Security trends for 2015

Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.

Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.”  Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers.  I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.

As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.

Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before.  End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    Daily Mail readers should be worried about the Angler exploit kit
    Coming over here, stealing our cyber security hacks and benefits
    http://www.theinquirer.net/inquirer/news/2430421/daily-mail-readers-should-be-worried-about-the-angler-exploit-kit

    MY, HASN’T THE ANGLER EXPLOIT GROWN? The overseas malware security threat has been caught flashing its side boob at the Daily Mail and affecting UK citizens with a foreign security threat.

    The Daily Mail is a sort of pornography site for people who would like to see pornography banned, and it expresses outrage at the drop of a hat.

    The publication manages to stay on top of important issues like errant nipples and ladies getting out of cars with pants on, but has fallen victim to malvertising, according to Malwarebytes.

    “There has been a lot of buzz about the powerful Angler exploit kit in recent days. One thing is for sure, the gangs using it are extremely resourceful and won’t let attempts at slowing them down get in the way,” said the security firm in a blog post.

    “This time it struck on popular British newspaper the Daily Mail which accounts for 156 million monthly visits, according to SimilarWeb.”

    “Malvertising has been one of the main infection vectors and continues to affect large publishers and ad networks through very distinct campaigns, very much like a whack-a-mole game,” Malwarebytes said.

    Reply
  2. Tomi Engdahl says:

    German police warn parents to stop posting photos of kids on Facebook
    https://thestack.com/world/2015/10/14/german-police-warn-parents-to-stop-posting-photos-of-kids-on-facebook/

    today’s practice of using social media has been cautioned against by Western German police. In a post earlier this week (ironically on Facebook), the statement urged parents to not post photos of their children on social media websites for everyone to see.

    In today’s advanced day and age, it’s common practice on social media sites such as Facebook, Twitter and Instagram – whether parents announce the birth of their first child, their child’s first birthday or their child’s first day at school with an accompanying photo.

    But the appeal from Hagen Police issued the caution on a number of levels – on a more light hearted note, the message said that while parents may consider the photos to be cute, in the near future, that son or daughter may not see it that way, instead finding them “endlessly embarrassing”.

    But on a more serious note, Hagen Police warned that such photos were open to use by bullies or paedophiles.

    Reply
  3. Tomi Engdahl says:

    Ukrainian Hacker Who Allegedly Tried to Frame Cyber-Security Expert Extradited to US
    http://abcnews.go.com/US/ukrainian-hacker-allegedly-frame-cyber-security-expert-extradited/story?id=34444896

    A Ukrainian man who allegedly tried to frame cyber-security expert Brian Krebs has been extradited to the United States and is due in Newark federal court today, prosecutors said.

    Sergey Vovnenko is accused of taking part in an international conspiracy to hack into the computer networks of individual users and corporations to steal log-in credentials and payment card data, prosecutors said.

    According to court records, Vovnenko operated a “botnet” — more than 13,000 computers infected with malicious computer software — programmed to gain unauthorized access to computers and to identify, store and export information from hacked computers.

    Hacker Who Sent Me Heroin Faces Charges in U.S.
    http://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-charges-in-u-s/

    A Ukrainian hacker who once hatched a plot to have heroin sent to my Virginia home and then alert police when the drugs arrived had his first appearance in a U.S. court today, after being extradited to the United States to face multiple cybercrime charges.

    Sergey Vovnenko, a.k.a. “Fly,” “Flycracker” and “MUXACC1” (muxa is transliterated Russian for “муха” which means “fly”), was set to appear in a Newark courtroom today on charges of stealing and selling credit card and banking data, emptying bank accounts, and running a botnet of more than 12,000 hacked computers and servers, among other alleged crimes.

    Reply
  4. Tomi Engdahl says:

    VXers eyeing ‘undetectable’ codeless code-injection technique
    Check your generic detection techniques at the door
    http://www.theregister.co.uk/2015/10/14/vxers_eyeing_undetectable_codeless_codeinjection_technique/

    Cyber Defence Summit enSilo founder Udi Yavo has detailed a new code injection technique he claims will become commonplace in coming months.

    The codeless code injection system is the latest in a series that is critical to the operation of malware and security software.

    Yavo revealed the attack at the Cyber Defence Summit in Washington DC today, but did not release the code.

    “It’s complex but we will soon see it out in the wild,” Yavo told El Reg.

    “We don’t want to give it straight to malware writers … but attacks we released January without code were still adopted by malware writer six months later.”

    Generic defensive techniques will not work, Yavo said, since discovering the attacks requires identification of artifacts.

    Those detection problems are becoming more common as injection techniques evolve.

    The attacks are becoming more specific since the creation of Powerloader, the first technique to use return oriented programming to change small code sequences to execute arbitrary operations.

    Reply
  5. Tomi Engdahl says:

    Kill Flash: Adobe says patch to fix under-attack hole still days away
    Disable the plugin – or enable click-to-play
    http://www.theregister.co.uk/2015/10/15/adobe_patch_for_critical_flash_flaw/

    Just a day after its monthly batch of security updates, Adobe has confirmed it will issue an emergency critical patch for Flash next week.

    With somewhat regrettable timing, given Adobe’s patching cycle, Trend Micro’s security researchers announced on Tuesday that it had discovered in the plugin a vulnerability, CVE-2015-7645, and that it was being used by hackers who were targeting officials in governments in NATO.

    Reply
  6. Tomi Engdahl says:

    Interpol is training police to fight crime on the Darknet
    http://www.zdnet.com/article/interpol-is-training-police-to-fight-crime-on-the-darknet/

    Police officers from around a dozen countries have just completed a five-day course on Tor hidden services, illegal marketplaces and cryptocurrencies to help them investigate crimes on the Darknet.

    Interpol has just completed its first training course designed to help police officers to use and understand the Darket. The five-day course was held in Singapore, and attended by officers from Australia, Finland, France, Ghana, Hong Kong, Indonesia, Japan, Netherlands, Singapore, Sri Lanka and Sweden. According to Interpol, the next course will be held in Brussels.

    The students did not, it seems, explore the Darknet itself. Interpol said in a statement that its Cyber Research Lab “created its own private Darknet network, private cryptocurrency and simulated marketplace, recreating the virtual ‘underground’ environment used by criminals to avoid detection.”

    Interpol, the International Criminal Police Organization, was founded in 1923 to help fight crime on a global basis, and 190 countries are members. It has no police officers, but enables the exchange of information about organized crime. drug trafficking, weapons smuggling, money laundering, child pornography, online crime and so on.

    Interpol Is Now Training Police to Fight Crime on “The Darknet”
    http://gizmodo.com/interpol-is-now-training-police-to-fight-crime-on-the-1721684556

    The arrest, trial and conviction of Silk Road founder Ross Ulbricht — and his sentence of life in prison — was a stark reminder that 21st century policing is a different game. And judging by the shitshow that was the Silk Road investigation, it’s one that the police need to get better at.

    Interpol is trying to help with preparing police forces for online crime by offering a training course in policing ‘the Darknet’. During the five-day course, officers from around the world got to play with a virtual online drug marketplace, acting as buyers, sellers and admins to get a better understanding of how Tor and Bitcoin, two fundamentals of illegal online marketplaces, actually function. They also got to practice seizing and taking down websites

    Given the decidedly global nature of online crime, it probably makes sense for police forces around the world to be learning from a similar playbook.

    Reply
  7. Tomi Engdahl says:

    No change in US law, no data transfer deals – German state DPA
    Look for non-US alternatives, say Schleswig-Holstein officials
    http://www.theregister.co.uk/2015/10/15/data_protection_safe_harbor_schrems_facebook/

    The data protection authority at the German federal state of Schleswig Holstein has declared that any and all data protection workarounds for the transfer of data to the US after the European Court of Justice’s Schrems v Facebook judgment are going to be illegal.

