Security trends for 2015

3,110 Comments

1. October 22, 2015 at 9:37 am

   Tomi Engdahl says:

   ‘Malicious time source’ can poison Network Time Protocol
   Think of this as an evil TARDIS dropping servers into a time rift
   http://www.theregister.co.uk/2015/10/22/malicious_time_source_can_poison_network_time_protocol/

   Get busy, sysadmins, there’s a bunch of network time protocol (NTP) bugs to squash.

   The BttF reference is in the lead vulnerability, NAK to the Future: NTP symmetric association authentication bypass vulnerability.

   An error in NTP’s crypto-NAK packet handling means an attacker can force someone’s ntpd process to peer with a “malicious time source” and fool around with their system clocks.

   The NTP Project says users should immediately install ntp-4.2.8p4 to get the fix, and implement BCP 38 ingress and egress filtering.

   Reply
2. October 22, 2015 at 9:42 am

   Tomi Engdahl says:

   Security researchers face wrath of spy agencies
   Academics deported, harassed, have contracts and clearances shredded after spookwork
   http://www.theregister.co.uk/2015/10/22/behind_the_headlines_apt_researchers_face_wrath_of_spy_agencies/

   Researchers tasked with revealing attacks by intelligence agencies are being harassed, locked out of tenders, and in some cases deported, Kaspersky researcher Juan Andrés Guerrero-Saade says.

   Retaliation by the unnamed agencies is in direct response to news of prominent advanced-persistent threat campaigns that have coloured information security reporting over recent years.

   Those reports are forcing researchers to reveal malware attacks by government spy agencies.

   Specific details on the harassment is tightly-held

   “In many places intelligence services tend to be more civilised than in others — you would be lucky to deal with them in the US versus wherever else, Latin America, Asia, or Eastern Europe where they take very different tactics, ” Guerrero-Saade says.

   Guerrero-Saade spoke on the back of his paper The ethics and perils of APT research: An unexpected transition into intelligence brokerage [pdf] which he says is a “meditation” that covers the perils faced by threat intelligence companies and researchers as the ultimately altruistic academics aggravate diplomatic and national interests.

   http://media.kaspersky.com/pdf/Guerrero-Saade-VB2015.pdf

   Reply
3. October 22, 2015 at 9:44 am

   Tomi Engdahl says:

   Oracle Fixes Java Vulnerability Used By Russian Cyberspies
   http://developers.slashdot.org/story/15/10/21/222252/oracle-fixes-java-vulnerability-used-by-russian-cyberspies

   Oracle said that it has fixed 154 security flaws in Java and a wide range of its other products, including one that Russian cyberespionage group Pawn Storm used to launch stealthy attacks earlier this year.

   Oracle slams door on Russian cyberspies who hacked Nato PCs through Java
   http://www.itworld.com/article/2995610/oracle-slams-door-on-russian-cyberspies-who-hacked-nato-pcs-through-java.html

   The Java vulnerability can be used to bypass the user confirmation requirement before a Web-based Java application is executed by the Java browser plug-in. This type of protection mechanism is commonly referred to as click-to-play.

   The flaw was reported to Oracle by security researchers from Trend Micro, who first spotted the vulnerability in July in attacks launched by a Russian hacker group dubbed Pawn Storm that commonly targets military and governmental institutions from NATO member countries.

   The vulnerability, tracked as CVE-2015-4902, was being used by the Pawn Storm attackers to enable the execution of a malicious Java application without user interaction. That application was designed to exploit a separate vulnerability that was also unpatched at the time, in order to install malware on computers.

   Reply
4. October 22, 2015 at 10:01 am

   Tomi Engdahl says:

   EFF’s Let’s Encrypt has support from super browser brothers
   Mozilla, Cisco, Akamai, IdenTrust and the University of Michigan are making good
   http://www.theinquirer.net/inquirer/news/2431393/effs-lets-encrypt-has-support-from-super-browser-brothers

   A SECURITY CERTIFICATE EFFORT involving the Electronic Frontier Foundation (EFF), Mozilla, Cisco, Akamai, IdenTrust and the University of Michigan has lived up to promises to be in order by 2015.

   The promise was to provide a more secure way of providing secure certificates that is simple and good. Things are going well, according to the newest information from the IRSG, and it is close to lighting a rocket under the average website’s transition from HTTP to HTTPS.

   Reply
5. October 23, 2015 at 9:59 am

   Tomi Engdahl says:

   Fitbit Owners Not at Risk of Malware, Company Says
   http://www.nbcnews.com/tech/security/fitbit-owners-not-risk-malware-company-says-n449176

   Fitbit is defending itself against claims by a security researcher that its fitness trackers can be hacked wirelessly in 10 seconds and then be used to infect a computer with malware.

   Earlier this month, Axelle Apvrille from security firm Fortinet claimed to have found a way to hack into a Fitbit through its Bluetooth connection, which could theoretically be used to infect it with malware and distribute that malware to any devices or computers it synced with.

   Fitbit disputed those findings in a statement to NBC News.

   “These reports are false,” the company wrote. “In fact, the Fortinet researcher, Axelle Apvrille who originally made these claims has confirmed to Fitbit that this was only a theoretical scenario and is not possible.”

   ’10-second’ theoretical hack could jog Fitbits into malware-spreading mode
   Wristputer-pusher disputes claims from Fortinet
   http://www.theregister.co.uk/2015/10/21/fitbit_hack/

   Reply
6. October 23, 2015 at 10:15 am

   Tomi Engdahl says:

   Joomla patches critical core shop-pwning flaw
   No coupon? Just make yourself ADMIN.
   http://www.theregister.co.uk/2015/10/23/joomla_patches_critical_core_shoppwning_flaw/

   Popular content management system (CMS) Joomla has pushed three patches, including a critical fix for SQL injection vulnerabilities that allow attackers to become admins on most customer websites.

   The team issued fix 3.4.5 addressing the SQLi vulnerabilities (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858) which exist in version 3.2 to 3.4.4 and were identified earlier this month.

   Joomla is used by the likes of Barnes and Noble, eBay, and Peugeot.

   Trustwave’s Asaf Orpani and PerimeterX’s Netanel Rubin quietly disclosed the bugs which were quickly patched.

   Reply
7. October 23, 2015 at 10:53 am

   Tomi Engdahl says:

   IBM’s SoftLayer cloud beats AWS, Azure … at spreading spam
   Mal-mail mavens say Big Blue’s got some security scraps to fight in near future
   http://www.theregister.co.uk/2015/10/23/ibm_softlayer_king_of_spam/

   IBM’s US$2 billion acquisition SoftLayer is the world’s largest source of spam, according to email vanguards Cloudmark and Spamhaus.

   Big Blue acquired the cloud company in June 2013 and since then net forums have been filled with chatter about the amount of cyber-chaff the Dallas-centred outfit’s users are spewing.

   Spam clearing station Spamhaus puts SoftLayer at the top of its 10 worst offenders noting it has 685 spam block list issues as of the time of writing.

   These included Dridex bots and hundreds of “massive sources of malware-distribution spam”.

   SoftLayer says it is working with authorities, SpamHaus, and IBM to end the spamming.

   “Current spam layers from SoftLayer are 600 percent higher than they were one year ago,”

   “Spam continues to plague the internet because a small number of internet service providers knowingly sell service to professional spammers for profit, or do not enough or nothing to prevent spammers operating from their networks,” the organisation says in a note that doesn’t mention SoftLayer.

   “Although nearly all ISPs claim to be anti-spam, some executives factor revenue made from hosting known spam gangs into corporate policy decisions to continue to sell services to spam operations.

   Reply
8. October 23, 2015 at 10:58 am

   Tomi Engdahl says:

   Hackers hit NATO, White House – then aimed at MH17 air disaster probe
   Pawn Storm gang set sights on crash investigators
   http://www.theregister.co.uk/2015/10/22/pawn_storm_hackers_targeted_mh17/

   The Pawn Storm hackers who tried to infiltrate NATO and White House networks have been spotted bothering another sensitive target: the team investigating the downed Malaysia Airlines MH17 flight.

   Researchers at Trend Micro found suspicious SFTP, VPN, and Outlook Web Access servers configured to collect usernames and passwords from officials probing the aircraft disaster.

   Team Trend reckons the malware-slinging Pawn Storm crew set up the servers in September and October as the officials prepared to publish their findings. It is likely the hackers sent spear-phishing emails to the investigators, hoping they would follow the links and enter their login credentials, believing the servers to be valid.

   “These discoveries show that it is very likely that Pawn Storm coordinated attacks against different organizations to get sensitive information on the MH17 plane crash,” said Trend Micro senior threat researcher Feike Hacquebord.

