Security trends for 2015

3,110 Comments

1. September 16, 2015 at 2:56 pm

   Tomi Engdahl says:

   In EU-US data sharing we trust – but can we have that in writing, say MEPs
   Signs of split between EU apparatchiks and elected reps
   http://www.theregister.co.uk/2015/09/16/eu_us_data_sharing_can_we_have_that_meps/

   European lawmakers won’t blindly accept an EU-US agreement on new data sharing laws without important legal questions being answered and fine print being read, according to several prominent MEPs.

   After four years of talks, the EU and the US reached a “gentleman’s agreement” on data sharing for law enforcement last week.

   On Tuesday evening, the so-called Umbrella Agreement was presented to the European Parliament’s civil liberties committee by Paraskevi Michou, acting director general of the EU Commission’s justice department, which led negotiations from the east of the Atlantic.

   The new accord will allow the exchange of personal data between the EU and the US “for the purpose of prevention, detection, investigation and prosecution of criminal offences”, so long as it is not “processed beyond compatible purposes”.

   Reply
2. September 16, 2015 at 3:31 pm

   Tomi Engdahl says:

   Indian scientists develop algorithm to prevent cybercrime
   http://timesofindia.indiatimes.com/tech/tech-news/Indian-scientists-develop-algorithm-to-prevent-cybercrime/articleshow/48954633.cms

   Indian researchers have developed a new keystroke algorithm that can use unique human typing patterns to make online authentication processes more secure, reliable and cheap.

   The new method developed by researchers at the Department of Computer Science and Engineering, Jeppiaar Engineering College, Chennai, hopes to alleviate some of the common issues for internet users including loss of password, growing prowess of hackers, and easy access to methods such as phishing and usage of bots.

   Like fingerprint scans, retina scans and facial recognition, keystroke dynamics are a biometric — they measure a unique human characteristic.

   “As the typing pattern varies from person to person, this can be used as a suitable method for the authentication process more effective than others,” researchers J Visumathia and P Jesu Jayarin wrote in the Journal of Applied Security Research.

   This method is especially appealing for its relative ease of implementation, as the information needed to evaluate human typing patterns is already present in computers, researchers said.

   Reply
3. September 16, 2015 at 4:17 pm

   Tomi Engdahl says:

   Debian Project Aims to Keep the CIA Off Our Computers
   http://www.linuxjournal.com/content/debian-project-aims-keep-cia-our-computers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

   Lunar, one of the lead developers on the Debian ReproducibleBuilds project, has recently outlined a serious security hole that could impact all open-source software, including most Linux distributions. It potentially exposes users to unwanted scrutiny from third parties, including security agencies. His project is designed to close this hole.

   One of the big advantages of open source software is that third parties can inspect the code to ensure it does what it’s supposed to. If any malicious code is present, it can be detected and eliminated. But when software is distributed in the form of a binary executable, there is a risk that malicious code (not present in the original source code) has been added.

   This may sound a little far-fetched, but in actual fact it is a real security concern. The Snowden leak has revealed that the CIA is working on ways to exploit these weaknesses to install snooping software onto consumer devices all over the world.

   At a recent conference organized by the CIA, a team of developers presented a proof of concept. They had managed to bypass Apple’s digital certificates to produce a corrupted version of XCode, Apple’s proprietary compiler.

   If Apple is a hot target, then Linux is an even more tempting one. Security conscious users who understand the risk of commercial platforms often use Linux for its tighter security features.

   Anti-virus software can detect fragments of known malware, but this is only possible after instances of the malware have been discovered and analyzed. It doesn’t protect against new or previously undetected malware infections. In short, anti-virus software is not enough to protect against this type of attack.

   The only way to be sure that a binary executable does not include any unexpected code is to compile the source code and compare the two files. If the freshly compiled file does not match the binary executable under test, it could have added code, possibly malware.

   While this is a basically sound idea, there is a major fly in the ointment. The source code for the majority of Linux packages is written in such a way that it doesn’t always compile to produce an identical binary file.

   There are several reasons why a compiled file may be different. This includes:

   Timestamps embedded in the code.
   Incremental build numbers.
   Differences between different file systems, so a binary compiled on my computer is different from one compiled on yours.
   File paths from the build machine are embedded into the binary – different computers could store resources and code in different locations.
   Random data from memory or the CPU embedded into the compiled file.
   And so on.

   The problem of producing reproducible builds requires a number of changes to be made:
   1: The source code must be changed so that variables are always initialized to static values (not dynamic values from memory, which can be random).
   2: Eliminate the use of timestamps, source code file paths, and build numbers.
   3: Specify the exact build environment, so that it can be reproduced on different computers.

   You can read more about the project at:
   https://wiki.debian.org/ReproducibleBuilds

   Reply
4. September 17, 2015 at 7:26 am

   Tomi Engdahl says:

   Schneider patches yet ANOTHER dumb vuln
   Smart buildings, dumb vulns, does it ever change?
   http://www.theregister.co.uk/2015/09/17/schneider_patches_another_vuln/

   Schneider Electric has pushed out a patch to an industrial control system which – stop me if you’ve heard this before – passes credentials between client and server in plain text.

   CVE-2015-3962 applies to the company’s Struxureware Building Expert, prior to version 2.15, and the company has released an update to the system (outlined in its advisory, PDF here).

   The vulnerable system handles air-conditioning, lighting, and metering.

   The ICS-CERT advisory accompanying the vuln says it hasn’t been exploited, which The Register would regard as astonishingly good fortune, since if someone obtained credentials and signed in using a valid admin user ID, how would anyone know?

   Advisory (ICSA-15-258-01)
   Schneider Electric StruxureWare Building Expert Plaintext Credentials Vulnerability
   https://ics-cert.us-cert.gov/advisories/ICSA-15-258-01

   Reply
5. September 17, 2015 at 7:27 am

   Tomi Engdahl says:

   Banks team to paint shared target on Target
   Class action lawsuit coming retailer’s way as breach bill soars past US$200 million
   http://www.theregister.co.uk/2015/09/17/banks_team_to_paint_shared_target_on_target/

   Financial institutions pursuing retailer Target have had a significant win after the US District Court said they can run a class action against the company.

   Target infamously managed to leak 40 million credit card numbers in 2013 and has been paying for its mistake ever since, spending up big on laywers and handing over US$10million to aggrieved card-holders. Banks and other institutions, however, are yet to have their day in court.

   That day is looming and will now be rather trickier for Target, as U.S. District Judge Paul Magnuson yesterday ruled that litigants can run a class action.

   Target’s already settled with banks that issue Visa cards to the tune of US$67 million, but at least one bank involved in that settlement is coming back for more in the class action. Issuers of MasterCards, who have previously walked away from a deal deemed inadequate, have come back for another round.

   Target’s already sent more than $200 million out the door in payments and post-hack expenses, including $21m that went mostly on “ legal and other professional services” in the first half of 2015. With the class action to come, the cost of the breach will likely rise.

   Reply
6. September 17, 2015 at 7:38 am

   Tomi Engdahl says:

   THE DUKES
   7 years of Russian cyberespionage
   https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

   This whitepaper explores the tools – such as
   MiniDuke, CosmicDuke, OnionDuke, CozyDuke,
   etc- of
   the Dukes
   , a well-resourced, highly
   dedicated and organized cyberespionage
   group that we believe has been working for the
   Russian Federation since at least 2008 to collect
   intelligence in support of foreign and security
   policy decision-making

   Reply
7. September 17, 2015 at 7:48 am

   Tomi Engdahl says:

   Your finger is about to replace your bank password
   http://money.cnn.com/2015/06/05/technology/bank-fingerprint-reader/

   We already use our fingerprint to unlock our phones, and one day soon your finger could replace your bank password.

   Over the past year, U.S. banks have been ramping up efforts to incorporate biometric technology (iris scanners, fingerprint readers and facial recognition) into their systems.

   Biometric scanners could let you log in to you bank account on your phone or PC, letting you transfer money or send cash without entering a password. That could potentially be safer than using a password, since your fingerprint is unique to you. Passwords can be easily guessed or hacked.

   Bank of America Introduces Fingerprint and Touch ID Sign-in for Its Mobile Banking App
   http://www.marketwatch.com/story/bank-of-america-introduces-fingerprint-and-touch-id-sign-in-for-its-mobile-banking-app-2015-09-15

   Bank of America today announced a series of improvements to mobile and online banking to better meet customers’ changing needs and make it easier for users to manage their finances digitally. The new updates include the introduction of fingerprint and Touch ID sign-in, in addition to the launch of an Apple Watch mobile banking app, streamlined “Accounts Overview” page and new Security Center for more than 31 million active digital banking customers.