    In its first declaration on the post-Schrems legal landscape, the influential DPA says in a written opinion (in German) that only a change in US law can make US companies compliant with European legislation and has advised companies to adjust their business relationships accordingly.

    Following the ECJ’s Schrems decision, US companies have invoked “model clauses” , or template contracts, in the hope of legitimising the transfer of personal data to countries regarded as unsafe… such as the US. Microsoft and Salesforce have invoked the clauses.

    But the ULD (Schleswig-Holstein DPA) says these are no cover – at least not in the northern German state.

    “A decision of the Commission on the adequacy of the level of data protection in the United States requires a comprehensive change in US law as well as the conclusion of an international agreement. Because neither changes are currently [under way], both options are eliminated in the short – or medium term,” the DPA reckons.

    Reply
  8. Tomi Engdahl says:

    In a first, Chinese hackers are arrested at the behest of the U.S. government
    https://www.washingtonpost.com/world/national-security/in-a-first-chinese-hackers-are-arrested-at-the-behest-of-the-us-government/2015/10/09/0a7b0e46-6778-11e5-8325-a42b5a459b1e_story.html

    The Chinese government has quietly arrested a handful of hackers at the urging of the U.S. government — an unprecedented step to defuse tensions with Washington at a time when the Obama administration has threatened economic sanctions.

    The action came a week or two before President Xi Jinping’s state visit to Washington late last month. The hackers had been identified by U.S. officials as having stolen commercial secrets from U.S. firms to be sold or passed along to Chinese state-run companies.

    Reply
  9. Tomi Engdahl says:

    Teenagers hack ATM by reading the instructions
    Not punished, but late back from lunch
    http://www.theinquirer.net/inquirer/news/2349210/teenagers-hack-atm-by-reading-the-instructions?utm_source=Outbrain&utm_medium=Cpc&utm_campaign=Inquirer%252BReferral&WT.mc_is=977=obinsource

    TWO 14 YEAR OLD boys ‘hacked’ into their local bank’s cash machine by bothering to read the instructions.

    While most hacking attacks seem to involve gangs of shadowy renegades in hidden dens, the teens – Matthew Hewlett and Caleb Turon from Winnipeg, Canada – realised that, like most electronic devices, there was likely to be a manual for the ATM available online.

    The Bank of Montreal ATM in the pair’s local grocery store displayed a model number and, after downloading the appropriate manual, they hacked it with a combination of Occam’s Razor and staff stupidity.

    The machine had not been changed from its default passcode, allowing the boys to follow the instructions to the letter into the supervisor mode.

    Having beaten the system, the boys decided not to steal any money, but rather change the welcome message to customers to “Go Away. This machine has been hacked.” At this point they went into their local bank branch to report the discovery to rather bemused staff.

    Reply
  10. Tomi Engdahl says:

    ‘Traditional’ forms of thuggery decline in UK, cybercrime on the rise
    Or survey-takers misunderstood the question…
    http://www.theregister.co.uk/2015/10/15/cybercrime_uk_2015_statistics/

    The Office for National Statistics (ONS) has released information suggesting cybercrime incidents are growing more prevalent in British society than traditional criminal incidents, and has noted that this may be due to more criminal enterprises transitioning to the digital world.

    Reply
  11. Tomi Engdahl says:

    Hijacking Quadcopters with a MAVLink Exploit
    http://hackaday.com/2015/10/15/hijacking-quadcopters-with-a-mavlink-exploit/

    Not many people would like a quadcopter with an HD camera hovering above their property, and until now there’s no technical resource to tell drone pilots to buzz off. That would require actually talking to a person. Horrors. Why be reasonable when you can use a Raspberry Pi to hijack a drone? It’s the only reasonable thing to do, really.

    The folks at shellIntel have been messing around with quads for a while, and have recently stumbled upon a vulnerability in the Pixhawk flight controller and every other quadcopter that uses the MAVLink protocol. This includes the Parrot AR.drone, ArduPilot, PX4FMU, pxIMU, SmartAP, MatrixPilot, Armazila 10dM3UOP88, Hexo+, TauLabs and AutoQuad. Right now, the only requirement to make a drone fall out of the sky is a simple radio module and a computer. A Raspberry Pi was used in shellIntel’s demo.

    The exploit is a consequence of the MAVLink sending the channel or NetID used to send commands from the transmitter to the quadcopter in each radio frame.

    Unfortunately, this also means anyone with a MAVLink radio using the same NetID can disarm a quadcopter remotely, and anyone with a MAVLink radio can tell a quad to turn off, or even emulate the DJI Phantom’s ‘Return to China’ function.

    The only required hardware for this exploit is a $100 radio and three lines of code.

    http://www.shellntel.com/blog/2015/9/25/drone-code-execution

    https://en.wikipedia.org/wiki/MAVLink
    MAVLink or Micro Air Vehicle Link is a protocol for communicating with small unmanned vehicle. It is designed as a header-only message marshaling library. MAVLink was first released early 2009[1] by Lorenz Meier under LGPL license.
    It is used mostly for communication between a Ground Control Station (GCS) and Unmanned vehicles, and in the inter-communication of the subsystem of the vehicle. It can be used to transmit the orientation of the vehicle, its GPS location and speed.

    Reply
  12. Tomi Engdahl says:

    How to listen to (and delete) everything you’ve ever said to Google
    http://www.theguardian.com/technology/2015/oct/13/google-voice-activity-listen-delete-recordings

    Whether you’re asking directions or drunkenly swearing, Google never forgets, recording everything you’ve ever said to it. Do you dare listen back?

    Users of Google’s voice-control features such as OK Google are probably aware that the company stores the voice recordings it receives when they talk to it. But it’s still a bit of a shock to be confronted with a list of all the recordings the company has ever made of you.

    Google’s voice and audio activity page isn’t promoted heavily by the company, and visiting it gives a hint as to why. If you have (or have ever had) an Android phone with Google’s “OK Google” voice-control system, the page should show a list of every command you have ever given it – replete with a little play button next to it.

    The feature is one of a number of attempts by the company to demystify its data-collection service. Similarly, Google offers a location history, showing users any location the company has tracked them to, through apps such as Google Maps as well as simply using an Android phone.

    Turning voice Activity off doesn’t stop Google storing your recordings, but it means they get kept with an anonymous identifier, and can’t be easily linked back to your account.

    https://accounts.google.com/Login?continue=https://history.google.com/history/audio&hl=fi#identifier

    Reply
  13. Tomi Engdahl says:

    How The NSA Can Read Your Emails
    http://hackaday.com/2015/10/15/how-the-nsa-can-read-your-emails/

    Since [Snowden]’s release of thousands of classified documents in 2013, one question has tugged at the minds of security researchers: how, exactly, did the NSA apparently intercept VPN traffic, and decrypt SSH and HTTP, allowing the NSA to read millions of personal, private emails from persons around the globe? Every guess is invariably speculation, but a paper presented at the ACM Conference on Computer and Communications Security might shed some light on how the NSA appears to have broken some of the most widespread encryption used on the Internet (PDF).

