Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and Securityweek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, with tests added retrospectively, then there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I would expect more details of the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports come up constantly, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Why is cyber warfare becoming more and more attractive to small nations and terrorist groups? Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. Cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to publish malicious applications in application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.
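To make the aggregation point concrete, here is an added example (not code from this post or from any of the standards named above) that merges a small indicator feed from two sharing partners and runs it over log lines. The feed format is a constructed, deliberately simplified JSON shape that only borrows the idea of typed indicators from STIX; a real STIX/TAXII feed would need a proper parser in place of load_feed(). The partner names, addresses, domain, hash and log lines are all constructed.

```python
"""Match shared threat indicators against log lines (added example)."""
import ipaddress
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed feed: two partners publishing overlapping indicators.
INDICATOR_FEED = json.dumps([
    {"type": "ipv4-addr", "value": "198.51.100.7", "source": "partner-a", "label": "c2"},
    {"type": "ipv4-addr", "value": "198.51.100.7", "source": "partner-b", "label": "c2"},
    {"type": "ipv4-addr", "value": "203.0.113.0/24", "source": "partner-b", "label": "scanner-range"},
    {"type": "domain-name", "value": "Update.Example.NET", "source": "partner-a", "label": "malware-download"},
    {"type": "file-sha256", "value": "1234567890abcdef" * 4, "source": "partner-a", "label": "dropper-hash"},
])

# Constructed log lines in a simple "<timestamp> <source> key=value ..." form.
SAMPLE_LOG = [
    "2015-01-10T08:15:22Z proxy host=workstation-12 dst=198.51.100.7 url=http://198.51.100.7/gate.php",
    "2015-01-10T08:16:01Z proxy host=workstation-12 dst=93.184.216.34 url=http://example.com/",
    "2015-01-10T08:17:40Z proxy host=laptop-3 dst=203.0.113.45 url=http://203.0.113.45/",
    "2015-01-10T08:18:05Z av host=laptop-3 file=C:\\Users\\x\\a.exe sha256=" + "1234567890abcdef" * 4,
    "2015-01-10T08:19:11Z dns host=server-1 query=update.example.net answer=198.51.100.9",
]


@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    label: str
    sources: tuple


def load_feed(feed_json):
    """Parse the feed and merge identical indicators reported by several
    sources, so a hit can cite every partner that vouched for it."""
    merged = {}
    for entry in json.loads(feed_json):
        key = (entry["type"], entry["value"].lower())
        merged.setdefault(key, {"label": entry["label"], "sources": set()})["sources"].add(entry["source"])
    return [Indicator(t, v, d["label"], tuple(sorted(d["sources"])))
            for (t, v), d in merged.items()]


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into its timestamp, source and key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(_KV.findall(rest))
    fields["_ts"], fields["_source"] = ts, source
    return fields


def observables(fields):
    """Extract the values an indicator could match, keyed by indicator type."""
    obs = {"ipv4-addr": set(), "domain-name": set(), "file-sha256": set()}
    for key in ("dst", "answer"):
        if key in fields:
            obs["ipv4-addr"].add(fields[key])
    if "query" in fields:
        obs["domain-name"].add(fields["query"].lower())
    if "url" in fields:
        host = urlsplit(fields["url"]).hostname
        if host:
            try:
                ipaddress.ip_address(host)
                obs["ipv4-addr"].add(host)
            except ValueError:
                obs["domain-name"].add(host.lower())
    if "sha256" in fields:
        obs["file-sha256"].add(fields["sha256"].lower())
    return obs


def matches(indicator, observed):
    """CIDR-aware comparison for addresses, exact (case-folded) match otherwise."""
    if indicator.ioc_type == "ipv4-addr":
        try:
            return ipaddress.ip_address(observed) in ipaddress.ip_network(indicator.value, strict=False)
        except ValueError:
            return False
    return observed == indicator.value


def match_logs(indicators, lines):
    """Return one hit per (line, indicator) pair, citing who supplied the indicator."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        obs = observables(fields)
        for ind in indicators:
            if any(matches(ind, value) for value in obs[ind.ioc_type]):
                hits.append({"ts": fields["_ts"], "host": fields.get("host"),
                             "indicator": ind.value, "label": ind.label, "sources": ind.sources})
    return hits


def affected_hosts(hits):
    """Hosts that touched at least one shared indicator."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    for hit in match_logs(load_feed(INDICATOR_FEED), SAMPLE_LOG):
        print(hit)
```

The merge step is what makes shared intelligence "aggregated": the same address reported by two partners becomes one indicator with two sources, and the sources travel with every hit so an analyst can judge how much to trust it.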
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t see what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
Tomi Engdahl says:
Hackathons: Don’t try them if you don’t like risks
Rules and tools to get the most out of your pizza-replete staff
http://www.theregister.co.uk/2015/11/12/hackathon_risks/
When organisations grind to a halt, weighed down by their own bureaucracy, inertia and politics, they flail about for something to give a short, sharp shock to their vitals. Something to get them moving again.
The techniques used to get things humming along again have varied over the years – a rogue’s gallery of specious business trends and fads. Twenty years ago, it might have been role playing. Ten years ago, an offsite with those cringeworthy trust-building games.
Today, we turn to hackathons.
Until quite recently, hackathons were the exclusive preserve of the tech startup community, thriving on the 48-hours-locked-in-a-room-together intensity followed by the near-orgasmic release of a great pitch. Suddenly, both big business and big government, in a collective penny-drop moment, have adopted the hackathon methodology to inspire employees and capture innovative ideas.
That should be making us suspicious. The purpose of a hackathon is to create a space so unconstrained by conventional wisdom as to be truly disruptive. Owing nothing to anyone, participants can be free to ‘think different’.
That’s the theory, anyway – but I doubt anything would be more terrifying to a big organisation.
Big bureaucracies – whether corporate or government – are at odds with hackathons, so they try to have it both ways: they stack the deck of the hackathon, then complain if they don’t get the promised results.
Tomi Engdahl says:
Robotic arm provides infosec automation for dodgy card readers
MWR debuts automated security evaluation to tidy PoS authentication vulnerabilities
http://www.theregister.co.uk/2015/11/12/mwr_emv_fuzzer/
Blighty-based infosec firm MWR InfoSecurity has created an automated fuzz tester to shore up vulnerabilities which may be affecting any device people are slotting their “Chip and Pin” cards into.
Most infosec researchers who have dug into the terminal-smartcard authentication procedure have found that vulnerabilities are often introduced during development. Talking to The Register, MWR’s Piotr Osuch suggested there was a large number of undiscovered vulnerabilities affecting these devices.
The Europay, MasterCard and Visa (EMV) standard, also known as “Chip and Pin”, is the banking industry’s de-facto standard for authenticating smartcard transactions. MWR had previously demonstrated an attack against the standard at a session during the Black Hat Security Conference in 2012, using smartcards purchased for just £40.
Tomi Engdahl says:
Linux Ransomware Has Predictable Key, Automated Decryption Tool Released
http://it.slashdot.org/story/15/11/11/2114219/linux-ransomware-has-predictable-key-automated-decryption-tool-released
Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim’s system that were targeted.
Linux Ransomware Debut Fails on Predictable Encryption Key
http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
Here is a step-by-step walkthrough to get your data back:
– Download the script from the Bitdefender Labs repository [link updated to include the fix for the recent evolution of the ransomware] (chances are that encryption also affected the system and you might need to boot from a live CD or mount the affected partition on a different machine)
– Mount the encrypted partition using mount /dev/[encrypted_partition]
– Generate a list of encrypted files by issuing the following command: /mnt# sort_files.sh encrypted_partition > sorted_list
– Issue a head command to get the first file: /mnt# head -1 sorted_list
– Run the decryption utility to get the encryption seed: /mnt# python decrypter.py -f [first_file]
– Decrypt everything using the displayed seed: /mnt# python /tmp/new/decrypter.py -s [timestamp] -l sorted_list
http://labs.bitdefender.com/wp-content/plugins/download-monitor/download.php?id=Decrypter_0-1.3.zip
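The decryption walkthrough above works because the key was a function of a timestamp. The following is an added example, not the ransomware's code and not Bitdefender's tool: a constructed key derivation seeded from a timestamp, a constructed toy stream cipher standing in for the real cipher, the recovery that such a design permits (search a window of timestamps before the file's modification time, keep the one that turns the known file header back into plaintext), and the fix, which is to draw key material from the operating system's CSPRNG so that no such window exists. The file contents, timestamps and key length are constructed.

```python
"""Timestamp-seeded keys are recoverable; CSPRNG keys are not (added example)."""
import hashlib
import random
import secrets

KEY_LEN = 16


def weak_key(timestamp):
    """Constructed weak scheme: the 'key' is fully determined by a timestamp
    fed to a non-cryptographic PRNG, so anyone who can guess the timestamp
    can regenerate it."""
    rng = random.Random(timestamp)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def strong_key():
    """Correct approach: key material from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_LEN)


def keystream_xor(key, data):
    """Toy stream cipher (constructed; not AES): XOR with SHA-256 counter
    blocks keyed by the byte offset. Encrypting and decrypting are the same
    operation, and a prefix decrypts independently of the rest."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def recover_weak_key(ciphertext, known_prefix, mtime, window_seconds):
    """Recovery that only the weak scheme makes possible: try every timestamp
    in a window before the file's modification time and keep the one whose
    key turns the ciphertext's first bytes back into the known header.
    Returns (timestamp, key, candidates_tried) or None."""
    tried = 0
    for ts in range(mtime, mtime - window_seconds - 1, -1):
        tried += 1
        key = weak_key(ts)
        if keystream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return ts, key, tried
    return None


# Constructed sample: a PDF-like file written 40 seconds after its key was made.
KNOWN_HEADER = b"%PDF-1.4\n"
SAMPLE_PLAINTEXT = KNOWN_HEADER + b"1 0 obj << /Type /Catalog >> endobj\n" * 3
TRUE_TIMESTAMP = 1447200000           # constructed encryption time
OBSERVED_MTIME = TRUE_TIMESTAMP + 40  # what a defender sees on the file


def demo_weak():
    """Encrypt with the weak key, then recover it from the mtime alone.
    Returns (recovered timestamp, full decryption succeeded, candidates tried)."""
    ct = keystream_xor(weak_key(TRUE_TIMESTAMP), SAMPLE_PLAINTEXT)
    ts, key, tried = recover_weak_key(ct, KNOWN_HEADER, OBSERVED_MTIME, window_seconds=3600)
    return ts, keystream_xor(key, ct) == SAMPLE_PLAINTEXT, tried


def demo_strong():
    """Same search against a CSPRNG key: no timestamp in the window fits."""
    ct = keystream_xor(strong_key(), SAMPLE_PLAINTEXT)
    return recover_weak_key(ct, KNOWN_HEADER, OBSERVED_MTIME, window_seconds=3600)


if __name__ == "__main__":
    print("weak scheme:", demo_weak())
    print("strong scheme:", demo_strong())
```

The search succeeds after 41 candidates because the file's mtime bounds the timestamp from above; with a 128-bit key from secrets.token_bytes() there is no such bound, which is exactly the property a file-encryption key needs.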
Tomi Engdahl says:
Shadow state? Scotland’s IT independence creeps forth
National ID and police surveillance plans from our friends in the north
http://www.theregister.co.uk/2015/11/12/scotlands_creeping_it_independence/
As debate kicks off at Westminster over the surveillance powers of spies and the police, the 55 Scottish National Party lawmakers look likely to be a restraining influence.
The party’s general election manifesto pledged to oppose the Snooper’s Charter. A decade ago, SNP MPs were among the first to oppose New Labour’s identity card scheme.
But in Scotland, the SNP-run government is introducing, or at least considering, IT-led projects which some critics see as increasing surveillance, including a data-sharing system covering all children, an upgraded CCTV network run by the police, and a Scottish identity scheme.
The Scottish Government dismisses this
Meanwhile, Scotland’s just-created single police force has been attempting its own bit of centralisation, with proposals to link up the nation’s public CCTV cameras. As elsewhere in the UK, councils run many of these cameras – and also like those across the country, they are short of cash following cuts in grants from central government.
Some local authorities in England and Wales have decided to cut back on CCTV to save money.
The Scottish Government said it is considering whether arrangements for oversight of CCTV are sufficiently robust, but that it encourages the police and local authorities to work in partnership.
A plan to use Scotland’s NHS Central Register as a national ID system
Tomi Engdahl says:
Justice officials fear nation’s biggest wiretap operation may not be legal
http://www.usatoday.com/story/news/2015/11/11/dea-wiretap-operation-riverside-california/75484076/
RIVERSIDE, Calif. — Federal drug agents have built a massive wiretapping operation in the Los Angeles suburbs, secretly intercepting tens of thousands of Americans’ phone calls and text messages to monitor drug traffickers across the United States despite objections from Justice Department lawyers who fear the practice may not be legal.
Nearly all of that surveillance was authorized by a single state court judge in Riverside County, who last year signed off on almost five times as many wiretaps as any other judge in the United States. The judge’s orders allowed investigators — usually from the U.S. Drug Enforcement Administration — to intercept more than 2 million conversations involving 44,000 people, federal court records show.
The eavesdropping is aimed at dismantling the drug rings that have turned Los Angeles’ eastern suburbs into what the DEA says is the nation’s busiest shipping corridor for heroin and methamphetamine.
The surveillance has raised concerns among Justice Department lawyers in Los Angeles
Federal agents often prefer to seek permission to tap phones from state courts, instead of federal courts, because the process is generally faster and less demanding than seeking approval through the Justice Department.
Tomi Engdahl says:
Ivan Ristic and SSL Labs: How One Man Changed the Way We Understand SSL
http://it.slashdot.org/story/15/11/11/2111249/ivan-ristic-and-ssl-labs-how-one-man-changed-the-way-we-understand-ssl
Ivan Ristic is well-known in the information security world, and his name has become almost a synonym for SSL Labs, a project he started in early 2009. Before that, he was mostly known for his work with OWASP and the development of the wildly popular open source web application firewall ModSecurity.
Ivan Ristic and SSL Labs: How one man changed the way we understand SSL
http://www.net-security.org/secworld.php?id=19095
“When I originally came up with the idea of SSL Labs, my primary audience were people like me, those who had to deploy encryption but were faced with poor documentation and behaviours. There were so many opportunities for mistakes and misconfiguration that the only way then (and today) was to inspect a running service to be absolutely sure,” he explained to us his motivation for starting the project.
“I was well aware of the complexities of SSL deployments, because I had been using it for years. I was frustrated with the lack of tools and good documentation and I was sure that others were too. So I decided to create a tool to help myself as well as others.”
SSL Labs was a pleasure project for Ristic, something he worked on in his spare time, so it evolved slowly at the beginning.
It took a couple more years for it to move from the status of “side project” to that of one of the main ones, but since 2013, it became Ristic’s main focus at the company, and he gives Qualys much of the credit for the project’s success.
“It’s doubtful that I would have been able to spend adequate time on it were it not for the Qualys funding, and it was that which allowed me to respond to the challenges,” he noted.
“Over the years, SSL Labs incorporated a great number of checks that are impossible to perform manually. With SSL Labs, you can do them in a minute. It’s a game changer because, to assess your TLS configuration, you don’t need to be an expert (which is extremely difficult because of how quickly things change). In other words, you can focus on your job instead,” he explained.
As time passed, there were other improvements. For example, organizations can perform automated assessments via the project’s APIs – they can feed all their hostnames to the tool, automate the scanning, and know exactly when something changes (either because they broke something or because a new issue had been discovered).
For years, and even after joining Qualys, SSL Labs’ setup was one server hosted in the cloud and Ristic as the manager. But when Heartbleed hit in April 2014, they were inundated with a million sessions in only a couple of days, and they had to scramble to pad the backend.
“Luckily, it was easy to clone that server into six to handle the load,” says Ristic. “The bigger problem was the fact that I was on vacation that week and with an unreliable Internet connection.”
After that incident, SSL Labs was moved into Qualys’s data centre, where it remains today. Ristic remains the only developer, but the production servers are now maintained by the company’s Ops team.
The project taught Ristic a great many things.
“As a user of TLS, you don’t realise how many moving parts there are behind the scenes,” he noted. “If I had to pick one thing, I’d say that I learned a lot about cryptography engineering. This comes from learning why certain features work in a certain way and, especially, why certain designs cause security issues. Apart from that, it was quite interesting to understand how much diversity there is in TLS deployments; so many different products with different capabilities and quirks. Although that doesn’t seem to be very useful at first, it actually teaches you a lot about how to design a protocol that is used by billions of devices over several decades.”
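The "know exactly when something changes" workflow described in the interview can be sketched in a few dozen lines. What follows is an added example, not SSL Labs code and not its grading rules: a small rule set that grades one observation of a server's TLS configuration (protocol versions accepted, cipher suites offered, certificate validity, HSTS) and a diff that reports which findings are new and which were fixed between two scans. Both observations are constructed; in practice they would come from a scanner or an assessment API.

```python
"""Grade a TLS observation and diff it against the previous scan (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class TlsObservation:
    host: str
    protocols: tuple     # protocol versions the server accepted
    ciphers: tuple       # cipher suites offered, IANA-style names
    cert_not_after: date
    hsts: bool
    scan_date: date


def assess(obs):
    """Return (grade, findings); each finding is (severity, message)."""
    findings = []
    if "SSLv2" in obs.protocols:
        findings.append(("fail", "SSLv2 enabled"))
    if "SSLv3" in obs.protocols:
        findings.append(("fail", "SSLv3 enabled (POODLE)"))
    if "TLSv1.2" not in obs.protocols:
        findings.append(("warn", "TLS 1.2 not supported"))
    if any("RC4" in c for c in obs.ciphers):
        findings.append(("warn", "RC4 cipher suites offered"))
    if not any("ECDHE" in c or "_DHE_" in c for c in obs.ciphers):
        findings.append(("warn", "no forward-secrecy cipher suites"))
    days_left = (obs.cert_not_after - obs.scan_date).days
    if days_left < 0:
        findings.append(("fail", "certificate expired"))
    elif days_left < 30:
        findings.append(("warn", f"certificate expires in {days_left} days"))
    if not obs.hsts:
        findings.append(("info", "HSTS header not sent"))
    severities = {s for s, _ in findings}
    grade = "F" if "fail" in severities else "B" if "warn" in severities else "A"
    return grade, findings


def diff_findings(previous, current):
    """(new, resolved) finding messages between two scans of the same host."""
    before = {m for _, m in previous}
    after = {m for _, m in current}
    return sorted(after - before), sorted(before - after)


def scan_report(previous, current):
    """What an automated re-scan would alert on: current grade plus the delta."""
    grade, findings = assess(current)
    new, resolved = diff_findings(assess(previous)[1], findings)
    return {"host": current.host, "grade": grade, "new": new, "resolved": resolved}


# Constructed observations of one host, a month apart.
JAN_SCAN = TlsObservation(
    host="shop.example.com",
    protocols=("SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"),
    ciphers=("TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    cert_not_after=date(2015, 2, 28),
    hsts=False,
    scan_date=date(2015, 1, 5),
)
FEB_SCAN = TlsObservation(
    host="shop.example.com",
    protocols=("TLSv1.0", "TLSv1.1", "TLSv1.2"),      # SSLv3 switched off
    ciphers=("TLS_RSA_WITH_AES_128_CBC_SHA",           # RC4 removed
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    cert_not_after=date(2015, 2, 28),                 # but nobody renewed the cert
    hsts=False,
    scan_date=date(2015, 2, 10),
)

if __name__ == "__main__":
    print(scan_report(JAN_SCAN, FEB_SCAN))
```

The February report shows the point of continuous scanning: the operator fixed the two findings they knew about, and the same run surfaces the one that crept in on its own (a certificate 18 days from expiry).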
Tomi Engdahl says:
Did you connect your home appliance to the Internet? “There is no certainty in information security”
Security expert Harri Hursti says that the small home appliances attached to the network will bring back the old security holes that have already been patched on PCs.
You are buying a new network-connected TV, amplifier, washing machine or even a coffee maker. Is there any way to make sure that it is good from a security point of view?
- No, security expert Harri Hursti answers briefly.
- The device may even be secure when you buy it, but who knows what updates it will get. So there is no certainty in information security.
There are already real examples of security threats.
- Manufacturers want to make the devices cheaply and quickly, and this means that they are reusing, for example, old code, Hursti warns.
- Security is thought of afterwards, although it should be involved from the beginning.
Hursti says that a good start for improving home security would be access to the router’s settings so that it reveals as little as possible about the home appliances to the outside. We may need a new kind of firewall.
- A firewall may prevent outsiders from penetrating in, but there should also be a device that would tell what information the home appliances are leaking out.
Source: http://www.digitoday.fi/tietoturva/2015/11/12/liititko-kodinkoneen-nettiin-tietoturvasta-ei-mitaan-varmuutta/201514910/66?rss=6
Tomi Engdahl says:
Google emerges semi-victorious in browser tracking lawsuit battle
Search firm defeats a lot of the claims against it
http://www.theinquirer.net/inquirer/news/2434301/google-emerges-semi-victorious-in-browser-tracking-lawsuit-battle
CAN DO COMPANY Google has won a few early successes in a lawsuit about its tracking practices, according to reports, and has apparently convinced people that everything that it does is done with only the very best intentions.
Google has won these scalps in the US courts and in cases about the invasion of privacy caused by the use of tracking cookies. We have asked it to comment on the success, we are waiting for it.
Reports have it that the 3rd US Circuit Court of Appeals in Philadelphia batted away a claim relating to the controversial Google Safari tracking thing, that we all know about already.
Google is accused of trampling on federal wiretap and computer fraud laws by exploiting gaps in the Apple’s Safari browser and another option called Microsoft’s Internet Explorer browser.
Google has already been found culpable in this department and has already been fined by the US Federal Trade Commission as a result. This case drags on though, and branches off. While it must be gravy for Google lawyers, it may be becoming tiresome for affected users.
Google immediately revealed its plans to challenge that decision.
Tomi Engdahl says:
Mårten Mickos on his job as a security start-up leader: “Someone must do something”
Finnish business leader Mårten Mickos has left Hewlett-Packard and moved to become CEO of the US security company HackerOne. With this, Mickos returns to the core of his territory, namely heading a growth-phase start-up.
HackerOne harnesses the hacker community to uncover vulnerabilities in its customers’ software. In its business model, technology companies such as Yahoo, Twitter and Dropbox pay HackerOne a monthly fee, for which they receive the efforts of hackers located around the world, as well as the collection and analysis of the bugs they report.
When a vulnerability is found in the software, customers pay the finder a fee. HackerOne takes a share of the reward. The aim is that hackers are rewarded for revealing vulnerabilities to software companies – not for selling the information to organized crime.
“Someone must do something in order to get a safer internet. Security solutions that are software based are insufficient. This is a way to get the smartest hackers to do a good job,” says Mickos.
“HackerOne brings the open-source model to the security business. I believe in hackers; I have been dealing with coders and open source nerds for years and I am fully convinced of their desire to do good. I also believe in transparency, cooperation and community spirit,” Mickos explained his choice.
“Such a strong start is rare. This year the number of customers has almost quadrupled and the investors are the toughest names of the internet world. But building a business has never been a bed of roses; it requires a lot of work,” Mickos says.
Mickos’s reputation is based on the years 2001-2008, when he led the open-source database company MySQL.
Source: http://www.tivi.fi/Kaikki_uutiset/marten-mickos-tyostaan-tietoturva-startupin-johtajana-jonkun-pitaa-tehda-jotain-6064692
Tomi Engdahl says:
Fraudsters are using you and this Ammyy of malware downloads
Miscreants learning the lessons of the cyberspies
http://www.theregister.co.uk/2015/11/12/fraudsters_ammyy_malware_downloads/
Users of Ammyy Admin may have been unwittingly downloading malware along with their remote desktop software.
A group called the Buhtrap gang is using the malware to spy on and control its victims’ computers as part of a series of targeted attacks, net security firm ESET warns.
The tactics in play show that fraudsters are increasingly picking up the ideas and techniques of the more advanced cyberspies.
The malware is being distributed via a strategic web compromise. Since late October, visitors to ammyy.com were offered a bundle containing not only the company’s legitimate Remote Desktop Software, Ammyy Admin, but also various malware packages.
Jean-Ian Boutin, a malware researcher at ESET, commented: “The fact that cybercriminals now use strategic web compromises is another sign of the gap closing between techniques used by cybercriminals and by actors behind so-called Advanced Persistent Threats.”
Operation Buhtrap malware distributed via ammyy.com
http://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/
We noticed in late October that users visiting the Ammyy website to download the free version of its remote administrator software were being served a bundle containing not only the legitimate Remote Desktop Software Ammyy Admin, but also an NSIS (Nullsoft Scriptable Installation Software) installer ultimately intended to install the tools used by the Buhtrap gang to spy on and control their victims’ computers.
While Ammyy Admin is legitimate software, it has a long history of being used by fraudsters. As a result, several security products, such as ESET’s, detect it as a Potentially Unsafe Application. However, it is still widely used, notably in Russia.
It appears Ammyy’s website is now clean and serves the malware-free Ammyy Admin remote administrator package, but for about a week, visitors were downloading an installer that contained both malware and the Ammyy product. After investigation, different malware families were found to have been distributed through Ammyy’s website.
Tomi Engdahl says:
Emil Protalinski / VentureBeat:
Google’s new ‘About me’ tool lets you control personal information shown by Gmail, YouTube, Maps, and more — Google has launched a new tool called About me that lets you see, edit, and remove the personal information that the company’s services show to other users.
Google’s new ‘About me’ tool lets you control personal information shown by Gmail, YouTube, Maps, and more
http://venturebeat.com/2015/11/10/googles-new-about-me-tool-lets-you-control-personal-information-shown-by-gmail-youtube-maps-and-more/
Google has launched a new tool called About me that lets you see, edit, and remove the personal information that the company’s services show to other users. Google confirmed to VentureBeat that the feature started rolling out to users this week.
Google’s various products and services (Gmail, Hangouts, Google Maps, Inbox, Google Play, YouTube, Google+, and so on) sometimes ask you to share certain personal information. These details are then shown to other users who interact with you or search for you. Until now, all of this was stored in Google+, assuming you created an account. But Google+ is no longer a requirement for Google’s services, and so the company needs a new solution, and ideally one that isn’t public by default.
When I first loaded my About me page, I saw Google had my gender, birthday, occupation, work contact info, and work history. Out of curiosity, I tried to remove everything to see how far I could get.
I was unable to delete my name (though I could remove my last name) nor my photo.
Interestingly, I also couldn’t remove my birthday. All I could do was hide the year.
Indeed, this is Google’s way of keeping track of your personal information without forcing you to use Google+. That said, if you have a Google+ account, this is the same set of details. If you add or remove content on Google+ or on About me, the changes will be reflected on both.
Tomi Engdahl says:
It may be that everything you say is analyzed
Analytics2015 – When you complain about a poorly functioning mobile phone interface, your message is recorded and becomes part of a giant database from which the operator learns through text analysis. – Analytics is growing into a business worth hundreds of billions of dollars, says SAS Institute analytics expert Tuba Islam.
According to Islam, the major operators are investing large sums in analytics. They use it for network planning and optimization as well as for developing advertising and campaigns.
- This is natural, since the operator already has the telecommunications equipment in place and a network to carry the data. Only the analytics is missing, and that is where SAS enters the picture.
Operators, of course, have access to just about everything a smartphone user does. Location, call records, application-level data usage and other data are easily turned into data points. On top of these comes the analysis of rapidly growing unstructured data.
- There are tools that convert speech into text, and text analysis can then be applied to it. It can be based on sentiment analysis or on searching for keywords, Islam says.
Basically everything a person says or communicates on their phone can be used as a source for analysis.
Analytics also gives operators better means to protect themselves against various forms of fraud. – Analytics reveals abnormal behavior and traffic on the network. By tracking these, patterns emerge, and they can be addressed, Tuba Islam says.
Source: http://etn.fi/index.php?option=com_content&view=article&id=3590:voi-olla-etta-kaikki-sanomasi-analysoidaan&catid=13&Itemid=101
Tomi Engdahl says:
Apple user anger as Mac apps break due to security certificate lapse
Digital rights management ‘blunder’ leads to users having to delete and reinstall every app they bought or downloaded from App Store
http://www.theguardian.com/technology/2015/nov/12/apple-user-anger-mac-apps-break-security-certificate-lapse
Mac users faced trouble with their apps overnight after the security certificate Apple uses to prevent piracy expired late on Wednesday.
Applications downloaded from the Mac App Store were temporarily unavailable from 10pm UK time, when a security certificate expired, five years after its creation, with no replacement immediately available.
Even once Apple fixed the error, issuing a new certificate for the apps (with an expiry date of April 2035, this time), users were still faced with problems. Those who could not connect to the internet couldn’t verify the new certificate, while those who had forgotten their password or couldn’t log in to iCloud for some other reason are also unable to use the downloaded apps until they can log in to the service.
Some were forced to delete and then reinstall every app they had bought or downloaded from the App Store, before they could be used, taking to Twitter to vent their frustrations.
Security certificates are issued by the App Store to ensure that only apps properly bought and paid for can be run on users’ Macs, as well as to guard against the installation of malware using Apple’s developer credentials.
Tomi Engdahl says:
Prison Hack Shows Attorney-Client Privilege Violation
http://yro.slashdot.org/story/15/11/12/1426204/prison-hack-shows-attorney-client-privilege-violation?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
An enormous cache of phone records obtained by The Intercept reveals a major breach of security at Securus Technologies, a leading provider of phone services inside the nation’s prisons and jails. The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls
“Particularly notable within the vast trove of phone records are what appear to be at least 14,000 recorded conversations between inmates and attorneys”
Not So Securus
Massive Hack of 70 Million Prisoner Phone Calls Indicates Violations of Attorney-Client Privilege
https://theintercept.com/2015/11/11/securus-hack-prison-phone-company-exposes-thousands-of-calls-lawyers-and-clients/
AN ENORMOUS CACHE of phone records obtained by The Intercept reveals a major breach of security at Securus Technologies, a leading provider of phone services inside the nation’s prisons and jails. The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. The calls span a nearly two-and-a-half year period, beginning in December 2011 and ending in the spring of 2014.
Particularly notable within the vast trove of phone records are what appear to be at least 14,000 recorded conversations between inmates and attorneys, a strong indication that at least some of the recordings are likely confidential and privileged legal communications — calls that never should have been recorded in the first place. The recording of legally protected attorney-client communications — and the storage of those recordings — potentially offends constitutional protections, including the right to effective assistance of counsel and of access to the courts.
“This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about,” said David Fathi, director of the ACLU’s National Prison Project. “A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.”
But the fact that a hacker was able to obtain access to over 70 million prisoner phone call records shows that Securus’ data storage system is far more vulnerable than it purports to be.
More broadly, the Securus leak reveals just how much personal information the company retains about prisoners and the countless people to whom they are connected.
A key selling point to its clients is that the company not only installs and maintains phone systems at little to no cost to the government, but also that it agrees to pay back to its clients generous “site commissions,” a kickback that comes from revenue generated by inmate calls
In addition to the sweetheart deal it offers clients, Securus also touts the technology of its Secure Call Platform, which allows recording and monitoring, with few exceptions, of all calls made by prisoners. The superior technology, it claims, ensures that its database is well-protected, and only accessible to authorized users — among them corrections workers, police investigators, and prosecutors. Law enforcement personnel are particularly important to the company: Securus promises it can provide recordings on demand to investigators across jurisdictions, promoting its system as a powerful crime-solving tool.
“OMG … this is not good!” reads an internal Securus email discussing phone calls hacked in 2014.
But the scale of the Securus hack shows the company has failed to fulfill its own promises on security. The more than 70 million phone call records given to The Intercept include phone calls placed to nearly 1.3 million unique phone numbers by more than 63,000 inmates. The original data was contained in a 37-gigabyte file and scattered across hundreds of tables, similar to spreadsheets, which The Intercept merged into a single table containing 144 million records. A search for duplicates reduced this figure to more than 70 million records of individual phone calls.
The database contained prisoners’ first and last names; the phone numbers they called; the date, time, and duration of the calls; the inmates’ Securus account numbers; as well as other information. In addition to metadata, each phone call record includes a “recording URL” where the audio recordings of the calls can be downloaded.
The vast majority of the calls appear to be personal in nature
PRISONERS DO NOT GENERALLY ENJOY a right to privacy while incarcerated — a fact that is emphasized in the course of virtually any communication with the outside world. Like other jail and prison telecoms, Securus inserts a recorded message at the beginning of each prisoner-initiated phone call, reminding recipients that “this call is from a correctional facility and may be monitored and recorded.”
If the goal for recording and monitoring detainee phone conversations is to enhance safety both inside and outside a facility that’s one thing — but those conversations should not be stored indefinitely, once they’re determined to be free of intelligence that would aid the institutional goal.
The mass recording of detainee calls was originally rationalized as improving safety within a facility
The implications are especially alarming for calls that are understood to be the exception to the record-everything rule. Securus’ phone systems are supposed to be set up to allow certain phone numbers to be logged and flagged so that calls to those numbers are exempt from being recorded — let alone stored.
Indeed, that a criminal defendant or inmate should be able to speak frankly and honestly with a lawyer is a cornerstone of the criminal justice system — inherent in a defense attorney’s ethical obligations, and firmly rooted in the Sixth Amendment right to competent and effective legal counsel.
The data provided to The Intercept also includes at least 27 recordings of calls to attorneys in Austin, Texas, made between December 2011 and October 2013 — a fact that is particularly compelling in light of a federal civil rights suit filed there in 2014 against Securus, which provides phone service to the county’s jails.
The hacked database also includes records of calls between prisoners and prosecutors — including 75 calls to a U.S. attorney’s office in Missouri.
That’s why prison calling systems, such as Securus’ Secure Call Platform, are set up to log numbers that should not be recorded. “But that’s a technological issue and sometimes it doesn’t work,” said Cassidy.
But Schwartz argues that the logging of attorney phone numbers provides a “recognition that there is attorney-client privilege” and that it is “incumbent on the government to follow through” in protecting that privilege. When attorneys learn that their calls have been recorded, it shakes the foundation of trust, inevitably impinging on their Sixth Amendment obligations. “Once people know there is trickery, there is a chilling of attorney-client communications — because how do you know it won’t happen again?” Schwartz asked.
Indeed, that is precisely the risk that Fathi sees arising from the breach of Securus’ database. “Going forward, prisoners will have very good cause to question whether their phone calls with their attorneys are confidential.”
Tomi Engdahl says:
A tale of two women: Same birthday, same Social Security number, same big-data mess
http://www.cio.com/article/3004596/identity-management/a-tale-of-two-women-same-birthday-same-social-security-number-same-big-data-mess.html
It’s a case that would seem to defy the odds many times over: Two Florida women born on the same day, in the same state, and given almost the same name. Though no one realized it at the time, it turns out they were also given the same Social Security number.
Joanna Rivera and Joannie Rivera only recently discovered the problem, according to a report this week, but in the meantime it’s caused no end of trouble for them. Credit applications have been denied; tax returns have been rejected.
Identity theft might have been a likely assumption, but in this case, it was something different.
After 25 years of confusion, the Social Security Administration reportedly has admitted its mistake at last: In 1990, two Florida hospitals created the same record for two babies with similar first names, the same last name and the same date of birth, and the administration gave them both the same Social Security number.
It’s not as uncommon as you might think. In fact, some 40 million SSNs are associated with multiple people, according to a 2010 study by ID Analytics.
Some, as in the Rivera case, are innocent mistakes caused by data-entry errors or bad handwriting, said Ken Meiser, vice president of identity solutions at ID Analytics.
Others are “what we call identity manipulation,” whereby someone with a shaky credit history makes subtle changes to their identity so it’s not connected with their history, he said.
“If you’re one of the folks who has had that duplication, it creates issues,” Meiser said. “It’s a really interesting challenge for everybody involved.”
Tomi Engdahl says:
ID Analytics: 40 million Social Security numbers associated with more than one person
http://goo.gl/QGGT3m
“I can’t believe it happened,” Rivera said.
The government gave both babies the same Social Security number.
“They shouldn’t make mistakes like this,” Rivera said.
It’s a mistake the government wouldn’t admit or fix until the Consumer Watchdog told Rivera to call her Congressman.
The Social Security Administration said it was a mistake made in 1990 by the hospitals that created the Social Security record for two babies with similar first names, the same last name, and same date of birth.
Tomi Engdahl says:
URL Shorteners: Which Shortening Service Should You Use?
http://searchengineland.com/analysis-which-url-shortening-service-should-you-use-17204
URL shortening services are experiencing a renaissance in the age of Twitter. When every character counts, these services reduce long URLs to tiny forms. But which is the best to use, when so many are offered and new ones seem to appear each day? Below, issues to consider and a breakdown of popular services, including recommendations and services to avoid
CheckShortURL supports almost all URL shortening services:
t.co, goo.gl, bit.ly, amzn.to, tinyurl.com, ow.ly, youtu.be and many others!
http://www.checkshorturl.com/
What is it made for?
CheckShortURL is an expand link facility: it allows you to retrieve the original URL from a shortened link before clicking on it and visiting the destination. We provide furthermore information about unshortened URL such as title, description, keywords and author of the page. It also checks if the original URL is on search engines, Twitter, and lets you know if the hidden link is safe or not.
Tomi Engdahl says:
Ransomware-as-a-service surfaces, wants 10 percent profit cut
Customer loyalty in the age of scumware
http://www.theregister.co.uk/2015/11/13/ransomwareasaservice_surfaces_wants_10_percent_profit_cut/
Web scum are offering another ransomware as a service model under which ill-gotten gains are split between VXers and buyers.
The CryptoLocker service by FAKBEN ransomware noted by Salted Hash is the creation of an individual or VXer group that is flogging its ransomware through a Tor Hidden Service.
No technical information is offered regarding the capabilities of the ransomware — which is claimed to be some version of the well known CryptoLocker — and should serve as a warning for all would-be criminals thinking of signing up.
Most ransomware fail because of encryption implementation flaws that white hats can exploit to retrieve decryption keys for free.
Punters will need to buy in for the paltry price of US$50. The VXers claim they will keep 10 percent of the total ransom paid.
Custom ransoms can be set to a limit of $1,000,000 before database errors are thrown. A basic GUI will show the number of infected machines and ransoms paid.
The group says the ransomware will launch in coming days.
Writing ransomware is a complex business and many would-be VXers have quickly failed.
Tomi Engdahl says:
CloudFlare drinks the DNSSEC kool-aid, offers it on universal basis
Controversial protocol launched
http://www.theregister.co.uk/2015/11/13/cloudflare_dnssec/
CloudFlare has rolled out Universal DNSSEC, despite widespread controversy alleging it would provide an excellent platform from which intelligence agencies could spy upon and intercept global internet traffic.
Universal DNSSEC will be available to CloudFlare customers for free. The company announced that it will do “all the heavy lifting by signing your zone and managing the keys … All you need to do is enable DNSSEC in your CloudFlare dashboard and add one DNS record to your registrar.”
The CDN and DNS flogging company claimed “DNSSEC guarantees a website’s traffic is safely routed to the correct servers so that a site’s visitors are not intercepted by a hidden ‘man-in-the-middle’ attacker.”
DNSSEC, or DNS Security Extensions, is certainly a countermeasure against DNS cache-poisoning attacks, such as those famously highlighted by security researcher Dan Kaminsky back in 2008.
It uses cryptographic checks to make sure that IP results returned by a DNS query point to the corresponding domain name.
The technology, however, remains highly contentious.
CloudFlare has attempted to explain how DNSSEC works, the root-signing ceremony, how it will “solve the final hurdles for widespread DNSSEC adoption by using elliptic curve cryptography”, the complexities that the protocol involves, and DNSSEC’s usefulness for registrars.
How DNSSEC Works
https://www.cloudflare.com/dnssec/how-dnssec-works/
Tomi Engdahl says:
Latest Android phones hijacked with tidy one-stop-Chrome-pop
Chinese researcher burns exploit for ski trip.
http://www.theregister.co.uk/2015/11/12/mobile_pwn2own/
Google’s Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset.
The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the JavaScript v8 engine. It can probably hose all modern and updated Android phones if users visit a malicious website.
It is also notable in that it is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers say.
Qihoo 360 researcher Guang Gong showcased the exploit which he developed over three months.
PacSec organiser Dragos Ruiu told Vulture South the exploit was demonstrated on a new Google Project Fi Nexus 6.
“The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction, ” Ruiu says
“As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”
“The vuln being in recent version of Chrome should work on all Android phones”
A second team from Germany also appears to have popped a modern Samsung phone, with a demonstration delayed until today due to a delayed flight.
Tomi Engdahl says:
Hypervisor headaches: hosed by x86 exception bugs
Microsoft, Xen, KVM et al need patches
http://www.theregister.co.uk/2015/11/13/hypervisor_headaches_hosed_by_x86_exception_bugs/
Various hypervisors and operating systems are scrambling to patch around an x86 bug that lets an admin-level guest crash the underlying CPU, causing a denial-of-service to anyone else on the same machine.
The issue, described here, is that with some x86 CPUs, an attacker with kernel-mode code execution privileges on a guest operating system can hang the CPU.
The two CVEs Redmond cites are described by Xen (which has been updated to address the same issues) here. There’s an alignment check exception (CVE-2015-5307) that can trigger an infinite loop in some x86 CPUs, and a debug exception (CVE-2015-8104) that can result in an infinite loop or a stack fault, depending on how it’s triggered.
Tomi Engdahl says:
Amazon vendors flog thousands of rooted, malware-laden tablets
Because getting infected in the after-market is so tedious
http://www.theregister.co.uk/2015/11/13/amazon_vendors_flog_thousands_of_rooted_malwareladen_tablets/
Amazon is unwittingly acting as the retail channel for thousands of Android tablets preloaded with nightmare advertising malware and with rooted operating systems, users and security boffins allege.
The blackbox tablets, badged under various brands and flogged on the ecommerce site and elsewhere, are A$100 (£50) Android units that customers allege are arriving preloaded with malware.
Other complaints relate to poor quality of manufacture.
Tens of thousands of the devices loaded with the Cloudsota malware are likely in circulation.
Chinese security firm Cheetah Mobile says it knows of 17,233 that had its antivirus installed; the number without their AV is feasibly much higher.
That trojan is a persistent advertising menace that resides within the Android KitKat boot image, making it difficult to remove.
It can install ad applications so they cannot be removed, can uninstall security software and other apps, and will re-install itself if removed.
“We assume that the unbranded tablet manufacturers do not pay any attention to user feedback, nor do they have the capability to offer a solution to this problem.
“When users boot the device, Cloudsota will visit the trojan creator’s server about every 30 minutes in order to obtain operating commands.”
Tomi Engdahl says:
NoSQL: Injection vaccination for a new generation
This future architecture still falls into some of the same old traps
http://www.theregister.co.uk/2015/11/13/nosql_security_new_generation/
We are becoming more and more accustomed to reading about losses of online data through malicious hack attacks, accidents, and downright carelessness – it’s almost as if we don’t know how to secure data against the most common form of attack.
Of course, that isn’t really true as best practice, legislation, and education on the matter are easy to come by, from a variety of sources.
Yet we continue to see common attacks being repeated, with SC Magazine reporting recently that 100,000 customers were compromised by SQL injection.
NoSQL is, or was meant to be (you pick) the future architecture, an opportunity, almost, to start afresh. Given that and with the wealth of knowledge that’s amassed from decades of SQL, you’d think NoSQL databases and systems wouldn’t fall into the same traps as the previous generations of RDBM systems.
Just this February nearly 40,000 MongoDB systems were found with no access control and with default port access open. To be fair, not all the possible faults I’m about to mention apply to all NoSQL systems; some are harder than others and some from distribution companies are deliberately hardened out of the box.
The first rule of security is that if someone manages to get on your box then it’s just about game over. Hopefully, I don’t need to re-emphasise the importance of firewalling database boxes (whatever the flavour) from the outside world and only allowing access to your application servers, but it is worth stating that this is as important in the NoSQL world as any other.
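An added illustration of the “same old trap” the article is warning about, written for this page rather than taken from The Register or from any MongoDB driver: a login lookup that drops a JSON request body straight into a MongoDB-style query, beside the input check that stops it. Assumptions of the example: the query matcher is a small in-memory model of MongoDB semantics (only $eq, $ne, $gt and $regex are modelled), the user collection and the attacker payloads are constructed sample data, and the request body is assumed to arrive already JSON-decoded, as a framework such as Flask would hand it over.

```python
"""Added example (not from the article or from MongoDB): operator injection
against a login query and the scalar-only check that blocks it.  The matcher
below models only a subset of MongoDB's query language (an assumption)."""
import re

USERS = [  # constructed sample collection
    {"user": "alice", "password": "correct horse battery staple", "role": "admin"},
    {"user": "bob", "password": "hunter2", "role": "user"},
]


def field_matches(value, cond):
    """Mongo semantics in miniature: a scalar condition means equality; a dict
    whose keys all start with '$' is an operator expression on the field."""
    if isinstance(cond, dict):
        if not cond or not all(k.startswith("$") for k in cond):
            return False  # embedded-document equality is not modelled here
        for op, arg in cond.items():
            if op == "$eq":
                ok = value == arg
            elif op == "$ne":
                ok = value != arg
            elif op == "$gt":
                ok = value is not None and value > arg
            elif op == "$regex":
                ok = value is not None and re.search(arg, str(value)) is not None
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
        return True
    return value == cond


def find_one(collection, query):
    for doc in collection:
        if all(field_matches(doc.get(f), c) for f, c in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """body is the decoded JSON request.  Because the values are used as-is,
    a client can send an object where a string was expected and turn the
    equality check into an operator expression of its choosing."""
    return find_one(USERS, {"user": body.get("user"), "password": body.get("password")})


def login_hardened(body):
    """Insist on scalar strings before they reach the query, and pin the
    comparison with $eq so a missed check still cannot become an operator."""
    user, password = body.get("user"), body.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None  # reject outright; do not coerce with str()
    return find_one(USERS, {"user": {"$eq": user}, "password": {"$eq": password}})


def recover_password(user, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32):
    """Blind extraction through the vulnerable login: $regex turns the
    yes/no login result into an oracle that leaks one character per query."""
    prefix = ""
    for _ in range(max_len):
        done = {"user": user, "password": {"$regex": "^" + re.escape(prefix) + "$"}}
        if login_vulnerable(done):
            return prefix
        for ch in alphabet:
            probe = {"user": user, "password": {"$regex": "^" + re.escape(prefix + ch)}}
            if login_vulnerable(probe):
                prefix += ch
                break
        else:
            return None  # next character lies outside the alphabet
    return None


# Constructed attacker payloads, exactly as they would arrive in a JSON body
BYPASS = {"user": "alice", "password": {"$ne": ""}}       # authentication bypass
ORACLE = {"user": "bob", "password": {"$regex": "^hun"}}  # one step of extraction
LEGIT = {"user": "bob", "password": "hunter2"}

if __name__ == "__main__":
    print("vulnerable + BYPASS ->", login_vulnerable(BYPASS)["user"])
    print("hardened  + BYPASS ->", login_hardened(BYPASS))
    print("recovered via oracle ->", recover_password("bob"))
```

The type check is the part that matters: JSON lets a client choose the type of every value, so a handler that only looks at field names has already lost. The `$eq` wrapper is belt-and-braces for the case where a later refactor forgets the check.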
Tomi Engdahl says:
The Edward Snowden guide to practical privacy
NSA whistleblower talks turkey about personal surveillance
http://www.theregister.co.uk/2015/11/12/snowden_guide_to_practical_privacy/
If you’re just an average user concerned about your privacy
Use Tor when browsing. You don’t have to use Tor all the time (it does slow things down considerably and some sites will also block Tor traffic). But if you are looking at or for something that you feel is sensitive, then either set up your browser to work with Tor or use the Tor browser.
Use an ad-blocker. Says Snowden: “As long as service providers are serving ads with active content that require the use of Javascript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser – you should be actively trying to block these.”
Use a password manager. It doesn’t matter how many surveys and reports come out that tell people to use different passwords and complex passwords, a huge percentage of us maintain borderline idiotic approaches. The simple answer is: get a password manager. It will protect you.
Use two-factor authentication. Many services such as Gmail, Twitter, Dropbox, Hotmail, and Facebook offer this now for no charge. So even if your password does get exposed, you still have a backup such as a text message to your phone to secure your information.
Use apps that protect your information. Snowden suggests the smartphone app Signal, which encrypts both your phone calls and texts. It’s free and easy to use. Although of course, following a high-profile argument with the FBI, it would appear that Apple’s messaging service is also pretty secure (although Snowden would probably have doubts).
Use the HTTPS Everywhere browser plug-in. This comes from the Electronic Frontier Foundation (EFF) and will try to force all browser communication to be encrypted.
Encrypt your hard drive. This is comparatively easy these days but you have to be careful to do two things: one, have a longish phrase to make it worthwhile; and two, make damn sure you remember that phrase. There will be a slowdown in performance but nothing too bad if you have a modern machine.
Be smart with your security questions. Stop using your mother’s maiden name for everything. Likewise your first school. The key is to mix things up as much as possible so if someone does get into one of your accounts, they can’t use the same information to get in everywhere else.
Tomi Engdahl says:
Robert Hackett / Fortune:
Exclusive: Secure Messenger TigerText Raises $50 Million, Aims to be Health Care’s Top Chat Tool
http://fortune.com/2015/11/11/tiger-text-raises-50-million/
The Whisper app co-founder’s other startup has raised more than $80 million to date.
Brad Brooks, co-founder and CEO of TigerText, a 5-year-old secure messenger startup based in Santa Monica, Calif., has staked his business on a thesis—a plain observation, really—that he believes will revolutionize the healthcare industry: People prefer to text.
So he and his brother Andrew — a co-founder of TigerText who sits on the company’s board and is a certified orthopedic surgeon — have set out to revamp medical communications.
“People are already gravitating toward SMS,” Brad Brooks tells Fortune. “But it’s not really a viable solution” when it comes to healthcare, he says, given the industry’s need for secure, encrypted channels, authentication processes, and enterprise-level controls over networks and users. So, that’s just what TigerText has developed: a tool that “ring fences,” as Brooks says, the text messaging experience. Plus, it adds a useful application programming interface that software developers can build upon as well as a self-deleting messages feature.
TigerText plans to announce that it has closed a Series C round of funding worth $50 million. The company last raised $21 million in January 2014, bringing its total funding raise to date to more than $80 million.
The latest investment was led by Norwest Venture Partners and included participation from Invus Group and Accolade Partners as well as return backers Shasta Ventures, OrbiMed, and Reed Elsevier.
Robert Mittendorff, the Norwest partner and certified physician who led his firm’s funding round, says he ran a three-year search on 15 companies before deciding to back TigerText. “There aren’t many of these companies founded by individuals that have built or scaled companies in the technology and media space and are also a physician,” he explains, referencing Brad Brooks’ former post as president of DIC Entertainment, the late children’s-branded media company that had spun out of Disney, and his brother’s medical background.
In 2012, Brad Brooks also co-founded Whisper, an anonymous messaging startup that became embroiled in a data privacy controversy after the British-based news outlet the Guardian published an investigation concerning its namesake app last year. The outlet’s initial reports that the company secretly collected certain user data, despite claiming otherwise, had to be significantly walked back in a later correction to the story.
“We think of TigerText as the Slack of healthcare,” Mittendorff said, referencing the multi-billion dollar “unicorn” chat app startup that has taken less strictly regulated industries such as media (Fortune’s office included) by storm.
Meanwhile, Symphony, the bank-backed communications service tailor-made for the financial industry, also has designs on heavily regulated, compliance-driven industries such as health care, as well as the consumer market. The firm last month raised $100 million from Google and other backers.
Other companies that have designed chat tools with healthcare specifically in mind include Imprivata with its Cortext messaging product and Voalte, a private communications software firm based in Florida.
Tomi Engdahl says:
Joe Rossignol / MacRumors:
Some apps installed from Mac App Store were temporarily unusable after Apple failed to renew security certificate — Some Mac App Store Apps ‘Damaged’ Due to Expired Security Certificates — A growing number of MacRumors readers and Twitter users have been experiencing an issue …
Some Mac App Store Apps ‘Damaged’ Due to Expired Security Certificates
http://www.macrumors.com/2015/11/12/mac-app-store-apps-damaged-expired-receipts-issue/
A growing number of MacRumors readers and Twitter users have been experiencing an issue with some Mac App Store apps displaying a “damaged” error when opened since late Wednesday. The issue has affected popular apps such as 1Password, Acorn, Byword, DaisyDisk and Tweetbot.
Mac users are prompted with this error message when opening Mac App Store apps:
“App Name” is damaged and can’t be opened. Delete “App Name” and download it again from the App Store.
The issue, however, also appears to affect some users running OS X El Capitan, leading Haddad to believe that Mac App Store apps contacting Apple’s servers simultaneously may be causing a “self inflicted DDOS on Apple’s receipt generation service.”
It appears that Apple has since set a new 2035 expiration date for the security certificates
Tomi Engdahl says:
Linux webmaster encryption ransomware issue hits 40,000 sites and rising
Trojan encrypts files and still messes with your day
http://www.theinquirer.net/inquirer/news/2433914/linux-webmasters-hit-with-encryption-ransomware-issue
Russian antivirus outfit Dr Web has carried on studying the Linux.Encoder.1 trojan threat, and reported some more bad news about increased infection.
The firm revealed the problem already, but now it has more information. While before we spoke of infected parties that ran into the tens, now, we have a lot more zeroes to deal with and a bigger picture to look at.
“The attack scheme shows that cybercriminals do not actually need root privileges to compromise web servers running Linux and encrypt files,” explained the firm.
“Moreover, the Trojan still poses a serious threat to Internet resources owners, especially taking into account that many popular CMSes have unfixed vulnerabilities, and some webmasters either disregard the necessity of timely updates or just use outdated versions of CMSes.”
According to the studies there might be as many as 2,000 impacted sites, each with various degrees of threat. That was yesterday; we have carried out the same research, a Google search for “README_FOR_DECRYPT.txt”, and found that the number of results is now in the 40,000 region.
“Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed on,” it said.
Tomi Engdahl says:
TalkTalk hired BAE Systems’ infosec bods before THAT hack
Plus: Police told us not to answer questions, says telco
http://www.theregister.co.uk/2015/11/13/talktalks_security_revealed/
Contrary to suggestions that TalkTalk hired BAE Systems to shore up its security after the much-publicised hack in October, the telco had actually been outsourcing its security operations centre to BAE since June – and previously told investors it had “completed” a security audit.
In its annual report, published in June, TalkTalk claimed it had completed key cybersecurity initiatives including the “encryption of hardware and removable media” implementing “a data loss prevention solution,” as well as a complete “vulnerability scanning and penetration testing” run-through.
These measures were evidently not sufficient to prevent the data of 1.2m customers being stolen through what has been alleged to be a SQL injection – “an attack vector that has been known for more than a decade and [is] fairly easy to prevent” as Wim Remes, manager EMEA strategic services at Rapid7, the firm behind the Metasploit penetration testing tool, explained to The Register.
BAE Systems informed The Register that “prior to the incident [we provided monitoring support, but this] was limited to monitoring the corporate non-market facing network.” BAE stated it is “progressively increasing [its] monitoring support” adding that the “process is not yet complete but is progressing well.”
TalkTalk claimed it had increased investment in cybersecurity by a third over the last three years, and it fully expected “to spend even more in the future.”
TalkTalk considered the “Potential Impact” of a snafu to be “loss of competitive advantage, regulatory fines, damage to the brand, and ultimately, churn.”
However, following delivery of the company’s first half financial results for 2015/16 this morning, TalkTalk CEO Dido Harding downplayed churn concerns – the fear that customers would leave for a rival. She stated that customers who had initially attempted to leave after the breach had changed their minds, adding that there were “very early indications that customers think that we’re doing the right thing.”
Did you have anybody working in security, Dido?
TalkTalk has continued to keep schtum about how seriously it handled security prior to the breach. What is clear is that the company did not employ a Chief Information Security Officer. Asked who its head of security was at the time of the breach, TalkTalk told The Register only that it could “confirm the three most senior technology roles have been here eight years, five years and four years.”
Asked why business customers were also affected, despite using a different site to interface with TalkTalk, the telco reiterated: “The police have requested we not make any further comment on specific details of the attack.”
Former TalkTalk customers may also have been affected by the most recent breach
Tomi Engdahl says:
It’s Way Too Easy To Hack the Hospital
http://it.slashdot.org/story/15/11/13/1356243/its-way-too-easy-to-hack-the-hospital
The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
Like the printers, copiers, and office telephones used across all industries, many medical devices today are networked, running standard operating systems and living on the Internet just as laptops and smartphones do. Like the rest of the Internet of Things—devices that range from cars to garden sprinklers—they communicate with servers, and many can be controlled remotely. As quickly became apparent to Rios and the others, hospital administrators have a lot of reasons to fear hackers.
Sooner or later, hospitals would be hacked, and patients would be hurt.
It’s Way Too Easy to Hack the Hospital
Firewalls and medical devices are extremely vulnerable, and everyone’s pointing fingers
http://www.bloomberg.com/features/2015-hospital-hack/
In the fall of 2013, Billy Rios flew from his home in California to Rochester, Minn., for an assignment at the Mayo Clinic, the largest integrated nonprofit medical group practice in the world. Rios is a “white hat” hacker, which means customers hire him to break into their own computers.
He assumed he was going on a routine bug hunt, a week of solo work in clean and quiet rooms.
But when he showed up, he was surprised to find himself in a conference room full of familiar faces. The Mayo Clinic had assembled an all-star team of about a dozen computer jocks, investigators from some of the biggest cybersecurity firms in the country, as well as the kind of hackers who draw crowds at conferences such as Black Hat and Def Con. The researchers split into teams, and hospital officials presented them with about 40 different medical devices. Do your worst, the researchers were instructed. Hack whatever you can.
“Every day, it was like every device on the menu got crushed,” Rios says. “It was all bad. Really, really bad.” The teams didn’t have time to dive deeply into the vulnerabilities they found, partly because they found so many—defenseless operating systems, generic passwords that couldn’t be changed, and so on.
“Someone is going to take it to the next level. They always do,” says Rios. “The second someone tries to do this, they’ll be able to do it. The only barrier is the goodwill of a stranger.”
Shortly after flying home from the Mayo gig, Rios ordered his first device—a Hospira Symbiq infusion pump. He wasn’t targeting that particular manufacturer or model to investigate; he simply happened to find one posted on EBay for about $100.
Rios connected his pump to a computer network, just as a hospital would, and discovered it was possible to remotely take over the machine and “press” the buttons on the device’s touchscreen, as if someone were standing right in front of it. He found that he could set the machine to dump an entire vial of medication into a patient.
In the spring of 2014, Rios typed up his findings and sent them to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
In his report, he listed the vulnerabilities he had found and suggested that Hospira conduct further analysis to answer two questions: Could the same vulnerabilities exist in other Hospira devices? And what potential consequences could the flaws present for patients?
“The FDA seems to literally be waiting for someone to be killed before they can say, ‘OK, yeah, this is something we need to worry about,’ ” Rios says.
Rios is one of a small group of independent researchers who have targeted the medical device sector in recent years, exploiting the security flaws they’ve uncovered to dramatic effect.
Such attacks angered device makers and hospital administrators, who say the staged hacks threatened to scare the public away from technologies that do far more good than harm.
“All their devices are getting compromised, all their systems are getting compromised,” he continues. “All their clinical applications are getting compromised—and no one cares. It’s just ridiculous, right? And anyone who tries to justify that it’s OK is not living in this world. They’re in a fantasyland.”
Last fall analysts with TrapX Security, a firm based in San Mateo, Calif., began installing software in more than 60 hospitals to trace medical device hacks.
After six months, TrapX concluded that all of the hospitals contained medical devices that had been infected by malware.
In several cases, the hackers “spear phished” hospital staffers
In one case, hackers penetrated the computer at a nurses’ station, and from there the malware spread throughout the network, eventually slipping into radiological machines, blood gas analyzers, and other devices.
Many of the hospitals that participated in the study rely on the device manufacturers to maintain security on the machines,
That service is often sporadic, he says, and tends to be reactive rather than preventive.
Medical profiles often contain that same credit card information, as well as Social Security numbers, addresses, dates of birth, familial relationships, and medical histories—tools that can be used to establish false identities and lines of credit, to conduct insurance fraud, or even for blackmail.
Hospitals generally keep network breaches to themselves. Even so, scattered reports of disruptions caused by malware have surfaced.
In the hallway just outside his room, Rios found a computerized dispensary that stored medications in locked drawers.
It had a built-in vulnerability: a hard-coded password that would allow him to “jackpot” every drawer in the cabinet. Such generic passwords are common in many medical devices, installed to allow service technicians to access their systems, and many of them cannot be changed. Rios and a partner had already alerted Homeland Security about those password vulnerabilities, and the agency had issued notices to vendors informing them of his findings. But nothing, at least at this hospital, had been done.
He’d already told the federal government that he knew how to sabotage the pumps, but after he returned home he decided to make a video to show them how easily it could be done.
“We have to create videos and write real exploit code that could really kill somebody in order for anything to be taken seriously,” Rios says. “It’s not the right way.”
But it got the FDA’s attention. Finally, after more than a year of hectoring from Rios, the FDA in July issued an advisory urging hospitals to stop using the Hospira Symbiq infusion pump because it “could allow an unauthorized user to control the device and change the dosage the pump delivers.”
“It’s viewed as precedent-setting,”
Hospira said that it would work with vendors to remedy any problems and that the Symbiq model was off the market. But the advisory was merely that: It didn’t force the company to fix the machines that were already in hospitals and clinics
“It was the moment we realized that the FDA really was a toothless dragon in this situation,”
The FDA’s challenge is a tricky one: to draft regulations that are specific enough to matter yet general enough to outlast threats that mutate and adapt much faster than the products the agency must certify.
After the guidelines were published, the American Hospital Association sent a letter to the FDA saying health-care providers were happy to do their part, but it urged the agency to do more to “hold device manufacturers accountable for cybersecurity.”
Rios says he doesn’t care how manufacturers or hospitals fix the problem, so long as they do something. The Hospira saga convinced him that the only way for that to happen is to continue to pressure manufacturers, calling them out by name until they’re forced to pay attention. That automated medicine cabinet wasn’t the only device he’d found with a hard-coded password; along with research partner Terry McCorkle, Rios found the same vulnerability in about 300 different devices made by about 40 different companies.
Since the FDA’s Hospira advisory was issued this July, boxes of medical devices have continued to arrive on Rios’s doorstep in Half Moon Bay
For novice independent researchers, however, access to devices can be a forbidding barrier to work in this field.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
‘Nasty’ Bug In MetroPCS Site Left Personal Data of Subscribers Open to Hackers
http://motherboard.vice.com/read/nasty-bug-in-metropcs-website-left-personal-data-of-subscribers-open-to-hacker
Until this month, if you were one of the more than 10 million MetroPCS subscribers, anyone who knew your phone number could easily get all your personal information from the company’s website, including your home address, your type of plan, and even your phone’s model and serial number.
All that data was left exposed online by a security flaw in the MetroPCS payment page, potentially allowing cybercriminals to steal the identity of customers, hack into their email or bank accounts through social engineering, or, worse, stalk them in real life.
Security researchers Eric Taylor and Blake Welsh found the bug and shared their research with Motherboard last month. A spokesperson for T-Mobile, which owns MetroPCS, told Motherboard that the flaw was fixed, so the data is not exposed anymore. But until Motherboard notified the company, all you needed to know a MetroPCS subscriber’s personal information was a little knowledge of programming.
“It’s a pretty nasty bug,” HD Moore, a well-known security researcher who works at Rapid7 and who reviewed Taylor’s research, told Motherboard. “It seems like a serious privacy exposure.”
In theory, a hacker didn’t even need to know somebody’s number. An attacker could have just run an automated script and harvested the personal data of many, if not all, MetroPCS customers. That would’ve been easy to do
“I’m obviously not very happy that my home address can easily be found online.”
A T-Mobile spokesperson told Motherboard the company appreciates “responsible disclosure from you and the researcher,” but declined to comment any further.
Tomi Engdahl says:
Brendan Klinkenberg / BuzzFeed:
How tech firms responded to Paris attacks: Facebook’s Safety Check used in first man-made disaster, emergency response tools activated by Airbnb, Uber, others — How Tech Learned From Past Crises And Reacted To The Paris Attacks — What Facebook, Airbnb, and Uber did when terrorists attacked Paris.
How Tech Learned From Past Crises And Reacted To The Paris Attacks
What Facebook, Airbnb, and Uber did when terrorists attacked Paris.
http://www.buzzfeed.com/brendanklinkenberg/startsups-rise-to-the-occasion#.wmQA0oO2p
There are a growing number of technology platforms that people around the world depend on each day — a dependency that often becomes much starker in times of crisis.
Following Friday’s terrorist attacks across Paris, which left at least 129 dead, many of the websites and apps we use on a regular basis made an effort to help those caught in the disaster.
But the process can also be fraught with sensitive considerations, with companies not wanting to be seen to be capitalizing on tragedy.
In the midst of the attacks on Friday, Facebook deployed “Safety Check,” a tool the company built for “disasters.” Safety Check uses geolocation to let those close to a crisis zone check in and let their Facebook friends know that they’re safe.
In the past 24 hours, 4.1 million people notified 360 million people that they were safe using Facebook’s Safety Check.
With over one billion people checking into the service every day, Facebook is uniquely situated when it comes to trying to communicate with the outside world in one simple step.
Safety Check was first developed in October, 2014, and has been used five times since then, most notably after the earthquake in Nepal earlier this year.
“We chose to activate Safety Check in Paris because we observed a lot of activity on Facebook as the events were unfolding,” Alex Schultz, Facebook’s Vice President of Growth, said in a statement. “In the middle of a complex, uncertain situation affecting many people, Facebook became a place where people were sharing information and looking to understand the condition of their loved ones.”
“This activation will change our policy around Safety Check and when we activate it for other serious and tragic incidents in the future.”
Uber did, however, disable all dynamic pricing
The company has learned from past crises
Airbnb also urged all its hosts in Paris to open their homes (or listings) to those affected by the attacks or left stranded in the city in the aftermath.
Twitter was also instrumental in finding safe places for those caught in Paris to stay. The service saw two major hashtags go viral on Friday night, one of which — #PorteOuverte — was used to signal that its sender either needed a place to go, or had a place to offer. #PorteOuverte had 1 million tweets in 10 hours, averaging 7,000 tweets a second at its peak.
Twitter also utilized its new summarization feature, Moments, to curate the news into an easier-to-digest format culled from the platform. Its livestreaming service Periscope also gave an on-the-ground perspective to the events.
While Reddit’s enormous, international, and web-native user base is well-suited to dig up information, its unstructured and unregulated investigations have previously led to incorrect assumptions and unfounded accusations
Tomi Engdahl says:
Julia Angwin / ProPublica:
Vizio is selling your viewing data, collected via its smart TVs with tracking on by default, and possibly connected to your IP — Own a Vizio Smart TV? It’s Watching You — TV makers are constantly crowing about the tricks their smart TVs can do. But one of the most popular brands …
Own a Vizio Smart TV? It’s Watching You
Vizio, one of the most popular brands on the market, is offering advertisers “highly specific viewing behavior data on a massive scale.”
http://www.propublica.org/article/own-a-vizio-smart-tv-its-watching-you
TV makers are constantly crowing about the tricks their smart TVs can do. But one of the most popular brands has a feature that it’s not advertising: Vizio’s Smart TVs track your viewing habits and share it with advertisers, who can then find you on your phone and other devices.
The tracking — which Vizio calls “Smart Interactivity” — is turned on by default for the more than 10 million Smart TVs that the company has sold. Customers who want to escape it have to opt-out.
In a statement, Vizio said customers’ “non-personal identifiable information may be shared with select partners … to permit these companies to make, for example, better-informed decisions regarding content production, programming and advertising.”
Vizio’s actions appear to go beyond what others are doing in the emerging interactive television industry. Vizio rivals Samsung and LG Electronics only track users’ viewing habits if customers choose to turn the feature on. And unlike Vizio, they don’t appear to provide the information in a form that allows advertisers to reach users on other devices.
Vizio’s technology works by analyzing snippets of the shows you’re watching, whether on traditional television or streaming Internet services such as Netflix. Vizio determines the date, time, channel of programs — as well as whether you watched them live or recorded. The viewing patterns are then connected to your IP address – the Internet address that can be used to identify every device in a home, from your TV to a phone.
Tomi Engdahl says:
Andy Greenberg / Wired:
How The Intercept used anonymous Tor whistleblower tool SecureDrop for its prison phone call story — SecureDrop Leak Tool Produces a Massive Trove of Prison Docs — It’s been more than two years since the debut of SecureDrop, a piece of software designed to help whistleblowers easily …
SecureDrop Leak Tool Produces a Massive Trove of Prison Docs
http://www.wired.com/2015/11/securedrop-leak-tool-produces-a-massive-trove-of-prison-docs/
It’s been more than two years since the debut of SecureDrop, a piece of software designed to help whistleblowers easily and anonymously leak secrets to media outlets over the Tor anonymity network. Now, that system is finally bearing fruit, in the form of a massive dump of files from one of the country’s largest prison phone companies.
On Wednesday, the investigative news site the Intercept published a story based on a collection of 70 million call records taken from a database of Securus, a Dallas, Texas-based company that provides phone service to more than 2,200 prisons around the United States. The database, which the Intercept says was stolen from Securus by a hacker, shows that the company keeps records of every phone call made by the more than 1.2 million inmates who use the service in 37 states, including the time, phone numbers called, inmate names, and even the audio recordings of every call. Those records are routinely sold to law enforcement customers, according to the Intercept’s reporting, and most damningly, include inmate conversations with lawyers that are meant to be protected by the privacy of attorney-client privilege. “This reveals exactly how much surveillance is going on in the criminal justice system,” Jordan Smith, a co-author of the story, tells WIRED. “Many of these calls should never have been recorded in the first place.”
Tomi Engdahl says:
E.T. Brooking / Foreign Policy:
Behind #OpISIS and GhostSec, a group of hacktivists fighting ISIS online, gathering and passing intelligence, which may have helped to disrupt a terror plot — Anonymous vs. the Islamic State — For nearly a year, a war has been unfolding in strange corners of the Internet.
Anonymous vs. the Islamic State
http://foreignpolicy.com/2015/11/13/anonymous-hackers-islamic-state-isis-chan-online-war/
For nearly a year, a war has been unfolding in strange corners of the Internet. But can a bunch of hackers really take on the world’s deadliest jihadi group?
Although Chase’s formal education ended with high school, computers were second nature to him. He had begun fiddling with code at the age of 7 and freelanced as a web designer and social media strategist. He now turned these skills to fighting the Islamic State, also known as ISIS. Centralizing other hacktivists’ efforts, he compiled a database of 26,000 Islamic State-linked Twitter accounts. He helped build a website to host the list in public view and took steps to immunize it against hacking counterattacks by Islamic State sympathizers.
For more than a year, a ragtag collection of casual volunteers, seasoned coders, and professional trolls has waged an online war against the Islamic State and its virtual supporters. Many in this anti-Islamic State army identify with the infamous hacking collective Anonymous. They are based around the world and hail from every walk of life. They have virtually nothing in common except a passion for computers and a feeling that, with its torrent of viral-engineered propaganda and concerted online recruiting, the Islamic State has trespassed in their domain. The hacktivists have vowed to fight back.
The effort has ebbed and flowed, but the past nine months have seen a significant increase in both the frequency and visibility of online attacks against the Islamic State. To date, hacktivists claim to have dismantled some 149 Islamic State-linked websites and flagged roughly 101,000 Twitter accounts and 5,900 propaganda videos. At the same time, this casual association of volunteers has morphed into a new sort of organization, postured to combat the Islamic State in both the Twitter “town square” and the bowels of the deep web.
This is something new. Anonymous arose from the primordial, and often profane, underground web forums to cause mischief, not to take sides in real wars. The group gained notoriety for its random, militantly apolitical, increasingly organized hacking attacks during the mid-2000s. Its first “political” operation was an Internet crusade against the Church of Scientology following its suppression of a really embarrassing Tom Cruise video.
In time, however, Anonymous operations became less about laughs and more about causes, fighting the establishment and guaranteeing a free and open Internet. In 2010, the group launched #OpPayback, retaliating against PayPal for, among other things, suspending payments to WikiLeaks following the publication of a trove of classified U.S. documents. This was followed by a cascade of increasingly political operations: in support of the Occupy Wall Street movement and the Arab Spring protests; against the CIA and Interpol; against Muslim discrimination in Myanmar; and on behalf of democratic activists in Hong Kong. Most recently, Anonymous launched a muddled campaign against purported members of the Ku Klux Klan. As Paul Williams, a hacktivist writer and occasional documentarian, writes in a colorful history of the group, “Anonymous had come to the conclusion that they were no longer abstractly playing with scatology and paedo bears.”
Today, in the fight against the Islamic State, the hacking collective finds itself split by a potentially existential crisis. If Anonymous defends the unrestricted use of the Internet, should this guarantee not apply to everyone, including Islamic State militants? What exactly does it mean when members of a group formed to flout authority find themselves sharing many of the same goals as the U.S. government
Tomi Engdahl says:
New PoS Malware Delivered via Malicious Docs, Exploit Kit
http://www.securityweek.com/new-pos-malware-delivered-malicious-docs-exploit-kit
A new point-of-sale (PoS) malware has been widely distributed by cybercriminals alongside ad fraud and information-stealing threats.
The malware, dubbed by Proofpoint “AbaddonPOS,” has been spotted on systems infected with the banking Trojan Vawtrak, also known as Neverquest and Snifula.
PoS malware can help cybercriminals earn a lot of money, but such threats are often used in more targeted attacks. However, researchers have spotted AbaddonPOS in campaigns that appear to be mainly aimed at consumers.
Anti-malware company Cyphort reported in early November that the psychcentral.com website had been directing users to the Angler exploit kit. Angler had been set up to serve the ad fraud malware Bedep, the Vawtrak banking Trojan, and a new RAM scraping malware designed to scan running processes for payment card information.
Proofpoint observed the same PoS malware, namely AbaddonPOS, being distributed with the aid of weaponized Microsoft Word documents designed to download the information-stealing Trojan Pony (Fareit) and Vawtrak.
“Cherry Picker” PoS Malware Cleans Up After Itself
http://www.securityweek.com/cherry-picker-pos-malware-cleans-after-itself
A point-of-sale (PoS) malware that went largely undetected for the past several years has been analyzed by researchers at Trustwave.
Dubbed by the security firm “Cherry Picker,” the threat has been around since at least 2011, but it managed to stay under the radar thanks to its sophisticated functionality and use in highly targeted attacks.
In 2011, Trustwave started analyzing several pieces of malware designed to inject processes with cardholder data. One of these toolsets consisted of two components: sr.exe, which is a command line interface, and searcher.dll, which got injected into targeted processes by sr.exe.
This toolset was often found on infected systems alongside other threats, such as a PoS malware created using the AutoIt scripting language, and Rdasrv, one of the earliest PoS RAM scrapers.
According to researchers, Cherry Picker relies on a new memory scraping algorithm, it uses a file infector for persistence, and it comes with a cleaner component that removes all traces of the infection from the system.
The latest version of the PoS malware relies on an API called QueryWorkingSet to scrape the memory. The harvested data is then written into a file and sent to the attacker’s server.
“Cherry Picker’s use of configuration files, encryption, obfuscation, and command line arguments have allowed the malware to remain under the radar of many security companies and AV’s,” Trustwave researchers said. “The introduction of a new way to parse memory and find CHD, a sophisticated file infector, and a targeted cleaner program have allowed this malware family to go largely unnoticed in the security community.”
Tomi Engdahl says:
Cybersecurity Talent: Finding the Security Breakers and the Technology Makers
http://www.securityweek.com/cybersecurity-talent-finding-security-breakers-and-technology-makers
Over the past two to three years, organizations that haven’t historically been focused on security have started to build out information security programs. Likewise, startups—which would typically hire security professionals later in their evolution—want to make sure security is built in from the start. That has resulted in more security jobs than people to fill them.
The security talent shortage represents a bigger issue facing the information security profession. Nowhere is it more relevant than in application security.
Application security professionals are the Swiss army knives of the security organization, ready to take on a variety of situations using their array of developmental and architectural expertise. They have to understand information security principles and policy, along with how they apply to the specific code that is written. Usually that means they should be able to write some code.
The most efficient solution to the current application security gap is to hire application developers and teach them security principles. They have the trust of the development teams and the comprehension of a security professional, positioning them to be highly effective.
Many organizations currently choose to move network security professionals into the application security role. Some organizations get lucky and find someone who used to code back in school. Others struggle.
That network security person will do a fantastic job of finding vulnerabilities in applications. The instincts developed in the network world apply in the application world as well. But the job doesn’t stop there. Throughout the security industry, but particularly in application security, the objective isn’t just to find vulnerabilities – it’s to help the organization fix them and ultimately prevent the same thing from happening in the future.
Tomi Engdahl says:
Using an Attacker’s ‘Shadow’ to Your Advantage
http://www.securityweek.com/using-attackers-shadow-your-advantage
With more than three billion individuals interacting across social media, mobile and cloud services, digital footprints are increasing. The age of digital business has, for the most part, been a positive thing. It has increased the ease and speed of communication at the same time as reducing the cost. However, some of this information can be inadvertently exposed and may be used maliciously.
A ‘digital shadow’ is a subset of a digital footprint and consists of exposed personal, technical or organizational information that is often highly confidential, sensitive or proprietary. Adversaries can exploit these digital shadows to reveal weak points in an organization and launch targeted attacks.
This is not necessarily a bad thing, though. Some digital shadows can prove advantageous to your organization; the digital shadows of your attackers.
Hacktivists tend to be more visible and easy to track because a primary motivation is to be heard and cause disruption and embarrassment. Their activity can be broken down into three main parts:
1. Indication and warning – Social media is a useful tool for monitoring for hacktivist operational announcements. The use of operational hashtags, which are prevalent, aids this process. Groups will invariably provide operation names and specify target lists. If a hacking group names you on a target list, you are going to want to know.
2. Evidence of attack – You can also monitor for claims of defacements, DDoS attacks and breaches. This may occur on social media, often Twitter, but also on code-sharing sites such as Pastebin. Getting there first can help to reduce the reputational impact on your organization. But it also helps from a historical view; understanding what tactics, techniques and procedures (TTPs) have been used in the past helps you to gauge how to best prioritize defense spending.
3. Significant activity – Organizations can monitor social media and news sources for significant activity. While more mature organizations may use Activity Based Intelligence (ABI) to draw this information out, this approach need not be that complex. This approach may simply include observing arrests, reference to new techniques, declaration of links to other groups or actors.
The dark web can be a useful place to find out about the latest TTPs of cyber criminals, but do not underestimate the power of social media and sharing sites.
Tomi Engdahl says:
PNG pongs: critical bug patched in ubiquitous libpng
Crafted image crashes apps, server processes
http://www.theregister.co.uk/2015/11/15/png_pongs_critical_bug_patched_in_ubiquitous_libpng/
This will not be fun: the graphics processing library libpng has a vulnerability and needs to be patched.
The problem for that is that libpng is everywhere – in browsers, anything that processes photos to produce thumbnails, file browsers, music players, in applications in every operating system.
The bug is a simple denial-of-service at this stage, but that won’t be where it ends, since bugs that let attackers crash applications are a favourite starting point for more effective nastiness.
Libpng’s custodian Glenn Randers-Pehrson asked for the CVE for the bug here. He writes:
“I request a CVE for a vulnerability in libpng, all versions, in the png_set_PLTE/png_get_PLTE functions. These functions failed to check for an out-of-range palette when reading or writing PNG files with a bit_depth less than 8. Some applications might read the bit depth from the IHDR chunk and allocate memory for a 2^N entry palette, while libpng can return a palette with up to 256 entries even when the bit depth is less than 8.
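The mismatch described in that CVE request (an application sizes its palette from the IHDR bit depth while the library can hand back up to 256 entries) is the kind of bug a single range check prevents. The following C is an added example, not libpng's own code: it models the situation with a plain palette struct and a constructed 256-entry palette against a bit depth of 2, and shows the bounds check that the `png_set_PLTE`/`png_get_PLTE` boundary lacked. The function names, the `rgb_entry` type and the sample data are assumptions made for this illustration; only the 256-entry limit and the 2^N sizing come from the text.

```c
/* Added example (not libpng's code): models the palette/bit-depth mismatch
 * described in the CVE request and the bounds check that was missing. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PLTE_ENTRIES 256        /* a PLTE chunk holds at most 256 entries */

typedef struct { uint8_t red, green, blue; } rgb_entry;   /* hypothetical type */

/* Number of entries a paletted image of this bit depth can actually index
 * (2^bit_depth), or 0 if the depth is not valid for a paletted PNG
 * (the format allows 1, 2, 4 or 8 for colour type 3). */
size_t palette_capacity(int bit_depth)
{
    if (bit_depth == 1 || bit_depth == 2 || bit_depth == 4 || bit_depth == 8)
        return (size_t)1u << bit_depth;
    return 0;
}

/* The check that was missing: does a palette of num_palette entries fit a
 * buffer that an application sized from the IHDR bit depth? */
int palette_in_range(int bit_depth, size_t num_palette)
{
    size_t cap = palette_capacity(bit_depth);
    return cap != 0 && num_palette >= 1 && num_palette <= cap
           && num_palette <= MAX_PLTE_ENTRIES;
}

/* Copies a decoder-supplied palette into a buffer of 2^bit_depth entries.
 * Returns the number of entries copied, or 0 (dst untouched) when the
 * palette would overrun the buffer. Without palette_in_range() this memcpy
 * is exactly the out-of-bounds write pattern the advisory warns about. */
size_t copy_palette_checked(rgb_entry *dst, int bit_depth,
                            const rgb_entry *src, size_t num_palette)
{
    if (!palette_in_range(bit_depth, num_palette))
        return 0;
    memcpy(dst, src, num_palette * sizeof *dst);
    return num_palette;
}

/* Constructed scenario: IHDR says bit depth 2 (room for 4 entries) but the
 * decoder returns a full 256-entry palette. Returns 1 if it was rejected. */
int demo_crafted_palette(void)
{
    int bit_depth = 2;
    size_t cap = palette_capacity(bit_depth);                 /* 4 entries */
    rgb_entry *app_palette = calloc(cap, sizeof *app_palette);
    rgb_entry crafted[MAX_PLTE_ENTRIES];                      /* constructed input */
    size_t copied;

    if (app_palette == NULL)
        return 0;
    memset(crafted, 0xAA, sizeof crafted);
    copied = copy_palette_checked(app_palette, bit_depth, crafted, MAX_PLTE_ENTRIES);
    free(app_palette);
    return copied == 0;
}

int main(void)
{
    return demo_crafted_palette() ? 0 : 1;   /* 0 = over-sized palette rejected */
}
```

The same test belongs on both sides of the library boundary: an application that allocates from the IHDR bit depth must refuse a palette larger than 2^N, and a library that returns palettes should never hand out more entries than the declared depth can index.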
Tomi Engdahl says:
Hack a Padlock key from Plastic Scraps
http://hackaday.com/2015/11/16/hack-a-padlock-key-from-plastic-scraps/
Not too many years ago, if you wanted a decent copy of a key made, you had to head to either a locksmith’s shop or the nearest hardware store, where real people actually knew their trade.
But as [BlueMacGyver] shows us, a serviceable padlock key can be whipped up quickly at home with nothing but scraps.
Soot the profile of the key with a lighter, transfer the carbon to some stiff plastic with Scotch tape, and cut out the profile. With a little finagling the flat copy makes it into the lock and opens it with ease.
We’ve given a lot of coverage lately to hacks involving locks, including copying keys from photos and making bump keys with a 3D printer. But we like this hack for its simplicity.
Tomi Engdahl says:
Yes, GCHQ is hiring 1,900 staffers. It’s not a snap decision
Increase announced days before Paris attacks
http://www.theregister.co.uk/2015/11/16/uk_gch1_1900_staff/
Despite the timing of the UK Prime Minister’s emissions following the terrorist attacks in Paris last Friday, increases in intelligence personnel were already in place and had been announced by the Treasury some days before.
After the attacks, David Cameron stated his government would be funding an increase of 1,900 intelligence personnel. While it appeared to some observers as an admirable “response”, it was in fact an increase that had already been announced by the Chancellor of the Exchequer last Monday.
Blighty’s three spy agencies will receive an increase in personnel to help them combat “those who would destroy us and our values” according to the PM.
George Osborne sets out his priorities for the Spending Review
https://www.gov.uk/government/speeches/george-osborne-sets-out-his-priorities-for-the-spending-review
At the summer Budget, I committed to spending 2% of our national output on defence every year of this Parliament, protected spending across government on counter-terrorism and on our security and intelligence agencies, and I have created a Joint Security Fund which will grow to £1.5 billion by the end of this Parliament.
The internet – central to modern life – provides new ways for our enemies to plan and act against us.
The threat from terrorists – from extreme ideologies – needs to be challenged head-on.
The probable fate of that Russian airliner in Sinai is a painful reminder of that.
So I can confirm that over the next five years we will substantially increase the number of people across all three secret intelligence agencies who investigate, analyse and help disrupt terrorist plots.
This is a government that puts security first.
Economic security. National security.
Tomi Engdahl says:
Police Body Cameras Come With Pre-Installed Malware
http://hardware.slashdot.org/story/15/11/15/1347218/police-body-cameras-come-with-pre-installed-malware
The old Conficker worm was found on new police body cameras that were taken out of the box by security researchers from iPower Technologies. The worm is detected by almost all security vendors, but it seems that it is still being used because modern day IoT devices can’t yet run security products. This allows the worm to spread, and propagate to computers when connected to an unprotected workstation.
Police Body Cameras Shipped with Pre-Installed Conficker Virus
http://news.softpedia.com/news/police-body-cameras-shipped-with-pre-installed-conficker-virus-496177.shtml
US-based iPower Technologies has discovered that body cameras sold by Martel Electronics come pre-infected with the Conficker worm (Win32/Conficker.B!inf).
The specific line of body cameras iPower tested is the same one sold to police forces around the US, used by street patrol officers and SWAT team members in their operations.
The model, Frontline Body Camera, is attached to an officer’s chest and works by recording their activities on video, their location using a GPS tracker, and taking regular snapshots as images.
The camera records data on an internal drive, from where the officer or their supervisors can download it onto a computer via a USB cable.
According to iPower’s account, this is where they spotted the infection.
The worm comes pre-installed on new Martel Frontline Body Camera models
Conficker is again dangerous thanks to IoT devices
While detection rate is high, Conficker can still be very useful, especially today, with the proliferation of more and more IoT (Internet of Things) devices.
Since almost no IoT device can run security products and they are usually programmed without paying too much attention to self-protection measures, Conficker can be as effective in 2015 as it was in 2008 and 2009.
While the worm is almost useless on PCs because of the built-in security updates included with Windows a long long time ago, modern Internet-connected equipment is ripe for the taking.
Tomi Engdahl says:
Anonymous Vows Revenge For ISIS Paris Attacks
http://news.slashdot.org/story/15/11/15/2257233/anonymous-vows-revenge-for-isis-paris-attacks
As usual, Anonymous members are quicker to respond to threats than investigators and have announced #OpParis as revenge for the Paris attacks. Their action is similar to #OpISIS from this spring, launched after the Charlie Hebdo attacks.
Anonymous Announces Payback for ISIS Paris Attacks
http://news.softpedia.com/news/anonymous-announces-payback-for-the-isis-paris-attacks-496184.shtml
It didn’t take long for Anonymous members to rally and swear payback for the recent ISIS terror attacks that took place in Paris, France, on Friday, November 13, 2015.
In its previous campaign, the hackers tracked, hacked, unmasked, and reported thousands of Twitter accounts that were run or associated with the Islamic State’s members.
Expect the same thing to happen again, especially since ISIS doesn’t have any other kind of online presence that Anonymous can attack outside their Twitter accounts.
Yesterday, Belgium’s Internal Affairs Minister said that ISIS members might have used the built-in PlayStation 4 chat system to coordinate attacks. If this information is confirmed by French investigators, expect the group to take aim at Sony’s service in the coming months.
Tomi Engdahl says:
Congress Talks About ‘Cybersecurity’ More Than Ever, But Still Doesn’t Get It
http://motherboard.vice.com/read/congress-talks-about-cybersecurity-more-than-ever-but-still-doesnt-get-it?trk_source=recommended
Information security, more commonly referred to as cybersecurity, is more mainstream than ever. Headline-grabbing hacks like Sony Pictures, Ashley Madison, Hacking Team, and the so-called Fappening (the leak of naked pictures of celebrities caused by a flaw in iCloud), have everyone worried about hacking—including the US Congress.
In October, the word “cyber,” particularly associated with security, appeared in the Congressional record 715 times, according to data collected by the Sunlight Foundation. That’s an all-time high, and shatters the previous record of 396 mentions of “cyber” in August 2012.
But despite all this attention and all these words, the truth is that Congress doesn’t get cybersecurity at all. The recent uptick in mentions is partly because Congress was working on passing the infamous Cybersecurity Information Sharing Act, or CISA, and this bill is the perfect example of why Washington still doesn’t understand what it really takes to make networks and systems more secure.
Many experts, digital rights advocates, and a few members of Congress see CISA as more of a flawed privacy-killer than a real solution to cybersecurity issues. And you don’t need to trust them. Just look at the last several high-profile hacks for proof.
In other words, you can share as much information as you want on hackers and cyberattacks, but if your systems and networks are out of date, they are vulnerable.
As long as the US government doesn’t take care of its own cyberinfrastructure, hackers gonna hack.
Tomi Engdahl says:
Firefox’s New Feature for Tighter Security
http://www.linuxjournal.com/content/firefoxs-new-feature-tighter-security?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
Freedom and privacy go hand in hand. In an ideal world, we wouldn’t have to worry about who was looking over our shoulders. None of us would have anything to hide, and we would have ulterior motives. As citizens of the real world though, we have to take measures to protect ourselves.
Building privacy features into the software we use makes that protection easier to accomplish. And, that’s why Mozilla has extended Firefox’s private browsing feature with a new option to prevent third-party sites from tracking your on-line activity.
Although this functionality has been available for some time through plugins, it now is built in to the browser, resulting in better performance. In fact, Firefox is the first of the major browsers to include tracking protection as a core feature.
So, what does tracking protection do? Put simply, it limits the amount of information that your browser shares with Web sites and on-line services, such as ad servers and Web analytics tools, including Web beacons and other tracking mechanisms.
Firefox’s new feature is designed to recognize and block common Web beacon content, such as 1-pixel images. But any type of content can be used as a Web beacon, including text files like stylesheets and scripts. So while tracking protection does improve your privacy, it’s not a complete guarantee of anonymity.
Although this new feature is a great step in the right direction, it still fails to provide total protection for end users. It’s important for people to realize that features such as private browsing are not a total guarantee of privacy. They do a pretty good job of covering your tracks at a superficial level, but there are still plenty of signs for those who know where to dig.
For instance, Firefox’s private browsing mode deletes all cache files and temp files when the browsing session ends, but that doesn’t mean the data is gone from your computer. The data from the deleted files usually remains on the disk until it’s overwritten.
Even if the temp and cache files are destroyed, data from your browsing session often can be uncovered in memory and from the swap partition.
When Firefox launches third-party applications to display content (for instance, VLC to play a WMV file), the content could be cached and added to the history feature of that application.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Privacy advocate warns FTC about ads that use inaudible sound to link phone, TV, tablet, and PC
Beware of ads that use inaudible sound to link your phone, TV, tablet, and PC
Privacy advocates warn feds about surreptitious cross-device tracking.
http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/
Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person’s online behavior across a range of devices, including phones, TVs, tablets, and computers.
The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can’t be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product.
Cross-device tracking raises important privacy concerns, the Center for Democracy and Technology wrote in recently filed comments to the Federal Trade Commission. The FTC has scheduled a workshop on Monday to discuss the technology.
“As a person goes about her business, her activity on each device generates different data streams about her preferences and behavior that are siloed in these devices and services that mediate them,” CDT officials wrote. “Cross-device tracking allows marketers to combine these streams by linking them to the same individual, enhancing the granularity of what they know about that person.”
Tomi Engdahl says:
Exclusive: Inside the ProtonMail siege: how two small companies fought off one of Europe’s largest DDoS attacks
What started as a simple digital ransom quickly escalated into a trans-continental networking battle.
http://www.techrepublic.com/article/exclusive-inside-the-protonmail-siege-how-two-small-companies-fought-off-one-of-europes-largest-ddos/
The ransom note arrived in the middle of the night, and it didn’t seem like a big deal. “We let users know we had been hit, called up the ISP, and then went back to sleep,” said ProtonMail CEO and CERN-alum Andy Yen. “Usually these guys hit you a few times, then move on, so you just ignore them.”
What came next was impossible to ignore.
Less than twelve hours later, on the morning of Wednesday, November 4th 2015, “things were out of control,” said Yen. The Switzerland-based secure email company ProtonMail was hit by one of Europe’s largest distributed denial of services (DDoS) attacks. ProtonMail servers were slammed with a 50 Gigabit per second wall of junk data that threatened to sink the company.
ProtonMail uses end-to-end encryption to ensure that even the company itself does not have access to user messages. All data encryption and decryption happens on the client side, and data is secured using a passphrase which the company does not possess.
Though DDoS attacks are common and crude, they are also effective at disrupting critical networking infrastructure.
ProtonMail was actually hit by two groups of attackers
“First we moved the BGP IP prefix,”
The new attackers were incredibly advanced, Gargula explained, and became more sophisticated through the week. “Every time we made a change in tactics, they responded with a change,”
“The second attackers impacted many other companies,” said Yen. “They also lost access to mission critical infrastructure.”
ProtonMail’s primary datacenter was knocked offline completely, and the regional ISPs were struggling to stay up. “The collateral damage by then was hundreds of companies”
“From the start, ProtonMail has always been opposed to paying [ransom],” Yen explained, “but after discussions with other impacted companies, and considering the sheer amount of collateral damage, we respected the decision to pay.”
ProtonMail made an understandable but crucial mistake by paying the ransom, said Tim Matthews, vice president of marketing at Imperva Incapsula.
After paying the ransom, the attacks continued unabated. Running out of options, ProtonMail contacted the Swiss government agency MELANI and opened a dialogue with other companies recently hit by extortion attacks.
“To solve the financing issue we took to social media and set up our crowdfunding campaign,” said Yen, “and immediately users jumped in to support us.”
Helping ProtonMail was risky as it could potentially expose other companies to the data-wrath of the new attackers.
Many datacenters and network specialists offered us assistance, fully knowing the risks of helping.”
“A week-long DDoS is still pretty long, and we can’t rule out the possibility that they are regrouping,”
Tomi Engdahl says:
Symantec’s salvation plan is more and better integration. No, really
New CEO Mike Brown outlines security product mashup plan
http://www.theregister.co.uk/2015/11/17/symantec/
Symantec divested Veritas because it never quite convinced anyone that an integrated security and data management company made sense, and its security business has struggled in part because it’s not linked its protection products. But the company’s new CEO Michael Brown nonetheless thinks that integrating the company’s range is the key to turning around Symantec’s fortunes.
Tomi Engdahl says:
Leaked Documents Confirm Polygraph Operators Can’t Detect Countermeasures
http://tech.slashdot.org/story/15/11/16/1616226/leaked-documents-confirm-polygraph-operators-cant-detect-countermeasures
AntiPolygraph.org has published a document (14 MB PDF) on polygraph countermeasures that is allegedly derived from classified information.
https://antipolygraph.org/documents/drdak-polygraph-countermeasures.pdf
Tomi Engdahl says:
As Predicted: Encryption Haters Are Already Blaming Snowden (?!?) For The Paris Attacks
https://www.techdirt.com/articles/20151115/23360632822/as-predicted-encryption-haters-are-already-blaming-snowden-paris-attacks.shtml
It really was less than two months ago that we noted that, having lost the immediate battle for US legislation to backdoor encryption, those in the intelligence community knew they just needed to bide their time until the next big terrorist attack. Here was the quote from Robert Litt — the top lawyer for the Office of the Director of National Intelligence from September:
Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
Tomi Engdahl says:
Keeping Pace with Cryptowall
http://blog.fortinet.com/post/keeping-pace-with-cryptowall
Cryptowall is a popular ransomware which targets computers running Microsoft Windows, encrypts files, and extorts money to decrypt user files. With its predecessor’s first appearance way back in September 2013, Cryptowall has become a financial success for its authors. Following this success, the authors have now released what is believed to be the 4th generation of Cryptowall with new alteration techniques.