   Bank of America adds fingerprint logins to its Android and iOS apps
   http://www.engadget.com/2015/09/15/bank-of-america-adds-fingerprint-logins-to-its-android-and-ios-a/

   Bank Of America Apps For Android And iOS Now Support Fingerprint Sign-In
   http://www.ubergizmo.com/2015/09/bank-of-america-apps-for-android-and-ios-now-support-fingerprint-sign-in/

   Bank of America today released updated apps for iOS and Android with support for fingerprint and Touch ID sign-in, this means that users will be able to access their finances by simply authenticating their identity with a fingerprint. Fingerprint sensors have gradually become common on smartphones with Google going so far as to add support for sensors right into Android 6.0 Marshmallow whereas Touch ID has been open to third-party developers for over a year now so it’s about time that BoA embraced this technology.

   Fingerprint and Touch ID sign-in is going to enable users on Android and iOS devices to log into the mobile app using their fingerprint, it will allow access to the most common functionality of the app without requiring users to punch in a passcode.

   Reply
8. September 17, 2015 at 7:54 am

   Tomi Engdahl says:

   Surprise mobile networks: 80 percent of malware has come from other than mobile phones

   Mobile networks detected malware surprisingly many works on your computer and mobile devices. Motive Security Lab estimates that 80 percent of operating mobile data networks from malware can be traced to Windows-based computers.

   The situation has changed in two years: 2013 and 2014 half of the detected malicious programs were Android devices, and the other half for Windows devices.

   Motive Security Lab is part of the network equipment manufacturer Alcatel-Lucent. The company released the first half of 2015 on the malware situation report.

   Source: http://www.tivi.fi/Kaikki_uutiset/yllatys-mobiiliverkoissa-haittaohjelmista-80-prosenttia-tuleekin-muualta-kuin-kannykoista-3483519

   Motive Security Labs
   Malware Report – H1 2015
   http://media.ne.cision.com/l/uxmbdwgr/resources.alcatel-lucent.com/asset/189669

   Reply
9. September 17, 2015 at 8:11 am

   Tomi Engdahl says:

   Richard Stallman ‘basically’ has no problem with the NSA using GNU/Linux
   http://www.itworld.com/article/2946683/linux/richard-stallman-basically-has-no-problem-with-the-nsa-using-gnulinux.html

   Credit: Swapnil Bhartiya
   It’s Stallman’s philosophy that ‘a program must not restrict what jobs its users do with it’ — and that includes the NSA.

   If you have been keeping an eye on what the NSA has been up to while they were busy reading your emails, you might be aware of the XKEYSCORE program run by the agency. According to Edward Snowden, as told to Glenn Greenwald, the program was used to “sweep up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications.”

   This is old news, you say. We’ve all known about it since 2013. So what’s the big deal and why am bringing it up now?

   The big deal is that the NSA was allegedly running the program on ‘Free and Open Source’ software. Greenwald disclosed it yesterday on The Intercept:

   XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.

   This story generated mixed responses from the Open Source community.

   I recalled a discussion around the same topic with Richard M Stallman in India a few years ago. But I had vague recollection of it so I reached out to him and asked him outright: “Should free software care or dictate who should use it? Shouldn’t any such free project be agnostic to ‘who’ uses it?”

   He came back with a simple reply: “I basically agree with you.” And pointed me to an FSF article where he discussed the issue. I highly recommend that everyone interested in this story read his blog in it entirety. But the key takeaway is this: “A program must not restrict what jobs its users do with it.”

   nd the fact remains that the herculean task that the NSA decided to take on is better done with Free Software than proprietary software.

   Reply
10. September 17, 2015 at 10:11 am

    Tomi Engdahl says:

    Malware links Russians to 7-year global cyberspy campaign
    These Dukes of Hazzard don’t drive a 1969 Dodge Charger. As far as we know
    http://www.theregister.co.uk/2015/09/17/russian_cyberspy_dukes_campaign/

    Security researchers have shone the spotlight on an ongoing campaign by Russian cyberspies to snoop on western governments and NGOs, as well as targets in Georgia, using the Dukes malware.

    The Dukes group of attackers employ a family of unique malware toolsets used to steal information by infiltrating computer networks, before siphoning off compromised data.

    The group has been using malware toolkits to support Russian intelligence gathering for at least seven years, according to Finnish security firm F-Secure.

    Reply
11. September 17, 2015 at 10:51 am

    Tomi Engdahl says:

    German data retention law prompts EU backlash – but not for the reason you think
    ‘We won’t sue Merkel & Co, honest’ says Commish
    http://www.theregister.co.uk/2015/09/17/german_data_retention_law_eu_backlash_surprising/

    “We are neither opposing nor advocating the introduction of national data retention laws. Suggestions that the Commission is considering court action against the German draft data retention law are misleading. The College of Commissioners is not contemplating such action,” said the Commish in a statement.

    The reality is far more convoluted.

    After the European Court of Justice ruled the 2006 Data Retention Directive was illegal last year, Germany set out a draft law in May that would force telcos to store call and email records such as number called, call duration and IP addresses for 10 weeks. Phone location data will also be stored for four weeks.

    The problem is that the draft law specifies this so-called Vorratsdatenspeicherung (VDS) data must be stored on German soil, something international companies offering services in Germany might have trouble with. This law could therefore be interpreted as a barrier to cross-border EU trade.

    Reply
12. September 17, 2015 at 11:08 am

    Tomi Engdahl says:

    Paul Mozur / New York Times:
    China asks US tech firms to pledge compliance for questionable practices including sharing user data and intellectual property — China Tries to Extract Pledge of Compliance From U.S. Tech Firms — HONG KONG — The Chinese government, which has long used its country’s vast market as leverage …

    China Tries to Extract Pledge of Compliance From U.S. Tech Firms
    http://www.nytimes.com/2015/09/17/technology/china-tries-to-extract-pledge-of-compliance-from-us-tech-firms.html?_r=0

    The Chinese government, which has long used its country’s vast market as leverage over American technology companies, is now asking some of those firms to directly pledge their commitment to contentious policies that could require them to turn user data and intellectual property over to the government.

    The government distributed a document to some American tech companies earlier this summer, in which it asked the companies to promise they would not harm China’s national security and would store Chinese user data within the country, according to three people with knowledge of the letter who spoke on the condition of anonymity.

    The letter also asks the American companies to ensure their products are “secure and controllable,” a catchphrase that industry groups said could be used to force companies to build so-called back doors — which allow third-party access to systems — provide encryption keys or even hand over source code.

    Reply
13. September 17, 2015 at 9:46 pm

    Tomi Engdahl says:

    SUCEFUL: Next Generation ATM Malware
    https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html

    You dip your debit card in an automated teller machine (ATM) and suddenly realize it is stuck inside, what happened?

    a) You took too much time entering details.
    b) There was an error in the network connection to the bank.
    c) The machine is infected with malware and your card was intentionally retained to be ejected to the crooks once you walk away asking for help.

    If you answered ‘c’ you might be correct! FireEye Labs discovered a new piece of ATM malware (4BDD67FF852C221112337FECD0681EAC) that we detect as Backdoor.ATM.Suceful (the name comes from a typo made by the malware authors), which targets cardholders and is able to retain debit cards on infected ATMs, disable alarms, or read the debit card tracks.

    ATM malware is not new

    Potential SUCEFUL capabilities in Diebold or NCR ATMs include:

    Reading all the credit/debit card track data
    Reading data from the chip of the card
    Control of the malware via ATM PIN pad
    Retention or ejection of the card on demand: This could be used to steal physical cards
    Suppressing ATM sensors to avoid detection

    Conclusion

    Since it is impossible to ascertain whether a retained card is due to this malware, keep the contact number for your bank in your phone and call it while keeping eyes on the ATM.

    SUCEFUL is the first multi-vendor ATM Malware targeting cardholders, created to steal the tracks of the debit cards but also to steal the actual physical cards, which is definitely raising the bar of sophistication of this type of threats.

    Reply
14. September 18, 2015 at 6:30 am

    Tomi Engdahl says:

    D-Link Accidentally Publishes Private Code Signing Keys
    http://mobile.slashdot.org/story/15/09/17/1752210/d-link-accidentally-publishes-private-code-signing-keys

    As part of the GPL license, D-Link makes its firmware source code available for many of its devices. When looking through the files I accidentally stumbled upon 4 different private keys used for code signing.