   Reply
9. October 23, 2015 at 10:59 am

   Tomi Engdahl says:

   Security Flaws Discovered in NTP, Protocol Used for Synchronizing Clocks
   http://news.softpedia.com/news/security-flaws-discovered-in-ntp-protocol-used-for-synchronizing-clocks-495077.shtml

   Eight security vulnerabilities have been discovered by Cisco researchers in the Network Time Protocol (NTP) used by Linux, Mac, and BSD OS distributions.

   If this were April 1, we would think this is a bad joke. Why? Because the vulnerabilities were announced on October 21, 2015, the date on which Michael J. Fox traveled to the future in the famous “Back to the Future 2″ movie.

   Surprisingly, one of the 8 security vulnerabilities discovered by Cisco’s engineers allows attackers to manipulate a target’s clock, making the victim believe they traveled to the future.

   All jokes aside, the vulnerabilities identified by Cisco’s staff affect the Network Time Protocol daemon (ntpd), responsible for synchronizing time across computer networks (like the Internet, Intranets or smaller LANs).

   The reported vulnerabilities include an error handling logic error that bypassed proper authentication, procedures letting attackers change local system time; multiple memory corruption issues that open the protocol for buffer overflow or use-after-free attacks; multiple vulnerabilities that caused DoS (Denial of Service) states by crashing the daemon or making it enter an infinite loop; and a directory traversal and file overwrite issue that allowed attackers to overwrite ntpd configs.

   All versions between NTP 4.2.5p186 and 4.2.8p3 are vulnerable

   Reply
10. October 23, 2015 at 11:08 am

    Tomi Engdahl says:

    Cisco Identifies Multiple Vulnerabilities in Network Time Protocol daemon (ntpd)
    http://blog.talosintel.com/2015/10/ntpd-vulnerabilities.html

    CVE-2015-7871 – NAK to the Future: NTP crypto-NAK Symmetric Association Authentication Bypass Vulnerability

    CVE-2015-7849 – Network Time Protocol Trusted Keys Memory Corruption Vulnerability
    CVE-2015-7852 – Network Time Protocol ntpq atoascii Memory Corruption Vulnerability
    CVE-2015-7853 – Network Time Protocol Reference Clock Memory Corruption Vulnerability
    CVE-2015-7854 – Network Time Protocol Password Length Memory Corruption Vulnerability

    CVE-2015-7848 – Network Time Protocol Multiple Integer Overflow Read Access Violations
    CVE-2015-7850 – Network Time Protocol Remote Configuration Denial of Service Vulnerability

    Known Vulnerable Versions
    ntp 4.2.5p186 though ntp 4.2.8p3
    ntp-dev.4.3.70

    Reply
11. October 23, 2015 at 11:11 am

    Tomi Engdahl says:

    Network Time Protocol flaws defy HTTPS, cause network chaos
    http://www.zdnet.com/article/network-time-protocol-flaws-defy-https-cause-network-chaos/

    Serious flaws have been discovered in NTP which can be exploited to cause wholesale destruction on a network — because of a clock.

    Network admins take note: A set of vulnerabilities can bypass HTPPS with ease and result in spying, outages and authentication bypass.

    Discovered on Wednesday by Cisco’s security intelligence and research group Talos, the critical bugs are found within the Network Time Protocol (NTP), designed to synchronize the clocks of computers over a network. Developed before 1985, the protocol is one of the oldest still in use.

    The error lies within NTPD’s handling of certain crypto-NAK packets — unauthenticated packets — which results in vulnerabilities that give attackers the chance to force NTPD processes to link to malicious time sources and change network clocks.

    In most configurations, NTPD decides which other daemons to peer with through controls specified by admins within the ntp.conf configuration file. However, NTP can create peer associations on the fly — as long as a packet received has been authenticated under a trusted key.

    Reply
12. October 23, 2015 at 2:21 pm

    Tomi Engdahl says:

    Intel Pulling the Plug On McAfee/MX Logic Anti-Spam
    http://it.slashdot.org/story/15/10/23/1224219/intel-pulling-the-plug-on-mcafeemx-logic-anti-spam

    Intel today announced that it is killing the MX Logic/McAfee/Intel Security spam protection service

    McAfee Email Security Solutions End of Life Frequently Asked Questions
    http://www.mcafee.com/resources/faqs/faq-eol-email-security.pdf

    Reply
13. October 23, 2015 at 2:31 pm

    Tomi Engdahl says:

    Hackers pop grease monkeys’ laptops to disable Audi airbags
    Just when VW thought it was back under control, a nasty 0-day pulls up
    http://www.theregister.co.uk/2015/10/23/hackers_pop_mechanics_laptops_to_silently_disable_car_airbags/

    Hackers can quietly disable airbags in cars sold by Volkswagen using a zero day vulnerability in software popular with car mechanics.

    The attacks demonstrated on an Audi TT require a mechanic’s computer to be first compromised or for a malicious USB device to be plugged in for the exploit to work.

    The attack can allow intruders to conceal the disabling of airbags and other car functions from mechanics by falsifying read outs from the car.

    Buttyán told Vulture South the third-party software is widely-used and compatible with cars sold by the Volkswagen Group (which includes Audi), adding that two other platforms also appear affected.

    “… it works with other cars in the VW group too without any modification,” Buttyán says.

    “Anything that can be switched on or off from the diagnostic application could have been switched on or off.

    “After switching off the airbag, we can consistently report to the application that it is still switched on.”

    Buttyán stresses that the flaw “has nothing to do with VW itself” and relates solely to third-party software.

    “It is not the specific software which makes our work interesting, but the main message that embedded devices are typically managed from PCs and they can be infected [and used] as stepping stones.”

    The team’s attack works by replacing the FTDI DLL used to communicate with the diagnostic cable, with a malicious version.

    The attack is risky because it is more likely that a mechanic’s PC would contain vulnerabilities than a car would sport remotely-accessible holes.

    Still Buttyán says the attack could be made more dangerous if it becomes possible to update a car’s embedded control unit firmware through the OBD2 port. That could allow an attacker to insert a hidden functionality to be triggered by a condition later on – such as cutting a critical system while the car is in motion.

    Reply
14. October 26, 2015 at 8:18 am

    Tomi Engdahl says:

    Joomla SQL-Injection Flaw Affects Millions of Websites
    http://it.slashdot.org/story/15/10/25/1244239/joomla-sql-injection-flaw-affects-millions-of-websites

    Joomla has just issued a patch that fixes a SQL-injection vulnerability discovered by a researcher at Trustwave SpiderLabs. The flaw allowed malicious users to extract a browser cookie assigned to a site’s administrator, giving them access to restricted parts of the server. The flaw first appeared in Joomla 3.2

    Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access
    https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0

    Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.

    Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.

    CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.

    Reply
15. October 26, 2015 at 8:30 am

    Tomi Engdahl says:

    Court to Wikimedia: Your NSA spying evidence is inadmissable, so you can’t prove NSA spying
    Catch-22: It’s the best catch there is
    http://www.theregister.co.uk/2015/10/25/court_to_wikimedia_you_cant_get_evidence_about_the_nsa_so_you_cant_prove_the_nsa_is_spying/

    The Wikimedia Foundation’s attempt to stop the National Security Agency (NSA) from spying on its users has foundered because it’s impossible to offer court-acceptable evidence of the NSA’s activities.

    Wikimedia and its co-plaintiffs, a who’s-who of human rights organisations, announced their lawsuit back in March.

    However, they’ve been blocked by the problem that previously killed off a 2013 case in which Amnesty International and other organisations tried to take on the NSA over snooping. In that case (summary at Wikipedia), the United States Supreme Court ruled that the case was too speculative to proceed.

    The Wikimedia case had tried to use the scale of the organisation as part of the basis for its case – that with a trillion annual connections, snooping on its traffic represents a significant chunk of the ‘net’s users.

    About that, the court was dismissive, with the judge writing that Wikimedia didn’t put the number in context: “For example, one trillion dollars are of enormous value, whereas one trillion grains of sand are but a small patch of beach.”

    Reply
16. October 26, 2015 at 9:09 am

    Tomi Engdahl says:

    New York Times:
    US officials concerned that increased Russian naval operations indicate plans to cut undersea cables carrying most of global Internet data in times of conflict — Russian Presence Near Undersea Cables Concerns U.S. — WASHINGTON — Russian submarines and spy ships are aggressively operating near

    Russian Ships Near Data Cables Are Too Close for U.S. Comfort
    http://www.nytimes.com/2015/10/26/world/europe/russian-presence-near-undersea-cables-concerns-us.html

    WASHINGTON — Russian submarines and spy ships are aggressively operating near the vital undersea cables that carry almost all global Internet communications, raising concerns among some American military and intelligence officials that the Russians might be planning to attack those lines in times of tension or conflict.

    The issue goes beyond old worries during the Cold War that the Russians would tap into the cables — a task American intelligence agencies also mastered decades ago. The alarm today is deeper: The ultimate Russian hack on the United States could involve severing the fiber-optic cables at some of their hardest-to-access locations to halt the instant communications on which the West’s governments, economies and citizens have grown dependent.

