Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 was easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods of software development continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations of 2013. There were lots of articles related to the published material. Not everything has been published yet, so I expect further details from the NSA revelations to be published in 2015 as well. I also expect new information leaks about how government security organizations spy on us all.

It seems that 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high-profile breaches. I expect that these new requirements will not result in any quick change to the situation. As breach reports keep coming in, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article “Get Ready For The Hack Attack That Drives A Big Company Out Of Business” predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally focused on other threats). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a not-so-well-prepared company into a complete disaster from which it can’t recover. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet-connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT-related data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the very details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for this to happen are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even sound-wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves its protections to keep up with dynamic attacks. Traditionally these approaches have focused on the network, but they can and should be applied to other parts of the IT system as well (start with email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, the NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics, and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority backed by big names on the Internet, including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit a website that does not use HTTPS. If implemented, the change would mean that a warning pops up when people visit a site that uses only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS traffic will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t see what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within HTTPS. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
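The interception arrangement described above, seen from the client side, as an added example that is not code from the original post: a proxy that decrypts and re-encrypts must present its own certificate for the site, signed by a CA the client trusts, so pinning the origin's certificate fingerprint reveals the substitution even though normal chain validation passes. Host names, fingerprints and issuer names below are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed pin table: host -> hex SHA-256 over the DER-encoded leaf certificate
# the origin is known to serve (record it once from a network you trust).
PINS = {
    "www.example.com": "00" * 32,   # placeholder, not a real fingerprint
}


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER bytes, the value browser certificate viewers display."""
    return hashlib.sha256(der_cert).hexdigest()


def issuer_common_name(peercert: dict) -> str:
    """Issuer CN from the dict returned by ssl.SSLSocket.getpeercert().

    The 'issuer' entry is a tuple of RDNs, each a tuple of (name, value) pairs.
    An intercepting firewall shows up here as its own private CA name.
    """
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return ""


def classify(host: str, der_cert: bytes, pins: dict = PINS) -> str:
    """Verdict for the certificate actually presented to this client.

    'ok'           fingerprint matches the pin
    'intercepted'  pin mismatch: someone re-issued the certificate for this host
    'unpinned'     no pin on file, so nothing can be concluded
    """
    expected = pins.get(host)
    if expected is None:
        return "unpinned"
    return "ok" if fingerprint(der_cert) == expected else "intercepted"


def probe(host: str, port: int = 443, timeout: float = 5.0, pins: dict = PINS) -> dict:
    """Live check (needs network): connect, fetch the leaf certificate, classify it.

    Chain validation by create_default_context() still passes behind an
    inspecting firewall, because its CA is installed in the client's trust
    store; only the pin comparison notices the substitution.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return {
        "host": host,
        "issuer": issuer_common_name(info),
        "fingerprint": fingerprint(der),
        "verdict": classify(host, der, pins),
    }


if __name__ == "__main__":
    print(probe("www.example.com"))
```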

 

3,110 Comments

  1. Tomi Engdahl says:

    Half the Fanbois in your office are unpatched ATTACK VECTORS
    iOS 9 imminent, but they’d rather run 8.3
    http://www.theregister.co.uk/2015/09/11/half_of_all_staff_are_unpatched_apple_attack_vectors/

    Duo Labs researcher Mike Hanley says one in two iPhones connected to corporate networks are running outdated versions of iOS.

    The poor patch performance means half of all iDevices are corporate attack vectors running April’s iOS version 8.3 or lower, and as a result are brimming with more than 100 vulnerabilities.

    Almost a third of those exposed 50 percent run versions below iOS 8.2, Hanley says.

    “We found that half of all iPhones in use today are running iOS 8.3 or lower, which was released five months ago,” Hanley says.

    “All it takes is one vulnerable device accessing your network to put your entire organization at risk of a data breach.

    Reply
  2. Tomi Engdahl says:

    US braces for WW3 with Cyber Command ‘Vision’ of integrated cyberops
    No mention of Skynet or WOPR as yet
    http://www.theregister.co.uk/2015/09/10/cybercom_vision_statement_us_rogers/

    Admiral Michael S. Rogers, commander of the United States’ Cyber Command, has released his vision statement for the US’s warfighting arm in cyberspace, coincidentally advocating a much larger role for his command and agencies in the national defence apparatus.

    Rogers, who is also head of the NSA and the Central Security Service, capitalised the word ‘Vision’ when he delivered his thoughts in a 14-page statement (PDF) titled “Beyond the Build: Delivering Outcomes Through Cyberspace”.

    The ‘Vision’ does not depart from the Pentagon’s cyber-warfare strategy published earlier this year, but Rogers did more to acknowledge the difficulties facing the US Cyber Command (USCYBERCOM) as it prepares to ratchet up their cyberspace operations.

    While the US “is working hard to maintain its edge over potential adversaries in cyberspace” the USCYBERCOM head stressed that the nation must acknowledge it now has “peer competitors” in the cyber domain:

    States, groups, and individuals are using and developing sophisticated capabilities to conduct cyber coercion, cyber attacks, and cyber exploitation against the US and our allies.

    The targets of their efforts extend well beyond government and into privately owned businesses.

    US Cyber Command, teaming with federal, foreign, and industry partners, will help to mitigate, halt, and attribute acts of disruption and destruction and campaigns of cyber espionage; dissuade adversaries from malicious behavior; and strengthen the resilience of DoD systems to withstand attacks.

    Beyond the Build
    Delivering Outcomes through Cyberspace
    The Commander’s Vision and Guidance for US Cyber Command
    http://www.defense.gov/Portals/1/features/2015/0415_cyber-strategy/docs/US-Cyber-Command-Commanders-Vision.pdf

    Reply
  3. Tomi Engdahl says:

    3D printer blueprints for TSA luggage-unlocking master keys leak online
    That padlock on your bag? Easy to open by anyone now
    http://www.theregister.co.uk/2015/09/10/tsa_master_key_blueprints_leaked/

    Reply
  4. Tomi Engdahl says:

    That’s a Tor order: Library gets cop visit for running exit relay in US
    Feds not happy with potentially criminal traffic running through public-funded network
    http://www.theregister.co.uk/2015/09/10/tor_library_unplugged/

    A New England library is calling off its plan to host a Tor exit node after cops, tipped off by the US Department of Homeland Security, paid a visit.

    The Kilton Library in Lebanon, New Hampshire, had been hosting an exit relay on the Tor network since July as part of a pilot program to safeguard citizens’ privacy online.

    After meeting with the plod, however, the librarians have taken the box offline over fears it was being used for criminal activity.

    Reply
  5. Tomi Engdahl says:

    New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste
    http://it.slashdot.org/story/15/09/10/202232/new-uk-security-guidelines-password-re-use-ok-frequent-changing-a-waste

    New UK government guidance on how to handle passwords (PDF) “advocates a dramatic simplification of the current approach.

    “Regular password changing harms rather than improves security, so avoid placing this burden on users.” And “given the infeasibility of memorising multiple passwords, many are likely to be re-used.”

    Making security better: Passwords
    https://cesgdigital.blog.gov.uk/2015/09/08/making-security-better-passwords/

    Start talking with users about security and pretty quickly you end up on the topic of passwords.

    Passwords are probably the security measure that everyone runs into on a daily basis. We have passwords for our IT systems at work, we have passwords for the services we use at home, we have passwords for the devices we use. There are passwords everywhere!

    However, the conversation we’ve had with people all around the public sector hasn’t been a happy one when it comes to passwords. When every system needs a different password, the complexity settings for each system are set high, and password changes are enforced frequently, the outcome is not better security. Through research, in collaboration with the Research Institute in the Science of Cyber Security, we’ve learnt about how trying to make passwords “more secure” means systems end up less secure.

    When we’re overloaded with passwords, we all end up “breaking the rules”: we use the same passwords across different systems; we use coping strategies to make passwords more memorable (and thus more easily guessed), and we store passwords insecurely. Jokes about passwords on sticky notes underneath keyboards aren’t jokes.

    When we overload users with passwords, we also add cost. There’s the cost of dealing with increased password resets and account lockouts, and by putting up barriers in the name of security, we reduce the functionality of systems, and make it harder for people to do their jobs.

    Worst of all, making all password policies “complex” doesn’t stop attacks; see Microsoft’s research paper on this subject. Attackers who have stolen a password database – even if hashed and salted – can generally brute force the majority of the passwords in a reasonable length of time, unless the passwords are so long as to be impossible to remember.

    Attackers who only get a few tries at guessing passwords (such as with a well-designed online service, or enterprise IT network with throttling and lockout) will be stopped by a fairly short password. The vast majority of password policies are in the middle of this – they give us passwords that are far too short to prevent brute force attacks, but that are much more complicated than they need to be to prevent others. The result is that we’re asking users to put in more work remembering complicated passwords, for no actual extra security benefit.

    Password Guidance
    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

    Reply
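The offline-versus-online contrast in the guidance quoted above, as an added example that is not the commenter's or CESG's code: a salted PBKDF2 store models the stolen database an attacker can brute-force at hardware speed, while the throttled verifier models the online service that gives an attacker only a few guesses per account. User names, passwords, lockout values and guess rates are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # constructed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random per-user salt.

    The salt stops one precomputed table serving every user; the round count is
    what slows an attacker who holds a stolen copy of the database.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class ThrottledLogin:
    """Online verifier: `max_failures` wrong guesses lock the account for `lockout` seconds."""

    def __init__(self, max_failures: int = 5, lockout: float = 300.0):
        self.max_failures = max_failures
        self.lockout = lockout
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'locked', 'ok' or 'bad'. `now` is injected so the policy is testable."""
        if now < self.locked_until.get(user, 0.0):
            return "locked"
        record = self.users.get(user)
        if record is not None and verify_password(password, *record):
            self.failures[user] = 0
            return "ok"
        if record is None:
            hash_password(password)  # spend the same time for unknown users (no username oracle)
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.locked_until[user] = now + self.lockout
        return "bad"

    def max_guesses_per_day(self) -> float:
        """Upper bound on online guesses per account per day under this policy."""
        return self.max_failures * 86400 / self.lockout


def days_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Days needed to try every password of the given entropy at the given guess rate.

    Feed it an offline rate (hardware-bound, a constructed figure below) and the
    online rate ThrottledLogin.max_guesses_per_day() / 86400 to see the gap the
    guidance describes: short passwords survive throttling, not a stolen database.
    """
    return 2 ** entropy_bits / guesses_per_second / 86400


if __name__ == "__main__":
    guard = ThrottledLogin(max_failures=5, lockout=300.0)
    online_rate = guard.max_guesses_per_day() / 86400   # guesses per second per account
    offline_rate = 1e5                                     # constructed figure for a stolen hash db
    for bits in (20, 30, 40):
        print("%d bits: online %.1f days, offline %.4f days"
              % (bits, days_to_exhaust(bits, online_rate), days_to_exhaust(bits, offline_rate)))
```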
  6. Tomi Engdahl says:

    It’s 2015 and miscreants are still trying to dupe you with fake BSoDs
    Blue Screen of Death? Darling, that’s so mid-2000s
    http://www.theregister.co.uk/2015/09/11/tech_support_scam_bsod_ruse/

    Tech support scammers have mocked up a web page with an even more dire version of Microsoft’s infamous Blue Screen of Death (BSoD) error page.

    The website, registered behind an anonymity service on 1 September, wants to convince surfers tricked into visiting it that their PC has been derailed in order to dupe prospective marks into phoning scammers, who will attempt to extract a big fat fee for solving non-existent problems.

    Victims are lured to scam pages via either spam messages or malicious advert redirects, according to Malwarebytes, the security software firm that spotted the BSoD scam page. Surfers with Javascript enabled will get nagged with a pop-up message featuring an even more dire warning until they kill the browser instance, something that might be tricky without resorting to the “CTRL+ALT+ DELETE” kill option.

    “In a nutshell, should you see any form of messages in your browser claiming to be a BSoD, either close the window or disable Javascript then close it – and don’t call the number. If the various browser pop-ups make it impossible to access your Browser options for whatever reason (or you’re just not sure how to disable it), then hit CTRL+ALT+DEL and close it from the Task Manager.”

    Reply
  7. Tomi Engdahl says:

    Former Ashley Madison CTO is suing Brian Krebs for reporting about the hack
    Keep moving, fella
    http://www.theinquirer.net/inquirer/news/2418367/hackers-breach-cheaters-website-ashleymadison-in-data-debrief-encounter

    THE FORMER CHIEF TECHNOLOGY OFFICER (CTO) at dating site Ashley Madison is suing a security blogger for reporting on claims that he hacked into rival sites.

    We might call this fanning the flames, but then we are not the affected party. That is former Ashley Madison CTO Raja Bhatia, who is suing Brian Krebs, according to Krebs, because of a story that was posted on the Krebs on Security site earlier this year.

    Krebs seems particularly unmoved by the legal approach and does not appear to be rushing towards making any changes.

    “Libel lawsuits in the US are usually quite difficult and expensive for the plaintiff to win. But in Canada, where Bhatia’s attorney and Ashley Madison’s parent company Avid Life Media are headquartered, the libel laws are more complex for defendants,”

    Ashley Madison users are suing Amazon Web Services (AWS) and GoDaddy for hosting websites that leaked the dating site’s pilfered customer data.

    The CEO of Avid Life Media (ALM), parent company of controversial, ‘discreet’ dating website Ashley Madison, stepped down last week.

    Ashley Madison is facing a class action lawsuit that accuses the company of not doing enough to protect personal and private information.

    The class action case, from two Canadian law firms, argues that the hook-up station failed users by not protecting their information and not deleting it after a fee had been paid to ensure its deletion. The suit seeks $578m in damages.

    “They are outraged that AshleyMadison.com failed to protect its users’ information,” attorney Ted Charney told the paper. “In many cases, the users paid an additional fee for the website to remove all of their user data, only to discover that the information was left intact and exposed.”

    The implications of the hack on the infidelity website are already bad. It puts personal information in harm’s way and it puts philandering lotharios at risk of sour moods and awkward evenings, never mind divorce courts and the resulting legal fees.

    The fallout, messy and grubby as it is, is pretty fascinating, however, and shows that, wherever you go in the world, you have a strong chance of being approached for a no-strings – unless that is your thing – night in a hotel room with an otherwise legally attached stranger.

    “Data is the new currency and the breach at Ashley Madison shows attackers are not only looking to steal consumer information for profit but to hold companies hostage,” said Eric Chiu, president and co-founder of cloud security company HyTrust.

    “Dating sites have lots of very personal information, including contact information, dates of birth and sexual preferences.

    Krebs said that some 37 million philandering users have dangled their privates in the direction of non-spouses in a way that they probably imagined would never happen.

    “We’re not denying this happened,” said ALM chief executive Noel Biderman. “Like us or not, this is still a criminal act.”

    The firm explained that it has called in support from forensic and security industry specialists to aid in its investigation of the attack.

    Reply
  8. Tomi Engdahl says:

    Mary-Ann Russon / International Business Times:
    Companion: Tens of thousands using safety app that lets friends digitally walk you home at night
    http://www.ibtimes.co.uk/companion-tens-thousands-using-safety-app-that-lets-friends-digitally-walk-you-home-night-1518197

    Tens of thousands of people around the world are now using a free personal-safety mobile app that allows friends to virtually walk you home at night. The Companion app, created by five students from the University of Michigan, enables users to request a friend or family member to keep them company virtually and track their journey home via GPS on an online map.

    Although they can do so, the friend or family member does not need to have the Companion app installed, which is available for both Android and iOS. The user can send out several requests to different phone contacts in case people are not available to be a companion or not with their phones at the time.

    Those contacted then receive an SMS text message with a hyperlink in it that sends them to a web page with an interactive map showing the user walking to their destination. If the user strays off their path, falls, is pushed, starts running or has their headphones yanked out of their phone, the app detects these changes in movements and asks the user if they’re OK.

    If the user is fine, they press a button on the app to confirm within 15 seconds. If they do not press the button, or a real emergency is occurring, the Companion app transforms the user’s phone into a personal alarm system that projects loud noises to scare criminals from the scene, and gives you the option to instantly call the police.

    As the app was originally designed to aid students in walking home at night across university campuses, if the user calls 911, the app will also alert the person’s relevant university campus safety department within the US, but this feature is only applicable to universities that have signed up to work with Companion.

    At the same time, the app will send an alert to the contact who is keeping you company, and that person can choose to call the police and give them your location, as well as call you to find out if you are OK.

    “Both men and women from all demographics have emailed us saying they’d love to use the app, lots of parents want to use the app for their children, and some people want their elderly parents to use it too to make sure they don’t get lost.”

    As the app is meant to remain as a free product for users, the creators are monetising the app by working with universities.

    Reply
  9. Tomi Engdahl says:

    FireEye takes security firm to court over vulnerability disclosure
    http://www.cio.com/article/2983141/fireeye-takes-security-firm-to-court-over-vulnerability-disclosure.html

    A spat between two security companies shows just how sensitive reporting software vulnerabilities can be, particularly when it involves a popular product.

    The kerfuffle between FireEye and ERNW, a consultancy in Germany, started after an ERNW researcher found five software flaws in FireEye’s Malware Protection System (MPS) earlier this year.

    One of the flaws, found by researcher Felix Wilhelm, could be exploited to gain access to the host system, according to an advisory published by ERNW.

    As is customary in the industry, ERNW contacted FireEye in early April with details of the problems.

    ERNW planned to release an advisory after a 90-day disclosure period, wrote the company’s founder, Enno Rey, in a blog post Thursday. But in the next few months, relations between the two companies became strained.

    FireEye, which reviewed ERNW’s proposed notification, contended it contained too much technical detail about the inner workings of its MPS product, Rey wrote.

    “We can only speculate what the intentions are from their side,” he wrote. “In general, we consider it an inappropriate strategy to sue researchers responsibly reporting security vulnerabilities.”

    Reply
  10. Tomi Engdahl says:

    Paul Mozur / New York Times:
    CloudFlare transfers technology to Baidu in partnership to make foreign sites more accessible in China, receives revenue split as part of virtual joint venture

    Partnership Boosts Users Over China’s Great Firewall
    http://www.nytimes.com/2015/09/14/business/partnership-boosts-users-over-chinas-great-firewall.html?_r=0

    It is one of the best-guarded borders in the world, and one of the most time-consuming to cross. Yet in the past few months, a new agreement has let people speed over it billions of times.

    The border is the digital one that divides China from the rest of the world. It is laden with inefficiencies and a series of filters known as the Great Firewall, which slows Internet traffic to a crawl as it travels into and out of China.

    Now, a partnership between an American start-up and a Chinese Internet behemoth has created a sort of fast lane to speed traffic across the border. In the process, the two companies are establishing a novel business model with implications for other American technology firms looking to do business in China’s politically sensitive tech industry.

    Using a mixture of CloudFlare’s web traffic technology and Baidu’s network of data centers in China, the two created a service that enables websites to load more quickly across China’s border. The service, called Yunjiasu, began operating in December. It has a unified network that makes foreign sites more easily accessible in China, and allows Chinese sites to run in destinations outside the country.

    Reply
  11. Tomi Engdahl says:

    7 worst apps that violate your privacy
    http://www.foxnews.com/tech/2015/09/12/7-worst-apps-that-violate-your-privacy/

    When you’re browsing through the millions of apps available from the Apple and Android app stores, you’ll notice that close to 98 percent of them are free to download. That’s great if you’re looking to fill up your gadget, but many free apps, and some paid ones, do come with a hidden price — your privacy.

    When apps install on your gadget, they request permission to access certain information or phone features. Sometimes they need this information and sometimes it’s not necessary.

    Most people just hit “Accept” and install apps without reading what they do. Want to see something funny? Watch people’s reactions when they actually read the permissions they’re approving.

    Apple gadgets let you approve or deny each permission individually. You can go to Settings>>Privacy and open a feature like the Camera to see and control what apps have permission to access it. Or you can go to Settings and scroll to the bottom and tap a particular app to see and control its permissions.

    A similar system is coming to Android in the future version 6, dubbed Marshmallow. Until then, however, it’s all or nothing for Android users. So, you need to decide just how badly you want the app.

    A few years ago, Carnegie Mellon University set up a site called PrivacyGrade that analyzes popular Android apps to find out what permissions they ask for and how they use the information. Then, it gives each one a grade from A to D.

    Here are 7 popular apps that PrivacyGrade gives a low score and why you should think twice before downloading them.

    1. Draw Something Free – D
    2. Words With Friends – D
    3. GO Locker – D
    4. GO Weather Forecast & Widgets – D
    5. Camera360 Ultimate – D
    6. Angry Birds – C
    7. My Talking Tom – D

    PrivacyGrade: Grading The Privacy Of Smartphone Apps
    http://privacygrade.org/

    Grades are assigned using a privacy model that we built. This privacy model measures the gap between people’s expectations of an app’s behavior and the app’s actual behavior. For example, according to studies we have conducted, most people don’t expect games like Cut the Rope to use location data, but many of them actually do. This kind of surprise is represented in our privacy model as a penalty to an app’s overall privacy grade. In contrast, most people do expect apps like Google Maps to use location data. This lack of surprise is represented in our privacy model as a small or no penalty.

    Reply
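The PrivacyGrade description above reduces to one idea: a sensitive resource use is penalized in proportion to how few users expect it. The following is an added illustration of that idea, not PrivacyGrade's own model or code; the expectation fractions, weights and grade thresholds are constructed assumptions, and the real service also looks at the purpose behind each use, which this toy omits.

```python
"""Toy 'surprise penalty' privacy grader, loosely modelled on the idea
PrivacyGrade describes. All numbers below are constructed assumptions."""

# Constructed: fraction of surveyed users who EXPECT an app of this kind
# to use the resource (1.0 = everyone expects it, so no surprise).
EXPECTATION = {
    "game":       {"location": 0.05, "contacts": 0.02, "camera": 0.10, "phone_id": 0.05},
    "maps":       {"location": 0.97, "contacts": 0.20, "camera": 0.05, "phone_id": 0.10},
    "camera_app": {"location": 0.40, "contacts": 0.05, "camera": 0.99, "phone_id": 0.10},
}

# Constructed sensitivity weights: how costly an unexpected use of each resource is.
WEIGHT = {"location": 1.0, "contacts": 1.0, "camera": 0.8, "phone_id": 0.6}


def surprise_penalty(category, used_resources):
    """Sum of (1 - expectation) * weight over every resource the app actually uses.

    A resource nobody expects contributes its full weight; one everybody
    expects contributes almost nothing, matching the 'gap between expectation
    and behavior' idea in the text."""
    expected = EXPECTATION[category]
    return sum((1.0 - expected.get(r, 0.0)) * WEIGHT.get(r, 1.0)
               for r in used_resources)


def grade(penalty):
    """Map the accumulated penalty to a letter grade (constructed thresholds)."""
    if penalty < 0.25:
        return "A"
    if penalty < 0.75:
        return "B"
    if penalty < 1.5:
        return "C"
    return "D"


def grade_app(category, used_resources):
    """Grade an app of the given category that uses the given resources."""
    return grade(surprise_penalty(category, used_resources))


if __name__ == "__main__":
    # A map app using location is unsurprising; a game using it is not.
    print("maps + location  ->", grade_app("maps", ["location"]))
    print("game + location  ->", grade_app("game", ["location"]))
    print("game + location + phone_id ->", grade_app("game", ["location", "phone_id"]))
```

The same resource (location) yields an A for the map app and a C for the game, which is exactly the asymmetry the PrivacyGrade text describes; adding a second unexpected resource pushes the game to a D.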
  12. Tomi Engdahl says:

    Storage device reported stolen from insurer RSA’s data centre
    Names, addresses, bank account and sort code details waltzed out the door
    http://www.theregister.co.uk/2015/09/14/storage_device_reported_stolen_from_insurer_rsas_data_centre/

    The insurance company formerly known as Royal & Sun Alliance but now going by the confusing-for-Reg readers “RSA” says “a data storage device has been reported as stolen from one of our data centres.”

    The firm’s sparse customer notice and press statement say the device contained “names and addresses, bank account and sort code details.” The company adds “We have no evidence to suggest that this data has been misused in any way.”

    If you are unlucky enough to have been among those whose details walked out the data centre door, RSA has written to you and offered two years’ worth of services from fraud prevention outfit Cifas.

    RSA responds on customer data loss
    https://news.rsagroup.com/pressrelease/view/1833

    RESPONSE: Official response to the recently reported loss of a data storage device

    “Unfortunately a data storage device has been reported as stolen from one of our data centres.”

    “We recognise this should never have happened and apologise to all customers who have been impacted.”

    Reply
  13. Tomi Engdahl says:

    Yokogawa patches widespread SCADA vulnerability
    Networking process crashed by crafted packets
    http://www.theregister.co.uk/2015/09/14/yokogawa_patches_widespread_scada_vulnerability/

    One of the world’s major suppliers of industrial networking kit, Japanese company Yokogawa, has alerted the world to a vulnerability in 21 of its products.

    The ICS-CERT advisory, here, identifies the company’s CENTUM, ProSafe-RS, STARDOM, FAST/TOOLS and other systems as being at risk.

    The vulns are “stack-based buffer overflow vulnerabilities”, the advisory states.

    The overflows are in systems both with a Windows interface, and with embedded versions (such as the ProSafe’s human-machine interface).

    There are two denial-of-service vulnerabilities that can be triggered by a remote attacker by sending a crafted packet to “the process that executes over network communications”, cutting off communications to the targeted system.

    More seriously, the network communication process can also be crashed by a crafted packet allowing the attacker to execute arbitrary code.

    Reply
  14. Tomi Engdahl says:

    Curiosity Rover’s OS has backdoor bug
    Fixes on the way for Wind River’s VxWorks, which also runs lots of stuff on Earth
    http://www.theregister.co.uk/2015/09/14/curiosity_rovers_os_has_back_door_bug/

    Canadian security researcher Yannick Formaggio has detailed a significant flaw in VxWorks, the real-time operating system (RTOS) made by Intel subsidiary Wind River.

    Speaking at the 44CON event made famous last week, Formaggio detailed how an integer overflow mess allows remote code execution in the operating system. Formaggio discovered the flaw after fuzzing the OS at the request of a client keen to understand its workings better. That effort led the researcher to declare that Wind River generally does a fine job of security and takes it seriously, but hadn’t considered what might happen when a credential was set to a negative value.

    Formaggio also found that the operating system’s “FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.

    Versions 5.5 through 6.9.4.1 have the problem, which means many millions of devices need patching. Wind River has acknowledged the flaw and is in the process of providing patches.

    Reply
  15. Tomi Engdahl says:

    US military funds Mission Impossible ‘vanishing’ tech
    http://www.bbc.com/news/technology-26082700

    The US military is funding a project to develop electronics that can self-destruct like the secret messages in the Mission Impossible TV show.

    Darpa, the US Defense Advanced Research Projects Agency, has awarded computing giant IBM a $3.5m (£2.1m) contract to work on its Vanishing Programmable Resources (VAPR) project.

    It is looking to develop a class of “transient” electronics that can be destroyed by remote control.

    The kit could be used in combat zones.

    IBM’s proposal involves the use of a radio frequency trigger that could shatter a glass coating on a silicon chip and turn it into powder.

    “A trigger, such as a fuse or a reactive metal layer will be used to initiate shattering, in at least one location, on the glass substrate,” the US government said in its grant award notice.

    Darpa wants to develop large distributed networks of sensors that can collect and transmit data for a limited period and then be destroyed instantly to prevent them falling into enemy hands.

    VAPR tech could also have applications in medical diagnosis and treatment, Darpa believes, if sensors can be developed that the body can reabsorb.

    Why we should design computer chips to self-destruct
    http://www.themarketbusiness.com/2015-09-13-why-we-should-design-a-computer-chips-to-self-destruct

    Xerox Parc’s new chip isn’t quite on store shelves yet. It doesn’t really even do much. But as a proof of DARPA-funded concept, it has one gigantic advantage that could help security-minded computer users and paranoid Mr. Robot fans: it can self destruct.

    Made out of materials similar to smartphone display glass, modified to already have minute stress fractures. A circuit was laid throughout the surface, and a laser activated transistor placed at the bottom. Once the laser was shined, it created a cascading effect, including pieces that continued to shatter into smaller pieces until all that was left was irrecoverable fragments.

    It could be used as a storage method for security fobs, encrypted passwords, and more. In the event of a data breach, storage fabricated on the chip could be destroyed within seconds, making the data physically irretrievable. Conversely, it could make for a great hackathon for people to figure out how to break into a system and shatter the chips (supposing a triggering element is installed internally) in order to either further strengthen the security, or just to be a butthead.

    Reply
  16. Tomi Engdahl says:

    Hackers’ Latest Targets: Google’s Webmaster Tools
    http://tech.slashdot.org/story/15/09/13/1220223/hackers-latest-targets-googles-webmaster-tools

    The latest attack vector hackers are taking advantage of: Google’s Webmaster tools, which allow domain owners to index new pages for searching and react quickly to Google-detected malware.

    “According to the Sucuri researchers, by becoming verified owners for compromised websites, attackers can track how well their BHSEO campaigns perform in Google Search.”

    Website hackers hijack Google webmaster tools to prolong infections
    http://www.itworld.com/article/2983261/website-hackers-hijack-google-webmaster-tools-to-prolong-infections.html

    Webmasters should regularly check the list of verified owners for their websites in the Google Search Console

    Hackers who compromise websites are also increasingly verifying themselves as the owners of those properties in Google’s Search Console. Under certain circumstances this could allow them to remain undetected longer than they otherwise would be, researchers warn.

    The Google Search Console, formerly known as the Google Webmaster Tools, is a very useful service for administrators to understand how their websites perform in search results.

    In addition to providing analytics about search queries and traffic, it also allows webmasters to submit new content for crawling and to receive alerts when Google detects malware or spam issues on their websites.

    That last part is very important, because website infections can quickly lead to lost traffic and reputation. Users who click on links in search results that lead to websites hosting malware or spam will receive scary warnings until those websites are cleaned by their owners.

    Reply
  17. Tomi Engdahl says:

    Obama: China cyber attacks ‘unacceptable’
    http://www.bbc.com/news/world-us-canada-34229439

    US President Barack Obama has said that alleged Chinese cyber attacks are “not acceptable”, ahead of a visit from Chinese leader Xi Jinping.

    Several hacks on US institutions have been blamed on China, including one involving millions of government staff.

    Mr Obama said the US needed to be more rapid in its response to such attacks.

    Separately, the White House said Mr Obama will no longer stay at New York’s Waldorf Astoria hotel, which was bought by a Chinese company last year.

    ‘We will win’

    Mr Obama made his remarks after meeting members of the US military at Fort Meade, Maryland, with Mr Xi due in Washington later this month.

    “We have been very clear to the Chinese that there are certain practices that they are engaging in, that we know are emanating from China and are not acceptable.”

    He suggested the two sides would have to agree on common rules in cyberspace, arguing “there comes a point at which we consider this a core national security threat and we will treat it as such”.

    But he said that China should fear confrontation online: “I guarantee you we will win if we have to.”

    Aside from China’s suspected involvement in the attack on the Office of Personnel Management, US prosecutors last year charged five Chinese army officers with economic espionage.

    Reply
  18. Tomi Engdahl says:

    How did jihadists hack into top UK ministerial emails if no security breach took place?
    Answers on a postcard from Syria, please
    http://www.theregister.co.uk/2015/09/13/gchq_hack_attack_no_security_breach/

    GCHQ has declined to comment on a report in the Daily Telegraph this weekend, which claimed that UK cabinet ministers’ emails had been hacked, but that – bafflingly – no breach had occurred.

    Which is a bit like saying “nothing happened, but we’re going to write a story anyway.”

    But you’d be forgiven for thinking something went seriously wrong, with some kind of major security breach taking place affecting top government bods, if you read the Torygraph’s report, which carried the headline “Cabinet ministers’ email hacked by Isil spies”.

    To reiterate, the cyber attack in which no security breach occurred. Geddit?

    Reply
  19. Tomi Engdahl says:

    Interesting article:

    Confession: I was a teenage computer virus author
    Did your PC crash a lot in the 90s? Yes, sorry about that
    http://www.theregister.co.uk/2015/09/14/i_was_a_teenage_virus_author/

    Special feature I was 17 years old, I had nothing to do, and I wanted to teach myself programming. So I decided to write a computer virus.

    Don’t worry. The two viruses that I ended up writing – Leprosy and Leprosy-B – were designed to infect MS-DOS computers. They knew nothing about the internet, because neither did I at the time, and these days they’re as dead as smallpox.

    My reasons for wanting to write software that trashed other people’s PCs were manifold.

    This was 25 years ago, in 1990, and the underground computer scene lived on bulletin board systems (BBSs). These were social chat servers that you would login to by dialing a phone number with your modem. Most often they were run out of people’s homes. That meant that probably only one person could be on the system at a time; only the posh ones paid for more than one phone line.

    The underground at the time was interested in various things. Software piracy was a big one for me. A 17-year-old doesn’t have a lot of money to buy software. Then there were the phone phreaks, who liked to find ways to make free long-distance phone calls. Some people just wanted to talk about drugs. And then there were the virus folks.

    The tipping point for me was when I came across a virus called (crassly enough) AIDS. The way it worked was it would find .COM files (executable programs) on your disk and write itself over them, so the next time you tried to run those programs you would actually run the virus again, and so on. Eventually your whole system would be trashed. And every time it tricked you into running it, the virus would print out a message taunting you about how stupid you were.

    That’s all it did! None of this stealthy business of hanging around and re-installing itself after you tried to remove it. It just blasted itself around your disk and waited for you to run it by mistake.

    To me, it was the software equivalent of a whoopee cushion.

    Reply
  20. Tomi Engdahl says:

    FireEye:
    FireEye: reported vulnerability affected only .005% of customers; ERNW injunction was about protecting sensitive proprietary info, not the overall disclosure

    Bug Bounties, (Non) Lawsuits and Working with the Research Community
    https://www.fireeye.com/blog/executive-perspective/2015/09/bug_bounties_non.html

    This week two issues related to how FireEye works with the research community received a healthy dose of media attention. We want to clear a few things up about how FireEye works with security researchers, whose efforts we wholeheartedly support. Our relationship with this community is a key part of the security ecosystem.

    To bug bounty or not to bug bounty

    This process recently faced a challenge, beginning with a very vocal researcher publicly releasing the details of a vulnerability in a FireEye product. This was reported to FireEye via public notification on September 7, 2015, without prior specifics of the vulnerabilities. Based on the information published, the vulnerability impacted legacy versions of our HX products, which could potentially impact less than .005% of our customers. But, if you were following the news, you might have the impression that this issue had broad implications for the FireEye products; in reality this was NOT the case.

    We have considered a bug bounty program but as with all things, there are trade-offs that make it more complicated than simply writing a check. For example, once a program is in place, more researchers will submit potential vulnerabilities, drawing security and engineering resources away from their current work. More of these submitted vulnerabilities will be false positives and once a vulnerability is discovered, how should a reward be priced? Is $10,000 an appropriate price for a vulnerability that impacts .005% of our customers? How can we ensure a researcher feels rewarded for his work if our perception of the impact varies?

    Protecting our customers with every available tool – and a little background on a (non) lawsuit

    FireEye made multiple requests that ERNW remove the sensitive information from the report, yet ERNW continued to produce drafts that included it.

    Reply
  21. Tomi Engdahl says:

    Hey, Oracle, what’s in that VirtualBox security update? *crickets*
    Debian team bit miffed about secretive vuln fixes in hypervisor software
    http://www.theregister.co.uk/2015/09/15/oracle_virtualbox_security_updates/

    It’s not just Microsoft keeping schtum on exactly what’s inside its software updates.

    Oracle is keeping details of security patches for its VirtualBox hypervisor software a secret, members of the Debian team pointed out this week.

    Back in July, Oracle emitted a big batch of updates for its products, including new features in VirtualBox and a fix for a vulnerability in the application labeled CVE-2015-2594. All we were told at the time about the bug was that it involves guest OSes using bridged networking over Wi-Fi, and affects versions prior to 4.3.30 on Windows, Linux and Mac OS X hosts.

    Gianfranco Costamagna, one of the small team who packages VirtualBox for GNU/Linux Debian users, asked the VBox developers for more info – or at least a separate patch for just the security side of the update – at the time, but got no response.

    Reply
  22. Tomi Engdahl says:

    Intelligence Start-Up Goes Behind Enemy Lines To Get Ahead of Hackers
    http://it.slashdot.org/story/15/09/14/2135217/intelligence-start-up-goes-behind-enemy-lines-to-get-ahead-of-hackers

    The Times profiles a company called ISight, which sells computer security intelligence gathered by professionals from the “dark web”. From the article: “ISight’s investors, who have put $60 million into the company so far, believe that its services fill a critical gap in the battle to get ahead of threats. Most security companies, like FireEye, Symantec, Palo Alto Networks and Intel’s security unit, focus on blocking or detecting intrusions as they occur or responding to attacks after the fact. ISight goes straight to the enemy. Its analysts — many of them fluent in Russian, Mandarin, Portuguese or 21 other languages — infiltrate the underground, where they watch criminals putting their schemes together and selling their tools.”

    Intelligence Start-Up Goes Behind Enemy Lines to Get Ahead of Hackers
    http://www.nytimes.com/2015/09/14/technology/intelligence-start-up-goes-behind-enemy-lines-to-get-ahead-of-hackers.html

    Reply
  23. Tomi Engdahl says:

    Records: Energy Department struck by cyber attacks
    http://www.usatoday.com/story/news/2015/09/09/cyber-attacks-doe-energy/71929786/

    Attackers successfully compromised U.S. Department of Energy computer systems more than 150 times between 2010 and 2014, a review of federal records obtained by USA TODAY finds.

    Cyber attackers successfully compromised the security of U.S. Department of Energy computer systems more than 150 times between 2010 and 2014, according to a review of federal records obtained by USA TODAY.

    The records, obtained by USA TODAY through the Freedom of Information Act, show DOE components reported a total of 1,131 cyberattacks over a 48-month period ending in October 2014. Of those attempted cyber intrusions, 159 were successful.

    “The potential for an adversary to disrupt, shut down (power systems), or worse … is real here,” said Scott White, Professor of Homeland Security and Security Management and Director of the Computing Security and Technology program at Drexel University. “It’s absolutely real.”

    Energy Department officials would not say whether any sensitive data related to the operation and security of the nation’s power grid or nuclear weapons stockpile was accessed or stolen in any of the attacks, or whether foreign governments are believed to have been involved.

    Records show 90 of the 159 successful cyber intrusions over the four-year period were connected to the DOE’s Office of Science, which directs scientific research and is responsible for 10 of the nation’s federal energy laboratories.

    Reply
  24. Tomi Engdahl says:

    “123456” Maintains the Top Spot on SplashData’s Annual “Worst Passwords” List
    http://splashdata.com/press/worst-passwords-of-2014.htm

    The 2014 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.

    Rank  Password   Change from 2013
    1     123456     No Change
    2     password   No Change
    3     12345      Up 17
    4     12345678   Down 1
    5     qwerty     Down 1
    6     123456789  No Change
    7     1234       Up 9
    8     baseball   New
    9     dragon     New
    10    football   New

    Reply
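The SplashData list makes a policy point (keep names, simple numeric patterns, sports words and keyboard walks out of passwords) that a registration form can enforce directly. The checker below is an added example, not code from SplashData or the original post; it embeds the ten list entries quoted above as a constructed blocklist and a tiny constructed theme-word list, and adds two pattern checks (consecutive digit runs and keyboard-row walks) that catch the same families of weak password even when they are not on the list verbatim.

```python
import re

# Constructed blocklist: the ten entries from the SplashData 2014 list quoted above.
WORST_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}

# Constructed theme words (sports, names); a real deployment would load a large
# dictionary rather than this handful.
THEME_WORDS = {"baseball", "football", "dragon", "michael", "jennifer", "monkey"}

# Rows of a QWERTY keyboard; fragments of these in either direction are "walks".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def is_sequential_digits(s, min_run=4):
    """True if s contains min_run or more consecutive ascending/descending digits
    (catches 1234, 12345678, 9876 and similar simple numeric patterns)."""
    run = 1
    for a, b in zip(s, s[1:]):
        if a.isdigit() and b.isdigit() and abs(ord(b) - ord(a)) == 1:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


def is_keyboard_walk(s, min_len=4):
    """True if s contains min_len adjacent keys from one keyboard row, in
    either direction (qwer, asdf, poiu, ...)."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            frag = row[i:i + min_len]
            if frag in low or frag[::-1] in low:
                return True
    return False


def password_problems(pw):
    """Return a list of reasons the candidate password is weak (empty = no finding).

    Each check maps to one category named in the SplashData advice; the length
    check is an added baseline."""
    problems = []
    low = pw.lower()
    if low in WORST_PASSWORDS:
        problems.append("on worst-passwords list")
    if is_sequential_digits(pw):
        problems.append("simple numeric sequence")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    # Strip digits and symbols so "Football2015!" is still recognised as a theme word.
    if re.sub(r"[^a-z]", "", low) in THEME_WORDS:
        problems.append("common theme word")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "qwerty", "Football2015!", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {password_problems(candidate) or 'no findings'}")
```

Blocklist membership alone would miss "Football2015!" and "qwertyuiop"; the pattern and stripped-word checks are what turn the list into a reusable policy rather than ten literal strings.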
  25. Tomi Engdahl says:

    IoT security is RUBBISH says IoT vendor collective
    Online Trust Alliance calls on gadget vendors to stop acting like clowns
    http://www.theregister.co.uk/2015/08/12/iot_security_is_rubbish_says_iot_vendor_collective/

    A vendor group whose membership includes Microsoft, Symantec, Verisign, ADT and TRUSTe reckons the Internet of Things (IoT) market is being pushed with no regard to either security or consumer privacy.

    In what will probably be ignored by the next startup hoping to get absorbed into Google’s Alphabet’s Nest business, the Online Trust Alliance (OTA) is seeking comment on a privacy and trust framework for the Internet of Things.

    Stunt-hacks and bad implementations have demonstrated that IoT security is currently pretty hopeless. The OTA says that won’t change if manufacturers and services keep pumping out gewgaws and gadgets without caring about risks.

    Announcing the framework, the OTA warns against letting the Internet of Things market repeat history and ignore the product lifecycle in their security considerations.

    Reply
  26. Tomi Engdahl says:

    Can the Government Fine Your Company for Lax Security?
    http://blog.centrify.com/ftc-punish-firms-for-lax-security/

    A few years back I wrote a blog called “Buckle up with Cybersecurity … It’s the Law” in which I discussed how state laws regarding data breach notification were popping up all over. But I also noted that the SEC had just published disclosure obligations relating to cybersecurity risks and incidents. The thought process with the SEC was that if millions of dollars of intellectual property was being stolen due a data breach, it would be material to report in regulatory filings — and failure to do so could result in fines.

    I wrote at the time that while the disclosure guidance does help investors know more regarding material events and significant risks vis a vis cybersecurity incidents (that companies may in the past have kept silent on), this does put company officers in a bind. First they will have to make a judgment call on the materiality and future impact of a breach and whether to disclose in regulatory filings. Of course in not disclosing, they run the risk of being sued by shareholders if it was later deemed they did not reveal (or reveal enough) about a cyberincident that later caused a material loss. Second, if a company reveals too much about an attack, it may tip the hand of future attackers in terms of what to go after and how to go after it.

    But up until now the government could in theory fine you if you did not report a breach, not because you’ve been breached.

    In fact, not only can a firm get fined, but per Network World quoting an expert, the FTC could “tie them up with consent decrees that force them to submit to third-party security assessments every two years for 20 years.”

    Passwords, especially those associated with privileged accounts, continue to be the bane of our security existence. I just read about another attack in which 10 million customer records were stolen. The culprit? “Attackers gained administrative privileges to the IT systems.” Which is exactly the same thing that happened at the OPM and JP Morgan and myriad of other recent high profile breaches.

    Reply
  27. Tomi Engdahl says:

    Mariella Moon / Engadget:
    EFF project “Let’s Encrypt”, with Mozilla and Cisco, releases its first free HTTPS certificate

    ‘Let’s Encrypt’ project issues its first free certificate
    http://www.engadget.com/2015/09/15/lets-encrypt-first-certificate/

    Last year, the Electronic Frontier Foundation along with Mozilla and Cisco launched an initiative called “Let’s Encrypt” that promised to hand out free certificates anyone can use. Today, the team has released its first one — it’s only available to beta testers for now, but everyone can see it in action on the group’s website. The project aims to make HTTPS implementation easier for website and online shop owners, in order to ensure the safety of customers’ data. According to the EFF, participants can forget “muddling through complicated programming to set up encryption on a website, or yearly fees.” The team did mention when the project launched that all users have to do to use the free certificate is to run a program.

    Folks who want to participate in the beta testing phase can sign up and submit their domains for consideration. Major browsers still don’t recognize Let’s Encrypt’s certificate as a trusted authority, though.

    Reply
  28. Tomi Engdahl says:

    Intel Takes On Car Hacking, Founds Auto Security Review Board
    Chipmaker establishes new Automotive Security Review Board for security tests and audits
    http://www.eetimes.com/document.asp?doc_id=1327696&

    After a summer full of car hacking revelations, Intel, today, announced the creation of a new Automotive Security Review Board (ASRB), focused on security tests and audits for the automobile industry.

    The potential for modern connected cars to be attacked and remotely controlled by malicious hackers is a topic that has received considerable attention recently from security experts, industry stakeholders, regulators, lawmakers, and consumers.

    Intel Takes On Car Hacking, Founds Auto Security Review Board
    http://www.darkreading.com/vulnerabilities---threats/intel-takes-on-car-hacking-founds-auto-security-review-board/d/d-id/1322172

    Demonstrations like one earlier this year where two security researchers showed how attackers could take wireless control of a 2014 Jeep Cherokee’s braking, steering, and transmission control systems, have exacerbated those concerns greatly and lent urgency to efforts to address the problem.

    Intel also released a whitepaper describing a preliminary set of security best practices for automakers, component manufacturers, suppliers, and distributors in the automobile sector.

    ASRB members will have access to Intel automotive’s development platforms for conducting research. Findings will be published publicly on an ongoing basis, Intel said. The member that provides the greatest cybersecurity contribution will be awarded a new car or cash equivalent.

    Intel’s security best practices whitepaper, also released today, identified several existing and emerging Internet-connected technologies in modern vehicles that present a malicious hacking risk.

    Modern vehicles have over 100 electronic control units, many of which are susceptible to threats that are familiar in the cyber world, such as Trojans, buffer overflow flaws, and privilege escalation exploits, Intel said. With cars connected to the external world via Wi-Fi, cellular networks, and the Internet, the attack surface has become substantially broader over the last few years.

    The whitepaper identifies 15 electronic control units that are particularly at risk from hacking. The list includes electronic control units managing steering, engine, and transmission, vehicle access, airbag and entertainment systems. “Current automotive systems are vulnerable,” Intel noted. “Applying best-known practices and lessons learned earlier in the computer industry will be helpful as vehicles become increasingly connected.”

    Concerns have been growing in recent times about critical security weaknesses in many of the Internet-connected components integrated in new vehicles these days. Chrysler for instance, recalled 1.4 million vehicles after two security researchers showed how they could bring a Jeep Cherokee traveling at 70 mph to a screeching halt by hacking into its braking system from 10 miles away.

    A report released by Senator Edward Markey (D-MA) in February, based on input from 16 major automakers, revealed how 100 percent of new cars have wireless technologies that are vulnerable to hacking and privacy intrusions. The report found that most automakers were unaware or unable to say if their vehicles had been previously hacked while security measures to control unauthorized access to control systems were inconsistent.

    Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk
    http://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf

    Reply
  29. Tomi Engdahl says:

    Heartland hack: Russian bloke coughs to role in 160m credit card theft
    Vladimir Drinkman swallows medicine, awaits sentencing
    http://www.theregister.co.uk/2015/09/16/doj_scores_guilty_plea_heartland_hack/

    The US Department of Justice says a Russian national, Vladimir Drinkman, has just coughed to being part of a ring that compromised as many as 160 million credit cards two years ago.

    Drinkman was one of five people charged in 2013 over the mass breach, in which they breached card security at names like NASDAQ, 7-Eleven, and Dow Jones.

    Just three of the targets suffered losses amounting to US$300 million, the original indictment said.

    Now, the Department of Justice has released a statement saying that Drinkman has entered a guilty plea to one count of unauthorised computer access, and one count of conspiracy to commit wire fraud.

    The group’s long program of intrusion and data theft dates back to 2008, with the first arrests, over the Heartland Payment Systems attack, resulting in American Albert Gonzalez copping a 20-year sentence in 2010.

    The compromise of its systems cost Heartland dearly, with the company having to fork out to MasterCard and Amex to settle claims against it.

    The DoJ statement says the attackers used SQL injection to gain entry to systems, and used that access to drop malware on targets, thereby creating the backdoor that yielded them credit card data.

    Reply
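The DoJ statement's mention of SQL injection as the initial entry point is worth making concrete for defenders. The following is an added example (not the original post's or any of the named companies' code) using an in-memory SQLite table with constructed rows: the first lookup splices user input into the query text, so a tautology in the name field returns every customer row; the second binds the value as a parameter, so the same input matches nothing and the statement's structure cannot be changed.

```python
import sqlite3


def make_db():
    """Constructed in-memory customer table standing in for a payment processor's records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881"), ("carol", "0005")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: user input becomes part of the SQL text, so the
    input can rewrite the WHERE clause instead of merely filling a value."""
    query = f"SELECT name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the driver binds the value separately from the statement;
    whatever the input contains, it is compared as a string, never parsed as SQL."""
    return conn.execute(
        "SELECT name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


# A classic tautology: closes the string literal and appends an always-true clause.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Run both lookups with a normal name and with the tautology; return the results."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, TAUTOLOGY),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_injected": lookup_parameterized(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:24s} -> {len(rows)} row(s): {rows}")
```

The parameterized lookup is the whole fix: no escaping, no input filtering, and the same query behaves identically for honest and hostile input. Escaping-based defences were the pattern that kept failing in the 2008-era breaches this article describes.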
  30. Tomi Engdahl says:

    Microsoft’s ‘anti-malware Device Guard’ in Windows 10: How it works, what you need
    Redmond unbuttons shirt to reveal more detail on hypervisor-based tech
    http://www.theregister.co.uk/2015/09/16/microsoft_windows_10_device_guard/

    Microsoft has published a technical guide to its new Device Guard features in Windows 10 – including how to configure the anti-malware technology, and what hardware you’ll need to use it.

    That zone is guarded by the IOMMU and other mechanisms in the computer’s processor that ensure kernel-level drivers and other privileged code, as well as devices plugged into the machine, cannot interfere with these vital parts of the OS.

    Microsoft has confirmed, or rather, gone into length about how Device Guard is supposed to work. “The same type-1 hypervisor technology that is used to run virtual machines in Microsoft Hyper-V is used to isolate core Windows services into a virtualization-based, protected container,” the TechNet article, quietly published at the end of last week, explained.

    “This isolation removes the vulnerability of these services from both the user and kernel modes and acts as an impenetrable barrier for most malware used today.”

    In other words, Microsoft has moved the bits of Windows that check whether or not drivers and kernel-level code are legit into a container that malware (in theory) cannot reach. That means even if (or when) a software nasty manages to get into the Windows operating system, it shouldn’t be able to crack this final layer of protection. With that in mind, all the other features of Device Guard can be built on this foundation, we’re told.

    Code signing

    Device Guard is aimed at enterprises and other large organizations, and parts of it look like the protection mechanisms in Windows RT and Windows Phone with the serial numbers filed off. Tablets and smartphones running Windows RT and Phone are locked down in that only code cryptographically signed by Microsoft or your IT department is allowed to run. Now that’s been popped into Windows 10.

    “Historically, UMCI [user mode code integrity] has been available only in Windows RT and on Windows Phone devices, which has made it difficult for these devices to be infected with viruses and malware,” the TechNet piece claims.

    “In Windows 10, these same successful UMCI standards are available. Historically, most malware has been unsigned. By simply deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for more than 95 percent of current attacks.”

    Crucially, it optionally turns your work PC into an Apple-like mobile phone, which can only run vetted software.

    Reply
  31. Tomi Engdahl says:

    Brown kid with Arab name arrested for bringing home-made clock to school
    Dallas cops cuff hardware hacker for making ‘movies bomb’
    http://www.theregister.co.uk/2015/09/16/brown_kid_with_arab_name_arrested_for_bringing_homemade_clock_to_school/

    It should come as no surprise in a paranoid world addicted to security theatre: a 14-year-old hacker – in the old sense of the word – has been arrested in Dallas for bringing a home-made clock to school.

    While the device the student brought to school was harmless, The Dallas Morning News reports that 9th-grader and electronics enthusiast Ahmed Mohamed might still be charged with “making a hoax bomb”.

    The apparent contents of the “bomb” were a circuit board, a power supply, and a digital display.

    “We have no information that he claimed it was a bomb. He kept maintaining it was a clock.”

    Reply
  32. Tomi Engdahl says:

    Nine of the World’s Biggest Banks Form Blockchain Partnership
    https://recode.net/2015/09/15/nine-of-the-worlds-biggest-banks-form-blockchain-partnership/

    Nine of the world’s biggest banks, including Goldman Sachs and Barclays, have joined forces with New York-based financial tech firm R3 to create a framework for using blockchain technology in the markets, the firm said on Tuesday.

    It is the first time banks have come together to work on a shared way in which the technology that underpins bitcoin — a controversial, Web-based “cryptocurrency” — can be used in finance.

    Over the past year, interest in blockchain technology has grown rapidly. It has already attracted significant investment from many major banks, which reckon it could save them money by making their operations faster, more efficient and more transparent.

    The new project, the result of more than a year’s worth of consultations between R3, the banks and other members of the financial industry, will be led by R3 CEO David Rutter, formerly CEO of electronic trading at ICAP Electronic Trading, one of the world’s largest interdealer brokers.

    Those that have signed up for the initiative so far are JP Morgan, State Street, UBS, Royal Bank of Scotland, Credit Suisse, BBVA and Commonwealth Bank of Australia.

    The blockchain works as a huge, decentralized ledger of every bitcoin transaction ever made that is verified and shared by a global network of computers and therefore is virtually tamper-proof. The Bank of England has a team dedicated to it and calls it a “key technological innovation.”

    The data that can be secured using the technology is not restricted to bitcoin transactions. Two parties could use it to exchange any other information, within minutes and with no need for a third party to verify it.

    Rutter said the initial focus would be to agree on an underlying architecture.

    “These new technologies could transform how financial transactions are recorded, reconciled and reported – all with additional security, lower error rates and significant cost reductions,”

    Reply
  33. Tomi Engdahl says:

    Implanted Cisco routers are coming after you and your insecurities
    Mandiant has its eyes on SYNful Knock
    http://www.theinquirer.net/inquirer/news/2426047/implanted-cisco-routers-are-coming-after-you-and-your-insecurities

    SECURITY COMPANY Mandiant has warned that the mythical router implant security attack is a real thing, and that it has seen at least 14 incidents in the wild.

    The SYNful Knock threat has been found in Cisco routers in India, Mexico, the Philippines and the Ukraine, and represents a new attack method and a way of parting companies from their data, Mandiant warned.

    “We believe that the detection of SYNful Knock is just the tip of the iceberg when it comes to attacks using modified router images (regardless of vendor),” the company said in a statement that acts as a lure to a full report on the subject.

    “As attackers focus their efforts on gaining persistent access, it is likely that other undetected variants of this implant are being deployed throughout the globe. Addressing this new threat vector will require a different type of approach and will certainly reveal information about previously unknown compromises.”

    “The implant uses techniques that make it very difficult to detect. A clandestine modification of the router’s firmware image can be used to maintain perpetual presence in an environment. However, it mainly surpasses detection because very few, if any, are monitoring these devices for compromise.”

    Cisco and Mandiant worked together on the problem, and Cisco has released tools for picking up, and taking out, the vulnerability.

    Reply
  34. Tomi Engdahl says:

    WordPress 4.3.1 Security and Maintenance Release
    https://wordpress.org/news/2015/09/wordpress-4-3-1/

    WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

    This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

    WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
    A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
    Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

    Reply
  35. Tomi Engdahl says:

    Opera 32 introduces VPN as a ‘universal right’
    Such secure. So Scandi. Wow
    http://www.theinquirer.net/inquirer/news/2426098/opera-32-introduces-vpn-as-a-universal-right

    OPERA SOFTWARE has announced a crop of additional functionality for its desktop edition which graduates today to become Opera 32.

    The Norwegian browser firm has a relatively small but very loyal market share of 1.27 percent.

    Front and centre is the integration of SurfEasy, the VPN service bought by Opera in March. Customers can now run completely anonymous browsing sessions from within Opera 32.

    Other browsers offer ‘anonymous browsing’, but this does not protect your browsing of robot sex doll sites from your ISP or your search engine. With a VPN you can be sure that whatever you get up to is secret.

    Opera product manager Zhenis Beisekov said in the Opera Blog: “Your security online has always been our highest concern. We want to move it another step forward, because we believe that privacy online is a universal right.”

    Reply
  36. Tomi Engdahl says:

    Hacked US Census Bureau staff to take anti-phishing classes
    What was that about horses, stable doors and bolts?
    http://www.theregister.co.uk/2015/07/28/us_census_bureau_phishing_training/

    The US Census Bureau has asked for additional IT security training for its staff – including tips on how not to fall for phishing emails.

    The bureau said in a blog post over the weekend that the hackers who managed to pull employee records from its computers did so by targeting the Federal Audit Clearinghouse – which is a service provided by the bureau for the federal government.

    Despite downplaying the severity of the leak, it appears that the US Census Bureau is indeed scrambling to improve security in the wake of the network breach. Among the top priorities are training for its staff members on security best practices.

    Reply
  37. Tomi Engdahl says:

    Researcher reveals easy as pie Android Lollipop lockscreen bypass
    http://www.cso.com.au/article/584585/researcher-reveals-easy-pie-android-lollipop-lockscreen-bypass/

    Don’t misplace your Nexus phone if you haven’t received Google’s September patch for Android Lollipop and happen to use a password and not a pattern or code to lock the device.

    Google’s first monthly patch for Android last Friday for its own Nexus devices included a fix for the bug CVE-2015-3860, which it described as a “moderate” severity issue that allowed elevation of privilege from the lockscreen.

    In a nutshell, the attack involves overloading the password field with characters when the camera is active, which causes the lock screen to crash to the unprotected home screen, giving the attacker the ability to run whatever apps they want and full access to data stored on the device.

    Two qualifications are that the attacker needs to have possession of the device and that the device is configured with a password lock rather than a pattern or PIN lock.

    Reply
  38. Tomi Engdahl says:

    First-ever monthly Android security updates start to roll out
    Nexus device images are out. Samsung, LG, and cell carriers, you’re on the clock.
    http://arstechnica.com/gadgets/2015/09/first-ever-monthly-android-security-updates-start-to-roll-out/

    Stagefright was the scariest Android vulnerability to come along in some time. A bug in Android’s “Stagefright” media library could, if fully weaponized, allow an attacker to execute malicious code just by sending an MMS message to a user. Luckily exploit mitigation techniques in newer versions of Android stopped the Stagefright vulnerability from becoming a pwning free-for-all, but the bug shined a bright light on Android’s sub-par security situation.

    The publicity got the Android device ecosystem—Google, OEMs, and carriers—to at least start paying attention to delivering security updates to users in a timely manner. Google, Samsung, and LG scrambled to get fixes out to their flagship devices and promised monthly security updates for their devices. That was 36 days ago.

    Today, Google has posted the first of those monthly security updates for Nexus device owners. The Nexus system image page added Android 5.1.1 build “LMY48M” for the Nexus 4, 5, 6, 7, 9, and 10, along with build “LMY48N” for the Android TV-based Nexus Player. LMY48M hit Google’s public AOSP repository yesterday (September 9).

    Reply
  39. Tomi Engdahl says:

    Homeland Insecurity: OIG audit identifies numerous deficiencies
    ‘May allow unauthorized individuals access to sensitive data’. You don’t say
    http://www.theregister.co.uk/2015/09/16/dhs_cyber_audit_2015_deficiencies/

    An Office of the Inspector General audit into the US Department of Homeland Security has identified a range of deficiencies across the agency, which is responsible for America’s cybersecurity.

    The 36-page audit (PDF) was published with the positive title “[Department of Homeland Security (DHS)] Can Strengthen its Cyber Mission Coordination Efforts” and was publicly released yesterday, Tuesday, 15 September.

    The auditors identified a hatstand of vulnerabilities on the internal websites at both Immigration and Customs Enforcement (ICE) and the United States Secret Service (USSS) “that may allow unauthorized individuals to gain access to sensitive data”.

    The auditors said: “ICE stated that its selected websites are not scanned with a vulnerability assessment tool.”

    Reply
  40. Tomi Engdahl says:

    4 new cybercrime trends threaten your business
    http://www.itworld.com/article/2981484/security/4-new-cybercrime-trends-threaten-your-business.html

    A mid-year report shows that people aren’t necessarily getting smarter about security, even in the face of increased attacks from cybercriminals.

    In addition to the return of an old friend, the cybersecurity company also found more targeted attacks towards businesses, heightened activity around social media and a shift in the volume and accuracy of the bad stuff that ends up in your inbox, looking to take your money.

    Click the attachment
    Target the bean counters
    Mind the social media gap
    Less is more (more effective, that is)

    Reply
  41. Tomi Engdahl says:

    U.S. Department of Homeland Security websites are open doors to hackers, audit finds
    http://www.dailydot.com/politics/homeland-security-vulnerabilities-hacking/

    The Department of Homeland Security—the agency charged with protecting the U.S. government from hackers—can be hacked.

    Critical vulnerabilities exist on internal Homeland Security agency websites allowing attackers to gain access to sensitive data from both the U.S. Secret Service (USSS) and U.S. Immigration and Customs Enforcement (ICE) agencies, according to an audit by the department’s Inspector General.

    Reply
  42. Tomi Engdahl says:

    Even the LastPass Will be Stolen Deal with It!
    https://www.blackhat.com/eu-15/briefings.html#even-the-lastpass-will-be-stolen-deal-with-it

    Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim’s secrets reside in the vault. One breach to get it all.

    LastPass is arguably one of the most popular password managers in the market. Over 10,000 corporate customers ranging in various sizes including Fortune 500′s rely on LastPass to protect all their data.

    Research has been done on how to attack password managers but it has all focused on leaking specific credentials from the vault. LastPass not only stores credentials, but also bank accounts, ssh keys, personal records, etc.

    LastPass Security Notice
    https://blog.lastpass.com/2015/06/lastpass-security-notice.html/

    Reply
  43. Tomi Engdahl says:

    Cyber Insecurity: Can We Take Up Arms Against a Sea of Troubles?
    http://www.securityweek.com/cyber-insecurity-can-we-take-arms-against-sea-troubles

    Insecurity of any time stems from a common psychological cause — fear. Fear is generally a reaction to something immediate that threatens your security or safety, triggering a sense of dread, alerting you to the possibility that your physical self might be harmed, which in turn motivates you to protect yourself.

    This negative emotion is amplified by an inability to take action, to impose action that removes or prevents fear itself. Fear itself can harm one’s judgment and prevent teams from taking action.

    There is a parallel in today’s overheated information security environment. The breach-a-minute pounding corporate and information technology professionals face every day can make many of us feel like Hamlet: fearful, paralyzed, not sure what is the best course of action to take. The overwhelming number of reports detailing the scale and scope of breaches, the enormous troves of confidential and national security information, and the speed and sophistication of shadowy enemies is enough to make you want to put the pillow over your head and not get out of bed in the morning. Indeed, more and more money has been spent on perimeter and mobile security, yet companies believe they are less secure.

    Here are four organization and technology initiatives that can strengthen both security and confidence in the IT and business community.

    1. Security must not be run in a silo.
    2. Security must adapt to today’s continuous delivery model.
    3. Breaches must be found rapidly.
    4. Containment is as important as discovery.

    We certainly live in interesting, even dangerous times. But we can “take up arms against a sea of troubles,” restore confidence in our IT systems, and lower our emotional and actual exposure to cyber insecurity.

    Reply
  44. Tomi Engdahl says:

    The Two Most Valuable Pieces of Information You’re Likely Throwing Away
    http://www.securityweek.com/two-most-valuable-pieces-information-youre-likely-throwing-away

    With enough data, any problem can be understood. Solving it is another matter.

    I’ve used that phrase a few times, and it continues to ring true. The challenge to this bit of wisdom comes from my security industry colleagues in the form of a complaint that we simply don’t have enough data. We see this thinking in the “log everything” mandates going out from information security departments, and the fact that almost every security organization I’ve met in the last six months is evaluating various threat intelligence and other data feeds for their already overloaded SIEM platforms.

    With all the available internal data from logs across the hundreds or thousands (or tens of thousands and so on) of endpoints you likely own, there is a virtual deluge of information available. It’s like trying to squeeze a hippopotamus through a doggy door. In many cases enterprise security is not even taking advantage of two key pieces of data that already should be available to them. I say should because there are a few exceptions here.

    What, pray tell, are these two key pieces of information? Simple! Your DNS query records and your IP address information from your DHCP infrastructure.

    These two key pieces of data from your network infrastructure are invaluable to your security analysis – yet you likely don’t ever look at it, you most certainly don’t have access to it and you probably wouldn’t be able to make sense of it if you had it. Again, such a shame.

    Reply
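The post above argues that DNS query records and DHCP lease data are the two pieces of infrastructure data most security teams already have and never use. As an added example (not from the article), the script below correlates constructed DNS and DHCP log lines so that a burst of NXDOMAIN answers for random-looking names is attributed to the host that actually held the client IP at the time, not to whoever leased that address earlier in the day. The log formats, hostnames, MACs and thresholds are all assumptions made up for the example.

```python
"""Attribute suspicious DNS lookups to hosts via DHCP lease history.

Added example, not from the article.  Log formats and values are constructed.
"""
import math
from collections import Counter
from datetime import datetime

# Constructed DHCP lease log: "<iso-timestamp> <ip> <mac> <hostname>".
# Note that 10.0.5.21 is leased to two different machines during the day.
DHCP_LOG = """\
2015-09-16T08:00:00 10.0.5.21 aa:bb:cc:dd:ee:01 alice-laptop
2015-09-16T08:05:00 10.0.5.22 aa:bb:cc:dd:ee:02 bob-desktop
2015-09-16T12:00:00 10.0.5.21 aa:bb:cc:dd:ee:03 contractor-pc
"""

# Constructed DNS query log: "<iso-timestamp> <client ip> <qname> <rcode>".
DNS_LOG = """\
2015-09-16T09:10:00 10.0.5.21 www.example.com NOERROR
2015-09-16T09:10:05 10.0.5.22 mail.example.com NOERROR
2015-09-16T13:00:00 10.0.5.21 x7kq9pz3vh2lm8w.example.net NXDOMAIN
2015-09-16T13:00:01 10.0.5.21 b4nq8tz1yr6j.example.net NXDOMAIN
2015-09-16T13:00:02 10.0.5.21 m2tw5ks9qd0v.example.net NXDOMAIN
2015-09-16T13:00:03 10.0.5.21 r8hv3qx6zp1c.example.net NXDOMAIN
"""


def parse_dhcp(text):
    """Return lease records as (timestamp, ip, mac, hostname), oldest first."""
    leases = []
    for line in text.splitlines():
        ts, ip, mac, host = line.split()
        leases.append((datetime.fromisoformat(ts), ip, mac, host))
    return sorted(leases)


def lease_at(leases, ip, when):
    """Return (mac, hostname) holding `ip` at `when`: the latest lease not after it."""
    current = None
    for ts, lease_ip, mac, host in leases:
        if lease_ip == ip and ts <= when:
            current = (mac, host)
    return current


def shannon_entropy(label):
    """Bits of entropy per character; DGA-style labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse(dns_text, dhcp_text, nx_threshold=3, entropy_threshold=3.0):
    """Map hostnames to NXDOMAIN counts and high-entropy names they looked up.

    Only hosts at or above `nx_threshold` NXDOMAIN answers are reported.
    """
    leases = parse_dhcp(dhcp_text)
    nx_by_host = Counter()
    odd_by_host = {}
    for line in dns_text.splitlines():
        ts, client, qname, rcode = line.split()
        lease = lease_at(leases, client, datetime.fromisoformat(ts))
        host = lease[1] if lease else "unknown(%s)" % client
        if rcode == "NXDOMAIN":
            nx_by_host[host] += 1
        if shannon_entropy(qname.split(".")[0]) >= entropy_threshold:
            odd_by_host.setdefault(host, []).append(qname)
    findings = {}
    for host, count in nx_by_host.items():
        if count >= nx_threshold:
            findings[host] = {"nxdomain": count,
                              "suspicious_names": odd_by_host.get(host, [])}
    return findings


if __name__ == "__main__":
    for host, detail in analyse(DNS_LOG, DHCP_LOG).items():
        print(host, detail)
```

Without the DHCP join, the same lookups would be blamed on alice-laptop, because it held 10.0.5.21 earlier that day.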
  45. Tomi Engdahl says:

    The Security Operations Hierarchy of Needs
    http://www.securityweek.com/security-operations-hierarchy-needs

    Some time ago, I met with an organization that had asked to speak with me because of my experience in the security operations realm. After a few minutes, it became apparent that the organization had many of the same challenges I often see in organizations that have immature security operations functions.

    These challenges include, but are not limited to, incomplete logging, lack of visibility into network traffic and endpoints, no communicated leadership vision, no formal process, alert fatigue, low signal-to-noise-ratio, no unified work queue of events, incomplete staffing, inadequate training, and other challenges. That didn’t surprise me in the least, as these are common challenges. What did surprise me was the direction in which the organization wanted to take the conversation.

    In my experience, there is a hierarchy of needs — almost like Maslow’s hierarchy of needs, but for security operations. Before looking to address higher order needs, foundational needs need to be met. That hierarchy looks something like this:

    Awareness
    Vision
    Process
    Instrumentation
    Content
    Unified Work Queue
    Staffing
    Training
    Operations
    Intelligence
    Information Sharing

    This hierarchy is high level and only scratches the surface, but you can see that a mature security operations function doesn’t build itself. It’s important to note the interdependence of each of the steps

    Reply
  46. Tomi Engdahl says:

    Should You Be Worried About BGP Hijacking your HTTPS?
    http://www.securityweek.com/should-you-be-worried-about-bgp-hijacking-your-https

    A BGP route monitoring firm, Qrator, released a paper at Blackhat 2015 titled “Breaking HTTPS with BGP Hijacking.” I’ll say more about this paper in a little bit, but let’s set up the basics of BGP first.

    BGP is the Border Gateway Protocol that governs how traffic flows around the Internet, both globally—between one service provider (SP) and another—and locally—to the customers of each SP.

    Routes change for many reasons, and when they do, the changes are sent to all SPs via BGP. Every now and then, a mistake happens and an SP will advertise (or be assigned) a network that they don’t really own. If the mistake is big enough, a large portion of the world’s traffic will begin flowing in the wrong direction.

    In some cases, a route is mis-advertised on purpose, by a malicious party or law enforcement, and this is known as BGP hijacking.

    There have been designs for fixing the security of BGP for years, but these designs aren’t anywhere close to implementation. BGP will remain insecure for years to come.

    Hijacking a TLS certificate

    According to the Qrator white paper, with a well-timed BGP hijack, an attacker could issue themselves a real TLS certificate from a real certificate authority. The attacker would advertise that they owned the target’s domain, and request a certificate for that domain from a certificate authority.

    For a basic TLS certificate, the Certificate Authority (CA) asks that requestors prove that they own the associated domain. While many approaches are used to provide this proof, one of the most common is having the requestor post specific content at a URL on that domain. When a domain has been temporarily hijacked, the attacker can post the content and then be issued a domain-validated (DV) certificate within minutes.

    Let’s be clear, I’ve never heard any reports of BGP hijacking against certificate authorities actually happening in the wild, either publicly or privately.

    Not so fast

    If Qrator is letting a cat out of the bag with its “Breaking HTTPS via BGP Hijacking” white paper, then we may start seeing more fraudulent certificates in the wild. They will not be EV certificates, though. And with projects like Let’s Encrypt making SSL certificates free and browsers pushing to make SSL the default, I suspect we will see more sites migrate from DV to EV certificates.

    Secure BGP is a long way off, but the window for obtaining fraudulent certificates via BGP hijacking may be closing anyway, as HTTP pinning sees more and more adoption.

    Reply
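The post above notes that a DV certificate can be issued within minutes of a hijack, which is why route monitoring (the business Qrator is in) matters: the defender needs to know quickly that someone else is originating their prefix. As an added example (not from the article or from Qrator), the script below checks a feed of BGP announcements against a baseline of prefixes and their expected origin ASN, flagging both a changed origin and, going slightly beyond the text, a more-specific sub-prefix announced by a foreign AS, which wins the route by longest-prefix match. Prefixes and ASNs are constructed from documentation ranges; the feed format is an assumption.

```python
"""Flag BGP announcements that conflict with a prefix/origin baseline.

Added example, not from the article.  Prefixes, ASNs and feed are constructed.
"""
import ipaddress

# Constructed baseline: prefixes we originate, keyed to the ASN that must originate them.
EXPECTED_ORIGINS = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/24": 64500,
}

# Constructed announcement feed: (prefix, AS path).  The origin is the last ASN in the path.
ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64496, 64500]),          # legitimate
    ("203.0.113.0/24", [64497, 64496, 64500]),    # legitimate
    ("203.0.113.0/24", [64498, 64510]),           # same prefix, unexpected origin
    ("198.51.100.128/25", [64499, 64511]),        # more-specific from a foreign AS
    ("192.0.2.0/24", [64497, 64512]),             # not our prefix: ignored
]


def check_announcement(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return an alert dict if the announcement conflicts with the baseline, else None."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for ours, want in expected.items():
        ours_net = ipaddress.ip_network(ours)
        if net.version != ours_net.version:
            continue
        if net == ours_net:
            if origin != want:
                return {"type": "origin_change", "prefix": prefix,
                        "seen": origin, "expected": want}
            return None
        # A more-specific announced by our own ASN is normal traffic engineering;
        # from anyone else it attracts traffic away from the covering prefix.
        if net.subnet_of(ours_net) and origin != want:
            return {"type": "more_specific", "prefix": prefix, "covering": ours,
                    "seen": origin, "expected": want}
    return None


def monitor(announcements, expected=EXPECTED_ORIGINS):
    """Run every announcement through the check and collect the alerts in feed order."""
    alerts = []
    for prefix, path in announcements:
        alert = check_announcement(prefix, path, expected)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in monitor(ANNOUNCEMENTS):
        print(alert)
```

The check only compares origins; a path-shortening hijack that keeps the true origin at the end of a forged path would need route-collector data with expected upstreams to catch.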
  47. Tomi Engdahl says:

    OKCupid Still Dragging Its Heels On HTTPS
    Popular Dating Site Has No Love for Strong Security
    https://www.eff.org/deeplinks/2015/09/okcupid-still-dragging-its-heels-https

    Back in 2012, EFF first called out OKCupid for failing to safeguard user data by not implementing HTTPS site-wide.

    Three years later, OKCupid still hasn’t fixed the problem. For users who haven’t upgraded to paid accounts, their emails, chat sessions, searches, clicked links, pages viewed, and usernames are transmitted over the Internet in unencrypted plaintext, where they can be intercepted and read by anyone on the network.

    “HTTPS” is standard web encryption that ensures information sent and received online is encrypted. OKCupid enables some HTTPS encryption on the site—for example, for paid users and during initial log-in. But OKCupid does not enable HTTPS across the entire site. This means that while OKCupid doesn’t leak passwords entered during log in, it does leak a lot of other data about most users.

    Reply
  48. Tomi Engdahl says:

    MariaDB bakes native encryption into 10.1RC – with some Google loving
    No performance sacrifice, open source DBMS developer says
    http://www.theregister.co.uk/2015/09/16/mariadb_bakes_google_encryption_into_101rc/

    MariaDB is beefing up security with the latest upgrade of the open source database, MariaDB 10.1, courtesy of encryption technology donated by Google. The upgrade can be downloaded today as a release candidate and general availability is slated for October.

    By migrating to 10.1, current MariaDB and MySQL users can natively and transparently encrypt their databases “without sacrificing performance and cost” and without having to make changes to existing applications.

    New security features in 10.1 include better password management, role based control improvements and, Google’s contribution, data-at-rest encryption – all lovely for compliance with data protection regulations.

    MariaDB Corp. contrasts its upgrade with the approach taken by commercial DBMS providers, which typically use expensive and slow third party extensions for database encryption.

    Reply
  49. Tomi Engdahl says:

    Intel infosec folk TEE off open source app dev framework
    World+dog can TEE off too, without spending megabucks
    http://www.theregister.co.uk/2015/06/30/opentee_an_open_virtual_trusted_execution_environment/

    A trio of Intel boffins have broken a vendor lock-down on trusted execution environments (TEEs) with the release of an open source framework that could help developers to build more secure apps.

    Intel wonks Brian McGillion, Tanel Dettenborn, and Thomas Nyman (plus N. Asokan of Aalto University and University of Helsinki) released the OpenTEE software framework for developers as an alternative to expensive or non-existent TEE tools.

    Developers can use what the team calls an efficient and easy-to-use tool to develop and debug trusted applications such that it can be compiled for any hardware TEE.

    “Despite widespread deployment of hardware-based TEEs in mobile devices, application developers have lacked the interfaces to use TEE functionality to protect their applications and services,” the authors write in the paper Open-TEE — An Open Virtual Trusted Execution Environment [PDF].

    http://open-tee.github.io/

    Reply