    A Dutch news site published the full story (translated to english with Google Translate).
    http://tweakers.net/nieuws/105137/d-link-blundert-met-vrijgeven-privesleutels-van-certificaten.html
    https://translate.google.com/translate?sl=nl&tl=en&js=y&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Ftweakers.net%2Fnieuws%2F105137%2Fd-link-blundert-met-vrijgeven-privesleutels-van-certificaten.html&edit-text=&act=url

    Malware writers can use the certificates to sign their malicious code, which for example is Windows look like legitimate software. The certificate is a guarantee that the programs will actually come from the relevant company.

    The blunder was discovered by bartvbl, who pointed to the editorial on the issue. He had purchased the DCS-5020L-surveillance camera from D-Link and wanted to download the firmware. D-Link firmware source code of many open source under a GPL license available. “It turned out what to look through the files that were in private keys to sign with code”, reports bartvbl, “In fact, in some batch files were the commands and pass phrases that were needed.”

    The user was able to verify that the key could be used to create a file that was not D-Link with a certificate signing. In early September expired certificates, so the trick no longer works. Even after providing the expiration date remains signed software that is to be seen as valid.

    Security firm Fox-IT request, confirms the findings of the user. Yonathan Klijnsma, researcher at the company: “T he code signing certificate is indeed a firmware packages, firmware version 1.00b03 whose source February 27 this year, was released this certificate was therefore issued for expired, a big mistake.”. He even found four other certificates in the same folder.

    D-Link has released new versions of the firmware, where the certificates no longer in it.

    Reply
15. September 18, 2015 at 6:30 am

    Tomi Engdahl says:

    What’s In Your Hand? This Malware Knows
    http://games.slashdot.org/story/15/09/17/1514257/whats-in-your-hand-this-malware-knows

    An anonymous reader writes with the story that ESET researchers have uncovered spyware targeting online poker players, called Odlanor, which works by sending screenshots of a player’s game (along with that player’s in-game identity) to the attacker; the attacker can then search for the player with that ID, and enjoy an unfair advantage.

    The Trojan Games: Odlanor malware cheats at poker
    http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats-at-poker/

    Reply
16. September 18, 2015 at 7:02 am

    Tomi Engdahl says:

    Hack Brief: Oh Good, Anyone Can Access a List of Unpatched Firefox Bugs
    http://www.wired.com/2015/09/hack-brief-bugzilla/

    Earlier this month, it was reported that hackers managed to breach the bug database of Mozilla. From here, the attackers accessed 185 non-public bugs for the popular Internet browser Firefox, 53 of which were categorized as “severe vulnerabilities.” At least one of these has been used in the wild, against visitors of a Russian news site.

    Now, it might not just be Mozilla’s non-public bugs that are under threat. A security company has discovered how to obtain high-level permissions on Bugzilla, the vulnerability database used by Mozilla as well as a host of open-source projects and private businesses. These databases contain all sorts of sensitive information, including details on vulnerabilities that organizations have been told about, but are yet to fix. From here, it is potentially possible for an attacker to view details on unpatched problems, which could then be deployed against people who use Mozilla products, or any of the other affected pieces of software.

    The Hack

    When an organization employee or contributor, likely part of a security team, creates an account on Bugzilla, they will be sent a verification email, to check they do indeed own the address. But the bug, discovered by PerimeterX and written up by senior vulnerability researcher Netanel Rubin, allows anybody to create an account looking like it comes from a specific organization, even if they don’t work for it.

    By registering on Bugzilla with an email address of exactly 255 bytes, including the domain of the target organization, instead of rejecting the large string, Bugzilla’s database trims the data down so it fits into the appropriate column. On the end of this, a hacker attaches a domain they own.

    This results in the verification email to join Bugzilla being sent to an account controlled by the hacker, but being given the access allowed to the target.

    Reply
17. September 18, 2015 at 7:06 am

    Tomi Engdahl says:

    New Crypto Tool Makes Anonymous Surveys Truly Anonymous
    http://www.wired.com/2015/09/new-crypto-tool-makes-anonymous-surveys-truly-anonymous/

    At the end of a semester teaching an undergraduate math course a few years ago, Cornell Tech researcher and crypto professor Rafael Pass asked his students to fill out the usual anonymous online course evaluation. One of his brighter students stayed after class to ask him a question: Was the survey truly anonymous?

    As a cryptographer, Pass had to confess that no, the survey wasn’t cryptographically anonymous. Students had to blindly trust that the university wouldn’t access their identifying information. “The data is there,” Pass says he admitted.

    In fact, on the web, anonymous surveys usually aren’t, according to Pass and Shelat, his fellow cryptography researcher at Cornell Tech. To prevent ballot stuffing and spam responses, surveys often require a unique identifier like an email address. And the anonymity of the survey depends entirely on the survey service—or any hacker who can access its servers—choosing not to reveal the links between its supposedly anonymous responses and those identifiers.

    “When you use Survey Monkey, you just have to hope that it ensures your anonymity. It’s a very dangerous assumption,”

    So Pass and Shelat have built a free alternative called Anonize, designed to enable fully, cryptographically anonymous surveys.

    Anonize pulls off that trick through a series of cryptographic sleights of hand. Respondents download the Anonize app to their smartphone, and the app generates a secret key derived from their email address that will never leave their device. When a survey administrator—say, a class professor—creates a survey, the Anonize server generates a PGP-style public key that’s derived from the email addresses of all the authorized respondents—in this example, her students. The respondents write their answer in the Anonize app and then either submit it from the phone or from a desktop by scanning a QR code.

    When a student makes that submission, the app uses the survey public key and respondent secret key together to “sign” the text

    the string of data that the person submits doesn’t offer any hint of their actual email address.

    And the string is created using what cryptographers call a “zero knowledge proof”, a method of proving a mathematical statement is true without knowing anything else about it. The server can check for proof that someone is authorized without learning anything of their identity.

    That link exists only on their phone, which altogether inaccessible to the admin. “The data carries no information about who it came from,” says Pass. “With just that string of data, it’s unconditionally secure.”

    Of course, anyone who gets hold of a survey respondent’s phone can access their private key and identify them. But that’s still far better than merely trusting the owner of the survey server or any hacker who breaks into it not to identify respondents.

    Pass and Shelat have already made Anonize available at Anonize.org, and they plan to open-source its code in the coming months so that others can audit and verify their security claims.

    https://anonize.org/

    Reply
18. September 18, 2015 at 7:07 am

    Tomi Engdahl says:

    Hacker Lexicon: A Guide to Ransomware, the Scary Hack That’s on the Rise
    http://www.wired.com/2015/09/hacker-lexicon-guide-ransomware-scary-hack-thats-rise/

    Ransomware is malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom, usually demanded in Bitcoin. The digital extortion racket is not new—it’s been around since about 2005, but attackers have greatly improved on the scheme with the development of ransom cryptware, which encrypts your files using a private key that only the attacker possesses, instead of simply locking your keyboard or computer.

    The Ransom Business Is Booming

    Just how lucrative is ransomware? Very. In 2012, Symantec gained access to a command-and-control server used by the CryptoDefense malware and got a glimpse of the hackers’ haul based on transactions for two Bitcoin addresses the attackers used to receive ransoms. Out of 5,700 computers infected with the malware in a single day, about three percent of victims appeared to shell out for the ransom. At an average of $200 per victim, Symantec estimated that the attackers hauled in at least $34,000 that day (.pdf). Extrapolating from this, they would have earned more than $394,000 in a month. And this was based on data from just one command server and two Bitcoin addresses; the attackers were likely using multiple servers and Bitcoin addresses for their operation.

    Symantec has estimated, conservatively, that at least $5 million is extorted from ransomware victims each year.

    Ransomware:
    A Growing Menace
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf

    Reply
19. September 18, 2015 at 7:11 am

    Tomi Engdahl says:

    Lifelock Once Again Failed at Its One Job: Protecting Data
    http://www.wired.com/2015/07/lifelock-failed-one-job-protecting-data/

    Customers who hired the infamous ID theft-protection firm Lifelock to monitor their identities after their data was stolen in a breach were in for a surprise. It turns out Lifelock failed to properly secure their data.

    According to a complaint filed in court today by the Federal Trade Commission, Lifelock has failed to adhere to a 2010 order and settlement that required the company to establish and maintain a comprehensive security program to protect sensitive personal data users entrust to the company as part of its identity-theft protection service.