    While there is no evidence yet of any cable cutting, the concern is part of a growing wariness among senior American and allied military and intelligence officials over the accelerated activity by Russian armed forces around the globe.

    Inside the Pentagon and the nation’s spy agencies, the assessments of Russia’s growing naval activities are highly classified and not publicly discussed in detail.

    “I’m worried every day about what the Russians may be doing,” said Rear Adm. Frederick J. Roegge, commander of the Navy’s submarine fleet in the Pacific, who would not answer questions about possible Russian plans for cutting the undersea cables.

    “The level of activity,” a senior European diplomat said, “is comparable to what we saw in the Cold War.”

    Advertisement
    Continue reading the main story

    One NATO ally, Norway, is so concerned that it has asked its neighbors for aid in tracking Russian submarines.

    Reply
17. October 26, 2015 at 9:29 am

    Tomi Engdahl says:

    Dell Cameron / The Daily Dot:
    DoJ says courts should require Apple to decrypt data on iOS devices because software is “licensed, not sold” to customers

    DOJ dismisses Apple’s arguments against decrypting iOS communications
    http://www.dailydot.com/politics/apple-ios-encryption-unlocking-doj-reply/

    The U.S. government rejected Apple’s arguments in federal court that unlocking iOS devices for police would damage the tech giant’s public image and overburden its employees and resources.

    Federal courts should require Apple to unlock encrypted data because the operating system is “licensed, not sold,” to customers, the Justice Department argued in a reply brief in the U.S. District Court for the Eastern District of New York.

    “Apple designed, manufactured, and sold [the phone] that is the subject of the search warrant,” the government told U.S. Magistrate Judge James Orenstein. “But that is only the beginning of Apple’s relationship to the phone and to this matter. Apple wrote and owns the software that runs the phone, and this software is thwarting the execution of the warrant.”

    The government noted in its reply that Apple has openly admitted that it licenses iOS, meaning it does not fully transfer the attendant rights and responsibilities of ownership to its customers. “Apple’s software licensing agreement specifies that iOS 7 software is ‘licensed, not sold’ and that users are merely granted “a limited non-exclusive license to use the iOS Software,” the brief said.

    But Apple argued in its brief that, while decrypting a single phone was not particularly onerous, doing so would set a precedent that would unduly burden the company in the future. Routinely aiding law enforcement, the company said, would substantially tax its resources, diverting employees, software, and equipment from daily operations. “This burden,” it argued, “increases as the number of government requests increases.”

    The Justice Department dismissed this argument. “Apple asserts that its burden ‘increases as the number of government requests increases,’” the government replied on Thursday, “but it makes no attempt to quantify this burden or demonstrate that such orders have in fact cumulatively burdened it significantly.

    Apple had also argued that decrypting user data for police would damage its reputation at a time when “public sensitivity to issues regarding digital privacy and security is at an unprecedented level.”

    “The government sort of waved its hand and said ‘those aren’t relevant concerns here.’”

    Reply
18. October 26, 2015 at 9:46 am

    Tomi Engdahl says:

    How to Fix the Internet of Broken Things
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1328085&

    As an industry, we need to start to address the security limitations inherent in the Internet of Things. A new hardware-led approach needs to be at the heart of the solution.

    The Internet of Things is already permeating every part of our lives — from healthcare to aviation, automobiles to telecom. Unfortunately, its security is fundamentally broken.

    In my previous two blogs, 4 Security Challenges That Threaten to Tear Apart the Internet of Things and A Matter of Life and Death: Why We Must Take IoT Flaws Seriously, I’ve shown how vulnerabilities found by security researchers could have catastrophic consequences for end users. This isn’t just about data breaches and reputational damage anymore — lives are quite literally on the line. The challenges are many: most vendors operate under the misapprehension that security-by-obscurity will do — and lobby for laws preventing the disclosure of vulnerabilities; a lack of security subject matter expertise creates major vulnerabilities; firmware can too easily be modified; and a lack of separation on the device opens up further avenues for attackers.

    However, there is something we as an industry can do about it — if we take a new hardware-led approach. This is all about creating an open security framework built on interoperable standards; one which will enable a “root of trust” thanks to secure boot capabilities, and restrict lateral movement with hardware-based virtualization.

    Open security
    Microsoft Windows, Adobe Flash, and Oracle Java — what do these software products have in common? They’re all proprietary closed source. And they’re all among the most vulnerable and exploited on the planet. Many mainstream browsers don’t even run Java; Flash is such a security concern that modern browsers offer the option to activate plugins on a per-page basis, while system administrators will be well aware that Windows receives numerous security updates every single month —the Common Vulnerabilities and Exposures (CVE) database reports 120 Windows 7 vulnerabilities in 2015 alone, as of October 2015. The problem is that the security-by-obscurity mantra that many firms and IoT makers hold so dear is simply not effective any more. Security researchers, and those with more malicious intent, can quite easily extract binary code from devices via JTAG, or find it online in the form of updates, and reverse engineer via one of the many tools readily available.

    Tools like IDA and Binwalk, just to name a few, have reached amazing levels of intelligence and sophistication. Security by obscurity simply doesn’t exist anymore — if ever. Instead we need to look to open source and open security.

    What’s more, thanks to the strength, dedication and sheer size of the open source community, security flaws are routinely fixed within hours of discovery. It’s not uncommon to have a rolling process producing and making available near-real-time updates — e.g. the Linux Debian security model. This is certainly not the case with proprietary code — Google just recently announced its commitment to monthly updates for Android.

    How to Fix the Internet of Broken Things
    http://www.ebnonline.com/author.asp?section_id=3809&doc_id=278996&%22target=%22new%22

    Reply
19. October 26, 2015 at 9:56 am

    Tomi Engdahl says:

    Survey: Cars Contain Few Barriers to Hackers
    ‘OEMs don’t yet have desire, skills, tools or processes to make a secure car’
    http://www.eetimes.com/document.asp?doc_id=1328103

    Recent survey results on car cybersecurity, conducted in July 2015, have revealed that the automotive industry is still ill-equipped to protect connected vehicles from hackers—regardless of the industry’s assertions to regulators, the media and consumers.

    Ponemon Institute, who asked questions—via telephone, secure Web and direct interviews—of 500 automotive developers, engineers, and executives primarily from automotive OEMs and Tier One suppliers, produced a damning report entitled “Car Cybersecurity: What Do the Automakers Really Think?”

    The report found that automotive developers do not believe their companies are either taking security seriously enough, or empowering them to make software more secure.

    the most shocking revelation was that “security was a priority for less than half of respondents.”

    According to the report, only 41 percent of developers polled agree that secure software is a priority for their companies. In fact, 28 percent disagreed.

    Even worse, 69 percent of these developers believe that securing the applications are difficult/very difficult, and nearly half believe that a major overhaul of the car’s architecture is required to make it more secure.

    The survey further revealed that at least 44 percent of the developers queried believe that hackers are actively targeting automobiles.

    The survey concluded: “OEMs and their suppliers do not yet have the desire, skills, tools or processes to make a secure car.”

    That sounds pretty harsh.

    But the survey results showed also that there is fundamental knowledge gap—among automakers—about how to move forward to avoid security failures.

    In defense of automakers, the report says that this lack of knowledge doesn’t mean that automakers are sitting still.

    The survey found that 63 percent are running automated software scans during development. Half are running scans after the application has been released, and 36 percent are conducting penetration tests.

    Most significantly, though, the survey found only a quarter of those surveyed say that “they are adhering to secure coding standards or conducting high-level assessments such as threat models.”

    According to the report, “Surprisingly, 43 percent felt that white hat hackers should be subject to the Digital Millennium Copyright Act (DMCA), which means hackers could be potentially arrested for experimenting on automotive application code.” Further, of the 42 percent that believe white hat hackers shouldn’t be subject to the DMCA, 54 percent of respondents said these hackers shouldn’t be encouraged to test car software.

    Over the last several years, carmakers in general chose complacency over action. Among their reasons for this complacency were: “it can’t happen here,” “too much effort for too little reward,” and “no known actual breaches,”

    The automotive industry’s behavior has not changed.

    By this summer, though, several celebrated hacking incidents had emerged. These include the vulnerabilities found in Chrysler Jeeps, which resulted in Chrysler’s recall of 1.4 million vehicles, and a flaw in General Motors’ OnStar RemoteLink system, through which a hacker found a way to remotely unlock doors and start engines. These incidents contradicted carmakers’ arguments that such incidents are “unlikely scenarios” and “scare mongering.”

    CAN Bus Can Be Encrypted, Says Trillium
    http://www.eetimes.com/document.asp?doc_id=1328081&

    Until the recent wave of carmakers rolling out more and more connected cars for the consumer market, cyber security was always a matter of indifference to car OEMs and Tier Ones. Now, it’s a big deal.