    The relevant encryption discussed in the paper is Diffie–Hellman key exchange (D-H), the encryption used for HTTPS, SSH, and VPN. D-H relies on a shared very large prime number. By performing many, many computations, an attacker could pre-compute a ‘crack’ on an individual prime number, then apply a relatively small computation to decrypt any individual message that uses that prime number. If all applications used a different prime number, this wouldn’t be a problem. This is the difference between cryptography theory and practice; 92% of the top 1 Million Alexa HTTPS domains use the same two prime numbers for D-H. An attacker could pre-compute a crack on those two prime numbers and consequently be able to read nearly all Internet traffic through those servers.

    https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

    Reply
  14. Tomi Engdahl says:

    Slacker vendors’ one-fix-a-year effort leaves 88% of Androids vulnerable
    Nexus runs rings around rivals.
    http://www.theregister.co.uk/2015/10/16/slacker_vendors_onefixayear_effort_leaves_88_of_androids_vulnerable/

    Android vendors are hopeless at distributing patches and users of new handsets can expect just one update a year, leaving most exposed to critical vulnerabilities according to a new study.

    Cambridge University trio Daniel R Thomas, Alastair R Beresford, and Andrew Rice probed 20,400 devices and found 87.7 per cent contained at least one bad vulnerability that could leave handsets hosed.

    They say in the Security Metrics for the Android Ecosystem (PDF) the 11 vulnerabilities allowed attacks like dynamic link loading and injection, and could let malware to hijack traffic, brick phones, replace apps, and steal user credentials.

    Security Metrics for the Android Ecosystem
    https://www.cl.cam.ac.uk/~drt24/papers/spsm-scoring.pdf

    The security of Android depends on the timely delivery of
    updates to x critical vulnerabilities. In this paper we map
    the complex network of players in the Android ecosystem
    who must collaborate to provide updates, and determine
    that inaction by some manufacturers and network operators
    means many handsets are vulnerable to critical vulnerabilities.

    CONCLUSION
    The security of Android depends on the timely delivery
    of updates to x critical vulnerabilities. Unfortunately few
    devices receive prompt updates, with an overall average of
    1.26 updates per year, leaving devices unpatched for long
    periods. We showed that the bottleneck for the delivery of
    updates in the Android ecosystem rests with the manufac-
    turers, who fail to provide updates to x critical vulnera-
    bilities. This arises in part because the market for Android
    security today is like the market for lemons: there is infor-
    mation asymmetry between the manufacturer, who knows
    whether the device is currently secure and will receive up-
    dates, and the consumer, who does not.
    Consequently there is little incentive for manufacturers to
    provide updates.

    Reply
  15. Tomi Engdahl says:

    Malware, restoring data: What keeps data center techies up all night
    Runaway software nasties are nightmare fuel for IT security pros, says survey
    http://www.theregister.co.uk/2015/10/15/data_center_cloud_security_survey_sans/

    A majority of organizations polled in a data center and cloud security survey are dissatisfied with their malware containment and recovery times.

    More than half (55 per cent) of survey respondents were dissatisfied with the length of time it takes them to contain and recover from hacker infiltrations and malware infections, with more than 17 per cent of respondents needing more than a week to contain an contagion. About 37 per cent reported containment times of up to eight hours.

    The wide range of response times may be the result of the inability of some traditional security tools to assist organizations in detecting and managing assault scenarios. Most survey respondents use traditional security tools such as firewalls, IDSs (intrusion detection systems), intrusion prevention systems, identity and access management, and anti-malware.

    “When it comes to limiting damage and preventing data breaches, time continues to be the biggest challenge for security and risk professionals,” said SANS analyst Dave Shackleford. “Most respondents said they use traditional tools to monitor traffic between data centers and internal or external clouds, and are unhappy with the level of visibility and containment speeds they get. If our security stance is going to improve, we need better visibility, the ability to make configuration changes faster, and to contain attacks more quickly.”

    The State of Dynamic Data Center and Cloud Security in the Modern Enterprise
    http://cdn2.hubspot.net/hubfs/407749/Downloads/The-State-of-Dynamic-Data-Center-and-Cloud-Security_in-the-Modern-Enterprise.pdf

    Reply
  16. Tomi Engdahl says:

    Privacy Debate Flares in Smart City
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1328011&

    Mia Nyegaard wants her privacy. It’s both a reasonable request and a tall order in this digital age of information.

    “I’d like to see a privacy-by-design plan,” she told a recent gathering on smart cities. “Only take the data needed, only keep it for the time needed. I want privacy to be a default rather than something I need to think about,” she said.

    Like many urban centers, Copenhagen wants to be a smart city. It’s developing a big data platform with partners and recently launched an investment fund with 500 million Danish kroner for companies testing applications in a new solutions lab there.

    Among other projects it has smart bus and cycling programs in the works – more than half of Copenhagen’s working population commute to work via bicycle. The town is also part of Almanac, a smart city research project managed by the European Commission that also involves Turin and Stockholm.

    It’s all good, but it can easily go all wrong from Nyegaard’s perspective. “We get Christmas lights in our eyes when we see these new technologies, and don’t think about people misusing data,” she said.

    She cites Edward Snowden who leaked details about the U.S. government’s extensive computer surveillance program. “Saying you don’t care about privacy because you have nothing to hide is like arguing against free speech because you have nothing to say,” she said.

    “We can’t live in a zero-risk society, but we can live in one that quantifies the risks,”

    “This is a data management problem,” said Thestrup vowing to help draft a data privacy charter for Copenhagen. “We already have an EU directive on the right to be forgotten and minimal data collection…I’d like to see a data management brand in the form of a CE mark for privacy,” he said referring to Europe’s safety logo for electronic devices.

    Reply
  17. Tomi Engdahl says:

    Deborah Gage / Wall Street Journal:
    Cloud computing company Bracket raises $45M from Fidelity, Goldman Sachs, and others, bringing total funding to more than $130M

    Bracket Raises $45 Million to Make Cloud Computing Easier
    http://blogs.wsj.com/venturecapital/2015/10/14/bracket-raises-45-million-to-make-cloud-computing-easier/

    A year after emerging with technology to protect corporate customers from some of the downsides of cloud computing, Bracket Computing Inc. has added $45 million to its coffers, taking total funding in the young company to more than $130 million.

    Fidelity Management and Research Co. and Goldman Sachs GS +3.04% participated in the round, along with several current investors. Valuation wasn’t disclosed, but it is less than $1 billion, the company said.

    The company has developed software, called the Computing Cell, that envelops a customer’s applications, data and associated security, networking and data management into a single construct. The cell can run across multiple public clouds and in the customer’s own data center, offering security and protection from the performance changes that can occur in cloud computing.

    Customers hold the digital keys to their data, which is encrypted, and Bracket runs it, reserving hardware at cloud providers when necessary and distributing the data across multiple machines to smooth performance and improve speed.

    Reply
  18. Tomi Engdahl says:

    Katie Collins / CNET:
    US, UK, and EU law enforcement shuts down Dridex banking malware that stole $31M from UK bank accounts

    Hackers siphon off $31 million from British bank accounts
    http://www.cnet.com/news/hackers-siphon-off-31-million-from-british-bank-accounts/

    Crime agencies from across Europe partner with the FBI to investigate and shut down the spread of Dridex banking malware.

    malware called Dridex, first detected around November 2014. Once a computer has been infected with Dridex, hackers can gain access and steal the owner’s bank details. Money can then be slowly siphoned out of an account on a monthly basis.

    Only British bank accounts have been affected so far, but financial institutions worldwide have been targeted by Dridex. The malware was created by highly adept cybercriminals from Eastern Europe, the crime agencies said, and has been designed to go unnoticed. That makes the hackers themselves extremely difficult to track down.

    Malware attacks aimed at nabbing people’s banking information have been around since the advent of online banking. But they increased 9 percent last year, according to security researcher Kaspersky Labs. Before Dridex, there was Cridex, and before Cridex there were many other types of malware. As consumers grow increasingly wise to malware attacks, hackers become ever-more accomplished at disguising them.

