Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states. They can come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect new details from the NSA revelations to be published also in 2015. So I expect some new information leaks on how governmental security organizations spy on us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports keep coming up, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways are Vulnerable to Attack, and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the usual repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014, as far as I know. I think it is likely that an online murder can happen in 2015. The tools for it are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications in application stores. Within the next year, advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
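As an added example (not from the article or any vendor), here is a small Go program that merges indicators from two constructed feeds into one de-duplicated set, records which feeds corroborate each indicator, and runs the result over a few constructed proxy log lines. The flat Indicator record and the feed names are assumptions standing in for what a STIX/TAXII exchange would carry; the point is the aggregation and corroboration that sharing formats exist to enable.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Indicator is one observable plus the feed that reported it. This flat
// record is a constructed stand-in for what a STIX/TAXII exchange would
// carry; the aggregation logic is what the example is about.
type Indicator struct {
	Type   string // "ipv4" or "domain"
	Value  string
	Source string
}

// IndicatorSet merges indicators from several feeds, de-duplicating on
// (type, value) while remembering every feed that reported each one, so
// that a match can be scored by how many independent sources agree.
type IndicatorSet struct {
	sources map[string]map[string]bool // normalised key -> set of feed names
}

func NewIndicatorSet() *IndicatorSet {
	return &IndicatorSet{sources: map[string]map[string]bool{}}
}

// key normalises case and whitespace so "BAD.example.net" and
// "bad.example.net" from two feeds collapse into one indicator.
func key(typ, value string) string {
	return typ + ":" + strings.ToLower(strings.TrimSpace(value))
}

// Add merges one feed into the set.
func (s *IndicatorSet) Add(feed []Indicator) {
	for _, ind := range feed {
		k := key(ind.Type, ind.Value)
		if s.sources[k] == nil {
			s.sources[k] = map[string]bool{}
		}
		s.sources[k][ind.Source] = true
	}
}

// Sources returns, sorted, the feeds that reported an observable
// (empty when it is unknown).
func (s *IndicatorSet) Sources(typ, value string) []string {
	var out []string
	for src := range s.sources[key(typ, value)] {
		out = append(out, src)
	}
	sort.Strings(out)
	return out
}

// Match scans proxy-style log lines of the form "client dest_ip dest_host"
// and returns each line whose destination IP or host is a known indicator,
// prefixed with the number and names of the corroborating feeds.
func (s *IndicatorSet) Match(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue // malformed line; skip rather than abort the scan
		}
		for _, probe := range [][2]string{{"ipv4", f[1]}, {"domain", f[2]}} {
			if srcs := s.Sources(probe[0], probe[1]); len(srcs) > 0 {
				hits = append(hits, fmt.Sprintf("%d feed(s) [%s]: %s",
					len(srcs), strings.Join(srcs, ","), line))
				break
			}
		}
	}
	return hits
}

// Constructed sample feeds (RFC 5737 documentation addresses and example
// domains) and constructed log lines.
var (
	vendorFeed = []Indicator{
		{"ipv4", "203.0.113.7", "vendor"},
		{"domain", "bad.example.net", "vendor"},
	}
	communityFeed = []Indicator{
		{"domain", "BAD.example.net ", "community"},
		{"ipv4", "198.51.100.9", "community"},
	}
	sampleLog = []string{
		"10.0.0.5 93.184.216.34 www.example.com",
		"10.0.0.6 203.0.113.7 unknown.invalid",
		"10.0.0.7 192.0.2.1 bad.example.net",
	}
)

func main() {
	set := NewIndicatorSet()
	set.Add(vendorFeed)
	set.Add(communityFeed)
	for _, hit := range set.Match(sampleLog) {
		fmt.Println(hit)
	}
}
```

Running it reports the second log line as matched by one feed and the third by two; a real deployment would feed the corroboration count into alert priority and keep the source list for follow-up with whoever published the indicator.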

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
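To make the interception point concrete, here is an added Go example (not from the article) that mints a constructed public CA, a genuine certificate for www.example.com, a constructed corporate proxy CA and the look-alike certificate such a proxy presents for the same host, all offline with the standard library. It then runs the two checks a pinning client makes on the presented certificate: chain validation, which passes once the proxy CA has been pushed into the managed trust store, and an SPKI pin comparison, which is what still tells the genuine certificate from the proxy's. Every certificate, CA name, host name and pin value is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for name: self-signed when parent is nil,
// otherwise signed by parent. It stands in for a CA so the scenario runs
// offline; every certificate here is constructed, none is real.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value
// HPKP and pinning libraries compare against.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Result: does the presented leaf chain to a trusted root, and does its key match the pin?
type Result struct {
	ChainOK bool
	PinOK   bool
}

func check(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) Result {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return Result{ChainOK: err == nil, PinOK: spkiPin(leaf) == pin}
}

// Scenario: a genuine certificate for the host and an intercepting proxy's
// look-alike, checked against a browser trust store and a managed one that also trusts the proxy CA.
func Scenario() (genuine, proxied, untrustedProxy Result) {
	const host = "www.example.com" // constructed
	publicCA, publicKey := issue("Constructed Public CA", true, nil, nil)
	siteCert, _ := issue(host, false, publicCA, publicKey)
	proxyCA, proxyKey := issue("Constructed Corp Proxy CA", true, nil, nil)
	proxyCert, _ := issue(host, false, proxyCA, proxyKey)
	pin := spkiPin(siteCert) // learned out of band, e.g. on an earlier direct connection
	browserRoots := x509.NewCertPool()
	browserRoots.AddCert(publicCA)
	managedRoots := x509.NewCertPool()
	managedRoots.AddCert(publicCA)
	managedRoots.AddCert(proxyCA)
	genuine = check(siteCert, managedRoots, host, pin)
	proxied = check(proxyCert, managedRoots, host, pin)
	untrustedProxy = check(proxyCert, browserRoots, host, pin)
	return
}

func main() {
	g, p, u := Scenario()
	fmt.Printf("genuine: %+v  proxied, CA trusted: %+v  proxied, CA not trusted: %+v\n", g, p, u)
}
```

The managed-store case is the one the paragraph describes: chain validation is satisfied because the organization deliberately trusts its proxy CA, so only the pin (or certificate transparency, or an out-of-band fingerprint check) reveals that the key on the wire is not the site's own.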


3,110 Comments

  1. Tomi Engdahl says:

    AWS announces UK region offering local cloud storage in wake of Safe Harbour ruling
    But what effect is May to December?
    http://www.theinquirer.net/inquirer/news/2433763/aws-announces-uk-region-offering-local-cloud-storage-in-wake-of-safe-harbor-ruling

    AMAZON WEB SERVICES (AWS) has announced a new UK region for its cloud services. It is expected that the UK operation will be complete by the end of 2016, and that the facility will bolster the current AWS regional offerings in Dublin and Frankfurt.

    The news has a double impact for customers in the UK. On an operational level, it will create a lower latency, higher speed

    The second aspect comes from the continuing controversy surrounding the Safe Harbour ruling. UK companies will now be able to store data in the UK, thus avoiding any unpleasant laws governing access to files that may exist in other countries.

    Of course, the news comes in the same week that the so-called Snoopers’ Charter was revealed, which includes a number of clauses that will make UK-based storage less appealing.

    Theresa May delivers onerous Snoopers’ Charter surveillance promises
    Investigatory Powers Bill wants your internet history
    http://www.theinquirer.net/inquirer/news/2433307/theresa-may-delivers-onerous-snoopers-charter-surveillance-promises

    Reply
  2. Tomi Engdahl says:

    Dell and HP tech support staff are telling customers to ditch Windows 10
    The words ‘technical’ and ‘support’ don’t seem to apply here
    http://www.theinquirer.net/inquirer/news/2433750/dell-and-hp-tech-support-staff-are-telling-customers-to-ditch-windows-10

    A NUMBER OF OEMs have been caught discouraging the use of Microsoft Windows 10, and in some cases persuading customers to roll back to Windows 8.1.

    Research conducted by Laptop magazine for its annual Tech Showdown found that telephone support agents for Dell and HP told customers that they don’t encourage upgrading to Windows 10.

    The Dell agent told researchers that the company was getting “a ton of support calls from Windows 10 users” and recommended rolling back to 8.1, while a second agent said that there are “a lot of glitches” in the new OS.

    An HP agent spent an hour trying to get an HP proprietary feature working in Windows 10, took control of the researcher’s computer, attempted to fix it, failed, attempted to roll back to Windows 8.1, failed again and then suggested buying a $40 rescue USB.

    Reply
  3. Tomi Engdahl says:

    Latest Android adware threat is ‘virtually impossible’ to remove
    Auto-rooting trojan spells bad news for enterprises
    http://www.theinquirer.net/inquirer/news/2433718/latest-android-adware-threat-is-virtually-impossible-to-remove

    A NEW STRAIN of Android malware has been uncovered that has been described as “virtually impossible” to remove.

    Mobile security outfit Lookout delivered the warning message having spotted an aggressive type of adware hidden inside 20,000 Android apps. These apps, which are found mainly in third-party app stores rather than Google Play, are masquerading as legitimate popular applications, including Candy Crush, Facebook, Snapchat and WhatsApp.

    The malicious apps provide exactly the same functionality as the legitimate apps they impersonate, Lookout said, and can secretly root a phone and install itself as a system application, making it “virtually impossible to get rid of”.

    Once up and running, adverts will be thrown up on the smartphone screen, and the hackers behind the adware will even be able to install apps on the device without consent.

    “In this rooted state, an everyday victim won’t have the proper interface to control what apps on the phone request root access. The problem here is that these apps may gain access to data they shouldn’t have access to, given their escalated privileges,” Bentley warned.

    “Unlike older types of adware that were obvious and obnoxious, prompting users to uninstall them, this new type of adware is silent and works in the background.”

    Reply
  4. Tomi Engdahl says:

    Turning A Teensy Into A U2F Key
    http://hackaday.com/2015/11/09/turning-a-teensy-into-a-u2f-key/

    Last month, GitHub users were able to buy a special edition Universal 2nd Factor (U2F) security key for just five bucks. [Yohanes] bought two, but wondered if he could bring U2F to other microcontrolled devices. He ended up building a U2F key with a Teensy LC, and in the process brought U2F to the unwashed masses.

    Universal 2nd Factor is exactly what it says on the tin: it doesn’t replace your password, but it does provide a little bit of extra verification to prove that the person logging into an account is indeed the person that should. Currently, Google (through Gmail and Google Drive), Github, Dropbox, and even WordPress (through a plugin) support U2F devices, so a tiny USB key that’s able to provide U2F is a very useful device.

    Teensy LC U2F key
    http://tinyhack.com/2015/11/08/teensy-lc-u2f-key/

    After receiving the keys, I got curious and started to read the U2F specifications. The protocol is quite simple, but so far I haven’t been able to find an implementation of a U2F key device using existing microcontrollers (Arduino or anything else). The U2F protocol uses ECC signing

    A U2F device is actually just a USB HID Device

    The U2F protocol is actually quite simple. When we want to use the hardware U2F key in a webapp (or desktop app), we need to add the USB key that we have to the app database. Practically, in the website, you would choose a menu that says “Add device” or “register new device”.

    When you choose the register/add device, the app will send a REGISTER request to the hardware U2F USB key with a unique appid (for a web app, this consists of domain name and port). The hardware U2F key will generate a private/public key pair specific for this app id

    Next time the user wants to login, the app/webapp will send authentication request to the hardware U2F key. In practice, when logging in, the website will request you to plug the hardware U2F key and press the button in the hardware key.

    The app will send a random challenge and the appid (to identify which app it is), and the “key handle”

    Google provides U2F reference code including something to test USB U2F keys.

    Teensy LC doesn’t provide a user button (just a reset button), and I don’t want to add a button to it (it wouldn’t be portable anymore). So I just implemented everything without button press. This is insecure, but its ok for me for testing.

    Most of the time implementing your own device is not more secure than buying commercial solution, but sometimes it has some advantages over commercial solutions.
    For example: most devices that I know of don’t have a ‘reset’ mechanism.

    In our custom solution we can reset/reflash our own device (or just change the encryption key) and have a plausible deniability that we are not related to that site (the suggestion in the U2F specification was to destroy a device if you no longer want to associate a website with your device if your device doesn’t have a reset mechanism).

    Reply
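The register/authenticate exchange quoted in the comment above, written out as an added Go example that is not Yohanes's Teensy code or Google's reference implementation. It simplifies the real protocol: the token stores registrations in a map instead of deriving keys from the key handle, and attestation certificates are omitted; the app id, the challenge and the phishing domain are constructed. What it does show are the properties the comment relies on: a key registered for one app id will not sign for another, the token signs nothing without a button press, and the relying party rejects assertions that lack the user-presence flag or reuse a counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Token models the hardware key (real tokens derive keys from the handle
// and return an attestation certificate at registration; both omitted).
type Token struct {
	slots   map[string]slot // key handle -> (app id hash, private key)
	counter uint32          // signature counter, only ever increases
}

type slot struct {
	appHash [32]byte
	key     *ecdsa.PrivateKey
}

// Register handles REGISTER: a fresh P-256 key pair bound to this app id
// plus an opaque handle that the site stores next to the public key.
func (t *Token) Register(appID string) ([]byte, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(key.PublicKey.X.Bytes()) // any unique opaque id would do
	t.slots[string(h[:16])] = slot{appHash: sha256.Sum256([]byte(appID)), key: key}
	return h[:16], &key.PublicKey, nil
}

// Assertion is the token's answer to AUTHENTICATE.
type Assertion struct {
	UserPresent byte
	Counter     uint32
	Signature   []byte
}

// signedData: app id hash || presence flag || big-endian counter || SHA-256(challenge).
func signedData(appHash [32]byte, present byte, counter uint32, challenge []byte) []byte {
	ch := sha256.Sum256(challenge)
	buf := append(appHash[:], present)
	buf = binary.BigEndian.AppendUint32(buf, counter)
	return append(buf, ch[:]...)
}

// Authenticate signs only for the app id the handle was registered under and
// only after a button press; that is what makes the key useless to a look-alike site.
func (t *Token) Authenticate(appID string, handle, challenge []byte, buttonPressed bool) (*Assertion, error) {
	s, ok := t.slots[string(handle)]
	if !ok || s.appHash != sha256.Sum256([]byte(appID)) {
		return nil, errors.New("key handle not registered for this app id")
	}
	if !buttonPressed {
		return nil, errors.New("user presence required")
	}
	t.counter++
	digest := sha256.Sum256(signedData(s.appHash, 1, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	return &Assertion{UserPresent: 1, Counter: t.counter, Signature: sig}, err
}

// Verify is the site's side: presence flag set, counter strictly above the last
// accepted one (replays and cloned tokens fail here), signature over its own app id.
func Verify(appID string, pub *ecdsa.PublicKey, lastCounter uint32, challenge []byte, a *Assertion) error {
	if a.UserPresent != 1 {
		return errors.New("user presence flag not set")
	}
	if a.Counter <= lastCounter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	digest := sha256.Sum256(signedData(sha256.Sum256([]byte(appID)), a.UserPresent, a.Counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Flow: registration and a good login, then a replay of it, a login without a
// button press, and a phishing site using the same handle under its own app id.
func Flow() (login, replay, noTouch, phishing error) {
	const appID = "https://example.com" // constructed
	token := &Token{slots: map[string]slot{}}
	handle, pub, _ := token.Register(appID) // a failure here surfaces as an Authenticate error below
	challenge := []byte("constructed challenge from the site")
	a, err := token.Authenticate(appID, handle, challenge, true)
	if err != nil {
		return err, err, err, err
	}
	login = Verify(appID, pub, 0, challenge, a)
	replay = Verify(appID, pub, a.Counter, challenge, a) // site already saw this counter
	_, noTouch = token.Authenticate(appID, handle, challenge, false)
	_, phishing = token.Authenticate("https://example.com.evil.invalid", handle, challenge, true)
	return
}
```

Flow returns nil for the genuine login and an error for each of the other three cases. The counter check is the site's defence against a copied key: a clone that has signed fewer times than the original presents a counter the site has already accepted and is refused.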
  5. Tomi Engdahl says:

    Joseph Menn / Reuters:
    NSA says it discloses 91% of vulnerabilities it finds, but sources say it often uses those vulnerabilities first

    NSA says how often, not when, it discloses software flaws
    Read more at Reuters:
    http://www.reuters.com/article/2015/11/07/us-cybersecurity-nsa-flaws-insight-idUSKCN0SV2XQ20151107#iCWHY0Lx1c6RIISM.99

    Reply
  6. Tomi Engdahl says:

    Nearly 157,000 had data breached in TalkTalk cyber-attack
    Company says over 15,000 also had financial details hacked but most codes obtained could not be used for payments
    http://www.theguardian.com/business/2015/nov/06/nearly-157000-had-data-breached-in-talktalk-cyber-attack

    Almost 157,000 TalkTalk customers had their personal details hacked in last month’s cyber-attack on the telecoms company.

    Talk Talk said the total number of customers affected by the attack two weeks ago was 156,959, including 15,656 whose bank account numbers and sort codes were hacked.

    The total is 4% of TalkTalk’s 4 million customers and is a small fraction of the number feared when news of the attack broke. The number of customers whose bank details were stolen is lower than an estimate of less than 21,000 released a week ago.

    The company said 28,000 credit and debit card numbers, with some digits obscured, stolen by the hackers cannot be used for payment and customers cannot be identified from the data.

    When the cyber-attack was revealed, TalkTalk said it did not know how many customers were affected, raising concerns that hundreds of thousands of customers could be at risk. The company was criticised for its lack of information and for failing to take precautions after being hacked twice before this year.

    Two teenage boys have been arrested and bailed in connection with the cyber-attack

    Reply
  7. Tomi Engdahl says:

    Facebook brings creepy ’Minority Report’-style ads one step closer
    Zuck flogs your location to brands for a mall mithering
    http://www.theregister.co.uk/2015/11/09/facebook_minority_report_ads/

    Facebook will nudge the retail industry one step closer to Minority Report-style ads that know who you are, where you are, and blast you with personalized ads that only you can see.

    We’re still some way from the noir movie vision, but you don’t need to boil a lobster quickly.

    From Thursday, Facebook will make its users’ location and personal data history available to brands in the US, who can then decide whether to blast local foot traffic with targeted advertising. A brand will be able to tell how many local shoppers had “engaged” (that’s the jargon) with one of its advertisements on Facebook within the past 28 days.

    The data will be aggregated and anonymised, unlike the 2002 Dreamworks movie adaption of Philip K Dick’s eponymous short story.

    Reply
  8. Tomi Engdahl says:

    Touchnote breach: Wrote a postcard with us? Thieves have your pal’s name, address
    The gift that keeps on giving. (Yes they have your details too)
    http://www.theregister.co.uk/2015/11/09/touchnote_cops_to_data_breach_tells_customers_no_action_required/

    London-based postcard biz Touchnote has offered more details about a data breach it confessed to on Bonfire Night.

    In a statement published on its site on 5 November, Touchnote claimed it had the previous day “received information confirming that Touchnote has been victim of criminal activity, resulting in the theft of some of our customer data.”

    Passwords stored on the site were hashed and salted, though the company informed its customers that “it is considered best practice to change your password after any data theft.”

    Reply
  9. Tomi Engdahl says:

    FCC Fines Cox for Lizard Squad Hack
    The FCC has fined Cox Communications $595,000 over the August 2014 hacker attack by a member of the Lizard Squad group.

    FCC Fines Cox for Lizard Squad Hack
    http://www.securityweek.com/fcc-fines-cox-lizard-squad-hack

    Broadband communications company Cox has agreed to pay a heavy fine to settle allegations by the Federal Communications Commission (FCC) that it had failed to protect customers’ personal information.

    Cox has agreed to pay a $595,000 settlement as part of what the FCC calls its first privacy and data security enforcement action against a cable operator.

    Pretending to be a staff member from the company’s IT department, the attacker convinced a Cox customer service representative and a contractor to enter their usernames and passwords on a phishing website. The hacker used the stolen credentials to access customer information, including names, email addresses, addresses, PINs, and in some cases social security and driver’s license numbers.

    EvilJordie changed some of the affected customers’ passwords, and posted some of the stolen information on social media websites.

    “The Communications Act requires that a cable operator shall not disclose personally identifiable information concerning any subscriber without the prior written or electronic consent of the subscriber concerned and shall take such actions as are necessary to prevent unauthorized access to such information by a person other than the subscriber or cable operator,” the FCC said.

    Reply
  10. Tomi Engdahl says:

    File-Encrypting Ransomware Targets Linux Users
    http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users

    Researchers at Russian antivirus company Doctor Web have come across a new file-encrypting ransomware that appears to be targeting machines running Linux operating systems.

    The security firm believes tens of users have already fallen victim to the threat, which seems to be mainly aimed at webmasters whose machines host web servers.

    It’s unclear at this point how the malware is distributed and installed on victims’ computers, but experts noted that the threat requires administrator privileges in order to work. Once it infects a device, the ransomware, detected by Dr. Web as Linux.Encoder.1, downloads a couple of files containing the attacker’s demands and one file containing a public RSA key that is used to store the AES keys for encrypting files, Dr. Web said.

    Reply
  11. Tomi Engdahl says:

    EU Expects New Data Transfer Deal With US in Three Months
    The EU said it hoped to reach a new deal with Washington within three months on data transfers which major firms like Facebook rely on, but demanded “bullet-proof” privacy protections.

    EU Expects New Data Transfer Deal With US in Three Months
    http://www.securityweek.com/eu-expects-new-data-transfer-deal-us-three-months

    Brussels – The EU said Friday it hoped to reach a new deal with Washington within three months on data transfers which major firms like Facebook rely on, but demanded “bullet-proof” privacy protections.

    The European Court of Justice last month ruled that the EU-US “Safe Harbor” arrangement allowing firms to transfer European citizens’ personal information to the US was “invalid” because it did not properly protect the data from spy agencies.

    EU and US officials have since held several rounds of talks for a new arrangement.

    Reply
  12. Tomi Engdahl says:

    Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web
    Certificate reuse allows hackers to identify Ubiquiti devices that might be exploitable from the Internet. 1.1 million devices found.

    Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web
    http://www.securityweek.com/flaw-allows-hackers-find-ubiquiti-devices-exposed-web

    Ubiquiti Networks products have the remote administration feature enabled by default and a new flaw found by researchers at SEC Consult allows malicious hackers to quickly identify potentially vulnerable devices.

    Researchers at IT security consultancy SEC Consult recently discovered that in addition to the remote management feature that is available via SSH, HTTP and HTTPS, there is another security weakness that can be abused by cybercriminals. According to experts, many Ubiquiti devices have the same hardcoded cryptographic keys.

    “A certificate, including its private key, is embedded in the firmware of several Ubiquiti Networks products. This certificate is used for the HTTPS service (default server certificate for web based management) and is the same on all devices,” SEC Consult explained.

    Reply
  13. Tomi Engdahl says:

    Zak Stone / Matter:
    An accidental death at an unsafe Airbnb rental raises questions about liability and safety standards for the company
    Living and Dying on Airbnb
    https://medium.com/matter/living-and-dying-on-airbnb-6bff8d600c04

    Communities are trying to process the deep impacts of Airbnb on domestic space, real estate, travel, hospitality, and the risks and benefits we ascribe to such things. Supporters of Airbnb have argued for the rights of homeowners to make money off their own property, and for the ability of home-sharing platforms to police themselves. The company has rallied to its hosts’ defense, offering legal support and helping start Peers, an association for Airbnb hosts, Uber drivers, and other freelancers that turns out opposition to legislation to curb companies operating in this on-demand economy

    While New York requires hotels to adhere to much stricter safety standards than apartment buildings (portable fire extinguishers, automatic sprinklers, posted emergency guidelines), unregulated hotels — whether a sketchy commercial operation or a branding consultant’s Williamsburg loft — usually don’t. “[T]he visitor is thus placed at significantly increased risk of injury or death,”

    Reply
  14. Tomi Engdahl says:

    Agence France-Presse:
    Belgian court orders Facebook to stop tracking non-registered users within 48 hours, or risk a fine of $269K a day; company says it will appeal — Belgian court gives Facebook 48 hours to stop tracking Internet users — A Belgian court on Monday gave Facebook 48 hours to stop tracking Internet users …

    Belgian court gives Facebook 48 hours to stop tracking Internet users
    http://www.afp.com/en/news/belgian-court-gives-facebook-48-hours-stop-tracking-internet-users

    A Belgian court on Monday gave Facebook 48 hours to stop tracking Internet users who do not have accounts with the US social media giant, or risk fines of up to 250,000 euros ($269,000) a day.

    The order follows a case lodged by Belgium’s privacy watchdog in June which said Facebook indiscriminately tracks Internet users when they visit pages on the site or click “like” or “share”, even if they are not members, the court said.

    In Monday’s decision, the Belgian court said Facebook uses a special “cookie” that lodges on an Internet user’s device if they visit a Facebook page, for example belonging to a friend, a shop or a political party — even if they are not signed up to the network.

    The cookie then stays on their device for up to two years and allows Facebook to consult it whenever the user pays further visits to Facebook pages, or to any page where they can like or recommend via a Facebook link.

    “The judge ruled that this is personal data, which Facebook can only use if the Internet user expressly gives their consent, as Belgian privacy law dictates,” the statement said.

    Reply
  15. Tomi Engdahl says:

    Steve Ragan / CSO:
    Comcast resets nearly 200,000 passwords after customer list goes on sale — Dark Web market ad offering Comcast accounts in bulk — Over the weekend, a reader (@flanvel) directed Salted Hash to a post on a Dark Web marketplace selling a number of questionable, if not outright illegal goods.

    Comcast resets nearly 200,000 passwords after customer list goes on sale
    http://www.csoonline.com/article/3002604/cyber-attacks-espionage/comcast-resets-nearly-200000-passwords-after-customer-list-goes-on-sale.html

    Over the weekend, a reader (@flanvel) directed Salted Hash to a post on a Dark Web marketplace selling a number of questionable, if not outright illegal goods. The post in question offered a list of 590,000 Comcast email addresses and corresponding passwords.

    As proof, the seller offered a brief list of 112 accounts with a going rate of $300 USD for 100,000 accounts.

    Saturday evening, Salted Hash contacted Comcast about the account list being sold online. By the time our message reached them, Comcast had already obtained a copy of the list and their security team was checking each record against the ISP’s current customer base.

    Of the 590,000 records being sold, only about 200,000 of them were active.

    However, playing the better safe than sorry card, Comcast will assume the passwords on the matching accounts are valid and force a reset.

    Customers impacted by the password resets will be dealt with on a case-by-case basis.

    Many of those commenting on the massive list speculated that it was recycled information – and tagged the seller as a scammer (a black mark among criminals trading in compromised data).

    The marketplace ad has generated a single sale since it was posted. The odds are good that Comcast themselves were the customer.

  16. Tomi Engdahl says:

    Blue Coat acquires cloud security startup Elastica for $280M (Updated)
    http://venturebeat.com/2015/11/07/source-blue-coat-is-buying-cloud-security-startup-elastica-for-more-than-300m/

    Blue Coat Systems, a security vendor owned by Bain Capital, is acquiring Elastica, a startup that detects potentially dangerous use of cloud applications.

    Blue Coat sells hardware that gives companies and government agencies visibility into encrypted web traffic flowing through their data centers. The equipment can prevent unwanted use of apps, like uploading pictures to Facebook or including attachments in emails. Similarly, Elastica reveals all the cloud services that a company’s employees are using, and allows admins to enforce security policies across those services.

    Elastica’s competitors include Bitglass, Netskope, and Skyhigh Networks. Another competitor, Adallom, was acquired by Microsoft for $320 million.

  17. Tomi Engdahl says:

    8 of the 10 Top Security Flaws Used By Cyber-Criminals This Year Were Flash Bugs
    http://it.slashdot.org/story/15/11/10/0218207/8-of-the-10-top-security-flaws-used-by-cyber-criminals-this-year-were-flash-bugs?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Adobe Flash Player provided eight of the top 10 vulnerabilities used by exploit kits in 2015. Angler is currently the most popular exploit kit, regularly tied to malware including Cryptolocker. Vulnerabilities in Microsoft’s Internet Explorer and Silverlight are also major targets.

    Gone in a Flash: Top 10 Vulnerabilities Used by Exploit Kits
    https://www.recordedfuture.com/top-vulnerabilities-2015/

    Recorded Future threat intelligence analysis of over 100 exploit kits (EKs) and known vulnerabilities identified Adobe Flash Player as the most frequently exploited product. While the role of Adobe Flash vulnerabilities as a regular in-road for criminals and malware should come as no surprise to information security professionals, the scale is significant.

  18. Tomi Engdahl says:

    Judge Blocks NSA Spying and Sets an Important Precedent
    http://www.wired.com/2015/11/judge-blocks-nsa-spying-and-sets-an-important-precedent/

    A federal judge has ordered an immediate halt to the NSA’s controversial phone records collection program, ruling that the program violates the Constitution.

    US District Judge Richard Leon’s decision to end the collection is a victory for the plaintiffs in the case and for civil liberties groups who have been asserting that the program was unconstitutional since it was first exposed by Edward Snowden in 2013.

    But while the ruling is important in principle for what it says about the legality of the program, its practical importance is minimal since the ruling only applies to the two plaintiffs who brought suit against the NSA—Larry Klayman, a conservative legal activist, and his business.

    Even that victory is minor since the NSA’s collection program is already set to end on November 29. The ruling is significant anyway, however, because it’s so rare that a judge ever enjoins the NSA from spying.

    The NSA’s phone records collection program began around May 2006 and has continued until today, allowing the spy agency to collect millions of phone records for customers of Verizon and other US phone companies.

  19. Tomi Engdahl says:

    The NSA keeps 9 percent of the vulnerabilities it discovers to itself
    http://betanews.com/2015/11/07/the-nsa-keeps-9-percent-of-the-vulnerabilities-it-discovers-to-itself/

    Openness and the NSA are not happy bedfellows; by its very nature, the agency is highly secretive. But in recent years, post-Edward Snowden, the organization has embarked on something of a PR campaign in an attempt to win back public trust.

    The latest manoeuvre sees the NSA promoting the fact that when it discovers security vulnerabilities and zero-days in software, it goes public with them in 91 percent of cases… but not before it has exploited them. No information about the timescale for disclosures is given, but what most people will be interested in is the remaining 9 percent which the agency keeps to itself.

  20. Tomi Engdahl says:

    Microsoft swallows data protection software company Secure Islands
    Islands in the Redmond Stream
    By Dave Neal
    http://www.theinquirer.net/inquirer/news/2433986/microsoft-swallows-data-protection-software-company-secure-islands

    “This acquisition accelerates our ability to help customers secure their business data no matter where it is stored – across on-premises systems, Microsoft cloud services like Azure and Office 365, third-party services, and any Windows, iOS or Android device,” said Takeshi Numoto, corporate VP for pushing Microsoft cloud and enterprise services.

    “Businesses continue to face challenges protecting their data in a world where information travels beyond the boundary of the corporate network and across many devices outside company control.

    “Secure Islands’ technology enhances the data protection capabilities available today with Azure Rights Management Service, Microsoft’s cloud-based information protection solution,”

  21. Tomi Engdahl says:

    Linux webmasters hit with encryption ransomware issue
    Trojan encrypts files and messes with your day
    http://www.theinquirer.net/inquirer/news/2433914/linux-webmasters-hit-with-encryption-ransomware-issue

    A RUSSIAN SECURITY OUTFIT CALLED Dr Web has warned Linux users that they have an encryption malware ransomware threat to worry about.

    The antivirus doctor type company says that it has enough evidence to put a flame to a malware trojan beacon, warning that so far tens of users have fallen victim to infection. Infected parties are webmasters, and the files are those associated with the serving of webpages.

    “Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed on,” it said.

    “There have been some cases, when virus makers exploited the CMS Magento vulnerability to launch attacks on web servers. Doctor Web security researchers presume that at least tens of users have already fallen victim to this Trojan.”

    The trojan has a plain name, Linux.Encoder.1, and Doctor Web reckons that once it is onboard – it is not clear how that happens – it downloads extra files, and grabs out at RSA keys. After that, things get really bad.

  22. Tomi Engdahl says:

    Untamed pledge() aims to improve OpenBSD security
    Monkey with the wrong permissions, your program dies
    http://www.theregister.co.uk/2015/11/10/untamed_pledge_hopes_to_improve_openbsd_security/

    Linus Torvalds may have used the Washington Post to drop a bucket on the “masturbating monkeys” of OpenBSD, but they seem insular enough not to care overmuch.

    In a set of slides posted at openbsd.org, one of the project’s founders, Theo de Raadt, has set down the principles behind one of the projects that Torvalds dislikes – the renamed tame(), now called pledge().

    Pledge() is designed as a mitigation rather than a cure-all, de Raadt explains, but it’s a mitigation with an interesting approach: a process or application stipulates the system services it needs, and if it steps beyond its boundaries, it’s killed.

    Why bother? Think of it as a second line of security: someone trying to exploit a compromised application to step outside its permissions finds themselves stonewalled by the pledge() rules.

    He explains that the system call interface is an attack surface, but many common library routines “call a wide variety of system calls”.

    In looking at 500 OpenBSD programs, de Raadt says, there’s a clear pattern in how system calls are used: there’s a “rich set of system calls needed during initialisation”, but the main loop of the program calls a “narrower class of system calls”.

    Hence, if pledge() statements (requests for permission to use particular system calls) are inserted between initialisation and the main loop, it can watch over operations to see if the program breaks its own rules.

    Pledge() itself for now covers calls like stdio; various path calls; file attributes (such as ownership); socket opening statements; networking like DNS and route calls; getpwd and others.

    However, “as more needs are found”, pledge() can be extended, he writes.

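    The staged pattern the article describes, as an added example that is not from the article or from OpenBSD's own sources: a small line filter promises "stdio rpath" while it reads its config file during initialisation, then narrows to "stdio" before its main loop. It calls the real pledge(2) on OpenBSD; on other systems a clearly labelled stand-in records the promise string so the program still builds and runs. The config file format, the search term and the promise sets are assumptions.

```c
/* Added example (not from the article or from OpenBSD): the pledge()
 * pattern de Raadt describes. Initialisation gets a richer promise set,
 * the main loop a narrower one; any call outside the current set kills
 * the process. Builds with the real pledge(2) on OpenBSD; elsewhere a
 * stand-in records the promise string so the program still runs. */
#ifndef __OpenBSD__
#define _POSIX_C_SOURCE 200809L  /* mkstemp/fmemopen for callers on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __OpenBSD__
/* pledge(2) is declared in <unistd.h> on OpenBSD; nothing to add. */
#else
/* Stand-in for non-OpenBSD hosts (assumption, not a real syscall):
 * it only remembers the most recent promise set, enforcing nothing. */
static char current_promises[64] = "(unpledged)";
static int pledge(const char *promises, const char *execpromises)
{
    (void)execpromises;
    snprintf(current_promises, sizeof current_promises, "%s", promises);
    return 0;
}
#endif

/* Initialisation phase: read the search term (first line) from a config
 * file. Needs "rpath" for the fopen(); "stdio" covers read and close. */
static int load_needle(const char *config_path, char *needle, size_t len)
{
    FILE *cfg = fopen(config_path, "r");
    if (cfg == NULL)
        return -1;
    if (fgets(needle, (int)len, cfg) == NULL) {
        fclose(cfg);
        return -1;
    }
    fclose(cfg);
    needle[strcspn(needle, "\r\n")] = '\0';   /* strip the newline */
    return 0;
}

/* Main loop: count the lines of `in` containing the needle and echo the
 * matches to `out`. Only stdio is needed here, so the promise set is
 * narrowed before this runs. */
static int count_matches(FILE *in, FILE *out, const char *needle)
{
    char line[512];
    int matches = 0;
    while (fgets(line, sizeof line, in) != NULL) {
        if (strstr(line, needle) != NULL) {
            matches++;
            fputs(line, out);
        }
    }
    return matches;
}

/* Whole program flow. Returns the match count, or -1 on any failure,
 * including a refused pledge(), which must never be ignored. */
int run_filter(const char *config_path, FILE *in, FILE *out)
{
    char needle[64];

    /* Initialisation may open files for reading: promise "stdio rpath".
     * The second argument (execpromises on current OpenBSD) is left NULL
     * because this program never execs. */
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    if (load_needle(config_path, needle, sizeof needle) == -1)
        return -1;

    /* Initialisation done: drop "rpath". From here on, an fopen() would
     * get the process killed on OpenBSD instead of quietly succeeding. */
    if (pledge("stdio", NULL) == -1)
        return -1;

    return count_matches(in, out, needle);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s config-file < input\n", argv[0]);
        return 2;
    }
    int n = run_filter(argv[1], stdin, stdout);
    if (n < 0) {
        perror("run_filter");
        return 1;
    }
    fprintf(stdout, "%d matching line(s)\n", n);
    return 0;
}
```

    On OpenBSD, adding a second fopen() after the narrowing pledge() call is enough to see the enforcement: the process is killed rather than the open succeeding.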
  23. Tomi Engdahl says:

    Outrageous OPSEC: What happens when skiddies play natsec
    Rocket Kitten phishermen self-d0x with hard-coded credentials
    http://www.theregister.co.uk/2015/11/10/rocket_kitten_checkpoint/

    CheckPoint has raided the servers of a bumbling alleged Iranian hacking group using credentials hardcoded into malware, using its access to name suspected members.

    The Rocket Kitten group was revealed in September 2014, and in more detail later in March, targeting organisations throughout the Middle East with persistent, successful, but unsophisticated phishing emails.

    CheckPoint has entered the fray with its latest report (pdf), finding holes in the group’s horrendously poor operational security to discover what it says are likely the true identities of at least two members.

    While attribution is a messy and dangerous business, Rocket Kitten’s supreme operational security failures provided the unnamed Check Point researchers with plenty of evidence to link hacker aliases with names: command and control credentials were hardcoded into the malware, and the VXers failed to remove infections on their own machines.

    http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

  24. Tomi Engdahl says:

    The kernel of the argument
    Fast, flexible and free, Linux is taking over the online world. But there is growing unease about security weaknesses.
    http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/

    It took years for the Internet to reach its first 100 computers. Today, 100 new ones join each second. And running deep within the silicon souls of most of these machines is the work of a technical wizard of remarkable power, a man described as a genius and a bully, a spiritual leader and a benevolent dictator.

    Linus Torvalds

    But while Linux is fast, flexible and free, a growing chorus of critics warn that it has security weaknesses that could be fixed but haven’t been. Worse, as Internet security has surged as a subject of international concern, Torvalds has engaged in an occasionally profane standoff with experts on the subject. One group he has dismissed as “masturbating monkeys.” In blasting the security features produced by another group, he said in a public post, “Please just kill yourself now. The world would be a better place.”

    There are legitimate philosophical differences amid the harsh words. Linux has thrived in part because of Torvalds’s relentless focus on performance and reliability, both of which could suffer if more security features were added. Linux works on almost any chip in the world and is famously stable as it manages the demands of many programs at once, allowing computers to hum along for years at a time without rebooting.

    Yet even among Linux’s many fans there is growing unease about vulnerabilities in the operating system’s most basic, foundational elements — housed in something called “the kernel,” which Torvalds has personally managed since its creation in 1991. Even more so, there is concern that Torvalds’s approach to security is too passive, bordering on indifferent.

    “There are a lot of kernel developers who do really care about security, but they’re not the ones making the calls.”

    The rift between Torvalds and security experts is a particular source of worry for those who see Linux becoming the dominant operating system at a time when technology is blurring the borders between the online and offline worlds. Much as Windows long was the standard for personal computers, Linux runs on most of the Internet’s servers. It also operates on medical equipment, sensitive databases and computers on many kinds of vehicles, including tiny drones and warships.

    “If you don’t treat security like a religious fanatic, you are going to be hurt like you can’t imagine. And Linus never took seriously the religious fanaticism around security,”

    Over several hours of conversation, Torvalds, 45, disputed suggestions that security is not important to him or to Linux, but he acknowledged being “at odds” with some security experts. His broader message was this: Security of any system can never be perfect. So it always must be weighed against other priorities — such as speed, flexibility and ease of use — in a series of inherently nuanced trade-offs. This is a process, Torvalds suggested, poorly understood by his critics.

    “The people who care most about this stuff are completely crazy. They are very black and white,” he said, speaking with a slight Nordic accent from his native Finland. “Security in itself is useless. . . . The upside is always somewhere else. The security is never the thing that you really care about.”

    “There is no way in hell the problem there is the kernel,” Torvalds said. “If you run a nuclear power plant that can kill millions of people, you don’t connect it to the Internet.”

    Or if you do, he continued, you build robust defenses such as firewalls and other protections beyond the operating system so that a bug in the Linux kernel is not enough to create a catastrophe.

    “If I have to worry about that kind of scenario happening,” Torvalds added with a wry grin, “I won’t get any work done.”

    Now, consider this: The Linux kernel runs on the New York Stock Exchange, every Android smartphone and nearly all of the world’s supercomputers. Much of the rapidly expanding universe of connected devices uses Linux, as do many of the world’s biggest companies, including Google, Facebook and Amazon.com. The tech-heavy U.S. economy, many would argue, also depends on the smooth functioning of Linux.

    Accidental hero

    Stories about tech titans tend toward pat narratives: the blazing discovery, the shrewd business moves, the thrilling triumph after years of struggle. The story of Torvalds, and by extension Linux, is almost the opposite. He was a shy, brainy college student who built something with no obvious market — a new operating system in a world that already had Windows, Mac OS and Unix — and gave it away. It wasn’t a business. It was a hobby.

    Versions of Linux have proved vulnerable to serious bugs in recent years.

    Those problems did not involve the kernel itself, but experts say the kernel has become a popular target for hackers building “botnets,” giant networks of computers that can be organized to initiate cyberattacks. Experts also say that government spies — and the companies that sell them surveillance tools — have turned their attention to the kernel as Linux has spread.

    “A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time,” Akamai’s security team wrote. But the sharply rising popularity of Linux has meant “the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.”

    But harden how?

    Ultimate attack surface

    Even if Torvalds originally considered Linux a hobby, others saw gold. Red Hat, a North Carolina company, released a version that became widely deployed across corporate America and at many government agencies. A South African businessman released Ubuntu, a popular desktop version of Linux, in 2004. Traditional tech giants — IBM, Intel, Oracle — also made big bets on Linux.

    The rising popularity of the operating system sparked efforts to toughen its defenses. Companies that sold versions of Linux had security teams add protections. Even the U.S. government, which has adopted Linux on many of its computers, had the NSA develop advanced security features, called SELinux, making the operating system more suitable for sensitive work.

    The problem, as critics pointed out, was that these protections relied on building walls around the operating system that, however high or thick, could not possibly stop all comers. Those who penetrated gained control of the Linux kernel itself, meaning the hackers could make a compromised computer do anything they wanted — even if every other piece of software on the machine was flawlessly protected. According to veteran security engineer Kees Cook, this made the Linux kernel “the ultimate attack surface.”

    In an era when software makers increasingly were candid about security flaws, issuing alerts that detailed problems and explicitly urged people to install safer updates, Torvalds had a different approach. In messages that accompanied each new version of the Linux kernel, he described various improvements but would not call attention to the ones that fixed security problems.

    This frustrated security experts who saw transparency as a key part of their mission. They reasoned that if a software maker knew about a bug, then malicious hackers almost certainly did, too, and had been exploiting it for months or even years. Failing to warn users directly and forcefully made it harder for them to protect themselves.

    Torvalds also resisted suggestions that security deserved a special place in the hierarchy of concerns faced by software makers. All flaws, in his view, were equally serious.

    This comment — often recalled in shorthand as Torvalds’s declaration that “bugs are just bugs” — is the line most often quoted by his critics as they seek to explain what they consider a persistent, almost willful tone-deafness on security.

    Those who specialize in security think in terms of categories of bugs. Each one is a cousin of others, some known, some not yet discovered, based on which functions they exploit. By studying each new one carefully, these experts say it is possible to defeat entire classes of bugs with a single fix.

    Rather than trying to create protections against “classes” of bugs, Torvalds hopes to inspire better coding in general. “Well-written code just doesn’t have a lot of special cases. It just does the right thing. . . . It just works in all situations.”

    “The market for that is pretty small in the end,” he later said of Spengler’s project. “Most people don’t want the Grsecurity system.”

    The limited consumer demand for security was not news to anybody who worked in the field. Spengler often lamented how, as Linux spawned a multibillion-dollar industry, he and his colleagues struggled to raise enough in donations to underwrite their work.

    “People don’t really care that much,” Spengler later said. “All of the incentives are totally backward, and the money isn’t going where it’s supposed to. The problem is just going to perpetuate itself.”

    Because the Linux kernel is not produced by a business, it does not respond to market conditions in a conventional way, but it is unquestionably shaped by incentives — and, most of all, by Torvalds’s priorities.

    Even many Linux enthusiasts see a problem with this from a security perspective: There is no systemic mechanism for identifying and remedying problems before hackers discover them, or for incorporating the latest advances in defensive technologies. And there is no chief security officer for the Linux kernel.

    “Security is an easy problem to ignore, and maybe everyone thinks somebody else should do it,”

    The most famous overhaul in software history came in 2002, when Gates ordered engineers at Microsoft to make security their top priority, a process that took several years and helped the famously hackable staples of that company’s lineup to become considerably safer.

    The security situation with Linux is not nearly so dire as it was for Microsoft in 2002. It’s also harder to see how such an overhaul could happen for an open-source project.

    The security stakes for the tech industry were underscored in the keynote address at an August summit on Linux security that pointedly compared the blinkered attitude of software makers today to that of the automobile industry in the 1960s, when cars functioned well but failed to protect people during unforeseen events such as crashes — leading directly to unnecessary suffering and death.

    “Let’s not take 50 years to get to the point where computing is fun, powerful and a lot less likely to maim you when you make a mistake,” concluded the keynote speaker, Konstantin Ryabitsev, who manages computer systems for the Linux Foundation.

  25. Tomi Engdahl says:

    UK Gov’t Can Demand Backdoors, Give Prison Sentences For Disclosing Them
    http://news.slashdot.org/story/15/11/10/0154242/uk-govt-can-demand-backdoors-give-prison-sentences-for-disclosing-them?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    An anonymous reader writes with some of the latest news about the draft Investigatory Powers Bill. Ars reports: “Buried in the 300 pages of the draft Investigatory Powers Bill (aka the Snooper’s Charter), published on Wednesday, is something called a ‘technical capability notice’ (Section 189).”

    Professor of journalism at City University Heather Brooke writes at the Guardian: “When the Home Office and intelligence agencies began promoting the idea that the new investigatory powers bill was a “climbdown”, I grew suspicious. If the powerful are forced to compromise they don’t crow about it or send out press releases – or, in the case of intelligence agencies, make off-the-record briefings outlining how they failed to get what they wanted. That could mean only one thing: they had got what they wanted. So why were they trying to fool the press and the public that they had lost? Simply because they had won. I never thought I’d say it, but George Orwell lacked vision.”

    This snooper’s charter makes George Orwell look lacking in vision
    Heather Brooke
    http://www.theguardian.com/commentisfree/2015/nov/08/surveillance-bill-snoopers-charter-george-orwell

    I never thought I’d say it, but George Orwell lacked vision. The spies have gone further than he could have imagined, creating in secret and without democratic authorisation the ultimate panopticon. Now they hope the British public will make it legitimate.

    This bill is characterised by a clear anti-democratic attitude. Those in power are deemed to be good, and are therefore given the benefit of the doubt. “Conduct is lawful for all purposes if …” and “A person (whether or not the person so authorised or required) is not to be subject to any civil liability in respect of conduct that …”: these are sections granting immunity to the spies and cops.

    The spies’ surveillance activities are also exempt from legal due process. No questions can be asked that might indicate in any legal proceeding that surveillance or interception has occurred. This is to ensure the general public never learn how real people are affected by surveillance. The cost of this exemption is great. It means British prosecutors can’t prosecute terrorists on the best evidence available – the intercepts – which are a key part of any prosecution in serious crime cases worldwide.

    While the concerns of the state dominate, those of the citizen are nowhere to be seen. There is almost no mention in the bill of the privacy and democratic costs of mass surveillance, nor of seriously holding the state to account for the use and abuse of its sweeping powers.

    The adjectives used to describe the “stringent application process” (for warrants) or the “robust safeguards” and “world class scrutiny” are doing the heavy lifting of conveying the robustness of the regime. The reality is quite different.

    Not everything needs a warrant. Our digital lives can be accessed after authorisation within the agency itself. No judicial approval necessary.

    In addition, business owners would have to contend with the man from MI5 ordering that they create new databases or monitoring tools. If companies don’t keep these, they’ll have to create them and face a criminal offence if they fail to put in place security measures to “protect against unlawful disclosure”. Possibly the state may compensate them for all this, possibly not. It’s up to a minister.

    Business owners will not be able to speak out about this to anyone, even their employees, or appeal to any court or legal authority.

    Companies can be legally compelled by the security services to hack their customers’ equipment.

    There are two types of transparency: downwards – where the ruled can observe their rulers, as codified in Freedom of Information Acts – and upwards, where those at the bottom are made transparent to those at the top, such as by state surveillance. Democracy is characterised by transparency downwards, tyranny by the opposite. It is telling that at the same time this government is seeking to undermine the Freedom of Information Act, it has introduced an investigatory powers bill that puts us all under the spotlight of suspicion.

  26. Tomi Engdahl says:

    China may have just made it harder for its citizens to ever get Spotify or Apple Music
    http://qz.com/545395/china-may-have-just-made-it-harder-for-its-citizens-to-ever-get-spotify-or-apple-music/

    China doesn’t think its online censorship laws are strict enough. So government officials, in an effort to continue purging potentially subversive content from the country, are now turning their attention toward an unexpected target—music.

    Starting next year, companies that offer online music in China will be ordered to filter their libraries for “harmful” content before making any music available to the public, Reuters and several other news agencies reported Monday (Nov. 9). China’s Ministry of Culture announced the rule on its website.

    Three of the biggest web service sites in the country—Alibaba, Baidu, and Tencent—offer music streaming services and will more than likely be subject to the change. These companies already have to censor their web content, and many of them employ large teams of people to find and erase sensitive online material. Under the new rules, the size of those teams will probably have to increase.

    China looking to scrub its Internet of offensive songs
    http://www.cnet.com/news/china-reaches-into-online-music-to-squelch-offensive-songs/#ftag=CADf328eec

    The People’s Republic is taking aim at music, ordering all music streaming companies to examine songs before they’re released to the public to ensure they’re not violent, overly sexual or inappropriate.

    China’s Internet is one of the most censored in the world, and now could face even fiercer censorship thanks to new regulations set to come into effect next January.

    Under the new rules, announced on Monday, companies that provide or host music will need to examine what’s being made available before it’s posted to ensure it’s appropriate for public consumption, as per China’s Ministry of Culture.

    The result could be particularly unfortunate for Chinese fans of hip hop, with authorities having blacklisted dozens of rap songs in August, claiming they promote violence and obscenity.

    The tightening control over online music is the latest attempt by the Chinese government to keep the Internet clean of offensive, pornographic and culturally inappropriate content. The People’s Republic is already well known for having a heavily censored Internet, with sites like Facebook, Google and Twitter being blocked behind what’s referred to as The Great Firewall of China.

    Even with strong censorship of content, Chinese companies have been aggressive in offering streaming entertainment, with the country having a massive 480 million Internet users who listen to online music, according to the China Internet Network Information Center.

  27. Tomi Engdahl says:

    The computer virus is born, November 10, 1983
    http://www.edn.com/electronics-blogs/edn-moments/4437117/The-computer-virus-is-born–November-10–1983?_mc=NL_EDN_EDT_EDN_today_20151110&cid=NL_EDN_EDT_EDN_today_20151110&elq=a71fb7cf88404f23aaa6987b8b9e3ee8&elqCampaignId=25640&elqaid=29181&elqat=1&elqTrackId=5ed99c8109af430b8e4a9e320f290323

    At a security seminar in 1983, Fred Cohen, a USC graduate student, demonstrated a short program that infected a computer, replicated, and spread to other computers. The way it infected the system was compared to a virus and the term “computer virus” was born.

    Cohen inserted code into a Unix command which allowed him to gain control of a mainframe computer system in just five minutes. The code was hidden in a legitimate program on a floppy disk.

    His academic adviser, Leonard Adleman, pointed out that the self-replicating code worked like a virus, coining the term. Adleman is also known for being a co-inventor of the RSA (the A is for Adleman) cryptosystem, often used in security systems.

  28. Tomi Engdahl says:

    Your Unhashable Fingerprints Secure Nothing
    http://hackaday.com/2015/11/10/your-unhashable-fingerprints-secure-nothing/

    Passwords are crap. Nobody picks good ones, when they do they re-use them across sites, and if you use even a trustworthy password manager, they’ll get hacked too. But you know what’s worse than a password? A fingerprint. Fingerprints have enough problems with them that they should never be used anywhere a password would be.

    Passwords are supposed to be secret, like the name of your childhood pet. In contrast, you carry your fingers around with you out in the open nearly everywhere you go. Passwords also need to be revocable. In the case that your password does get revealed, it’s great to be able to simply pick another one. You don’t want to have to revoke your fingers. Finally, and this is the kicker, you want your password to be hashable, in order to protect the password database itself from theft.

    In the rest of the article, I’ll make each of these three cases, and hopefully convince you that using fingerprints in place of a password is even more broken than using a password in the first place. (You listening Apple and Google? No, I didn’t think you were.)

    Reply
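An added illustration of the hashability point made above (example code written for this post, not from the Hackaday article): a salted password hash verifies only an exact match, while a constructed stand-in for two scans of the same finger shows why a biometric matcher needs the enrolled template in the clear. The iteration count, the scan values and the tolerance are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Deliberately modest constructed iteration count so the demo runs quickly.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is stored; the password
    itself never touches disk, so a stolen table does not reveal it directly."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time. An exact match is all a hash
    can ever check; a password that is off by one character fails."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed stand-in for two captures of the same finger: biometric scans
# are never byte-identical, they differ slightly on every capture.
ENROLLED_SCAN = bytes([10, 42, 77, 130, 201, 19, 88, 240])
LATER_SCAN = bytes([10, 42, 78, 130, 201, 19, 88, 240])   # one feature off by 1


def scans_match_fuzzy(a: bytes, b: bytes, tolerance: int = 2) -> bool:
    """How a biometric matcher has to work: tolerate small differences.
    That requires the enrolled template in the clear, which is exactly
    what hashing is meant to avoid for passwords."""
    return len(a) == len(b) and sum(abs(x - y) for x, y in zip(a, b)) <= tolerance


def scans_match_hashed(a: bytes, b: bytes) -> bool:
    """Treating a scan like a password: any one-bit difference changes the
    digest completely, so a genuine re-scan of the same finger fails."""
    salt = b"\x00" * 16   # fixed constructed salt so both sides hash the same way
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", a, salt, ITERATIONS),
        hashlib.pbkdf2_hmac("sha256", b, salt, ITERATIONS),
    )


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery")
    print("password ok:   ", verify_password("correct horse battery", salt, digest))
    print("password typo: ", verify_password("correct horse batterz", salt, digest))
    print("scan, fuzzy:   ", scans_match_fuzzy(ENROLLED_SCAN, LATER_SCAN))
    print("scan, hashed:  ", scans_match_hashed(ENROLLED_SCAN, LATER_SCAN))
```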
  29. Tomi Engdahl says:

    Apple’s Tim Cook declares the end of the PC and hints at new medical product
    http://www.telegraph.co.uk/technology/apple/11984806/Apples-Tim-Cook-declares-the-end-of-the-PC-and-hints-at-new-medical-product.html

    Exclusive interview: The Apple boss has two missions – taking on the office PC with his new devices and keeping his customers safe from cyber criminals

    One area that is clearly of big concern to Apple, a company that has been unusually passionate in its defence of privacy, is the prospect of any legislation that could make it harder for it to encrypt consumers’ communications end to end – in a way that even it cannot read — or that would create loopholes that could be hacked.

    Theresa May’s Investigatory Powers Bill – the Snoopers’ Charter – wouldn’t ban encryption but would enforce a requirement on tech firms and service providers to help provide unencrypted communications to the police or spy agencies if requested through a warrant. There are fears that it could be used to demand that firms terminate end to end encryption, allowing them to read people’s communications and pass them onto the authorities.

    “To protect people who use any products, you have to encrypt. You can just look around and see all the data breaches that are going on. These things are becoming more frequent. They can not only result in privacy breaches but also security issues. We believe very strongly in end to end encryption and no back doors,” Cook warns. “We don’t think people want us to read their messages. We don’t feel we have the right to read their emails.”

    “Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.”

    The Apple boss doesn’t believe that it is possible or sensible for a country to go it alone; technology and systems have become too globalised. “We are all connected, whether we like it or not”.

    It would also be wrong to pick on a few big players, he says. “It’s not the case that encryption is a rare thing that only two or three rich companies own and you can regulate them in some way. Encryption is widely available. It may make someone feel good for a moment but it’s not really of benefit. If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go.”

    Data and identity theft has a very real human cost, he argues. By jeopardising “people’s financial security, it can affect their psychology and health.” Worse, cybercriminals and cyberterrorists could hack into the IT systems that control our infrastructure and transport systems, with potentially devastating effects, “including our trains.”

    He is confident that May and the government will do the right thing. “I’m optimistic.”

    Reply
  30. Tomi Engdahl says:

    Megan Geuss / Ars Technica:
    US charges three men with widespread hacking whose targets included JP Morgan

    Suspects allegedly used Heartbleed to hack into a global financial institution.
    http://arstechnica.com/tech-policy/2015/11/us-charges-three-men-with-widespread-hacking-whose-targets-included-jp-morgan/

    On Tuesday federal prosecutors unsealed charges against three men, revealing details of a sprawling criminal enterprise that involved hacking some of the US’ biggest financial institutions as well as the theft of personal information pertaining to 100 million customers. With that information, the men allegedly made off with hundreds of millions of dollars.

    Although the indictment does not name the hacked financial institutions directly, Reuters reports that JP Morgan Chase, ETrade, and News Corp. (which owns The Wall Street Journal) have confirmed that they were party to the crimes described by the indictment.

    The newly unsealed charges (PDF) accuse Gery Shalon, a 31-year-old Israeli, of masterminding the hacks that resulted in the loss of personal information pertaining to some 100 million customers of US financial institutions

    Chief among the allegations is that Shalon and Aaron used their unauthorized access to financial institution networks to artificially manipulate certain US stock prices through a “pump-and-dump” scheme.

    US authorities also charged that Shalon and his co-conspirators operated illegal gambling websites, processed payments for criminals selling anything from illegal pharmaceuticals to malware, and operated an illegal US-based Bitcoin exchange that ran afoul of US anti-money laundering laws.

    These activities apparently earned the group hundreds of millions of dollars between 2007 and July 2015, “of which Shalon concealed at least $100 million in Swiss and other bank accounts,” the indictment says.

    Today’s unsealed indictment also paints an interesting picture of how some of the network intrusions allegedly occurred. The US Attorney General claims that Aaron was a customer of many of the hacked companies, and he gave his login credentials to Shalon and an unnamed co-conspirator who performed analysis of the companies’ networks. Shalon and the co-conspirator later accessed the companies’ networks and placed malware on them to allow them to steal information about customers over a period of months

    http://www.justice.gov/usao-sdny/file/792506/download

    Reply
  31. Tomi Engdahl says:

    Kim Zetter / Wired:
    Leaked documents show the FBI never charged the hacker in the Matthew Keys case, despite knowing his identity for at least two years

    Feds Never Charged the Real Hacker in the Matthew Keys Case
    http://www.wired.com/2015/11/matthew-keys-case-feds-know-who-the-real-hacker-sharpie-is/

    Former Reuters social media editor Matthew Keys is facing up to 25 years in prison after his conviction last month on conspiracy charges related to a 2010 hack of the Los Angeles Times web site. Although Keys didn’t actually conduct the hack, prosecutors aggressively pursued him anyway. Now it turns out that authorities have known the alleged identity of the real hacker for at least two years, but apparently never pursued charges against him.

    UK authorities identified the alleged hacker as a 35-year-old living in Scotland and shared this information with the FBI back in 2013, according to FBI documents that were published on the Cryptome web site last July and that recently came to WIRED’s attention.

    “It’s kinda complicated,” a spokesman for the US Attorney’s office in Los Angeles told WIRED about the US failure to pursue charges, without elaborating.

    After he posted the credentials in the chat room, Keys encouraged members of Anonymous to use them to “go fuck some shit up.”

    A hacker going by the name “Sharpie” then used the credentials to access a Tribune server and make a minor alteration to the headline of a Los Angeles Times news story.

    Keys was charged in 2013 with conspiracy to cause unauthorized damage to a protected computer, with transmission of computer code that resulted in unauthorized damage of a protected computer, and with attempting to transmit malicious code to cause unauthorized damage. Earlier this month, he was convicted on all charges.

    Although Keys was charged under a specific provision of the Computer Fraud and Abuse Act—causing unauthorized damage to a protected computer—prosecutors calculated losses for activities that were unrelated to this charge and that caused no damage to a computer.

    But while US prosecutors extended considerable effort to convict Keys of a felony hack, they extended much less effort on tracking down Sharpie, the person who actually did the hacking.

    Cauthen added that the hacker known as Sharpie was believed to be in the UK, and police officials there already knew of him “for his involvement in the Anonymous group.” Sharpie had apparently participated in Operation Payback, a series of DDoS attacks that targeted Visa, MasterCard, and Paypal in 2010 for refusing to process donations to WikiLeaks.

    “The logical course of action is to request information from investigators in the United Kingdom to see if they have information regarding Sharpie,” Cauthen wrote his Los Angeles counterpart.

    WIRED was unable to independently verify the authenticity of the FBI documents, but there is no reason to believe the information disclosed in them is not correct.

    Reply
  32. Tomi Engdahl says:

    GCHQ says that British industry is bashed seven times a day by hackers
    We’re probably gonna need some bigger laws
    http://www.theinquirer.net/inquirer/news/2434040/gchq-says-that-british-industry-is-bashed-seven-times-a-day-by-hackers

    ACCORDING TO THE WATCHMEN AT GCHQ, the average UK enterprise is bothered by malicious attacks around seven times a day.

    The spy agency has been chatting to its friends at the Telegraph, which reports that GCHQ estimates there are 200 attacks on industry every month, up from 100 in summer 2014.

    “These are attacks that are of significance to national security,” said Ciaran Martin, director general for cyber security at GCHQ. “That is either because of who the aggressor or the victim is or because of the nature of the attack.”

    Victims of such attacks, said Martin, are the kind of outfits that you really don’t want to be attacked, exposed or made vulnerable. They include nuclear power companies and businesses that work with the military.

    “CyberInvest is an exciting initiative which brings industry, government and academia together, and builds on the UK’s reputation as a global leader for cyber security research,” said Ed Vaizey UK Minister for Culture and the Digital Economy

    Reply
  33. Tomi Engdahl says:

    Proof-of-Concept Ransomware Affects Macs

    http://apple.slashdot.org/story/15/11/10/1846215/proof-of-concept-ransomware-affects-macs?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Ransomware, the devilish family of malware that locks down a victim’s files until he or she coughs up a hefty bounty, may soon be coming to Mac.

    We Now Have Proof that Macs Can Get Ransomware
    http://motherboard.vice.com/read/we-now-have-proof-that-macs-can-get-ransomware

    Last week, a Brazilian security researcher produced a proof-of-concept for what appears to be the first ransomware to target Mac operating systems (Mac OS X). On Monday, cybersecurity company Symantec verified the researcher’s findings.

    “Mabouia is the first case of file-based crypto ransomware for OS X, albeit a proof-of-concept,” Symantec wrote in a blog post.

    “It’s simple code, I did it in two days,” Rafael Salema Marques, the creator of the malware dubbed “Mabouia,” told Motherboard in a phone interview.

    Reply
  34. Tomi Engdahl says:

    Ex-GCHQ chief: Bulk access to internet comms not same as mass surveillance
    ‘I’d have gone further and demanded weblogs’
    http://www.theregister.co.uk/2015/11/11/ex_gchq_chief_bulk_access_to_internet_comms_not_same_as_mass_surveillance/

    A specially convened, one-off chinwag about the so-called “tech issues” in the UK government’s latest draft super-snoop bill failed to get to the nitty-gritty on Tuesday afternoon.

    Parliament’s science and technology committee faced down industry bods, the former boss of GCHQ and a number of academics to try to better understand some of the technical concerns that have been raised following the draft legislation’s arrival last week.

    Inevitably, one-time GCHQ chief Sir David Omand was animated about supporting the government’s bid to massively ramp up snooping on Brits’ online activity.

    When quizzed about technical improvements, he told MPs: “I would have gone slightly further than internet connection records. Having a full weblog would be far better.”

    The trouble is that such a strategy “is not thought to be saleable” at present.

    “The volumes of data are enormous on the internet,” Omand added. “This bill will not eliminate the difficulties of encryption … but it will help the authorities manage their level of risk.”

    Earlier in the session, Internet Service Providers’ Association chair James Blessing had warned MPs that many of the technical demands in the draft legislation were “fuzzy”.

    “The communications data definitions are actually not fuzzy at all, they’re actually quite precise. What is not defined in the bill is metadata,”

    On encryption, he said “I’m not mandating backdoors” and claimed that there was “a lot of nuisance” being written about the government’s stance on crypto tech, which just so happened to chime with similar claims coming out of the GCHQ camp on Tuesday.

    He also claimed that bulk access to internet communications was the same as mass surveillance.

    Reply
  35. Tomi Engdahl says:

    ProtonMail restores services after epic DDoS attacks
    http://www.net-security.org/secworld.php?id=19088

    After several days of intense work, Switzerland-based end-to-end encrypted e-mail provider ProtonMail has largely mitigated the DDoS attacks that made it unavailable for hours on end in the last week.

    The attacks have exceeded 100Gbps, and are still going on, but they are no longer capable of knocking ProtonMail offline for extended periods of time.

    The first attacker, the Armada Collective is a new hacking group motivated by financial gain who demanded a ransom from the company. The second attack came from an unknown group. This second attack caused the bulk of the damage.

    “Their sole objective was to take ProtonMail offline, at any cost, with no regards for collateral damage, and to keep us offline for as long as possible. The attack significantly disrupted our infrastructure and made email access impossible. This impacted over half a million users worldwide, including many journalists, activists, and dissidents who are active on our platform,” said Andy Yen, CEO of ProtonMail.

    Reply
  36. Tomi Engdahl says:

    Tim Cook: UK crypto backdoors would lead to ‘dire consequences’
    Weakening encryption will only hurt the ‘good people’
    http://www.theregister.co.uk/2015/11/10/tim_cook_reaffirms_no_spook_backdoors_over_latest_uk_super_snoop_bid/

    IPB Apple boss Tim Cook has once again warned of what he says would be the “dire consequences” of opening up backdoors to allow spies to access our data.

    He said it would be wrong for the UK government’s latest super-spy bid – the draft Investigatory Powers Bill, which landed in Parliament last week – to weaken cryptography.

    “It’s not the case that encryption is a rare thing that only two or three rich companies own and you can regulate them in some way. Encryption is widely available,” he told the newspaper.

    “It may make someone feel good for a moment but it’s not really of benefit. If you halt or weaken encryption, the people you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go,” Cook added.

    Reply
  37. Tomi Engdahl says:

    Facebook conjures up a trap for the unwary: scanning your camera for your friends
    Auto-spam your friends with Photo Magic
    http://www.theregister.co.uk/2015/11/10/facebook_scans_camera_for_your_friends/

    Facebook has decided it doesn’t pester its users enough, so it’s going to use its facial recognition technology as the basis of a new nag-screen.

    The ad network is testing a feature in its Android app that will scan a user’s recent images for photos that look like their friends. If it spots a match, it’ll ask if the photos should be shared with other people in them.

    The feature is being tested on Australian users first, with iOS to arrive by the end of the week, and if they don’t grab pitchforks and torches, The Social Network™ threatens promises to take it to the US soon.

    The pic-scanning isn’t restricted to photos you’ve already uploaded to Facebook – the app scans your phone’s photo collection for new images, and will raise a dialogue asking if you want to post it to your friends.

    There will be an opt-out, just in case you don’t want a careless selfie in flagrante delicto with a partner’s friend turning up on your feed because the evening involved a lot of booze and not much good sense, and Facebook users who can navigate the baroque maze of its privacy settings can already opt out of having their faces detected in other users’ photos.

    Reply
  38. Tomi Engdahl says:

    RBS promises ‘safe, secure, confidential’ info-sharing on Facebook at Work
    First bankers to use Zuck biz platform
    http://www.theregister.co.uk/2015/10/26/facebook_at_work_rbs/

    RBS has inked a deal with Facebook to allow its 100,000 bank employees to use the free content ad network’s Facebook at Work product.

    Financial details of the agreement were not disclosed by the companies.

    The bank’s surprise decision to opt for a service that is still in its infancy will no doubt raise eyebrows among some, who might question why such a conservative organisation would make such a bold move.

    Facebook, until now, hasn’t been known for competing in the enterprise space.

    Many companies block Facebook at work, which explains the logic behind the arrival of Facebook at Work: a site that is only used within the firewall of a given biz. The service is completely separate from personal Facebook accounts.

    The Mark Zuckerberg-run company only confirmed it was developing a biz-friendly platform in November last year.

    Reply
  39. Tomi Engdahl says:

    “The company’s most important product launch” – F-Secure wants to revolutionize the security market with an easy device

    F-Secure yesterday unveiled a router called Sense for securing the smart home network. It is the company’s first hardware appliance release, which Managing Director Christian Fredriksson described as the company’s most important product launch.

    Sense works by creating a home WLAN network to which all of the home’s wireless devices connect. The router analyses the network traffic passing through it, looking for threats or improper connections. F-Secure’s security cloud provides the computing power and intelligence for Sense.

    Because Sense sits within your home network, between the smart device and the internet, it protects all devices from smart washing machines to lighting and refrigerators.

    Technically, the device is an ac-class WLAN router with two antennas. F-Secure says special attention has been paid to the WLAN network’s capacity.

    In addition to monitoring network traffic, Sense apps will be offered for Android and iOS, and later also for the Windows 10 platform. The application is intended both to protect the device it runs on and to serve as the management panel for the Sense router.

    Through the dashboard, an advanced user can view statistics, for example on network usage and attached devices.

    Sense is designed to be easy to use.

    The device’s services can be expanded in the future. F-Secure plans to extend the application with, for example, password management, and the company’s VPN service Freedome could in the future be part of the appliance, Fredriksson says.

    Sense goes on pre-sale today, but deliveries of the device will not start until next spring. The pre-sale price is 99 euros, and after release EUR 199.

    Source: http://www.tivi.fi/Kaikki_uutiset/yhtion-tarkein-tuotejulkistus-f-secure-haluaa-mullistaa-tietoturvamarkkinat-helpolla-laitteella-6064141

    Reply
  40. Tomi Engdahl says:

    The smartphone will tell us all

    Analytics2015 – Everyone is now talking about big data. Various devices and sensors produce data about us continuously. – The smartphone really tells everything about us, said data artist Jer Thorp, who spoke at the SAS Institute’s Analytics2015 event.

    Thorp’s examples show how modern human life can be described very accurately on the basis of the data collected by the smartphone. – From our movements one can draw a map that tells where you go to the pub every Friday at five o’clock.

    According to Thorp, this does not surprise anyone. When he has presented the results to people, the response is essentially a shrug and a comment that they think he is working for the NSA.

    This is, of course, partly a matter of concern. We should have a personal relationship with our data.

    – Data is not numbers; it is your life, encoded. People produce the data, not the machine. If you do not understand that big data is human, you have the opportunity to make big mistakes.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=3585:alypuhelin-kertoo-meista-kaiken&catid=13&Itemid=101

    Reply
  41. Tomi Engdahl says:

    TalkTalk boss: ‘Customers think we’re doing right thing after attack’
    Sales depressed after being offline for three weeks
    http://www.theregister.co.uk/2015/11/11/talktalk_boss_customers_think_we_are_doing_right_thing_after_attack/

    Shares in TalkTalk climbed more than 12 per cent, following the company’s first half fiscal report to the City this morning.

    The budget telco’s boss Dido Harding was bullish about TalkTalk’s response to the attack on its systems last month.

    She claimed during a conference call with journalists and analysts that some customers had initially attempted to kill their contracts immediately after TalkTalk revealed it had suffered a security breach, only to apparently change their minds following the “blip” in demand to abandon the service.

    Harding added that there were “very early indications that customers think that we’re doing the right thing”.

    Half of the £35m costs that TalkTalk expects to swallow following the breach, which the company has said hit nearly 157,000 subscribers (four per cent of its customer base), is one-off in nature, according to TalkTalk’s chief beancounter, Iain Torrens.

    Harding explained that the bill covers incident response, incremental call volumes, internal IT costs and external IT consulting costs. TalkTalk called in BAE Systems and other security experts, following the attack.

    “Forgone revenue of having sales sites down for three weeks is something to work through,” s

    The telco’s chief reiterated that TalkTalk needed to do more to win back the confidence of its customers.

    Reply
  42. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Court documents show university helped FBI identify Silk Road 2 and possibly child porn suspect; Tor claims FBI paid Carnegie Mellon $1M to deanonymize users — Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects — An academic institution has been providing information …

    Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects
    http://motherboard.vice.com/read/court-docs-show-a-university-helped-fbi-bust-silk-road-2-child-porn-suspects?gbwlbe

    An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

    It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.

    “Whatever you’re doing, it isn’t science.”

    In January of this year, Brian Richard Farrell from Seattle was arrested and charged with conspiracy to distribute heroin, methamphetamine and cocaine.

    In an interview with the FBI, Farrell quickly admitted to being “DoctorClu,” a staff member on the Silk Road 2.0 marketplace, saying “You’re not going to find much of a bigger fish than me.”

    Silk Road 2.0 was launched shortly after the original was shut down in October 2013. It also relied on the Tor anonymity network to hide the IP addresses of both the servers running the marketplace and of those accessing it.

    UPDATE: After the publication of this piece, the Tor Project published a blog post claiming that researchers at Carnegie Mellon University were paid “at least $1 million” to work with the FBI.

    Did the FBI Pay a University to Attack Tor Users?
    https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users

    The Tor Project has learned more about last year’s attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future

    Reply
  43. Tomi Engdahl says:

    The Intercept:
    Prison phone services provider Securus Technologies breached, compromising 70M call recordings including 14K conversations between inmates and attorneys — Massive Hack of 70 Million Prisoner Phone Calls Indicates Violations of Attorney-Client Privilege

    Not So Securus
    https://theintercept.com/2015/11/11/securus-hack-prison-phone-company-exposes-thousands-of-calls-lawyers-and-clients/

    AN ENORMOUS CACHE of phone records obtained by The Intercept reveals a major breach of security at Securus Technologies, a leading provider of phone services inside the nation’s prisons and jails. The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. The calls span a nearly two-and-a-half year period, beginning in December 2011 and ending in the spring of 2014.

    Massive Hack of 70 Million Prisoner Phone Calls Indicates Violations of Attorney-Client Privilege

    Reply
  44. Tomi Engdahl says:

    How to Contact The Intercept Anonymously
    https://theintercept.com/securedrop

    The Intercept is serious about protecting our sources. With our SecureDrop server, you can share messages and files with our journalists in a way that should help you remain secure and anonymous, even from us. Messages and files that you send to us will be encrypted.

    How to Use The Intercept’s SecureDrop Server

    Everything you do on the Internet leaves trails. Before following these instructions, go to a public wifi network, such as at a coffee shop that you don’t normally frequent, and follow them from there. Or connect to a VPN.

    Download and install the Tor Browser Bundle from https://www.torproject.org/.
    Open the Tor Browser and copy and paste this into the address bar: https://y6xjgkgwj47us5ca.onion/
    Follow the instructions to send us information. You will be given a codename that you can use to log back in and check for responses in the future.

    Our SecureDrop servers are under the physical control of The Intercept’s staff. When you interact with our SecureDrop servers, we don’t log any information about your IP address, web browser, or operating system, nor do we deliver persistent cookies to your browser. When you use Tor to connect to our SecureDrop server, your connection is encrypted. Using the Tor network helps mask your activity from anyone that is monitoring your Internet connection, and it helps mask your identity from anyone monitoring our Internet connection.

    Reply
  45. Tomi Engdahl says:

    Instascam! Apple yanks phoney app, Google follows
    Popular password harvester kicked off App Store and Play
    http://www.theregister.co.uk/2015/11/12/instascam_apple_yanks_phoney_app_google_follows/

    A popular but malicious fake Instagram “who viewed your profile” app has been pulled from both Apple’s App Store and Google Play – but not until after between 500,000 and a million suckers downloaded it.

    “Who Viewed Your Profile – InstaAgent” exploited peoples’ insecurity (it’s also a popular way for Twitter scam accounts to draw in the clicks) to get them to install an app that harvested user credentials, posted them to a remote server, and hijacked accounts to post unauthorised images to victims’ profiles.

    Reply
  46. Tomi Engdahl says:

    Got a time machine? Good, you can brute-force 2FA
    Get rid of ntpdate, patch ntpd, says security researcher
    http://www.theregister.co.uk/2015/11/12/got_a_time_machine_good_you_can_bruteforce_2fa/

    Time-based two-factor authentication tokens, and plug-ins that use them, are only as good as your time signal, and in the right (wrong) circumstances, they can be brute-forced.

    Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), it’s too easy for a sysadmin to put together an attackable implementation.

    As he explains in two posts here (the background) and here (proof of concept), if an attacker can trick NTP, they can mount a brute-force attack against the security tokens produced by Google Authenticator (the example in the POC) and a bunch of other Time-based One-time Password Algorithm-based (TOTP) 2FA mechanisms.

    Under TOTP, a seed is combined with the time to produce the token, and as Szathmari points out, “the same combination of secret key and timestamp always generates the same 6-digit code.”

    That’s where NTP comes in. After the world realised the ntpd daemon was vulnerable, it got patched with validation algorithms so as not to accept bogus timestamps, Szathmari writes.

    However, he says, a lot of sysadmins still use the deprecated ntpdate, which doesn’t run validation.

    Time manipulation is what creates the attack vector, Szathmari says. A malicious time source can strand the victim’s clocks in a time warp, making them retain the same six-digit token long enough to step through the million possible combinations, and brute-force the 2FA.

    Reply
  47. Tomi Engdahl says:

    Microsoft Agrees to Store Customer Data in Germany
    http://www.securityweek.com/microsoft-agrees-store-customer-data-germany

    Microsoft has put new data centers in Germany under the control of Deutsche Telekom, the companies said, in a move that will keep privacy-sensitive Germans’ customer data in the country.

    US tech giant Microsoft has put new data centers in Germany under the control of Deutsche Telekom, the companies said Wednesday, in a move that will keep privacy-sensitive Germans’ customer data in the country.

    After scandals over US surveillance programs that spooked Europeans, Deutsche Telekom will serve as “custodian” for Microsoft’s cloud-based services in Germany.

    “All customer data will remain exclusively in Germany,” Deutsche Telekom said in a statement, adding that the service will also be available to European clients outside Germany.

    “With this partnership with T-Systems, Microsoft customers can choose a data protection level that complies with the requirements of German customers and many clients of the public sector,” added Anette Bronder, director of Digital Division at the Deutsche Telekom subsidiary T-Systems.

    Reply
  48. Tomi Engdahl says:

    Tenable Network Security Raises $250 Million
    http://www.securityweek.com/tenable-network-security-raises-250-million

    Tenable Network Security, makers of vulnerability scanners and software solutions that help find network security gaps, announced on Tuesday that it has raised $250 million in a massive Series B funding round.

    Founded in 2002, Tenable’s flagship products include SecurityCenter Continuous View, which provides an integrated view of network health, and Nessus, software used for detecting and assessing network data.

    Customers include Deloitte, Visa, BMW, Adidas, and the U.S. Department of Defense.

  49. Tomi Engdahl says:

    Oz e-health privacy: after a breach is too late
    Privacy foundation slams ‘dangerously naive’ Senators
    http://www.theregister.co.uk/2015/11/12/oz_ehealth_privacy_after_a_breach_is_too_late/

    Australia’s peak privacy body has lambasted the country’s Senate for being ignorant about the implications of the country’s new e-health records.

    What was once called the Personally Controlled Electronic Health Record (PCEHR), re-branded My Health Record this year to give it a smiley face, is the government’s attempt to dragoon Australians into a national health database.

    Looking behind the mask, however, the Australian Privacy Foundation reckons the e-health system looks more like it was designed for spooks and revenue-collectors than for doctors or patients.

    “The PCEHR is accessible in multiple ways, including over the Internet. The first line of defence should be highly effective systemic controls backed up by civil and criminal penalties.

    “Relying primarily on penalties overlooks the fact that they are totally ineffective against criminals and cyber-terrorists operating overseas. Once a breach has occurred, the data cannot be put back in the box. Once an identity is used fraudulently, the damage is done.”

    For that reason, Robinson-Dunn writes, a reliance on criminal and civil penalties is “patently absurd”.

    The APF says the entire e-health strategy needs to be re-evaluated, and the record re-designed to be “functional, secure and useful”.

  50. Tomi Engdahl says:

    Oz railway lets newspaper photograph train keys
    Your opsec slip is showing, Metro Rail
    http://www.theregister.co.uk/2015/11/12/oz_railway_lets_newspaper_photograph_train_keys/

    Police are now saying that yesterday’s Melbourne train-heist-and-wreck was possible because miscreants bought stolen keys online.

    The vandalism, the cost of which is now estimated at AU$3 million rather than the original $2 million, involved people getting into an idle train at Hurstbridge station, starting it, and taking it on a 50-metre trip through the railyard.

    The train was halted by a “derail block”, which then tipped it into another train.

    However, in reporting the issue of stolen keys, Melbourne newspaper The Age compounded the problem: it showed a photograph of “universal keys” in sufficient detail for them to be reproduced.

    The publication is reminiscent of the emergence in September of 3D printed copies of TSA master luggage-keys, copied from a picture published by the Washington Post – except that a train is much bigger and more dangerous than most suitcases.