    This is ironic, of course, because Lifelock promotes its services to companies that experience data breaches and urges them to offer a complimentary Lifelock subscription to people whose data has been compromised in a breach. To properly monitor victims’ credit accounts to protect them against ID theft, Lifelock requires a wealth of sensitive data, including names and addresses, birth dates, Social Security numbers, and bank card information.

    Protecting that data should be a primary concern to Lifelock, particularly in light of the fact that many of its customers have already been victims of a breach.

    For an annual subscription fee, Lifelock promised customers that it would place fraud alerts on their credit accounts with the three credit reporting agencies.

    Lifelock also promised customers that sensitive data they provided the company to perform its protection services would be encrypted and protected in other ways on Lifelock’s servers and accessed only by authorized employees on a need-to-know basis.

    But it turned out that none of that data was encrypted. The company also had poor password management practices for employees and vendors who accessed the information, and Lifelock failed to limit access to sensitive data to only people who needed access.

    What’s more, the company failed to apply critical security patches and updates to its network and “failed to employ sufficient measures” to detect and prevent unauthorized access to its network, “such as by installing antivirus or antispyware programs on computers used by employees to remotely access the network or regularly recording and reviewing activity on the network,” the FTC found.

    FTC Takes Action Against LifeLock for Alleged Violations of 2010 Order
    FTC Asserts LifeLock Failed to Institute Security Program And Misled Consumers About Its Identity Protection Services
    https://www.ftc.gov/news-events/press-releases/2015/07/ftc-takes-action-against-lifelock-alleged-violations-2010-order

    In documents filed with the U.S. District Court for the District of Arizona, the FTC charged that LifeLock failed to live up to its obligations under the 2010 settlement, and asked the court to impose an order requiring LifeLock to provide full redress to all consumers affected by the company’s order violations.

    “It is essential that companies live up to their obligations under orders obtained by the FTC,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “If a company continues with practices that violate orders and harm consumers, we will act.”

    Reply
20. September 18, 2015 at 7:14 am

    Tomi Engdahl says:

    Lifelock’s stock price dropped 50 percent, from $16 to $8, following news of the FTC’s new complaint against the company.

    Source: http://www.wired.com/2015/07/lifelock-failed-one-job-protecting-data/

    Reply
21. September 18, 2015 at 7:19 am

    Tomi Engdahl says:

    Stagefright Android exploit exposes the problem with patching
    https://itsecuritything.com/stagefright-android-exploit-exposes-problem-with-patching-android/?utm_source=outbrain&utm_medium=ppc&utm_campaign=tmt-itst

    The Stagefright Android exploit, MMS message vulnerability, reported to Google back in April, and made public in July, is still not fixed even if you have already patched it.

    The Stagefright vulnerability was big news back in July, and for very good reason: around a billion Android devices were at risk of enabling attackers to steal data just by sending remotely executed code via a malicious MMS message that the recipient didn’t even have to open.

    According to the Zimperium zLabs researcher, Joshua Drake, who discovered the vulnerability and responsibly disclosed it to Google well ahead of going public, said that this was a vulnerability that could impact “95 per cent of Android devices.”

    The official disclosure stated that “Attackers can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited.”

    Reply
22. September 18, 2015 at 7:19 am

    Tomi Engdahl says:

    “This lag time between having a fix in hand and distributing it to the user base is simply too slow to be reasonably safe. If malicious actors choose to exploit this set of vulnerabilities in the meantime, there seems to be nothing everyday users can do to defend themselves.

    Source: https://itsecuritything.com/stagefright-android-exploit-exposes-problem-with-patching-android/?utm_source=outbrain&utm_medium=ppc&utm_campaign=tmt-itst

    Reply
23. September 18, 2015 at 10:22 am

    Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Malicious Cisco router backdoor found on 79 more devices, 25 in the US

    Malicious Cisco router backdoor found on 79 more devices, 25 in the US
    SYNful Knock implant appears to be much bigger than first reported, researchers say.
    http://arstechnica.com/security/2015/09/malicious-cisco-router-backdoor-found-on-79-more-devices-25-in-the-us/

    The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that’s hosting 25 boxes running the malicious backdoor.

    That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.

    Security firm FireEye surprised the security world on Tuesday when it first reported the active outbreak of SYNful Knock. The implant is precisely the same size as the legitimate Cisco router image, and it’s loaded each time the router is restarted. It supports up to 100 modules that attackers can tailor to the specific target. FireEye found it on 14 servers in India, Mexico, the Philippines, and Ukraine. The finding was significant, because it showed an attack that had long been theorized was in fact being actively used. The new research shows it’s being used much more widely, and it’s been found in countries including the US, Canada, the UK, Germany, and China.

    What is clear now is the SYNful Knock is a professionally developed and fully featured backdoor device that almost certainly is actively infecting many more devices than previously seen by FireEye. It’s plausible some of the devices the scientists witnessed were honeypots

    As FireEye reported Tuesday, there’s no evidence SYNful Knock is exploiting a vulnerability in any Cisco device. Rather, the unknown attackers behind the implant—who FireEye executives say are probably state-sponsored—appear to be taking advantage of routers that use passwords that are factory default or are somehow otherwise known. The researchers said it wouldn’t be surprising if networking gear from other manufacturers are being infected with a similar backdoor.

    Reply
24. September 18, 2015 at 11:09 am

    Tomi Engdahl says:

    ‘Intrusion’ at ceph.com makes for red faces at Red Hat
    Signed downloads perused by parties unknown, who haven’t done anything evil … yet
    http://www.theregister.co.uk/2015/09/18/intrusion_at_cephcom_makes_for_red_faces_at_red_hat/

    Red Hat software has revealed “an intrusion on the sites of both the Ceph community project (ceph.com) and Inktank (download.inktank.com)” that resulted in signed code being accessed.

    The company says ceph.com and download.inktank.com, both hosted “outside of Red Hat infrastructure”, were accessed by someone Red Hat doesn’t trust. Which is bad news because inktank “provided releases of the Red Hat Ceph product for Ubuntu and CentOS operating systems … signed with an Inktank signing key (id 5438C7019DCEEEAD).” Ceph.com held “upstream packages for the Ceph community versions signed with a Ceph signing key (id 7EBFDD5D17ED316D).”

    To date, Red Hat says, “our investigation has not discovered any compromised code available for download on these sites.” The company’s playing it safe, adding that “We can not not fully rule out the possibility that some compromised code was available for download at some point in the past.”

    Reply
25. September 18, 2015 at 11:49 am

    Tomi Engdahl says:

    Hidden password-stealing malware lurking in your GPU card? Intel Security thinks not
    Neat trick but not undetectable
    http://www.theregister.co.uk/2015/09/01/intel_security_downplays_gpu_malware_fears/

    Fears that malware is hiding in people’s graphics chipsets may be overclocked, according to Intel Security.

    Earlier this year, researchers from the self-styled “Team JellyFish” released a proof-of-concept software nasty capable of exploiting GPUs to swipe passwords and other information typed in by a PC’s user. The same research raised doubts about whether security tools can defend against this kind of malicious code.

    McAfee Labs enlisted members of Intel’s Visual and Parallel Computing Group to assess the threat posed by GPU malware. The team concluded that the doom scenario – a totally undetectable autonomous superbug hidden from antivirus packages running on the computer’s main processor cores – is unlikely.

    It’s true that hackers could be tempted to run malicious code on graphics cards or motherboard chipsets to evade malware detectors, executing code and storing data where traditional defense software fears to tread. Although moving portions of malicious code off the CPU and out of main RAM reduces the visibility of this malware, hints of evil activity can still be spotted, thus giving the game away, according to Intel Security.

    This means that endpoint security products can catch such threats as and when they arise. Such threats are, in any case, not wholly new.

    Reply
26. September 18, 2015 at 11:50 am

    Tomi Engdahl says:

    Ransomware-as-a-service business up for grabs to highest bidder
    Buy my racket or I DECRYPT my victims, says student scumbag
    http://www.theregister.co.uk/2015/06/05/ransomwareasaservice_business_up_for_grabs_to_highest_bidder/

    A self-aggrandising web skiddie is attempting to sell access to victims of the Tox ransomware.

    The hacker claims to be a student and says he has been inundated with customers for a ransomware-as-a-service racket that offers to infect victims in return for a 70 percent cut of ransoms (paid as Bitcoin, natch).

    The scam uses the Tox malware that McAfee threat research head Jim Walter revealed last week, noting its code is crude while raising the red flag.