    “Those who commit cybercrime are very often highly skilled and can be operating from different countries and continents,” Robert Anderson, executive assistant director of the FBI, said in a statement. “They can and will deploy new malware and we, along with our partners, are alive to this threat and are constantly devising new approaches to tackle cybercrime.”

    Reply
  19. Tomi Engdahl says:

    Nicole Lee / Engadget:
    Yahoo Mail offers password-less login, which ties authentication to your smartphone with an Account Key app, and adds third-party email support to updated apps

    Yahoo Mail drops passwords and adds third-party email support for new apps
    http://www.engadget.com/2015/10/15/yahoo-mail-update/

    Reply
  20. Tomi Engdahl says:

    Don’t underestimate the value of EMC II’s experience solving hardware and software integration issues. EMC knows more about enterprise storage than any other company on the planet, and enterprise storage is – next to information security – the hardest thing there is to design and build in IT.

    The storage bits don’t matter so much. What matters is the experience of integrating complicated and outright miserable software with eleventy squillion odd quirks onto commodity hardware that falls over in a gentle breeze. Designing not only the hardware and software, but the development, support and business processes to put out equipment that the whole world quite literally bets people’s lives on is what I’m talking about.

    RSA is critical, and was irresponsibly underused and horrifically mismanaged under EMC’s stewardship.

    The problem with security is that most of those working in IT today – either at the sharp end or the business end – treat it as an afterthought. People who actually live and breathe information security are their own category, separate and distinct from other nerds.

    Dell/EMC will have to make some security purchases in the future to flesh out its security offerings

    Information security is going to be one of the most important revenue streams of the next 50 years of computing, if not the most important. Though RSA is overlooked by almost everyone in this acquisition, it is the seed of the future for a large part of Dell’s revenues. Properly cared for it may be to Dell what VMware was to EMC.

    Source: http://www.theregister.co.uk/2015/10/16/dell_bought_emc_is_this_the_end_salvation/?page=2

    Reply
  21. Tomi Engdahl says:

    Documents Expose the Inner Workings of Obama’s Drone Wars
    http://news.slashdot.org/story/15/10/16/0314236/documents-expose-the-inner-workings-of-obamas-drone-wars?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    A little over 2-years-ago Edward Snowden leaked a giant batch of NSA documents, Chelsea Manning handed Wikileaks a pile of government secrets in 2010, and now another source has leaked an equally impressive cache of papers focusing on Obama’s drone program.

    A Second Snowden Has Leaked a Mother Lode of Drone Docs
    http://www.wired.com/2015/10/a-second-snowden-leaks-a-mother-lode-of-drone-docs/?mbid=social_twitter

    Perhaps most eye-opening is the disclosure that as much as 90% of attacks over a five month period hit the wrong targets.

    The Assassination Complex
    Secret military documents expose the inner workings of Obama’s drone wars
    https://theintercept.com/drone-papers/the-assassination-complex/

    Reply
  22. Tomi Engdahl says:

    Protection, Privacy and Playoffs
    http://www.linuxjournal.com/content/protection-privacy-and-playoffs?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

    I’m not generally a privacy nut when it comes to my digital life. That’s not really a good thing, as I think privacy is important, but it often can be very inconvenient.

    Somewhere I don’t like to slack off on security is when I’m out and about, especially on someone else’s network. Make that a public Wi-Fi network, and my paranoia level skyrockets. I always have a VPN set up at home so I can connect remotely, but sometimes my home bandwidth is just too slow for comfortable remote use. Recently I paid $39.95 for a year subscription to http://www.privateinternetaccess.com, and I couldn’t be any happier with my decision.

    PIA offers PPTP, OpenVPN, L2TP/IPSec and the ability to connect up to five devices at the same time. That means I can protect my network (I don’t really trust Charter) and connect my laptop while on the road. PIA offers unlimited bandwidth, it doesn’t log traffic, and even the account purchasing is anonymous.

    Reply
  23. Tomi Engdahl says:

    A Second Snowden Has Leaked a Mother Lode of Drone Docs
    http://www.wired.com/2015/10/a-second-snowden-leaks-a-mother-lode-of-drone-docs/

    It’s been just over two years since Edward Snowden leaked a massive trove of NSA documents, and more than five since Chelsea Manning gave WikiLeaks a megacache of military and diplomatic secrets. Now there appears to be a new source on that scale of classified leaks—this time with a focus on drones.

    Reply
  24. Tomi Engdahl says:

    Experts Have No Confidence That We Can Protect Cars and Streets From Hackers
    http://tech.slashdot.org/story/15/10/16/1211228/experts-have-no-confidence-that-we-can-protect-cars-and-streets-from-hackers

    Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they’ll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office.

    Experts have no confidence that we can protect next-gen streets and cars from hackers
    http://www.dailydot.com/politics/vehicle-to-infrastructure-internet-connected-roads-security-gao-survey/

    Our cars are quickly transforming into 5,000-pound computers with wheels—one of the most dangerous weapons a hacker can attack.

    The streets themselves will soon connect to the Internet in networks called V2I (vehicle-to-infrastructure), which carry significant transportation and safety benefits but also offer more targets for hackers. Can the networks be protected from attacks that might track vehicles or steal personal information?

    Security is the foremost challenge for the emerging V2I technology, according to a Government Accountability Office (GAO) survey of government experts, academics, and industry specialists. Fewer than half of the experts surveyed said that it would be possible to develop a secure system.

    In the not-so-distant future, your car will talk to traffic lights over a wireless connection to warn you not to run red lights. Roads will tell you when weather has made driving unsafe, and intersections will tell you the most environmentally friendly speed at which to drive.

    The Department of Transportation is currently researching how to keep these new networks secure, and so far, they don’t have the answer.

    At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing “a more active leadership role” for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational.

    Privacy will be a key component of the new road networks. Data generated by V2I networks may be given to academics, government agencies, and private companies for research purposes. The Transportation Department is only just beginning to research the best ways to protect that data.

    Japan already operates V2I technology, and Japanese officials have urged their American counterparts to use strong encryption and delete old data. Japan doesn’t share its V2I data with industry or academic partners and has had no security issues with its system thus far.

    The Transportation Department will provide up to $100 million in the next five years to deploy V2I technology. Its goal is to make 20 percent of U.S. intersections V2I-capable by 2025, and 80 percent by 2040.

    Vehicle-to-Infrastructure Technologies Expected to Offer Benefits, but Deployment Challenges Exist
    http://www.gao.gov/assets/680/672548.pdf

    Reply
  25. Tomi Engdahl says:

    Uber Exposed The Personal Information Of Hundreds Of Drivers
    http://www.forbes.com/sites/abigailtracy/2015/10/14/uber-data-leak-exposed-personal-information-hundreds-of-drivers/

    Uber failed to protect the personal information of its drivers and exposed the Social Security numbers, tax information and drivers license numbers of hundreds.

    Motherboard and Gawker were the first media outlets to report on the information leak but it was Uber drivers who first learned of the apparently accidental data breach.

    Reply
  26. Tomi Engdahl says:

    What Does Security Mean to the “Unwashed Masses”?
    http://www.securityweek.com/what-does-security-mean-unwashed-masses

    There is a great deal of wisdom contained in the well-known idea that we can each learn something from everyone we meet. As you may have already guessed, I’d like to take a look at this concept from a security perspective. To understand what I mean by this, and how we can learn security lessons from everyone, let’s dig a bit deeper into the idea.

    when I ask non-security people what security means to them, I generally get one of four responses:

    1) Don’t you fix laptops? / It’s all computers, right? / Can you help me fix my laptop?

    2) I’ve gotten a new credit card four times in the last two years.

    3) Someone hacked my email account. How did that happen?

    4) Why do hackers keep stealing so much information from government and business? Why does this keep happening and why are we letting them get away with it?