    “Hacking research has shown that nearly all access points can be compromised.” To cope with this reality, technology suppliers are beginning to launch a number of cyber security solutions, he said. They range from hardware security to CAN (Controller Area Network) bus firewalls and ECU software monitoring.

    But what the world hasn’t seen yet – and Juliussen hasn’t seen either – is a technology capable of encrypting CAN bus itself.

    That’s about to change, according to Trillium, a Japan-based start-up headed by David Uze, former CEO of Freescale Japan. Uze told EE Times this week that a small team of Trillium engineers has developed what it calls SecureCAN — “a CAN bus encryption and key management system for protecting payloads less than 8bytes.”

    Essential to this assertion is a claimed ability to handle data “in 8bytes,” instead of the 128-bit block the Rijndael algorithm needs for AES-based encryptions.

    Reply
20. October 26, 2015 at 10:03 am

    Tomi Engdahl says:

    4 Security Challenges That May Tear Apart the Internet of Things
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1328044&
    http://www.ebnonline.com/author.asp?section_id=3809&doc_id=278931&

    The Internet of Things is developing at such a rate that it threatens to outstrip our ability to adequately secure it…and that’s potentially a huge problem.

    A piece of software hasn’t been written yet that didn’t contain mistakes – after all, we’re only human. But with non-IoT security experts designing and building connected systems the risks grow ever greater. So what can be done?

    1) Proprietary software evil

    All of the IoT security flaws previously referenced were discovered thanks in part to reverse engineering of proprietary software.

    In short, over and over again closed proprietary software has proven to be simply unfit for purpose. Compared to mainstream open source software it represents the path of least resistance for a determined and sufficiently resourced attacker

    2) Network Connectivity

    The most dangerous Achilles heel of IoT devices is their connectivity – whether to the public facing Internet or with other networked devices. It gives attackers who have found a weakness in the code a means to hack their victims remotely. On an unprecedented scale, connectivity means an almost limitless number of systems can be hacked simultaneously.

    3) Broken firmware updates

    The vast majority of IoT and connected embedded devices can’t be regularly patched/updated; these patches and updates also aren’t automatically provided by the manufacturer. In instances where the software can be updated, the software should only come from a trusted source.

    4) Systems promiscuity

    All of the attacks mentioned above were made possible due to a lack of the internal security controls which limit lateral movement inside targeted systems. It’s a strategy used by cybercriminals frequently in targeted attacks to data centers. They gain an initial foothold into an endpoint via malware download, made possible by a spearphishing email or by simply cracking or stealing user credentials. Then they move around laterally inside the network, escalating privileges until they find the real prize – typically a database full of sensitive IP or customer information.

    Separation is one of the fundamental principles of security, so it’s not only dispiriting to see it ignored in so many cases when it comes to IoT-related system, it’s downright dangerous.

    As the Internet of Things becomes an ever-larger part of our lives, it has found its way into an increasing number of the systems and platforms we take for granted today. These systems control airplanes, automobiles, drug pumps and even rifles. It’s critical then that we take proactive steps to lock down the risks that come from software vulnerabilities.

    Reply
21. October 26, 2015 at 10:41 am

    Tomi Engdahl says:

    TalkTalk attack: ‘No legal obligation to encrypt customer bank details’, says chief
    ISP calls in BAE Systems to probe security breach
    http://www.theregister.co.uk/2015/10/25/talktalk_boss_no_legal_obligation_to_encrypt_customer_bank_details/

    TalkTalk continued on its quest to be painted merely as a victim of crime today, while the budget ISP’s website remained offline following a huge attack on its business earlier this week.

    In an interview with the Sunday Times, Harding said that her company was under no “legal obligation” to encrypt sensitive customer data, such as bank account details.

    “It wasn’t encrypted, nor are you legally required to encrypt it,” she told the newspaper. “We have complied with all of our legal obligations in terms of storing of financial information.”

    She added: “The bad stuff that can happen is actually because the criminal then scams you further.”

    TalkTalk has claimed that the data nicked by malefactors was “materially lower” than feared. However, the company was yet to reveal exactly how many of its customers were at risk of being targeted by scammers following the raid on its website.

    Reply
22. October 26, 2015 at 10:58 am

    Tomi Engdahl says:

    TalkTalk plays ‘no legal obligation’ card on encryption – fails to think of the children (read: its customers)
    Morality? We’ve heard of it!
    http://www.theregister.co.uk/2015/10/26/talktalk_encryption_dpa/

    On Sunday morning, embattled TalkTalk boss Dido Harding crassly stated that her company was under no legal obligation to encrypt customers’ sensitive data.

    Her brutal – and, some might say, foolish – comment came a day after the budget telco confirmed that some of its subscribers’ credit card details had been stolen in a raid on TalkTalk’s website last week.

    Since then, the company’s site has remained offline while a probe from Scotland Yard’s cyber cops and data-mining experts from BAE Systems’ Applied Intelligence wing – once known as Detica – rifle through TalkTalk’s computer systems, hunting for clues and trying to make the whole thing more secure.

    But while many may have expressed disgust with Harding’s off-colour remarks, it should be noted that current UK data regulations are pretty vague.

    The 1998 Data Protection Act only implies that companies should consider encrypting sensitive customer information, but no “explicit” obligation is demanded under UK law.

    If the past few days have shown us anything beyond the much wider debate about encryption, it’s that TalkTalk has failed to spot a flaw in its efforts to be ahead of the media with this story: the company’s reputation is in tatters because it seemingly gave no consideration for its moral obligation to its customers.

    Reply
23. October 26, 2015 at 11:03 am

    Tomi Engdahl says:

    Easily Hacked Tea Kettle Latest To Highlight Pathetic Internet Of Things ‘Security’
    https://www.techdirt.com/articles/20151015/13551232547/easily-hacked-tea-kettle-latest-to-highlight-pathetic-internet-things-security.shtml

    We’ve discussed at length that companies rushing to embrace the “Internet of Things” (read: networked devices for those of us not in marketing) tend to have completely forgotten a little something called device security. As a result we’re now bombarded week after week with stories about cars that can be controlled remotely, televisions that share your unencrypted living room conversations with anybody on the Internet, and refrigerators that leave the door wide open to having your e-mail password stolen. Some of these are kind of cute exploits, but many of them could be potentially fatal.

    While these companies are desperately trying to highlight the wonderful future of Internet connected devices, they’ve inadvertently been creating advertisements for why many devices should just remain stupid. Especially if you’re going to cut corners in development so device security is an afterthought, or cut corners post release when it comes to quickly identifying and patching exploits.

    The latest case in point: the $150 iKettle by UK company Smarter promises to save its users “two days a year in wasted waiting time” over traditional tea kettles. How? Users can remotely turn the kettle on from anywhere via smartphone app, potentially letting users walk into the house just as the kettle comes to a boil.

    The researchers call the current state of IOT security “utterly bananas,” and warn readers of their blog not to “put pointless ‘Internet of Things’ devices on your home network, unless their security is proven.”

    New Wi-Fi kettle, same old security issues? Meh.
    https://www.pentestpartners.com/blog/new-wi-fi-kettle-same-old-security-issues-meh/

    The fundamental issue is that if you have this kettle it’s possible for someone to get your wireless network key, and help themselves to whatever is on your network, or use your Wi-Fi for whatever purpose they choose.

    Anyway, that’s all in the past because the new iKettle 2.0 model fixes all that. …erm, except it doesn’t.

    The apps that control them haven’t been updated.

    Here’s what is broken about the iKettle

    If you have a Wi-Fi kettle, a hacker can drive past your house and steal your Wi-Fi key (the PSK).

    This is REALLY easy if you use the Android app to control your kettle. If you use the iPhone app, it takes a little longer.

    If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle. Check out our map of some unconfigured iKettles locations in West London

    Once the hacker has your Wi-Fi key, they would probably use it to access your home network, take control of your Wi-Fi router, then change your DNS settings so that all your internet traffic is relayed via them. Easy to steal your passwords!

    Your online banking, social networks, email. All compromised.

    Make sure you change your Wi-Fi router admin password. That’s good advice whether you have a Wi-Fi kettle or not!
    Make sure you’ve changed your Wi-Fi network key from the default too.

    Reply
24. October 26, 2015 at 12:39 pm

    Tomi Engdahl says:

    SaaS outfit to users: Change password! Or don’t. Oh, go on then
    Accounting company Xero spreads fear-o with password warning SNAFU
    http://www.theregister.co.uk/2015/10/26/you_change_your_password_actually_not_you_oh_go_on_then/

    Online accounting enfant terrible Xero has apologised for telling too many people to change their passwords, when they didn’t need to change their passwords even though it wouldn’t hurt them to change their passwords.