    Reply
27. September 19, 2015 at 9:07 pm

    Tomi Engdahl says:

    Dear TSA: This is Why You Shouldn’t Post Pictures of Your Keys Online
    http://hackaday.com/2015/09/18/dear-tsa-this-is-why-you-shouldnt-post-pictures-of-your-keys-online/

    We have to hand it to the Transportation Security Administration (TSA). They seem to have a perfect track record of screwing up – and that’s not an easy thing to accomplish if you think about it.

    The most recent TSA folly seemed to practically fall into the Internet’s lap when a reporter for the The Washington Post published a hi-res picture of the entire set of TSA master keys while writing an article about how the TSA handles your bags after checking them at the counter. Well, the lock picking community when nuts and in a short time had 3D printed versions available and working. You can see it in action in the (twitter) video after the break.

    For those that are not familiar with travel in the US, you are not allowed to use just any old lock on your bags. It has to be approved by the TSA – and that means that they have to be able to open it. So the TSA agents have a set of master keys that can open any bag if they need to look inside for some reason. If you put a non-TSA approved lock on the bag, that can make them a little angry, and you risk having your bag delayed or even cut open.

    Of course, you can get into just about any suitcase with a ball point pen, so maybe this isn’t a real “security” issue, but it sure isn’t what you want to see from the agency that is supposed to protect you.

    Reply
28. September 19, 2015 at 9:12 pm

    Tomi Engdahl says:

    David E. Sanger / New York Times:
    Sources: US and China negotiating accord to refrain from using cyberweapons to cripple the other’s critical infrastructure during peacetime

    U.S. and China Seek Arms Deal for Cyberspace
    http://www.nytimes.com/2015/09/20/world/asia/us-and-china-seek-arms-deal-for-cyberspace.html?_r=0

    The United States and China are negotiating what could become the first arms control accord for cyberspace, embracing a commitment by each country that it will not be the first to use cyberweapons to cripple the other’s critical infrastructure during peacetime, according to officials involved in the talks.

    While such an agreement could address attacks on power stations, banking systems, cellphone networks and hospitals, it would not, at least in its first version, protect against most of the attacks that China has been accused of conducting in the United States, including the widespread poaching of intellectual property and the theft of millions of government employees’ personal data.

    Reply
29. September 19, 2015 at 9:45 pm

    Tomi Engdahl says:

    Jacob Demmitt / GeekWire:
    AT&T sues former workers and California-based Swift Unlocks, alleging scheme to download malware to AT&T computers to unlock hundreds of thousands of phones

    AT&T sues former workers, alleging secret scheme to unlock hundreds of thousands of phones
    http://www.geekwire.com/2015/att-sues-former-employees-alleging-they-were-secretly-paid-to-unlock-hundreds-of-thousands-of-phones/

    AT&T has filed suit against former employees alleged to have been paid tens of thousands of dollars to install malware on company computers to help “hundreds of thousands” of AT&T customers unlock their smartphones without permission.

    California-based Swift Unlocks, which allegedly orchestrated the scheme and in turn sold the illicit unlocking services to AT&T customers, is also being sued.

    Reply
30. September 19, 2015 at 9:47 pm

    Tomi Engdahl says:

    D-Link Accidentally Leaks Private Code-Signing Keys
    https://threatpost.com/d-link-accidentally-leaks-private-code-signing-keys/114727/

    A simple mistake by networking gear manufacturer D-Link could have opened the door for costly damage.

    Private keys used to sign software published by D-Link were found in the company’s open source firmware packages. While it’s unknown whether the keys were used by malicious third parties, the possibility exists that they could have been used by a hacker to sign malware, making it much easier to execute attacks.

    “I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version,”

    Klijnsma said he found certificates not only from D-Link but also from Starfield Technologies, KEEBOX Inc., and Alpha Networks. All of the certificates have since expired or been revoked. The D-Link cert, however, was published on Feb. 27 and was exposed more than six months before it expired Sept. 3.

    Leaking a legitimate code-signing certificate has potentially serious consequences. The use of stolen digital certificates is a common tactic among malware authors and attackers looking for a way to get their code past security systems. Many security technologies will trust files that are signed and let them pass.

    Many APT groups have made use of lost or stolen certs to sign malware used in targeted attacks; underground services exist as well providing code-signing services. For example, the Destover wiper malware used in the attacks against Sony Pictures Entertainment was signed using a certificate stolen from Sony. A similar tactic was used by the attackers behind the Duqu 2.0 APT campaign, using a cert stolen from a Chinese technology manufacturer to sign malware.

    Reply
31. September 19, 2015 at 9:52 pm

    Tomi Engdahl says:

    Yashaswini Swamynathan / Reuters:
    Comcast settles with California for $33M after posting personal details of 75K customers online

    Comcast reaches $33 million settlement with California over privacy violations
    http://www.reuters.com/article/2015/09/17/us-comcast-settlement-idUSKCN0RH36A20150917

    Comcast Corp has reached a $33 million settlement with California over allegations that the cable company posted personal details of customers online, state Attorney General Kamala Harris said in a statement on Thursday.

    As part of the agreement with the California Department of Justice and the California Public Utilities Commission, Comcast must pay $25 million in penalties and investigative costs to the to the two departments, the statement said.

    Comcast will also pay about $8 million in additional restitution to customers whose numbers were improperly disclosed.

    “This settlement provides meaningful relief to victims (and) brings greater transparency to Comcast’s privacy practices,” Harris said.

    The departments alleged that Comcast had posted names, phone numbers and addresses of “tens of thousands” of customers who had paid for unlisted voice over internet protocol (VOIP) phone service.

    Reply
32. September 20, 2015 at 5:44 am

    Tomi Engdahl says:

    SONY HACK WAS WAR says FBI, and ‘we’re still struggling to hire talent’
    Cybercrims may be safe at home, but Feds dare them to go on holiday
    http://www.theregister.co.uk/2015/09/18/sony_hack_was_war_says_fbi_still_struggling_to_hire_talent/

    Cloudsec Yesteryear’s hack of Sony Pictures was an act of war, stated FBI Supervisory Special Agent Timothy Wallach, who delivered the FBI’s gradation system of cybercriminals to net security conference Cloudsec on Thursday, 17 September.

    US agencies have fingered the North Korean government for the Sony attack repeatedly, initially to much scorn as the nation is popularly believed to be residing in the technical dark ages.

    However, the Norks role in the breach has been increasingly accepted, as information about the NSA’s role in attribution has been made public.

    Presenting the act of war at one end of the spectrum, with hacktivists at the other end, FBI Supervisory Special Agent Timothy Wallach told Cloudsec about the agency’s ongoing efforts to deal with cybercrime.

    Wallach made it clear the FBI distinguished hacktivists – a term he suggested covered ideological actors, including everyone from LOIC and Lizard Stresser ego-hackers, through to those defacing police websites following the shootings of young African American men – from those cybercriminals who were motivated by financial gain or espionage.

    The hack of Sony pictures, he suggested, was an act of warfare, though it remains unclear how it might be considered a military act of sabotage, other than its nation-state backing.

    According to Wallach, who is currently assigned to lead the Cyber Task Force in the Seattle Field Office of the FBI, reports of breaches increased by 55 per cent between 2013 and 2014.

    These breaches often targeted personal identifiable information, although an increasing number went after healthcare information, which Wallach regards as a larger target.

    Reply
33. September 20, 2015 at 5:48 am

    Tomi Engdahl says:

    AVG Proudly Announces It Will Sell Your Browsing History To Online Advertisers
    http://yro.slashdot.org/story/15/09/19/1319201/avg-proudly-announces-it-will-sell-your-browsing-history-to-online-advertisers

    AVG, the Czech antivirus company, has announced a new privacy policy in which it boldly and openly admits it will collect user details and sell them to online advertisers for the purpose of continuing to fund its freemium-based products. This new privacy policy is slated to come into effect starting October 15.

    AVG Proudly Announces It Will Sell Your Browsing History to Online Advertisers
    http://news.softpedia.com/news/avg-proudly-announces-it-will-sell-your-browsing-history-to-online-advertisers-492146.shtml

    “We collect non-personal data to make money from our free offerings so we can keep them free, including:

    - Advertising ID associated with your device;

    - Browsing and search history, including meta data;

    - Internet service provider or mobile network you use to connect to our products; and

    - Information regarding other applications you may have on your device and how they are used.”

    Because “free” is only “free” for users

    AVG has mentioned that it will not sell personal data like name, emails, addresses, or credit card details, but that these might sometimes leak inside the browsing history.