    If you think these four responses sound elementary, childish, or uneducated, then I would ask you to reconsider that viewpoint. These responses give us stark insight into the way that most people outside of our profession think about security. They focus on how it affects them and want to understand why if affects them. Because of that, we need to take a lesson from these responses. But what lesson should we take?

    Let’s face it. Most people in the world in which we live are not very security literate.

    If we are to have any chance of reaching the non-security masses with our security message, we have to do it in terms they are comfortable with. That means relaying, communicating, and socializing complex security topics, concepts, practices, and explanations in everyday terms. It means embracing people’s thirst for knowledge, rather than condescending, casting them aside, or looking upon them unfavorably because they aren’t in the know. Educate. Try to help. Don’t lecture. Don’t mock. Don’t condescend. Don’t think you’re better.

    Reply
  27. Tomi Engdahl says:

    “Probability” – The Red Herring Killing Security
    http://www.securityweek.com/probability-red-herring-killing-security

    Many people in security are talking about “risk.” But like Inigo Montoya says, “You keep using that word, but I do not think it means what you think it means.” Perhaps the most important thing that I’ve learned that too many of us are doing terribly wrong is using probability in our formulas. Here’s why.

    Most of the simple risk formulas I’ve seen used are based off probability * impact. That sounds reasonable at first glance, and I think it’s fair to say that most of us don’t give it a second thought. The problem is that in the edge case where impact is very large but probability is very low you end up with a low risk. That’s completely wrong.

    The problem this approach illustrates is that if something has a high impact the probability basically doesn’t matter… it’s still a high risk. In security we need to understand this and stop with the bad math problems that illustrate how we simply don’t understand what we’re doing. Security folks have been accused of not really “getting” risk, and that’s fair. I think most don’t. Questionable (or just wrong) math doesn’t help.

    If not probability, then what? The answer lies in something even more difficult to gather than the magic that is probability metrics. What we need to make the formula work is asset value. A simplistic formula of value * impact will give us an ‘at-risk’ metric that is usable for security.

    There also is the issue of giving assets a price tag. I would go out on a limb to say that many in IT simply don’t know but take bad guesses. This is why you want someone outside of IT to provide these answers. What are these assets you’re trying to protect worth to the enterprise? What is the impact if they are disabled/lost/stolen? I think these types of discussions are what security professionals, at all levels, need to have with the people who drive the enterprise. I believe when it comes to having concrete discussions about risk, the simpler the better.

    Reply
  28. Tomi Engdahl says:

    Security: An Innovation Enabler for Retailers
    http://www.securityweek.com/security-innovation-enabler-retailers

    To better protect POS systems and innovate to improve customer satisfaction and operational efficiency, retailers need to think differently about security

    Last year retail data breaches were in the news like never before. While the actual number of data breaches was fewer than the number experienced by government agencies and financial institutions according to the 2015 Verizon Data Breach Investigations Report (VDBIR), they were more visible since they involved brands we all know so well. The breaches affected more than 100 million consumers who shop at these popular stores – and those are just the ones we know about in the U.S.

    When retailers experience a high-profile breach, profits fall, customer dissatisfaction lingers, executives lose their jobs, and breach-related financial expenses soar. With large amounts of financial, personal, and even medical information on their networks, the retail industry will continue to be an attractive target to attackers for years to come. In fact, opportunities for attackers will likely increase as retailers, striving to remain competitive, jump on the latest trends, including:

    Creating a hyper-relevant experience for consumers. The means enabling a shopper to accomplish what they want to do at that moment – be it maximizing loyalty points, getting through a checkout line quickly, or obtaining help from a store associate. To accomplish this level of real-time service new Internet of Everything (IoE) technologies such as sensors, Wi-Fi, beacons, mobile devices, and RFID tags must become part of the IT infrastructure.

    Adopting mobile Point of Sale (mPOS) systems. As legacy POS systems are refreshed, mPOS systems are being rapidly adopted. Using mobile devices for POS brings the checkout experience closer to the consumer but these systems must be able to quickly access consumer data and provide an efficient, secure experience.

    A typical POS attack unfolds in the following manner:

    1. Attackers first gain a foothold in a system. This may be by exploiting a vulnerability, spear-phishing a third party vendor, or even employee involvement.

    2. Having gained access, attackers exploit vulnerabilities and weaknesses to gain full control over the system.

    3. The attackers then survey the internal network to find ways to expand the breach and take further control, ultimately reaching the POS systems.

    4. Attackers install malware on POS systems by exploiting vulnerabilities or by compromising system update functionality.

    5. Once installed on the POS system, the malware collects financial and personal data.

    6. Stolen data is transferred to a system with Internet access.

    7. Stolen data is exfiltrated outside of the organization to the attacker.

    What’s needed is a threat-centric approach to security with protection along the full attack continuum – before, during, and after an attack.

    Before an attack there’s more you can do besides applying prevention-based controls. You need total visibility into your environment including new mPOS systems; network segmentation

    During an attack you need the ability to continuously detect and block malware that has already penetrated the network as well as contextual awareness

    After an attack you need to be able to marginalize the impact of that attack

    Reply
  29. Tomi Engdahl says:

    Think your mobile calls and texts are private? It ain’t necessarily so
    SS7 vulns expose us all – even location can be tracked
    http://www.theregister.co.uk/2015/10/16/ss7_security_flaws_mobile_networking/

    Mobile networks around the world have been penetrated by criminals and governments via bugs in signalling code.

    Security holes have been found in a technology known as Signalling System 7 (SS7), which helps to interconnect international mobile networks across the globe.

    AdaptiveMobile has uncovered evidence of global SS7 network attacks causing damage to mobile operators around the world after partnering with mobile operators and networks to analyse and secure the SS7 traffic across their networks.

    Exploits, including location tracking and call interception, are said to be rife. The study also uncovered evidence of attempted fraud, focusing on Europe, Middle East and the Americas.

    The results are a serious concern but not entirely surprising. Flaws in SS7 have been known about for years and readily lend themselves to surveillance, both targeted and on a grand scale, allowing miscreants to tap into calls, read text messages and divert traffic.

    In one well documented case, SS7 flaws were used to redirect sensitive conversations of targeted individuals on the MTS Ukraine network to a Russian mobile operator.

    By contrast, SS7 is far more robust when it comes to the security and integrity of billing functionality. Even so, some studies have suggested SS7 loopholes can be abused to move credit between mobile accounts.

    Attacks such as ”silent SMS pings” can be used to locate mobile phones anywhere in the world via SS7.

    Details of SS7 vulnerabilities were publically revealed for the first time at the Chaos Communication Congress hacker conference in Hamburg last December. El Reg’s story on the CCC presentation provides more info on how the ageing SS7 protocol works as well potential attacks.

    AdaptiveMobile’s SS7 Protection service, launched in February 2015, aims to analyse and secure the SS7 traffic travelling through operator networks. The firm uses the combination of an SS7 Firewall, advanced reporting and threat intelligence to identify and combat threats.

    White hats do an NSA, figure out LIVE PHONE TRACKING via protocol vuln
    SS7 hole already used in Ukraine & Russia
    http://www.theregister.co.uk/2014/12/26/ss7_attacks/

    Reply
  30. Tomi Engdahl says:

    Emil Protalinski / VentureBeat:
    Google removes “OK Google” hotword to trigger voice search from Chrome for Mac, Linux, and Windows — Google removes ‘OK Google’ voice search from Chrome — Google this week released Chrome 46, adding a slew of new developer features and simplifying the page’s security icon.