    Reply
25. October 26, 2015 at 1:12 pm

    Tomi Engdahl says:

    How to Memorize a Random 60-Bit String
    http://www.isi.edu/natural-language/mt/memorize-random-60.pdf

    User-generated passwords tend to be memo-
    rable, but not secure. A random, computer-
    generated 60-bit string is much more secure.
    However, users cannot memorize random 60-
    bit strings. In this paper, we investigate meth-
    ods for converting arbitrary bit strings into En-
    glish word sequences (both prose and poetry),
    and we study their memorability and other
    properties.

    Reply
26. October 26, 2015 at 1:30 pm

    Tomi Engdahl says:

    CCTV Botnet In Our Own Back Yard
    https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html

    Much has been said about the threat posed by the Internet of Things (IoT). Considered the “barbaric horde” of under-protected connected devices, all of them are just waiting to be compromised by any half-competent hacker.

    While we haven’t yet had the chance to intercept any refrigerator-mounted malware, over the years we‘ve seen our share of IoT botnets, with CCTV ones being among the most common. We first warned about them in March 2014, when we became aware of a steep 240 percent increase in botnet activity on our network, much of it traced back to compromised CCTV cameras.

    Not surprising, given that CCTV cameras are among the most common IoT devices.
    Reports show that in 2014, there were 245 million surveillance cameras operating around the world. And this only accounts for the professionally installed ones. There are likely millions more that were installed by unqualified professionals, with even fewer security precautions.

    These numbers, and the lack of cybersecurity awareness on the part of many camera owners, are the reasons why CCTV botnets are some of our oldest foes.

    The attack was run of the mill, peaking at 20,000 requests per second (RPS).

    Further investigation of the offending IPs showed that they belonged to CCTV cameras, all accessible via their default login credentials. And that’s not all. Looking through the camera lens we also spotted a familiar sight—a storefront in a mall located not five minutes away from our offices!

    The opportunity for some community service was too good to pass up, so we hopped in our cars and took a trip to the mall.

    As noted, this assault consisted of HTTP GET floods that peaked at around 20,000 RPS, with its traffic originating from roughly 900 CCTV cameras spread around the globe.

    All compromised devices were running embedded Linux with BusyBox

    The malware we found inside them was an ELF binary for ARM named (.btce)

    We hope our story will raise awareness about the importance of basic security practices—as well as the threat posed by unsecured connected devices.

    Whether it is a router, a Wi-Fi access point or a CCTV camera, default factory credentials are there only to be changed upon installation. Please do so—or else you too may get a visit from the Incapsula team.

    Reply
27. October 26, 2015 at 1:32 pm

    Tomi Engdahl says:

    Google Expert on Windows 10 Security: Two Steps Forward, One Step Back
    http://news.softpedia.com/news/google-expert-on-windows-10-security-two-steps-forward-one-step-back-495287.shtml

    Microsoft has made several security improvements in Windows 10, trying to offer users additional protection after upgrading, but while the company has managed to achieve its goal in some cases, it has failed in others.

    As The Reg notes, one of the things that expose Windows 10 to an increased number of attacks is the fact that there are more system services running by default, which obviously makes it possible for hackers to look at new targets as compared to previous versions of Windows.

    For example, Windows 10 has a total of 196 system services and 291 drivers that are enabled by default, Forshaw notes, while Windows 8.1 has only 169 and 253, respectively. Windows 7 was the most secure, with 150 services and 238 drivers.

    “There are more system services and drivers which means more attack surface,” Forshaw has explained during his keynote. “Local system is the god account on Windows and as we go towards (Windows) 10 more services as a percentage of the total are running as the absolute highest account. That’s not great.”

    As far as User Account Control is concerned, this is now a feature that’s easily failing its mission of protecting users. Forshaw explains that UAC has turned from a security tool into “something you just put there to annoy the user,” and at some level, he’s right. UAC displays prompts to let you block or allow the running of applications that require administrator privileges, but right now, it can easily be bypassed by attackers.

    Mostly Harmless: Google Project Zero man’s verdict on Windows 10
    Two steps forward, one step 0-day hack
    http://www.theregister.co.uk/2015/10/26/windows_10_gets_penciled_security_tick_from_top_google_hacker/

    Reply
28. October 27, 2015 at 7:55 am

    Tomi Engdahl says:

    Police Arrest 15-Year-Old on Suspicion of Hacking British Telecoms Firm
    http://time.com/4088229/15-year-old-northern-ireland-talktalk-arrest/

    TalkTalk will likely face tough questioning about its hack-prevention techniques

    A 15-year-old boy in County Antrim, Northern Ireland, was arrested Monday in connection with Wednesday’s hack of British telecoms company TalkTalk, which may have exposed the personal data, including bank details, of over 4 million customers.

    TalkTalk representatives initially said that they were unsure how much customer data was encrypted and therefore protected, and that they’d received a ransom demand from a hacker.

    TalkTalk has hired BAE Systems to continue investigating the hack, according to Reuters.

    The company will likely face tough questioning about its hack-prevention techniques from British lawmakers, according to the Guardian.

    Boy, 15, arrested in Northern Ireland over TalkTalk cyber-attack
    http://www.theguardian.com/business/2015/oct/26/talktalk-cyber-attack-boy-15-arrested-in-northern-ireland

    Metropolitan police say a 15-year-old boy has been arrested in County Antrim over the hacking of the telecoms company TalkTalk

    The teenager was arrested on suspicion of offences under the Computer Misuse Act, police said.

    A statement from TalkTalk said: “We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation.

    “In the meantime, we advise customers to visit http://talktalk.co.uk/secure for updates and information regarding this incident.”

    Shares in the embattled broadband and pay-TV firm fell 12% on Monday as city traders came to terms with the potential fallout of the hacking episode, the third possible data breach in 10 months. It has also emerged that the company could face claims amounting to millions of pounds from fraud victims who lose out as a result of the attack. The company has lost around £360m in value since it revealed details of the attack last Thursday.

    Security experts have been queuing up to claim that the TalkTalk attack was nothing out of the ordinary, and to point out the company’s failings.

    An ICO spokesperson said: “Our investigations into previous incidents are ongoing, and it wouldn’t be appropriate to presume a company had breached the Data Protection Act until our enquiries are complete. But what is clear is that organisations do need to make sure they have the appropriate level of security in place to protect the customer information they hold. If they don’t, we will act.”

    The telecoms regulator Ofcom said on Monday it was “extremely concerned about the data breach and any potential effects” on customers.

    “Until all of the facts have been established it is too early to say whether TalkTalk customers would have the right to terminate their contract,” said a spokeswoman.

    Reply
29. October 27, 2015 at 8:21 am

    Tomi Engdahl says:

    US Military Websites Still Relying On SHA-1
    http://tech.slashdot.org/story/15/10/27/0230228/us-military-websites-still-relying-on-sha-1

    Netcraft confirms many U.S. Department of Defense websites, including a remote access service used by the Missile Defense Agency, are more vulnerable to man-in-the-middle attacks than most consumer websites. The weaker than previously-thought SHA-1 algorithm is the main culprit, with the DoD today being the most prolific user of SHA-1 signed SSL certificates, even though NIST banned new use of this signature algorithm two years ago.

    U.S. military cyber security fails to make the grade
    http://news.netcraft.com/archives/2015/10/26/u-s-military-cyber-security-fails-to-make-the-grade.html

    The SHA-1 algorithm was first published in 1995 and is no longer considered secure. NIST’s decision to disallow SHA-1 signature generation after 2013 was originally due to concerns surrounding the cryptographic strength of the algorithm. Back then, it was thought quite likely that future advancements in computing technology and the discovery of new attacks would allow attackers to find SHA-1 hash collisions, and thus be able to impersonate any secure website with a seemingly valid SSL certificate. This prediction appears to have come true, with the latest research suggesting that the cost of using cloud computing resources to find a SHA-1 hash collision is now in the region of $75k, or perhaps even only a week’s use of the largest botnets.

    The majority of SHA-1 signed SSL certificates issued for use on publicly-accessible websites within the past few months, and that are valid beyond the start of 2017

    The security of some of these sites is further undermined by their use of TLS 1.0 connections, even though most users’ browsers are likely to support later versions. TLS 1.0 is now considered weak and obsolete, with some standards bodies such as the PCI SSC mandating that it should no longer be used in new applications, and that existing applications must migrate to TLS 1.1 or later by June 2016.

    But disabling support for TLS 1.0 is not always feasible, particularly as some older browsers such as Internet Explorer 8 do not support TLS 1.1 and 1.2. If it is essential for a server to retain support for TLS 1.0 (in addition to later versions), then TLS Fallback SCSV must be used to prevent downgrade attacks against clients that support TLS 1.1 or later.

