TLS certificates

    Internet Regulators Just Legitimized The Dark Web
    http://motherboard.vice.com/read/internet-regulators-just-legitimized-the-dark-web

    The so-called dark web is often mistakenly believed to be just an unsanctioned space of the internet that hosts dingy, illegal websites. But in reality, it’s home to websites such as Facebook, and countless whistleblower platforms hosted on the privacy-protecting and anonymizing Tor network.

    On Wednesday, thanks to newly announced decisions by internet regulators, these sites are getting some official recognition, and will be able to more easily offer better security to their users.

    The Internet Assigned Numbers Authority (IANA)—a department within the organization that oversees the domains of the internet known as the Internet Corporation for Assigned Names and Numbers (ICANN)—along with the Internet Engineering Task Force (IETF), designated the .onion domain, used for sites hosted on the Tor network, as a “Special Use Domain,” giving it an official status that it previously lacked.

    With this change, the IETF and IANA “recognize that there are legitimate reasons to use the Tor anonymity network and its hidden services,” Runa Sandvik, a security researcher who has worked with the Tor Project in the past, told Motherboard in an email.

    For Jacob Appelbaum, a security researcher who proposed this change to the IETF along with Facebook security engineer Alec Muffett, this is good news for internet users.

    It means that the IETF is “starting to take privacy seriously,” and “working towards privacy by design,” he told Motherboard in an encrypted chat.

    Reply
  46. Tomi Engdahl says:

    GCHQ wants to set your passwords. In a good way
    Enough already with the strength meters and frequent changes says security agency
    http://www.theregister.co.uk/2015/09/11/blightys_spy_agency_nails_rejigged_good_password_advice/

    Britain’s spy agency the GCHQ has changed its password security guidance in a new document offering sensible advice that, if followed, should harden systems and make life easier for admins and users.

    The guidance advocates a ban on password strength meters, mandatory resets, and predictable combinations, instead encouraging brute force rate limiting and reduced access controls.

    The advice is not for the likes of GCHQ itself, who should maintain their own air-gapped, Faraday-caged security systems according to risk appetite.

    The guide covers the obvious, such as how passwords can be cracked and the need to change from pre-installed defaults, but also offers solid advice that admins should only dole out passwords where they are required and should allow the use of password storage lockers.

    Reply
  47. Tomi Engdahl says:

    FireEye Tries to Bury Keynote Reporting That It Ran Apache As Root On Security Servers
    http://yro.slashdot.org/story/15/09/10/2018242/fireeye-tries-to-bury-keynote-reporting-that-it-ran-apache-as-root-on-security-servers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Leading network security company FireEye, which has customers in government and the Fortune 500 list, has caused a controversy at a London security conference today after its legal attempts to stop a keynote speech detailing the repair of major security loopholes in its customer-facing systems this year. Reported among these now-fixed vulnerabilities was the running of a significant number of FireEye’s Apache-based security servers as ‘root’

    Major web security company sought to conceal that it ran compromised servers
    https://thestack.com/security/2015/09/10/major-web-security-company-sought-to-conceal-that-it-ran-compromised-servers/

    A controversy has erupted today at London security conference 44CON as details emerge of U.S. security company FireEye’s attempts to stifle any public disclosure of a major series of vulnerabilities in its suite – all of which have now been patched.

    The vulnerabilities are said to have included the default use of the ‘root’ account on a significant number of the Apache servers providing services to FireEye’s clients.

    Apache is designed to be started by a ‘root’ user – who has absolute power over all the functionality of the software – and quickly passed to normal operation via a user account with far fewer privileges. An attacker able to compromise the server would face no further permissions barriers in obtaining any data and starting or manipulating any connections or file/database operations of which the server is capable. For a security suite, that’s about as bad as it gets.

    FireEye, founded in 2004, is a leading network security company focused on protecting businesses from malware, zero-day exploits and other cyber attacks. The U.S.-based firm has over 2,500 customers globally, including Fortune 500 companies and many federal departments. FireEye was tightly involved in cyber investigations following the high-profile attacks on Sony Pictures and Anthem.

    Reply
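The article above describes the intended model (the parent `httpd` starts as root to bind port 80/443 and read keys, then forks workers that run as an unprivileged user) and why a root worker is so serious. The quickest check on a host is to look at which user the worker processes actually run as, rather than trusting the config. Below is an added example, not code from FireEye, the Apache project or the quoted article: a small audit over `ps -eo user,pid,ppid,comm` output that flags any Apache process running as root other than the privileged parent. The sample process listing is constructed for the example; the function and binary names are assumptions.

```python
# Added example, not part of the original article or any vendor tooling.
# Input format assumed: `ps -eo user,pid,ppid,comm` (a header line, then one
# process per line). Feed it live output on a real host:
#   root_apache_workers(subprocess.check_output(["ps", "-eo", "user,pid,ppid,comm"], text=True))

APACHE_BINARIES = {"httpd", "apache2"}   # common names of the Apache httpd binary


def _apache_rows(ps_output):
    """Parse ps output into (user, pid, ppid, comm) tuples for Apache processes."""
    rows = []
    for line in ps_output.strip().splitlines()[1:]:   # skip the header
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, comm = parts
        if comm in APACHE_BINARIES:
            rows.append((user, int(pid), int(ppid), comm))
    return rows


def root_apache_workers(ps_output):
    """PIDs of Apache worker processes running as root.

    The parent (the Apache process whose own parent is not Apache) is allowed
    to be root: that is how it binds privileged ports and reads key files. Any
    other Apache process owned by root means privileges were never dropped.
    """
    rows = _apache_rows(ps_output)
    apache_pids = {pid for _, pid, _, _ in rows}
    parents = {pid for _, pid, ppid, _ in rows if ppid not in apache_pids}
    return [pid for user, pid, _, _ in rows if user == "root" and pid not in parents]


# Constructed sample listing: one root worker (pid 1202) slipped through.
SAMPLE_PS = """\
USER      PID  PPID COMMAND
root        1     0 systemd
root     1200     1 httpd
www-data 1201  1200 httpd
root     1202  1200 httpd
www-data 1203  1200 httpd
postgres 1300     1 postgres
"""

if __name__ == "__main__":
    bad = root_apache_workers(SAMPLE_PS)
    print("root Apache workers:", bad or "none")
```

Two caveats for anyone running this for real: a worker that has already been compromised may have been renamed or replaced, so `comm` is not proof of anything, and the `User`/`Group` directives in `httpd.conf` are what decide the worker identity. A stock httpd build actually refuses to run children as root unless it was compiled with `-DBIG_SECURITY_HOLE`, so finding root workers usually means a custom build or a non-standard process model, both worth investigating on their own.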
  48. Tomi Engdahl says:

    GM Performs Stealth Update To Fix Security Bug In OnStar
    http://mobile.slashdot.org/story/15/09/10/1539239/gm-performs-stealth-update-to-fix-security-bug-in-onsta

    Back in 2010, long before the Jeep Cherokee thing, some university researchers demonstrated remote car takeover via cellular (old story here). A new Wired article reveals that this was actually a complete exploit of the OnStar system (and was the same one used in that 60 Minutes car hacking episode last year). Moreover, these cars stayed vulnerable for years — until 2014, when GM created a remote update capability and secretly started pushing updates to all the affected cars.

    GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars
    http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/

    When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive: Chrysler issued a software fix before the research was even made public. The National Highway Traffic and Safety Administration launched an investigation. Within days Chrysler issued a 1.4 million vehicle recall.

    But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions. That’s in part because the prior group of car hackers, researchers at the University of California at San Diego and the University of Washington, chose not to publicly name the make and model of the vehicle they tested, which has since been revealed to be General Motors’ 2009 Chevy Impala. They also discreetly shared their exploit code only with GM itself rather than publish it.

    Reply