    Google removes ‘OK Google’ voice search from Chrome
    http://venturebeat.com/2015/10/16/google-removes-ok-google-voice-search-from-chrome/

    The removal of this feature only affects the desktop version of Chrome: Windows, Mac, and Linux users no longer have the ability to use the “OK Google” voice action. Users of Chrome for mobile, as well as Chromebooks, will still be able to say “OK Google” and start searching.

    Furthermore, we want to emphasize that this doesn’t mean voice search in Chrome for desktop is going away. You can still access the functionality on the New Tab Page and on any Google.com page — you’ll just have to click on the mic icon first.

    Reply
  31. Tomi Engdahl says:

    Julia Fioretti / Reuters:
    EU privacy regulators give EU, U.S. three months to find new data pact
    http://www.reuters.com/article/2015/10/16/us-eu-privacy-idUSKCN0SA2GA20151016

    Companies could face action from European privacy regulators if the European Commission and United States do not come up with a new system enabling them to shuffle data across the Atlantic in three months, the regulators said on Friday.

    The highest EU court last week struck down a system known as Safe Harbour used by over 4,000 firms to transfer personal data to the United States, leaving companies without alternatives scrambling to put new legal measures in place to ensure everyday business could continue.

    Under EU data protection law, companies cannot transfer EU citizens’ personal data to countries outside the EU deemed to have insufficient privacy safeguards, of which the United States is one.

    Reply
  32. Tomi Engdahl says:

    SMTP bug-hunt turns up vuln in LibreSSL
    Code review: it works
    http://www.theregister.co.uk/2015/10/19/snmp_bughunt_turns_up_vuln_in_libressl/

    Code reviewers looking over a mail daemon have turned up a couple of reasonably serious bugs in the Libre SSL code base – and along the way provided a handy illustration of the deep interdependencies between software.

    What they’ve found is that there’s a companion memory leak (CVE-2015-5333) and buffer overflow (CVE-2015-5334) in the SSL replacement candidate.

    The memory leak provides a path for an attacker to cause a denial-of-service attack, and also permits triggering of the buffer overflow.

    Reply
  33. Tomi Engdahl says:

    Google, Facebook, Microsoft and Yahoo sweat over controversial CISA bill
    Trade group lets off a warning about technology treaties
    http://www.theinquirer.net/inquirer/news/2430753/google-facebook-and-yahoo-sweat-over-controversial-cybersecurity-information-sharing-act-of-2015

    A CLUSTERWANG OF TECHNOLOGY COMPANIES has warned against the latest controversial legislative proposition from the US government, the onerous-sounding Cybersecurity Information Sharing Act (CISA).

    The CISA is up for debate in the dusty Senate in the next few weeks. It is painted as a benefit in terms of terrorism and information sharing, but the Computer & Communications Industry Association (CCIA), which supports such aims, sees it as a big negative and would like to see it rewritten.

    “The CCIA fully supports [the] goal. However, the CCIA is unable to support CISA as it is currently written. CISA’s prescribed mechanism for the sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government,” said the CCIA in a blog post.

    Reply
  34. Tomi Engdahl says:

    Kashmir Hill / Fusion:
    Law enforcement requesting suspects’ DNA data from databases of Ancestry and 23andMe

    Cops are asking Ancestry.com and 23andMe for their customers’ DNA
    http://fusion.net/story/215204/law-enforcement-agencies-are-asking-ancestry-com-and-23andme-for-their-customers-dna/

    When companies like Ancestry.com and 23andMe first invited people to send in their DNA for genealogy tracing and medical diagnostic tests, privacy advocates warned about the creation of giant genetic databases that might one day be used against participants by law enforcement. DNA, after all, can be a key to solving crimes. It “has serious information about you and your family,” genetic privacy advocate Jeremy Gruber told me back in 2010 when such services were just getting popular.

    Now, five years later, when 23andMe and Ancestry both have over a million customers, those warnings are looking prescient. “Your relative’s DNA could turn you into a suspect,” warns Wired, writing about a case from earlier this year, in which New Orleans filmmaker Michael Usry became a suspect in an unsolved murder case after cops did a familial genetic search using semen collected in 1996.

    The FBI maintains a national genetic database with samples from convicts and arrestees, but this was the most public example of cops turning to private genetic databases to find a suspect. But it’s not the only time it’s happened, and it means that people who submitted genetic samples for reasons of health, curiosity, or to advance science could now end up in a genetic line-up of criminal suspects.

    Both Ancestry.com and 23andMe stipulate in their privacy policies that they will turn information over to law enforcement if served with a court order.

    “It has this really Orwellian state feeling to it,” Murphy said to the Advocate.

    Reply
  35. Tomi Engdahl says:

    1Password Leaks Your Data
    http://myers.io/2015/10/22/1password-leaks-your-data/

    Seriously.

    For those of you who don’t know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. 1Password originally only used the “Agile Keychain” format to store their data (not including when they were OS X keychain only). This format basically stores your data as a series of JavaScript files which are decrypted your data when you supply your master password. Since the files are JavaScript and implementations of various crypto algorithms exist in JavaScript, there was no reason why AgileBits couldn’t come along and make a HTML and JavaScript client for viewing your data, so they did.

    If you browse to your .agilekeychain “file” on disk, you find that it is actually a directory. Inside this directory is a file named “1Password.html”. If you access this file over HTTP (note that using the file protocol won’t work), you will be greeted with a grey page which has a lock image and a password field. Enter your password and your keychain will unlock and you have a read only view of your data.

    So what’s the problem? Well, it turns out that your metadata isn’t encrypted.

    For those of you thinking “So what?”, perhaps you have nothing of interest in there, but there are other considerations

    Anyone who knows the link to the main log in page for my keychain can just alter the link and get this file. They can go through and find out exactly what shady sites I have accounts on, what software I have licences for, the bank card and accounts I hold, the titles of any secure notes I have, any anything else I’ve decided to store in there.

    The second concern, and possibly larger concern, is that the login location is stored with the entry title. In other words, if I sign in at https://example.com/login then that is stored with the keychain entry. In 99% of cases this isn’t an issue. It’s the 1% of cases which are a concern.

    But it gets worse. I decided to have a look and see just how bad things were.

    So what do we do now?

    Well, in December 2012, AgileBits changed the format of their keychain from the Agile Keychain, to OPVault. So how is this new format?

    Let me summarise: Do not use the Agile Keychain format. It leaks your data. If you are using it, convert it to the OPVault format immediately.

    I’ve used 1Password for a few years now. In that time I’ve watched password managers rise and fall due to security holes. 1Password stood solidly against this onslaught and I stood by it. After this my confidence has been shaken. However, I will continue to use 1Password.

    Reply
  36. Tomi Engdahl says:

    Bloomberg: Attackers hit the Dow Jones, tried to make money

    Russian hacker suspected to have benefited from yet unpublished information about share deals, news agency Bloomberg says on the basis of anonymous sources.

    Russian hacker group suspected of being hacked in the American economy in the Dow Jones, the publisher’s servers. The group is suspected of having stolen information, and they have benefited from the stock market, the news agency Bloomberg says. The news agency set up their stories of four wished to remain anonymous source data.

    If hackers have got hold of yet unpublished information envisaged by such companies as mergers and acquisitions, they have been able to get a valuable competitive advantage over other stock exchange operators themselves.

    According to sources, the US Federal Bureau of Investigation, the secret services and the securities market supervisor SEC lead the investigation.

    Dow Jones has not confirmed that the investigation would be running.

    Dow Jones recently told Unobtrusive data breach, in which hackers had sought the Dow Jones customer contact and payment information.