    Reply
30. October 27, 2015 at 8:23 am

    Tomi Engdahl says:

    Europe seeks a few good geeks for hacking cars and homes
    EU body wants to pen test smarter devices
    http://www.theregister.co.uk/2015/10/27/eu_seeks_geeks_for_hacking_cars_and_homes/

    The European Union Agency for Network and Information Security (ENISA) responsible for researching computing threats to the continent has widened its remit to include checking out car and smart building hacking.

    ENISA has decided on its 2016 work schedule and, as well as its continuing job looking for security holes and best practice in mainstream IT, the group has identified smart cars, smart airports, hospitals, health technology, and the security of the Internet of Things as areas for concern.

    “The Management Board adopted a challenging work programme for 2016, given the limited resources of the Agency and the rapidly evolving cyber landscape,” said ENISA’s executive director, Udo Helmbrecht.

    More than a few of the presentations at this year’s DEFCON and Black Hat security conferences focused on car hacking, which is this year’s sexy topic for many. After gaping security holes were found in some Chrysler and General Motors models and the Tesla Model S, regulators have got interested in the possibilities.

    The new ENISA focus means its researchers are going to be looking into the software setup of smarter cars, buildings, and devices. They won’t just be looking for flaws, but also trying to formulate the policies that the EU can standardize around for the future.

    There are some, particularly those in the US, who would see this as unnecessary government intrusion. But, as we’ve seen with cars, computers, and most forms of technology, sometimes an impartial outside view can head problems off at the pass.

    Reply
31. October 27, 2015 at 1:15 pm

    Tomi Engdahl says:

    TalkTalk hack: Police arrest teenager (15) in Northern Ireland
    http://www.belfasttelegraph.co.uk/news/northern-ireland/talktalk-hack-police-arrest-teenager-15-in-northern-ireland-34143245.html

    A 15-year-old teenager has been arrested in Co Antrim in connection with the TalkTalk security breach.

    A TalkTalk spokesperson said: “TalkTalk can confirm that we have been informed by the Metropolitan Police of the arrest of a suspect in connection with the cyberattack on our website on 21stOctober 2015.

    TalkTalk chief executive Dido Harding said earlier she still was unsure how many of its four million UK customers had been affected by the attack, which had affected the telecoms giant’s website rather than its “core systems”.

    North Antrim MP Ian Paisley said: “The type of attack suffered by TalkTalk once again highlights the significant danger that cybercrime poses and the impact that it can have on the community.

    “Virtually every household will have banking or other personal information stored by companies on computer systems and should those systems be compromised it can leave people vulnerable to a range of crimes.

    The latest breach is the third in a spate of cyber attacks affecting TalkTalk in the last eight months, with incidents in August and February resulting in customers’ data being stolen.

    TalkTalk saw more than a 10th of its value wiped off in trading today as shares plummeted more than 12%

    Reply
32. October 27, 2015 at 1:17 pm

    Tomi Engdahl says:

    Danny Yadron / Wall Street Journal:
    Keith Alexander’s IronNet raises $32.5M in a Series A led by Trident Capital Cybersecurity, with KPCB participating

    Ex-NSA Chief’s Cybersecurity Startup Draws Funding
    Infusion of $32.5 million in IronNet highlights ties between Silicon Valley and Washington
    http://www.wsj.com/article_email/ex-nsa-chiefs-cybersecurity-startup-draws-funding-1445819345-lMyQjAxMTE1MzIyNjAyMTY5Wj

    IronNet was founded by Keith Alexander, who was NSA director in 2013 when former agency contractor Edward Snowden revealed that the NSA had snooped with help from technology firms. Since then, government officials and tech executives have clashed over the proper limits of encryption technology.

    IronNet is the latest of several security companies seeking to profile hacker behavior and create computer models to spot it, so they can detect threats more quickly. That could put Mr. Alexander in competition with companies such as FireEye Inc., CrowdStrike Inc. or Palantir Technologies Inc., the data-analytics company that reportedly helped U.S. spies find Osama bin Laden.

    “We don’t want them to know how far we’ve gone,” he said, referring to potential competitors. On its website, IronNet uses a mix of tech and military language, promising “real-time visibility and situational awareness across the information environment.”

    Reply
33. October 27, 2015 at 1:23 pm

    Tomi Engdahl says:

    TalkTalk incident management: A timeline
    Let’s waft away the spin and take a hard look
    http://www.theregister.co.uk/2015/10/27/talktalk_incident_management_review/

    Contradictory statements issued by TalkTalk regarding the third data breach the company has experienced this year have provided inadequate information to the telco’s customers about their data, while effectively insulating the company from questions regarding its security practices with insubstantive, and at times incoherent, PR emissions.

    We first reported on an outage at TalkTalk.co.uk on the afternoon of Wednesday 21 October.

    Reply
34. October 27, 2015 at 1:24 pm

    Tomi Engdahl says:

    TalkTalk attack: UK digi minister recommends security badges for websites
    Foolishly suggests kitemark to, er, reassure customers
    http://www.theregister.co.uk/2015/10/27/ed_vaizey_security_kitemark_after_talktalk_attack/

    The UK’s digital minister Ed Vaizey has floated the idea of adding kitemarks to websites that have strong security measures in place, following the attack on TalkTalk’s business last week.

    Speaking in Parliament on Monday in response to an urgent question on data breaches and consumer protection, following the ransack of TalkTalk’s sensitive customer details, Vaizey said:

    In many cases, businesses set out extremely detailed terms and conditions, but the idea that they are consumer-friendly is wide of the mark.

    If I can take, as it were, the spirit of her question [Labour MP, Gisela Stuart], some kind of kitemark to denote companies that have robust cyber-security procedures in place would be something worth exploring.

    ‘Misinformation’ on government views on encryption? Fancy that!

    During the debate, Vaizey also responded to questions about encryption, after he was asked if companies should use such technical safeguards to help secure customer data.

    “It has to be said that companies should encrypt their information. There has been some misinformation that the government are somehow against encryption,” the minister said, without elaborating further.

    “All organisations must have appropriate security measures in place to prevent the personal data they hold being accidentally or deliberately compromised. Any measures put in place should prevent security breaches or limit the damage if they do occur,” we were told by the data watchdog.

    The ICO added: “As one single product cannot guarantee security, we would advise a combination of different tools and techniques. Encryption is just one way of doing this.”

    Reply
35. October 27, 2015 at 3:09 pm

    Tomi Engdahl says:

    By 2019, vendors will have sucked out your ID along with your cash 5 billion times
    Biometric payments may ‘irretrievably compromise’ online identities
    http://www.theregister.co.uk/2015/10/27/biometric_payment_authentication_to_hit_5_billion_says_juniper/

    Research house Juniper has stared into its crystal ball and discovered that the number of biometrically authenticated payment transactions will reach nearly five billion by 2019, up from a mere 130 million currently.

    Apple Pay and Samsung are the only providers that currently use fingerprint scanners for authentication, with availability currently limited to the US and UK and South Korea. However, Juniper estimates next year will be a turning point for the services.

    According to the report, there will be a greater number of fingerprint scanners in mid-range smartphones, as part of moves to push the “mobile wallet”.

    Uptake is likely to happen alongside the growing take-up of contactless infrastructure Point of Sale, said the research.

    But biometrics for payment is not confined to fingerprints, with Mastercard thought to be trialling a ‘selfie’ facial payment verification app.

    Reply
36. October 27, 2015 at 3:29 pm

    Tomi Engdahl says:

    LAN security for MoCA and powerline
    http://www.edn.com/electronics-blogs/brians-brain/4440220/LAN-security-for-MoCA-and-powerline

    MoCA adapters, as it turns out, ship by default with encryption turned off. Enabling encryption, along with configuring a custom encryption password (since you won’t just go with the factory default … right?) is by no means intuitive (assuming the necessary hardware switch even exists, which isn’t always the case).

    And in the absence of a blocking filter such as the one Amazon recommended to me, if your MoCA adapters have encryption disabled or enabled with the default password, it’s straightforward for neighbors sharing a street-side splitter to snoop your LAN.

    This revelation next got me thinking about powerline networking. Thankfully, all of the powerline adapters I know of come with encryption enabled, albeit with a common factory-default password (56-bit DES “HomePlug” for early-generation HomePlug-standard devices, for example, and 128-bit AES “HomePlugAV” for newer-generation products)

    it’s difficult enough to get powerline-transported packets to jump across the two phases of the 220V source within a home, far from traveling outside the home.

    However, as abundant Internet case studies suggest, LAN data leakage beyond any particular residence is indeed possible, especially in apartment complexes and other close-proximity housing configurations where multiple residences are served by the same street-side transformer.

    And true, wireless networking has the same conceptual security issue … I’m easily able to “see” my next-door neighbors’ SSIDs. But I think that LAN equipment manufacturers have been much more upfront in educating consumers of the need to set unique and secure Wi-Fi encryption passwords than they have been with MoCA and powerline. And that’s too bad.