    When this happens, the company claims it will take precautionary measures to filter out personal details from the browsing history before selling it.

    AVG also adds that personal, identifiable information like addresses, age, or IPs, even if not sold, may sometimes be shared with collaborators.

    Reply
34. September 20, 2015 at 5:50 am

    Tomi Engdahl says:

    Crash Google Chrome with one tiny URL: We cram a probe in this bug
    How clicking on or even rolling your mouse over it will knacker browser
    http://www.theregister.co.uk/2015/09/20/chrome_url_crash/

    You can crash the latest version of Google Chrome with a simple tiny URL.

    Just rolling your mouse over it in a page, launching it from another app such as an email client, or pasting it into the address bar, will kill either that tab or the whole browser.

    It’s perfect for pranking friends by sending it to them in emails and messages.

    We’ve tested it on Chrome 45.0.2454.93 on OS X El Capitan and Windows 10, and both flavors of the browser are vulnerable. Chromebooks are also crashed by the URL, and Opera 32.0 which is based on Chromium 45, we’re told. Android’s Chrome is not affected, it seems.

    “Unfortunately no reward was awarded as this was deemed to be only a denial-of-service vulnerability,” wrote Atteka. “Anyway, making secure software is much harder than finding issues in it. Thanks Google.”

    Reply
35. September 20, 2015 at 5:53 am

    Tomi Engdahl says:

    Ask Slashdot: What To Do About Android Malware?
    http://ask.slashdot.org/story/15/09/19/1944236/ask-slashdot-what-to-do-about-android-malware

    What’s your approach to detecting and dealing with Android malware? I have a fairly new, fairly fancy phone running Android Lollipop, the recently degraded performance of which leads me to believe that it’s infected with malware. That, and a friend who noticed a lot of strange activity coming from my phone’s IP — sorry,

    Comments:

    Wipe it. Flash a new ROM; don’t install any other app stores, don’t download sketchy apps.
    If you have malware, that’s cause you (or someone with access to your phone) installed it. Don’t do that.

    In other words voluntarily lock yourself into a walled garden? But isn’t one of the biggest advantages of Android the freedom to install anything you want from any place you want?

    Unlike iOS Android allows you to side load apps *officially* but in this case all bets are off and you MUST understand what you’re doing. With Apple there’s no such freedom (unless you root your phone which is unsafe and voids your warranty) at all.

    So, Google’s walled garden is at your full discretion. If you like the feeling of safety you stay in it. If you want freedom, you can leave it any time you want. Most Android phones even allow you to have root if you’re hellbent on having total freedom [to destroy your device].
    Flag as Inappropriate

    The Amazon and F-Droid app stores are fine. Just avoid the less reputable ones until you learn the basics of computer use, like not installing dodgy cracked apps or “free” virus scans etc.

    The difference with a PC is that when a security vulnerability is found on a Dell running Windoes and Microsoft releases a patch, you don’t have to wait for Dell and Best Buy to hopefully allow you to update your PC.

    When Google releases a patch for Android, you have to hope that you phone manufacturer and your carrier push the patch to you.

    Reply
36. September 20, 2015 at 6:00 am

    Tomi Engdahl says:

    Two-week-old WordPress malware attack is blossoming into a real threat
    Sucuri research says that the attack is gaining weight
    http://www.theinquirer.net/inquirer/news/2426659/two-week-old-wordpress-malware-attack-is-blossoming-into-a-real-threat

    MALWARE DETECTING, preventing and protecting company Sucuri has warned the world about a problem in WordPress that is two weeks into the threat charts already and is rising rapidly.

    The malware is called VisitorTracker, and its aim should be self-explanatory. Sucuri said that incidents of infection have had a sharp uptick in recent days, and the firm – which reported on it just two weeks ago – hopes that its reprise and update of the information will inform WordPress and encourage it to take action to mitigate the problem.

    “This malware campaign is interesting. Its final goal is to use as many compromised websites as possible to redirect all their visitors to a Nuclear Exploit Kit landing page. These landing pages will try a wide variety of available browser exploits to infect the computers of unsuspecting visitors,” he said.

    “If you think about it, the compromised websites are just a means for the criminals to get access to as many endpoint desktops as they can. What’s the easiest way to reach out to endpoints? Websites, of course.”

    Reply
37. September 20, 2015 at 6:01 am

    Tomi Engdahl says:

    “We detected thousands of sites compromised with this malware just today and 95 percent of them are using WordPress. We do not have a specific entry point determined yet, but it seems to be a campaign targeting the latest vulnerabilities in plugins,” the firm said.

    Source: http://www.theinquirer.net/inquirer/news/2426659/two-week-old-wordpress-malware-attack-is-blossoming-into-a-real-threat

    Reply
38. September 20, 2015 at 6:09 am

    Tomi Engdahl says:

    Irony alert: Kardashian websites were easy to access and open to the public
    Oh noes! Such attention!
    http://www.theinquirer.net/inquirer/news/2426648/irony-alert-kardashian-websites-were-easy-to-access-and-open-to-the-public

    ANTI-PRIVACY COLLECTIVE the Kardashian family has exposed some of its fans, as opposed to its own posteriors, to the internet thanks to bad APIs and what we assume is a large collection of vacuous websites and applications.

    The Kardashians are about as open as the Bilderberg group is closed.

    If there was an app that told people when you were on the toilet they would probably be on it. The app that is, not the toilet.

    If they could live in a glass house under constant camera (and essential makeup and wardrobe) surveillance, they might even go for that. They like being the focus of attention.

    They might bask in the spotlight of the great unwashed and uninspired, but perhaps their fans would prefer a bit of privacy and not to have everything about them shared and scrutinised.

    Well, tough shit. A bit of apparently crappy software work has exposed 600,000 Kardashian fans, or subscribers, to the threat of online attacks, according to a post on TechCrunch.

    Kardashian Website Security Issue Exposes Names, Emails Of Over Half A Million Subscribers, Payment Info Safe
    http://techcrunch.com/2015/09/16/kardashian-website-security-issue-exposes-names-emails-of-over-half-a-million-subscribers-payment-info-safe/#.b5imzi:TJNd

    Alongside the launch of the Kardashian and Jenner mobile apps, which are now dominating the App Store after seeing hundreds of thousands of downloads apiece in their first days on the market, the celeb sisters also released new websites designed to help them better connect with their fans while offering a more personal look inside their lives.

    However, one enterprising young developer dug around those websites and immediately found an issue. Due to a misconfiguration, he was able to access the full names and email addresses of over 600,000 users who signed up for Kylie Jenner’s website as well as pull similar user data from the other websites.

    In addition, the developer said he had the ability to create and destroy users, photos, videos and more, though we understand he didn’t actually take those actions.

    On blogging site Medium, Smith explained how he was able to access the user data from Kylie Jenner’s website.

    As this was clearly a major issue in terms of security, and a surprising find given the high-profile nature of the websites, the developer immediately blogged about the problem on Medium where he posed the question: “should users trust not only their personal information, but also payment information with these apps?”

    In case you’ve been living under a rock, what he’s referring to is the fact that the new websites and apps from Kim Kardashian West, Khloé Kardashian, Kendall Jenner and Kylie Jenner, released earlier this week, offer up exclusive content to paid subscribers who provide their payment information.

    We reached out to the company behind the sites and apps, Whalerock Industries, to confirm the details of the data breach and the patch.

    For what it’s worth, the majority of the payments related to the sisters’ new tech properties were handled through the app stores, not via the web. We’ve also confirmed that Whalerock has been working with a third-party e-commerce provider to handle online payments. That means they were never hosting payment information on their own servers – something the team is likely thanking its lucky stars for right now.

    But from the sounds of things, the young developer probably didn’t realize just what he was getting himself into when he compromised the security surrounding the hottest celebrity tech launches of the year, nor how risky it was to openly disclose such a thing to the world, no matter if he had done so without malicious intentions in mind.

    Reply
39. September 20, 2015 at 6:11 am

    Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Active malware campaign has hijacked thousands of WordPress sites in just 15 days, has spiked to over 5K new infections daily — Active malware campaign uses thousands of WordPress sites to infect visitors — 15-day-old campaign has spiked in past 48 hours, with >5,000 new infections daily.

    Active malware campaign uses thousands of WordPress sites to infect visitors
    15-day-old campaign has spiked in past 48 hours, with >5,000 new infections daily.
    http://arstechnica.com/security/2015/09/active-malware-campaign-uses-thousands-of-wordpress-sites-to-infect-visitors/

    Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday.