    Source: http://www.digitoday.fi/tietoturva/2015/10/19/bloomberg-hyokkaajat-iskivat-dow-jonesiin-yrittivat-lyoda-rahoiksi/201513607/66?rss=6

    Reply
  37. Tomi Engdahl says:

    New Facebook security feature:

    Notifications for targeted attacks
    https://www.facebook.com/notes/facebook-security/notifications-for-targeted-attacks/10153092994615766

    The security of people’s accounts is paramount at Facebook, which is why we constantly monitor for potentially malicious activity and offer many options to proactively secure your account. Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state.

    It’s important to understand that this warning is not related to any compromise of Facebook’s platform or systems, and that having an account compromised in this manner may indicate that your computer or mobile device has been infected with malware. Ideally, people who see this message should take care to rebuild or replace these systems if possible.

    Reply
  38. Tomi Engdahl says:

    Facebook to warn users about state-sponsored attacks
    Firm will recommend a reaction
    http://www.theinquirer.net/inquirer/news/2430927/facebook-to-warn-users-about-state-sponsored-attacks

    PEOPLE HARVESTER Facebook is making a move to further secure its flock and will alert its subjects to attacks that look and smell like they are state sponsored.

    China and Russia are often accused of such attacks, and Facebook will now alert potential victims whenever it gets a sniff of one.

    “The security of people’s accounts is paramount at Facebook, which is why we constantly monitor for potentially malicious activity and offer many options to proactively secure your account,” said Facebook chief security officer and Flash nemesis Alex Stamos in a blog post.

    “Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation state.”

    Stamos presents an example of the sort of message that cattle users will receive, showing that Facebook will first worry them with a threat and then console them with the offer of some two-factor, mobile phone-based authentication and a whack of advice.

    “We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts.

    Reply
  39. Tomi Engdahl says:

    Chrome dumps “OK Google” eavesdropping extension because nobody actually uses it
    Now you’ll have to, ugh, click a button instead of just shouting at your computer.
    http://arstechnica.com/information-technology/2015/10/chrome-dumping-ok-google-eavesdropping-extension-because-nobody-actually-uses-it/

    Chrome 46 will no longer listen in to everything you say on certain Web pages on the off chance that you might invoke a Web search with the magical utterance, “OK Google.”

    Since Chrome 35, released in May of last year, Chrome on Windows, Linux, and OS X has included an “OK Google” extension as a built-in feature that lets you speak to the browser and conduct searches without having to actually do anything so gauche as use the keyboard. Merely visiting google-dot-com was enough; from there, speaking did the rest.

    VentureBeat reports that it’s now gone from the regular browser, too. While Chromebooks and Android phones will still support “OK Google,” the desktop browser does not. In news that will surprise no-one—because really, who likes talking to their computer—VentureBeat writes that the feature was pulled because virtually nobody ever bothered to use it.

    Reply
  40. Tomi Engdahl says:

    Connected kettles boil over, spill Wi-Fi passwords over London
    Pen-tester’s killer cuppas made in cracked iKettle
    http://www.theregister.co.uk/2015/10/19/bods_brew_ikettle_20_hack_plot_vulnerable_london_pots/

    A security man has mapped and hacked insecure connected kettles across London, proving they can leak WiFi passwords.

    The iKettle is designed to save users precious seconds spent waiting for water to boil by allowing the kitchen staple to be turned on using a smartphone app.

    Pen Test Partners bod Ken Munro says hackers can make more than a cuppa, however: armed with some social engineering data, a directional antenna, and some networking gear they can “easily” cause the iKettle to spew WiFi passwords.

    attackers will need to find their own victims using the WIGLE.net WiFi probing service, users chatting about thier appliances over Twitter, and correlating that data with directories like 192.com

    Reply
  41. Tomi Engdahl says:

    Security updates available for Adobe Flash Player
    https://helpx.adobe.com/security/products/flash-player/apsb15-27.html

    Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

    Adobe is aware of a report that an exploit for CVE-2015-7645 is being used in limited, targeted attacks.

    Reply
  42. Tomi Engdahl says:

    ‘All Android devices’ vulnerable to new LTE security flaw
    http://www.zdnet.com/article/at-t-t-mobile-verizon-vulnerable-to-several-lte-flaws/

    Devices on AT&T and Verizon networks are vulnerable to “loss of privacy, incorrect billing, and data spoofing.”

    AT&T and Verizon’s implementations of LTE are said to be vulnerable to “to several issues” that could result in eavesdropping, data spoofing, and over-billing for potentially millions of phones.

    Android devices on these networks are at most risk because the software “does not have appropriate permissions model” for LTE

    LTE (also known as 4G) relies on packet switching, a common way of sending data across the internet, rather than the old method of circuit switching. This new method of sending data allows for new kinds of attacks, particularly against the Session Initiation Protocol (SIP), nowadays more commonly used in voice calls and instant messaging.

    Researchers have found a method that exploits the way that SIP works, by spoofing phone numbers for calls or text messages. It’s also possible for an attacker to obtain free bandwidth for more data-intensive activities, like video calling, without incurring any additional costs.

    T-Mobile and Verizon were both identified as being at-risk from the peer-to-peer attacks. The researchers had not conducted full testing on AT&T but said it was likely at risk.

    The researchers warned create a peer-to-peer network within that cell carrier’s network

    In one example, a malicious Android app could quietly make phone calls without the user’s knowledge. That could be used to generate money on premium lines, over-billing, as well conducting targeted eavesdropping.

    Reply
  43. Tomi Engdahl says:

    Vulnerability Note VU#943167
    Voice over LTE implementations contain multiple vulnerabilities
    http://www.kb.cert.org/vuls/id/943167

    The Android operating system does not have appropriate permissions model for current LTE networks; the CALL_PHONE permission can be overruled with only the INTERNET permission by directly sending SIP/IP packets. A call made in such a manner would not provide any feedback to the user. Continually making such calls may result in overbilling or lead to denial of service.

    Impact

    A remote attacker on the provider’s network may be able to establish peer-to-peer connections to directly retrieve data from other phones, or spoof phone numbers when making calls. A malicious mobile app for Android may be able to silently place phone calls without the user’s knowledge.

    Reply
  44. Tomi Engdahl says:

    First Firms Blocked Porn. Now They Scan for Child Sex Images
    Only Ericsson wanted to talk about it.
    http://www.bloomberg.com/news/articles/2015-10-19/first-firms-blocked-porn-now-they-scan-for-child-sex-images

    The first alarm came within a week. It meant an Ericsson AB employee had used a company computer to view images categorized by law enforcement as child sexual abuse.

    “It was faster than we would have wanted,” says Nina Macpherson, Ericsson’s chief legal officer.

    In a bid to ensure none of its 114,000 staff worldwide were using company equipment to view illegal content, in 2011 the Swedish mobile networks pioneer installed scanning software from Netclean Technologies AB. While many companies since then have adopted similar measures, few have been willing to discuss their experience publicly.

    Ericsson’s move may have made it the first big company to scan employee’s computers for indecent images of children rather than just blocking online pornography, according to Michael Moran, a director at Interpol’s child exploitation unit.

    “You can actually save a kid from the abuse they are experiencing by recognizing, reporting and removing it.”

    Netclean’s software scans web searches, e-mail, hard drives and memory sticks for specific images or videos already classified as child pornography. It uses image fingerprinting to ensure that it recognizes blacklisted photos even if they are moved around the internet, between computers, or modified. Netclean says its software finds illegal images on about 1-in-1,000 computers across the hundreds of clients it now serves.

    ‘No False Positives’

    The alerts – invisible to the person who triggers them – are sent via e-mail and text message to Ericsson’s group security adviser, Patrik Håkansson, a former detective chief inspector from Sweden’s National Police IT Crime Squad.

    “There are no false positives; the technology won’t show up any pictures of children on the beach,” says Håkansson.