    Reply
37. October 27, 2015 at 4:48 pm

    Tomi Engdahl says:

    Edward Snowden: CISA is all about surveillance
    No way, Sherlock
    http://www.theinquirer.net/inquirer/news/2431824/pressure-group-takes-action-against-cisa-cyber-security-bill

    WHISTLEBLOWER Edward Snowden has joined in the chorus of disapproval about the CISA legislation, taking part in a Fight for the Future (FFtF) Reddit session and making his feelings felt.

    FFtF is full of feelings for the joining up of Snowden and celebrated his virtual participation in a blog post. It has a lot to celebrate already, as the anti-CISA camp is pretty well stuffed with appalled parties.

    “CISA isn’t a cyber security bill. It’s not going to stop any attacks. It’s not going to make us any safer. It’s a surveillance bill. What it allows is for the companies you interact with every day, visibly like Facebook or invisibly like AT&T, to indiscriminately share private records about your interactions and activities with the government,” said Ed.

    “CISA allows private companies to immediately share a perfect record of your private activities the instant you click a link, log in, make a purchase, and so on. And the government reward them for doing it by granting a special form of legal immunity for their cooperation.”

    “At a time when CISA is being rejected by the public, security experts, and even the tech industry it’s supposed to protect, it was suspicious that Congress is barrelling forward with this bill at breakneck speed,” said FftF co-director Tiffiniy Cheng.

    Reply
38. October 27, 2015 at 4:49 pm

    Tomi Engdahl says:

    US spy agency is concerned about state-sponsored spying
    Also with Edward Snowden
    http://www.theinquirer.net/inquirer/news/2432112/us-spy-agency-is-concerned-about-state-sponsored-spying

    VORACIOUS DATA CONSUMER the US National Security Agency (NSA) is concerned that some national states, but not the United ones, are taking hacking and surveillance too far and are close to crossing a line.

    Ledgett is concerned about state-sponsored shenanigans, which is ironic since the rest of the world is concerned about US-sponsored swoop-and-store-data grabs. Anyway, he reckons that anything that connects to the internet is in the threat sphere.

    “If you are connected to the internet, you are vulnerable to determined nation-state attackers,” he said.

    “We’ve seen in the high hundreds of targets who have said: ‘Hey, we are vulnerable to these sorts of detection techniques and we need to change the way that we do that,’ and a number of them have,” he added, along with a warning that hacking is easy these days.

    “The barrier to entry is going down, and as everybody in the world becomes more connected with computers and information systems the vulnerabilities are going up.”

    Reply
39. October 28, 2015 at 11:02 am

    Tomi Engdahl says:

    Wired:
    Senate passes cybersecurity bill CISA by a vote of 74-21, remaining differences still to be resolved between House and Senate — CISA Security Bill Passes Senate With Privacy Flaws Unfixed — For months, privacy advocates have asked Congress to kill or reform the Cybersecurity Information Sharing Act …

    CISA Security Bill Passes Senate With Privacy Flaws Unfixed
    http://www.wired.com/2015/10/cisa-cybersecurity-information-sharing-act-passes-senate-vote-with-privacy-flaws/

    For months, privacy advocates have asked Congress to kill or reform the Cybersecurity Information Sharing Act, a bill that they say hides new government surveillance mechanisms in the guise of security protections. Now the Senate has shot down a series of attempts to change the legislation’s most controversial measures, and then passed it with those privacy-invasive features fully intact.

    On Tuesday afternoon, the Senate voted 74 to 21 to pass a version of CISA that roughly mirrors legislation passed in the House earlier this year, paving the way for some combined version of the security bill to become law. CISA is designed to stem the rising tide of corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, who could then pass it on to other agencies like the FBI and NSA, who would in theory use it to defend the target company and others facing similar attacks. That landslide vote was no doubt fueled in part by a year of massive hacks that hit targets including the health insurer Anthem, Sony, and the Office of Personal Management.

    ‘You had… much of Silicon Valley against this bill, privacy advocates and civil society groups against this bill. Our biggest takeaway is disappointment.’ Electronic Frontier Foundation Analyst Mark Jaycox

    The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans’ personal information. “Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter,” says Robyn Greene, policy counsel for the Open Technology Institute. “That’s a dangerous road to go down.”

    Reply
40. October 28, 2015 at 11:05 am

    Tomi Engdahl says:

    Electronic Frontier Foundation:
    US regulators grant exemptions to DMCA’s DRM rules for jailbreaking, remixing DVDs and Blu-rays, preserving video games, researching and modifying car software — Victory for Users: Librarian of Congress Renews and Expands Protections for Fair Uses — The new rules for exemptions …

    Victory for Users: Librarian of Congress Renews and Expands Protections for Fair Uses
    https://www.eff.org/deeplinks/2015/10/victory-users-librarian-congress-renews-and-expands-protections-fair-uses

    The new rules for exemptions to copyright’s DRM-circumvention laws were issued today, and the Librarian of Congress has granted much of what EFF asked for over the course of months of extensive briefs and hearings. The exemptions we requested—ripping DVDs and Blurays for making fair use remixes and analysis; preserving video games and running multiplayer servers after publishers have abandoned them; jailbreaking cell phones, tablets, and other portable computing devices to run third party software; and security research and modification and repairs on cars—have each been accepted, subject to some important caveats.

    The exemptions are needed thanks to a fundamentally flawed law that forbids users from breaking DRM, even if the purpose is a clearly lawful fair use. As software has become ubiquitous, so has DRM. Users often have to circumvent that DRM to make full use of their devices, from DVDs to games to smartphones and cars.

    Still, as long as its rulemaking process exists, we’re pleased to have secured the following exemptions.

    Car Security Research, Repair, and Modifications
    Jailbreaking Phones, Tablets, and More
    Archiving and Preserving Video Games
    Remix Videos From DVD and Blu-Ray Sources

    Reply
41. October 28, 2015 at 11:13 am

    Tomi Engdahl says:

    Glyn Moody / Ars Technica UK:
    German data protection authorities to investigate data transfers from EU to US by companies like Facebook and Google

    Germany will investigate legality of post-Safe Harbour EU-US data transfers immediately
    In the wake of landmark CJEU ruling, Facebook & Google likely to be investigated first.
    http://arstechnica.co.uk/tech-policy/2015/10/germany-to-begin-investigating-legality-of-eu-us-data-transfers-immediately/

    German data protection authorities have announced that they will immediately begin investigating data transfers from the EU to the US by companies such as Facebook and Google, and may issue orders for data flows to be halted.

    The recent decision by the Court of Justice of the European Union (CJEU) gave local data protection authorities the power to examine whether data transfers under the Safe Harbour framework breached EU laws. However, it was expected that this would take place only once formal complaints about harm from such transfers had been received from affected members of the public, as in Ireland. Instead, the German data protection authorities have decided to begin investigating on their own initiative, as the German news magazine Der Spiegel reports.

    Reply
42. October 28, 2015 at 11:14 am

    Tomi Engdahl says:

    Lauren Pollock / Wall Street Journal:
    Cisco to Buy Network-Security Firm Lancope for $453 Million

    Cisco to Buy Network-Security Firm Lancope for $453 Million
    Acquisition is the latest move by networking giant to boost its security business
    http://www.wsj.com/article_email/cisco-to-buy-network-security-firm-lancope-for-453-million-1445949390-lMyQjAxMTA1ODI5NzUyNDczWj

    Cisco Systems Inc. agreed to buy Lancope Inc. for about $453 million, the latest in a series of deals by the networking giant to boost its security business.

    Lancope, a closely held company in Alpharetta, Ga., sells software to help detect and respond to security threats on corporate computer networks.

    Lancope’s roughly 300 employees will be folded into the Cisco security unit led by David Goeckeler, which has expanded through several acquisitions.

    Reply
43. October 28, 2015 at 11:15 am

    Tomi Engdahl says:

    Jordan Novet / VentureBeat:
    Developer-focused security startup SourceClear raises $10M
    http://venturebeat.com/2015/10/27/developer-focused-security-startup-sourceclear-raises-10m/

    SourceClear, a startup that provides tools developers can use to find security issues hiding in open-source software that their applications draw on, is announcing a $10 million round of funding today.

    For the time being, SourceClear is focused on improving security for technology companies, and in this business, it’s common for software engineers to draw on existing open-source software — which, in turn, can draw on other open-source software. From time to time, researchers discover vulnerabilities in open-source software, leading companies to scramble to figure out if they’re affected and, if so, to patch their software. (Remember Heartbleed?) SourceClear wants to make sure developers only deploy code that’s secure — and to also minimize the impact when new vulnerabilities emerge.

    “When we see vulnerabilities get published, we go and see which other libraries may have the same problem,” founder and chief executive Mark Curphey told VentureBeat in an interview. “It turns out that lots of other libraries have exactly the same issues but have not been reported.”