    The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday,

    “If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can,”

    On Thursday, Sucuri detected thousands of compromised sites, 95 percent of which are running on WordPress. Company researchers have not yet determined how the sites are being hacked, but they suspect it involves vulnerabilities in WordPress plugins. Already, 17 percent of the hacked sites have been blacklisted by a Google service that warns users before they visit booby-trapped properties.

    Sucuri has dubbed the campaign “VisitorTracker,”

    Reply
40. September 20, 2015 at 5:01 pm

    Tomi Engdahl says:

    Centrify:
    IoT, the “Illusion of Trust” — Many businesses are placing trust in the cloud like they did for internal networks, without proper consideration for the challenges and deeper issues at hand. But the added convenience of cloud applications also comes with some serious potential downsides.

    IoT, the “Illusion of Trust” — Moving Trust from the Network to Users and Devices
    http://blog.centrify.com/internet-of-things-trust-cloud/

    Our always on, always connected world has fundamentally changed how businesses operate. Communicating with customers and employees will never be the same again with cloud solutions bringing many benefits by making things easier for businesses, and it’s happening whether we like it or not.

    But many businesses are placing trust in the cloud like they did for internal networks, without proper consideration for the challenges and deeper issues at hand. The added convenience of cloud applications also comes with a potential downside, such as potential security threats and surrender of control.

    Many people are familiar with the acronym “IoT,” and we understand it to mean the Internet of Things. This is a catch-all term nowadays all things cloud and smart connected devices. We believe there’s another meaning for these three letters — “Illusion of Trust.” We call it the Illusion of Trust because business owners don’t realize that cloud security is an issue. When businesses move their intranet services and data to cloud providers, they are likely placing “blind trust” in a traditional network security model that is not entirely reliable anymore.

    Leading organizations like Google, Coca-Cola, Verizon Communications Inc. and Mazda Motor Corp however are showing us examples that when they move their corporate applications to the Internet, they are also taking a new approach to enterprise security. It means flipping common corporate security practice on its head, shifting away from the idea of a trusted privileged internal corporate network secured by perimeter devices such as firewalls, in favor of a model where corporate data can be accessed from anywhere with the right device and user credentials.

    The new enterprise security model should hence assume that the internal network is as dangerous as the Internet. Access should depend on the employee’s device and user credentials.

    With this approach, trust is moved from the network level to the device level. Employees can only access corporate applications with a device that is procured and actively managed by the company.

    Then comes a cloud identity service that performs single sign-on, a user authentication portal that validates employee use against the user database and group database, validates correct device security posture against the device inventory database, then generates short-lived authorization for access to specific resources and steps-up to strong authentication using mobile MFA for critical resources.

    As companies adopt mobile and cloud technologies, the perimeter is becoming increasingly difficult to enforce, and it has made control and security harder — business owners are demanding solutions from their IT partners and providers, and this is where cloud identity providers play an important role to win the trust of businesses and cloud application providers.

    Reply
41. September 20, 2015 at 5:05 pm

    Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    The US Army, Navy, DARPA, others do not implement STARTTLS, a basic email encryption protocol

    How the US Military Fails to Protect Its Soldiers’ Emails
    http://motherboard.vice.com/read/how-the-us-military-fails-to-protect-soldiers-emails

    Many government agencies, including the US military, are leaving the emails of soldiers and government employees potentially in danger of being intercepted by spies and hackers by failing to implement a commonly used encryption technology.

    In the wake of the revelations of mass surveillance brought forth by Edward Snowden, the movement to promote the use of encryption technology across the internet has been seemingly unstoppable. Even the White House jumped on the “encrypt all the things” bandwagon this year, asking all government websites to use HTTPS web encryption to improve the security and privacy of their users.

    But as encryption spreads to government sites, it hasn’t reached government emails yet. Most of the military as well as the intelligence community do not use encryption to protect emails travelling across the internet.

    “This is a pervasive problem in the government,” Chris Soghoian, the principal technologist at the American Civil Liberties Union (ACLU), who’s been pushing for the adoption of more encryption for years, told Motherboard. “And in many ways it affects the parts on the government that should be more focused on security—they’re doing it worse.”

    “The military should not be sending any email that isn’t encrypted, period.“

    In fact, according to an online testing tool, among the military only the Air Force encrypts emails in transit using a technology called STARTTLS, which has existed since 2002. Other branches of the Pentagon, including the Army, the Navy, the Defense Security Service, and DARPA, don’t use it. Even the standard military email provider mail.mil, doesn’t support STARTTLS.

    In 1995, Bruce Schneier described email as nothing more than “a postcard that anyone can read along the way.” That’s been true for many years, and it is still true depending on your email provider. But that’s started to change in the last couple of years, with the rise of STARTTLS.

    STARTTLS is a protocol that encrypts emails travelling from email server to email server. When your email provider doesn’t support STARTTLS, your email might be encrypted going from your computer to your provider, but it will then travel across the internet in the clear (unless you used end-to-end encryption.)

    When your email provider, and the email provider of the person you’re sending the email to, both support STARTTLS, then the email is protected as it travels across.

    “I can’t think of a single technical reason why they wouldn’t use it,” he told Motherboard in a phone interview. “It’s absurd.”

    The risk of not encrypting emails in transit is that the messages sent and received by soldiers deployed outside of the United States could be intercepted by foreign governments controlling the internet infrastructure.

    Reply
42. September 21, 2015 at 11:34 am

    Tomi Engdahl says:

    APNewsBreak: Researchers say South Korea-backed child monitoring app was wide open to hackers
    http://www.foxbusiness.com/markets/2015/09/20/apnewsbreak-researchers-say-south-korea-backed-child-monitoring-app-was-wide/

    Security researchers say they found critical weaknesses in a South Korean government-mandated child surveillance app — vulnerabilities that left the private lives of the country’s youngest citizens open to hackers.

    In separate reports released Sunday, Internet watchdog group Citizen Lab and German software auditing company Cure53 said they found a catalogue of worrying problems with “Smart Sheriff,” the most popular of more than a dozen child monitoring programs South Korea requires for new smartphones sold to minors.

    “There was literally no security at all,” Cure53 director Mario Heiderich said. “We’ve never seen anything that fundamentally broken.”

    Smart Sheriff and its fellow surveillance apps are meant to serve as electronic baby sitters, letting parents know how much time their children are spending with their phones, keeping kids off objectionable websites and even alerting parents if their children send or receive messages with words like “bully” or “pregnancy.”

    In April, Seoul required new smartphones sold to those 18 and under to be equipped with such software — a first-of-its-kind move, according to Korea University law professor Park Kyung-sin. The Korean Communications Commission has promoted Smart Sheriff and schools have sent out letters to parents encouraging them to download the app.

    Sometime afterward, Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, and Cure53, acting on a request from the Washington-based Open Technology Fund, began sifting through Smart Sheriff’s code.

    What they found was “really, really bad,” Heiderich said.

    Children’s phone numbers, birth dates, web browsing history and other personal data were being sent across the Internet unencrypted, making them easy to intercept. Authentication weaknesses meant Smart Sheriff could easily be hijacked, turned off or tricked into sending bogus alerts to parents.

    “Smart Sheriff is the kind of baby sitter that leaves the doors unlocked and throws a party where everyone is invited,

    Citizen Lab said it alerted MOIBA, the association of South Korean mobile operators that developed and operated the app, to the problems on Aug. 3. When contacted Friday, MOIBA said the vulnerabilities had been fixed.

    The researchers were skeptical.

    “We suspect that very little of these measures taken actually remedy issues that we’ve flagged in the report,”

    Kwon Seok-chul, chief executive of computer security firm Cuvepia Inc., said the lingering weaknesses meant children’s data was still at risk.

    “From a hacker’s point of view, (the door) stays open,” he said.

    Many smartphone applications are unsafe, leaking private data or sending or storing it in risky ways.

    “This is not just a fitness tracker,” Deibert said. “It’s an application meant to satiate parents’ concerns about their children’s use of mobile or social media, which is in fact putting them at more risk.”

    Park, the law professor, said the security flaws should push the government “to revisit the whole idea of requiring a personal communication device to be equipped with software that allows another person to monitor and control that device.”

    Reply
43. September 21, 2015 at 11:36 am

    Tomi Engdahl says:

    Skype and Amazon fell – “The whole business with rotation of the cloud is soooo good idea”

    According to Skype, the service “is being a little overwhelmed.” The company says on Twitter that it is aware of the problem and seeks to correct it as soon as possible.

