Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity news following the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I expect new details of the NSA revelations to be published in 2015 as well. I also expect new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high-profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a not-so-well-prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be more and more talked about. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and together with safety it will remain a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a back seat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know it did not happen in 2014. I think it is likely that an online murder can happen in 2015. The tools for this to happen are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers and personal identification data. Sure enough, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.
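The aggregation step is where intelligence from several publishers becomes useful: each feed has its own schema and spelling, so the indicators must be canonicalized before they can be merged and compared against what the network actually logs. The following is an added example, not code from this post or from any STIX/TAXII tool; the two feeds, their field names, the log schema and every indicator and log line in it are constructed for illustration.

```python
"""Aggregate threat indicators from differently shaped feeds and match them
against log lines. Added example for this post, not code from the original
article or from any STIX/TAXII tool; the two feeds, their schemas and the log
lines are constructed for illustration."""
import csv
import io
import ipaddress
import json
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed feed 1: a vendor-style CSV export.
FEED_CSV = """type,value,confidence
ipv4,203.0.113.10,high
domain,Evil-Update.Example,medium
sha256,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08,high
"""

# Constructed feed 2: a community JSON list using different field names,
# a trailing-dot FQDN and a numeric score instead of a confidence label.
FEED_JSON = json.dumps({"indicators": [
    {"kind": "ip", "indicator": "203.0.113.10", "score": 90},
    {"kind": "fqdn", "indicator": "evil-update.example.", "score": 60},
    {"kind": "ip", "indicator": "198.51.100.7", "score": 40},
]})

# Feeds name the same indicator type differently; map every label to one canonical type.
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "fqdn": "domain",
                "domain": "domain", "hostname": "domain", "sha256": "sha256"}

Indicator = Tuple[str, str]  # (canonical type, canonical value)


def normalize(ioc_type: str, value: str) -> Indicator:
    """Canonicalize one indicator so that the same observable from two feeds
    compares equal: lower-case, no trailing dot, IPs validated and reformatted."""
    ioc_type = TYPE_ALIASES[ioc_type.strip().lower()]
    value = value.strip().lower().rstrip(".")
    if ioc_type == "ipv4":
        value = str(ipaddress.IPv4Address(value))  # raises ValueError on garbage
    elif ioc_type == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return ioc_type, value


def parse_csv_feed(text: str, source: str) -> Iterable[Tuple[Indicator, str]]:
    for row in csv.DictReader(io.StringIO(text)):
        yield normalize(row["type"], row["value"]), source


def parse_json_feed(text: str, source: str) -> Iterable[Tuple[Indicator, str]]:
    for item in json.loads(text)["indicators"]:
        yield normalize(item["kind"], item["indicator"]), source


def aggregate(*feeds: Iterable[Tuple[Indicator, str]]) -> Dict[Indicator, Set[str]]:
    """Merge feeds into one table; an indicator reported by several feeds
    keeps every source, which is useful when weighing a later match."""
    merged: Dict[Indicator, Set[str]] = {}
    for feed in feeds:
        for indicator, source in feed:
            merged.setdefault(indicator, set()).add(source)
    return merged


# Constructed proxy/firewall log lines in key=value form.
LOG_LINES = [
    "2015-01-07T10:02:11Z proxy host=evil-update.example dst=203.0.113.10 user=alice",
    "2015-01-07T10:02:12Z proxy host=cdn.vendor.example dst=192.0.2.44 user=bob",
    "2015-01-07T10:03:50Z fw dst=198.51.100.7 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
# Which log fields hold which kind of observable (constructed log schema).
WATCHED_FIELDS = {"host": "domain", "dst": "ipv4", "src": "ipv4", "sha256": "sha256"}


def match_logs(indicators: Dict[Indicator, Set[str]], lines: Iterable[str]) -> List[dict]:
    """Run every watched field of every line through the same normalization
    as the feeds, then look it up in the aggregated table."""
    hits = []
    for line in lines:
        for field, raw in KV_RE.findall(line):
            if field not in WATCHED_FIELDS:
                continue
            try:
                indicator = normalize(WATCHED_FIELDS[field], raw)
            except ValueError:
                continue  # malformed value in the log, not an indicator
            sources = indicators.get(indicator)
            if sources:
                hits.append({"line": line, "type": indicator[0],
                             "value": indicator[1], "sources": sorted(sources)})
    return hits


def run() -> Tuple[Dict[Indicator, Set[str]], List[dict]]:
    indicators = aggregate(parse_csv_feed(FEED_CSV, "vendor-csv"),
                           parse_json_feed(FEED_JSON, "osint-json"))
    return indicators, match_logs(indicators, LOG_LINES)


if __name__ == "__main__":
    table, hits = run()
    print(f"{len(table)} unique indicators from 2 feeds")
    for hit in hits:
        print(f"HIT {hit['type']}={hit['value']} (sources: {', '.join(hit['sources'])})")
```

The design point is that feeds and logs go through the same `normalize` function: a trailing dot, mixed case or a differently spelled type label must never make an indicator miss, and the set of sources behind each match is kept so an analyst can tell a single-feed hit from one corroborated by several publishers.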

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics, and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
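For the website operators mentioned above, a migration is not finished when a certificate is installed: plain HTTP still has to be redirected, and browsers need to be told to stop using it. The following is an added example, not code from this post or from Google's proposal. The two sites and their captured responses are constructed, and the Strict-Transport-Security (HSTS) checks are my assumption about what a complete migration should look like; the post itself only talks about moving from HTTP to HTTPS.

```python
"""Check a site's HTTP-to-HTTPS migration from captured response headers.
Added example for this post, not from the original article or from Google's
proposal; the two sites and their responses are constructed, and the
Strict-Transport-Security checks are an assumption about what a complete
migration should look like, not something the post itself requires."""
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit


class Response(NamedTuple):
    url: str
    status: int
    headers: Dict[str, str]


REDIRECT_STATUSES = {301, 302, 307, 308}
PERMANENT_STATUSES = {301, 308}
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # six months; a constructed policy minimum


def parse_hsts(value: str) -> dict:
    """Parse Strict-Transport-Security directives (RFC 6797): max-age in seconds
    plus the includeSubDomains and preload flags; directive names are case-insensitive."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def _lower_headers(resp: Response) -> Dict[str, str]:
    return {k.lower(): v for k, v in resp.headers.items()}


def assess(http_resp: Response, https_resp: Response) -> List[str]:
    """Return findings for one site; an empty list means plain HTTP is
    permanently redirected to HTTPS on the same host and HSTS is in place."""
    findings = []
    location = urlsplit(_lower_headers(http_resp).get("location", ""))
    if http_resp.status not in REDIRECT_STATUSES or location.scheme != "https":
        findings.append("plain HTTP is served without a redirect to HTTPS")
    else:
        if location.hostname != urlsplit(http_resp.url).hostname:
            findings.append("redirect changes host before upgrading to HTTPS")
        if http_resp.status not in PERMANENT_STATUSES:
            findings.append("redirect is temporary (302/307); use 301 or 308 so clients cache it")
    hsts_raw = _lower_headers(https_resp).get("strict-transport-security")
    if hsts_raw is None:
        findings.append("HTTPS response sets no Strict-Transport-Security header")
    else:
        hsts = parse_hsts(hsts_raw)
        if hsts["max_age"] is None or hsts["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age is missing or shorter than six months")
        if not hsts["include_subdomains"]:
            findings.append("HSTS does not cover subdomains")
    return findings


# Constructed captures: one finished migration, one site still serving plain HTTP.
MIGRATED = (
    Response("http://shop.example/", 301, {"Location": "https://shop.example/"}),
    Response("https://shop.example/", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
)
UNMIGRATED = (
    Response("http://news.example/", 200, {"Content-Type": "text/html"}),
    Response("https://news.example/", 200, {"Content-Type": "text/html"}),
)


def run() -> Dict[str, List[str]]:
    return {"shop.example": assess(*MIGRATED), "news.example": assess(*UNMIGRATED)}


if __name__ == "__main__":
    for site, findings in run().items():
        print(site, "OK" if not findings else "; ".join(findings))
```

The `Response` records stand in for what a crawler would capture with two requests per host, one over HTTP and one over HTTPS; feeding real captures into `assess` needs no change to the checks.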

 

3,110 Comments

  1. Tomi Engdahl says:

    The Hostile Email Landscape
    http://tech.slashdot.org/story/15/10/19/1434236/the-hostile-email-landscape

    As we consolidate on just a few major email services, it becomes more and more difficult to launch your own mail server. From the article: “Email perfectly embodies the spirit of the internet: independent mail hosts exchanging messages, no host more or less important than any other. Joining the network is as easy as installing Sendmail and slapping on an MX record. At least, that used to be the case. If you were to launch a new mail server right now, many networks would simply refuse to speak to you. The problem: reputation”

    The Hostile Email Landscape
    http://liminality.xyz/the-hostile-email-landscape/

    Email today is dominated by a handful of major services. GMail boasted 425 million active users back in 2012. Outlook.com has at least 400 million users. It’s become increasingly unusual for individuals or businesses to host their own mail, to the point that new servers are viewed with suspicion.

    Earlier this year I moved my personal email from Google Apps to a self-hosted server

    I had no issues sending to other servers running Postfix or Exim; SpamAssassin happily gave me a 0.0 score, but most big services and corporate mail servers were rejecting my mail, or flagging it as spam

    “IPs not previously used to send email typically don’t have any reputation built up in our systems. As a result, emails from new IPs are more likely to experience deliverability issues.”

  2. Tomi Engdahl says:

    Let’s talk about that NSA Diffie-Hellman crack
    ‘Logjam’ crypto bug researchers expand on theory in talk
    http://www.theregister.co.uk/2015/10/19/nsa_crypto_breaking_theory/

    Even before the leaks by former NSA sysadmin Edward Snowden, rumours had circulated for years that the agency could decrypt a significant fraction of encrypted internet traffic.

    Now security researchers, who published a paper on their theory in May, have come forward with a detailed and credible theory on the technical foundations of this code-breaking capability. They presented a talk last week with a better explanation of how this fitted with the Snowden leaks.

    The Edward Snowden documents revealed that the NSA had the ability to intercept and decrypt VPN traffic. The on-demand decryption of some HTTPS and SSH connections was also possible because of unspecified but ground breaking cryptanalysis capabilities, according to the Snowden leaks.

    Earlier this week, the 13-member research team presented a paper at the ACM Computer and Communications Security conference billed as an answer to this technical mystery.

    Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Bad implementation choices combined with advances in number theory mean real-world users of Diffie-Hellman are likely vulnerable to state-level attackers, the researchers warned back in May.

    The researchers estimate that breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20 per cent of the top million HTTPS websites. In other words, a one-time colossal investment in power-lifting computation would make it possible to eavesdrop on trillions of encrypted connections.

    Weak application of Diffie-Hellman is widespread in many standards and implementations. Security weaknesses are built into deployed systems unlikely to be replaced for years, even given heightened concern prompted by the latest research.

    The possibility of multiple governments attempting attacks illustrates the tension between the NSA’s two prime missions of gathering intelligence and defending US computer security. If the researchers are correct then the NSA has been vigorously exploiting weak Diffie-Hellman, while doing little or nothing to help fix the problem. On the defensive side, NSA has recommended that implementers should transition to elliptic curve cryptography, which isn’t known to suffer from this loophole, but such recommendations tend to go unheeded without explicit justifications or demonstrations.

    ‘Logjam’ crypto bug could be how the NSA cracked VPNs
    Johns Hopkins crypto boffin spots FREAK-like protocol bug
    http://www.theregister.co.uk/2015/05/20/logjam_johns_hopkins_cryptoboffin_ids_next_branded_bug/

  3. Tomi Engdahl says:

    New York Post:
    FBI and other federal agencies are investigating a teen who claims to have hacked CIA director’s AOL account, which contained work-related documents — Teen says he hacked CIA director’s AOL account — Hillary Rodham Clinton’s email scandal didn’t stop the head of the CIA from using …

    Teen says he hacked CIA director’s AOL account
    http://nypost.com/2015/10/18/stoner-high-school-student-says-he-hacked-the-cia/

    Hillary Rodham Clinton’s email scandal didn’t stop the head of the CIA from using his own personal AOL account to stash work-related documents, according to a high school student who claims to have hacked into them.

    CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post.

    Other emails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials, as well as a government letter about the use of “harsh interrogation techniques” on terrorism suspects, according to the hacker.

    The FBI and other federal agencies are now investigating the hacker

    “I can’t believe he did this to the head of the CIA,’’ the source added. “[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic.”

    The hacker contacted The Post last week to brag about his exploits, which include posting some of the stolen documents and a portion of Brennan’s contact list on Twitter.

    And he also got into the online Comcast account of Homeland Security Secretary Jeh Johnson and posted a redacted screenshot of a billing page. He claimed that he listened to Johnson’s voicemails.

  4. Tomi Engdahl says:

    Ex-U.S. agent gets over six years for bitcoin theft in Silk Road probe
    http://www.reuters.com/article/2015/10/19/us-usa-bitcoin-silkroad-idUSKCN0SD2IA20151019

    A former U.S. federal agent was sentenced to 78 months in prison on Monday for stealing bitcoins during the government’s investigation of Silk Road and for secretly soliciting payment from the operator of the online black market for information on its probe.

  5. Tomi Engdahl says:

    Katie Collins / CNET:
    China hack attacks on US continue despite commercial spying pact, security firm says — Hackers associated with the Chinese government targeted seven US companies in the last three weeks, CrowdStrike says.

    China hack attacks on US continue despite commercial spying pact, security firm says
    http://www.cnet.com/news/china-hack-attacks-continue-despite-commercial-spying-pact-with-us-security-firm-says/

    Hackers associated with the Chinese government targeted seven US companies in the last three weeks, CrowdStrike says.

    Seven US companies have been attacked by government-associated Chinese hackers in the three weeks since the US and China announced a pact that banned government spying on companies, a US security firm said Monday.

    The hacks by “actors we have affiliated with the Chinese government” targeted five technology companies and two pharmaceutical companies, US security company CrowdStrike said in a blog post.

    The Latest on Chinese-affiliated Intrusions into Commercial Companies
    http://blog.crowdstrike.com/the-latest-on-chinese-affiliated-intrusions-into-commercial-companies/

  6. Tomi Engdahl says:

    Bloomberg Business:
    Sources: last year’s cyberattacks on Polish stock exchange and German steel plant were tied to Russia’s growing hacking campaign against US and NATO

    Cyberspace Becomes Second Front in Russia’s Clash With NATO
    http://www.bloomberg.com/news/articles/2015-10-14/cyberspace-becomes-second-front-in-russia-s-clash-with-nato

    German steel plant and Polish exchange said to be targeted
    ‘They have let loose the hounds’ as criminals grow brazen

    Russian computer attacks have become more brazen and more destructive as the country grows increasingly at odds with the U.S. and European nations over military goals first in Ukraine and now Syria.

    Along with reported computer breaches of a French TV network and the White House, a number of attacks now being attributed to Russian hackers and some not previously disclosed have riveted intelligence officials as relations with Russia have deteriorated. These targets include the Polish stock market, the U.S. House of Representatives, a German steel plant that suffered severe damage and The New York Times.

    U.S. officials worry that any attempt by the Russian government to use vulnerabilities in critical infrastructure like global stock exchanges, power grids and airports as pressure points against the West could lead to a broader conflict, according to two people familiar with the debate inside government and who asked not to be named when discussing intelligence matters.

    As in other domains, Russians acting directly for the government or with its approval are testing the boundaries of the cyberbattlefield, according to an assessment by U.S. intelligence agencies. The attacks are often called state sponsored by security companies working to arrest the damage, though it is difficult to ascertain which ones might have been done by intelligence agencies and which ones by criminals with access to sophisticated tools hoping to curry government favor.

    “They have let loose the hounds,” said Tom Kellermann, chief security officer at Trend Micro, a Tokyo-based security firm.

    Russia is called America’s biggest cyberthreat by U.S. Director of National Intelligence James Clapper, and it appears more willing than ever to push up against U.S. doctrine, which holds that destructive hacking attacks could be considered acts of war. So far, the U.S. has not made any public response to the suspected acts.

    Cyberspace is a messy arena for fighting. Miscalculations, even by skilled operators, are common, fueling concerns about what could happen to essential infrastructure. And Russia is one of the few nations that intelligence officials say can successfully mask its identity in cyberspace, even from the U.S. National Security Agency.

    Raising alarms in Europe, Russian hackers damaged a blast furnace early last year at a plant in Germany owned by ThyssenKrupp AG, the country’s biggest steelmaker, according to four people familiar with the attack.

    Kilian Roetzer, a spokesman for ThyssenKrupp, denied any such attack occurred, as has every other company operating a blast furnace in Germany. A furnace attack was disclosed by the German government last year without naming any company or perpetrator.

    Russian hackers have stepped up surveillance of power grids and energy supply networks in the U.S., Europe and Canada, a provocative move given government sensitivity to tampering with essential infrastructure for millions of people, according to two people familiar with that activity.

    U.S. authorities who spoke on condition of anonymity interpret it as a warning. “Russia is exceptionally skilled,”

    “They’re being successful. If you’re doing something that’s working, you’re going to keep doing it,”

    Sophisticated Hackers

    Putin enjoys some significant advantages over his adversaries in cyberspace. Russia is home to the most sophisticated collection of cybercriminals anywhere in the world, and the government maintains close relationships with many of them, according to assessments by the Federal Bureau of Investigation and U.S. intelligence agencies.

    “These guys have been untouchable for years and now they are coming back to the stable to pay homage,”

    Google Analysis

    Bloomberg News obtained a copy of Google’s 41-page analysis, which shows how X-Agent users can swap in various modules for most any conceivable mission, much like the RATs used by the NSA’s elite teams, according to a person familiar with that software.

    The APT 28 group was also behind an attack last year on the New York Times

    A different group of Russian hackers hit the White House and State Department in incidents disclosed over the last year. That group is called APT 29

    U.S. and European intelligence agencies have struggled in recent months to assess what they see as Russia’s newly bellicose behavior in cyberspace.

    Physical Destruction

    The steel mill attack was a rare example of computers being used to cause physical destruction, carrying strong political overtones for the German government.

    The hackers hijacked a computer that controlled the blast furnace, inserting malware that caused the machine to overheat and melt down, according to three people familiar with the incident and Germany’s Federal Office for Information Security, or BSI, which disclosed the attack in November 2014 without linking it to Russia. The result was “massive damage,” according to the BSI report.

    Security specialists initially speculated the damage might have been an accident by hackers trying to gather data on how the mill operates, but details have since emerged that point to intentional destruction.

    Sometime in late 2013 or early 2014, the hackers began by penetrating the mill’s office computers with spear-phishing e-mails and social-engineering tricks against employees

    Digital traces left in the system immediately pointed back to Russia

  7. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers find 256 iOS apps using a third-party advertising SDK to collect users’ personal info; Apple says it will ban them — Researchers find 256 iOS apps that collect users’ personal info — Apps are “definitely the kind of stuff that Apple should have caught,” researcher says.

    Researchers find 256 iOS apps that collect users’ personal info
    Apps are “definitely the kind of stuff that Apple should have caught,” researcher says.
    http://arstechnica.com/security/2015/10/researchers-find-256-ios-apps-that-collect-users-personal-info/

    Researchers said they’ve found more than 250 iOS apps that violate Apple’s App Store privacy policy forbidding the gathering of e-mail addresses, installed apps, serial numbers, and other personally identifying information that can be used to track users.

    The apps, which at most recent count totaled 256, are significant because they expose a lapse in Apple’s vetting process for admitting titles into its highly curated App Store. They also represent an invasion of privacy to the one million people estimated to have downloaded the apps.

  8. Tomi Engdahl says:

    Accidental homicide: how VoLTE kills old style call accounting
    It’s all data, all the way down, so tracking voice sessions gets tedious, fast. And dangerous
    http://www.theregister.co.uk/2015/10/20/volte_kills_voice_call_billing/

    Korean and US telco researchers have sounded what’s probably the first death-knell of voice calls, demonstrating a variety of problems – some fundamental – with how Voice-over-LTE (VoLTE) works.

    The Carnegie-Mellon CERT has wrapped the problems up in this advisory, based on this ACM paper.

    The problems, which we’ll describe in more detail below, include denial-of-service vectors, over-billing risks, and ways for users to game the network for free calls.

    The basic problem is that VoLTE abandons the legacy cellular network model of dedicated voice and data channels. Instead, voice is a SIP-based (session initiation protocol) application carried on the plentiful (in LTE) data channel.

    The carriers that Hongil Kim of Korean institute KAIST and collaborators from KAIST and Georgia Tech studied were in Korea and not named, but in their paper they warn other operators could be making similar mistakes in their VoLTE implementations.

    The problems all arise in how the voice application interacts with session initiation protocol (SIP). Under VoLTE, the voice application is handled by a phone’s application processor instead of being a couple of basic commands on the baseband processor. From the paper: “A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel.”

    It’s obvious, really: since VoLTE runs as an application, it’s trivial to write a voice application to run on an LTE mobile – and that means any mistake the operator makes can be exploited by a malicious application.

    That leaves users open to a variety of possible attacks:

    It’s easy to make the voice application place calls from a phone without alerting the user. That’s got all sorts of malware possibilities: for example, infecting a phone so it quietly places calls to premium numbers.
    Because SIP is just data, there’s no need to place calls through the operator’s SIP server: instead, users can just set up peer-to-peer SIP sessions to bypass call accounting.
    If SIP servers don’t authenticate messages properly, phone numbers can be spoofed, creating some pretty juicy fraud opportunities.
    Bad session management in SIP servers – for example, allowing one application to call lots of numbers simultaneously – leaves networks open to control-plane denial-of-service attacks.

    Vulnerability Note VU#943167
    Voice over LTE implementations contain multiple vulnerabilities
    http://www.kb.cert.org/vuls/id/943167

  9. Tomi Engdahl says:

    LTE 4G Networks Put Android Users at Risk of Overbilling and Phone Number Spoofing
    http://news.softpedia.com/news/lte-4g-networks-put-android-users-at-risk-of-overbilling-and-phone-number-spoofing-494840.shtml

    Carnegie Mellon University’s CERT security vulnerabilities database has issued an alert regarding the current status of LTE (Long-Term Evolution) mobile networks, which are plagued by four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS (Denial of Service) states on the phone and network, and even obtain free data transfers without being charged.

    The vulnerabilities stem from classic VoIP-related attacks, LTE mobile networks using an internal structure that employs packet switching and the IP protocol (just like VoIP), instead of traditional circuit-switched mobile networks.

    As CERT’s team explains, the four vulnerabilities (CWE-732, CWE-284, CWE-287, and CWE-384) allow attackers to take advantage of some things like incorrectly set call permissions, the ability to establish direct sessions between phones, improper authentication for SIP messages, and a bug that enables attackers to establish multiple sessions with the same phone number.

    Reply
  10. Tomi Engdahl says:

    Sites cling to a million flawed, fading SHA-1 certificates: Netcraft
    250,000 cry: ‘SHA-1 or death!’
    http://www.theregister.co.uk/2015/10/20/sites_cling_to_a_million_flawed_fading_sha1_certificates_netcraft/

    British security bod Paul Mutton says scores of websites including big ticket companies like Deloitte are among a million outfits using outdated and vulnerable SHA-1-coded certificates which researchers have recently badged deceased.

    The hash function was this month busted by a crypto cadre with $US75,000 of cloud computing resources, undercutting estimates by US$100,000 and putting such an attack within reach of even modestly-resourced groups.

SHA-1's a known dud of a cipher that's been recommended for retirement in 2017.

    Netcraft’s Mutton says some 120,000 SHA-1 certificates were issued this year of which more than a quarter of a million are scheduled to live beyond 2017.

    “SHA-2 eventually overtook SHA-1 in May 2015, but there are still nearly a million certificates currently using SHA-1,” Mutton says.

    “The owners of these certificates will undoubtedly need to replace them months — or in some cases, years — before they are due to expire.

    Reply
  11. Tomi Engdahl says:

    CIA boss uses AOL email – and I hacked it, claims stoner teen
    And now there’s sensitive files in kid’s hands – and all over the internet
    http://www.theregister.co.uk/2015/10/19/cia_aol_hack/

    A teenager claims to have hacked the CIA director’s AOL email account and laid his hands on sensitive government files within.

The kid bragged he managed to trick staff at AOL parent Verizon into resetting the password to CIA boss John Brennan's personal account, allowing the youngster to hijack it.

    After apparently rifling through the inbox and pulling out records on intelligence agency staffers, plus Brennan’s own application for top-level security clearance, the teen started posting the sensitive information on Twitter and text-hosting websites.

    Reply
  12. Tomi Engdahl says:

    Temperature of Hell drops a few degrees – Microsoft emits SSH-for-Windows source code
    Redmond hasn’t forgotten about that promise
    http://www.theregister.co.uk/2015/10/19/microsoft_openssh_code_release/

    Microsoft has published early source code for its OpenSSH-for-Windows port for developers to pick apart and improve.

    In a blog post on Monday, Steve Lee – the PowerShell team’s principal software engineer manager – said Redmond has finished early work on a Windows port of OpenSSH 7.1, built in a joint-effort with remote-access developer NoMachine.

    Here’s Redmond’s rough road map for the OpenSSH port:

    Update NoMachine port to OpenSSH 7.1 [Done]
Leverage Windows crypto APIs instead of OpenSSL/LibreSSL and run as Windows Service
    Address POSIX compatibility concerns
    Stabilize the code and address reported issues
    Production quality release

    Reply
  13. Tomi Engdahl says:

    Security experts split on whether China is breaking no-hack pact
    The hacks go on…but are they state-sponsored?
    http://www.theregister.co.uk/2015/10/19/china_no_hack_pact_violation_suspicion/

Security intelligence firm CrowdStrike has released a report alleging that Chinese hacking crews which they claim are likely state-sponsored are still attacking the US despite an anti-economic-espionage pact agreed just a month ago when the Chinese president visited the US.

    The Latest on Chinese-affiliated Intrusions into Commercial Companies
    http://blog.crowdstrike.com/the-latest-on-chinese-affiliated-intrusions-into-commercial-companies/

    Reply
  14. Tomi Engdahl says:

    First Firms Blocked Porn. Now They Scan for Child Sex Images
    Only Ericsson wanted to talk about it.
    http://www.bloomberg.com/news/articles/2015-10-19/first-firms-blocked-porn-now-they-scan-for-child-sex-images

    Reply
  15. Tomi Engdahl says:

    Neutrino exploit kit attacks hit thousands of Magento shops
    Hackers raise drop-dead-dumb red flag
    http://www.theregister.co.uk/2015/10/20/neutrino_exploit_kit_attacks_hit_thousands_of_magento_shops/

    Researchers are warning of a bumbling but large campaign against Magento-powered ecommerce sites that is redirecting users to the Neutrino exploit kit.

    It is unclear how many sites have been popped, but admins will notice this drop-dead dumb hint: the attack includes a file named neutrino.php.

    Websites using eBay’s Magento commerce platform are being targeted through a suspected but as-yet undefined vulnerability in the platform, malware analysts Jerome Segura and Denis Sinegubko say.

    Google has blocked more than 8200 sites – and counting – linked to the attacks. The number is increasing by hundreds each day.

    The pair warn that users running vulnerable versions of Adobe Flash can be exploited and served the Andromeda or Gamarue malware, which steal banking credentials and enlist machines into a large botnet.

    Reply
  16. Tomi Engdahl says:

    Google publishes crypto mandate for Android 6.0
    Ad giant tries again … on devices with enough memory and AES acceleration, anyhow
    http://www.theregister.co.uk/2015/10/20/ok_lets_try_that_again_google_publishes_crypto_mandate_for_android_60/

    Google’s put the issue of mandatory Android encryption back on the table, publishing a compatibility document that mandates it (with caveats) in Android 6.0 Marshmallow.

    First noticed by Android Police, the Android Compatibility Definition seeks to mandate that devices with enough memory and processor power encrypt both private and shared storage – the /data and /sdcard partitions.

    The Chocolate Factory first tried this in Android 5.0, but earlier this year had to backtrack and put the idea in the too-hard basket.

    Reply
  17. Tomi Engdahl says:

    Online pharmacy slapped with £130,000 fine for flogging customer data
    Privacy group: Must be a ban on all marketing to patients
    http://www.theregister.co.uk/2015/10/20/online_pharmacy_slapped_with_130000_fine/

    Online pharmacy Pharmacy 2U has been slapped with a £130,000 fine by the Information Commissioner’s Office for flogging customers to a marketing company without their consent.

    The ICO said Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company.

    The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act.

    Reply
  18. Tomi Engdahl says:

    How NSA successfully Broke Trillions of Encrypted Connections
    Friday, October 16, 2015 Swati Khandelwal
    http://thehackernews.com/2015/10/nsa-crack-encryption.html

    Yes, it seems like the mystery has been solved.

    We are aware of the United States National Security Agency (NSA) powers to break almost unbreakable encryption used on the Internet and intercept nearly Trillions of Internet connections – thanks to the revelations made by whistleblower Edward Snowden in 2013.

    However, what we are not aware of is exactly how did the NSA apparently intercept VPN connections, and decrypt SSH and HTTPS, allowing the agency to read hundreds of Millions of personal, private emails from persons around the globe.

    Now, computer scientists Alex Halderman and Nadia Heninger have presented a paper at the ACM Conference on Computer and Communications Security that advances the most plausible theory as to how the NSA broke some of the most widespread encryption used on the Internet.

According to the paper, the NSA has exploited common implementations of the Diffie-Hellman key exchange algorithm.

    However, a serious vulnerability in the way the Diffie-Hellman key exchange is implemented is allowing the intelligence agencies and spies to break and eavesdrop on trillions of encrypted connections.

    However, according to researchers, only a few prime numbers are commonly used that might have fit well within the agency’s $11 Billion-per-year budget dedicated to “groundbreaking cryptanalytic capabilities.”

    Around 92% of the top 1 Million Alexa HTTPS domains make use of the same two primes for Diffie-Hellman, possibly enabling the agency to pre-compute a crack on those two prime numbers and read nearly all Internet traffic through those servers.

    According to the duo, this NSA technological project to crack crypto on a scale has “not seen since the Enigma cryptanalysis during World War II.”

    Imperfect Forward Secrecy:
    How Diffie-Hellman Fails in Practice
    https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

    Reply
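The practical takeaway from the Logjam paper is an audit question: how big is the Diffie-Hellman group your server negotiates, and is its prime one of the handful that a large share of the Internet shares (the precomputation target)? The script below is an added example, not code from the paper. The only prime embedded is the 1024-bit Oakley group 2 from RFC 2409, copied from the RFC; a real audit would extend `KNOWN_SHARED` with the other widely deployed primes the paper enumerates, and feed in the parameters pulled from the server's `dhparam` file or a TLS handshake capture.

```python
"""Audit a Diffie-Hellman group: flag groups under 2048 bits, flag primes that
are shared by a large population of servers, and sanity-check that p is a safe
prime.  Added example; the prime is RFC 2409 Oakley group 2 (1024-bit)."""
import random

OAKLEY_GROUP2_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)

# Primes known to be shared by many servers; extend this in a real audit.
KNOWN_SHARED = {OAKLEY_GROUP2_1024: "RFC 2409 Oakley group 2 (1024-bit)"}

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with fixed witnesses; enough to sanity-check a parameter file."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)   # deterministic witnesses so the check is reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def assess_dh_group(p, g, min_bits=2048):
    """Return {'bits', 'findings', 'verdict'} for the group (p, g)."""
    bits = p.bit_length()
    findings = []
    if bits < min_bits:
        findings.append("only %d bits; a nation-state-scale precomputation is plausible" % bits)
    if p in KNOWN_SHARED:
        findings.append("well-known shared prime: " + KNOWN_SHARED[p])
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is not a safe prime; check the subgroup order")
    if not 1 < g < p - 1:
        findings.append("generator out of range")
    return {"bits": bits, "findings": findings,
            "verdict": "weak" if findings else "acceptable"}

if __name__ == "__main__":
    for line in assess_dh_group(OAKLEY_GROUP2_1024, 2)["findings"]:
        print("-", line)
```

Size and sharing are separate findings on purpose: a fresh 1024-bit prime is still too small, and a shared 2048-bit prime is fine for now but a single target if the arithmetic ever scales, so the fix is both a larger group and one generated per deployment (or, better, an elliptic-curve group).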
  19. Tomi Engdahl says:

    When a Leak Isn’t a Leak
    https://blog.agilebits.com/2015/10/19/when-a-leak-isnt-a-leak/

    Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

    Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves, but his main concern was how the AgileKeychain handles item URLs. While we widely documented this design decision and shared it publicly, Dale was surprised to find out that we didn’t encrypt URLs within the keychain.

    Switching to OPVault

    Despite the security of AgileKeychain remaining intact, Dale reminded us that its time to move on. The OPVault format is really great in so many ways and we should start sharing it with as many users as possible.

    We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future.

    Reply
  20. Tomi Engdahl says:

    eFast malware hijacks browser with Chrome clone
    https://thestack.com/security/2015/10/20/efast-malware-hijacks-browser-with-chrome-clone/

    eFast Browser, a new malicious adware which disguises itself as Google Chrome, has hijacked internet users’ systems in an apparent effort to serve its own ads and harvest user activity to sell to third-party advertisers.

    According to security bloggers at Malwarebytes, the malware installs itself as the default internet browser and the default program for various popular file types, including .html, .jpg, .gif and .pdf, as well as a number of web links such as http, https and irc.

    ‘The installer for eFast also deletes all the shortcuts to Google Chrome on your taskbar and desktop, most likely hoping to confuse the user with their very similar icons,’

    eFast is able to mirror the aesthetics of Chrome as it uses the same source code, available across the open-source project Chromium. According to industry experts, this is an inadvertent positive for Google, which has invested heavily in upgrading its security. “Major props to the Chrome team that it’s getting so hard to hijack Chrome that malware literally has to replace it to effectively attack,” tweeted Swift on Security.

    The Chrome replacement can be easily removed by opening ‘Programs and Features’, locating the culprit and uninstalling it.

    Reply
  21. Tomi Engdahl says:

    Twitter, Yelp and Wikipedia are latest to join CISA opposition camp
    Four star review from supporters
    http://www.theinquirer.net/inquirer/news/2430753/google-facebook-and-yahoo-sweat-over-controversial-cybersecurity-information-sharing-act-of-2015

    MORE TECHNOLOGY COMPANIES have applied their weight to the campaign to oppose the controversial CISA legislation.

    “Twitter is joining a growing chorus of major technology companies that have recently come out strongly against the latest version of CISA, echoing concerns from security experts and privacy advocates that CISA would fail to prevent cyber attacks while dramatically expanding government surveillance and undermining user privacy,”

    Reply
  22. Tomi Engdahl says:

    WordPress blogger patch foot-drag nag: You’re tempting hackers
    Brute force allows attacker to bypass web server rate limits
    http://www.theregister.co.uk/2015/10/20/wordpress_security_flap_xml_rpc_brute_force/

    Misconfigured and unpatched WordPress sites are causing a rash of problems both to themselves and the wider internet. In fact, this ever-present internet security threat has flared up again over the last week because of several new issues.

    The most pressing problem involves a recent brute force amplification attack on WordPress-based website via the XML-RPC API. Researchers at Sucuri discovered a way to carry out the attacks against WordPress’ built-in XML-RPC feature.

    More details of a proof of concept demo of the flaw can be found here.

    The vulnerability allows an attacker to bypass web server rate limits. The practical upshot is instead of limiting websites to one query with a one password at a time, the flaw means a hacker can now send one query with 500 passwords via XML-RPC API.

    https://github.com/zendoctor/wpbrute-rpc

    Reply
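The amplification works because `system.multicall` lets one POST to `xmlrpc.php` carry hundreds of sub-calls that each take a username and password, so a per-request rate limit never sees the individual guesses. A reverse proxy or WAF can count them. The code below is an added example and not Sucuri's proof of concept: the request body is constructed with the standard library's XML-RPC marshaller, and the per-request threshold is an assumed policy value.

```python
"""Count credential-bearing sub-calls inside a WordPress XML-RPC request so a
proxy can block the system.multicall brute-force amplification.  Added
example; the threshold is an assumption."""
import xmlrpc.client

# WordPress methods that take (username, password) and therefore let each
# sub-call test one credential pair.
AUTHENTICATED_METHODS = {"wp.getUsersBlogs", "wp.getCategories", "wp.getPosts",
                         "wp.getUsers", "metaWeblog.getUsersBlogs",
                         "blogger.getUsersBlogs"}

def build_multicall(username, passwords):
    """Constructed request body of the kind the attack sends: one multicall,
    one wp.getUsersBlogs per password guess."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")

def count_auth_attempts(body):
    """Return (method name, number of credential-bearing sub-calls).
    xmlrpc.client parses with expat; for untrusted input in production put
    defusedxml.xmlrpc.monkey_patch() in front of this."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        return None, 0
    if method != "system.multicall":
        return method, 1 if method in AUTHENTICATED_METHODS else 0
    attempts = 0
    if params and isinstance(params[0], list):
        for call in params[0]:
            if isinstance(call, dict) and call.get("methodName") in AUTHENTICATED_METHODS:
                attempts += 1
    return method, attempts

def should_block(body, max_attempts_per_request=5):
    """Policy for POST /xmlrpc.php: one request may not carry more credential
    checks than the login rate limit would allow (assumed value 5)."""
    _, attempts = count_auth_attempts(body)
    return attempts > max_attempts_per_request
```

If the site does not need XML-RPC at all (pingbacks, the mobile app, Jetpack), disabling `xmlrpc.php` at the web server removes the whole surface and is simpler than counting.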
  23. Tomi Engdahl says:

    X-Ray Scans Expose an Ingenious Chip-and-Pin Card Hack
    http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pin-card-hack/

    The chip-enabled credit card system long used in Europe, a watered down version of which is rolling out for the first time in America, is meant to create a double check against fraud. In a so-called “chip-and-PIN” system, a would-be thief has to both steal a victim’s chip-enabled card and be able to enter the victim’s PIN. But French forensics researchers have dissected a real-world case in which criminals outsmarted that system with a seamless chip-switching trick—and pulled off the feat with a slip of plastic that’s almost indistinguishable from a normal credit card.

    French computer security researchers at the École Normale Supérieure university and the science and technology institute CEA late last week published a paper detailing a unique case of credit card fraud they analyzed as investigators in a criminal case.

    The French fraudsters took advantage of a long-known but theoretical vulnerability in chip-and-PIN systems to execute what the researchers describe as a “man-in-the-middle” attack that takes advantage of how cards and card readers communicate. When a buyer inserts his or her card and enters a PIN, the card reader queries the card’s chip as to whether the PIN is correct. A fraudulent chip can listen for that query and pre-empt the real chip with its own answer: a “yes” signal regardless of whatever random PIN the fraudster has entered. “The attacker intercepts the PIN query and replies that it’s correct, whatever the code is,” says ENS researcher Rémi Géraud. “That’s the core of the attack.”

    The ENS and CEA forensic researchers note that the vulnerabilities used by the French fraud they analyzed have since been fixed—at least in Europe—though they declined to fully detail the new security measures.

    The PIN-spoofing trick the French forensics team detected was first demonstrated in 2010 by a group of Cambridge University security researchers. But their proof-of-concept attack relied on an FPGA

    The French criminals, by contrast, miniaturized that backpack setup into a tiny FUNcard chip, a cheap, programmable device used by DIY hobbyists.

    That FUNcard chip, unlike the Cambridge researchers’ FPGA kit, was no bigger than the normal security chip used in credit cards; the fraudsters could remove the chip from a stolen card, solder it to the FUNcard chip, and glue both chips back-to-back onto the plastic body of another stolen card. The result was a stealthy device capable of performing the Cambridge researchers’ PIN-bypass technique while appearing to be little more than a slightly bulging credit card.

    The fraudsters eventually created 40 of the PIN-spoofing forgeries from credit cards stolen in France

    examined one of the devices with non-invasive X-ray scans that revealed a hidden FUNcard logo on a chip inside

    For the Cambridge researchers, the French attack is an “I-told-you-so” moment. Five years ago, EMVCo and the UK Cards Association both dismissed their attack as improbable or impossible. “Optimistic would be a polite way to describe the response we got,”

    The French researchers write in their paper that EMVCo has since created new countermeasures to the vulnerabilities the fraudsters exploited and implemented them both in card readers and in banking networks.

    When Organized Crime Applies Academic Results
    A Forensic Analysis of an In-Card Listening Device
    http://eprint.iacr.org/2015/963.pdf

    Reply
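The attack hinges on one exchange: the terminal sends the card a VERIFY command carrying the PIN, and trusts the two status bytes that come back. A chip sitting between the terminal and the real card only has to answer that one command. The simulation below is an added example, not code from the ENS/CEA paper or the Cambridge work: the APDU layout follows ISO 7816-4 / EMV for offline plaintext PIN, while the genuine card's internal record and the issuer-side comparison are a simplified model of the countermeasure rather than the actual EMV CVR/TVR processing.

```python
"""Simulation of the EMV PIN-verification step an in-card listening device
subverts.  Terminal sends VERIFY (CLA 00 INS 20 P2 80) with the PIN block; a
genuine card answers 9000 on a match and 63Cx (x = retries left) otherwise;
the interposer answers 9000 whatever was entered.  Added example; the
'pin_verified' record and issuer check are a simplified model."""

def plaintext_pin_block(pin):
    """ISO 9564 format-2 block used for EMV plaintext PIN: 2<len><digits>F..."""
    if not 4 <= len(pin) <= 12 or not pin.isdigit():
        raise ValueError("bad PIN")
    return bytes.fromhex(("2%X%s" % (len(pin), pin)).ljust(16, "F"))

def verify_apdu(pin):
    """00 20 00 80 08 <pin block>: VERIFY, plaintext PIN reference data."""
    block = plaintext_pin_block(pin)
    return bytes([0x00, 0x20, 0x00, 0x80, len(block)]) + block

class GenuineCard:
    def __init__(self, pin, tries=3):
        self.pin_block = plaintext_pin_block(pin)
        self.tries = tries
        self.pin_verified = False   # what the card will later report to the issuer

    def process(self, apdu):
        if apdu[:4] != b"\x00\x20\x00\x80" or self.tries == 0:
            return b"\x69\x83"      # wrong command, or PIN blocked
        if apdu[5:] == self.pin_block:
            self.pin_verified = True
            return b"\x90\x00"
        self.tries -= 1
        return bytes([0x63, 0xC0 | self.tries])

class Interposer:
    """The listening device: passes everything through except VERIFY."""
    def __init__(self, real_card):
        self.real_card = real_card

    def process(self, apdu):
        if apdu[:2] == b"\x00\x20":
            return b"\x90\x00"      # 'PIN OK' without ever asking the real chip
        return self.real_card.process(apdu)

def terminal_pin_check(card, entered_pin):
    """The terminal believes the PIN is verified iff the card says 9000."""
    return card.process(verify_apdu(entered_pin)) == b"\x90\x00"

def issuer_detects_mismatch(terminal_says_verified, real_card):
    """Countermeasure in one line: the issuer compares the terminal's claim
    with what the real card recorded (simplified model of CVR/TVR checks)."""
    return terminal_says_verified and not real_card.pin_verified
```

The reason the fix had to land in card readers and banking networks rather than in cards: the terminal cannot tell the forged 9000 from a real one, so the only party with both views is the issuer, who sees the terminal's claim and the genuine chip's own record in the transaction cryptogram.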
  24. Tomi Engdahl says:

    Brian Fung / Washington Post:
    Apple, Dropbox, Yelp, reddit, Twitter, Wikimedia, join Google, Facebook, and Yahoo in voicing opposition to current CISA proposal days before vote

    Apple and Dropbox say they’re against a key cybersecurity bill, days before a crucial vote
    https://www.washingtonpost.com/news/the-switch/wp/2015/10/20/apple-says-its-against-a-key-cybersecurity-bill-days-before-a-crucial-vote/?ooiuoiuer

    Apple and Dropbox said Tuesday that they oppose a controversial cybersecurity bill that, according to critics, would give the government sweeping new powers to spy on Americans in the name of protecting them from hackers.

    The announcement by the two companies comes days before the Senate expects to vote on the legislation, known as the Cybersecurity Information Sharing Act, or CISA.

    “We don’t support the current CISA proposal,” Apple said in a statement. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”

    Reply
  25. Tomi Engdahl says:

    Brad Smith / Microsoft on the Issues:
    Microsoft outlines four-step proposal in wake of Safe Harbor decision, to balance privacy, a global Internet, and public safety, in a new legal framework — The collapse of the US-EU Safe Harbor: Solving the new privacy Rubik’s Cube — When people who care about technology look back at the year 2015 …

    The collapse of the US-EU Safe Harbor: Solving the new privacy Rubik’s Cube
    http://blogs.microsoft.com/on-the-issues/2015/10/20/the-collapse-of-the-us-eu-safe-harbor-solving-the-new-privacy-rubiks-cube/

    Reply
  26. Tomi Engdahl says:

    Wall Street Journal:
    Comcast is in talks with TV networks and audience measurement firms to share data harnessed from set-top boxes and apps — Comcast Seeks to Harness Trove of TV Data — Cable giant is in talks with TV networks and measurement firms to license viewing data from set-top boxes, apps

    Comcast Seeks to Harness Trove of TV Data
    Cable giant is in talks with TV networks and measurement firms to license viewing data from set-top boxes, apps
    http://www.wsj.com/article_email/comcast-seeks-to-harness-trove-of-tv-data-1445333401-lMyQjAxMTE1NTIwMDgyMjA2Wj

    Comcast Corp. is sitting on a potential treasure trove of data on how Americans watch TV. Now, the cable giant is working to unlock that information in ways that it hopes could save the $70 billion U.S. television advertising market.

    Comcast is seeking to harness viewing data from the set-top boxes and streaming apps used by its millions of cable-TV subscribers to create products it can license to other companies, according to people familiar with its plans. That will require organizing a vast pool of details into “dashboards” that TV networks and marketers can use to tap specific slices of data.

    In recent months, Comcast rebuffed an offer from TV-ratings specialist Nielsen, which was willing to pay roughly $100 million for an exclusive license to the data, these people said, though the two companies are deep in talks about other potential partnerships.

    Comcast is betting the industry, armed with the company’s data, could better compete with Web-based rivals, such as Google parent Alphabet Inc. and Facebook Inc., whose ad-targeting capabilities are a big draw for marketers.

    TV networks also are interested in using data to evaluate their programming—to assess, for instance, whether a show with a small audience is worth keeping on the air because it has an avid group of return viewers.

    Reply
  27. Tomi Engdahl says:

    Abhimanyu Ghoshal / The Next Web:
    Mozilla-backed Let’s Encrypt says its free HTTPS certificates are now trusted by all major browsers

    Let’s Encrypt is one step closer to offering free HTTPS certificates to everyone
    http://thenextweb.com/insider/2015/10/20/lets-encrypt-is-one-step-closer-to-offering-free-https-certificates-to-all-sites/

    Let’s Encrypt has announced that its free security certificates are now trusted by all major browsers, bringing the organization’s mission to offer free HTTPS encryption to all sites one step closer to reality.

    As an open certificate authority run by the Internet Security Research Group (ISRG) and sponsored by the likes of Mozilla and Automattic, Let’s Encrypt aims to equip legitimate sites of every size and function with TLS/SSL certificates that help browsers identify them correctly and serve encrypted data so users’ browsing activity and transactions are safe from snooping.

Let's Encrypt will begin issuing free certificates in November. That should help sites adopt HTTPS encryption more easily, as well as lowering the cost significantly.

    Reply
  28. Tomi Engdahl says:

    Andrew Cunningham / Ars Technica:
New Android phones and tablets that ship with Marshmallow must enable full-disk encryption by default if their AES crypto performance exceeds 50 MiB/s

    Android 6.0 re-implements mandatory storage encryption for new devices
    As long as you meet the minimum speed requirements, that is.
    http://arstechnica.com/gadgets/2015/10/android-6-0-re-implements-mandatory-device-encryption-for-new-devices/

    Shortly after the announcement of iOS 8 in 2014, Google made headlines by saying that it would make full-device encryption mandatory for new Android devices running version 5.0. It then made more headlines several months later when we discovered that the company backed down, “strongly recommending” that Android device makers enable encryption but stopping short of actually requiring it.

    Now Google has published an updated version of the Android Compatibility Definition Document (PDF) for Android 6.0, and it looks like mandatory encryption is back with a couple of exceptions. New devices that come with Marshmallow and have AES crypto performance above 50MiB-per-second need to support encryption of the private user data partition (/data) and the public data partition (/sdcard).

    Reply
  29. Tomi Engdahl says:

    German Govt mulls security standards for SOHOpeless routers
    WPA2 with 20-character passwords? Ja! No firmware updates and CSRF? Nein.
    http://www.theregister.co.uk/2015/10/21/german_govt_mulls_security_tests_of_sohopeless_routers/

    The German Government is mulling an assessment of the security chops of consumer routers in a bid to lift current abysmal standards and help inform buyers.

    Berlin’s Ministry of the Interior IT security office says it wants to test routers for support of security features like WPS, encryption, and brute force protection of passwords. MAC address filtering and firewalls will also make the list.

    The agency points out in a draft document (PDF in German) that poorly-secured routers can lead to mass compromise of users.

    It says the increased functionality of SOHO routers with things like network attached storage and the ability to place voice-over-internet-protocol calls makes security of “paramount importance”.

    Attackers can do things like enslave users into botnets, place premium phone calls, and deny net access, the agency says, using a multitude of previously disclosed and un-patched vulnerabilities.

    The agency would look at simple and deeper security measures including holes like cross-site request forgery, the integrity of guest networks, and various defences against external attack.

    Routers that advise users of an available firmware update on login to the web admin interface are winners, as are those that rock WPA2 with a key spinning out to at least 20 characters, and units with WPS that is disabled by default and generates new random PINs on activation.

    Reply
  30. Tomi Engdahl says:

    Western Digital self-encrypting hard drives riddled with security flaws
    Encrypted data is often easily recovered, in some cases with no password required.
    http://arstechnica.com/security/2015/10/western-digital-self-encrypting-hard-drives-riddled-with-security-flaws/

    Several versions of self-encrypting hard drives from Western Digital are riddled with so many security flaws that attackers with physical access can retrieve the data with little effort, and in some cases, without even knowing the decryption password, a team of academics said.

    The paper, titled got HW crypto? On the (in)security of a Self-Encrypting Drive series, recited a litany of weaknesses in the multiple versions of the My Passport and My Book brands of external hard drives. The flaws make it possible for people who steal a vulnerable drive to decrypt its contents, even when they’re locked down with a long, randomly generated password. The devices are designed to self-encrypt all stored data, a feature that saves users the time and expense of using full-disk encryption software.

    Most of the disks studied encrypt and decrypt data using a USB bridge that connects a computer to the external drive’s SATA interface. The interface is supposed to be off limits until after the computer user has entered the correct password, and to prevent cracking attacks that try billions of password guesses each second, the plain-text passcode is cryptographically salted and subjected to 1,000 iterations of the SHA256 hash function.

But a constellation of errors makes it possible to crack the password in a short amount of time. In one case, the underlying key was predictable because the random numbers used to generate it were derived from the current time on the computer clock.

    Yet another flaw constitutes the equivalent of a backdoor that could allow an attacker to decrypt data without knowing or cracking the user password at all. The drives ship with a default password, but in cases where it has been changed to a user-defined password only once, the key corresponding to the default password remains stored on the device, making it trivial for adversaries to decrypt it.

    got HW crypto?
    On the (in)security of a Self-Encrypting Drive series
    http://eprint.iacr.org/2015/1002.pdf

    Reply
  31. Tomi Engdahl says:

    Some Popular ‘Self Encrypting’ Hard Drives Have Really Bad Encryption
    http://motherboard.vice.com/read/some-popular-self-encrypting-hard-drives-have-really-bad-encryption

    Western Digital Claims to Be Unaware of Alleged NSA Spy Program
http://sputniknews.com/us/20150217/1018397423.html

    Reply
  32. Tomi Engdahl says:

    The NYPD Is Using Mobile X-Ray Vans to Spy on Unknown Targets
    http://www.theatlantic.com/politics/archive/2015/10/the-nypd-is-using-mobile-x-rays-to-spy-on-unknown-targets/411181/?single_page=true

    New York City won’t reveal how often cops bombard places, vehicles, or people with radiation—or if there are health risks for residents.

    Reply
  33. Tomi Engdahl says:

    The CIA director’s email hack: 4 security lessons for the rest of us
    http://www.geekwire.com/2015/the-cia-directors-email-hack-4-security-lessons-for-the-rest-of-us/

    A computer criminal called the New York Post this week to say he’d hacked into CIA Director John Brennan’s personal AOL email account.

    Once you get over the shock that the director of America’s intelligence agency was using an AOL account, you’ll realize that the elements of the attack sound all-too-familiar.

Wired's Kim Zetter reported that the hacker told her he'd tricked Verizon into divulging Brennan's personal information by pretending to be a Verizon employee. Armed with those personal details – which reportedly included the last four digits of a bank card – the hacker and his partners went to AOL and fooled the service's "forgot your password" function, and used it to repeatedly reset the password and hijack the account.

    Making matters much, much worse: Brennan had forwarded some sensitive (but not classified) information from his “work” email to his personal email.

But there are serious lessons to be learned here.

    “Forgot your password” is every hacker’s favorite tool. We’ve known this for years. People forget passwords. When they do, there must be a way to recover or reset the password. This method is almost always less secure than the login credentials.

    Work and pleasure mix. They just do: Everybody forwards work emails to their personal email address. Don’t lie (Sorry for the ambivalence on that one). It’s just too convenient. It’s too easy.

    Those F%^%^ING attachments. They are the source of so much trouble. Attachments are the main delivery mechanism for virus attacks that infiltrate companies. Spear phishing emails with fake “resumes” or “spreadsheets” lead to corporate espionage.

    It can happen to anyone. Here is yet another example proving that even people whose lives and careers depend on security have lapses in judgment. Really? The CIA director getting caught by a teenager with his pants down, using an AOL account to store sensitive (if not Top Secret or Classified) information. You can be secure and make smart choices 23 hours and 59 minutes a day, but it only takes a momentary lapse of reason to make a big mistake.

    Reply
  34. Tomi Engdahl says:

    Western Digital’s hard drive encryption is useless. Totally useless
    Rookie errors make it child’s play to decrypt data
    http://www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/

    The encryption systems used in Western Digital’s portable hard drives are pretty pointless, according to new research.

    WD’s My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed.

    Now, a trio of infosec folks – Gunnar Alendal, Christian Kison and “modg” – have tried out six models in the WD My Passport family, and found blunders in the software designs.

    Western Digital – My Passport / My Book self-encrypting external hard drive series – Multiple vulnerabilities
    http://seclists.org/fulldisclosure/2015/Oct/79

    Vulnerabilities disclosed:
    ==========================
    Multiple vulnerabilities, including:
    * Multiple authentication backdoors, bypassing password authentication
    * AES factory key recovery attacks, exposing user data on all affected devices, regardless of user password
    * Exposure of HW PRNGs used in cryptographic contexts
    * Unauthorized patching of FW, facilitating badUSB/evil-maid attacks

    Reply
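Two of the findings above (comments 30 and 34) come down to the same mistake: key material that was "random" only in the sense that a deterministic generator was seeded from the clock, and a password check that is a few thousand SHA-256 calls, which is cheap for a cracker once the key space is that small. The code below is an added example and a deliberate simplification, not Western Digital's firmware or the paper's code: the generator, the seed granularity and the fingerprint oracle are assumptions chosen to make the weakness visible. It shows how an attacker who knows roughly when a clock-seeded key was made recovers it by enumerating seeds, and what the generator should have been.

```python
"""Why a clock-seeded PRNG is not a key generator.  Models the reported flaw
(key bytes from a generator seeded with the current time) and the salted
1000-round SHA-256 password check as described; both are simplifications,
not the drives' actual code."""
import hashlib
import hmac
import os
import random

def weak_key_from_clock(seed_time, nbytes=32):
    """Model of the flaw: key bytes from a PRNG seeded with a timestamp.
    random.Random is a Mersenne Twister; every seed is fully reproducible."""
    rng = random.Random(int(seed_time))
    return bytes(rng.getrandbits(8) for _ in range(nbytes))

def strong_key(nbytes=32):
    """What it should be: output of the OS CSPRNG, not derivable from anything
    an attacker can enumerate."""
    return os.urandom(nbytes)

def password_kdf(password, salt, iterations=1000):
    """Salted SHA-256 iterated 1000 times, as the paper describes the check.
    Fine against online guessing, far too fast offline; PBKDF2/scrypt with a
    cost tuned to hundreds of milliseconds is the fix."""
    h = hashlib.sha256(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        h = hashlib.sha256(h).digest()
    return h

def key_fingerprint(key):
    """Stand-in for any known-plaintext oracle the attacker has, e.g. a sector
    whose plaintext is known (filesystem header) under the data key."""
    return hashlib.sha256(b"fingerprint" + key).digest()

def recover_clock_seeded_key(fingerprint, window_start, window_seconds):
    """Attacker side: if the key was clock-seeded and the drive's manufacture
    or initialisation date is known to within a year (about 31.5 million
    seeds), enumerating seeds is trivial.  Returns (seed, key) or (None, None)."""
    for t in range(int(window_start), int(window_start) + window_seconds):
        cand = weak_key_from_clock(t)
        if hmac.compare_digest(key_fingerprint(cand), fingerprint):
            return t, cand
    return None, None

if __name__ == "__main__":
    init_time = 1444608000      # constructed: a second in October 2015
    fp = key_fingerprint(weak_key_from_clock(init_time))
    seed, key = recover_clock_seeded_key(fp, init_time - 3600, 7200)
    print("recovered seed", seed, "key", key.hex())
```

The search window in the demo is two hours; the point of the paper's finding is that even a window of years is small, because the generator's whole output is a function of one 32-bit-ish seed. `os.urandom` has no such seed to enumerate.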
  35. Tomi Engdahl says:

    Firefox is testing marking any page that sends passwords over HTTP as insecure
    http://thenextweb.com/apps/2015/10/21/firefox-is-testing-marking-any-page-that-sends-passwords-over-http-as-insecure/

    A huge, but simple change in the latest Firefox Nightly build is a great step forward for the Web.

    The browser now marks sites that show password fields but aren’t sent over HTTPS as insecure. A warning, with crossed out lock will appear in the address bar and explain that your credentials may be compromised if sent.

    When clicked on, Firefox now provides further information about why the site is considered insecure, saying that “information sent over the internet without encryption can be seen by other people.”

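
The classification described in the Firefox comment above, reconstructed as an added example (JavaScript written for this page, not Mozilla's code): given a page URL and a constructed list of its forms, it flags password forms whose credentials would travel over plain HTTP, including the mixed case of an HTTPS page whose form action points at an HTTP endpoint. The form ids and hostnames below are made up.

```javascript
// Added example, not Firefox's own code: flag login forms the way the
// Nightly warning described above does, from a page URL and a list of forms.
// Each form entry carries its action attribute and whether it contains an
// <input type="password">; the id values are made up for the sample.
function findInsecurePasswordForms(pageUrl, forms) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const form of forms) {
    if (!form.hasPasswordField) continue;
    // An empty or missing action submits back to the page URL; a relative
    // action resolves against it, exactly as the browser would resolve it.
    const target = new URL(form.action || "", page);
    const reasons = [];
    if (page.protocol !== "https:") {
      reasons.push("page itself is not served over HTTPS");
    }
    if (target.protocol !== "https:") {
      const scheme = target.protocol.replace(":", "").toUpperCase();
      reasons.push(`credentials would be sent to ${target.origin} over ${scheme}`);
    }
    if (reasons.length > 0) {
      findings.push({ id: form.id, target: target.href, reasons });
    }
  }
  return findings;
}

// Constructed sample: one plain-HTTP login page, and one HTTPS page with a
// legacy form posting to an HTTP endpoint (the mixed case the warning catches)
// next to a form that posts over HTTPS and is fine.
const SAMPLE_PAGES = [
  { url: "http://shop.example/login", forms: [
      { id: "login", action: "", hasPasswordField: true },
      { id: "search", action: "/search", hasPasswordField: false } ] },
  { url: "https://portal.example/account", forms: [
      { id: "legacy", action: "http://auth.example/do-login", hasPasswordField: true },
      { id: "modern", action: "/session", hasPasswordField: true } ] },
];

// Returns a map from page URL to that page's findings.
function auditSamplePages(pages = SAMPLE_PAGES) {
  const report = {};
  for (const p of pages) {
    report[p.url] = findInsecurePasswordForms(p.url, p.forms);
  }
  return report;
}

for (const [url, findings] of Object.entries(auditSamplePages())) {
  console.log(url, findings.length ? findings : "no insecure password forms");
}
```
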
  36. Tomi Engdahl says:

    Edward Snowden interview: ‘Smartphones can be taken over’
    http://www.bbc.com/news/uk-34444233

    Smartphone users can do “very little” to stop security services getting “total control” over their devices, US whistleblower Edward Snowden has said.

    The former intelligence contractor told the BBC’s Panorama that UK intelligence agency GCHQ had the power to hack into phones without their owners’ knowledge.

    Mr Snowden said GCHQ could gain access to a handset by sending it an encrypted text message and use it for such things as taking pictures and listening in.

    The UK government declined to comment.

    Mr Snowden talked about GCHQ’s “Smurf Suite”, a collection of secret intercept capabilities individually named after the little blue imps of Belgian cartoon fame.

    “Dreamy Smurf is the power management tool which means turning your phone on and off without you knowing,” he said.

    “Nosey Smurf is the ‘hot mic’ tool. For example if it’s in your pocket, [GCHQ] can turn the microphone on and listen to everything that’s going on around you – even if your phone is switched off because they’ve got the other tools for turning it on.

    “Tracker Smurf is a geo-location tool which allows [GCHQ] to follow you with a greater precision than you would get from the typical triangulation of cellphone towers.

    Mr Snowden also referred to a tool known as Paranoid Smurf.
    “It’s a self-protection tool that’s used to armour [GCHQ's] manipulation of your phone.”

    Once GCHQ had gained access to a user’s handset, Mr Snowden said the agency would be able to see “who you call, what you’ve texted, the things you’ve browsed, the list of your contacts, the places you’ve been, the wireless networks that your phone is associated with.

    “And they can do much more. They can photograph you”.

    Mr Snowden also explained that the SMS message sent by the agency to gain access to the phone would pass unnoticed by the handset’s owner.

    “It’s called an ‘exploit’,”

    Describing the relationship between GCHQ and its US counterpart, he said: “GCHQ is to all intents and purposes a subsidiary of the NSA.

    “They [the NSA] provide technology, they provide tasking and direction as to what they [GCHQ] should go after.”

    New laws to allow spies to hack into smartphones and computers ‘to be introduced in the coming weeks’
    The Government has pledged to bring back major powers to Britain’s spying agencies
    http://www.independent.co.uk/life-style/gadgets-and-tech/news/new-laws-to-allow-spies-to-hack-into-smartphones-and-computers-to-be-introduced-in-the-coming-weeks-a6702301.html

    Britain’s spies are about to be given huge new powers that will allow them to look in on people’s phones and computers, according to reports.

    A revived and re-named version of the hugely-controversial “Snoopers’ Charter” is set to give spies a “dizzying” range of surveillance and hacking powers, The Times has reported. The new legislation will be introduced next month, the paper reported.

  37. Tomi Engdahl says:

    Apple tells U.S. judge ‘impossible’ to unlock new iPhones
    http://www.reuters.com/article/2015/10/21/us-apple-court-encryption-idUSKCN0SE2NF20151021

    Apple Inc (AAPL.O) told a U.S. judge that accessing data stored on a locked iPhone would be “impossible” with devices using its latest operating system, but the company has the “technical ability” to help law enforcement unlock older phones.

    In court papers, Apple said that for the 90 percent of its devices running iOS 8 or higher, granting the Justice Department’s request “would be impossible to perform” after it strengthened encryption methods.

    Those devices include a feature that prevents anyone without the device’s passcode from accessing its data, including Apple itself.

    The feature was adopted in 2014 amid heightened privacy concerns following leaks by former National Security Agency contractor Edward Snowden about NSA surveillance programs.

  38. Tomi Engdahl says:

    Oh, OK then: Ireland will probe Max Schrems’ Facebook complaints
    Euro court verdict meant it couldn’t say no any longer
    http://www.theregister.co.uk/2015/10/21/ireland_probe_max_schrems_facebook_complaints/

    Facebook crusader Max Schrems returned to the Irish courts today to hear the nation’s Data Protection Commissioner (the DPC) solemnly promise that yes, it would investigate data flows out of Europe.

    The court ordered the DPC, which had refused to investigate, to pay Schrems’ costs.

    The ruling had the effect of taking concerns raised by European individuals into the hands of the data protection authorities in each of the EU’s 29 member states.

    The ECJ invalidated the ‘Safe Harbour’ legal arrangement that US companies have with the European superstate. The court ruled that because of permissive legislation in the USA, and the PRISM programme, Europeans couldn’t be ensured that their data was safe once transferred outside the EU, to the USA. Therefore the legal fudge of ‘Safe Harbour’ – a fudge worked out at EU level – couldn’t be maintained.

  39. Tomi Engdahl says:

    Security company Trend Micro to buy TippingPoint for 300 million dollars from HP.

    TippingPoint manufactures intrusion prevention systems and related network security solutions. With the deal, Trend Micro gains security technology, intellectual property rights and specialist industry expertise, as well as more than 3,500 corporate customers, the companies say in a statement.

    Trend Micro and HP have worked together in partnership since last year. The partnership will also continue after the transaction.

    Source: http://www.tivi.fi/Kaikki_uutiset/trend-micro-lohkaisee-palan-hp-n-bisnesta-300-miljoonalla-6059579

  40. Tomi Engdahl says:

    Deadly IT problem:

    US Army IT system ‘down’ during Afghan hospital strike
    http://www.bbc.com/news/technology-34591855

    A US Army intelligence network was not operational during the recent mistaken attack on a hospital in Afghanistan, according to a member of Congress.

    Representative Duncan Hunter, a frequent critic of the Distributed Common Ground System (DCGS), has written to Defence Secretary Ash Carter about the incident.

    DCGS is a communications network for military and intelligence units.

    Twenty-two people died at the Medecins Sans Frontieres hospital on 3 October.

    There is no clear indication yet that any disruption of the DCGS network had a direct impact on the decision to attack the hospital.

    However, it has not yet been explained why military commanders made that decision, given that the Pentagon has commented the strike was not “intentional”.

    “The attack lasted for more than an hour and the bombing didn’t stop, despite our calls to US officials in Kabul and Washington to make it stop.”

  41. Tomi Engdahl says:

    Ernesto / TorrentFreak:
    Google urges US government not to require whole-site removal of copyright infringing domains

    Google Opposes Whole-Site Removal of “Pirate” Domains
    By Ernesto on October 21, 2015
    Breaking
    https://torrentfreak.com/google-opposes-whole-site-removal-of-pirate-domains-151021/

    Google is rejecting calls from copyright holders to remove entire domain names from Google search based on copyright infringements. In a letter to the U.S. Government the company points out that this would prove counterproductive and lead to overbroad censorship.

    In recent years the movie and music industries have continually pressured Google to take action against online piracy.

    Ideally, groups including the MPAA and RIAA want search engines to remove clearly infringing websites from their search results entirely, especially if courts have previously found them to be acting illegally.

    Just recently the MPAA reiterated this stance in recommendations to U.S. Intellectual Property Enforcement Coordinator (IPEC) Daniel Marti.

    However, Google disagrees and is now urging the Government not to facilitate or promote so-called “whole-site” removals. According to the search giant this may lead to overbroad censorship.

    “Unfortunately, whole-site removal is ineffective and can easily result in censorship of lawful material,” Google writes.

    According to Google, the current DMCA takedown system is both effective and efficient enough to deal with all infringing content.

    “The DMCA provides copyright owners with an effective and efficient framework for removing any infringing page on a site,” Google stresses, noting that it has removed hundreds of millions of URLs already this year.

    Removing or blocking entire websites might not only chill free speech but also prove counterproductive, Google says.

    “Whole site removal would simply drive piracy to new domains, legitimate sites, and social networks,” the company notes, adding that copyright holders should go after the site’s revenue sources instead.

    Another downside of whole-site removal is that the U.S. would send the wrong message to the rest of the world.

    If the U.S. is prepared to censor entire websites based on copyright violations, then other regimes may find it easier to demand the same based on local laws. For example, by demanding the removal of news sites based on political statements, or insults to religion.

    “This would jeopardize free speech principles, emerging services, and the free flow of information online globally and in contexts far removed from copyright,” Google notes.

  42. Tomi Engdahl says:

    Thousands of “Spies” Are Watching Trackerless Torrents
    https://torrentfreak.com/thousands-of-spies-are-watching-trackerless-torrents-151004/

    BitTorrent is a very efficient way to share large files, but not a very private one. It’s commonly known that anti-piracy outfits monitor users through public trackers. However, new research reveals that BitTorrent’s DHT is also full of “spies” who actively harvest IP-addresses.

    The beauty of BitTorrent is that thousands of people can share a single file simultaneously to speed up downloading. In order for this to work, trackers announce the IP-addresses of all file-sharers in public.

    The downside of this approach is that anyone can see who’s sharing a particular file. It’s not even required for monitoring outfits to actively participate.

    This ‘vulnerability’ is used by dozens of tracking companies around the world, some of which send file-sharers warning letters, or worse. However, the “spies” are not just getting info from trackers, they also use BitTorrent’s DHT.

    Through DHT, BitTorrent users share IP-addresses with other peers.

    The spies are not hard to find and many monitor pretty much all torrents hashes they can find. Blocking them is not straightforward though, as they frequently rotate IP-addresses and pollute swarms.

  43. Tomi Engdahl says:

    How To Make VPNs Even More Secure
    https://torrentfreak.com/how-to-make-vpns-even-more-secure-120419/

    From being a niche product used by the few, in the past few years VPN services have hit the big time. These days more and more Internet users see running a privacy enhancing service as a requirement rather than just a luxury. Today we take a look at a few tips and tricks that can enhance the security of any VPN.

  44. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Wikileaks publishes documents from CIA director John Brennan’s personal email account
    http://www.theverge.com/2015/10/21/9583464/wikileaks-cia-email-hack-published-download

    Wikileaks has published data from CIA director John Brennan’s private email account, in a release the group is calling The CIA Files. The documents include a form provided for background investigation during Brennan’s confirmation, as well as position papers on Iran and the intelligence community at large.

    The documents originate in a hack of Brennan’s personal email account at AOL, announced earlier this week. Much of the data has been previewed on the attacker’s twitter account @_CWA_, which has since been suspended. According to an interview with the New York Post, the hacker obtained Brennan’s email archive through a social engineering attack on Verizon, which provided the necessary information to reset Brennan’s AOL password. The larger email archive includes numerous messages between Brennan and other government officials, although it’s unclear if any of the messages were officially classified. Still, much of it is clearly sensitive, and early releases have included social security numbers for a number of high-ranking government officials.

  45. Tomi Engdahl says:

    National Cyber Security Awareness Month 2015
    http://www.dhs.gov/national-cyber-security-awareness-month

    We now live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. Recognizing the importance of cybersecurity to our nation, President Obama designated October as National Cyber Security Awareness Month. National Cyber Security Awareness Month is designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident.

    National Cyber Security Awareness Month takes place each October and is sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.

  46. Tomi Engdahl says:

    Smart Cards Used To Hack Smart Cards
    http://hackaday.com/2015/10/21/smart-cards-used-to-hack-smart-cards/

    The backdoors that enabled these satellite pirates have long been closed, but these devices for stealing HBO have now evolved into stealing €600,000 worth of goods using a most unlikely source: chip and pin card terminals. A gang of criminals in Belgium have successfully broken chip and pin, and although the exploit has now been closed, the researchers behind the investigation have published their war story for one of the most interesting hacks in recent memory.

    Chip and pin verification for Point of Sale (PoS) transactions is a relatively simple process; during a transaction, the PoS system asks for the user’s PIN and transmits it to the card. The card then simply answers ‘yes’ or ‘no’. In 2010, a vulnerability in this system was discovered, making it a simple matter for anyone to break chip and pin systems.

    The problem of implementing this system into something that was easily concealable was simply a matter of miniaturization. Thanks to the proliferation of smart cards over the last 20 years, very tiny microcontrollers are available that could manage this man-in-the-middle attack on a chip and pin system.

    To pull off this exploit, an engineer in the gang of criminals used a FUNcard, a development platform for smart cards loaded up with an Atmel AVR AT90S8515 microcontroller and an EEPROM packaged in a small golden square. By removing the chip from this chipped card and replacing the chip in a stolen credit card, the criminals were able to reproduce the 2010 exploit in the wild, netting them €600,000 in stolen merchandise before they were caught.

    How were they caught? The ‘buyer’ of the gang kept shopping at the same place. Rookie mistake, but once security researchers got their hands on this illegal hardware, they were amazed at what they found.

    Before this exploit was made public, the researchers developed a countermeasure for this attack that was swiftly installed in PoS terminals.

    When Organized Crime Applies Academic Results
    A Forensic Analysis of an In-Card Listening Device
    http://eprint.iacr.org/2015/963.pdf

  47. Tomi Engdahl says:

    Got an Apple Mac, iThing? Update it right now – there’s a shedload of security holes fixed
    OS X, iOS, watchOS, iTunes for Windows all get bug fixes
    http://www.theregister.co.uk/2015/10/21/apple_updates_ios_os_x_and_watchos/

    Apple has posted security updates and feature improvements for its desktop, mobile, and developer gear.

  48. Tomi Engdahl says:

    WikiLeaks leaks CIA director’s private emails – including his nat sec clearance dossier
    Letters, memos, personal info, all dumped online
    http://www.theregister.co.uk/2015/10/21/wikileaks_posts_cia_directors_emails/

    Days after a teenage stoner hacked the AOL email account of CIA director John Brennan, WikiLeaks has published highly sensitive files from the spymaster’s inbox.

    The documents include Brennan’s application for national security clearance, with address, phone number, passport details, and the names and addresses of associates including former CIA boss George Tenet. None of the information has been redacted, which poses a major headache for the director and his agency.

    Also included in the trove are two attachments regarding the use of torture during the interrogation of suspects by the CIA.

  49. Tomi Engdahl says:

    ‘Get a VPN to defeat metadata retention’ is good advice. Sometimes
    Test shows tethering to VPN-on-smartphone is no magic data-erasing rainbow
    http://www.theregister.co.uk/2015/10/21/get_vpn_advice_only_from_experts/

    With the kind-of-launch of the Australian government’s telecommunications data retention regime, there’s been a plethora of advice everywhere – from “lad mags” to the tech press to political parties – with one theme: “get a virtual private network” (VPN).

    Which moves Vulture South to idly wonder: do people know that a VPN on Android might only protect data emanating from the phone, and not (for example) a laptop tethered to its WiFi?

    This isn’t news, it’s just an observation that consumer-level advice about information security is not to be trusted. To make recommendations about security you have to be the kind of obsessive that assumes nothing, takes nothing at face value and checks everything.

  50. Tomi Engdahl says:

    Firefox might shoot shoddy SHA-1 in July
    Cracking research shakes up browser baron.
    http://www.theregister.co.uk/2015/10/22/mozilla_sha1_patch/

    Every time someone asks “how bad is the SHA-1 cipher?” the answer is “easier to crack than you thought”, so Mozilla’s considering killing it off six months ahead of schedule, on 1 July 2016.

    The outdated and vulnerable hashing algorithm was this month found to be rather breakable for attackers willing to splurge just $US75,000 on cloud computing resources.

    That feat undercut older estimates by US$100,000 and means cracking crypto is well and truly within the reach of even modestly-resourced cracking groups.

    Mozilla had previously flagged the algorithm for retirement in 2017, but Firefox security boss Richard Barnes now says the company is considering writing-off SHA-1 web server and intermediate certificates from 1 July, six months earlier than the 1 January 2017 cut-off agreed to by web browser barons.

    “We are re-evaluating when we should start rejecting all SHA-1 SSL certificates regardless of when they were issued,” Barnes says.

    “SHA-2 eventually overtook SHA-1 in May 2015, but there are still nearly a million certificates currently using SHA-1,” Mutton says.

    The National Institute of Standards and Technology blesses only SHA-2 and SHA-3 algorithms, with SHA-256 to SHA-512 permitted by the Browser Forum’s baseline requirements for publicly-trusted certificates.