    SourceClear currently supports Java, Ruby on Rails, and Node.js. The new money will help the startup add support for Python and Scala. C and C++ support is coming, too

    Reply
44. October 28, 2015 at 11:18 am

    Tomi Engdahl says:

    FBI gives shocking advice to ransomware victims
    http://www.neowin.net/news/fbi-gives-shocking-advice-to-ransomware-victims

    Over the last few years ransomware has become a prominent way for hackers to extort money from victims. Ransomware such as Cryptolocker encrypts a victims computer and demands a payment to decrypt the files. What’s surprising is how the FBI deals with victims of ransomware attacks. Last week at the Cyber Security Summit 2015 event, Joseph Bonavolonta, the Assistant Special Agent in charge of the FBI’s CYBER and Counterintelligence Program at the FBI’s Boston office revealed that the FBI can’t really do a lot about the problem.

    Ransomware programs such as Cryptolocker and Cryptowall appear to have gotten the better of the FBI, “To be honest, we often advise people just to pay the ransom.” revealed Bonavolonta “The ransomware is that good”.

    The announcement by the FBI also stated that 992 CryptoWall-related complaints were received between April 2014 and June 2015 with losses to victims totaling $18,000,000. Aside from suggesting the usual tips of using anti-virus software, enabling popup blockers and backing up data the only other help the FBI could give was to contact your local FBI field office, turns out now that they can’t do much either.

    Reply
45. October 28, 2015 at 12:32 pm

    Tomi Engdahl says:

    The study warns, mobile phone networks are leaking

    Finnish Communications Regulatory Authority warned as early as last spring, the security problems associated with the SS7 protocol. Now Adaptive Mobile is the seminar demonstrated that the threats are real.

    SS7 is an old signaling protocol, which is used to form the voice, SMS and data connections operators’ networks. Generally, operators do not protect the SS7 network, which gives hackers basically carte blanche to users of location and tracking billing information, and in the worst cases, voice and data traffic monitoring.

    SS7 networks are abused by cyber criminals and state organizations.
    These connections and services is already increasing its own gray market.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3506:tutkimus-varoittaa-kannykkaverkot-vuotavat&catid=13&Itemid=101

    Real World SS7 Attacks
    Evidence, Analysis and Prevention
    http://www.adaptivemobile.com/webinars/ss7

    Reply
46. October 28, 2015 at 1:47 pm

    Tomi Engdahl says:

    85% of Android devices are exposed to at least one vulnerability
    Is your device secure?
    http://www.electronicproducts.com/Programming/OS/85_of_Android_devices_are_exposed_to_at_least_one_vulnerability.aspx

    Approximately 85 percent of Android devices have been exposed to at least one of 13 critical vulnerabilities the OS has become inflicted with, a new study conducted by Cambridge University and funded by Google, found.

    While the Stagefright vulnerability put Android devices front and center as being insecure, it appears that the OS’ issues lie in more than just one security hole. How protected a device is depends on the number of updates released by the manufacturer as well as how regularly customers update their phones; Android only receives 1.26 updates every year.

    On average, 85 percent of the devices they surveyed were found with at least one critical vulnerability.

    “The security of Android depends on the timely delivery of updates to fix critical vulnerabilities,” the Cambridge University team said. “Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices unpatched for long periods.”

    Reply
47. October 28, 2015 at 5:42 pm

    Tomi Engdahl says:

    4g phone user can easily traced

    Aalto University researchers showed that most phones can be localized using a fake base station and the level of service may degraded with it. Professor N. Asoka and his team built a laboratory environment with such 4g fake base station. The mobile device can be forced to reveal the location, allowing the user to locate in an urban environment of two square kilometers in area. Anyone can acquire the necessary equipment – they cost slightly more than one thousand euros.

    When the mobile device connects to the network, it receives a temporary identifier. It is random and is updated at regular intervals. The temporary identifier can be valid for up to three days. Therefore, it cna be used to follow smart phone for about three days.

    Spy can locate a person even further by defining distance from three known points. Phishing target may also be forced to use 2G or 3G network, or he may be prevented from entering into any network.

    Source: http://www.tivi.fi/rss/4g-puhelimen-kayttajan-voi-jaljittaa-helposti-6061266

    Reply
48. October 28, 2015 at 5:45 pm

    Tomi Engdahl says:

    A total of about 600 000 British consumer users and personal data are currently being marketed in the dark online, tells the Financial Times.

    Tens of thousands of data has been successfully hack corporate and government databases during 2014. Hacked information includes, inter alia, bank accounts, and they make it possible to steal your money and the digital identities of individuals.

    Business information stolen from databases are sold an average of 19.60 pounds, ie approximately EUR 27 per record.

    Source: http://www.tivi.fi/Kaikki_uutiset/600-000-tietomurron-uhrin-tiedot-myynnissa-pilkkahintaan-6061243

    TalkTalk hack: Personal data of ‘tens of thousands’ of Britons available online for £19
    http://www.independent.co.uk/news/uk/crime/personal-data-of-tens-of-thousands-of-britons-available-online-for-19-a6711451.html

    Approximately 600,000 Britons had their personal details stolen from company databases, as well as government databases, last year.

    While the average cost of personal information online is roughly £19.60 ($30), personal information from governmental databases is referred to as the “crown jewels” on the Dark Web – and trades hands for around $75.

    A government spokesperson, in a statement to the newspaper, claimed there were a number of “very effective” schemes in place as part of a £860million investment in cyber security.

    “Every company board should be fully aware of the risk from cyber-attack, and be confident that the company has proper security in place.”

    Reply
49. October 28, 2015 at 5:54 pm

    Tomi Engdahl says:

    Carriers Selling Your Data: a $24 Billion Business
    http://yro.slashdot.org/story/15/10/28/0131232/carriers-selling-your-data-a-24-billion-business

    It goes without saying that cellphone carriers have access to tons of data about their subscribers. They have data about who you call, what sites you visit, and even where you’re located. Now: “Under the radar, Verizon, Sprint, and other carriers have partnered with firms including SAP to manage and sell data.

    The $24 Billion Data Business That Telcos Don’t Want to Talk About
    Mobile Carriers Are Working With Partners to Manage, Package and Sell Data
    http://adage.com/article/datadriven-marketing/24-billion-data-business-telcos-discuss/301058/

    U.K. grocer Morrisons, ad-buying behemoth GroupM and other marketers and agencies are testing never-before-available data from cellphone carriers that connects device location and other information with telcos’ real-world files on subscribers. Some services offer real-time heat maps showing the neighborhoods where store visitors go home at night, lists the sites they visited on mobile browsers recently and more.

    Under the radar, Verizon, Sprint, Telefonica and other carriers have partnered with firms including SAP, IBM, HP and AirSage to manage, package and sell various levels of data to marketers and other clients. It’s all part of a push by the world’s largest phone operators to counteract diminishing subscriber growth through new business ventures that tap into the data that showers from consumers’ mobile web surfing, text messaging and phone calls.

    There is a lot of marketer interest in that information because it is tied to actual individuals. For the same reason, however, there is potential for resistance from privacy advocates.

    Too risky for the E.U.?
    To protect privacy, SAP receives non-personally-identifiable, anonymized information from telcos, and only provides aggregated information to its clients to prevent reidentification of individuals. Still, sharing and using data this way is controversial. Nearly all the players exploring the burgeoning Telecom Data as a Service field, or TDaaS for short, are reluctant to provide the details of their operations, much less freely name their clients.

    The global market for telco data as a service is potentially worth $24.1 billion this year, on its way to $79 billion in 2020

    Perhaps the most prominent recent moves in the burgeoning TDaaS realm are Verizon’s $4.4 billion acquisition of AOL in May, followed by its purchase of mobile ad network Millennial Media for $238 million in September. Many saw the AOL buy as a means for Verizon to turn its data into a viable business, in part because AOL provides ad-tech infrastructure and marketer relationships that Verizon lacks.

    Reply
50. October 29, 2015 at 8:05 am

    Tomi Engdahl says:

    Burned: British Gas customer info hits Pastebiin
    Insecurity, it’s a gas-gas-gas
    http://www.theregister.co.uk/2015/10/29/burned_british_gas_customer_info_hits_pastebiin/

    British Gas has ‘fessed up that customer data posted to Pastebin was genuine, but believes payment details were not exposed.

    The BBC says it’s seen an e-mail sent to customers about the privacy breach, which the energy company says was not due to a breach of its own systems.

    “I can assure you there has been no breach of our secure data storage systems, so none of your payment data, such as bank account or credit card details, have been at risk,” the e-mail says.

    The BBC speculates that the customer data may have come from a phishing campaign, or by attackers testing whether people whose data had been exposed in other breaches had re-used their passwords.

    Since four million accounts were compromised in the Talk Talk attack, that’s not too far-fetched.

    Reply