    Last night there were still problems in the Amazon in Web Services and with it a number of other online services, such as Netflix. Cloud services, problems have raised questions about the operational reliability.

    “Yeah, the whole business with rotation of the cloud is really sooooo much better idea,” commented Indeed, a user on Twitter.

    Source: http://www.tivi.fi/Kaikki_uutiset/skype-ja-amazon-kaatuivat-koko-bisneksen-pyorittaminen-pilvessa-onkin-niiiin-hyva-idea-3483921

    Reply
44. September 21, 2015 at 9:20 pm

    Tomi Engdahl says:

    Apple’s iOS 9 breaks VPNs
    https://thestack.com/security/2015/09/21/apples-ios-9-breaks-vpns/

    Apple’s iOS 9 has been built to meet various security standards, but researchers have discovered that the latest update also breaks a key security feature – Virtual Private Network (VPN) connections to corporate servers.

    The flaw was first detected in the iOS 9 beta, and has not been fixed in the released version. Neither has the bug been removed in the current iOS 9.1 beta.

    “Most notable is that when doing split tunneling, the Tunnel All DNS option no longer functions as expected.”

    Due to this incompatibility, DNS resolution will not work for some users depending on their network setup. Some corporate servers will no longer be available to users, even after successful login.

    VPN’s are a continual source of controversy, with many organisations and countries ready to ban the secure network tool. Russia in particular has taken an extremely aggressive stance against its use

    Reply
45. September 21, 2015 at 9:33 pm

    Tomi Engdahl says:

    Robert McMillan / Wall Street Journal:
    IBM is developing its own blockchain tech, plans to open source it in the next few months

    IBM Adapts Bitcoin Technology for Smart Contracts
    http://www.wsj.com/article_email/ibm-adapts-bitcoin-technology-for-smart-contracts-1442423444-lMyQjAxMTA1MjEzNjExODYyWj

    Tech giant developing its own version of blockchain technology, plans to release open source software within next few months

    International Business Machines Inc. thinks the technology that underpins the bitcoin digital currency can do a lot more than support cash 2.0. Within the next few months, the venerable tech giant plans to release open source software that could be used to create digital contracts that—like bitcoin transactions—would be recorded publicly and securely on a world-wide computer network.

    IBM is zeroing in on a technology called blockchain, which serves as bitcoin’s online ledger. Blockchain allows the bitcoin network to track the currency’s movement from one online wallet to another. But it could be used to log other types of transactions.

    “Blockchain, as a technology, is extremely interesting and intriguing,” said Arvind Krishna, senior vice president of IBM Research.

    Reply
46. September 22, 2015 at 9:16 am

    Tomi Engdahl says:

    Symantec employees fired for issuing rogue HTTPS certificate for Google
    Unauthorized credential was trusted by all browsers, but Google never authorized it.
    http://arstechnica.com/security/2015/09/symantec-employees-fired-for-issuing-rogue-https-certificate-for-google/

    Symantec has fired an undisclosed number of employees after they were caught issuing unauthorized cryptographic certificates that made it possible to impersonate HTTPS-protected Google webpages.

    “We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing,” Symantec officials wrote in a blog post published Friday. “All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the Internet.”

    The post went on to say that the unnamed employees were terminated for failing to follow Symantec policies. Symantec officials didn’t identify the three domains the test certificates covered, but in a separate blog post, Google researchers said Symantec’s Thawte-branded certificate authority service issued an Extended Validation pre-certificate for the domains google.com and http://www.google.com.

    “This pre-certificate was neither requested nor authorized by Google,” they wrote.

    The unauthorized certificate came to light after Google employees monitored logs associated with Google’s Certificate Transparency project. The program is designed to fix several structural flaws in the way HTTPS certificates are issued by providing an easy way to monitor their generation in real time. Among other things, the project makes it possible to detect transport layer security credentials that have been mistakenly issued by a browser-trusted certificate authority.

    The incident came five months after Google warned of a separate batch of bogus certificates that had been issued for several of its domains, including *.google.com, *.google.com.eg, *.g.doubleclick.net, *.gstatic.com, http://www.google.com, http://www.gmail.com, and *.googleapis.com. They were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operates under the China Internet Network Information Center (CNNIC).

    A Tough Day as Leaders
    http://www.symantec.com/connect/blogs/tough-day-leaders

    We learned on Wednesday that a small number of test certificates were inappropriately issued internally this week for three domains during product testing. All of these test certificates and keys were always within our control and were immediately revoked when we discovered the issue. There was no direct impact to any of the domains and never any danger to the Internet. Further, we are in the process of proactively notifying the domain owners and our major partners.

    While our processes and approach are based on the industry best practices that we helped create, we have immediately put in place additional processes and technical controls to eliminate the possibility of human error.

    In addition, we discovered that a few outstanding employees, who had successfully undergone our stringent on-boarding and security trainings, failed to follow our policies.

    Reply
47. September 22, 2015 at 10:39 am

    Tomi Engdahl says:

    Techie finds 1.5 MEELLION US medical records exposed on Amazon’s AWS
    Systema Software investigates what went wrong
    http://www.theregister.co.uk/2015/09/21/amazon_medical_gaffe/

    The private health records and contact information for as many as 1.5 million Americans have been found out in the open on Amazon’s cloud services.

    It has been claimed that the names, addresses, and phone numbers, along with biological health information including existing illnesses and current medications, were posted in the clear to Amazon S3 storage servers by insurers using Systema Software.

    The records were stored in an SQL database, and found under the URL sys-prod.s3.amazonaws.com.

    Texan techie Chris Vickery spotted the files on Amazon web servers and reported the breach to Systema Software.

    The company has since warned its affected customers and had began an investigation into what went wrong.

    He estimated that roughly one million social security numbers, five million financial transactions, and hundreds of thousands of injury reports had been exposed.

    The databases also included password hashes, login names and session information.

    Databreaches.net first reported the breach and said that exposed information included billing prices, various patient identification numbers, and some 4.7 million note entries including data on fraud investigations.

    Reply
48. September 22, 2015 at 10:39 am

    Tomi Engdahl says:

    AVG to flog your web browsing, search history from mid-October
    Your secrets sold to advertisers
    http://www.theregister.co.uk/2015/09/21/avg_freemium_browsing_history_slurp/

    Changes in the privacy policy of AVG’s free antivirus doodad will allow it to collect your web browsing and search history – and sell it to advertisers to bankroll its freemium security software products.

    The changes will come into play on 15 October, according to the Czech-based biz in a blog post.

    Understanding AVG’s new privacy policy
    http://now.avg.com/understanding-the-new-privacy-policy/

    Reply
49. September 22, 2015 at 10:40 am

    Tomi Engdahl says:

    Oops! Error by Systema Software exposes millions of records with insurance claims data and internal notes (Update2)
    http://www.databreaches.net/oops-error-by-systema-software-exposes-millions-of-records-with-insurance-claims-data-and-internal-notes/

    Reply
50. September 22, 2015 at 10:43 am

    Tomi Engdahl says:

    LinkedIn infosec bod proffers DIY Ubiquiti fix for automation zero day
    WiFi men prefer blog-snuffing to patching.
    http://www.theregister.co.uk/2015/09/22/linkedin_infosec_bod_proffers_diy_ubiquiti_fix_for_automation_zero_day/

    LinkedIn application Security Luca Carettoni has proffered a homebrew patch to close off a dangerous zero day hole that allows remote attackers to hijack home automation Ubiquiti mFi controllers.

    The holes in the automation systems remain officially unpatched despite working exploit code and vulnerability details being published and remaining accessible.

    Carettoni says the patch is a simple fix that Ubiquiti should have rushed out after the initial quiet disclosure was made in July.

    “It is reasonable to assume that the security flaw can be easily abused by unsophisticated attackers,” Carettoni says

    “… a quick search on Google is sufficient to find the exploit for this bug. Despite the public exposure, Ubiquiti has yet to publish a patch.

    “After waiting patiently for a few weeks, I created my own patch.”

    The mFiPatchMe fix took the application security man about an hour to brew without having any knowledge of the Ubiquiti codebase.

    SecuriTeam researchers describe how the mFi authentication mechanism can be bypassed.

    “Ubiquiti Networks mFi Controller Server installs a web management interface which … offers a login screen where only the administrator user can monitor and control remotely the configured devices,” they say.

    “Because of two errors inside the underlying (redacted) class, it is possible to bypass the authentication mechanism.

    “… a remote attacker could then login and perform unauthorised operations as administrator through the secure web interface.”

    Reply