    His job is to confirm that the illegal pictures have indeed been handled on company equipment, and by whom. In the U.S. the FBI must be called immediately. In other markets Ericsson can carry out some internal investigations before involving law enforcement.

    The perpetrator is typically fired, unless digital forensic investigators can establish there has been a genuine mistake, Macpherson says.

    No Privacy

    Netclean says its software is unique and effective, but British lawyer Myles Jackman urges caution, warning that companies could trigger a “witch hunt” based on what he sees as potentially flawed evidence. Jackman, an obscenity law specialist, denounces genuine indecent material, calling it “reprehensible.” But while the technology may not deliver false positives, he says he knows of numerous occasions where police have misclassified images as illegal. Misclassified images, once in the police database, would still trigger a Netclean alarm.

    “The reality is that the basic data-entry inputting is done by humans and humans get things wrong. It happens in every database,” says Jackman.

    Ericsson employees sign a form consenting to being observed. Does that equate to spying on staff? As long as companies are upfront and explain to employees they are being monitored, there “can’t be any expectation of privacy,’’ says Stuart Neilson, a London-based employment lawyer.

    Reply
  45. Tomi Engdahl says:

    Dropbox Refuses to Explain Its Mysterious Child Porn Detection Software
    http://gizmodo.com/dropbox-refuses-to-explain-its-mysterious-child-porn-de-1722573363

    The Dropbox detail struck me as strange not because there’s something objectionable about companies trying to stop pedophiles exploiting children (I’m not a complete crazy asshole), but because I wondered what else Dropbox could proactively search my files for: Could it look for pirated movies? Could it look for evidence of drug dealing, illegal sex work, illegal gambling? Short answer: Yep!

    Looking at its Terms of Service, Dropbox states that it can search through your files to see if they comply with its ToS and Acceptable Use Policy. The company can look for way more than just vile child exploitation images—it can search for hate speech, any illegal porn, and anything that infringes on someone else’s privacy.

    Reply
  46. Tomi Engdahl says:

    GCHQ to pore over blueprints of Chinese built Brit nuke plants
    Concerns that software backdoors planted on plants
    http://www.theregister.co.uk/2015/10/19/gchq_nuke_plant_security_review/

    UK spies will go through the blueprints of computer systems of nuclear plants due to be built by Chinese firms in the UK in a bid to allay security concerns, The Times reports.

    GCHQ’s role in the assessment was confirmed on the eve of Chinese President Xi Jinping’s four-day state visit to the UK.

    Security chiefs have reportedly raised concerns with ministers about the security implications of deciding to allow Chinese companies with links to the military establishment to obtain a stake in three planned nuclear power plants.

    “GCHQ has a remit to support the cybersecurity of private-sector-owned critical national infrastructure projects, including in the civil nuclear sector and nuclear new builds, when invited to do so by the lead government department involved,” a spokesman said.

    Spies guard nuclear sites from China cyberattack
    http://www.thetimes.co.uk/tto/news/politics/article4589761.ece

    British spies will scrutinise computer systems and cybersecurity at nuclear plants built by Chinese companies, amid fears that Beijing could use new commercial deals to threaten the UK’s national security.

    The role of the listening station GCHQ in protecting Britain’s energy network from cyberattack has been confirmed as President Xi lands in London tonight on a four-day state visit hailed by David Cameron as the start of a “golden era” in Britain’s relationship with Beijing.

    Reply
  47. Tomi Engdahl says:

    The Latest on Chinese-affiliated Intrusions into Commercial Companies
    http://blog.crowdstrike.com/the-latest-on-chinese-affiliated-intrusions-into-commercial-companies/

    It has been nearly three weeks since the announcement on September 25th of the landmark Cyber agreement between the United States and China in which both nations agreed not to “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”

    Today, we would like to give a public report of our observations. Over the last three weeks, CrowdStrike Falcon platform has detected and prevented a number of intrusions into our customers’ systems from actors we have affiliated with the Chinese government.

    We assess with a high degree of confidence that these intrusions were undertaken by a variety of different Chinese actors, including DEEP PANDA, which CrowdStrike has tracked for many years breaking into national-security targets of strategic importance to China, as well as commercial industries such as Agriculture, Chemical, Financial, Healthcare, Insurance, Legal, Technology and many others.

    So does this evidence of ongoing intrusions into the commercial sector from China indicate the failure of the U.S.-China cyber agreement? That depends on what we do about it, and how long the current situation persists.

    Reply
  48. Tomi Engdahl says:

    Americans Show ‘Surprising Willingness’ To Accept Internet Surveillance
    http://yro.slashdot.org/story/15/10/19/1335205/americans-show-surprising-willingness-to-accept-internet-surveillance

    Researchers from BYU recently took a survey of internet users (PDF), mostly from the U.S., to determine how they balanced opinions of security and privacy. They found, perhaps surprisingly, that over 90% of users are fine with somebody snooping their encrypted traffic, so long as they were informed of the snooping.

    Most Americans would be fine with some Internet surveillance if they were notified
    http://www.dailydot.com/politics/internet-surveillance-survey-notification-consent/

    Despite increasingly heated rhetoric from opponents of government surveillance, a recent survey shows that most Americans would be okay with many kinds of Internet snooping as long as the snoopers told them first.

    The results showed “a surprising willingness by participants to accept the inspection of encrypted traffic, provided they are first notified,” according to the researchers behind the survey, which was titled “At Least Tell Me.”

    Although the respondents put up with surveillance, half of them said that they believed it constituted an invasion of privacy.

    Surveillance tools can create security vulnerabilities that permit hacking, illegal spying, privacy violations, and identity theft. But around 75 percent of respondents agreed that Internet service providers should be allowed to surveil traffic as long they notified users and received consent.

    Most respondents also agreed that employers should be able to monitor the encrypted Internet connections of employees even without notification or consent, especially when an employee used a company computer. There was less agreement when it came to employees using personal devices; approximately a third of respondents opposed surveillance in that case.

    The survey asked specifically about TLS interception proxies, software that intercepts and examines encrypted Internet traffic. Such proxies are used for protecting computers against malware, identity theft, and surveillance. Anyone with enough money can buy a TLS proxy. The same technique can be replicated with fake security certificates, rogue authorities, or clever attacks.

    Despite accepting surveillance in a number of situations, 60 percent of respondents said that they would react negatively if they discovered that a network they currently use employed TLS proxies.

    “I would be angry and would feel that organization violated my trust,” one anonymous responder said. “

    The researchers described “confusion, doubt, worry, equivocation, and reasoned conclusions” among the participants as they wrestled with the big questions of privacy and security.

    “I think it is perfectly acceptable for organizations (companies, schools, libraries, etc.) to use TLS proxies because it protects their computers,” one participant wrote.

    Reply
  49. Tomi Engdahl says:

    Samsung promises to release monthly mobile security updates
    Galaxy S5 first under the spotlight
    http://www.theinquirer.net/inquirer/news/2431011/samsung-promises-to-release-monthly-mobile-security-updates

    CAN-DO KOREAN COMPANY Samsung is taking inspiration from other firms and promising monthly security packages for customers of its handsets and tablets.

    Samsung’s monthly bundle follows the same sort of thing from Microsoft and Adobe, although perhaps it will not be quite as active as that pair.

    The first update contains a suite of fixes curated and collected by Samsung and Google.

    This all came to being in the wake of Stagefright malware, when Samsung was compelled to tell customers that it was ready, willing and able to beat such opponents off.

    “Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected.”

    SMR-OCT-2015
    http://security.samsungmobile.com/smrupdate.html

    Samsung Mobile is releasing a maintenance release for select models as part of the monthly Samsung Android Security Update process.
    This security update package includes patches from Google and Samsung.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*