Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details from the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As breach reports keep coming up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not-so-well-prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more and more. Thus the security of the Internet of Things will be more and more talked about. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, together with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications to app stores. Within the next year, advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In 2015, government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution, and alternative solutions, have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security, and it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority, backed by big names on the internet including Mozilla, Cisco and Akamai, plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Serious Flaws Found in ATMs of German Bank
http://www.securityweek.com/serious-flaws-found-atms-german-bank
German savings bank Sparkasse has started patching its ATMs and self-service terminals after a researcher discovered that the machines can be tricked into revealing a lot of sensitive information during software updates.
The issue was discovered by Benjamin Kunz-Mejri, CEO and founder of Germany-based security firm Vulnerability Lab. The researcher was using a Sparkasse terminal when the machine suddenly ejected his card, and changed its status to “temporarily not available.”
Interacting with the device caused a Windows command prompt showing details of an update process to appear on the screen. That’s when the researcher realized that the terminal had become temporarily unavailable because it was performing a software update.
Software updates are normally conducted in the background, but as Kunz-Mejri discovered, the progress and details of the update process can be made visible by interacting with the device. The researcher described his interaction with the machine as a “timing attack,” but he did not want to disclose additional details in order to prevent abuse.
When he discovered the vulnerability, Kunz-Mejri recorded a video of the information displayed on the terminal’s command prompt screen. After reviewing the recording, he determined that the update process exposed a lot of sensitive information, including the bank’s main system branch usernames, serial numbers, firewall settings, network information, device IDs, ATM settings, and two system passwords.
The tested devices are manufactured by Wincor Nixdorf, a German company that manufactures, sells, installs and services retail and banking hardware and software. The affected ATMs and self-service terminals are running Windows 7 and Windows XP operating systems, Vulnerability Lab said.
Tomi Engdahl says:
Cyber Boogeyman: Is Your Company Being Stalked by a (Business) Killer?
http://www.securityweek.com/cyber-boogeyman-your-company-being-stalked-business-killer
There’s a word for this kind of stalking and it’s called “doxing.”
Most people have not yet heard of it and fewer are aware of this fast-growing threat’s potential impact.
Perhaps even more troubling, almost no business is at present aware or alert to the dangers doxing poses to their brand and reputation, their networks, their partners, their customer data and much, much more.
It’s too bad cybercrime doesn’t come with theme music.
Doxing sounds complex, but it’s actually very simple. Originating from the word “documents” turned into a hacker-hip verb, it basically means to gather lots of important data about a person into a kind of dossier and dump it on the public Internet. Information such as a person’s phone number, physical and email address, favorite web sites, passwords, MAC and IP addresses for your mobile devices, the gym where they work out, favorite take out restaurants, their spouse’s employer and on and on and on.
Anything and everything that makes you “you” drawn from the footprints you leave at the intersection of your real and wired worlds.
Sometimes people get doxed for revenge. In other cases, it’s just classic identity theft and counterfeiting. Sometimes it’s hacktivists shaming someone for a cause. Sometimes it’s simply to harass; kinda like the old days when your high school nemesis would sign you up for 35 Columbia House record and tape club memberships. Now that’s scary.
Most disturbingly, in what is a fast-growing number of cases today, doxing is now being used for profit. Big profit.
With the liveliness of the dark web illicit markets, doxed information is a valuable cottage industry for those seeking bigger and badder cybercrime. In the market today, that bigger and badder cybercrime involves criminals using this technique to target companies directly and indirectly through their executives and employees, then parlaying that info into a big sale for those who want to further cyber exploit a business.
Undetected, the doxers are then easily able to target your CTO at their personal email address with a single phony email that mimics, say, a LinkedIn login form.
Due to the low standards and high re-use of passwords by most people, the doxers are then able to quickly gain access to both personal and work emails. Before you know it, they’re monitoring communications going on between your CTO and your patent counsel; something that yields a very lucrative set of designs that’s quickly monetized on the dark web.
Tomi Engdahl says:
Making IDS Cool Again
http://www.securityweek.com/making-ids-cool-again
Over the years, intrusion detection systems (IDS) have fallen off the radar for most security organizations. They seem about as relevant to today as pagers. This view is largely tied to the perception that IDS has been subsumed by intrusion prevention systems (IPS), which in turn has been subsumed by next-generation firewalls and UTMs.
This view has been largely confirmed by IDS/IPS vendors who focus almost exclusively on improving their IPS features and treating IDS as a deployment option in their IPS product portfolio.
“Want to detect intrusions? Great! Just deploy our IPS in out-of-band mode!”
Today, the lack of innovation in intrusion detection is coming home to roost. Modern attackers are far more sophisticated and increasingly successful at infiltrating a target network. Intrusions are increasing and harder to detect.
It has become very clear that intrusion detection and intrusion prevention are not simply deployment options of the same technology. They are in fact separate disciplines with unique requirements, goals and roles in the security stack.
Tomi Engdahl says:
To Combat a New Wave of Threats, Get Your Head in the Cloud
http://www.securityweek.com/combat-new-wave-threats-get-your-head-cloud
If you want to tell someone to be more realistic you might say: “Get your head out of the clouds.” But in fact, you have to do the exact opposite if you’re an IT security professional charged with managing security in today’s increasingly cloud-based world.
What you need to do is get your head in the cloud in order to understand a new wave of threats and identify ways to strengthen defenses. I’m not just talking about the benefits of using the cloud for security – unlimited storage capabilities for global threat intelligence and historical data, powerful processing capabilities for security analytics, and the ability to deploy security technologies to even the most remote outposts. You also need to think about how attackers are now banking on the increasing usage of Software as a Service (SaaS) apps and the advent of Shadow IT and resulting Shadow Data (as I discussed previously) to steal valuable digital assets. These attacks often incorporate basic tactics but with a modern twist.
To ensure you understand and can address the main security challenges cloud apps can introduce to your organization, you need additional visibility and context. Start by asking yourself the following questions:
1. Do I know which cloud apps employees are using and how risky they are?
2. Do I know what files and data are exposed through these cloud apps?
3. Can I control the sensitive data shared through cloud-based apps?
4. If an attack happens, can I get to the bottom of it and set policy to prevent future attacks?
The cloud is transformative in its impact to create new business models, enable more effective collaboration, and increase productivity and agility, but it also adds increased risk of malicious or accidental leakage of business-critical data. Only by getting your head in the cloud can you fully understand the risks of each app, control how users share and access data, and combat zero-day malware.
Tomi Engdahl says:
How Carders Can Use eBay as a Virtual ATM
http://krebsonsecurity.com/2015/11/how-carders-can-use-ebay-as-a-virtual-atm/
How do fraudsters “cash out” stolen credit card data? Increasingly, they are selling in-demand but underpriced products on eBay that they don’t yet own. Once the auction is over, the auction fraudster uses stolen credit card data to buy the merchandise from an e-commerce store and have it shipped to the auction winner. Because the auction winners actually get what they bid on and unwittingly pay the fraudster, very often the only party left to dispute the charge is the legitimate cardholder.
So-called “triangulation fraud” — scammers using stolen cards to buy merchandise won at auction by other eBay members — is not a new scam. But it’s a crime that’s getting more sophisticated and automated, at least according to a victim retailer who reached out to KrebsOnSecurity recently after he was walloped in one such fraud scheme.
The victim company — which spoke on condition of anonymity — has a fairly strong e-commerce presence, and is growing rapidly.
The company was hit with over 40 orders across three weeks for products that later traced back to stolen credit card data. The victimized retailer said it was able to stop a few of the fraudulent transactions before the items shipped, but most of the sales were losses that the victim firm had to absorb.
The scheme works like this: An auction fraudster sets up one (or multiple) eBay accounts and sells legitimate products. A customer buys the item from the seller (fraudster) on eBay and the money gets deposited in the fraudster’s PayPal account.
The fraudster then takes the eBay order information to another online retailer which sells the same item, buys the item using stolen credit card data, and has the item shipped to the address of the eBay customer that is expecting the item. The fraudster then walks away with the money.
One reason this scheme is so sneaky is that the eBay customers are happy because they got their product, so they never complain or question the company that sent them the product. For the retailer, the order looks normal: the customer contact info in the order form is partially accurate.
“For the retailer who ships thousands of orders every day, this fraudulent activity really doesn’t raise any red flags,”
Tomi Engdahl says:
The Harsh Truth of the Cybersecurity Talent Gap
http://www.securityweek.com/harsh-truth-cybersecurity-talent-gap
Everyone is talking about the shortage in security talent. Literally, everyone. It’s not for naught though, when you look at the sheer volume of open positions out there. We must have a talent shortage, right?
I believe that somewhere beneath the hype and panic the answer is yes. But there is a harsh truth that very few people are willing to talk about. First and foremost, the talent shortage is largely self-created by an IT industry’s desire to find cheap labor by offshoring work. Second, the people in the current labor pool often are mismanaged, are not in the most appropriate roles and/or are not being supported properly. Let me explain.
Companies wanted to “rent” lowest-cost, expendable resources as they only looked at the short-term cost savings.
The startling realization is that now there was no one to fill those open positions at the mid-level because all the low-level talent wasn’t there to grow. Corporate knowledge was locked up in archaic knowledge management systems or ticketing systems at a third party or worse, it didn’t exist.
So now that the security organizations need those people who have a decade of experience, there are very few to be found. Unfortunately, the push to realize short-term financial goals has created this long-term talent gap issue. Organizations are hoping for a quick fix, but I’m sorry to say that one is not available. It will likely take 8-10 years to grow the right talent and address the current shortage, but it’s going to be painful until then.
So, it turns out that if you manage to find smart people and convince them to join your team for a sum of money that doesn’t break the budget, the harder part comes next. Keeping these people meaningfully employed, that means giving them guidance, a fulfilling role and operational influence is difficult if you have not defined the processes and program for which you plan to hire them.
Tomi Engdahl says:
What’s the Disconnect with Strict Transport Security?
http://www.securityweek.com/whats-disconnect-strict-transport-security
Even the average Joe is starting to understand that encryption is important. If Joe doesn’t use HTTPS, an attacker can see or hijack his browser session. Session hijacking isn’t a theoretical threat: Over 5 years ago (an eternity in the #infosec world), Eric Butler released the Firesheep session hijacking tool and used Facebook as a target example.
Network administrators and architects certainly got the hint. Facebook went all-HTTPS shortly after. So did Twitter. Netflix is even talking about going all-HTTPS. Yay for encryption!
That’s why it’s so puzzling that the adoption rate of HTTP Strict Transport Security (HSTS) remains so low, at only 4.7 percent. HSTS plugs one of the security holes left behind when a site accepts both unencrypted (HTTP) and encrypted (HTTPS) requests.
The HSTS RFC requires that browsers interpret the Strict Transport Security header to mean that from now until “max-age” (usually 6 months or greater in the future) the browser should only use encryption (SSL) when connecting to the site.
This means that as long as Joe has visited the site at least once before and received the HSTS header, he can just type the site name in his browser address bar and the browser will automatically use SSL to protect the session.
Super cool and easy-peasy.
But if it’s so easy, why isn’t HSTS being used?
According to Ivan Ristic’s SSL Pulse database, HSTS adoption has been stuck at less than 5 percent since its inception over three years ago. There may be a few legitimate reasons not to use HSTS but honestly, one would be hard pressed to think of many. Certainly there aren’t enough reasons such that 95 percent of the Internet isn’t using this easy fix.
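The header-to-policy flow the article describes (a browser receives the Strict-Transport-Security header once over HTTPS, then upgrades later plain-HTTP navigations to that host until max-age runs out) as an added Python model. This is example code written for this page, not code from the article or from any browser; the host names and timestamps are constructed, and the `includeSubDomains` and `max-age=0` handling follows RFC 6797.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts_header(value):
    """Parse an HSTS header value into a policy dict, or return None if invalid.

    Directives are ';'-separated and case-insensitive. max-age is required and
    must be a non-negative integer; a directive may appear only once.
    """
    policy = {"max_age": None, "include_subdomains": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # Unknown directives (for example "preload") are ignored, as the RFC requires.
    if policy["max_age"] is None:
        return None
    return policy


class HstsStore:
    """The browser's remembered HSTS hosts: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self):
        self.hosts = {}

    def note_response(self, url, header_value, now=None):
        """Record a policy from a response, but only if it arrived over HTTPS.

        A header seen on plain HTTP is ignored; otherwise an on-path attacker could
        plant or clear entries. max-age=0 removes the host. Returns True on change.
        """
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None or header_value is None:
            return False
        policy = parse_hsts_header(header_value)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            return self.hosts.pop(host, None) is not None
        self.hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known_host(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue  # expired entries are simply no longer honoured
            if i == 0 or include_sub:
                return True
        return False

    def rewrite_url(self, url, now=None):
        """Upgrade http:// to https:// for known hosts; other URLs pass through unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:  # port 80 is dropped, any other port is kept
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The store is empty until the first HTTPS visit delivers the header, which is exactly the window the article's Firesheep-style session hijacking exploits; the preload list (not modelled here) exists to close it.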
Tomi Engdahl says:
Firefox 42 arrives with tracking protection, tab audio indicators, and background link opening on Android
http://venturebeat.com/2015/11/03/firefox-42-arrives-with-tracking-protection-tab-audio-indicators-and-background-link-opening-on-android/
Mozilla today launched Firefox 42 for Windows, Mac, Linux, and Android. Notable additions to the browser include tracking protection, tab audio indicators, and background link opening on Android.
Firefox 42 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play.
Mozilla doesn’t break out the exact numbers for Firefox, though the company does say “half a billion people around the world” use the browser. In other words, it’s a major platform that web developers target — even in a world increasingly dominated by mobile apps.
The new private browsing mode goes further than just not saving your browsing history (read: porn sites) — the added tracking protection means Firefox also blocks website elements (ads, analytics trackers, and social share buttons) that could track you while you’re surfing the web, and it works on all four platforms.
Firefox 42 … answer to the ultimate question of life, security bugs and fully private browsing?
SSL/TLS library flaws found, anti-analytics missiles deployed
http://www.theregister.co.uk/2015/11/04/mozilla_patches_up_firefox_flaws/
Mozilla has released Firefox 42 and Firefox ESR 38 38.4, which include fixes for worrying security vulnerabilities in the web browser.
The November 3 update squashes at least three bugs that can be potentially exploited to achieve remote code execution.
Two Mozilla engineers, Tyson Smith and David Keeler, uncovered two flaws (CVE-2015-7181 and CVE-2015-7182) in NSS, a toolkit used by Firefox to encrypt web traffic over SSL/TLS.
By exploiting “a use-after-poison and buffer overflow in the ASN.1 decoder,” a malicious HTTPS website can potentially inject arbitrary evil code into the connecting browser and execute it, it appears. That seems a particularly neat way to install malware on PCs.
These programming blunders are fixed in NSS versions 3.19.2.1, 3.19.4, and 3.20.1, which are used in Firefox 42 and Firefox ESR 38 38.4.
Other applications that use the open-source toolkit for encrypting internet traffic must be rebuilt with a non-vulnerable version of the libraries, and pushed out to people to install.
The WebRTC and Login Manager components have also been updated and the browser tab view now includes an indicator icon and mute option for pages that automatically play audio.
Tomi Engdahl says:
World’s top Internet companies and telcos rated on protection of users’ digital rights
Google scores best among Internet companies, Facebook way behind.
http://arstechnica.co.uk/tech-policy/2015/11/worlds-top-internet-companies-and-telcos-rated-on-protection-of-users-digital-rights/
The Ranking Digital Rights project has launched its first Corporate Accountability Index, in which 16 leading Internet and telecommunications companies were evaluated on the protection they offered their users’ digital rights. A total of 31 indicators were taken into account, in an attempt to rate each company’s policies and practices that affect users’ freedom of expression and privacy.
For the eight Internet companies and eight telecommunications companies selected, Ranking Digital Rights says that only six companies scored at least 50 percent of the total possible points. The highest score overall was 65 percent, obtained by Google, and nearly half the companies in the Index scored less than 25 percent, “showing a serious deficit of respect for users’ freedom of expression and privacy,” according to the project.
Alongside Google, the other Internet companies were (in order of their ranking): Yahoo (58 percent), Microsoft (56), Twitter (50), the South Korean mobile apps company Kakao (47), Facebook (41)
Although the scores of the companies are essentially arbitrary, they do highlight strengths and weaknesses among the world’s top Internet and telecommunications companies.
Tomi Engdahl says:
GCHQ ‘smart collection’ would protect MPs from spies, says NSA expert
Investigatory Powers tribunal was misled by ‘horsesh*t’
http://www.theregister.co.uk/2015/11/04/gchq_smart_collection_nsa_man_bill_binney/
Protecting members of Parliament from mass surveillance by bulk collection is “exceedingly simple”, according to the US co-inventor of the high technology devices and programs now used by GCHQ to intercept optical fibre cables carrying Internet data in and out of Britain.
Bill Binney, formerly Technical Director of the NSA’s Operations Directorate, dismissed as “absolute horseshit” claims by government lawyers to the Investigatory Powers Tribunal (IPT), reported in an adjudication last month, that “there is so much data flowing along the pipe” that “it isn’t intelligible at the point of interception”.
Green Party MP Caroline Lucas said: “These revelations from an ex-NSA operative are deeply concerning. It would appear that the Government has either willfully misled the public, or they simply don’t have a proper understanding of their own surveillance systems.”
“Selectors are the key. We use selectors to do smart selection and smart collection, to save resources. If you do unconstrained bulk collection, the amount of content is not manageable. We use deselectors to minimize data.”
“Everything that wasn’t wanted wasn’t allowed to pass through and get stored”, he added. “If it wasn’t on your zone of suspicion, you automatically did not take it in,” he added.
“What NSA and GCHQ are supposed to do is vitally important”, Binney added. “I want them to succeed – but they are doing the absolute wrong thing now. They are dooming themselves to failure by bulk acquisition.”
Tomi Engdahl says:
Augmented reality has unexpected problems – intellectual property rights, privacy and physical security
Augmented reality means adding information to human observation, for example through virtual glasses. The best-known augmented reality tools are Google Glass smart glasses and the Microsoft HoloLens system.
Unfortunately, augmented reality also brings with it legal problems, which a University of Washington study examines. Device users collect a lot of information, which undermines security, violates intellectual property rights, harms freedom of expression, constitutes a danger to physical safety, reduces attention to the environment and perhaps makes discrimination against people easier.
Those devices collect information on the user all the time, and saving it and sharing it with third parties are legally problematic.
Displaying the information can be problematic in the sense that it may impair the user’s ability to focus on the environment, which can even cause physical harm. It is not clear who is responsible for accidents.
Source: http://www.tivi.fi/Uutiset/lisatyn-todellisuuden-odottamattomat-ongelmat-tekijanoikeudet-yksityisyys-ja-fyysinen-turvallisuus-6062769
Tomi Engdahl says:
Cybersecurity careers: Where are the women?
http://www.networkworld.com/article/2997885/careers/cybersecurity-careers-where-are-the-women-raytheon.html
Raytheon studies paint pretty ugly picture of millennials in the cybersecurity realm
There is a serious and growing gap between men and women when it comes to choosing a cybersecurity career – then again there’s also a serious disinterest in the field altogether from millennials.
Those were the chief findings of a global study issued by Raytheon (NYSE: RTN) and the National Cyber Security Alliance (NCSA) this week that noted: In the U.S., 74% of young women and 57% of young men said schools did not offer the skills that are needed to pursue a degree in computer sciences.
Key findings from the study include:
Globally, 47% of men say they are aware of the typical range of responsibilities and job tasks involved in the cyber profession, compared to only 33% of women.
In the U.S., 67% of men and 77% of women said no high school or secondary school teacher, guidance or career counselor ever mentioned the idea of a cybersecurity career.
Globally, 62% of men and 75% of women said no secondary or high school computer classes offered the skills to help them pursue a career in cybersecurity.
Globally, 52% of women, compared to 39% of young men, said they felt no cybersecurity programs or activities were available to them.
While many young adults are generally unaware of the field, that does not necessarily mean they have no interest in it. Compared with a year ago, 28% more millennials say they are more likely to choose a career to make the Internet safer for users.
“It’s just woeful that we don’t have anywhere close to the number of women we need in the cyber workforce. Cybersecurity today is masculine, and defense is as well. We want to drive to change that,” said Paul Crichard, head of cyber intelligence for Raytheon UK in a statement.
Tomi Engdahl says:
‘Circle With Disney’ Locks Down Kids’ Devices From Afar
http://www.wired.com/2015/11/circle-with-disney-locks-down-kids-devices-from-afar/
Memory joined the ranks of Kickstarter hopefuls with Circle, a device to help families manage screen time. It didn’t work out. As it turns out, that might have been the best possible outcome.
“Kickstarter was what I like to call a really great failure,” says Circle Media founder Jelani Memory. A failure in that Circle didn’t raise anywhere near its goal funds; really great in that just two years later Memory’s company not only has a product to sell, but a partnership with Disney to bolster it.
Circle with Disney, on sale beginning today for $99, looks a lot like that earlier effort. It’s a small cube that pairs with a local Wi-Fi network to give parents control over what kind of content their kids’ devices can access, and for how long. If Karen’s watching too much YouTube, for instance, you can limit her iPhone to an hour (or more, or less) of videos. You can “pause” Wi-Fi throughout the house for an extended period, and monitor time spent not just online but on which apps and content types.
Trust might seem like an odd word to associate with a product that sounds so distinctly Big Brother. It is. But maybe it’s better to think of Circle with Disney as Big Parent.
About that trickery; Circle with Disney also takes an unconventional route to what might sound like a familiar destination.
As for routers, they’re simply not worth the trouble. “One of the decisions we made really early on was not to be the router,” says Memory. “People treat their routers like they treat their water heaters; they don’t want to touch it unless it’s broken, and if it’s broken, they’re really frustrated.”
Instead, Circle with Disney takes an entirely different hardware approach, one that’s simple to set up and to manage from an app.
“We leverage a tactical thing called ARP spoofing,” Memory explains, a technique by which Circle with Disney intercepts and inspects network packets sent from connected devices, and has the ability to grant or deny permission. That’s what allows for such fine-tuned control.
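The ARP-spoofing approach Memory describes above puts a box in the path of every packet on the LAN, and from the network’s point of view it looks exactly like a hostile man-in-the-middle. As an added example, not code from the article or from Circle Media, the Python monitor below detects that pattern on a Linux host: it pins the gateway’s MAC, takes a baseline from constructed `ip neigh show` output, and flags pinned-MAC mismatches, unsolicited replies, IP-to-MAC changes and a single MAC answering for several IPs. All addresses and table lines are constructed.

```python
"""Detecting ARP-based interception on a LAN (added example)."""
from collections import defaultdict

# Constructed sample of `ip neigh show` output (Linux neighbour table).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:14 STALE
192.168.1.30 dev wlan0 lladdr aa:bb:cc:00:00:1e REACHABLE
192.168.1.99 dev wlan0 FAILED
"""

# Constructed ARP replies seen later: an interception box (de:ad:be:ef:00:99)
# announces itself as the gateway and as host .20. Tuples are (ip, mac, solicited).
SPOOFED_REPLIES = [
    ("192.168.1.1", "de:ad:be:ef:00:99", False),
    ("192.168.1.20", "de:ad:be:ef:00:99", False),
]


def parse_ip_neigh(text):
    """Yield (ip, mac) pairs from `ip neigh show` output, skipping entries without a MAC."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue                      # FAILED / INCOMPLETE rows carry no address
        yield fields[0], fields[fields.index("lladdr") + 1].lower()


class ArpMonitor:
    """Tracks IP<->MAC claims and raises alerts on the patterns ARP spoofing produces."""

    def __init__(self, pinned=None, max_ips_per_mac=1):
        # Hosts whose MAC we know a priori (the gateway, DNS server, ...).
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        # A legitimate host normally answers for one IP; hosts with aliases need a higher cap.
        self.max_ips_per_mac = max_ips_per_mac
        self.ip_to_macs = defaultdict(set)
        self.mac_to_ips = defaultdict(set)

    def observe(self, ip, mac, solicited=True):
        """Process one ARP reply and return the alerts it triggers (empty if none)."""
        mac = mac.lower()
        alerts = []
        if ip in self.pinned and self.pinned[ip] != mac:
            alerts.append(f"{ip}: reply from {mac} but pinned MAC is {self.pinned[ip]}")
        if not solicited:
            # Gratuitous replies are how a spoofer poisons caches without being asked.
            alerts.append(f"{ip}: unsolicited (gratuitous) reply from {mac}")
        seen = self.ip_to_macs[ip]
        if seen and mac not in seen:
            alerts.append(f"{ip}: MAC changed to {mac} (previously {sorted(seen)})")
        seen.add(mac)
        claimed = self.mac_to_ips[mac]
        claimed.add(ip)
        if len(claimed) > self.max_ips_per_mac:
            alerts.append(f"{mac}: answering for {len(claimed)} IPs {sorted(claimed)}")
        return alerts


def ingest_neigh_table(monitor, text):
    """Feed a neighbour-table snapshot into the monitor as solicited replies; return alerts."""
    alerts = []
    for ip, mac in parse_ip_neigh(text):
        alerts.extend(monitor.observe(ip, mac))
    return alerts


def scan_replies(monitor, replies):
    """Feed observed ARP replies given as (ip, mac, solicited) tuples; return all alerts."""
    alerts = []
    for ip, mac, solicited in replies:
        alerts.extend(monitor.observe(ip, mac, solicited))
    return alerts


if __name__ == "__main__":
    mon = ArpMonitor(pinned={"192.168.1.1": "aa:bb:cc:00:00:01"})
    print("baseline alerts:", ingest_neigh_table(mon, SAMPLE_NEIGH))
    for alert in scan_replies(mon, SPOOFED_REPLIES):
        print("ALERT", alert)
```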
Tomi Engdahl says:
US, UK big banks to simulate mega-hacker cyber-attack
Worried insurers and others don’t bother with securo probes
http://www.theregister.co.uk/2015/11/05/banks_to_face_cyber_security_test_this_month/
A mock exercise will take place this month to test how major banks respond to a major cyber attack, according to a newspaper report.
The joint UK and US initiative, Operation Resilient Shield, will be “the most sophisticated test … yet” of the way industry communicates and coordinates its efforts in response to cyber security incidents, the Telegraph reported.
The exercise has been in planning for months. The UK and US announced their intention to participate in a joint cyber security exercise in the financial services sector in January.
Previous cyber security exercises have been coordinated by the Bank in the UK.
Last year the Financial Policy Committee (FPC) at the Bank said that cyber security is not just a technical issue that the board of directors at UK banks can ignore.
Tomi Engdahl says:
UK cyber-spy law takes Snowden’s revelations of mass surveillance – and sets them in stone
‘You can’t just uninvent encryption’
http://www.theregister.co.uk/2015/11/05/ipb_reaction/
The encryption bothering parts of the UK’s Investigatory Powers Bill have left IT security experts flabbergasted.
Introducing the draft internet surveillance law in the House of Commons on Wednesday, Home Secretary Theresa May presented it as consolidating and updating existing investigatory powers. She spun it as a break from measures in the ultimately unsuccessful Communications Data Bill of 2012, adding “it will not ban encryption or do anything to undermine the security of people’s data.” The reality is far more complex and less reassuring than this bland assurance might suggest.
“RIPA requires CSPs [communications service providers] to provide communications data when served with a notice, to assist in giving effect to interception warrants, and to maintain permanent interception capabilities, including maintaining the ability to remove any encryption applied by the CSP to whom the notice relates.”
Look, ma – no backdoors! (Because they won’t be called that)
Truly secure end-to-end crypto systems allow only the two people chatting to decrypt each other’s messages, calls or other information exchanged. The app makers, network providers and any eavesdroppers along the line have no hope of cracking the ciphered bytes if intercepted.
One way to do this is to use the Diffie-Hellman protocol, which allows two people to create a shared secret known only to them using prime-number maths.
There are all sorts of end-to-end encrypted communications available now, especially in the wake of the Edward Snowden revelations of NSA-GCHQ mass surveillance, but it’s the main providers the UK authorities are interested in, we hear.
That focus on the mainstream – Facebook-owned WhatsApp and Apple – may spark an exodus to software perceived as being beyond the radar of the UK authorities. Make sure whatever code you decide to use is verified and trusted to work as advertised.
Implementation flaws (such as weak keys or bugs in the programming) and slip ups by users (such as accidentally leaking private keys) are enough to break cryptographic systems. “The true security in ‘end-to-end’ encryption depends on how it’s implemented and how it is used. Key generation, management, forward secrecy all matter,” Professor Alan Woodward of the University of Surrey noted on Twitter.
What the security agencies really want is a backdoor in the cryptography: a way to forcibly decrypt messages and calls. Mathematically, it’s not possible to build such a system in a secure way. If the snoops can flick a switch and defeat the encryption, so can anyone else, in theory. Criminals, bored teenagers, you name it; everyone loses.
Critics charge that the UK government is trying to effectively ban secure cryptography, a suggestion ministers deny. Despite this, sections of the bill suggest that communications providers operating in the UK may be ordered to “provide technical assistance” and remove electronic protections, possibly under a gagging order along the lines of a US National Security Letter.
The UK government wants to promote the use of good crypto to further its established goal of making the UK the best place in the world to do e-commerce. Alongside this, GCHQ and MI5 still want to be able to decrypt communications and identify suspects in terrorist plots, child abuse, and other serious crimes.
Tomi Engdahl says:
Encrypt voice calls, says UK Gov’s CESG … using CESG encryption
Snooping left hand, meet keen-on-crypto right hand
http://www.theregister.co.uk/2015/11/05/cryptography_is_bad_iandi_good_says_govuk/
While the world was distracted by the Cameron government’s ban-cryptography log-everything Investigatory Powers Bill, the civil service was urging government and enterprises to adopt better cryptography for voice calls.
CESG, “the Information Security arm of GCHQ, and the National Technical Authority for Information Assurance”, dropped new guidance (called Secure voice at OFFICIAL) about protecting voice calls, noting that the PSTN has been considered insecure (“suitable for UNCLASSIFIED calls only”) for some years.
It’s even got its very own nifty key exchange protocol it wants vendors to use.
Having decided in 2010 there wasn’t a security protocol that it liked, it put forward RFC 6509 (“MIKEY-SAKKE” – more on this in a minute) as its own proposal.
MIKEY-SAKKE is now incorporated into the CESG’s Secure Chorus product spec, and the body says as well as Cryptify Call for iOS and Android it’s evaluating other products to see if they meet the spec.
Into the future, the spooks reckon VoLTE will open things up even further, creating an ecosystem of products suitable for “government and enterprise customers”.
A good question is “why did CESG think the world needed a new key exchange protocol?”, and El Reg is practically certain that question will exercise Snowdenistas around the world.
The surface explanation is that encrypting VoIP calls adds a new wrinkle to encryption, compared to e-mail, Web, or VPNs communications.
Tomi Engdahl says:
Strengthening Diffie-Hellman in SSH and TLS
http://www.linuxjournal.com/content/strengthening-diffie-hellman-ssh-and-tls
Conjecture on cracked primes for the Diffie-Hellman asymmetric algorithm is in recent news, suggesting that several nations have broken primes in common use and can read all traffic.
To protect ssh, edit the file
To protect TLS for HTTPS, compute your own Diffie-Hellman primes like so
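The Diffie-Hellman exchange mentioned in the Investigatory Powers Bill comment above and the “compute your own primes” advice in this Linux Journal item come down to the same point: the shared secret is only as strong as the group (p, g) it is computed in. As an added Python example, not code from either article, the block below implements the exchange end to end, checks a proposed group the way an administrator should before trusting it (size, primality, safe-prime structure, generator and peer-value range), and generates a fresh safe prime for testing. The toy group p = 47, g = 5 and the 64-bit prime are illustration only; the 2048-bit floor in `check_dh_group` is the policy a practitioner would actually enforce.

```python
"""Diffie-Hellman key agreement with group-parameter checks (added example)."""
import secrets
from hashlib import sha256

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test: False means composite, True means prime with high probability."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:                 # write n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def check_dh_group(p, g, min_bits=2048):
    """Return the problems found with group (p, g); an empty list means it passes."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"modulus is only {p.bit_length()} bits; want at least {min_bits}")
    if not is_probable_prime(p):
        problems.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        # For a safe prime p = 2q + 1 every g in (1, p-1) has order q or 2q,
        # so no small subgroup exists for a peer to push the exchange into.
        problems.append("modulus is not a safe prime")
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    return problems


def generate_safe_prime(bits):
    """Generate a safe prime p = 2q + 1 with exactly `bits` bits.

    Pure Python is fine for test sizes; for production sizes use a dedicated
    tool such as `openssl dhparam`, then run the result through check_dh_group.
    """
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, top bit set
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def dh_keypair(p, g):
    """Return (private exponent, public value) for group (p, g)."""
    while True:
        x = secrets.randbelow(p - 3) + 2              # private x in [2, p-2]
        y = pow(g, x, p)
        if 1 < y < p - 1:                             # never publish a degenerate value
            return x, y


def dh_shared_key(p, peer_public, own_private):
    """Validate the peer's public value, then derive a symmetric key from g^(xy) mod p."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value is degenerate (1 or p-1) or out of range")
    secret = pow(peer_public, own_private, p)
    return sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def demo_exchange(p, g):
    """Run one exchange and return True if both sides derive the same key."""
    xa, ya = dh_keypair(p, g)
    xb, yb = dh_keypair(p, g)
    return dh_shared_key(p, yb, xa) == dh_shared_key(p, ya, xb)


if __name__ == "__main__":
    print("toy group against 2048-bit policy:", check_dh_group(47, 5))
    print("toy group, relaxed policy:", check_dh_group(47, 5, min_bits=6))
    print("composite modulus:", check_dh_group(221, 2, min_bits=8))
    print("keys agree:", demo_exchange(47, 5))
    fresh = generate_safe_prime(64)
    print("fresh 64-bit safe prime passes checks:", check_dh_group(fresh, 2, min_bits=64) == [])
```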
Tomi Engdahl says:
Emerging technologies and the future of humanity
http://bos.sagepub.com/content/71/6/29.full
Emerging technologies are not the danger. Failure of human imagination, optimism, energy, and creativity is the danger.
Why the future doesn’t need us: Our most powerful 21st-century technologies—robotics, genetic engineering, and nanotech—are threatening to make humans an endangered species. —Bill Joy, co-founder and at the time chief scientist, Sun Microsystems, 2000
Although it was not clear at the time, Bill Joy’s article warning of the dangers of emerging technologies was to spawn a veritable “dystopia industry.” More recent contributions have tended to focus on artificial intelligence, or AI; electric car and space technology entrepreneur Elon Musk has warned that AI is “summoning the demon” (Mack, 2015), while physicist Stephen Hawking has argued that “the development of full artificial intelligence could spell the end of the human race” (Cellan-Jones, 2014). The Future of Life Institute (2015) recently released an open letter signed by many scientific and research notables urging a ban on “offensive autonomous weapons beyond meaningful human control.” Meanwhile, the UN holds conferences and European activists mount campaigns against what they characterize as “killer robots” (see, e.g., Human Rights Watch, 2012). Headlines reinforce a sense of existential crisis; in the military and security domain, cyber conflict runs rampant, with hackers accessing millions of US personnel records, including sensitive security clearance documents. Technologies such as uncrewed aerial vehicles, commonly referred to as “drones,” are highly contentious in both civil and conflict environments, for many different reasons. A recent US Army Research Laboratory report foresees genetically and technologically enhanced soldiers networked with their battlespace robotic partners and remarks that “the presence of super humans on the battlefield in the 2050 timeframe is highly likely because the various components needed to enable this development already exist and are undergoing rapid evolution” (Kott et al., 2015: 19).
Tomi Engdahl says:
Can the Cloud Be More Secure Than Your Own Servers? (Video)
http://it.slashdot.org/story/15/11/04/1746211/can-the-cloud-be-more-secure-than-your-own-servers-video?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Sarah Lahav, CEO of Sysaid, believes “the cloud” can be more secure than keeping your software and data behind your firewall and administering it yourself, especially for small and medium-sized firms. Why? Because Amazon, Rackspace, and other major cloud and SaaS providers probably have lots more security experts and other IT people at their command than you do.
Tomi Engdahl says:
TSA Screeners Can’t Detect Weapons (and They Never Could)
http://it.slashdot.org/story/15/11/04/1647204/tsa-screeners-cant-detect-weapons-and-they-never-could
TSA screeners’ ability to detect weapons in luggage is “pitiful,” according to classified reports on the security administration’s ongoing story of failure and fear. “In looking at the number of times people got through with guns or bombs in these covert testing exercises it really was pathetic. When I say that I mean pitiful,”
TSA airport screeners’ ability to detect weapons declared “pitiful”
Security measures under “full system review.” Agency considering using dogs.
http://arstechnica.com/tech-policy/2015/11/tsa-airport-screeners-ability-to-detect-weapons-declared-pitiful/
US lawmakers and federal watchdogs on Tuesday derided the Transportation Security Administration’s ability, or lack thereof, to adequately detect weapons and other contraband during the passenger screening process at the nation’s airports.
Auditors from the Inspector General’s Office, posing as travelers, discovered enormous loopholes in the TSA’s screening process. A leaked classified report this summer found that as much as 95 percent of contraband, like weapons and explosives, got through during clandestine testings. Lynch’s comments were in response to the classified report’s findings.
“The failures included failures in the technology, failures in TSA procedures, and human error,” Inspector General John Roth told (PDF) the committee. “We found layers of security simply missing.”
“The day you think you get the screening process, the security process, right is the day you will be defeated,” Neffenger said.
Tomi Engdahl says:
Nine Out of Ten of the Internet’s Top Websites Are Leaking Your Data
http://yro.slashdot.org/story/15/11/04/2059230/nine-out-of-ten-of-the-internets-top-websites-are-leaking-your-data
The vast majority of websites you visit are sending your data to third-party sources, usually without your permission or knowledge. That’s not exactly breaking news, but the sheer scale and ubiquity of that leakage might be.
“Findings indicate that nearly 9 in 10 websites leak user data to parties of which the user is likely unaware.”
Nine Out of Ten of the Internet’s Top Websites Are Leaking Your Data
http://motherboard.vice.com/en_uk/read/9-out-of-10-of-the-internets-top-websites-are-leaking-your-data
The vast majority of websites you visit are sending your data to third-party sources, usually without your permission or knowledge. That’s not exactly breaking news, but the sheer scale and ubiquity of that leakage might be.
Tim Libert, a privacy researcher with the University of Pennsylvania, has published new peer-reviewed research that sought to quantify all the “privacy compromising mechanisms” on the one million most popular websites worldwide. His conclusion? “Findings indicate that nearly 9 in 10 websites leak user data to parties of which the user is likely unaware.”
Libert used his own open source software called webXray—the same program he’s used in the past to analyze trackers installed on health and porn websites—and he found that not only were most siphoning user data, they were sharing it all over the place.
“Sites that leak user data contact an average of nine external domains,” he wrote in the new paper, published in the International Journal of Communication, “indicating that users may be tracked by multiple entities in tandem.”
Tomi Engdahl says:
Many US enterprises still running XcodeGhost-infected Apple apps, FireEye says
http://www.csoonline.com/article/3000890/data-protection/many-us-enterprises-still-running-xcodeghost-infected-apple-apps-fireeye-says.html
A new version of XcodeGhost has also appeared that tries to defeat defenses built into iOS 9
Dozens of U.S. enterprises are still using Apple mobile apps seeded with malware for a clever hacking scheme revealed last month known as XcodeGhost.
The computer security firm FireEye said Tuesday it has detected 210 enterprises that are still using infected apps, showing that the XcodeGhost malware “is a persistent security risk,” according to a blog post.
Last month, more than 4,000 applications were found to have been modified with a counterfeit version of Xcode, which is an application development tool from Apple.
XcodeGhost S: A New Breed Hits the US
https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html
Just over a month ago, iOS users were warned of the threat to their devices by the XcodeGhost malware. Apple quickly reacted, taking down infected apps from the App Store and releasing new security features to stop malicious activities. Through continuous monitoring of our customers’ networks, FireEye researchers have found that, despite the quick response, the threat of XcodeGhost has maintained persistence and been modified.
More specifically, we found that:
XcodeGhost has entered into U.S. enterprises and is a persistent security risk
Its botnet is still partially active
A variant we call XcodeGhost S reveals more advanced samples went undetected
Tomi Engdahl says:
8 of the most unsettling things you’ll find on the darknet
http://www.itworld.com/article/2978329/security/8-of-the-most-unsettling-things-youll-find-on-the-darknet.html
Tomi Engdahl says:
Feds have plan in case we are hit with catastrophic solar flares
http://www.digitaljournal.com/science/white-house-prepares-six-step-plan-for-catastrophic-solar-flares/article/448073
We take the nation’s power grid for granted. But what would happen if the power went out all over the country, or all over the world? This scenario has resulted in the White House coming out with a contingency plan if a massive solar flare hits.
Most of us are familiar with the devastation caused by hurricanes, earthquakes, and even droughts. But there is one natural phenomenon that could devastate our technology-driven society, and that is space weather.
We hear and read about electromagnetic pulses (EMPs), solar flares and coronal mass ejections (CMEs). As a matter of fact, an intense solar flare disrupted low-frequency radio wave communications over South America and the Atlantic Ocean on September 28 this year.
And in October 2014, Digital Journal reported on an X-Class event, the most powerful kind of solar flare.
Space weather scientists are kept busy watching the sun
Space weather scientists with the National Oceanic Atmospheric Administration (NOAA) and NASA have warned for years that if a massive solar storm were to hit the earth, the effects would be beyond catastrophic. An EMP would take down electrical grids, quite possibly on a global scale, and it could last for months and months.
Think about this, no satellites, no telecommunications capabilities, no refrigeration, no airlines, no water and no food supply line. Why? Because almost everything we use or rely on is partially or fully dependent on electricity. It can be a frightening scenario to contemplate. “Frankly,” space weather consultant John Kappenman told Gizmodo last month, “this could be one of the most severe natural disasters that the country, and major portions of the world, could face.”
A web of interdependencies makes the modern economy especially sensitive to solar storms.
Tomi Engdahl says:
Dave Maass / Electronic Frontier Foundation:
California cops are using biometric devices for digital fingerprinting, facial and tattoo recognition, in the field
California Cops Are Using These Biometric Gadgets in the Field
https://www.eff.org/deeplinks/2015/11/how-california-cops-use-mobile-biometric-tech-field
Mobile biometric technology includes mobile devices and apps that police use to capture and analyze a person’s physical features in the field and submit that information to a central database for matching. Ostensibly, police deploy this technology as a means to confirm the identity of someone during a stop. However, the technology can be used to capture people’s biometric data and add it to biometric databases, regardless of whether their identity is in question.
Of those that did respond, most employed a digital fingerprinting device. Facial recognition has also been widely embraced among agencies in San Diego County, with Santa Clara County law enforcement agencies close behind. In addition, the Los Angeles Sheriff’s Department’s biometrics system includes tattoo recognition, while the Orange County Sheriff’s Department is also investigating iris recognition.
Tomi Engdahl says:
Fake IT admin tricked Cox rep into handing over customer database – cableco fined $600k
Shocked outfoxed Cox docked
http://www.theregister.co.uk/2015/11/06/fcc_cox_data_breach/
US broadband watchdog the FCC has fined Cox Communications $595,000 (£391,000, AU$832,000) after a Lizard Squad hacker swiped its customer records.
The FCC announced the punishment on Thursday, ending an investigation into the 2014 security breach. The fine is the first such penalty the FCC has dished out against a US cable operator.
The regulator said Cox failed to provide adequate security for its customer database, and then failed to notify the commission when the intrusion was discovered.
“Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said Travis LeBlanc, FCC enforcement bureau chief.
“This investigation shows the real harm that can be done by a digital identity thief with enough information to change your passwords, lock you out of your own accounts, post your personal data on the web, and harass you through social media.”
In addition to paying the FCC nearly $600,000, Cox has agreed to implement a stricter security program including regular testing, audits, and monitoring of customer data.
Tomi Engdahl says:
OmniRAT malware scurrying into Android, PC, Mac, Linux systems
Leverages Stagefright scare for installs
http://www.theregister.co.uk/2015/11/06/omnirat_malware_android_poc_mac_linux/
As police across Europe crack down on the use of the DroidJack malware, a similar software nasty has emerged that can control not just Android, but also Windows, Mac, and Linux systems and is being sold openly at a fraction of the cost.
The remote-control tool, detected by security firm Avast, is called OmniRAT and appears to be of German origin. The seller promises that the “remote administration tool” can operate on Android smartphones but also allow full control of Windows systems and some control of OS X and Unix computers after installation.
Avast investigated an incident of the code being used in Germany, where the victim received a text message that claimed to be unable to show an image because of Android’s now-patched Stagefright bug. In order to view the image, the victim was asked to download an app to do so.
Tomi Engdahl says:
Facebook CTO: Clear legal grounds needed for EU-US data exports
New law means no more data centres for social giant
http://www.theregister.co.uk/2015/11/06/facebook_cto_on_safe_harbor/
A European Court last month threw data-sharing with the US into a thicket by tearing up the so-called safe harbor agreement.
The catalyst for that was Facebook – or, rather Austrian Max Schrems, who’d accused Facebook of illegally analyzing user data, tracking users on third-party pages and participating in the US National Security Agency’s spying program.
Ireland’s ICO washed their hands of the case, so Schrems went to Brussels.
Safe harbor was the equivalent of Schengen-style, passport-free, frictionless travel across the EU, but for data.
Under European law, personal information on EU citizens must stay within the Continent for privacy reasons. Safe harbor let data go outside the EU, to the US, on a promise to keep people’s data secure.
The scrapping of safe harbor threw at least some observers into chaos: it’s the end of data sharing, it’ll be the start of a data-centre tidal-wave building boom, thought many.
The truth lies somewhere in between, with US firms falling back on Model Clauses, template agreements written by the Commission that let firms in members states continue to send data to countries outside the EU lacking “adequate levels” of protection.
Tomi Engdahl says:
First Remote-Access Trojan That Can Target Android, Linux, Mac and Windows
http://apple.slashdot.org/story/15/11/05/1750257/first-remote-access-trojan-that-can-target-android-linux-mac-and-windows
Hackers have put on sale OmniRAT, a remote access trojan that can target Androids, Linux, Mac, and Windows PCs. The tool costs $25-$50, which is only a fraction of $200-$300, the price of DroidJack, another Android RAT.
Avast is currently reporting that the RAT was used this summer in Germany, spread to victims via SMS messages.
DroidJack isn’t the only spying software out there: Avast discovers that OmniRat is currently being used and spread by criminals to gain full remote control of devices.
https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-control-of-devices/
Tomi Engdahl says:
Crypto-Ransomware Encrypts Files “Offline”
http://it.slashdot.org/story/15/11/05/2053211/crypto-ransomware-encrypts-files-offline
Ransomware comes in various forms, and not all ransomware encrypts files — some just block computers until the ransom is paid. When the file encryption feature is included, the encryption key is usually sent to the malware’s C&C server, which is controlled by the crooks — but not always.
Crypto-ransomware encrypts files “offline”
http://www.net-security.org/malware_news.php?id=3143
Check Point researchers have recently analyzed a crypto-ransomware sample that demonstrated an alternative method of encrypting files and delivering the key (i.e., the information required to discover the right key) to the criminal behind the scheme.
This particular piece of ransomware is not new. It was first spotted in June 2014. Its evolution is continuous, as the author comes up with a newer version every two months or so.
It seems to have been written by a Russian author, and is currently directed at Russian targets.
Once downloaded and run on the machine, the ransomware encrypts all personal files and renames them.
It doesn’t need to contact a C&C to receive an encryption key or to send it to the crook.
“The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine. The remainder of each file (if it exists) is encrypted using an RSA public key (‘local’) that is randomly generated on the infected machine, along with the matching local RSA private key required for decryption of the data,” the researchers explained.
“The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and are then encrypted using three hardcoded RSA 768 public keys that the offender created in advance (‘remote’). The matching remote RSA private keys required to unlock the metadata are located on the attacker’s side.”
When the criminal asks the victims to contact him via email, he also asks them to send in one encrypted file. He extracts the encrypted metadata from the file, uses his remote RSA private keys to decrypt it, and this gives him the buffers and local RSA private key needed by the victims to decrypt the file(s).
Tomi Engdahl says:
“Unsecured Memory Card” Prompts Election Fraud Investigation In Georgia
http://politics.slashdot.org/story/15/11/05/2232218/unsecured-memory-card-prompts-election-fraud-investigation-in-georgia?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
On Tuesday, there was an election in DeKalb County, Georgia. An area of the county known as LaVista Hills voted on a referendum on whether they should incorporate into a brand-new city or whether they should remain an unincorporated part of the county. The referendum failed by a mere 136 votes, less than 1 percent of all votes cast.
The second in command at DeKalb County’s office of elections is now alleging there were very serious irregularities regarding the LaVista Hills cityhood vote. Piazza says voters were turned away at their polling places, voter material wasn’t properly secured, and that “there was a memory card that collects citizen votes loose in the office.”
DeKalb County’s LaVista Hills election investigated for tampering
http://www.ajc.com/news/news/dekalb-countys-lavista-hills-election-investigated/npG8k/
Piazza says some voters were turned away at their polling place, and voter material wasn’t properly secured.
He also told Channel 2 there was a memory card that collects citizen votes loose in the office.
The election could be invalidated if a judge finds misconduct, fraud or irregularities that could change the result, according to Georgia law.
Tomi Engdahl says:
Jacob Kastrenakes / The Verge:
Luma’s new router system gives homeowners network activity tracking and better WiFi coverage; preorders start at half-price for $99, shipping expected in spring
This new router lets you spy on what everyone in the house is doing
http://www.theverge.com/2015/11/5/9674264/luma-router-announced-multiroom-wifi-parental-controls
Setting up Wi-Fi in your home has never really changed. You buy one router, hope it reaches every corner of your home, and then react in frustration when it doesn’t. Businesses have always had a solution to this problem — putting multiple Wi-Fi access points throughout a large space — and now some startups are trying to bring that approach to the home. The latest is Luma, a new router system that’s supposed to make it easy to fill a home with strong Wi-Fi and provide a homeowner with much more control over what happens on their network.
The Wi-Fi part is straightforward. You can buy just a single Luma router, but you’re expected to buy several of them at once — they’re sold in a three pack — and place them throughout your home. Once they’re set up, the routers will all form a single network, so you’ll only have to connect once, even as you move throughout the house; the routers can even take care of moving you between 5GHz and 2.4GHz networks.
But that’s where the basics of Luma stop and the more interesting — and invasive — aspects begin. Unlike typical routers that have bewildering settings pages, Luma can be managed entirely through a simple companion app. And that companion app is able to do quite a few other things, including show what devices are connected to the network and what those devices are doing. That means showing everything from what servers your smart thermostat is connecting with to the exact websites that people in your house are viewing (it cannot, however, show the specific content; so you may see that someone is viewing Facebook, but you won’t see their private messages).
Luma’s activity tracking is meant for monitoring children: a content filter is included that allows you to lock certain users into viewing sites that are rated G, PG, PG-13, and so on; requests to bypass the filter can be sent on a site-by-site basis after they’ve been blocked, and a chat window can be activated to let parents discuss it.
Where it gets more problematic is that you can only sort of turn this off. Luma’s activity tracking isn’t a niche feature — it’s front and center on the app, with everyone’s activity and snapshots of the sites they visit presented like an Instagram feed. The network’s administrator can tell Luma to hide certain users’ activity, so it won’t be displayed, but there’s no way to lock that setting in.
It’s all impressive tech, but it’s clear that Luma’s business-style approach to home network management can go a bit too far. (Luma comes from a team that’s created and sold several other startups involving business network security.)
https://getluma.com/
Tomi Engdahl says:
Android App Mutates Source Code, Spreads Virally and Enables Mesh Networks
http://it.slashdot.org/story/15/11/05/2328241/android-app-mutates-source-code-spreads-virally-and-enables-mesh-networks
Researchers from the Delft University of Technology have developed a self-replicating, mutating Android app which can create on-the-fly mesh networks in the event of an infrastructural disaster, or the enabling of internet kill switches by oppressive regimes.
The app’s source is available at GitHub
https://github.com/Tribler/self-compile-Android
The self-replicating smartphone app that’s ready for the apocalypse – and the censors
https://thestack.com/world/2015/11/05/the-self-replicating-smartphone-app-thats-ready-for-the-apocalypse-and-the-censors/
Researchers from the Netherlands are working on a communications app so resilient that it can survive communications and power outages, natural disasters, and can self-replicate, mutate and spread virally between clusters of mobile phones, eventually across all mobile OSes.
In the paper Autonomous smartphone apps: self-compilation, mutation, and viral spreading [PDF], lead Paul Brusee and co-researcher Johan Pouwelse detail the development of a smart phone tool so resilient that it can compile itself, enabling a daisy-chained mesh network of smartphones which in effect act collectively as cell towers – which might themselves either have been destroyed by earthquakes or other disasters, or else have been turned off, monitored or interfered with by governments concerned about civilian aggregation.
The app replicates within the Android OS at the moment, though future work is anticipated to enable it to spread as easily between iOS and Windows phones, since it does not require root access in order to reproduce, and is not intended to be spread via stores such as Google Play or other centralised app repositories.
The act of transmission can involve a complete change of identity when communicated between Android devices via Android Beam or side-loading. During the process of replication the app, effectively a polymorphic computer virus in terms of social behaviour, may transform from a game to a calculator
The mesh network created depends on either WiFi or Bluetooth, and facilitates the diffusion of information until at least one point in the mesh reaches the ‘outside world’.
Autonomous smartphone apps: self-compilation, mutation, and viral spreading
http://arxiv.org/pdf/1511.00444v2.pdf
Tomi Engdahl says:
Stegosploit: Owned by a JPG
http://hackaday.com/2015/11/06/stegosploit-owned-by-a-jpg/
Stegosploit isn’t really an exploit, so much as it’s a means of delivering exploits to browsers by hiding them in pictures. Why? Because nobody expects a picture to contain executable code.
The code is delivered steganographically by spreading the bits of the characters that represent the code among the least-significant bits in either a JPG or PNG image.
OK, so the exploit code is hidden in the picture. Reading it out is actually simple: the HTML canvas element has a built-in getImageData() method that reads the (numeric) value of a given pixel.
And here’s the coup de grâce. By packing HTML and JavaScript into the header data of the image file, you can end up with a valid image (JPG or PNG) file that will nonetheless be interpreted as HTML by a browser. The simplest way to do this is send your file myPic.JPG from the webserver with a Content-Type: text/html HTTP header. Even though it’s a totally valid image file, with an image file extension, a browser will treat it as HTML, render the page and run the script it finds within.
The end result of this is a single image that the browser thinks is HTML with JavaScript inside it, which displays the image in question and at the same time unpacks the exploit code that’s hidden in the shadows of the image and runs that as well. You’re owned by a single image file! And everything looks normal.
Exploit Delivery via Steganography and Polyglots
http://stegosploit.info/
Stegosploit creates a new way to encode “drive-by” browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery – Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded.
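The polyglot described above works because the server declares an image file as text/html and because the HTML/JavaScript decoder lives in the image's own header segments. The defensive counterpart is to check a response's declared Content-Type against the body's magic bytes and to look for markup inside JPEG segments and PNG chunks. The following is an added example written for this page, not Stegosploit's own code; the sample responses it checks are constructed inline.

```python
"""
Image/HTML polyglot check: flag a body that carries a JPEG or PNG signature
but is served as text/html, and flag HTML/script markup inside image header
metadata. Added example for this page; the samples below are constructed.
"""
import re

JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Markup that has no business inside an image's metadata.
HTML_MARKERS = re.compile(rb"<\s*(html|script|body|iframe)\b", re.IGNORECASE)


def sniff_image_type(body: bytes):
    """Return 'jpeg', 'png' or None based on the leading magic bytes."""
    if body.startswith(JPEG_MAGIC):
        return "jpeg"
    if body.startswith(PNG_MAGIC):
        return "png"
    return None


def jpeg_segments(body: bytes):
    """Yield (marker, payload) for JPEG header segments up to the first SOS.
    Parsing stops at SOS (0xDA) because entropy-coded data follows it."""
    i = 2  # skip the SOI marker
    while i + 2 <= len(body) and body[i] == 0xFF:
        marker = body[i + 1]
        if marker == 0xD9 or 0xD0 <= marker <= 0xD7:  # EOI / RSTn carry no length
            break
        if i + 4 > len(body):
            break
        length = int.from_bytes(body[i + 2:i + 4], "big")  # includes the 2 length bytes
        payload = body[i + 4:i + 2 + length]
        yield marker, payload
        if marker == 0xDA:
            break
        i += 2 + length


def png_chunks(body: bytes):
    """Yield (chunk_type, data) for each PNG chunk; CRCs are not validated here."""
    i = 8  # skip the signature
    while i + 8 <= len(body):
        length = int.from_bytes(body[i:i + 4], "big")
        ctype = body[i + 4:i + 8]
        data = body[i + 8:i + 8 + length]
        yield ctype, data
        if ctype == b"IEND":
            break
        i += 12 + length  # length + type + data + crc


def assess_response(content_type: str, body: bytes) -> list:
    """Return a list of findings (empty means nothing suspicious)."""
    findings = []
    kind = sniff_image_type(body)
    declared = content_type.split(";")[0].strip().lower()
    if kind and declared.startswith("text/html"):
        findings.append(f"{kind} image served as {declared}")
    if kind == "jpeg":
        for marker, payload in jpeg_segments(body):
            if HTML_MARKERS.search(payload):
                findings.append(f"html markup in jpeg segment 0x{marker:02x}")
    elif kind == "png":
        for ctype, data in png_chunks(body):
            if HTML_MARKERS.search(data):
                findings.append(f"html markup in png chunk {ctype.decode('ascii', 'replace')}")
    return findings


# --- constructed samples (minimal, not real pictures) ---------------------
def _jpeg_with_comment(comment: bytes) -> bytes:
    seg = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment  # COM segment
    return b"\xff\xd8" + seg + b"\xff\xd9"


def _png_with_text(text: bytes) -> bytes:
    def chunk(ctype: bytes, data: bytes) -> bytes:
        return len(data).to_bytes(4, "big") + ctype + data + b"\x00\x00\x00\x00"  # crc unchecked
    return PNG_MAGIC + chunk(b"tEXt", b"Comment\x00" + text) + chunk(b"IEND", b"")


SAMPLE_BENIGN_JPEG = _jpeg_with_comment(b"Constructed sample JPEG comment")
SAMPLE_POLYGLOT_JPEG = _jpeg_with_comment(b"<html><script>/* decoder stub */</script>")
SAMPLE_POLYGLOT_PNG = _png_with_text(b"<script>/* decoder stub */</script>")

if __name__ == "__main__":
    print(assess_response("image/jpeg", SAMPLE_BENIGN_JPEG))
    print(assess_response("text/html; charset=utf-8", SAMPLE_POLYGLOT_JPEG))
    print(assess_response("image/png", SAMPLE_POLYGLOT_PNG))
```

The check is meant to run on a proxy or in a content scanner; a browser-side fix is to serve images with `X-Content-Type-Options: nosniff` and a correct Content-Type so the browser never treats image bytes as HTML.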
Tomi Engdahl says:
Jon Brodkin / Ars Technica:
FCC rejects petition to require services like Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn to honor “Do Not Track” requests
Websites can keep ignoring “Do Not Track” requests after FCC ruling
Petition to impose Do Not Track requirements rejected by commission.
http://arstechnica.com/business/2015/11/fcc-wont-force-websites-to-honor-do-not-track-requests/
Websites will not be forced to honor consumers’ “Do Not Track” requests as the Federal Communications Commission today dismissed a petition that would have imposed new requirements on companies like Google and Facebook.
Consumer Watchdog had petitioned the FCC to “initiate a rulemaking proceeding requiring ‘edge providers’ (like Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn) to honor ‘Do Not Track’ Requests from consumers.” The group’s proposed rule would prevent online services from requiring consumers to consent to tracking in exchange for accessing Web services, preventing online services from sharing personal information of users with third parties when consumers send Do Not Track requests.
When consumers enable the Do Not Track setting in their browsers, they send an HTTP header in an attempt to opt out of third-party tracking conducted by analytics services, advertising networks, and social platforms. Some companies have committed to honor Do Not Track requests, but they are mostly ignored.
Tomi Engdahl says:
TalkTalk says only 156,959 customers affected by cyberattack data breach
Plus, two more suspects arrested and released on bail, and gov’t launches inquiry.
http://arstechnica.co.uk/information-technology/2015/11/talktalk-says-only-156959-customers-affected-by-cyberattack-data-breach/
TalkTalk has finally released some exact details of the cyberattack that it suffered a couple of weeks ago. The “good” news is, only 156,959 customers had their personal details leaked, or about 4 percent of TalkTalk’s total customer base of 3.9 million.
For those 157,000 customers, the hackers obtained a range of personal details, including name, address, date of birth, telephone number, and e-mail address—probably more than enough to cause some identity theft-related trouble.
Of the 157,000 affected customers, the hackers obtained 28,000 partial credit card numbers, but TalkTalk maintains that they were obfuscated enough that they can’t be used by crooks or sold on the black market.
Tomi Engdahl says:
ProtonMail Pays Crooks $6,000 In Bitcoin To Cease DDoS Bombardment
http://www.forbes.com/sites/thomasbrewster/2015/11/05/protonmail-pays-to-stop-ddos/
ProtonMail is getting its first taste of life as an entity known to criminals looking for a quick, easy payday.
Throughout most of yesterday and through to this morning, the encrypted email service, set up by CERN scientists in Geneva last year to fight snooping by the likes of the NSA, was offline. The company had to use a WordPress blog to disclose what was happening to customers.
Its datacenter was effectively shut down by waves of traffic thanks to two separate Distributed Denial of Service (DDoS) attacks. One of the groups responsible for flooding the servers demanded ProtonMail cough up 15 Bitcoin (currently worth around $6,000), or the attack would continue.
Andy Yen, one of the co-founders of ProtonMail and the one charged with leading the defence of the company, confirmed the ransom was paid yesterday – the payment has gone through to this Bitcoin address. The attacks have stopped for now and the start-up’s site is online.
Yen told FORBES other firms running operations in the same datacenter were knocked down by the “extremely powerful” DDoS – something that made Yen nervous. The company’s Internet Service Provider (ISP) also placed pressure on the company to pay to ease the pain.
“Basically, we were forced to pay by our ISP and datacenter because the collateral damage was just too much for them,”
He believes the first DDoS was the one carried out by the extortionists, though he doesn’t believe the same group was behind the second attack, which started around 2pm CET yesterday and weighed in at a whopping 100Gbps.
“The second attack was scary, most of the DDoS experts that have been communicating with us hadn’t seen that before – it was a full-scale infrastructure attack,”
Swiss police are investigating, whilst ProtonMail seeks a decent DDoS-protection vendor. FORBES understands Yen has been in touch with CloudFlare, Incapsula and a handful of other vendors. A solution has been chosen, but Yen wouldn’t disclose which one.
It’s bad timing for ProtonMail, which planned to launch to the wider public this month
DDoS extortion attacks are depressingly common. One group, going by the name DD4BC, has been a particularly nasty menace, launching attacks then threatening stronger hits unless a 40 Bitcoin ransom was paid within 24 hours.
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Full text of Trans-Pacific Partnership released, gets criticized by Internet privacy and consumer groups for threatening digital rights
TPP Trade Agreement Slammed For Eroding Online Rights
http://techcrunch.com/2015/11/05/tpp-vs-privacy/
Tomi Engdahl says:
The German parliament, the Bundestag, is about to deny parliamentarians and parliamentary employees the use of Flash Player and a number of other web browser plug-ins.
In addition, it will require longer passwords and PIN codes of at least eight digits.
The background of the new guidelines is a massive data breach that shook the German Parliament half a year ago. After this, the German embassies and consulates have been attacked using Flash zero-day vulnerabilities.
The Bundestag will also purchase protection against denial of service attacks from an external service provider.
Documents acquired by Spiegel bemoan the fact that the media reported the intrusions. The authors argue that this risked the attacker catching wind of the investigation and gave him time to cover his tracks. The investigations have indicated that the attackers had political intentions.
Source: http://www.tivi.fi/Kaikki_uutiset/parlamentti-haluaa-kieltaa-flash-playerin-6063417
Tomi Engdahl says:
Hackers take down Swedbank website with DDoS attack
For the second time in as many months
http://www.theinquirer.net/inquirer/news/2433764/hackers-take-down-swedbank-website-with-ddos-attack
SWEDISH BANK Swedbank has had its website taken offline by hackers after suffering a distributed denial of service (DDoS) attack on Friday.
Details remain thin on the ground, but the attack means that customers are unable to carry out online transactions or contact the bank through its website.
There’s no word as to when the website will be back up and running, but the bank has confirmed that its mobile applications are still working.
This isn’t the first time that Swedbank has fallen victim to hackers. The company admitted in a statement given to Reuters that this was the second attack in as many months, and – clearly not very confident in its own security – that it will probably happen again.
“The website was also hit by a hacker attack in October. It is not the first time and it will probably not be the last,” a spokesperson said.
Tomi Engdahl says:
User data plundering by Android and iOS apps is as rampant as you suspected
Most commonly shared data for Android is e-mail addresses; for iOS, it’s GPS data.
http://arstechnica.com/security/2015/11/user-data-plundering-by-android-and-ios-apps-is-as-rampant-as-you-suspected/
Apps in both Google Play and the Apple App Store frequently send users’ highly personal information to third parties, often with little or no notice, according to recently published research that studied 110 apps.
The researchers analyzed 55 of the most popular apps from each market and found that a significant percentage of them regularly provided Google, Apple, and other third parties with user e-mail addresses, names, and physical locations. On average, Android apps sent potentially sensitive data to 3.1 third-party domains while the average iOS app sent it to 2.6 third-party domains. In some cases, health apps sent searches including words such as “herpes” and “interferon” to no fewer than five domains with no notification that it was happening.
“The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs,” the authors of the study, titled Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps, wrote. “Apps on Android and iOS today do not need to have permission request notifications for user inputs like PII and behavioral data.”
Tomi Engdahl says:
DOJ indicts man who blasted false stock info on Twitter then traded on it
Fake tweets caused major stock drops, but SEC believes suspect made just $100.
http://arstechnica.com/tech-policy/2015/11/scottish-man-indicted-for-twitter-based-stock-fraud/
The US Attorney for Northern California has indicted a Scottish man on charges that he illegally manipulated stock prices with a simple Twitter account.
According to the indictment (PDF), 62-year-old James Alan Craig created two fraudulent Twitter accounts on which he pretended to be market research firms. He then tweeted out false info about publicly traded stocks on Twitter, causing significant drops in stock prices for two companies. He then allegedly day-traded on those stocks through his girlfriend’s TradeMonster account.
There wasn’t a big payoff for Craig. A separately filed SEC complaint (PDF) notes that he earned only about $100 from the scheme, because he waited too long to trade the stocks. “Craig’s conduct, however, caused harm to the US markets and investors by triggering significant stock price drops, which undermine investor confidence,” states the SEC filing.
Tomi Engdahl says:
Drones are dropping drugs into prisons and the US govt just doesn’t know what to do
Uncle Sam needs your help
http://www.theregister.co.uk/2015/11/06/drones_fly_drugs_into_prisons/
Tomi Engdahl says:
Let’s Encrypt gets automation
Unblocking the open CA’s client process
http://www.theregister.co.uk/2015/11/09/lets_encrypt_gets_automation/
Hoping to expand the pool of Let’s Encrypt testers, TrueCrypt audit project co-founder Kenneth White has run up a set of scripts to automate the process of installing certificates under the Mozilla-backed open CA.
White, co-director of the Open Crypto Audit Project, has posted the work at Github, here. He explains that the project is quite simple, consisting of Python scripts to “stand up the official Let’s Encrypt certificate management ACME client tool” in the target environments.
These include Debian, Amazon’s Linux (for AWS), CentOS, RedHat and FreeBSD.
LetsEncrypt Client Installers
https://github.com/kennwhite/install-letsencrypt
A suite of simple install scripts for the LetsEncrypt official certificate client on most major *nix OS (Debian, AWS, CentOS, RedHat, Ubuntu FreeBSD)
Tomi Engdahl says:
FCC won’t track Do Not Track
Consumer Watchdog request gets ’403: Forbidden’
http://www.theregister.co.uk/2015/11/09/fcc_wont_track_do_not_track/
America’s Federal Communications Commission (FCC) has decided it won’t intervene against companies that don’t honour user Do Not Track requests.
The decision (PDF here) comes in response to a request by Consumer Watchdog, which in June asked the FCC to support users’ Do Not Track browser settings.
The request put the FCC in something of a cleft stick, since its “net neutrality” decision earlier this year came with a commitment that it wasn’t going to regulate individual providers.
http://transition.fcc.gov/Daily_Releases/Daily_Business/2015/db1106/DA-15-1266A1.pdf
Tomi Engdahl says:
Badly-Coded Ransomware Locks User Files and Throws Away Encryption Key
http://it.slashdot.org/story/15/11/08/1353209/badly-coded-ransomware-locks-user-files-and-throws-away-encryption-key
A new ransomware family was not tested by its developer and is encrypting user files and then throwing away the encryption key because of an error in its programming. The ransomware author wanted to cut down costs by using a static encryption key for all users, but the ransomware kept generating random keys
Epic Fail: Power Worm Ransomware Accidentally Destroys Victim’s Data During Encryption
http://news.softpedia.com/news/epic-fail-power-worm-ransomware-accidentally-destroys-victim-s-data-during-encryption-495833.shtml
A variant of the Power Worm ransomware is infecting computers, encrypting their data files, and throwing away the encryption key, all because of an error in the malware’s programming.
The Power Worm malware is a PowerShell-based ransomware, which uses the Windows PowerShell to initiate and execute its malicious activity.
The Windows PowerShell is a framework developed by Microsoft to allow developers to automate tasks and operations on Windows PCs.
Trend Micro researchers were the ones that discovered the Power Worm ransomware back in March 2014, when they detected an active campaign targeting Word and Excel files.
Tomi Engdahl says:
Going Dark Crypto Debate Going Nowhere
http://it.slashdot.org/story/15/11/08/140208/going-dark-crypto-debate-going-nowhere
FBI general counsel James Baker reiterated a theme his boss James Comey started months ago, that Silicon Valley needs to find a solution to the “Going Dark” encryption problem. Two crypto and security experts, however, pointed out during a security event in Boston that encryption remains the best defense against the government’s surveillance overreach and espionage hacking targeting intellectual property.
Same Rhetoric Permeates Going Dark Encryption Debate
https://threatpost.com/same-rhetoric-permeates-going-dark-encryption-debate/115271/
Baker—speaking at the Advanced Cyber Security Center conference and flanked by crypto luminary Susan Landau of Worcester Polytech Institute and Eric Wenger, director of cybersecurity and privacy, global government affairs at Cisco—made the case that encryption hampers law enforcement investigations on a local level and surveillance efforts on national security and terrorism fronts.
The other side argues that, especially post-Snowden and the endless run of evidence of the National Security Agency’s overreach on surveillance and deliberate efforts to weaken cryptographic standards, that encryption remains the best defense against government surveillance and advanced attackers targeting intellectual property. Asking Silicon Valley for help in solving Going Dark, for example, seems to be an unlikely proposition.
“Silicon Valley distrusts the U.S. government, especially after the Snowden leaks,”
Landau and Wenger, however, countered that there are alternatives available to help the FBI and law enforcement compel companies to turn over customer data.
“Someone with the NSA once said to me: ‘The law in the case of a wiretap warrant gives us the right to collect information. It doesn’t say it should be easy,’” Landau said. “The FBI is in a really hard spot, and part of that is because of the way we define the political discussion, which is zero failure. Asking the FBI to have zero cases of terrorism is not plausible.”
Tomi Engdahl says:
Vulnerability In Java Commons Library Leads To Hundreds of Insecure Applications
http://developers.slashdot.org/story/15/11/08/0346258/vulnerability-in-java-commons-library-leads-to-hundreds-of-insecure-applications
Stephen Breen from the FoxGlove Security team is calling attention to what he calls the “most underrated, underhyped vulnerability of 2015.” It’s a remote code execution exploit that affects the latest versions of WebLogic, WebSphere, JBoss, Jenkins, and OpenMMS, and many other pieces of software. How? An extremely common Java library.
Comment:
Agreed – this is not a “Java” security vulnerability – this is working as designed. It’s the responsibility of the application owner to either:
1) Reject any user input of serialized objects
2) Accept said user input and sanitize it.
What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
The most underrated, underhyped vulnerability of 2015 has recently come to my attention, and I’m about to bring it to yours. No one gave it a fancy name, there were no press releases, nobody called Mandiant to come put out the fires. In fact, even though proof of concept code was released OVER 9 MONTHS AGO, none of the products mentioned in the title of this post have been patched, along with many more. In fact no patch is available for the Java library containing the vulnerability. In addition to any commercial products that are vulnerable, this also affects many custom applications.
In this post I’ll be dropping pre-authentication, remote code execution exploits that leverage this vulnerability for WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. All on the newest versions. Even more interesting, I’ll detail the process we went through to discover that these products were vulnerable, and how I developed the exploits.
Tomi Engdahl says:
Here’s the little-known legal loophole that permitted mass surveillance in the UK
Law from 1984 – yes, really – let GCHQ et al run amok
http://www.theregister.co.uk/2015/11/09/hawktalk_wip/
This article explains the extent to which the national security agencies have been collecting bulk communications data using powers which are being exercised in a way that were never subject to Parliamentary scrutiny.
Such data collection is neither subject to the relevant code of practice covering communications data nor to scrutiny from the regulator who was specifically tasked by Parliament to supervise the use of communications data.
This is yet another lesson in the dangers of leaving wide-ranging powers on the statute book. It also provides the explanation why the collection of bulk communications data is believed by ministers to be lawful.
Tomi Engdahl says:
The Onapsis Research Lab delivers regular SAP security advisories and vulnerability research to our eco-system of customers, partners and the information security industry
https://www.onapsis.com/research/security-advisories