Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity news following the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect further details from the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be more and more talked about. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT-related data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why is cyber warfare becoming more and more attractive to small nations and terrorist groups? Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught, and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the very details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. A cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, it is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc.). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.
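As an added example (not code from the original post), here is what automating a control with shared indicators can look like: a feed is parsed into matchers and run over local log lines, so a new indicator becomes a detection without anyone hand-writing a rule. The feed layout is a constructed, simplified JSON list loosely modelled on indicator sharing; it is not the STIX or TAXII schema. The indicator values, hostnames and log lines are placeholders made up for this example, not real indicators of compromise.

```python
"""Match a shared threat-indicator feed against local log lines.

Added example, not code from the original post. The feed is a constructed,
simplified JSON list (NOT the STIX/TAXII schema); the indicator values,
hosts and log lines are placeholders, not real indicators of compromise.
"""
import ipaddress
import json
import re

# Constructed sample feed: one entry per indicator, typed so that it can be
# compiled into a matcher automatically instead of being read by a human.
FEED_JSON = """
[
  {"id": "ind-1", "type": "ipv4-net", "value": "198.51.100.0/24", "label": "C2 range"},
  {"id": "ind-2", "type": "domain",   "value": "bad.example",     "label": "phishing domain"},
  {"id": "ind-3", "type": "sha256",
   "value": "00000000000000000000000000000000deadbeefdeadbeefdeadbeefdeadbeef",
   "label": "dropper hash"}
]
"""

# Constructed key=value log lines in a syslog-like layout (not real traffic).
SAMPLE_LOGS = [
    "2015-01-05T10:00:00Z proxy src=10.0.0.5 dst=198.51.100.7 host=cdn.example",
    "2015-01-05T10:00:01Z dns src=10.0.0.9 query=mail.bad.example.",
    "2015-01-05T10:00:02Z av src=10.0.0.9 sha256=00000000000000000000000000000000DEADBEEFDEADBEEFDEADBEEFDEADBEEF",
    "2015-01-05T10:00:03Z proxy src=10.0.0.5 dst=203.0.113.4 host=ok.example",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract key=value fields from one log line into a dict."""
    return dict(KV_RE.findall(line))


def compile_feed(feed_json):
    """Turn each indicator into (indicator, matcher), where matcher(fields) -> bool."""
    matchers = []
    for ind in json.loads(feed_json):
        kind, value = ind["type"], ind["value"].lower()
        if kind == "ipv4-net":
            net = ipaddress.ip_network(value)

            def match(fields, net=net):
                for key in ("src", "dst"):
                    try:
                        if key in fields and ipaddress.ip_address(fields[key]) in net:
                            return True
                    except ValueError:  # field was not an IP address
                        pass
                return False
        elif kind == "domain":

            def match(fields, domain=value):
                # Exact match or any subdomain; trailing dot from DNS logs is ignored.
                for key in ("host", "query"):
                    name = fields.get(key, "").lower().rstrip(".")
                    if name == domain or name.endswith("." + domain):
                        return True
                return False
        elif kind == "sha256":

            def match(fields, digest=value):
                return fields.get("sha256", "").lower() == digest
        else:
            continue  # unknown indicator type: skip rather than guess
        matchers.append((ind, match))
    return matchers


def scan_logs(lines, matchers):
    """Return (indicator id, label, line) for every line that matches an indicator."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        for ind, match in matchers:
            if match(fields):
                hits.append((ind["id"], ind["label"], line))
    return hits


if __name__ == "__main__":
    for ind_id, label, line in scan_logs(SAMPLE_LOGS, compile_feed(FEED_JSON)):
        print("%s (%s): %s" % (ind_id, label, line))
```

The point of typing each indicator (network, domain, hash) is that the matcher is derived from the type, so a feed in a shared format can be consumed by code rather than by an analyst; a real deployment would replace the constructed feed and log list with a TAXII poll and a log tail.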

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority backed by big names on the internet, including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
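For a website operator doing that migration, the two things to verify are that the plain-HTTP side only redirects to HTTPS and that the HTTPS side sends a Strict-Transport-Security header strong enough to keep browsers from going back. The following Python checker is an added example, not code from the original post; the response pairs are constructed so it runs offline, and the six-month minimum HSTS age is an assumed policy threshold, not a value from the post.

```python
"""Audit an HTTP/HTTPS response pair for a completed HTTPS migration.

Added example, not from the original post. Responses are constructed as
(status_code, headers) tuples so the checks run offline; the same checks
apply to responses fetched with http.client.
"""
import re

# Assumed policy threshold (not from the post): HSTS max-age of at least six months.
MIN_HSTS_AGE = 180 * 24 * 3600

# Constructed sample responses for the plain-HTTP and the HTTPS endpoint.
HTTP_RESPONSE_GOOD = (301, {"Location": "https://www.example/", "Content-Length": "0"})
HTTP_RESPONSE_BAD = (200, {"Content-Type": "text/html"})  # still serves content in the clear
HTTPS_RESPONSE_GOOD = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
HTTPS_RESPONSE_WEAK = (200, {"Strict-Transport-Security": "max-age=60"})


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        d = directive.strip()
        m = re.match(r'max-age\s*=\s*"?(\d+)"?$', d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def audit(http_resp, https_resp):
    """Return a list of findings; an empty list means the migration looks complete."""
    findings = []

    status, headers = http_resp
    hdr = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):
        if not hdr.get("location", "").lower().startswith("https://"):
            findings.append("http: redirects, but not to an https:// URL")
    else:
        findings.append("http: serves content in the clear instead of redirecting")

    status, headers = https_resp
    hdr = {k.lower(): v for k, v in headers.items()}
    hsts = hdr.get("strict-transport-security")
    if hsts is None:
        findings.append("https: no Strict-Transport-Security header")
    else:
        max_age, include_subdomains = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_AGE:
            findings.append("https: HSTS max-age below %d seconds" % MIN_HSTS_AGE)
        if not include_subdomains:
            findings.append("https: HSTS lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    print("good site:", audit(HTTP_RESPONSE_GOOD, HTTPS_RESPONSE_GOOD) or "no findings")
    print("weak site:", audit(HTTP_RESPONSE_BAD, HTTPS_RESPONSE_WEAK))
```

A short max-age is the common mistake: it is set low during testing so a broken certificate does not lock users out, and then never raised, which leaves every first visit after expiry open to a downgrade.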

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
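Because an intercepting proxy works by substituting its own certificate (signed by a CA the corporate machine has been told to trust), the browser’s normal trust-store check passes and the user sees a padlock. Pinning is the way to notice it: compare the certificate actually presented with the one you expect, independent of the trust store. The Python below is an added example, not from the original post, using only the standard library; the DER byte strings are constructed placeholders, not real certificates, and the pin comparison here is over the whole leaf certificate rather than the public key.

```python
"""Detect HTTPS interception by pinning the expected leaf certificate.

Added example, not from the original post. pin_from_der() and check_pin()
run offline on constructed bytes; fetch_leaf_der() needs a network and is
what you would run against a real host to see which certificate is really
being presented on your network path.
"""
import base64
import hashlib
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
FAKE_LEAF_DER = b"constructed-der-bytes: the site's genuine certificate"
FAKE_PROXY_DER = b"constructed-der-bytes: certificate minted by an intercepting proxy"


def pin_from_der(der_bytes):
    """Base64 of the SHA-256 digest of a DER certificate: the pin format."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


def check_pin(presented_pin, expected_pins):
    """True when the presented certificate matches one of the pins you hold.

    A mismatch for a host whose certificate you control means something on the
    path (an intercepting proxy, or a misissued certificate) replaced it.
    """
    return presented_pin in set(expected_pins)


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate the peer actually presents (network required).

    Chain verification is turned off on purpose: the whole point is to see the
    certificate regardless of whether the local trust store (which an
    interception CA may have been added to) would accept it. The pin
    comparison in check_pin() is the trust decision here, not the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def interception_suspected(host, expected_pins):
    """Connect to host and report whether the presented certificate is off-pin."""
    return not check_pin(pin_from_der(fetch_leaf_der(host)), expected_pins)


if __name__ == "__main__":
    pins = {pin_from_der(FAKE_LEAF_DER)}
    print("genuine cert on pin:", check_pin(pin_from_der(FAKE_LEAF_DER), pins))
    print("proxy cert on pin:  ", check_pin(pin_from_der(FAKE_PROXY_DER), pins))
```

The expected pins must come from somewhere the proxy cannot rewrite (a value shipped with the client or recorded out of band), and a site that rotates certificates needs its next pin included ahead of time, or the check will start flagging a legitimate renewal as interception.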

 

3,110 Comments

  1. Tomi Engdahl says:

    Iranian VXers unleash RATs to bite popular Android devices
    AndroRAT, DroidJack top pwning preferences.
    http://www.theregister.co.uk/2015/10/29/iranian_hackers_android/

    Future threat researcher Rodrigo Bijou says Iranian hackers have made Android a priority for attacks with remote access trojans.

    The San Francisco consultant says attackers are preferring AndroRAT and DroidJack over common trojans like njRAT and DarkComet.

    Android is the most popular mobile OS in the Middle East and Africa, where it runs on more than 80 percent of devices according to number crunchers at IDC.

    Bijou (@rodrigobijou) says he learned of the attack trend after assessing six months’ worth of chatter on underground crime forums.

    “Looking at the last six months of activity on prominent Iranian hacking forums, discussions are dominated by interest in RATs that target Android devices,” Bijou says.

    Reply
  2. Tomi Engdahl says:

    Australia on the very brink of cyber-geddon, says ex-spook
    Not really, says the document he was launching
    http://www.theregister.co.uk/2015/10/27/australia_on_the_very_brink_of_cybergeddon_says_exspook/

    Blood will flow in the streets, human entrails will adorn our flagpoles, and zombies are on the way to eat our brains, according to one of the architects of fortress Australia.

    As well as promising cyber jihadist attacks, former Australian Security and Intelligence Organisation (ASIO) boss David Irvine, whose credits include long advocacy for the data retention regime that was enacted by the government this year, also told the country our “cyber maturity” has slipped.

    Actually, it hasn’t, in spite of the hyperventilation that a superannuated spook should warn us about “terrorists” developing “destructive attack capabilities in the near term”.

    Irvine was launching this document by the Australian Strategic Policy Institute, which has been widely – and wildly inaccurately – cited as saying that Australia’s cyber security is slipping.

    The change in Australia’s readiness, a score improvement of 4.1, was pretty close to the average for all the nations that are present in both the 2014 and 2015 assessments (score change of 3.9), and similar to Indonesia, India, and the United States.

    Here, however, is the stinger: in spite of Irvine’s apocalyptic vision (which The Register has heard from natsec types ever since Richard Clarke told the world planes were about to drop out of the sky … in 2001) doesn’t speak to the actual content of the ASPI report.

    The report is an assessment of policy, administrative, and to a degree, enforcement arrangements. To quote from the report:

    “‘Maturity’ in this context is demonstrated by the presence, effective implementation and operation of cyber-related structures, policies, legislation and organisations. These cyber indicators cover whole-of-government policy and legislative structures, responses to financial crime, military organisation, business and digital economic strength, and levels of cyber social awareness.”

    Jihadists could launch major cyber attacks, says former ASIO boss David Irvine

    Read more: http://www.smh.com.au/federal-politics/political-news/jihadists-could-launch-major-cyber-attacks-says-former-asio-boss-david-irvine-20151026-gkisup.html#ixzz3pwUISV00

    Reply
  3. Tomi Engdahl says:

    Cyber maturity in the Asia-Pacific Region 2015
    https://aspi.org.au/publications/cyber-maturity-in-the-asia-pacific-region-2015

    The second edition of the International Cyber Policy Centre’s annual Cyber Maturity in the Asia Pacific is the culmination of 12 months research and analysis delving into the cyber maturity of 20 countries

    https://aspi.org.au/publications/cyber-maturity-in-the-asia-pacific-region-2015/Cyber-Maturity-2015.pdf

    Reply
  4. Tomi Engdahl says:

    Privacy campaigners slam passing of controversial CISA legislation
    So-called ‘cyber security’ bill passes by 74 votes to 21
    http://www.theinquirer.net/inquirer/news/2431824/pressure-group-takes-action-against-cisa-cyber-security-bill

    THE US SENATE has passed the controversial Cybersecurity Intelligence Sharing Act (CISA), despite widespread opposition to the bill given its shady privacy implications.

    The Senate passed the bill, which encourages companies to share “cyber threat” data with the federal government in real time.

    Several amendments to the bill that would have required companies to implement strong consumer privacy protections were narrowly voted down.

    This means that the bill is the same one that has faced strong opposition from big-name technology firms, including Apple and Twitter, which have argued that it will give the government invasive spying powers.

    Pro-privacy campaigners have been quick to speak out about the vote, including NSA whistleblower Edward Snowden, who slammed CISA earlier this week as a “surveillance bill”.

    The Electronic Frontier Foundation (EFF) has also spoken up, saying that CISA will do nothing to prevent future security breaches.

    “With security breaches like T-Mobile, Target and OPM becoming the norm, Congress knows it needs to do something about cyber security. It chose to do the wrong thing. The EFF will continue to fight against the bill by urging the conference committee to incorporate pro-privacy language.”

    Reply
  5. Tomi Engdahl says:

    UK Government Says App Developers Won’t Be Forced To Implement Backdoors
    http://news.slashdot.org/story/15/10/29/0132246/uk-government-says-app-developers-wont-be-forced-to-implement-backdoors

    The UK government is sending mixed messages about how it views privacy and security. Fears have been mounting since Prime Minister David Cameron wondered aloud ‘in our country, do we want to allow a means of communication between people which we cannot read?’ — his view obviously being that, no, we don’t want to allow such a thing

    UK government says app developers won’t be forced to implement backdoors
    http://betanews.com/2015/10/28/uk-government-says-app-developers-wont-be-forced-to-implement-backdoors/

    The UK government is sending mixed messages about how it views privacy and security. Fears have been mounting since Prime Minister David Cameron wondered aloud “in our country, do we want to allow a means of communication between people which we cannot read?” — his view obviously being that, no, we don’t want to allow such a thing.

    Following the revelations about the spying activities of the NSA and GCHQ, public attention has been focused more than ever on privacy and encryption, Cameron having also suggested a desire to ban encryption. Today, some fears were allayed when it was announced that the government was not seeking to require software developers to build backdoors into their products. That said, the government said that companies should be able to decrypt ‘targeted’ data when required, and provide access to it.

    Apple is just one of the companies to have said recently that it was technically incapable of decrypting encrypted messages sent between individuals. The minister for internet safety and security, Baroness Shields, expressed concern about the “alarming movement towards end-to-end encrypted applications”.

    Making reference to ISIS, politicians pointed out that WhatsApp had been used to coordinate terrorist attacks, citing this as an example of why access to encrypted data was required.

    Reply
  6. Tomi Engdahl says:

    You could say security and hackers are worrisome for CIOs, but again, I don’t think it’s keeping them up at night. They understand that they’re probably being hacked. And if they haven’t been yet, they’re going to be. More worrisome is how to find enough time in the day to get out in front of the issue and manage their overall risk profile so that when security issues do arise, they are fully prepared. But getting through the massive to-do list on any CIO’s desk in a given day is a problem that isn’t going to go away any time soon.

    Source: https://enterprisersproject.com/article/2015/10/talent-not-shadow-it-or-hackers-what-keeps-cios-night

    Reply
  7. Tomi Engdahl says:

    MySQL Servers Hijacked With Malware To Perform DDoS Attacks
    http://it.slashdot.org/story/15/10/28/1658223/mysql-servers-hijacked-with-malware-to-perform-ddos-attacks

    An anonymous reader writes with news of a malware campaign using hijacked MySQL servers to launch DDoS attacks. Symantec reports: “Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets

    MySQL servers hijacked with malware to perform DDoS attacks
    http://www.symantec.com/connect/blogs/mysql-servers-hijacked-malware-perform-ddos-attacks

    Attackers are compromising MySQL servers with the Chikdos malware to force them to conduct DDoS attacks against other targets.

    We’ve discovered malware that targeted MySQL servers to make them conduct distributed denial-of-service (DDoS) attacks against other websites. The attackers initially injected a malicious user-defined function (Downloader.Chikdos) into servers in order to compromise them with the Trojan.Chikdos.A DDoS malware.

    According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands.

    Using a malicious user-defined function
    A user-defined function (UDF) is compiled code that can be called from within MySQL to accomplish some function beyond what the database management system can offer. The UDF lives as a file on the server’s file system.

    Using malicious UDFs to gain access to MySQL servers is not a new activity. Matthew Zimmerman comprehensively documented the approach in this report. In this technique, an attacker creates a UDF which implements some malicious activity, such as downloading malware or creating a remote shell. The attacker then installs the UDF onto the targeted MySQL server through an SQL injection attack.

    If the attacker is able to execute SQL commands, then they can use the DUMP parameter to effectively upload the UDF file on the system, which they then subsequently load into MySQL. The UDF is then executed and whatever malicious code that the attacker created is run.

    Why SQL servers?
    Given that Trojan.Chikdos.A is used to perform DDoS attacks from the infected system, we believe that the attackers compromised MySQL servers to take advantage of their large bandwidth. With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets.

    MySQL is also the second most popular database management system in the world, giving the attackers a wide range of potential targets.

    Mitigation
    To protect against these types of attacks, SQL servers should not be run with administrator privileges where possible. Applications that use the SQL server should be patched regularly and follow good programming practices to mitigate SQL injection vulnerabilities. Check for the presence of new user accounts and ensure that remote access services are configured securely.

    Reply
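The mitigation section above boils down to checks an administrator can run: which user-defined functions are registered, where their libraries load from, and which accounts exist. The Python below is an added example of such an audit, not Symantec’s or the post’s code. The SQL strings are standard MySQL system-table queries; the result rows and the “known-good” baselines are constructed for this example, so it runs offline, and in a real audit the baseline would come from your own server’s documented state.

```python
"""Audit a MySQL server for unexpected user-defined functions and accounts.

Added example, not code from the post or from Symantec. The queries target
real MySQL system tables; the rows and baselines below are constructed so the
logic can run offline. In practice the rows come from cursor.fetchall().
"""

# Queries a live audit would run (for example through a DB-API cursor).
UDF_QUERY = "SELECT name, dl FROM mysql.func"
ACCOUNT_QUERY = "SELECT user, host FROM mysql.user"
PLUGIN_DIR_QUERY = "SHOW VARIABLES LIKE 'plugin_dir'"

# Assumed baselines (constructed): what this particular server is supposed to have.
KNOWN_UDFS = set()  # most servers need no UDFs at all, so any entry deserves a look
KNOWN_ACCOUNTS = {("root", "localhost"), ("app", "10.0.0.%")}

# Constructed rows in the shape fetchall() returns for the queries above.
SAMPLE_UDF_ROWS = [("sys_exec", "udf.so"), ("sys_eval", "/tmp/x.so")]
SAMPLE_ACCOUNT_ROWS = [("root", "localhost"), ("app", "10.0.0.%"), ("backup", "%")]
SAMPLE_PLUGIN_DIR = "/usr/lib/mysql/plugin/"


def audit_udfs(rows, known_udfs, plugin_dir):
    """Flag UDFs not in the baseline and libraries loaded from outside plugin_dir."""
    findings = []
    for name, dl in rows:
        if name not in known_udfs:
            findings.append("unknown UDF %s registered with library %s" % (name, dl))
        # Modern MySQL only loads UDF libraries from plugin_dir; an absolute path
        # elsewhere (e.g. a world-writable directory) is a strong warning sign.
        if dl.startswith("/") and not dl.startswith(plugin_dir):
            findings.append("UDF %s library outside plugin_dir: %s" % (name, dl))
    return findings


def audit_accounts(rows, known_accounts):
    """Flag accounts missing from the baseline and accounts reachable from any host."""
    findings = []
    for user, host in rows:
        if (user, host) not in known_accounts:
            findings.append("unexpected account %s@%s" % (user, host))
        if host == "%":
            findings.append("account %s@%s accepts connections from any host" % (user, host))
    return findings


def run_audit(udf_rows, account_rows, plugin_dir, known_udfs=KNOWN_UDFS, known_accounts=KNOWN_ACCOUNTS):
    """Combine both checks; an empty list means the server matches its baseline."""
    return audit_udfs(udf_rows, known_udfs, plugin_dir) + audit_accounts(account_rows, known_accounts)


if __name__ == "__main__":
    for finding in run_audit(SAMPLE_UDF_ROWS, SAMPLE_ACCOUNT_ROWS, SAMPLE_PLUGIN_DIR):
        print("FINDING:", finding)
```

Running this on a schedule and diffing against the previous run turns the “check for new user accounts” advice into something that pages someone, and it catches the UDF step of the campaign described above before the downloaded payload ever matters.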
  8. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Google to Symantec: account fully for misissued google.com certificates or else Chrome will flag your TLS certificates as unsafe

    Still fuming over HTTPS mishap, Google makes Symantec an offer it can’t refuse
    Google: Fix ailing certificate business or risk having Chrome flag your credentials.
    http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse/

    Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials.

    The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized transport layer security certificates. The misissued certificates made it possible for the holders to impersonate HTTPS-protected Google webpages.

    Symantec first said it improperly issued 23 test certificates for domains owned by Google, browser maker Opera, and three other unidentified organizations without the domain owners’ knowledge. A few weeks later, after Google disputed the low number, Symantec revised that figure upward, saying it found an additional 164 certificates for 76 domains and 2,458 certificates for domains that had never been registered. The misissued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.

    “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit,” Ryan Sleevi, a software engineer on the Google Chrome team, wrote in the blog post.

    Reply
  9. Tomi Engdahl says:

    Apple Usurps Oracle As the Biggest Threat To PC Security
    http://apple.slashdot.org/story/15/10/30/0028210/apple-usurps-oracle-as-the-biggest-threat-to-pc-security

    According to data from Secunia, Apple’s software for Windows is now the biggest threat to PC security, surpassing previous long term champion Java.

    Oracle has now fallen/risen to 2nd place, followed by Adobe.

    Windows users often forget about patching their Apple programs
    http://www.computerworld.com/article/2998398/security/windows-users-often-forget-about-patching-their-apple-programs.html

    QuickTime and iTunes are two of the most exposed programs, according to Flexera

    A survey of applications installed on Windows computers found that a lot of users don’t run up-to-date versions of Apple programs.

    Apple’s multimedia program, QuickTime, and its iTunes software were ranked as some of the most “exposed” programs based on risk by Secunia Research, which is now part of Flexera Software.

    Among U.S. users, some 61 percent of computers detected running QuickTime did not have the latest version. With iTunes, 47 percent of the installations were outdated versions.

    It’s not Apple’s fault. Although many software companies alert users to new versions of applications, it’s largely up to users to install them.

    Other applications that ranked in the top five most exposed programs included Adobe Reader X 10.x, Oracle Java JRE 1.8.x/8.x and Adobe Reader XI 11.x.

    Reply
  10. Tomi Engdahl says:

    European Parliament Urges Protection for Edward Snowden
    http://www.nytimes.com/2015/10/30/world/europe/edward-snowden-nsa-whistleblower.html?_r=1

    BRUSSELS — The European Parliament narrowly adopted a nonbinding but nonetheless forceful resolution on Thursday urging the 28 nations of the European Union to recognize Edward J. Snowden as a “whistle-blower and international human rights defender” and shield him from prosecution.

    On Twitter, Mr. Snowden, the former National Security Agency contractor who leaked millions of documents about electronic surveillance by the United States government, called the vote a “game-changer.” But the resolution has no legal force and limited practical effect for Mr. Snowden, who is living in Russia on a three-year residency permit.

    Whether to grant Mr. Snowden asylum remains a decision for the individual European governments, and none have done so thus far.

    The White House, which has used diplomatic efforts to discourage even symbolic resolutions of support for Mr. Snowden, immediately criticized the resolution.

    “Our position has not changed,” said Ned Price, a spokesman for the National Security Council in Washington.

    “Mr. Snowden is accused of leaking classified information and faces felony charges here in the United States. As such, he should be returned to the U.S. as soon as possible, where he will be accorded full due process.”

    Reply
  11. Tomi Engdahl says:

    Fewer IPsec Connections At Risk From Weak Diffie-Hellman
    http://it.slashdot.org/story/15/10/29/2230233/fewer-ipsec-connections-at-risk-from-weak-diffie-hellman

    A challenge has been made against one of the conclusions in an academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections. The paper, ‘Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,’ claims that a massively resourced agency such as the NSA could build enough custom hardware that would crack the prime number used to derive an encryption key.

    In the paper, the team of 14 cryptographers and academics who wrote it claim that upwards of 66 percent of IPsec VPN connections can be passively decrypted in this manner. Paul Wouters, a founding member and core developer of the Libreswan Project, as well as a Red Hat associate, said that researchers are jumping to a conclusion because of the way they scanned and tested VPN servers, and that the number is likely too high.

    Fewer IPsec VPN Connections at Risk from Weak Diffie-Hellman
    https://threatpost.com/fewer-ipsec-vpn-connections-at-risk-from-weak-diffie-hellman/115189/

    A challenge has been made against one of the conclusions in a potentially blockbuster academic paper on cryptographic weaknesses that may be the open door through which intelligence agencies are breaking encrypted connections.

    The paper, “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” claims that a massively resourced agency such as the NSA could build enough custom hardware that would crack the prime number used to derive an encryption key. Once enough information is known about the prime, breaking Diffie-Hellman connections that use that same prime is relatively trivial.

    In the paper, the team of 14 cryptographers and academics who wrote it claim that upwards of 66 percent of IPsec VPN connections can be passively decrypted in this manner.

    Paul Wouters, a founding member and core developer of the Libreswan Project, as well as a Red Hat associate, said that researchers are jumping to a conclusion because of the way they scanned and tested VPN servers, and that the number is likely too high.

    The researchers said in their paper that in May they scanned a 1 percent random sample of public IPv4 addresses for IKEv1 and IKEv2 (Internet Key Exchange), the protocols used to initiate IPsec VPN connections. More than 80,000 hosts responded with valid IKE packets, and 44 percent of those were accepting proposals to initiate connections, the paper said. Most of the remaining servers responded with no_proposal_chosen regardless of the proposal sent, and those were omitted in the results published in the paper. No_proposal_chosen indicates there is a mismatch of proposals happening during session negotiations.

    “The real problem is, you just cannot know the real configuration of an IPsec server without having credentials. So scanning the Internet for weak IPsec servers is always going to give really bad results.”

    Wouters, using his time as a Freeswan/Libreswan/Openswan developer for context, said it’s nearly impossible to know whether it is indeed a large number of VPNs, or for that matter, how many people are running Freeswan et al.

    “That’s the beauty of open source software. We know it must be in the millions. But even the oldest freeswan did not support DH 768 and supported both DH 1024 and DH 1536 with a preference for the latter,” Wouters said. “So unless the administrator explicitly configured it weaker, we will be using at least 1536. So I would say it’s hopefully in the single percentage digits.”

    Reply
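    The cost structure the paper relies on (one expensive precomputation per prime, then cheap per-connection breaks) is easier to see in code than in prose. The block below is an added toy model, not code from the paper or from Libreswan: the real attack runs the number field sieve against 1024-bit primes, whereas here a 32-bit safe prime and baby-step giant-step stand in for it. The group parameters, session values and seeds are all constructed for the example. What carries over is the shape: building the table depends only on (p, g), and every captured exchange that reuses that prime then costs at most sqrt(p) more work.

```python
"""Toy model of 'precompute once per prime, then passively break many
Diffie-Hellman exchanges'. Added example: BSGS over a 32-bit safe prime
stands in for the number field sieve over a 1024-bit one."""
import math
import random

# Deterministic Miller-Rabin bases: exact for every n below 2**64.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits, seed):
    """Return (p, g): a safe prime p = 2q + 1 of the given bit size and a
    generator of the full group of order p - 1. Seeded for reproducibility."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    for g in range(2, p):
        # g generates the whole group iff its order is neither 2 nor q.
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return p, g


class DLogOracle:
    """The precomputation half: a baby-step table tied to one (p, g).
    Building it costs about sqrt(p) multiplications and is done once; each
    later discrete log against the same prime costs at most sqrt(p) more."""

    def __init__(self, p, g):
        self.p, self.g = p, g
        order = p - 1
        self.m = math.isqrt(order) + 1
        self.baby = {}
        cur = 1
        for j in range(self.m):
            self.baby.setdefault(cur, j)           # g^j -> j
            cur = cur * g % p
        self.giant_step = pow(g, order - self.m, p)  # g^(-m) mod p

    def log(self, h):
        """Return x with g^x = h (mod p), reusing the precomputed table."""
        cur = h % self.p
        for i in range(self.m + 1):
            j = self.baby.get(cur)
            if j is not None:
                return (i * self.m + j) % (self.p - 1)
            cur = cur * self.giant_step % self.p
        raise ValueError("h is not a power of g")

    def recover_shared_secret(self, A, B):
        """Passive attacker: from the two public values of one exchange,
        recover one private exponent and hence the shared secret."""
        return pow(B, self.log(A), self.p)


def sample_sessions(p, g, count, seed):
    """Constructed traffic: independent DH exchanges over the same (p, g).
    Returns (A, B, true_shared_secret); an eavesdropper sees only A and B."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        a = rng.randrange(1, p - 1)
        b = rng.randrange(1, p - 1)
        A, B = pow(g, a, p), pow(g, b, p)
        out.append((A, B, pow(B, a, p)))
    return out


if __name__ == "__main__":
    p, g = make_group(32, seed=2015)
    oracle = DLogOracle(p, g)              # paid once for this prime
    for A, B, secret in sample_sessions(p, g, 5, seed=7):
        assert oracle.recover_shared_secret(A, B) == secret
    print(f"p={p} g={g}: a {oracle.m}-entry table broke 5 sessions")
```

    The practitioner takeaway matches Wouters’s point: what matters is the size of the group a given server will actually agree to, not what a scanner infers from no_proposal_chosen responses. On the defensive side, an IKE proposal list that only offers 2048-bit MODP (group 14) or larger, or elliptic-curve groups, removes the amortisation target entirely.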
  12. Tomi Engdahl says:

    European Aviation Agency Warns of Aircraft Hacking
    https://threatpost.com/european-aviation-agency-warns-of-aircraft-hacking/114987/

    The director of one of Europe’s top aviation agencies warned on Thursday that hackers could infiltrate critical systems in an airplane on the ground.

    Patrick Ky, director of the European Aviation Safety Agency, said a consultant hired by the agency—one who is a commercial pilot as well—exploited vulnerabilities in the ACARS (Aircraft Communications Addressing and Reporting System) used to transmit text messages between planes and ground stations.

    Ky said at a press conference that it took the expert five minutes to crack ACARS and a couple of days to access the aircraft control system on the ground.

    “For security reasons, I will not tell you how he did it, but I let you judge if the risk is high or low,”

    Teso targeted ACARS specifically and disclosed a number of on-board system vulnerabilities. Teso said he found relatively little security protecting communication between the aircraft and the ground.

    “The system’s weak point is that it doesn’t verify communication packages on the way from the ground to the plane,” said Andrey Nikishin, head of future technologies projects development at Kaspersky Lab. “Because of that, it is possible to spoof the system by inserting a new package along the way.”

    “Theoretically, a malicious user can influence a pilot’s decision to change the route, if, through the spoofing flow, he sends the plane a fake message about an upcoming storm,” Nikishin said. “The same malicious scheme could be applied to spoof GPS, making the system believe that it is located in a different place from where it actually is.”

    “ACARS uses a proprietary encoding/decoding scheme that has been in use since 1978 – when aircraft equipment was not designed with cybersecurity in mind,” Nikishin said. “This makes it outdated, and we believe that aircraft manufacturers should have already started to develop a new system, with a new approach.”

    Ky’s revelation comes a day ahead of the introduction of a new European air traffic control system called Sesar.

    “Tomorrow, with the introduction of Sesar and the possibility for the air traffic control to directly give instructions to the aircraft control system, this risk will be multiplied,” Ky said. “We need to start by putting in place a structure for alerting airlines to cyber attacks.”

    Reply
  13. Tomi Engdahl says:

    Chinese Hackers Targeted Insurer To Learn About US Healthcare
    http://science.slashdot.org/story/15/10/29/2123228/chinese-hackers-targeted-insurer-to-learn-about-us-healthcare

    When Anthem revealed a data breach that exposed the details of more than 80 million people, the incident raised a lot of questions: who would conduct such a hack against a health insurance firm? Investigators finally have some answers… and they’re not quite what you’d expect. Reportedly, the culprits were Chinese hackers helping their nation understand how US medical care works.

    Chinese hackers targeted an insurer to learn about US health care
    http://www.engadget.com/2015/10/28/anthem-health-care-hack-findings/

    When Anthem revealed a data breach that exposed the details of more than 80 million people, the incident raised a lot of questions: who would conduct such a hack against a health insurance firm? Why? And what happens to the data? Well, investigators finally have some answers… and they’re not quite what you’d expect. Reportedly, the culprits were Chinese hackers helping their nation understand how US medical care works. It may be part of a concerted campaign to get ready for 2020, when China plans to offer universal health care. If that’s the case, the findings might explain a string of health-related breaches in the past few years.

    If accurate, however, the allegations aren’t going to help China’s attempts to mend its image.

    Reply
  14. Tomi Engdahl says:

    Lone wolves could be behind multi-million dollar Cryptowall ransomware racket
    Top tech firms say group is ‘immensely successful’
    http://www.theregister.co.uk/2015/10/30/crypowall_paper_cyber_threat_alliance/

    A single group could be behind the monstrous Cryptowall 3.0 ransomware, widely considered to be one of the most menacing threats to end users that has fleeced victims of millions of dollars.

    Intel Security, Palo Alto Networks, Fortinet, and Symantec under the Cyber Threat Alliance have probed the net scourge revealing that the attackers are thought to be a single entity. That theory’s based on commonalities in the Bitcoin wallets they use to receive ransom payments.

    The findings are contained in the report Lucrative Ransomware Attacks (PDF). The document details the complexities of the ransomware menace that has forced users and businesses to pay criminals hundreds or thousands of dollars in individual ransoms for a key that can decrypt files.

    Reply
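    The attribution step described above (tying many samples to one operator through shared ransom-payment addresses) is a standard indicator-clustering exercise. The block below is an added example, not code from the Cyber Threat Alliance report: the sample IDs and addresses are constructed placeholders, not real indicators, and the linking rule (two samples belong together if they share any payment address, transitively) is the one the article’s reasoning implies.

```python
"""Cluster malware samples by shared payment indicators (union-find).
Added example; the observations below are constructed, not real IOCs."""
from collections import defaultdict

# Constructed data: (sample_id, payment address seen in the ransom note).
OBSERVATIONS = [
    ("sample-001", "1AddrAlpha"),
    ("sample-001", "1AddrBravo"),
    ("sample-002", "1AddrBravo"),
    ("sample-003", "1AddrCharlie"),
    ("sample-004", "1AddrCharlie"),
    ("sample-004", "1AddrDelta"),
    ("sample-005", "1AddrEcho"),
    ("sample-006", "1AddrAlpha"),
]


class UnionFind:
    """Disjoint sets with path halving; keys are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_shared_indicator(observations):
    """Return clusters as sorted lists of sample IDs. Two samples land in the
    same cluster when they share at least one indicator, transitively."""
    uf = UnionFind()
    by_indicator = defaultdict(list)
    for sample, indicator in observations:
        uf.find(sample)                      # register singletons too
        by_indicator[indicator].append(sample)
    for samples in by_indicator.values():
        for other in samples[1:]:
            uf.union(samples[0], other)
    groups = defaultdict(set)
    for sample, _ in observations:
        groups[uf.find(sample)].add(sample)
    return sorted(sorted(g) for g in groups.values())


def indicators_per_cluster(observations):
    """Map each cluster (as a tuple of sample IDs) to the indicators it
    shares, which is what an analyst pivots on next."""
    clusters = cluster_by_shared_indicator(observations)
    owner = {s: tuple(c) for c in clusters for s in c}
    out = defaultdict(set)
    for sample, indicator in observations:
        out[owner[sample]].add(indicator)
    return dict(out)


if __name__ == "__main__":
    for cluster in cluster_by_shared_indicator(OBSERVATIONS):
        print(cluster)
```

    Shared payment addresses are one signal, not proof of a single operator: an affiliate scheme that routes all payments through one panel looks identical in this view, so a second, independent indicator (for example C2 infrastructure) should agree before treating the cluster as one entity.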
  15. Tomi Engdahl says:

    Patch this braXen bug: Hypervisor hole lets guest VMs hijack hosts
    Seven-year-old privilege escalation vulnerability caused by C code entanglement
    http://www.theregister.co.uk/2015/10/29/xen_security/

    The Xen hypervisor project today released nine security patches that should be applied ASAP – particularly the one that stops guest virtual machines seizing control of host servers.

    That vulnerability – XSA-148 – can be exploited by a paravirtualized guest to manipulate the memory layout of the underlying system, and ultimately compromise the host and all other virtual machines running on it. Which is bad. The open-source Qubes OS project, which relies on Xen to run apps and drivers in isolated compartments, has dissected the programming blunder.

    Qubes Security Bulletin #22
    Critical Xen bug in PV memory virtualization code (XSA 148)
    https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-022-2015.txt

    Admittedly this is subtle bug, because there is no buggy code that
    could be spotted immediately. The bug emerges only if one looks at a
    bigger picture of logic flows (compare also QSB #09 for a somehow
    similar situation).

    On the other hand, it is really shocking that such a bug has been
    lurking in the core of the hypervisor for so many years. In our
    opinion the Xen project should rethink their coding guidelines and try
    to come up with practices and perhaps additional mechanisms that would
    not let similar flaws to plague the hypervisor ever again (assert-like
    mechanisms perhaps?). Otherwise the whole project makes no sense, at
    least to those who would like to use Xen for security-sensitive work.

    Specifically, it worries us that, in the last 7 years (i.e. all the
    time when the bug was sitting there having a good time) so much
    engineering and development effort has been put into adding all sorts
    of new features and whatnots, yet no serious effort to improve Xen
    security effectively. Because there have been, of course, many more
    security bugs found in Xen over the last years (as the numbering of
    this XSA suggests).

    Reply
  16. Tomi Engdahl says:

    China, Germany moving closer to no-hack pact
    Signals intelligence, diplomatic snooping still OK though
    http://www.theregister.co.uk/2015/10/30/china_germany_no_hack_pact/

    China and Germany are moving towards a mutual no-hacking-for-economic-espionage pact, along the lines of agreements already signed between China and the US and UK.

    German Chancellor Angela Merkel told reporters after talks with Chinese Premier Li Keqiang that Germany was seeking a deal “very quickly”. Germany, ahead of the UK, is China’s largest trading partner in Europe.

    “China is very active in economic espionage, and Germany has been an attractive target because of the many technological innovations happening at Mittelstand companies that traditionally have weak IT-security systems,” she told Bloomberg.

    China routinely denies engaging in the theft of commercial secrets. Few independent infosec experts believed these denials, with the consensus view being that China has industrialised malware creation and hacking on a grand scale through units of the People’s Liberation Army and other arms of the state.

    Targets include foreign governments, NGOs, activists, and hi-tech companies (most particularly aerospace and defence contractors).

    Reply
  17. Tomi Engdahl says:

    Police in US, Europe raid homes of supersnoop Droidjack RAT suspects
    Users, not makers are target of cop crackdown
    http://www.theregister.co.uk/2015/10/30/droidjack_raids/

    Police across Europe have raided homes of suspected users of Droidjack, a strain of Android malware.

    Cops in the US, UK, Germany, France, Belgium and Switzerland were all involved in the operation against Droidjack users. Details are so far sketchy and no arrests have been reported.

    DroidJack is a remote access Trojan which is available for sale on underground forums for around $200. The malware can be used to stalk someone’s activity and movements, for example by jealous partners or criminals.

    Reply
  18. Tomi Engdahl says:

    Anonymous hack group plans to out anonymous hate group
    Operation KKK plans payback by lifting the hood on 1,000 Ku Klux Klan members
    http://www.theregister.co.uk/2015/10/30/anonymous_hack_group_plans_to_out_anonymous_hate_group/

    Persons using the name and iconography of online activist collective “Anonymous” (PUTNAIOOACA) have threatened to out members of the Ku Klux Klan.

    In a Pastebin post PUTNAIOOACA operatives say “we will be revealing about 1000 of your klan member identities.”

    The motivation for the campaign appears twofold, with the Pastebin dump suggesting revenge as one aim because “We are not attacking you because of what you believe in as we fight for freedom of speech, We are attacking you because of what you do to our brothers and sisters.”

    What did the KKK do to PUTNAIOOACA? The paste says “You messed with our family and now we will mess with yours.”

    Reply
  19. Tomi Engdahl says:

    Brit mobile pay biz reveals historical cyber attacks, gets smacked in the share price
    ‘Small number’ of customers’ details in public domain
    http://www.theregister.co.uk/2015/10/30/shares_hit_as_mobile_payments_biz_fesses_to_historical_cyber_attacks/

    The share price of mobile payments business Optimal Payments has taken a banging after the company confessed it was only just beginning to investigate historical data breaches, following the discovery of its customers’ data being trafficked online.

    The British company said that it had only come to know about the data breaches due to media enquiries, although they had occurred several years ago. The Financial Times reported that the company had “confirmed that a ‘small number’ of [customers'] details are in the public domain, which are allegedly part of a larger database of stolen personal data.”

    The company was working to establish the number of customers whose data had been stolen.

    “Shares fell up to 17.9 per cent after the announcement,”

    The tumble follows another in response to a breach at TalkTalk following what it has claimed was a cyberattack earlier last week. At the time, the CEO of TalkTalk, Dido Harding, had complained that “cyber criminals are becoming increasingly sophisticated and attacks against companies that do business online are becoming increasingly frequent.”

    To date, two teenage suspects, a 15-year-old and a 16-year-old, have been arrested in connection with the TalkTalk incident.

    Customers have not been contacted regarding the breaches.

    Reply
  20. Tomi Engdahl says:

    Have a Plan A, and Plan B – just don’t go down with the ship
    Paranoia and obsessiveness will keep you afloat
    http://www.theregister.co.uk/2015/10/30/disaster_recovery_thats_not_a_disaster/

    When planning for disaster recovery, our natural inclination is to focus on the technical design. We work to strike the perfect balance between controlling infrastructure spend and the required capacity.

    Technical considerations are of course paramount – replication schedules based on delta changes and available bandwidth, the impact of synchronous versus asynchronous writes, calculations of recovery time and recovery point objectives – all to ensure that the required data and systems are available at the secondary site.

    This is of course the primary purpose of the disaster recovery solution, and nobody would argue that the technical implementation isn’t paramount.

    It’s easy to get caught up in these finer technical details, though, and overlook some fundamental pitfalls that could turn your recovery into a bigger disaster than any problem your system was supposed to cope with.

    Let’s examine some of these scenarios and consider how you can mitigate against them.
    Man down

    This is a morbid scenario to open up with, but the possibility is very real. More often than not, you’ll be forced to switch to a disaster recovery site

    There is always the possibility that the disaster you’re recovering could be a real killer

    What happens if your sysadmins were in the building at the time of the disaster? What happens if they were hauling ass to the data centre together to put out the fire, and were in a car wreck en route? What happens if they were on the plane that left your data centre as a big smoking wreckage?

    If your sysadmin team is large then having two or three of them incapacitated might not be the end of the world, but there’s always the chance you might find yourself with all of your sysadmins unavailable to implement the disaster recovery plan. So what happens then?

    It helps to have nominated seconds within your organisation.

    Document everything

    It goes without saying, but the best disaster recovery system in the world could be rendered somewhat pointless without proper documentation to support it, particularly if you’re relying on one of the aforementioned deputised sysadmins to save the day.

    It may sound like a stereotype, but IT folk are notorious for not documenting their processes well. Whether it’s down to innocent absent-mindedness or a cynical desire to protect their own position through knowledge-siloing, there will be very few among us who could honestly say they literally couldn’t document any better.

    You need to document every step of switching from your primary to secondary site, in the most excruciating detail. It sounds obvious (and tedious) but this cannot be overstated.

    You need to consider: what steps do you take to access the disaster recovery site? How can you check that all data and services have been replicated before you allow customers access? What method do you use to bring databases back online at the secondary site?

    Test and test again

    The chap in question wouldn’t be offended if I said he was one of those stereotypically poor documenters, yet his Oracle disaster recovery plan was meticulous and surgically precise – in addition to being a welcome relief in a time of crisis – so why was that single piece of Oracle documentation so good?

    Because, it was rigorously tested, and the same should be true of your disaster recovery system (and of course, its associated documentation).

    Remember to treat any disaster recovery trial as a test of the documentation and the plan as much as the system, and try to have someone who didn’t write the plan perform the test; this is the perfect opportunity to test out your deputised sysadmins, and ensure the process works no matter who is at the helm on the day.

    You, your team, and the business stakeholders will all sleep better at night as a result.

    Reply
  21. Tomi Engdahl says:

    Haroon Siddique / Guardian:
    TalkTalk: hackers accessed fewer than 1.2M email addresses, names, and phone numbers, 21K unique bank account details, 28K obscured credit, debit card details

    TalkTalk says hackers accessed fraction of data originally thought
    http://www.theguardian.com/business/2015/oct/30/talktalk-hackers-accessed-fraction-data-cyber-attack

    Telecoms company confirms scale of cyber-attack was far smaller than feared as second teenager is bailed following data breach

    A second teenager has been arrested in relation to the alleged theft of data during a cyber-attack on the Telecoms giant Talk Talk.

    The 16-year-old boy was arrested in Feltham, west London, Metropolitan police said on Friday. He was released on bail until a date yet to be confirmed.

    His arrest followed that on Monday of a 15-year-old boy in Co Antrim, Northern Ireland, on suspicion of offences under the Computer Misuse Act. He has also been bailed, until a date in November.

    The 16-year-old’s Feltham home was searched during the arrest on Thursday, as was another residential property in Liverpool.

    TalkTalk has 4m customers whose bank details and personal information were feared at risk from the attack on its website, which took place a week ago.

    Reply
  22. Tomi Engdahl says:

    Electronic Frontier Foundation:
    US State Department will not classify “cyber products” as munitions in export control list

    VICTORY: State Department Decides Not to Classify “Cyber Products” as “Munitions”
    https://www.eff.org/deeplinks/2015/10/victory-state-department-decides-not-classify-cyber-products-munitions

    This week, the U.S. Department of State’s Defense Trade Advisory Group (DTAG) met to decide whether to classify “cyber products” as munitions, placing them in the same export control regime as hand grenades and fighter planes. Thankfully, common sense won out and the DTAG recommended that “cyber products” not be added to the control list. EFF and Access Now filed a brief joint statement with the DTAG urging this outcome and we applaud the DTAG’s decision.

    There were a number of problems with the proposal to place “cyber products” on the U.S. Munitions List, but most importantly, no one knows how “cyber products” would be defined.

    But beyond the definitional problem, we fundamentally disagree with the idea of classifying any computer security tools as weapons. Until the late 1990s, encryption itself was included on the U.S. Munitions List. Indeed, one of EFF’s flagship cases from that era was a constitutional challenge to that listing. We won, and cryptographic tools are no longer legally defined as “munitions” in the United States.

    Export controls on software, as we told the DTAG, have in the past had serious unintended consequences. Previous export controls on software have resulted in widespread risk to all Internet users. For example, the inclusion of encryption technology on the Munitions List led to deployment of an “export grade” standard to avoid the export controls. As it turned out, that persistent “export grade” standard, even 20 years after encryption controls were lifted, left millions of users susceptible to the “FREAK” and “Logjam” attacks used to monitor and modify website browsing data.

    Reply
  23. Tomi Engdahl says:

    No, we’re not sorry for Xen security SNAFUs says Ian Jackson
    Gandalf-grade developer says everything is insecure, so why single out Xen?
    http://www.theregister.co.uk/2015/11/01/no_were_not_sorry_for_xen_security_snafus_says_ian_jackson/

    Open source luminary Ian Jackson has hit back at criticism of the Xen Project’s security.

    The project last week nixed nine nasties, including a seven-year-old guest-host escape, and has patched a string of bugs this year including some that threatened to disrupt cloud services.

    The many bugs squashed of late have seen some rumblings, and this rather strident effort from Marek Marczykowski-Górecki of Invisible Things Lab takes things to a new level with some strongly-worded criticism:

    “… it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws to plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work.”

    The thrust of Jackson’s argument is that everything is insecure, but the Xen Project treats its code with the best known remedy: sunlight.

    “Unlike almost all corporations, and even most Free Software projects, the Xen Project properly discloses, via an advisory, every vulnerability discovered in supported configurations. We also often publish advisories about vulnerabilities in other relevant projects, such as Linux and QEMU.”

    Reply
  24. Tomi Engdahl says:

    EU Parliament: Citizens’ Rights Still Endangered By Mass Surveillance
    http://politics.slashdot.org/story/15/11/01/148246/eu-parliament-citizens-rights-still-endangered-by-mass-surveillance

    Too little has been done to safeguard citizens’ fundamental rights following revelations of electronic mass surveillance, say MEPs in a resolution voted on Thursday. They urge the EU Commission to ensure that all data transfers to the US are subject to an “effective level of protection” and ask EU member states to grant protection to Edward Snowden, as a “human rights defender”. Parliament also raises concerns about surveillance laws in several EU countries.

    Mass surveillance: EU citizens’ rights still in danger, says Parliament
    http://www.europarl.europa.eu/news/en/news-room/content/20151022IPR98818/html/Mass-surveillance-EU-citizens'-rights-still-in-danger-says-Parliament

    This resolution, approved by 342 votes to 274, with 29 abstentions, takes stock of the (lack of) action taken by the European Commission, other EU institutions and member states on the recommendations set out by Parliament in its resolution of 12 March 2014 on the electronic mass surveillance of EU citizens, drawn up in the wake of Edward Snowden’s revelations.

    By 285 votes to 281, MEPs decided to call on EU member states to “drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistle-blower and international human rights defender”.

    Reply
  25. Tomi Engdahl says:

    Real-World Roadblocks To Implementing CISA
    http://politics.slashdot.org/story/15/11/01/160238/real-world-roadblocks-to-implementing-cisa

    The recent approval of CISA (the Cybersecurity Information Sharing Act) by the US Congress and Senate is paving the way for broader security collaboration. If and when CISA is ratified into law, the chief obstacles to cybersecurity collaboration within the private sector will remain.

    Real-world roadblocks to implementing CISA
    http://www.net-security.org/article.php?id=2405

    There is a rapidly growing belief that security intelligence sharing needs to become part of every company’s defense toolbox – to detect, analyze, research and mitigate cybersecurity risks. Nevertheless, major obstacles remain. These include the implications that information sharing will have on the privacy of consumers, who are caught in the crosshairs of security data exchanges between companies and governments.

    The main goal of CISA is to reduce the barriers to meaningful sharing and collaboration between enterprises and government by addressing liability concerns associated with sharing sensitive data.

    In its current form, CISA focuses on the following concerns:

    1. Liability Protection – Companies will not be held liable for sharing (sending or receiving) indicators of compromise required to respond to a cyber threat.

    2. Government Sharing – President Obama’s 2011 proposal allowed the DHS to share data it received with other law enforcement entities. This broad reaching approach triggered massive opposition over fears that other agencies would misuse data and discourage private companies from sharing information with the government, over concerns they could be implicated in criminal investigations.

    3. Privacy Protection – The most criticized part of the act concerns possible privacy violations if an individual’s personal information is shared as part of a cybersecurity event.

    The current debate regarding privacy protection centers around distinguishing between information about suspected attackers (which should be shared), and information about potential victims (which merits protection).

    If and when CISA is ratified into law, the chief obstacles to cybersecurity collaboration within the private sector will remain, including:

    Trust

    Cyber experts are paranoid, and for good reason – the magnitude, sophistication and damages arising from cyber breaches are enormous – which makes them hesitant to disclose sensitive information to non-trusted peers. Meanwhile, current cloud-based approaches for creating intelligence sharing hubs pose concerns that data may be leaked to unwanted parties.

    Automation

    One painful challenge for security experts is the enormous amount of data they must parse – which makes identifying actionable insights almost impossible. False positives, data overlap and threat relevancy also discourage companies from investing in security collaboration initiatives.

    Other Regulatory Frameworks

    CISA promotes sharing – but when dealing with cyber threat data companies are also concerned about other mandates which may govern the information being shared. These include anti-trust, privacy, sectorial directives and data protection regulations that affect many multi-national organizations.

    Reply
  26. Tomi Engdahl says:

    Windows 10 growth stalls during October
    Windows XP market share declining less than Win 8.x or 7
    http://www.theregister.co.uk/2015/11/02/windows_market_share_october_2015/

    Next year’s Windows 10 auto-upgrade is MSFT’s worst idea since Vista
    Do you want virus outbreaks? Because that’s how you get ‘em
    http://www.theregister.co.uk/2015/10/31/windows_10_recommended_upgrade/

    Microsoft’s decision to push out Windows 10 upgrades as automatic Windows Update downloads is one of those ideas that sounded great in a Redmond meeting room, but will cause more problems than it solves.

    Right from the get-go Microsoft has made it clear that it is looking for a very fast rollout of Windows 10. The new operating system was offered as a free upgrade for some users – a first for Microsoft – and ever since the launch, Microsoft has been hustling people to upgrade, by fair means or foul.

    Nowadays, if you boot up a Windows 7 or 8 system you’ll see a variety of popups encouraging you to upgrade – roughly every few days, based on Vulture West’s experience. These are annoying but perfectly legitimate advertising.

    But deciding to make the upgrade part of the patching cycle is a grave mistake. True, it’s only going to be an optional upgrade at the moment, but by early next year the pressure is going to be raised, and anyone who automatically installs recommended security patches will find themselves with a new operating system waiting to start.

    And just about everyone installs recommended updates automatically because Microsoft insists on it.

    Getting a download from a bunch of fading rockers is one thing, but getting a new operating system is quite another. I’ve already had a call from an elderly relative asking about this and she’s not keen, as she’s only just learned how to use Windows 8 in the last few years and doesn’t fancy redoing all that.

    It’s likely to be the same story for a lot of other Windows users. Update settings are going to be changed and, as a result, we’re going to see a lot more operating system and application software flaws going unpatched.

    Malware writers and phishers are going to have a field day with this. It typically takes less than a week after Microsoft announces its Patch Tuesday fixes for the scummier side of the internet to reverse-engineer them and distribute exploits to take advantage of the unpatched.

    Reply
  27. Tomi Engdahl says:

    Don’t panic, biz bods: A guide to data in the post-Safe Harbor world
    Sweat the details
    http://www.theregister.co.uk/2015/10/09/living_in_a_post_safe_harbour_world/

    The Safe Harbor agreement this week suddenly became of interest to a lot more IT managers than had previously given a stuff about it.

    But what is Safe Harbor, exactly?

    The Safe Harbor agreement between the US and the EEA – which comprises the member states of the EU plus Iceland, Norway and Liechtenstein – dating from 2000, had provided a convenient way for companies with European presence to transfer data to the US.

    Instead of having to meet the individual requirements of each of the European countries from which data was being exported, you simply needed to demonstrate “adequacy” in your data protection processes and policies in order to gain a blanket approval for transferring data to the US from any or all of the EEA states.

    Now, after various challenges and reviews of the agreement over the years, the European Court of Justice has ruled Safe Harbour unsatisfactory and chucked it in the bin.

    The thing for IT managers to bear in mind about the EU-US agreement is that it was just that: a specific agreement that made life easier for data transfers to (which really means data storage in) the US in particular.

    As the cover of a well-known stellar information book might put it, though: don’t panic. Yes, if you’d relied on the agreement you need to review the adequacy of your protection processes now it’s gone. But it doesn’t mean you have to rush and do anything daft.

    Let’s have a look at what the Information Commissioner’s Office (ICO) says about sending personal data (and it’s primarily personal data we’re talking about) outside the EEA. The ICO’s guide to data protection (well worth a read) has eight principles. Principle eight, “Sending personal data outside the European Economic Area”, for example, contains a ten-point checklist which tells you to ask yourself things like:

    “Have you complied with all the other data protection principles?” and: “Is the transfer to a country on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data?”

    DIY data protection

    And the guidelines are pretty simple:

    Do a proper risk assessment. Nothing difficult there, you’d have had to do it with Safe Harbor anyway (albeit that it’d probably have been a bit less onerous).
    If you don’t think the place you’re transferring to is well-enough protected, add your own safeguards.
    Check out the eighth principle of the ICO guide and see if you can use any of the exceptions it offers.

    The ICO helps you out with the second point, incidentally: it provides guidance for model clauses (standard contract clauses for which they provide templates) or binding corporate rules (which enable something similar to what the Safe Harbor process provided in terms of a multi-state umbrella arrangement but which need to be registered on a fairly onerous company-by-company basis).

    So, then, what does the average IT manager need to do about the new Safe Harbor ruling?

    Don’t rush into anything.
    Remember, Safe Harbor is just one of the ways you can legally transfer data outside the EEA – and that it only affects transfers to the US.
    Be happy you’re not trying to move data from the US.

    Reply
  28. Tomi Engdahl says:

    APNewsBreak: South Korea pulls plug on child monitoring app
    http://goo.gl/bqV6ue

    SEOUL, South Korea (AP) — The most widely used child surveillance app in South Korea has been pulled from the market after security specialists raised serious concerns about the program’s safety.

    Moon Hyun-seok, a senior official at the Korea Communications Commission, told The Associated Press that “Smart Sheriff” has been removed from the Play store, Google’s software marketplace, and that existing users are being asked to switch to other programs.

    Security was one of the reasons that led to the removal of Smart Sheriff.

    A law passed in April requires all new smartphones sold to those 18 and under to be equipped with software which parents can use to snoop on their kids’ social media activity. Smart Sheriff, the most popular of more than a dozen state-approved apps, was meant to keep children safe from pornography, bullying and other threats, but experts say its abysmal security left the door wide open to hackers and put the personal information of some 380,000 users at risk.

    Mario Heiderich of Cure53 said it wasn’t his place to say whether it was right to mandate the installation of monitoring apps on children’s phones. But he said Smart Sheriff’s implementation of the surveillance was disastrous.

    “If you are going to do it at all, you have to do it right,” he said. “And this was not done right at all.”

    Reply
  29. Tomi Engdahl says:

    Anonymous plans to reveal names of about 1,000 Ku Klux Klan members
    http://www.theguardian.com/technology/2015/oct/29/anonymous-ku-klux-klan-members-reveal-names

    The ‘hacktivist’ collective wrote that the identities of white supremacist group members will be revealed next month on anniversary of their anti-Klan operation

    The “hacktivist” collective Anonymous have vowed to release the names of “about 1,000” Ku Klux Klan members as part of an ongoing operation against the white supremacist group in the US.

    The names were obtained after Anonymous gained access to a Klan twitter account, according to a tweet from the Operation KKK, as Anonymous have named the anti-Klan operation.

    Operation KKK’s Twitter account said that the name-dump will coincide with the one-year anniversary of the beginning of the group’s cyber-war with the Klan following a grand jury’s decision not to indict officer Darren Wilson for the death of Michael Brown in Ferguson, Missouri.

    In November 2014, a local Missouri chapter of the KKK distributed fliers threatening violence against activists.

    In response, Anonymous declared war on the white supremacy group. They took over the KKK’s Twitter account and replaced its logo with their own – the account remains under Anonymous’ control to this day – and hit Klan-affiliated sites with DDoS (distributed denial of service) attacks. They also released the names of a number of KKK members.

    Anonymous, which operates as a grassroots-style organisation with no visible leadership or membership structure, has chosen a disparate group of targets since its inception roughly 12 years ago. Its first high-profile operation, known as Project Chanology, targeted the Church of Scientology.

    Founded after the civil war, the Ku Klux Klan is considered America’s oldest hate

    A press release posted online on Tuesday
    http://www.theguardian.com/technology/2015/oct/29/anonymous-ku-klux-klan-members-reveal-names

    Reply
  30. Tomi Engdahl says:

    Microsoft doesn’t see Windows 10’s mandatory data collection as a privacy risk
    Exec says telemetry data is key to improving the operating system
    http://www.pcworld.com/article/2997213/privacy/microsoft-doesnt-see-windows-10s-mandatory-data-collection-as-a-privacy-risk.html#tk.rss_windows

    In the run-up to the launch of Windows 10 earlier this year, users noticed that Microsoft’s operating system would be collecting more data on them by default than it had in the past, including information about their location and what they’re typing, and sending it off to Microsoft.

    Understandably, some folks were concerned about the privacy implications of such a move, especially given disclosures around government surveillance, and the fact that Microsoft previously hadn’t built this kind of data collection into its operating system.

    Those concerns weren’t helped by Microsoft, which was slow to clarify exactly what it takes from users and how to disable much of that collection. It’s possible for users to opt out of things like the contact and calendar tracking through Microsoft that Cortana uses to provide its personal assistant services, but people who use Windows 10’s express settings will toggle them on immediately.

    Business users have more controls:

    Configure telemetry and other settings in your organization
    https://technet.microsoft.com/library/mt577208%28v=vs.85%29.aspx

    Reply
  31. Tomi Engdahl says:

    Somebody Just Claimed a $1 Million Bounty for Hacking the iPhone
    http://motherboard.vice.com/en_uk/read/somebody-just-won-1-million-bounty-for-hacking-the-iphone

    Apple devices are widely considered extremely secure and hard to hack. But as the internet adage says, everything can be hacked—even the new iPhone.

    Over the weekend, somebody claimed the $1 million bounty set by the new startup Zerodium, according to its founder Chaouki Bekrar, a notorious merchant of unknown, or zero-day, vulnerabilities.

    The challenge consisted of finding a way to remotely jailbreak a new iPhone or iPad running the latest version of Apple’s mobile operating system iOS (in this case iOS 9.1 and 9.2b), allowing the attacker to install any app he or she wants with full privileges.

    “Making the jailbreak remotely triggerable via Safari or Chrome requires at least two to three additional exploits.“

    Many tech companies in the last few years, such as Facebook and Google, have launched bug-bounty programs, offering rewards to friendly hackers who find vulnerabilities and disclose them to the company so that they can get fixed. There are also several bug bounty middle men, such as HackerOne and Bugcrowd, who act as platforms for crowdsourced bug-hunting. (Apple does not offer a bug bounty program.)

    Reply
  32. Tomi Engdahl says:

    WoW! Want to beat Microsoft’s Windows security defenses? Poke some 32-bit software
    Compatibility tool ‘hampers EMET anti-malware protections’
    http://www.theregister.co.uk/2015/11/03/32bit_software_to_beat_emet/

    Two chaps claim to have discovered how to trivially circumvent Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) using Redmond’s own compatibility tools.

    A report [PDF] by the duo at Duo Security describes how the Windows on Windows (WoW64) environment can be abused to bypass built-in security tools.

    WoW64 allows 32-bit applications to run on 64-bit Windows installations. At its core, it works by trapping system calls made by code running in 32-bit mode, and jumping to 64-bit long mode before letting Windows handle the call. By taking advantage of the mode changes, we’re told, it is possible to smuggle malicious code past EMET’s barriers, which ordinarily do a good job of blocking vulnerability exploits.

    Of course, to pull this off, one must find and exploit a security hole in a piece of 32-bit software that’s running on a 64-bit system using WoW64.

    Duo’s Darren Kemp and Mikhail Davidov reckon a ton of 32-bit web browsers run in WoW64 mode on Windows PCs, though.

    “Based on a sample of one week’s worth of browser authentication data for unique Windows systems, we found that 80 per cent of browsers were 32-bit processes executing on a 64-bit host system (running under WoW64), 16 per cent were 32-bit processes executing on 32-bit hosts, while the remaining 4 per cent were true 64-bit processes,” their report reads.

    Dev to Mozilla: Please dump ancient Windows install processes
    Old habits die hard
    http://www.theregister.co.uk/2015/11/03/dev_to_mozilla_please_dump_ancient_windows_install_processes/

    Security bod Stefan Kanthak is asking Mozilla to quit using Windows self-extracting installs.

    Last week, Kanthak posted to Full Disclosure that Mozilla’s SETUP.EXE package has a long-standing bug that allows privilege escalation for local users.

    The problem Kanthak describes is simple: self-extracting archives (not just from Mozilla) are subject to an ancient exploit in the DLL search order. The attacker can load a rogue DLL instead of what the installer expects.

    Reply
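    Because the Duo finding only matters for 32-bit binaries that run on a 64-bit host, a defender's first question is which installed executables those are. The following is an added example, not code from the Register article or from Duo's report: it reads the COFF `Machine` field and the optional-header magic of a PE file and says whether the image would run under WoW64 on a 64-bit host. The PE stubs it checks are constructed inline, and `host_is_64bit`, `build_pe_stub` and `scan_for_wow64` are names chosen here.

```python
"""Inventory which executables will run under WoW64 on a 64-bit Windows host.

Added example: a 32-bit PE (Machine 0x014C, PE32 magic) on a 64-bit host runs
under WoW64, the environment the Duo report abuses. The PE stubs built by
build_pe_stub are constructed test data, not real binaries.
"""
import platform
import struct

# COFF Machine values and optional-header magic numbers from the PE format spec.
MACHINES = {0x014C: (32, "x86"), 0x01C4: (32, "arm"),
            0x8664: (64, "x64"), 0xAA64: (64, "arm64")}
PE32_MAGIC, PE32PLUS_MAGIC = 0x010B, 0x020B


def _e_lfanew(head: bytes) -> int:
    """Offset of the NT headers, stored at 0x3C of the DOS header."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    return struct.unpack_from("<I", head, 0x3C)[0]


def _parse_nt_header(nt: bytes):
    """nt = 'PE\\0\\0' + 20-byte COFF header + first 2 bytes of the optional header."""
    if nt[:4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", nt, 4)[0]      # COFF Machine
    magic = struct.unpack_from("<H", nt, 24)[0]       # optional header Magic
    if machine not in MACHINES:
        raise ValueError("unknown machine type 0x%04x" % machine)
    bits, arch = MACHINES[machine]
    # The two fields must agree; a mismatch means a malformed or tampered header.
    if (bits == 64) != (magic == PE32PLUS_MAGIC):
        raise ValueError("machine/magic mismatch")
    return bits, arch


def pe_bitness(data: bytes):
    """Return (bits, arch) for a PE image held in memory."""
    off = _e_lfanew(data)
    return _parse_nt_header(data[off:off + 26])


def pe_bitness_of_file(path: str):
    """Same check reading only the headers of an on-disk executable."""
    with open(path, "rb") as f:
        off = _e_lfanew(f.read(0x40))
        f.seek(off)
        return _parse_nt_header(f.read(26))


def host_is_64bit() -> bool:
    return platform.machine().lower() in ("amd64", "x86_64", "arm64", "aarch64")


def runs_under_wow64(data: bytes, host64: bool) -> bool:
    """A 32-bit image on a 64-bit host is exactly the WoW64 case."""
    return pe_bitness(data)[0] == 32 and host64


def scan_for_wow64(paths, host64: bool) -> dict:
    """Map each path to True (WoW64), False (native) or None (unreadable / not PE)."""
    result = {}
    for p in paths:
        try:
            result[p] = pe_bitness_of_file(p)[0] == 32 and host64
        except (OSError, ValueError):
            result[p] = None
    return result


def build_pe_stub(machine: int, magic: int) -> bytes:
    """Constructed test data: the smallest header layout the parser needs."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    import sys
    for path, flag in scan_for_wow64(sys.argv[1:], host_is_64bit()).items():
        state = "WoW64" if flag else ("native" if flag is False else "unreadable")
        print(path, state)
```

    Run it with the paths of the browser executables you deploy (for example `python wow64_inventory.py "C:\Program Files (x86)\...\firefox.exe"`); every path reported as WoW64 is a process to which the report's figures apply, and the obvious mitigation on a 64-bit host is to deploy the 64-bit build where one exists.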
  33. Tomi Engdahl says:

    Web server secured? Good, now let’s talk about e-mail
    It’s not just Hillary whose server’s a spillory
    http://www.theregister.co.uk/2015/11/03/web_server_secured_good_now_lets_talk_about_email/

    While Website owners may have noticed the need to get rid of old, buggy or weak crypto, those operating e-mail servers seem to be operating on autopilot.

    Not in a good way, either: the world of e-mail is headed for “controlled flight into terrain” if sysadmins don’t grab the controls and get to work, the researchers from Austria’s SBA Research and the St Pölten University of Applied Sciences say.

    “The recent increase in HTTPS certificate security (moving certificates from 1024 to 2048 bit) went totally unnoticed for all e-mail related ports, IPv4-wide”.

    Still feeling relaxed? How about this: “millions of hosts are currently misconfigured to allow AUTH-PLAIN over unencrypted connections”.

    Moreover, users can’t easily check server certificates in e-mail, making it easy for an attacker to present a fake cert, and deprecated TLS versions 1.1 and 1.2 were accepted by 650,000 SMTP servers.

    Reply
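    The "AUTH-PLAIN over unencrypted connections" finding is something a mail admin can check on their own servers in a minute. Here is an added example, not from the Register piece or from the SBA Research paper, that speaks just enough SMTP to read the EHLO reply a server gives before any STARTTLS and reports whether a cleartext password mechanism is offered on that connection. The two EHLO replies embedded in it are constructed; the hostname presented in EHLO is a placeholder.

```python
"""Audit an SMTP listener for AUTH PLAIN/LOGIN offered before STARTTLS.

Added example: parse_ehlo/assess work on a raw EHLO reply, probe() fetches a
live one from a server you operate. BAD_EHLO and GOOD_EHLO are constructed.
"""
import socket

# Constructed EHLO replies (RFC 5321 layout: '250-' continues, '250 ' ends).
BAD_EHLO = (b"250-mail.example.test\r\n"
            b"250-PIPELINING\r\n"
            b"250-SIZE 10240000\r\n"
            b"250-AUTH PLAIN LOGIN\r\n"   # password mechanisms on a plaintext session
            b"250 8BITMIME\r\n")
GOOD_EHLO = (b"250-mail.example.test\r\n"
             b"250-PIPELINING\r\n"
             b"250-STARTTLS\r\n"          # AUTH is only advertised after the TLS handshake
             b"250 8BITMIME\r\n")


def parse_ehlo(reply: bytes) -> dict:
    """Map each advertised EHLO keyword (upper-cased) to its parameter list."""
    features = {}
    lines = reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:                   # line 0 is the server's domain, not an extension
        if not line.startswith("250") or len(line) < 5:
            continue
        keyword, _, params = line[4:].strip().partition(" ")
        keyword = keyword.upper()
        if keyword.startswith("AUTH="):      # legacy 'AUTH=PLAIN LOGIN' form some servers emit
            params = keyword[5:] + " " + params
            keyword = "AUTH"
        features.setdefault(keyword, []).extend(p.upper() for p in params.split())
    return features


def assess(features: dict) -> dict:
    """Decide whether a cleartext session would accept a password."""
    mechanisms = features.get("AUTH", [])
    return {
        "starttls": "STARTTLS" in features,
        "mechanisms": mechanisms,
        # PLAIN and LOGIN send the password base64-encoded, not encrypted, unless TLS is up.
        "cleartext_auth": any(m in ("PLAIN", "LOGIN") for m in mechanisms),
    }


def _read_reply(rfile) -> bytes:
    """Collect one multi-line SMTP reply; the final line has a space after the code."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        lines.append(line)
        if len(line) >= 4 and line[3:4] == b" ":
            return b"".join(lines)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, send EHLO before any STARTTLS, and assess what is offered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        _read_reply(rfile)                                # 220 greeting
        sock.sendall(b"EHLO audit.example.invalid\r\n")   # placeholder client name
        verdict = assess(parse_ehlo(_read_reply(rfile)))
        sock.sendall(b"QUIT\r\n")
    return verdict


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in (25, 587):
        try:
            print(port, probe(host, port))
        except OSError as exc:
            print(port, "unreachable:", exc)
```

    A result with `cleartext_auth` true is the misconfiguration quoted above; the fix on Postfix is `smtpd_tls_auth_only = yes` (and on Dovecot `disable_plaintext_auth = yes`), after which AUTH should appear only in the EHLO sent after STARTTLS.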
  34. Tomi Engdahl says:

    Malware menaces Merkel’s minion, says Spiegel
    NSA Regin trojan hit German Chancellery chief’s laptop
    http://www.theregister.co.uk/2015/10/27/malware_menaces_merkels_minion_says_spiegel/

    Powerful malware with speculative National Security Agency (NSA) links has infected the private laptop of Germany’s secretary of state in the Federal Chancellery, according to reports by national news digger Der Spiegel.

    The Regin-derived malware in question is thought to be a plugin dubbed Qwerty, used in the NSA’s WarriorPride framework.

    That connection is based on Snowden documents and deep technical analysis that also shows Regin bears links to the infamous Stuxnet malware and spin-offs Flame and Duqu, as well as the long-running and truly advanced Equation hacking group which has operated for some 15 years and infected hundreds of targets.

    Germany’s federal prosecutor’s office is investigating the attacks but has not provided a timeline for the probe.

    Reply
  35. Tomi Engdahl says:

    KeePass looter: The password plunderer to hose pwned sys admins
    ‘When you’re owned, you’re boned’.
    http://www.theregister.co.uk/2015/11/03/keypass_looter_the_password_plunderer_to_hose_pwned_sys_admins/

    Kiwi hacker Denis Andzakovic has developed an application that steals password vaults from the popular local storage vault KeePass.

    The jeu de mots KeeFarce works when a user has logged into their vault, and will dump the contents to a file that attackers can steal.

    It is no death knell for KeePass or other password managers, but is an extra bow in the quiver of attackers capable of compromising a target’s machine.

    “One of the main uses of the tool is for penetration testers,”

    Hacking tool swipes encrypted credentials from password manager
    “KeeFarce” targets KeePass, but virtually all password managers are vulnerable.
    http://arstechnica.com/security/2015/11/hacking-tool-swipes-encrypted-credentials-from-password-manager/

    Using a password manager is one of the biggest ways that average computer users can keep their online accounts secure, but their protection is pretty much meaningless when an end user’s computer is compromised. Underscoring this often ignored truism is a recently released hacking tool that silently decrypts all user names, passwords, and notes stored by the KeePass password manager and writes them to a file.

    KeeFarce, as the tool has been dubbed, targets KeePass, but there’s little stopping developers from designing similar apps that target virtually every other password manager available today. Hackers and professional penetration testers can run it on computers that they have already taken control of. When it runs on a computer where a logged in user has the KeePass database unlocked, KeeFarce decrypts the entire database and writes it to a file that the hacker can easily access.

    Reply
  36. Tomi Engdahl says:

    New Android update fixes two critical vulnerabilities
    http://www.theverge.com/2015/11/2/9658286/android-marshmallow-update-vulnerability-patch-deployment

    Android is getting a new patch today, fixing a total of 23 vulnerabilities including two critical issues. The most serious of the vulnerabilities allows remote code execution through email, web browsing and MMS. The patch also fixes a newly discovered vulnerability in the Stagefright library, listed as high rather than critical because of the difficulty of remote execution.

    The patch includes bugs reported by Trend Micro, System Security Lab and Keen Team, as well as Google’s internal security teams. Partners were notified of the bugs by October 5th, and the patches will be published to the Android Open Source Project’s code repository within 48 hours.

    It’s the fourth monthly update since Android security began its monthly schedule, and the second since the Marshmallow release.

    The big question for Android users is how long it will take for the patch to reach every device. It’s being deployed directly to Nexus devices, and Samsung has said it will push monthly patches immediately to Galaxy S, Note, and Tab models. LG made a similar announcement at this year’s Black Hat conference. Other manufacturers like HTC and Sony have pushed out patches for specific bugs like Stagefright but haven’t yet committed to the rolling updates.

    Reply
  37. Tomi Engdahl says:

    Open Whisper Systems releases Signal encrypted messaging app for Android to replace TextSecure and RedPhone
    http://venturebeat.com/2015/11/02/open-whisper-systems-releases-signal-encrypted-messaging-app-for-android-to-replace-textsecure-and-redphone/

    Open Whisper Systems, a provider of security-related technologies and apps for mobile devices, has started rolling out an Android version of its private messaging and calling iOS app Signal. In doing so, the company has consolidated the two current apps it has on Android into one, thereby mirroring what it gives iOS users.

    Competing with the likes of Telegram, Open Whisper Systems promises that Signal will provide users with the utmost privacy — the company said it cannot hear your conversations or see your messages, which means neither can governments. “Everything in Signal is always end-to-end encrypted, and painstakingly engineered in order to keep your communication safe,” Open Whisper Systems declared in a blog post.

    Reply
  38. Tomi Engdahl says:

    Lucian Constantin / PCWorld:
    Vulnerability in Baidu’s Moplus SDK, integrated in 14K+ apps, may affect 100M users

    Baidu app component puts 100 million Android devices at risk
    Baidu’s Moplus SDK allows attackers to execute malicious commands on users’ devices.
    http://www.pcworld.com/article/3000026/security/baidu-android-app-component-puts-100-million-devices-at-risk.html

    A software development kit created by Chinese Internet services company Baidu and used by thousands of Android applications contains a feature that gives attackers backdoor-like access to users’ devices.

    The SDK is called Moplus and while it’s not open to the public, it was integrated in more than 14,000 apps, of which only around 4,000 were created by Baidu, security researchers from Trend Micro said in a blog post Sunday.

    The company estimates that the affected apps are used by over 100 million users.

    According to Trend Micro’s analysis, the Moplus SDK opens an HTTP server on devices where affected apps are installed; the server doesn’t use authentication and accepts requests from anyone on the Internet.

    Even worse, by sending requests to this hidden HTTP server, attackers can execute predefined commands that were implemented in the SDK. These can be used to extract sensitive information like location data and search queries, as well as to add new contacts, upload files, make phone calls, display bogus messages and install apps.

    On devices that have been rooted, the SDK allows the silent installation of applications

    The Trend Micro researchers believe that in many ways the Moplus flaw is worse than one discovered earlier this year in the Android Stagefright library because at least that one required attackers to send malicious multimedia messages to users’ phone numbers or to trick them into opening malicious URLs.

    Baidu fixed all the security issues that were reported to the company by Oct. 30, a Baidu representative said via email.

    However, the question remains how quickly all of the third-party developers that used this SDK will update their apps with the latest version

    Reply
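    The Moplus defect is really two defects stacked: a helper HTTP server reachable from every network interface, and no credential on its commands. The following is an added example, not Baidu's, Trend Micro's or the SDK's code, showing the weak shape beside a hardened one for any in-app helper service, not just Android: the weak variant binds every interface and needs no token, the hardened one binds loopback only and requires a per-process secret, and both dispatch only to an allow-list of functions. The action names, the `X-Local-Token` header and the returned data are made up.

```python
"""Local helper service: the Moplus-style weak shape beside a hardened one.

Added example. dispatch() holds the request logic on its own so it can be
exercised without a socket; make_server() wires it to http.server.
"""
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

TOKEN_HEADER = "X-Local-Token"      # hypothetical header name

# Stand-ins for the SDK's predefined commands; they return constructed data.
ACTIONS = {
    "ping": lambda: {"pong": True},
    "location": lambda: {"lat": 0.0, "lon": 0.0, "note": "constructed"},
}


def bind_address(expose_to_network: bool, port: int = 0) -> tuple:
    """0.0.0.0 is the weak choice: it answers on Wi-Fi and mobile interfaces too."""
    return ("0.0.0.0" if expose_to_network else "127.0.0.1", port)


def is_authorized(presented: str, expected) -> bool:
    """Constant-time token check; expected=None models 'no auth at all' (the weak variant)."""
    if expected is None:
        return True
    return hmac.compare_digest(presented.encode(), expected.encode())


def dispatch(path: str, presented_token: str, expected_token):
    """Returns (status, body). Unknown names get 404; nothing is ever passed to a shell."""
    if not is_authorized(presented_token, expected_token):
        return 403, {"error": "missing or wrong token"}
    name = urlparse(path).path.strip("/")
    action = ACTIONS.get(name)
    if action is None:
        return 404, {"error": "unknown action"}
    return 200, action()


class LocalHandler(BaseHTTPRequestHandler):
    expected_token = None           # overridden per server instance by make_server

    def do_GET(self):
        status, body = dispatch(self.path, self.headers.get(TOKEN_HEADER, ""),
                                self.expected_token)
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):   # keep the demo quiet
        pass


def make_server(hardened: bool):
    """Weak: any interface, no token. Hardened: loopback, fresh 256-bit token per start."""
    token = secrets.token_urlsafe(32) if hardened else None
    handler = type("BoundHandler", (LocalHandler,), {"expected_token": token})
    server = HTTPServer(bind_address(expose_to_network=not hardened), handler)
    return server, token


if __name__ == "__main__":
    server, token = make_server(hardened=True)
    print("listening on", server.server_address, "token:", token)
    server.serve_forever()
```

    The token exists because loopback alone is not enough on a shared device: any other app on the same phone can reach 127.0.0.1, so the legitimate caller must receive the secret in-process (never over the network) and present it on every request. Trying `curl -H "X-Local-Token: <token>" http://127.0.0.1:<port>/ping` against the hardened server succeeds, while omitting the header or using any other host address fails.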
  39. Tomi Engdahl says:

    Lucian Constantin / Computerworld:
    Google researchers examine Galaxy S6 Edge and show OEMs add risky code as they find 11 vulnerabilities introduced by Samsung — Google researchers poke holes in Galaxy S6 Edge, show OEMs add risky code — Google’s security researchers hunted for bugs in Samsung’s Galaxy S6 Edge phone

    Google researchers poke holes in Galaxy S6 Edge, show OEMs add risky code
    http://www.computerworld.com/article/3000662/mobile-security/google-researchers-poke-holes-in-galaxy-s6-edge-show-oems-add-risky-code.html

    The code added by Samsung to the Android firmware on its device had 11 easy-to-find vulnerabilities

    The researchers found 11 vulnerabilities in Samsung’s code that could be exploited to create files with system privileges, steal the user’s emails, execute code in the kernel and escalate the privilege of unprivileged applications.

    “Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device which slowed us down,” the security researchers said in a blog post. “The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review.”

    Reply
  40. Tomi Engdahl says:

    Lucas Matney / TechCrunch:
    Cybersecurity Firm iboss Raises $35M From Goldman Sachs, Looks Toward IPO
    http://techcrunch.com/2015/11/03/cybersecurity-firm-iboss-raises-35m-from-goldman-sachs-looks-toward-ipo/

    After 10 years without any outside investment, cybersecurity firm iboss is finally raising its Series A. The company’s president said that even now, the company, which has been profitable since it launched, really “didn’t need the money.”

    The cloud-based security platform just raised a $35 million Series A from Goldman Sachs’ Private Capital Investing group.

    The company’s technologies work by “actively monitoring all network traffic,” which allows it to “prevent large-scale data breaches caused by malware that has made its way into the network and is poised to steal data,” according to a company statement.

    Reply
  41. Tomi Engdahl says:

    Slack’s Stewart Butterfield says email is ‘the cockroach of the internet’ and we’ll be living with it for the next 30 years
    http://uk.businessinsider.com/slack-stewart-butterfield-email-is-the-cockroach-of-the-internet-2015-11?r=US&IR=T

    “Email will be the cockroach of the internet,” he said, when asked whether Slack will kill email. “I think we’ve got another 30 or 40 years of email left.”

    The reason email survives — even though everyone seems to hate it — is that “email has many benefits, it’s the lowest common denominator for official communications,” Butterfield said. “But it’s a terrible way to manage internal communications.”

    Reply
  42. Tomi Engdahl says:

    Saying “Wasted” On Facebook Can Affect Your Credit Score
    http://tech.slashdot.org/story/15/11/04/003226/saying-wasted-on-facebook-can-affect-your-credit-score

    According to a recent report by the Financial Times (paywalled), some of the top credit rating companies are now using people’s social media accounts to assess their ability to repay debt. “If you look at how many times a person says ‘wasted’ in their profile, it has some value in predicting whether they’re going to repay their debt,” Will Lansing, chief executive at credit rating company FICO, told the Financial Times. “It’s not much, but it’s more than zero.”

    Reply
  43. Tomi Engdahl says:

    Snowden-approved encrypted chat app lands on Android with incredibly bad timing
    Encryption software faces a tough crowd
    http://www.theinquirer.net/inquirer/news/2433198/snowden-approved-encrypted-chat-app-lands-on-android-with-incredibly-bad-timing

    AN APPLICATION called TextSecure, which was available on iOS and apparently had some sort of appeal for Edward Snowden, has made its way onto Android at a time when Google is about to be told that such stuff is a no-no under a reignited Snoopers’ Charter.

    This is more than a name change, however. The firm behind it, Open Whisper Systems, said in a blog post that it has combined the existing TextSecure and RedPhone systems into one thing called Signal. TextSecure users should enjoy an easy transition through a software update.

    “Today we’ve started rolling out Signal for Android, which unites simple private messaging and simple private calling into a single app on Android.”

    Reply
  44. Tomi Engdahl says:

    Kaspersky kills CoinVault and Bitcryptor ransom threats and frees all the keys
    Cheers Kaspersky – good to know
    http://www.theinquirer.net/inquirer/news/2433180/kaspersky-kills-coinvault-and-bitcryptor-ransom-threats-and-frees-all-the-keys

    SECURITY RESEARCH has found that attacks by gits on gewgaws have increased and that mobile malware is popular in the mean streets of Malicious Town.

    Russian security firm Kaspersky is behind the revelation, and the firm’s IT Threat Evolution Q3 2015 report showed significant increases across the board. All this keeps the firm on its toes and very busy.

    It’s not all bad news, and Kaspersky has claimed scalps on the infamous CoinVault and Bitcryptor ransomware systems. The firm said that things have been shut down and people pinched for their roles. Kaspersky has also released the relevant keys so that locked out users can reunite themselves with their kidnapped content.

    Reply
  45. Tomi Engdahl says:

    What Your Photos Know About You
    http://yro.slashdot.org/story/15/11/03/1725231/what-your-photos-know-about-you

    Sandra Henry-Stocker became curious about how much more complex the jpg format had become since she first did a deep dive into it more than twenty years ago, so she dug into how much information is stored and where. “This information is quite extensive — depending on the digital camera you’re using,” says Henry-Stocker.

    What do your photos know about you?
    http://www.itworld.com/article/2999967/personal-technology/what-do-your-photos-know-about-you.html

    Ever wonder about how much information is stored in your image files beyond the pixels that comprise the images themselves? And what that data might tell about you, your camera, your photographic style, and your location? It just might be a lot more than you ever imagined.

    To begin, all the metadata regarding the photos that we take with our digital cameras and phones are stored in the EXIF (exchangeable image format) data that is incorporated into the jpg (and tiff) photos. This information is quite extensive — depending on the digital camera you’re using, containing detailed information about the photo such as the make and model of the digital camera that was used, whether a flash was used, the focal length, light value, and the shutter speed that was used when it was taken. And, if your phone/camera has geotagging turned on, it will also include the altitude, longitude and latitude of the place where the photo was taken.

    In addition, when I update an image with Gimp, say to crop it or rotate it 90 degrees, Gimp also adds information to the image file.

    Geotagging causes the longitude and latitude to be captured.

    Sometimes, you might want to remove, change, or simply examine this data. For example, if you’re a very serious photographer, you might not want to share all the details of how you made the shot. These might comprise your own kind of “photography trade secret”. Or you might not want anyone to know where you were when a photo was shot or the date and time that it was shot. Or you just might not want the extra data adding bulk to the size of your files. You might also sometimes want to add data — for example, to insert a copyright notice into your image files. All of these things can easily be done with exiftool.

    Reply
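    The article points to exiftool for inspecting and removing this data; the added example below (not from the article, and not exiftool's code) does the two jobs by hand so the structure is visible: walk the JPEG marker segments, find the APP1/Exif segment, follow IFD0 to the GPS sub-IFD, convert the degree/minute/second rationals, and then write the file back without the Exif segment. The JPEG it operates on is constructed inline (SOI, one Exif segment with a GPS IFD, EOI, no image data), and `build_sample_jpeg` is a name chosen here.

```python
"""Read and strip EXIF GPS coordinates from a JPEG in plain Python (added example)."""
import struct

GPS_IFD_POINTER = 0x8825        # IFD0 tag that points at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types


def jpeg_segments(data: bytes):
    """Yield (marker, start, end) for every marker segment after SOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI carries no length field
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                     # SOS: entropy-coded data runs to the end
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data: bytes, start: int) -> bool:
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00"


def parse_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: raw_value_bytes} for one IFD; values over 4 bytes live at an offset."""
    count = struct.unpack_from(endian + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, entry)
        size = TYPE_SIZES[typ] * n
        if size <= 4:
            entries[tag] = tiff[entry + 8:entry + 8 + size]
        else:
            ptr = struct.unpack_from(endian + "I", tiff, entry + 8)[0]
            entries[tag] = tiff[ptr:ptr + size]
    return entries


def _dms(raw: bytes, endian: str, ref: bytes) -> float:
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W ref to signed decimal degrees."""
    v = struct.unpack(endian + "6I", raw)
    deg = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -deg if ref.rstrip(b"\x00") in (b"S", b"W") else deg


def extract_gps(jpeg: bytes):
    """Return (lat, lon) in decimal degrees, or None when no GPS position is stored."""
    for marker, start, end in jpeg_segments(jpeg):
        if not _is_exif(jpeg, start):
            continue
        tiff = jpeg[start + 10:end]                       # TIFF structure after 'Exif\0\0'
        endian = "<" if tiff[:2] == b"II" else ">"
        ifd0 = parse_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = parse_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER])[0], endian)
        if not all(t in gps for t in (1, 2, 3, 4)):       # LatRef, Lat, LonRef, Lon
            return None
        return _dms(gps[2], endian, gps[1]), _dms(gps[4], endian, gps[3])
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Copy every segment except APP1/Exif, which is where the GPS IFD lives."""
    out = bytearray(jpeg[:2])
    for marker, start, end in jpeg_segments(jpeg):
        if not _is_exif(jpeg, start):
            out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg(lat=(60, 10, 12.0), lat_ref=b"N", lon=(24, 56, 18.0), lon_ref=b"E"):
    """Constructed test file: little-endian TIFF, IFD0 -> GPS IFD -> two coordinates."""
    def rationals(d, m, s):
        return struct.pack("<6I", d, 1, m, 1, int(round(s * 100)), 100)

    def entry(tag, typ, n, value):      # value: 4 inline bytes or a packed offset
        return struct.pack("<HHI", tag, typ, n) + value
    ifd0 = struct.pack("<H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack("<I", 26)) + b"\0\0\0\0"
    gps = (struct.pack("<H", 4)
           + entry(1, 2, 2, lat_ref + b"\0\0\0") + entry(2, 5, 3, struct.pack("<I", 80))
           + entry(3, 2, 2, lon_ref + b"\0\0\0") + entry(4, 5, 3, struct.pack("<I", 104))
           + b"\0\0\0\0")
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + rationals(*lat) + rationals(*lon)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

    `strip_exif` removes the whole Exif segment rather than editing the GPS IFD in place, which is the safer default when publishing a photo: camera, lens and timestamp leave with the coordinates. For a real file the same functions apply unchanged (`extract_gps(open("photo.jpg", "rb").read())`), the difference being that the SOS segment then carries the image data through untouched.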
  46. Tomi Engdahl says:

    Why Avast Won’t Show Source Code To the Government, But Others Do
    http://yro.slashdot.org/story/15/11/03/207225/why-avast-wont-show-source-code-to-the-government-but-others-do

    Avast, a security and antivirus company based in Prague, says they refuse to share their source code, and that the U.S. government hasn’t even asked them. This is not necessarily the case for the rest of the industry. Over the summer we learned from a report at The Intercept that GCHQ and the NSA had a project to subvert security software so they could use vulnerabilities and exploits to their own advantage. Antivirus firms McAfee and Symantec were notably absent from the list of targets, and Symantec later confirmed over email that they “permitted source code review in controlled environments to meet government requirements.”

    Why Avast won’t show source code to the government, but others do
    http://www.zdnet.com/article/avast-ceo-snowden-source-code-government-nsa-surveillance/

    Antivirus and security firms that serve enterprise and government customers on occasion disclose their source code to acquire lucrative contracts.

    So it comes as little surprise that Avast was targeted by the US National Security Agency, a revelation which came from one of the documents leaked by whistleblower Edward Snowden. In an effort known as “Project Camberdada,” the US intelligence agency, with help from its British counterpart GCHQ, aimed to subvert and reverse engineer antivirus and security software to find vulnerabilities that would allow the agencies “the highest privileges with just one shot,” according to The Intercept, which first reported the story.

    A total of 22 other foreign companies were on the NSA’s target list, but notably absent was British antivirus provider Sophos and US security firms Symantec and McAfee.

    US companies, including his former employer, would share their data with government agencies to secure long-term contracts.

    Symantec confirmed in an email that it “has permitted source code review in controlled environments to meet government requirements for certain product certifications, such as Common Criteria certification.”

    Giving assurances to one country, and receiving government certification, can harm a security company in another.

    He said US businesses should “think twice” about using Russian security software, just as the Russian government would be “crazy” to use an Israeli hardware, for example.

    “Spy agencies exist to spy,” said Steckler. “There’s nothing inherently wrong with it, you just need to be aware of it.”

    Reply
  47. Tomi Engdahl says:

    How the F.B.I. Can Detain, Render and Threaten Without Risk
    http://www.nytimes.com/2015/11/03/opinion/how-the-fbi-can-detain-render-and-threaten-without-risk.html?_r=1

    Mr. Meshal has fallen into a legal black hole, where the light of justice is extinguished in the name of national security. The appellate court decision means that American citizens have no means available to hold the government accountable for violating their constitutional rights, simply because the United States conveniently denied those rights in another country of its choosing.

    Reply
  48. Tomi Engdahl says:

    F-Secure Revamps Bug Bounty Program
    http://www.securityweek.com/f-secure-relaunches-expands-bug-bounty-program

    Finland-based security solutions provider F-Secure announced this week the launch of a bug bounty program that covers several of the company’s corporate and consumer products.

    F-Secure launched its vulnerability reward program in the spring of 2014 and suspended it in February 2015. The initial program only covered F-Secure Younited storage services.

    The company has now relaunched its bug bounty program and expanded it to include many of the firm’s products. The new program includes consumer products such as F-Secure SAFE, Internet Security, Freedom, and Key, and corporate solutions such as F-Secure Client Security, Server Security, Email and Server Security, Internet Gatekeeper, Linux Security, and Protection Service for Business (PSB) products.

    Experts who find vulnerabilities in these applications can earn between €100 ($110) and €15,000 ($16,500).

    Reply
  49. Tomi Engdahl says:

    TalkTalk: Details of Over 1 Million Users Accessed by Hackers
    http://www.securityweek.com/talktalk-details-over-1-million-users-accessed-hackers

    British telecoms company TalkTalk has published information regarding the details accessed by hackers in the recent data breach, and law enforcement has announced the arrest of a third suspect in the case.

    Shortly after launching an investigation into the incident, TalkTalk attempted to downplay the incident saying that the attackers only breached its website and not its core systems, and that the amount of data exposed is significantly smaller than initially believed.

    The company has now revealed that the hackers gained access to less than 21,000 bank account numbers and sort codes, less than 28,000 credit and debit cards, and less than 15,000 dates of birth. As it stated earlier in the investigation, the payment card numbers compromised in the breach are incomplete (i.e. six middle digits are blanked out), which means fraudsters cannot use the information directly to steal money from bank accounts.

    TalkTalk also reported that the attackers accessed the names, email addresses and phone numbers of less than 1.2 million customers. The data, allegedly obtained by hackers after exploiting a SQL injection vulnerability, has been reportedly sold on cybercrime forums.

    The Metropolitan Police announced over the weekend the arrest of a third suspect in this case, a 20-year-old man from Staffordshire. Investigators had previously arrested a 15-year-old boy from Northern Ireland, and a 16-year-old from Feltham.

    Reply
