Security trends for 2015

Year 2014 is coming to an end, so it is time to look forward to what to expect from 2015 in cyber security.

Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that 2014 will look easy compared to what 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and at any time, and they don’t have to be major attacks by nation states; they can come from inside or outside.

According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that continuously widen our attack surface and make systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies and to commit fraud.

Despite the high-profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.

Many people are looking for a good process for developing secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, there will be only a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist but have yet to be broadly applied. Traditional software development methods continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has yet been published, so I expect further details of the NSA revelations to be published in 2015, and with them some new information leaks on how governmental security organizations spy on us all.

It seems that 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third-party providers. The changes follow a string of high-profile breaches. I do not expect those new requirements to change the situation quickly. As breach reports keep coming, consumers are officially starting to get breach fatigue, and banks are taking breached companies to court to pay for the damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In 2014 the Sony Pictures hack showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well-prepared company, and can turn a not-so-well-prepared company into a complete disaster it cannot recover from. The Sony attack opens new doors of risk in the area of corporate extortion.

As the Internet of Things becomes more widely used, it will be hacked more, so the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can give manufacturers more than just an insurance policy.

Soon almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks with less risk of getting caught and with fewer repercussions when they are caught. There are many reasons why a nation-state or non-state entity would pursue a cyber war program, and today many countries, large and small, invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides exactly the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a back seat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that the first online murder would happen in 2014. As far as I know, it did not happen in 2014. I think it is likely that an online murder can happen in 2015; the tools for it are available. Cyber-murder can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is also still relatively easy to get malicious applications published in application stores. Within the next year advanced mobile exploit kits will become available.

Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.

Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat information sharing will become necessary for survival. Security controls (SANS Critical Controls, ISO/IEC 27002, the NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence from a variety of sources (security companies, governments and the open source community) is needed. Key to success is publishing intelligence in standard data structures (STIX, TAXII and other industry formats) that describe threats in a way that can be aggregated and understood by others.
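
As an added example (not code from the original post), the Python script below consumes a constructed STIX 2.1 indicator bundle and applies its patterns as an automated control over constructed proxy log lines. STIX 2.1 JSON as standardized by OASIS, the tiny pattern subset it accepts, and the log line layout are assumptions of the example, not something the post specifies.

```python
"""Apply shared threat intelligence as an automated control.

Added example: a constructed STIX 2.1 bundle (JSON, as standardized by OASIS)
is parsed and its indicator patterns are matched against constructed proxy
log lines. Only the simple pattern subset [x:y = 'v' OR ...] is supported."""
import json
import re

# Constructed STIX 2.1 bundle with two indicators. Values come from
# documentation ranges (RFC 5737, .invalid TLD) and are not real IoCs.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2015-01-01T00:00:00.000Z",
         "modified": "2015-01-01T00:00:00.000Z",
         "name": "Constructed C2 domain",
         "pattern": "[domain-name:value = 'c2.example.invalid']",
         "pattern_type": "stix", "valid_from": "2015-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2015-01-01T00:00:00.000Z",
         "modified": "2015-01-01T00:00:00.000Z",
         "name": "Constructed C2 address",
         "pattern": "[ipv4-addr:value = '192.0.2.10' OR ipv4-addr:value = '192.0.2.11']",
         "pattern_type": "stix", "valid_from": "2015-01-01T00:00:00Z"},
    ],
})

# Constructed proxy log: "<timestamp> <client_ip> <dest_ip> <host>".
PROXY_LOG = """\
2015-01-05T10:00:01Z 10.0.0.5 198.51.100.7 www.example.com
2015-01-05T10:00:02Z 10.0.0.8 192.0.2.10 update.example.org
2015-01-05T10:00:03Z 10.0.0.5 198.51.100.9 c2.example.invalid
2015-01-05T10:00:04Z 10.0.0.9 198.51.100.7 www.example.com
"""

# One STIX comparison expression: <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Turn a simple STIX pattern into a list of (object_type, prop, value).

    Terms joined by OR are returned as alternatives. Anything else (AND,
    FOLLOWEDBY, MATCHES, qualifiers) raises, so an unsupported indicator is
    reported instead of silently weakening the control."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("unsupported pattern: %r" % pattern)
    comparisons = []
    for term in re.split(r"\s+OR\s+", body[1:-1]):
        m = _COMPARISON.fullmatch(term.strip())
        if m is None:
            raise ValueError("unsupported comparison: %r" % term)
        comparisons.append(m.groups())
    return comparisons


def load_indicators(bundle_json):
    """Return {indicator id: (name, comparisons)} for each indicator in a bundle."""
    indicators = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # relationships, sightings and non-STIX patterns are skipped
        indicators[obj["id"]] = (obj.get("name", obj["id"]), parse_pattern(obj["pattern"]))
    return indicators


def parse_log_line(line):
    """Map one proxy log line onto STIX cyber-observable facts."""
    ts, client_ip, dest_ip, host = line.split()
    return ts, client_ip, [("ipv4-addr", "value", dest_ip), ("domain-name", "value", host)]


def apply_indicators(bundle_json, log_text):
    """Return (timestamp, client_ip, indicator name) for every log line that
    satisfies an indicator, in log order."""
    indicators = load_indicators(bundle_json)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, facts = parse_log_line(line)
        for name, comparisons in indicators.values():
            if any(c in facts for c in comparisons):
                hits.append((ts, client_ip, name))
    return hits


if __name__ == "__main__":
    for ts, client, name in apply_indicators(STIX_BUNDLE, PROXY_LOG):
        print("%s client %s matched indicator %r" % (ts, client, name))
```

Feeding a real bundle pulled from a TAXII collection into apply_indicators would need the full pattern grammar; the script deliberately rejects what it cannot evaluate rather than guessing.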

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS everywhere will get a boost in 2015 as a new certificate authority, backed by big names on the internet including Mozilla, Cisco and Akamai, plans to offer SSL certificates at no charge starting in summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean a warning pops up when people visit a site that uses only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats carried within HTTPS. There are special corporate firewall arrangements that can intercept HTTPS traffic (they perform a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way, which works only because the corporate root certificate has been installed on the managed clients), so SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    Data breach at firm that manages Cisco, Microsoft certifications
    Pearson VUE says credentials manager product affected
    http://www.theregister.co.uk/2015/11/23/pearson_vue_data_breach_pcm/

    Cisco, IBM, Oracle and Microsoft’s certification management provider, Pearson VUE, has copped to a data breach following a malware compromise of its Credential Manager System.

    The Pearson Credential Manager (PCM) system supports a number of companies’ certification tracking programmes. Pearson VUE stated that an “unauthorised third party improperly accessed certain information related to a limited set of our users”.

    Since at least 14 November, Cisco’s tracking system had claimed it was down for “site maintenance”. On Saturday, however, Cisco copped to the Pearson VUE incident and stated its tracking system “will remain down until further notice”.

    Cisco added that “at this time, we believe that the compromised information, as it relates to individuals who have taken exams for and hold Cisco certifications, is limited to: name, mailing address, email address and phone number”.

  2. Tomi Engdahl says:

    China Cuts Mobile Service of Xinjiang Residents Evading Internet Filters
    http://www.nytimes.com/2015/11/24/business/international/china-cuts-mobile-service-of-xinjiang-residents-evading-internet-filters.html?_r=0

    HONG KONG — The Chinese government is shutting down the mobile service of residents in Xinjiang who use software that lets them circumvent Internet filters, escalating an already aggressive electronic surveillance strategy in the country’s fractious western territory.

    Starting last week, shortly after terrorist attacks in Paris, the local police began cutting the service of people who had downloaded foreign messaging services and other software, according to five people affected.

    The people, who spoke on the condition of anonymity over concerns about retaliation from local security forces for speaking to foreign news media, all said their telecommunications provider had told them to go to a local police station to have service restored.

    “Due to police notice, we will shut down your cellphone number within the next two hours in accordance with the law,” read a text message received by one of the people, who lives in the regional capital of Urumqi. “If you have any questions, please consult the cyberpolice affiliated with the police station in your vicinity as soon as possible.”

    The person said that when she called the police, she was told that the service suspensions were aimed at people who had not linked their identification to their account; used virtual private networks, or V.P.N.s, to evade China’s system of Internet filters, known as the Great Firewall; or downloaded foreign messaging software, like WhatsApp or Telegram.

  3. Tomi Engdahl says:

    In Depth Biometrics
    Catching a thief by their face
    http://www.bbc.com/future/story/20151120-catching-a-thief-by-their-face

    Retail stores are turning to facial recognition technology and customer tracking tools to fight against shoplifters. BBC Future investigates.

    A man walks up to the front door of a jeweller in the centre of Rotterdam and buzzes to enter but it doesn’t budge. He waits. While he lingers by the door, a facial recognition camera quickly scans his face and cross references the image with a watch list of known shoplifters from the local police department. It turns out he has a criminal record for shoplifting and the jeweller doesn’t want him on the premises.

    That was one example of a pilot called FotoSwitch in 2011, a program run by the Rotterdam-Rijnmond police department, the Netherlands’ Ministry of Security and Justice, and the Dutch Federation of Gold and Silver, aided by Spanish biometrics firm Herta Security.

    The pilot gave jewellers an opportunity to quickly screen customers before they entered. The door would also stay locked if a person was wearing sunglasses or something obscuring their face.

    It’s the latest way retailers have tried to combat theft. But is it enough to tip the battle in their favour?

    Steve Rowen of US-based Retail Systems Research (RSR) says that among the retailers it usually surveys, the challenge of preventing stock being pilfered by shoplifters is a constant. This has created a need for more intensive tools not only for surveillance but for managing a store in general, from staffing to presenting products. “CCTV, let’s be honest, you couldn’t use it for more than a basic general description of a person,” says Rowen.

    CCTV is a classic method for getting a glimpse of your suspect but it can hit a dead end if it doesn’t have anyone to compare it to – a list of known or suspected shoplifters, for example.

    More companies are now looking at using facial recognition to keep their stock safe

    Herta’s technology needs just the “slightest glimpse” to match against a database and can recognise up to 20 or 30 faces in a crowd, says Gary Lee, Herta Security’s international business development manager. The company remains tight-lipped about who its clients are but it is currently testing its facial recognition system with a large electronics chain.

    Rosenkrantz from FaceFirst says its technology is mostly used by grocery stores, DIY stores, and big box retailers. Stolen tools and electronics, for example, are easier to resell, making them an attractive target.

    Stores using facial recognition have to get their own access to a database of known shoplifters, which is often done in collaboration with local police.

    More stores are opting for biometric security, with more than a quarter of respondents in a recent survey admitting they have recently used facial recognition

    Facial recognition technology and high-definition digital cameras can be a huge investment for stores, says Rowen, and often they are looking for further ways to use the technology, making it more cost-effective.

    In the survey mentioned, almost half of the stores said they were in favour of some kind of facial recognition technology and only 7% believed the technology was intrusive.

    Lee believes that this is just an extension of the CCTV surveillance that we’re used to already amidst our daily lives.

    Too intrusive?

    Privacy will remain a major concern. In September of this year the UK’s Home Office published a report encouraging greater oversight on the handling of biometric data, which includes the kind of material the facial recognition system will be studying.

    “We are extracting very abstract appearance characteristics so the privacy of the person is never compromised,” says CTO Shashi Kant. Netra’s software detects things like the colour of a person’s clothes, their hair length, or if they have a backpack or handbag.

    Prism has created a similar tool, which turns “cameras into intelligent data centres” and mines existing CCTV footage for events that occur in the store like the movement of customers or products from shelves.

    “All systems require some kind of visual verification,” he adds. Stores need a means to prove that a person that set off an alarm is the one that actually lifted the product and not a decoy.

    Whether it’s biometric scanners or more abstract tracking tools, stores still depend on the use of cameras, which are only as good as what they can see. “There’s an art form to camera placement,” says Cutting.

  4. Tomi Engdahl says:

    Current and future uses of biometric data and technologies:
    Government Response to the Committee’s Sixth Report of Session 2014–15
    http://www.publications.parliament.uk/pa/cm201516/cmselect/cmsctech/455/455.pdf

  5. Tomi Engdahl says:

    Petition the Automotive Industry and Security Research Community to collaborate.
    https://www.iamthecavalry.org/domains/automotive/5star/

    Five Star Automotive Cyber Safety Program (PDF Version)
    https://www.iamthecavalry.org/wp-content/uploads/2014/08/Five-Star-Automotive-Cyber-Safety-February-2015.pdf

  6. Tomi Engdahl says:

    New Wireshark, Nmap releases bring pre-Xmas cheer to infosec types
    Nmap for XP and Wireshark for Mac put a smile on the face of security-loving girls and boys
    http://www.theregister.co.uk/2015/11/23/wireshark_20_nmap/

    Security types impatient for gifts under the Christmas tree may find that major upgrades to the popular Nmap and Wireshark infosec tools sate their appetite for new toys.

    Apple fans will have access to a much-improved Wireshark as version two of the network sniffing tool dropped last week.

    The immensely popular network protocol analyser tool now comes native for Mac, sports dozens of new bug fixes, and a new interface.

    “Wireshark 2.0 features a completely new user interface which should provide a smoother, faster user experience,” Wireshark developers wrote in the release notes.

    “The new (QT) interface should be familiar to current users of Wireshark but provide a faster workflow for many tasks.”

  7. Tomi Engdahl says:

    Web Stores Held Hostage
    http://www.linuxjournal.com/content/web-stores-held-hostage?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

    Last week has seen an explosion of e-commerce sites infected with the Linux.Encoder.1 ransomware. For those not familiar with the term, ransomware is a particularly vicious type of malware that aims to extort money from the owners of compromised systems.

    In the case of Linux.Encoder.1, the malware attacks vital files on a web server, encrypting them so they cannot be opened by the administrator or applications. The files are encrypted using a secret key, so it’s impossible to decrypt them. This effectively shuts down the server and takes the site offline.

    Linux.Encoder.1 leaves behind text files that tell the admin how to return the system to working order – by paying untraceable bitcoins to the malware author.

    With thousands of systems compromised, there has been a lot of resentment about Linux security from store owners. But, despite the name of the malware, Linux is innocent! The security hole is actually in Magento, an extremely popular e-commerce application.

  8. Tomi Engdahl says:

    Hacker Claims He Gave FBI Info That Led To Killing Of ISIS Leader
    http://www.buzzfeed.com/josephbernstein/hacker-claims-he-gave-fbi-info-that-led-to-killing-of-isis-l#.jonD7lmXZ

    Alleged ISIS cyber mastermind Junaid Hussain died in an August drone strike, and this American hacker says he led the FBI to him.

    In August 2014, a hacker who goes by the alias Shm00p walked into a Buffalo Wild Wings on the south side of Las Vegas to meet two FBI agents.

    Less than a year later, Shm00p claims he gave those same agents information that he is now “99.9% sure” led to the extrajudicial killing of Junaid Hussain, the British-Pakistani hacker who became notorious for his affiliation with ISIS.

    If true, Shm00p’s story sheds new light on the federal government’s use of informants from the world of hacking to pursue ISIS militants, a group that has found a massive foothold online.

    Shm00p, who lives in Las Vegas, told BuzzFeed News in a telephone interview that he knew the Birmingham, England–born Hussain from their mutual affiliation with Team Poison, a hacking group. Together, in 2012, Shm00p says the two “call-bombed” the U.K.’s anti-terrorism hotline. This was one of several crimes for which Hussain was jailed for six months in 2012.

    Several months later, however, he says FBI agents began asking about Hussain, who by that point had grown to be one of the most infamous members of ISIS. Citing security concerns, Shm00p eventually disclosed the information he had gathered from his chats with Hussain.

    “I’m not going to watch other hackers get arrested for bullshit,” he said. “Terrorists are a different story.”

  9. Tomi Engdahl says:

    Video malvertising campaign lasted 12 hours? Try two months
    Vid crapware issue worse than you thought – researchers
    http://www.theregister.co.uk/2015/11/24/video_malware_advertising/

    A malvertising campaign exploiting online videos to fling poison at netizens actually lasted for two months rather than the 12 hours previously reported, according to new research which suggested the previously unfavoured medium may be ripe for exploitation.

    Contrary to The Media Trust’s report that a video malvertising campaign hit “some of the largest, most heavily trafficked sites for more than 12 hours”, an investigation by malvertising monitors ClarityAd discovered it had actually been ongoing for two months.

    Two security experts who have analysed the vector extensively stated that the duration of the mischief suggested the industry needed to put much more effort into dealing with the new threat of video advertising malware.

    To date malvertising has mostly targeted “display” advertisements, whether they be based on patch-addicted Flash or images with some nasties embedded.

    The use of video advertisements has been a less exploited medium due to the relative security of the video advertising XML compared to the horror of Javascript, and the much higher cost of running a video campaign.

    However video’s XML – VAST (Video Ad Serving Template) proved insufficient for advertisers, who demanded an extension to execute code in advertisements. That led to VPAID (Video Player Ad-Serving Interface Definition), a specification released by the Interactive Advertising Bureau. It was this which made video malvertising campaigns feasible.

    Route of all evil

    Businesses’ vulnerability to protecting their revenue seemingly demands the frequent obfuscation of VPAID Flash files, “maybe in the hope of protecting some trade secret”, suggested the researchers. In doing so they “completely ruined the security model originally thought out with VAST.”

    Subsequently, the advertising ecology from Real Time Bidding (RTB) which has allowed a torrent of poison in display ads, was exported to the video advertising market.

    Programmatic advertisements now account for 39 per cent of that market according to a recent study by eMarketer.

    The result is that: “Publishers now have no idea who serves what ads on their websites, making it virtually impossible to police for compliance and security – unless they rely on dedicated audit and scanning technology.”

  10. Tomi Engdahl says:

    ‘Hypocritical’ Europe is just as bad as the USA for data protection
    Max Schrems’ bomb just keeps going off
    http://www.theregister.co.uk/2015/11/24/europe_usa_data_protection_bad/

    Europe is being hypocritical by derailing the Safe Harbour data protection agreement – because its own protections for citizens against indiscriminate surveillance are worse than the USA’s.

    That’s the view of one expert on international data protection law at a meeting held by European competition group iComp today.

    Dr Ian Walden, Professor of Information and Communications Law at St Mary’s, said that US citizens had greater safeguards against fishing expeditions than European citizens, and European law enforcement opted for blanket surveillance far more readily than US law enforcement.

    “Reading the description of the USA in the Schrems verdict reminded me of UK legal framework. We allow mass and indiscriminate legal surveillance. The ways the law enforcement bodies gain access to our data remain highly secret. And UK law has extra-territorial reach.”

    Asked if Europe was being hypocritical, Walden replied bluntly: “Yes”.

    Austrian Max Schrems put a bomb under US-European trade recently. Data protection is a fundamental right in the EU, quite apart from the right to a private life. In 2000 the superstates allowed companies exporting data to “self certify” that their data flows between the EU and countries provided adequate data protection for European citizens. These are known as “Safe Harbour” agreements.

    It’s left businesses feeling that they are collateral damage in a wider war.

  11. Tomi Engdahl says:

    Second Root Cert-Private Key Pair Found On Dell Computer
    http://it.slashdot.org/story/15/11/24/166234/second-root-cert-private-key-pair-found-on-dell-computer

    A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert.

    Additional Self-Signed Certs, Private Keys Found on Dell Machines
    https://threatpost.com/additional-self-signed-certs-private-keys-found-on-dell-machines/115467/

  12. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Dell does a Superfish, ships PCs with easily cloneable root certificates — Root certificate debacle that hit Lenovo now visits the House of Dell. — In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled …

    Dell does a Superfish, ships PCs with easily cloneable root certificates
    Root certificate debacle that hit Lenovo now visits the House of Dell.
    http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/

    In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected web.

    The self-signed transport layer security credential, which was issued by an entity calling itself eDellRoot, was preinstalled as a root certificate on at least two Dell laptops, one an Inspiron 5000 series notebook and the other an XPS 15 model. Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet. Depending on the browser used, any Dell computer that ships with the root certificate described above will then accept the encrypted Web sessions with no warnings whatsoever. At least some Dell Inspiron desktops, and various Precision M4800 and Latitude models are also reported to be affected.

    The crowdsourced discovery came over the weekend

    Laura P. Thomas / Direct2Dell:
    Dell posts instructions to remove unsafe eDellRoot certificate, will provide software update that removes it automatically today — Response to Concerns Regarding eDellroot Certificate — Today we became aware that a certificate (eDellRoot), installed by our Dell Foundation Services application …

    Response to Concerns Regarding eDellroot Certificate
    http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate

    Reply
  13. Tomi Engdahl says:

    Last year, the Identity Theft Resource Center recorded data breaches at 783 businesses, banks, schools, health care outfits, and government systems. Together they exposed north of 85 million sensitive records, including Social Security numbers, health histories, banking details, and account passwords.

    Source: http://www.slate.com/articles/technology/users/2015/11/sony_employees_on_the_hack_one_year_later.single.html

    Reply
  14. Tomi Engdahl says:

    Cipher Security: How to harden TLS and SSH
    http://www.linuxjournal.com/content/cipher-security-how-harden-tls-and-ssh?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29

    Encryption and secure communications are critical to our life on the Internet. Without the ability to authenticate and preserve secrecy, we cannot engage in commerce, nor can we trust the words of our friends and colleagues.

    It comes as some surprise then that insufficient attention has been paid in recent years to strong encryption, and many of our “secure” protocols have been easily broken. The recent Heartbleed, POODLE, CRIME and BEAST exploits put at risk our trust in our networks and in one another.

    Strong Ciphers in TLS

    The Transport Layer Security (TLS) protocols emerged from the older Secure Sockets Layer (SSL) that originated in the Netscape browser and server software.

    It should come as no surprise that SSL must not be used in any context for secure communications. The last version, SSLv3, was rendered completely insecure by the recent POODLE exploit. No version of SSL is safe for secure communications of any kind—the design of the protocol is fatally flawed, and no implementation of it can be secure.

    TLS version 1.0 is also no longer safe. The immediate preference for secure communication is the modern TLS version 1.2 protocol, which, unfortunately, is not (yet) widely used. Despite the lack of popularity, prefer 1.2 if you value security.

    Yet, even with TLS version 1.2, there still are a number of important weaknesses that must be addressed to meet current best practice as specified in RFC 7525:

    “Implementations MUST NOT negotiate RC4 cipher suites.” The RC4 cipher is enabled by default in many versions of TLS, and it must be disabled explicitly. This specific issue was previously addressed in RFC 7465.

    “Implementations MUST NOT negotiate cipher suites offering less than 112 bits of security, including so-called ‘export-level’ encryption (which provide 40 or 56 bits of security).” In the days of SSL, the US government forced weak ciphers to be used in encryption products sold or given to foreign nationals. These weak “export” ciphers were created to be easily broken (with sufficient resources). They should have been removed long ago, and they recently have been used in new exploits against TLS.

    “Implementations MUST NOT negotiate SSL version 3.” This formalizes our distaste for the entire SSL suite.

    “Implementations SHOULD NOT negotiate TLS version 1.0 (or) 1.1.” Prefer TLS 1.2 whenever possible.

    There are several implementations of the TLS protocols, and three competing libraries are installed on Oracle Linux systems by default: OpenSSL, NSS and GnuTLS. All of these libraries can provide Apache with TLS for HTTPS. It has been asserted that GnuTLS is of low code quality and unsafe for binary data, so exercise special care with this particular library in critical applications. This article focuses only on OpenSSL, as it is the most widely used.

    This configuration focuses upon the Advanced Encryption Standard (AES)—also known as the Rijndael cipher (as named by the cipher’s originators), with 3DES as a fallback for old browsers. Note that 3DES generally is agreed to provide 80 bits of security, and it also is quite slow.

    Strong Ciphers in SSH

    It is now well-known that (some) SSH sessions can be decrypted (potentially in real time) by an adversary with sufficient resources. SSH best practice has changed in the years since the protocols were developed, and what was reasonably secure in the past is now entirely unsafe.

    The first concern for an SSH administrator is to disable protocol 1 as it is thoroughly broken. Despite a stream of vendor updates, older Linux releases maintain this flawed configuration, requiring the system manager to remove it by hand. Do so by ensuring “Protocol 2” appears in your sshd_config, and all reference to “Protocol 2,1” is deleted. Encouragement also is offered to remove it from client SSH applications as well, in case a server is inaccessible or otherwise overlooked.

    For further hardening of Protocol 2 ciphers, I turn to the Stribika SSH Guide.

    Reply
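    To turn the RFC 7525 and sshd_config points quoted above into something checkable, here is an added example (not code from the Linux Journal article or from this blog): a small Python audit of an Apache mod_ssl fragment and an sshd_config, run over a weak and a hardened version of each, both constructed for the example. The protocol and cipher-alias tables assume Apache 2.4 on OpenSSL 1.0.x and are an approximation; `openssl ciphers -v '<string>'` remains the authoritative expansion of a cipher list.

```python
"""Static audit of Apache mod_ssl and sshd_config fragments against the
RFC 7525 points quoted above.  Added example; sample configs are constructed
and the alias tables approximate OpenSSL 1.0.x (verify with `openssl ciphers -v`)."""
import re

# Constructed sample fragments, not taken from any real host.
WEAK_APACHE = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
"""

HARDENED_APACHE = """\
SSLEngine on
# TLS 1.2 only: SSLv3 is broken (POODLE), TLS 1.0/1.1 are SHOULD NOT (RFC 7525)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
# Forward-secret AES-GCM first; 3DES kept only as a fallback for old browsers
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5
"""

WEAK_SSHD = "Protocol 2,1\nCiphers aes128-ctr,arcfour\n"
HARDENED_SSHD = "Protocol 2\nCiphers aes256-ctr,aes192-ctr,aes128-ctr\n"

# What mod_ssl's 'all' expands to on an Apache 2.4 build; a build against an
# OpenSSL that still has SSLv2 needs an explicit '-SSLv2' as well.
ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
PRETTY = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1", "tlsv1.1": "TLSv1.1"}

# Cipher-list aliases that can pull in RC4, export-grade or anonymous suites.
ALIASES_WITH_RC4 = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "MEDIUM", "RC4"}
ALIASES_WITH_EXPORT = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "LOW", "EXP", "EXPORT"}
ALIASES_WITH_ANON = {"ALL", "COMPLEMENTOFDEFAULT", "ANULL", "ADH", "AECDH"}


def _directives(config_text):
    """Map lower-cased directive name -> argument string (last one wins)."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found


def enabled_protocols(sslprotocol):
    """Evaluate an SSLProtocol argument the way mod_ssl does: tokens apply
    left to right, '+' or no prefix adds a version, '-' removes it."""
    enabled = set()
    for tok in sslprotocol.split():
        name = tok.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled


def audit_apache_ssl(config_text):
    """Return a list of human-readable findings; an empty list means clean."""
    d = _directives(config_text)
    findings = []

    enabled = enabled_protocols(d.get("sslprotocol", "all"))
    for p in ("sslv2", "sslv3"):
        if p in enabled:
            findings.append("SSLProtocol enables %s (RFC 7525: MUST NOT)" % PRETTY[p])
    for p in ("tlsv1", "tlsv1.1"):
        if p in enabled:
            findings.append("SSLProtocol enables %s (RFC 7525: SHOULD NOT)" % PRETTY[p])

    tokens = [t.strip() for t in d.get("sslciphersuite", "DEFAULT").split(":") if t.strip()]
    negated = {t[1:].upper() for t in tokens if t[0] in "!-"}    # '!X' and '-X' remove
    positive = [t.upper() for t in tokens if t[0] not in "!-+"]  # '+X' only reorders

    if "RC4" not in negated and any("RC4" in t or t in ALIASES_WITH_RC4 for t in positive):
        findings.append("SSLCipherSuite may negotiate RC4 (RFC 7465: MUST NOT); add !RC4")
    if not negated & {"EXP", "EXPORT"} and any(
            t.startswith("EXP") or t in ALIASES_WITH_EXPORT for t in positive):
        findings.append("SSLCipherSuite may negotiate export-grade suites (<112 bits); add !EXPORT")
    if "ANULL" not in negated and any(t in ALIASES_WITH_ANON for t in positive):
        findings.append("SSLCipherSuite may negotiate unauthenticated (aNULL) suites; add !aNULL")
    if "DES" not in negated and any(
            t == "DES" or re.fullmatch(r"(.+-)?DES-CBC-SHA", t) for t in positive):
        findings.append("SSLCipherSuite includes single DES (56 bits); add !DES")

    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off; the client, not the server, picks the suite")
    return findings


def audit_sshd(config_text):
    """Check an sshd_config (or ssh_config) fragment for protocol 1 and RC4."""
    d = _directives(config_text)
    findings = []
    protocol = d.get("protocol")
    if protocol is None:
        findings.append("no Protocol directive; add 'Protocol 2' explicitly")
    elif "1" in [v.strip() for v in protocol.split(",")]:
        findings.append("'Protocol %s' enables SSH protocol 1; set 'Protocol 2'" % protocol)
    ciphers = [c.strip() for c in d.get("ciphers", "").split(",") if c.strip()]
    weak = [c for c in ciphers if c.startswith("arcfour")]   # arcfour* is RC4
    if weak:
        findings.append("Ciphers enables RC4 (%s); remove it" % ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, fn, cfg in (("weak Apache", audit_apache_ssl, WEAK_APACHE),
                           ("hardened Apache", audit_apache_ssl, HARDENED_APACHE),
                           ("weak sshd", audit_sshd, WEAK_SSHD),
                           ("hardened sshd", audit_sshd, HARDENED_SSHD)):
        print("%s: %s" % (label, fn(cfg) or "clean"))
```

    The audit is deliberately static: it reads the directives as written, so it catches the common mistakes (a bare `SSLProtocol all`, a `MEDIUM` alias that still carries RC4, a lingering `Protocol 2,1`) but it cannot see what the linked OpenSSL build actually exposes, which is why the real cipher list should still be expanded with `openssl ciphers -v` before the change goes live.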
  15. Tomi Engdahl says:

    Pearson Credential Manager System Used By Cisco, IBM, F5 Has Been Breached
    http://it.slashdot.org/story/15/11/24/1412229/pearson-credential-manager-system-used-by-cisco-ibm-f5-has-been-breached

    An anonymous reader writes with a report from Help Net Security that the credential management system used by Pearson VUE (part of education company and publisher Pearson) has been breached “by an unauthorized third party with the help of malware.” Pearson VUE specializes in computer-based assessment testing for regulatory and certification boards

    Credential manager system used by Cisco, IBM, F5 has been breached
    Posted on 24 November 2015.
    http://www.net-security.org/secworld.php?id=19150

    Pearson VUE, a provider of computer-based assessment testing for regulatory and certification boards, has announced that its Credential Manager system (PMC) has been compromised by an unauthorized third party with the help of malware.

    Pearson VUE is part of Pearson, the world’s largest learning company. Over 450 credential owners (including IT organizations such as IBM, Adobe, etc.) across the globe use the company’s solutions to develop, manage, deliver and grow their testing programs.

    “PCM is a credential management system used by a subset of Pearson VUE’s credentialing, certification and licensing customers. Many of these customers refer to the platform by a different name with their candidates/members,” the company explained in a FAQ.

    “If your credentialing, certification or licensing organization has posted information about this or communicated with you about the issue directly, then it’s likely that you use this platform. ”

    The company is still assessing the scope of the breach, and says that they do not think that US Social Security numbers or full payment card information were compromised

    “According to Pearson VUE, an unauthorized party may have improperly gained access to information related to users that could include: names, postal addresses, phone numbers, email addresses, user IDs and, in some cases, last four digits of credit card numbers and dates of birth,”

    Cisco’s Certifications Tracking System has also been affected and it’s down.

    Reply
  16. Tomi Engdahl says:

    FBI has lead in probe of 1.2 billion stolen Web credentials: documents
    http://www.reuters.com/article/2015/11/24/us-usa-cyberattack-russia-idUSKBN0TD2YN20151124?feedType=RSS&feedName=technologyNews#6WIpdjQLweHclGYb.97

    A hacker who once advertised having access to user account information for websites like Facebook (FB.O) and Twitter (TWTR.N) has been linked through a Russian email address to the theft of a record 1.2 billion Internet credentials, the FBI said in court documents.

    That hacker, known as “mr.grey,” was identified based on data from a cybersecurity firm that announced in August 2014 that it had determined an alleged Russian crime ring was responsible for stealing information from more than 420,000 websites, the documents said.

    CyberVor had stolen the 1.2 billion credentials and more than 500 million email addresses.


    Reply
  17. Tomi Engdahl says:

    Hacker predicts AMEX card numbers, bypasses chip and PIN
    Easy algorithm and US$10 bork-box mean fun for fraudsters
    http://www.theregister.co.uk/2015/11/25/kamkar_credit_card/

    Brainiac hacker Samy Kamkar has developed a US$10 gadget that can predict and store hundreds of American Express credit cards and use them for wireless transactions, even at non-wireless payment terminals.

    The mind-blowing feat is the result of Kamkar cracking how the card issuer picks replacement numbers, and in dissecting the functionality of magnetic stripe data.

    It means criminals could use the tiny gadget to keep pillaging cash after cards have been cancelled at businesses that do not require the three- or four-digit CVV numbers on the back of cards.

    American Express has been notified and says it is working on a fix.

    “Magspoof is a device that can spoof any mag stripe or credit card entirely wirelessly, can disable chip and PIN (EMV) protection, switch between different credit cards, and accurately predict the card number and expiration on American Express credit cards,” Kamkar says.

    MagSpoof – “wireless” credit card/magstripe spoofer
    http://samy.pl/magspoof/

    MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work “wirelessly”, even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card.

    Note: MagSpoof does not enable you to use credit cards that you are not legally authorized to use.

    MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a magstripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc.

    Reply
  18. Tomi Engdahl says:

    MPs launch ‘TalkTalk’ inquiry over security of personal data online
    Parliamentary inquiry to gather evidence until 23 November
    http://www.theregister.co.uk/2015/11/04/talktalk_inquiry/

    Executives at TalkTalk, including CEO Dido Harding herself, may face a grilling from Members of Parliament over the shoddy security practices which led to the theft of more than a million Britons’ data from her company.

    This morning the Culture, Media and Sport Committee announced it had “launched an inquiry into cyber-security following the recent attack on TalkTalk’s website.”

    The inquiry will be titled “Cyber security: Protection of personal data online inquiry” and follows confusion at TalkTalk as to how many customers’ details had been lost, and how dangerous such a loss might be to those customers.

    Reply
  19. Tomi Engdahl says:

    Cartoon brings proper tech-talk to telly
    Amazing Gumball character ‘bypassed storage controller, decrypted disks, accessed ESXi server cluster’
    http://www.theregister.co.uk/2015/11/25/cartoon_brings_proper_techtalk_to_telly/

    Technology on the telly is often made-up rubbish: every CCTV camera in the world is online, progress bars never pause, passwords can be brute-forced in moments and mobile phones never drop out unless faults enhance the dramatic effect. The language used to describe it is worse

    kids cartoon The Amazing World Of Gumball offered the following verbiage during a recent episode

    Whatever the reasons, the mere fact that stuff like this makes it into a cartoon means readers can now safely outsource their kids’ technical education to the telly. As is proper.

    Reply
  20. Tomi Engdahl says:

    600,000 Arris Cable Modems Have Double Back Doors
    http://www.dslreports.com/shownews/600000-Arris-Cable-Modems-Have-Double-Back-Doors-135709

    A Brazilian security researcher claims that he has uncovered not one, but two backdoors in some Arris cable modems (TG862A, TG862G, DG860A). According to this blog post by Bernardo Rodrigues, the double backdoor impacts around 600,000 Arris cable modems, in use by some of the world’s largest ISPs including Comcast, Time Warner Cable, Charter and Cox.

    The firmware of these modems shipped with an undocumented “libarris_password.so” library, which acted as a backdoor by allowing privileged account logins with a different custom password for each day of the year.

    This ARRIS password of the day is a remote backdoor known since 2009 and still intact. The default seed is MPSJKMDHAI and many ISPs won’t bother changing it at all, he notes

    In short, Rodrigues notes that there’s multiple backdoors allowing full remote access to ARRIS Cable modems, and an access key that is generated based on the Cable modem’s serial number. He says he was asked by Arris not to disclose the password generating algorithm, but doubts that’s going to do much to deter or slow down would-be attackers.

    “I’m pretty sure bad guys had been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example),”

    ARRIS Cable Modem has a Backdoor in the Backdoor
    https://w00tsec.blogspot.com.au/2015/11/arris-cable-modem-has-backdoor-in.html

    Reply
  21. Tomi Engdahl says:

    UK Mobile Operator Could Block Ads At Network Level
    http://mobile.slashdot.org/story/15/11/24/2110239/uk-mobile-operator-could-block-ads-at-network-level

    UK network operator EE says it is investigating the possibility of blocking adverts at a network level, allowing customers to limit the types and frequency of adverts they see in browsers and applications. The move is likely to concern digital publishers, many of whom rely on advertising revenue to fund their content. Ad blockers have become more popular in recent times, with many users employing them to save battery life, consume less data and protect against malvertising attacks.

    EE proposes restrictions on mobile adverts
    Chief executive Olaf Swantee launches strategic review over measure against ‘intrusive or crass’ ads that ‘can drive people crazy’
    http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/telecoms/12008197/EE-proposes-restrictions-on-mobile-adverts.html

    EE, Britain’s biggest mobile operator, is considering introducing technology that will hand smartphone users the power to control the advertising they see online, in a clampdown that would cause major upheaval in the £2bn mobile advertising market.

    Olaf Swantee, EE’s chief executive, has launched a strategic review that will decide whether the operator should help its 27 million customers to restrict the quantity and type of advertising that reaches their devices, amid concern over increasingly intrusive practices.

    The review will look at options for creating new tools for subscribers that would allow them to block some forms of advertising on the mobile web and potentially within apps, such as banners that pop up on top of pages or videos that play automatically. EE customers could also get the ability to control the overall volume of advertising.

    Reply
  22. Tomi Engdahl says:

    High Level Coding Language Used To Create New POS Malware
    http://yro.slashdot.org/story/15/11/24/1742238/high-level-coding-language-used-to-create-new-pos-malware

    A new malware framework called ModPOS is reported to pose a threat to U.S. retailers, and has some of the highest-quality coding work ever put into an ill-intentioned software of this nature. Security researchers iSight say of the ModPOS platform that it is ‘much more complex than average malware’

    ModPOS retail malware is not the work of script-kiddies
    https://thestack.com/security/2015/11/24/modpos-retail-malware-is-not-the-work-of-script-kiddies/

    Security researchers at iSight have identified a new platform for malware out in the wild, representing an unusually high effort in a sphere dominated by cut-n-paste and minor modifications to existing malware variants.

    The company reports that the framework, entitled ModPOS, is an active threat to U.S. retailers in the imminent high-volume buying season, and that the malware platform is amongst the most sophisticated and high-effort outings for POS cybercriminals to date.

    The company saw evidence of ModPOS as far back as 2012, but spent another three years in studying it whilst warning individual retailers which seemed to have been affected. The platform is thought to be written in a high-level programming language, likely C, and has a modular construction and the capacity to utilise plugins.

    Reply
  23. Tomi Engdahl says:

    High-Security, Open-Source Router is a Hit on Indiegogo (Video)
    http://linux.slashdot.org/story/15/11/24/1940251/high-security-open-source-router-is-a-hit-on-indiegogo-video

    The device is called the Turris Omnia, and its Indiegogo page says it’s a “hi-performance & open-source router.” Their fundraising goal is $100,000. So far, 1,191 backers have pledged $248,446 (as of the moment this was typed), with 49 days left to go. They’ve shipped 2,000 pieces so far but, says interviewee Ondřej Filip, “95% of them are in the Czech Republic.”

    This isn’t the cheapest router (or even server) out there, but a lot of people obviously think a Turris Omnia, with its crypto security, automatic updates, and server functions would be nice to have.

    https://www.turris.cz/en/

    Reply
  24. Tomi Engdahl says:

    Tor Project: Anonymity ain’t free, folks. Pony up
    Privacy network passes around the hat
    http://www.theregister.co.uk/2015/11/25/tor_project_donations/

    The Tor project is asking its supporters to donate money to help the nonprofit continue to operate.

    The project has kicked off a fundraising effort to further expand its online anonymity network and further back educational projects.

    Users can donate one-time cash sums or set up a monthly recurring donation. In addition to Paypal-based online donations, the Tor Project said it will accept money via Dwolla, Bitcoin, and old-fashioned check, cash, money order, and bank transfer.

    https://www.torproject.org/donate/donate.html

    Reply
  25. Tomi Engdahl says:

    Dell computers bundled with backdoor that blurts hardware fingerprint to websites
    How it works
    http://www.theregister.co.uk/2015/11/25/dell_backdoor_part_two/

    Analysis Dell ships Windows computers with software that lets websites slurp up the machine’s exact specifications, warranty status, and other details without the user knowing.

    This information can be used to build a fingerprint that potentially identifies a person while she browses across the web. It can be abused by phishers and scammers, who can quote the information to trick victims into thinking they’re talking to a legit Dell employee. And, well, it’s just plain rude.

    A website created by a bloke called Slipstream – previously in these pages for exposing security holes in UK school IT software – shows exactly how it can work.

    This proof-of-concept code exploits a weakness in the design of Dell’s support software to access the computer’s seven-character service tag – an identifier that Dell’s support website uses to look up information on the machine, including the model number, installed components, and warranty data.

    As documented by Duo Security, Dell Foundation Services starts up a web server on TCP port 7779 that accepts requests for the service tag.

    No authentication required. This serial code can then be fed into Dell’s support site to look up information about the machine.

    The Register has tested the proof-of-concept site and verified that it does indeed pull up the service code on an Inspiron 15 series laptop bought in July. Slipstream also confirmed to The Reg that his script works even when the vulnerable root CA cert is removed by Dell’s prescribed methods.

    Dell was thrust into the spotlight yesterday when researchers first broke word of eDellRoot, a rogue certificate authority quietly installed on Windows machines that can be exploited by man-in-the-middle attackers to decrypt people’s encrypted web traffic.

    Reply
  26. Tomi Engdahl says:

    ModPOS: Black Friday retailers brace for point of sale malware threat
    Threat could lead to big losses at stores
    http://www.theinquirer.net/inquirer/news/2436173/modpos-black-friday-retailers-brace-for-bigtime-point-of-sale-malware-threat

    A SECURITY FIRM CALLED iSIGHTpartners has taken some of the shine off the otherwise civil and polite Black Friday holiday, by reporting on ModPOS, a piece of point-of-sale (PoS) malware that is sophisticated, stealthy and ready to join in with the Mad Max-a-like shopping experience.

    The PoS threat warning comes as people are limbering up to do battle over cheap TVs and sofas, so it could not have come at a worse time for retailers, who no doubt still wince at the thought of what happened to Target and Home Depot when PoS became a pain in their respective assets.

    iSIGHTpartners describes ModPOS as a “highly sophisticated criminal malware framework”, adding that it is hard to spot.

    Reply
  27. Tomi Engdahl says:

    Amazon is suffering a subtle data breach, lest it turn into another TalkTalk
    Quietly and politely change your password please. Thank you. Sssssssh.
    http://www.theinquirer.net/inquirer/news/2436349/amazon-is-suffering-a-subtle-data-breach-lest-it-turn-into-another-talktalk

    AMAZON CUSTOMERS are being advised to change their passwords after a suspected credential leak.

    Selected customers are waking up to emails from the e-tail giant warning that they might want to take steps to reduce the risk of Black Friday-related unsolicited shopping shenanigans.

    No one from Amazon has told the press exactly what is going on at the moment, but the affected users are getting letters stating,

    “[Amazon] recently discovered that your password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party,” the company said in an email to some users. “We have corrected the issue to prevent this exposure.”

    With its busiest period of trading around the corner, Amazon can’t afford to be the next TalkTalk, and is subtly dealing with the issue, which, it assures in the email has now been fixed to avoid a repeat.

    So it’s the usual advice. To be on the safe side, change your password, even if you’ve not had the mail. If you use the same password for other sites, first of all, stop it. Second of all, change those passwords too.

    Reply
  28. Tomi Engdahl says:

    Cyber-terror: How real is the threat? Squirrels are more of a danger
    No, go ahead, let’s spend billions worrying about an iPearl Harbor
    http://www.theregister.co.uk/2015/11/24/cyber_terror/

    The UK Chancellor George Osborne last week announced that the British government plans to double cybersecurity spending and establish a single National Cyber Centre.

    Cybersecurity spending will rise to £1.9bn ($2.87bn) at a time of budget cuts to police and other government departments. More details are expected to come in the Autumn Statement to Parliament on Wednesday.

    Speaking at GCHQ last week, Osborne claimed that the extra spending is justified in large part because cyber-jihadists are trying to take down critical infrastructure – power stations, air traffic control systems and more. Daesh, aka the Islamic State, is plotting deadly attacks on computer systems – and is close to achieving the capability, the Chancellor alleged

    “I have made a provision to almost double our investment to protect Britain from cyber attack and develop our sovereign capabilities in cyberspace, totaling £1.9 billion over five years,” Osborne said.

    “If you add the spending on core cyber security capabilities government protecting our own networks and ensuring safe and secure online services, the government’s total cyber spending will be more than £3.2 billion.”

    Some of the money will go into an Institute of Coding as well as fighting cybercrime. But a major focus of the spending will come in further boosting the capabilities of GCHQ to tackle Daesh killers. Neither Russia nor China (the UK’s most capable cyber-espionage adversaries) merited a mention in the Chancellor’s speech.

    But what are the capabilities of the self-styled Cyber Caliphate? Russia is now the chief suspect in the most serious network assault ever attributed to the Cyber Caliphate group, the hack on French TV station TV5 Monde back in April. Jihadist propaganda was posted on the station’s website by miscreants who claimed they were affiliated with the Islamic State. The TV network was knocked off air for about 18 hours.

    Pretty much everyone took it at face value that the Cyber Caliphate was behind the attack, and it wasn’t until weeks later, once the dust had settled, that experts published evidence that undermined the Daesh-involvement hypothesis and fingered Russians as the likely culprit.

    DDoS, defacement and social media hijacking

    As explained in some depth by security expert Robert Pritchard, cyber-jihadism is likely limited to “website defacements, denial of service attacks or some sort of social media hijacking.” Pritchard published the article months ago but he told us last week that the capabilities of cyber-jihadists hasn’t changed much, in his assessment.

    Hacktivists on the pro-Assad side – most notably the self-styled Syrian Electronic Army – are demonstrably capable when it comes to social media hijacking, which they normally pull off using phishing. Elements of malware slinging are also involved in both sides of the pitiless civil war in Syria.

    But an ability for militias or terrorists to launch infrastructure attacks? Really there’s no evidence for that, at least in the public domain – even though some infosec firms are all too ready to ramp the threat level all the way down to DEFCON-1.

    Anti-malware firm BitDefender last week implausibly warned that an “IS cyber-attack on the UK could cripple all forms of communication and infrastructure.”

    “It is conceivable that although Islamic State might not have the necessary technical skills, it could potentially outsource these types of attacks to parties that do. The black market is riddled with such services, all waiting for the right buyer,”

    Challenged by the Register to justify this warning, Cosoi referred to run-of-the-mill action movie Die Hard 4.0, and denied spreading fear, uncertainty and doubt. Independent experts, such as Steve Lord, are dismissive. “Bitdefender’s assertions are more grounded in Hollywood than reality,”

    Doom, gloom, and profits

    Doomsayers have been speaking about a Cyber Pearl Harbor and latterly a cyber-9/11 for many years, long before the rise of Daesh. Nothing devastating has happened, thankfully, even from nation-state grade attackers, much less terrorists.

    About the worst cyber-attacks ever recorded were wiper malware-style infections within the enterprise PC networks of Saudi Aramco and RasGas in 2012 (chief suspect: Iran) and South Korean banks and broadcasters as part of “Dark Seoul” in 2013 (chief suspect: North Korea) and Sony Pictures last year (North Korea, allegedly, again).

    None of these attacked industrial control systems. The only example of a software nasty deliberately wrecking equipment that we all know about is the infamous Stuxnet worm, which hobbled centrifuges at nuclear facilities in Natanz, Iran. Stuxnet has been widely attributed to a joint US-Israeli operation.

    So, in summary, hackers have never been credited with taking down a power grid.

    Ross Anderson, professor of security engineering at Cambridge University, told El Reg that even though it might now be possible to kill people by hacking – for example, by interfering with medical equipment via poorly secure hospital networks – that does not suit a terrorist’s wider purposes.

    “If you want to inflict terror, then you’d get a lot more impact by just walking through the West End of London and shooting a few people,” he said.

    Reply
  29. Tomi Engdahl says:

    Customers at Sheraton, Westin, other hotels hit by data-stealing hack attack
    http://www.cnet.com/news/customers-at-sheraton-westin-other-hotels-hit-by-data-stealing-hack-attack/

    Starwood Hotels and Resorts, the company behind nearly a dozen hotel brands, says that more than 50 of its locations suffered from a malware attack on point-of-sale systems.

    If you stayed at a Sheraton, Westin or other Starwood hotel in the US or Canada this past year, you’ll want to keep an eye on your credit or debit card account.

    Starwood Hotels and Resorts Worldwide said this week that point-of-sale systems at more than 50 of its hotels had been infected with malicious software. The malware, installed at gift shops, restaurants and other locations, let hackers make off with payment card data, including cardholder name, card number, security code and expiration date.

    The company said in a statement that it has removed the malware and “implemented additional security measures to help prevent this type of crime from reoccurring.”

    Starwood is far from the only business to fall victim to this sort of attack on point-of-sale systems. Last year, home-improvement chain Home Depot said 56 million credit cards had been put at risk by such an attack. Prior to that, at the end of 2013, Target was hit by a similar breach, which the chain estimated could have affected a third of the US population.

    Reply
  30. Tomi Engdahl says:

    Wall Street Journal:
    Profile of Gery Shalon, the man who prosecutors allege masterminded the JP Morgan hack

    Accused Mastermind of J.P. Morgan Hack a Product of Israel’s Internet Underbelly
    Gery Shalon is alleged to have run a ‘criminal conglomerate’ that reaped hundreds of millions of dollars in illegal profit
    http://www.wsj.com/article_email/accused-mastermind-of-j-p-morgan-hack-a-product-of-israels-internet-underbelly-1448101982-lMyQjAxMTA1OTI5MzEyMzM1Wj

    To many in Tel Aviv’s thriving tech community, Gery Shalon appeared to be one of its most prosperous entrepreneurs.

    Mr. Shalon lived in a multimillion-dollar home in the city’s affluent Savyon suburb, was involved in a number of businesses offering Web trading platforms and online gambling, and cut a striking figure as one of the industry’s flashiest dressers, according to property records, former employees and others who know him.

    Now, the 31-year-old sometimes called “Gabi the Georgian” sits in a Haifa, Israel, jail accused of being the mastermind of one of the largest cyberattacks on U.S. corporations in history.

    Mr. Shalon and two others were charged with hacking into the servers of a dozen companies, including J.P. Morgan and Dow Jones & Co., the publisher of The Wall Street Journal, as part of a global operation that allegedly involved illegal Internet casinos, a payment-processing service for criminals and an unlicensed exchange for bitcoin, a digital currency.

    “There’s an unsightly side to Israeli tech,” said Adam Fisher, a partner at Bessemer Venture Partners, a U.S.-based venture-capital firm with offices in Israel. Mr. Fisher said more than a few companies based in Israel operate across borders via the Internet in businesses that could cross legal lines.

    Reply
  31. Tomi Engdahl says:

    Critical Zen Cart Vulnerability Could Spell Black Friday Disaster For Shoppers
    http://it.slashdot.org/story/15/11/25/2243251/critical-zen-cart-vulnerability-could-spell-black-friday-disaster-for-shoppers

    It’s around this time of year, with Black Friday looming and Christmas just around the corner, that online sales boom. Today security firm High-Tech Bridge has issued a warning to retailers and shoppers about a critical vulnerability in the popular Zen Cart shopping management system. High-Tech Bridge has provided Zen Cart with full details of the security flaw which could allow remote attackers to infiltrate web servers and gain access to customer data. Servers running Zen Cart are also at risk of malware

    Reply
  32. Tomi Engdahl says:

    Jordan Novet / VentureBeat:
    Following ISIS crackdown, Telegram adds group admins, supergroups for up to 1K users
    http://venturebeat.com/2015/11/25/following-isis-crackdown-telegram-adds-group-admins-supergroups-for-up-to-1k-users/

    Encrypted messaging app Telegram, which has been in the news lately because of its use within the terrorist group ISIS, today announced a few new features aimed at people who use the app to chat in groups.

    Now it’s possible for certain users to be designated as admins of a given group. Admins can add people to and remove people from the group. They can also change the name and photo of the group, according to a blog post on the updates.

    The other big change is a good indicator of how popular Telegram is becoming: Groups can now contain a maximum of 1,000 members, up from 200 until now, thanks to the launch today of new supergroups. You’re only able to turn an existing group into a supergroup once you’ve reached the 200 mark.

    Reply
  33. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Study of 4000 embedded devices from over 70 vendors shows reused crypto keys leave millions of devices insecure, only 5 vendors known to have fixes on the way

    ‘Worrying’ 9 Per Cent Of Encrypted Web Vulnerable To Private Key Attacks
    http://www.forbes.com/sites/thomasbrewster/2015/11/25/encrypted-routers-cameras-vulnerabilties-cisco-huawei-motorola/

    Getting encryption right can be hard. But even basic mistakes continue to be made, as proven by Austrian researchers who claimed to have uncovered the same vulnerability in nine per cent of all devices running over HTTPS encrypted lines.

    The researchers, from SEC Consult, analyzed the cryptographic keys in the firmware of more than 4,000 connected devices from more than 70 vendors, detailing their efforts in a blog post today. The affected “embedded systems” included internet gateways, routers, modems, IP cameras, network storage devices, mobile and Internet-connected phones, and more.

    They were able to extract more than 580 unique private keys embedded in firmware across devices, a significant number of which were shared across systems. This is problematic as malicious hackers who can get access to those keys, as SEC Consult did, can impersonate any of the affected device servers by creating their own version of the target machine’s encryption certificate and signing it with that key, making it appear like the genuine article to users’ PCs or smartphones.

    Reply
  34. Tomi Engdahl says:

    Vulnerability Note VU#566724
    Embedded devices use non-unique X.509 certificates and SSH host keys
    http://www.kb.cert.org/vuls/id/566724

    Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.

    Description
    CWE-321: Use of Hard-coded Cryptographic Key – Multiple CVEs

    Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository,

    Impact
    A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.

    Reply
  35. Tomi Engdahl says:

    Yet more research, outlined in a paper released this month, showed embedded devices had a horrible security record. A study by French research center Eurecom and Ruhr-University Bochum, Germany, discovered that 185 out of 1925 firmware versions from 54 different vendors contained “important vulnerabilities” and that simple fixes could address the majority of them.

    Automated Dynamic Firmware Analysis at Scale:
    A Case Study on Embedded Web Interfaces
    http://arxiv.org/pdf/1511.03609v1.pdf

    Reply
  36. Tomi Engdahl says:

    Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study
    SSH logins, server-side HTTPS certs baked in firmware
    http://www.theregister.co.uk/2015/11/26/lazy_iot_skeleton_keys/

    It’s what we all assumed, but quietly hoped wasn’t quite this bad.

    Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned.

    In other words, if you can log into one gizmo remotely, you can probably log into thousands upon thousands of others – even devices from a different manufacturer.

    Infosec biz Sec Consult says it studied 4,000 embedded devices from 70 hardware makers, and found that many products are sharing the same hardwired SSH login keys and server-side SSL certificates.

    As a result, potentially millions of gadgets can be logged into by miscreants, or their HTTPS connections silently decrypted by man-in-the-middle attackers, using these keys and certificates once they are extracted from their firmware.

    The problem, says Sec Consult, lies in the way many IoT and networking gear vendors develop and deploy their products. Chipmakers will often provide a software development kit with their silicon for product manufacturers to adapt for their particular applications.

    Unfortunately, hardly anyone changes this source code, not even the security keys or certificates included as examples. What we all end up with is gadgets with logins stashed in flash ROMs, and the keys known to anyone with the ability to extract the data.

    House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide
    http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html

    In the course of an internal research project we have analyzed the firmware images of more than 4000 embedded devices of over 70 vendors. The devices we have looked at include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. We have specifically analyzed cryptographic keys (public keys, private keys, certificates) in firmware images. The most common use of these static keys is:

    SSH Host keys (keys required for operating a SSH server)
    X.509 Certificates used for HTTPS (default server certificate for web based management)

    In total we have found more than 580 unique private keys distributed over all the analysed devices. Correlation via the modulus allows us to find matching certificates.

    We have correlated our data with data from Internet-wide scans (Scans.io and Censys.io) and found that our data set (580 unique keys) contains:

    the private keys for more than 9% of all HTTPS hosts on the web (~150 server certificates, used by 3.2 million hosts)
    the private keys for more than 6% of all SSH hosts on the web (~80 SSH host keys used by 0.9 million hosts)

    So in total at least 230 out of 580 keys are actively used.

    Reply
  37. Tomi Engdahl says:

    Defeating Chip and PIN With Bits of Wire
    http://hackaday.com/2015/11/25/defeating-chip-and-pin-with-bits-of-wire/

    One of many ways that Americans are ridiculed by the rest of the world is that they don’t have chip and PIN on their credit cards yet; US credit card companies have been slow to bring this technology to millions of POS terminals across the country. Making the transition isn’t easy because until the transition is complete, the machines have to accept both magnetic stripes and chip and PIN.

    This device can disable chip and PIN, wirelessly, by forcing the downgrade to magstripe. [Samy Kamkar] created the MagSpoof to explore the binary patterns on the magnetic stripe of his AmEx card, and in the process also created a device that works with drivers licenses, hotel room keys, and parking meters.

    The electronics for the MagSpoof are incredibly simple. Of course a small microcontroller is necessary for this build, and for the MagSpoof, [Samy] used the ATtiny85 for the ‘larger’ version (still less than an inch square). A smaller, credit card-sized version used an ATtiny10. The rest of the schematic is just an H-bridge and a coil of magnet wire – easy enough for anyone with a soldering iron to put together on some perfboard.

    MagSpoof – “wireless” credit card/magstripe spoofer
    http://samy.pl/magspoof/

    Reply
  38. Tomi Engdahl says:

    Why Layered Security Strategies Don’t Work – And What You Can Do About It
    https://webinar.darkreading.com/1446?keycode=DRWE01

    Every year, enterprises spend record levels of money on new IT security technology – yet major breaches and compromises are more prevalent than ever. The concept of “layered security” – in which enterprises support a wide variety of security technologies in order to discourage attackers – doesn’t seem to be working.

    It’s time to rethink IT security – not just the technology, but the way enterprises approach it from a strategic, architectural perspective. There are ways for organizations to build a comprehensive set of defenses – a security architecture – that can not only discourage attackers, but actually prevent them from penetrating your IT environment.

    Reply
  39. Tomi Engdahl says:

    If Opportunity Makes a Thief, What Stops One?
    http://www.securityweek.com/if-opportunity-makes-thief-what-stops-one

    Questions Security Professionals Should Ask When Evaluating Next-Generation Firewalls

    Statesman and philosopher Francis Bacon said, “Opportunity makes a thief.” And never has there been more opportunity for cybercriminals to take what’s not theirs than in today’s digital economy. Yes, digitization and the Internet of Everything is transforming our world and creating new opportunities for businesses and consumers. But these new business models are also creating more opportunities for attackers as modern networks and their components constantly evolve and spawn new attack vectors.

    While adversaries are executing more advanced and damaging attacks, defenders are responding in the classic way with new point solutions. The problem with this piecemeal approach to security is that stopgap solutions create additional gaps in protection that attackers are using to their advantage. For security teams that are resource-constrained, managing all these tools is also becoming unwieldy.

    As cyber attacks become more sophisticated, businesses need an equally sophisticated and intelligent way of protecting against malicious intrusions. Unfortunately, many Next-Generation Firewalls (NGFWs) focus on enabling applications and users and are not sufficiently protecting against threats. Many use traditional intrusion prevention systems that lack the ability to detect emerging attacks or evasive malware that can hide in plain sight. And most NGFWs today can’t help once an infection does occur.

    So how do you make sure you’re selecting an NGFW that reduces opportunities for thieves across the full attack continuum – before, during, and after an attack?

    When evaluating an NGFW you need to ask the following questions:

    1. How can it help me protect against today’s advanced attacks?
    2. Can it help me see what’s happening on my network at all times?
    3. When malware gets into the network can it help me accelerate detection and mitigate risk?
    4. With my limited resources, can it help me save costs and reduce complexity?
    5. Can I take advantage of my existing security investments that are providing valuable data?

    It’s true that opportunity makes a thief. But with an NGFW that offers tightly-integrated, multi-layered threat protection you also have more opportunities to stop a thief – before, during, and after an attack.

    Reply
  40. Tomi Engdahl says:

    Nuclear exploit kit seen chucking CryptoWall 4.0 at late patchers
    First time this one’s been seen in the wild
    http://www.theregister.co.uk/2015/11/26/nuclear_exploit_kit_cryptowall_4/

    The Nuclear exploit kit has been spotted throwing ransomware CryptoWall 4.0 at innocent netizens’ machines, according to security researcher Brad Duncan, who stated it is the first time he’s noticed that particular nasty being distributed by an exploit kit.

    While not as vicious a beast as Angler, the Nuclear kit remains popular with cyber-criminals, and was used earlier this year to mangle Google advertisements.

    Brad Duncan, a security researcher at Rackspace, wrote that although samples of CryptoWall 4.0 have been spotted in the wild since 2 November, they were all “associated with malicious spam. Until now, I haven’t noticed CryptoWall 4.0 from any EKs. And now I’ve only seen it from the BizCN gate actor.”

    Reply
  41. Tomi Engdahl says:

    Superfish 2.0: Second security flaw leaves Dell PC users vulnerable to hackers
    DSDTestProvider certificate is installed via the Dell Support website
    http://www.theinquirer.net/inquirer/news/2436095/dell-is-shipping-laptops-with-a-free-superfish-like-problem

    DELL ISN’T HAVING A GOOD WEEK. A second root certificate has been found on its PCs and laptops, that could leave users’ personal information vulnerable to hackers.

    The second certificate, called DSDTestProvider, is installed by an application called Dell System Detect (DSD), which users are prompted to download and install when they visit the Dell support website.

    Carnegie Mellon University CERT said in an advisory that the flaw allows hackers to create trusted certificates and impersonate sites and launch man-in-the-middle attacks.

    “An attacker can generate certificates signed by the DSDTestProvider CA. Systems that trust the DSDTestProvider CA will trust any certificate issued by the CA,” it said.

    “An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data.”

    Vulnerability Note VU#925497
    Dell System Detect installs root certificate and private key (DSDTestProvider)
    http://www.kb.cert.org/vuls/id/925497

    Reply
  42. Tomi Engdahl says:

    HTTPSohopeless: 26,000 Telstra Cisco boxen open to device hijacking
    Embedded device mayhem as rivals share keys
    http://www.theregister.co.uk/2015/11/27/nine_percent_of_encrypted_traffic_open_to_hijack_from_shared_keys/

    More than 26,000 Cisco devices sold by Australia’s dominant telco Telstra are open to hijacking via hardcoded SSH login keys and SSL certificates.

    The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos.

    Cisco warns that miscreants who get hold of these certificates can decrypt web traffic to a router’s built-in HTTPS web server via man-in-the-middle attacks. The web server is provided so people can configure devices from their browsers. The decrypted traffic will reveal usernames, passwords, and other sensitive information.

    The devices’ firmware also includes hardwired SSH login keys, meaning anyone can gain control of any of the products across the network or internet once the keys are extracted.

    There are no patches or workarounds available for the security blunder, which potentially affects millions of users. One workaround would be to ensure the SSH and HTTPS configuration servers in the routers are firewalled off from harm.

    Reply
  43. Tomi Engdahl says:

    900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys
    http://hardware.slashdot.org/story/15/11/26/1541216/900-embedded-devices-share-hard-coded-certs-ssh-host-keys

    Embedded devices of some 50 manufacturers have been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks.

    More than 900 embedded devices share hard-coded certs, SSH host keys
    http://www.net-security.org/secworld.php?id=19159

    Embedded devices of some 50 manufacturers have been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks.

    Stefan Viehböck, Senior Security Consultant at SEC Consult, has analyzed firmware images of more than 4000 embedded devices of over 70 vendors – firmware of routers, IP cameras, VoIP phones, modems, etc. – and found that, in some cases, there are nearly half a million devices on the web using the same certificate.

    “Another aspect to the whole story is the large number of devices directly accessible on the web,” the company also noted. “Just by looking at the numbers one can deduce that it is highly unlikely that each device is intentionally exposed on the web (remote management via HTTPS/SSH from WAN IP). Enabling remote management exposes an additional attack surface and enables attackers to exploit vulnerabilities in the device firmware as well as weak credentials set by the user.”

    Reply
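    The key-reuse finding quoted in comments 33 through 36 and repeated in comments 42 and 43 above rests on two steps: fingerprinting the host keys pulled out of firmware images, then matching those fingerprints against Internet-wide scan data to see which keys are live. The following Python is an added example (not SEC Consult’s tooling and not code from the page) that does both for OpenSSH-format RSA host keys; every key, vendor name, firmware version and scan record in it is constructed sample data.

```python
"""Flag SSH host keys reused across firmware images and correlate their
fingerprints with Internet-wide scan data, the way the SEC Consult study
describes (shared keys found in firmware, matched against Scans.io/Censys.io).

Added example written for this page; not SEC Consult's tooling and not code
from the original page. Every key, device and scan record below is constructed
sample data, not a real device or host.
"""
import base64
import hashlib
from collections import defaultdict


def _mpint(n: int) -> bytes:
    # SSH mpint (RFC 4251): 4-byte length, big-endian magnitude, leading zero
    # byte added when the top bit is set so the value parses as positive.
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return len(body).to_bytes(4, "big") + body


def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    name = b"ssh-rsa"
    return len(name).to_bytes(4, "big") + name + _mpint(e) + _mpint(n)


def openssh_pubkey_line(e: int, n: int, comment: str = "root@device") -> str:
    """The key as it sits in a firmware's ssh_host_rsa_key.pub."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(e, n)).decode() + " " + comment


def sha256_fingerprint(pubkey_line: str) -> str:
    """Fingerprint as `ssh-keygen -lf` prints it: SHA256:<base64 digest, no '='>."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_reused_keys(inventory):
    """inventory: (vendor, product, firmware_version, pubkey_line) tuples.
    Returns {fingerprint: [(vendor, product, version), ...]} for keys present
    in more than one entry, i.e. candidate SDK or template keys."""
    by_fp = defaultdict(list)
    for vendor, product, version, line in inventory:
        by_fp[sha256_fingerprint(line)].append((vendor, product, version))
    return {fp: devs for fp, devs in by_fp.items() if len(devs) > 1}


def correlate_with_scan(inventory, scan_records):
    """scan_records: (host, fingerprint) pairs as a scan repository lists them.
    Returns {fingerprint: host_count} for firmware keys seen live on the net."""
    firmware_fps = {sha256_fingerprint(line) for *_, line in inventory}
    counts = defaultdict(int)
    for _host, fp in scan_records:
        if fp in firmware_fps:
            counts[fp] += 1
    return dict(counts)


# Constructed sample keys. N_SDK plays the role of an example key shipped in a
# chipset SDK and left unchanged by several product makers; none are real keys.
E = 65537
N_SDK = 0xC0FFEE00_11223344_55667788_99AABBCC_DDEEFF01_02030405
N_TEMPLATE = 0xBADC0DE1_22334455_66778899_AABBCCDD_EEFF0011_22334455
N_UNIQUE = 0x7A5E0001_99887766_55443322_11000000_FFEEDDCC_BBAA9988

INVENTORY = [
    ("VendorA", "router-1000", "1.0", openssh_pubkey_line(E, N_SDK)),
    ("VendorA", "router-1000", "1.1", openssh_pubkey_line(E, N_SDK)),
    ("VendorB", "ipcam-20", "2.3", openssh_pubkey_line(E, N_SDK)),
    ("VendorC", "gateway-x", "4.0", openssh_pubkey_line(E, N_TEMPLATE)),
    ("VendorD", "voip-7", "0.9", openssh_pubkey_line(E, N_TEMPLATE)),
    ("VendorE", "nas-3", "3.1", openssh_pubkey_line(E, N_UNIQUE)),
]

FP_SDK = sha256_fingerprint(openssh_pubkey_line(E, N_SDK))
FP_TEMPLATE = sha256_fingerprint(openssh_pubkey_line(E, N_TEMPLATE))

# Constructed scan records on documentation-range addresses; the last one
# carries a fingerprint that matches nothing in the firmware inventory.
SCAN = [
    ("198.51.100.10", FP_SDK),
    ("198.51.100.11", FP_SDK),
    ("203.0.113.5", FP_SDK),
    ("203.0.113.9", FP_TEMPLATE),
    ("192.0.2.77", "SHA256:notInAnyFirmwareImage0000000000000000000000"),
]

if __name__ == "__main__":
    for fp, devices in find_reused_keys(INVENTORY).items():
        print(fp, "shared by", devices)
    print("live keys and host counts:", correlate_with_scan(INVENTORY, SCAN))
```

    Run against a real inventory, the reused-key map is the list of products whose host keys a single firmware dump compromises, and the scan correlation is the count of reachable hosts presenting those keys. The same two functions apply unchanged to X.509 server certificates once the public key (or the modulus, as SEC Consult correlates it) is fingerprinted instead of the SSH blob.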
  44. Tomi Engdahl says:

    Federal Insecurity
    http://blog.centrify.com/cyber-threats-and-the-federal-government/

    Months after the devastating Office of Personnel Management (OPM) hack came to light — in which 21.5 million personnel records were stolen — the Government Accountability Office (GAO) has issued a report on the extent that US Federal Government is experiencing breaches. The report revealed that the number of security incidents impacting Federal agencies has grown from 5,503 in 2006 to 67,168 in 2014 — a massive 12x increase in 8 years — and that the US government is looking to hire 10,000 cyber professionals in the next year. In this blog post I will go over some of the highlights of the report and some of the short-term fixes being implemented.

    So what are the threats facing the US Government? The Feds list out bot-network operators, criminal groups, hackers and hacktivists, malicious insiders, other nations and terrorists. In other words, not a trivial list of adversaries.

    And what techniques or exploits are the bad guys using? You name it, they are facing it: cross-site scripting, denial of service attacks, malware, phishing, passive wiretapping, spamming, spoofing, SQL injection, war driving and zero-day exploits. Basically everything is being thrown at our government systems.

    The net result is a 1121% increase in 8 years in security incidents that government knows about.

    The GAO has quantified the five challenges that Federal agencies must address:

    limiting, preventing, and detecting inappropriate access to computer resources;
    managing the configuration of software and hardware;
    segregating duties to ensure that a single individual does not have control over all key aspects of a computer-related operation;
    planning for continuity of operations in the event of a disaster or disruption;
    implementing agency-wide security management programs that are critical to identifying control deficiencies, resolving problems, and managing risks on an ongoing basis.

    Reply
  45. Tomi Engdahl says:

    Hacker Uncovers Security Holes at CSL Dualcom
    http://hackaday.com/2015/11/26/hacker-uncovers-security-holes-at-csl-dualcom/

    CSL Dualcom, a popular maker of security systems in England, is disputing claims from [Cybergibbons] that their CS2300-R model is riddled with holes. The particular device in question is a communications link that sits in between an alarm system and their monitoring facility. Its job is to allow the two systems to talk to each other via internet, POTS lines or cell towers. Needless to say, it has some heavy security features built in to prevent tampering. It appears, however, that the security is not very secure. [Cybergibbons] methodically poked and prodded the bits and bytes of the CS2300-R until it gave up its secrets. It turns out that the encryption it uses is just a few baby steps beyond a basic Caesar Cipher.

    CSL Dualcom CS2300-R signalling unit vulnerabilities
    http://cybergibbons.com/security-2/csl-dualcom-cs2300-signalling-unit-vulnerabilities/

    Today, CERT will be disclosing a series of vulnerabilities I have discovered in one particular alarm signalling product made by CSL Dualcom – the CS2300-R. These are:

    CWE-287: Improper Authentication – CVE-2015-7285
    CWE-327: Use of a Broken or Risky Cryptographic Algorithm – CVE-2015-7286
    CWE-255: Credentials Management – CVE-2015-7287
    CWE-912: Hidden Functionality – CVE-2015-7288

    The purpose of this blog post is to act as an intermediate step between the CERT disclosure and my detailed report. This is for people that are interested in some of the detail but don’t want to read a 27-page document.

    First, some context.

    What are these CSL Dualcom CS2300-R devices? Very simply, they are a small box that sits between an intruder alarm and a monitoring centre, providing a communications link. When an alarm goes off, they send a signal to the monitoring centre for action to be taken. They can send this over a mobile network, normal phone lines, or the Internet.

    They protect homes, shops, offices, banks, jewellers, data centres and more. If they don’t work, alarms may not reach the monitoring centre. If their security is poor, thousands of spoofed alarms could be generated. To me, it is clear that the security of these devices must be to a reasonable standard.

    I am firmly of the opinion that the security of the CS2300-R devices is very poor. I would not recommend that new CSL Dualcom signalling devices are installed (regardless of model), and I would advise seeking an alternative provider if any were found on a pen-test. This is irrespective of risk profile of the home or business.

    If you do use any Dualcom signalling devices, I would be asking CSL to provide evidence that their newer units are secure. This would be a pen-test carried out by an independent third-party, not a test house or CSL.

    CSL Dualcom CS2300-R security analysis
    http://cybergibbons.com/wp-content/uploads/2015/11/CSL-Dualcom-CS2300-Security-Analysis-2015-v4.pdf

    Reply
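    The CS2300-R findings above list improper authentication (CWE-287) and a broken cipher (CWE-327), and the author’s concern is that thousands of spoofed alarms could be generated. The following Python is an added example, not CSL Dualcom’s protocol (which the post does not publish) and not code from the page, of how an alarm signalling message can be authenticated with a per-device shared key, HMAC-SHA256 and a monotonic sequence number so that a monitoring centre rejects forged, tampered and replayed reports. The message layout, field names and keys are assumptions made for the illustration.

```python
"""Authenticated alarm signalling: per-device shared secret, HMAC-SHA256 tag and
a monotonic sequence number, so a monitoring centre can reject forged and
replayed alarm reports.

Added example for this page; not CSL Dualcom's protocol and not code from the
original page. Message layout, field names and keys are assumptions.
"""
import hmac
import hashlib
from dataclasses import dataclass, field


def sign_alarm(key: bytes, device_id: str, seq: int, event: str) -> bytes:
    """Build "<device>|<seq>|<event>|<hex tag>". The tag covers everything before it."""
    if "|" in device_id or "|" in event:
        raise ValueError("fields must not contain the '|' separator")
    body = f"{device_id}|{seq}|{event}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


@dataclass
class MonitoringCentre:
    # device_id -> per-device key, provisioned out of band (constructed here);
    # one key per unit, so recovering one device's key does not sign for others.
    keys: dict
    # device_id -> highest sequence number accepted so far (replay window)
    last_seq: dict = field(default_factory=dict)

    def verify(self, wire: bytes):
        """Return (accepted, reason_or_event). Malformed input is rejected, never raised."""
        try:
            body, tag = wire.rsplit(b"|", 1)
            dev_b, seq_b, event_b = body.split(b"|")
            device_id, seq = dev_b.decode(), int(seq_b)
        except ValueError:
            return False, "malformed"
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison; check the tag before trusting any field.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        if seq <= self.last_seq.get(device_id, -1):
            return False, "replay"
        self.last_seq[device_id] = seq
        return True, event_b.decode()


# Constructed demo key; a real deployment generates a random key per device.
KEY_DEV42 = b"constructed-demo-key-not-for-production"


def demo():
    """Exercise the four cases a centre must handle; returns the verdicts."""
    centre = MonitoringCentre(keys={"dev42": KEY_DEV42})
    genuine = sign_alarm(KEY_DEV42, "dev42", 1, "INTRUDER")
    results = {
        "genuine": centre.verify(genuine),
        "replayed": centre.verify(genuine),
        "tampered": centre.verify(genuine.replace(b"INTRUDER", b"ALL_OK")),
        "forged_wrong_key": centre.verify(sign_alarm(b"guess", "dev42", 2, "INTRUDER")),
        "garbage": centre.verify(b"not a message"),
    }
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:17s} -> {verdict}")
```

    The tag gives the centre authenticity and integrity; it does not hide the event contents, so if the report itself is sensitive it needs authenticated encryption on top. The per-device key is the point that ties this back to the hard-coded-key theme earlier in the thread: a single key shared by every shipped unit would let one extracted key sign alarms for all of them.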
  46. Tomi Engdahl says:

    Hungryhouse resets thousands of customers’ passwords
    Good security hygiene after third-party data breach
    http://www.theregister.co.uk/2015/11/27/hungryhouse_password_change/

    Online takeaway service Hungryhouse has reset the passwords of thousands of its customers following an apparent data breach at a third party hosting company.

    Scott Fletcher, chief executive of Hungryhouse, said: “We had no affiliation with the web hosting company that was hit by a data breach. But when our head of security noticed that a number of our customers’ details appeared on the list of emails that had been breached, we took the pre-emptive step of asking them to change their passwords.”

    Reply
  47. Tomi Engdahl says:

    Windows Defender removes potentially dangerous Dell certificate
    http://www.zdnet.com/article/windows-defender-removes-potentially-dangerous-dell-certificate/

    Days after security experts identified a self-signed root certificate that could allow attackers to gain access to some Dell PCs, Microsoft is using its built-in security software to neutralize the threat.

    Reply
  48. Tomi Engdahl says:

    Lenovo patches serious vulnerabilities in PC system update tool
    http://www.csoonline.com/article/3008869/security/lenovo-patches-serious-vulnerabilities-in-pc-system-update-tool.html

    The vulnerabilities could allow attackers with access to limited user accounts to gain administrator privileges

    For the third time in less than six months security issues have forced Lenovo to update one of the tools preloaded on its PCs.

    Last week, the company released version 5.07.0019 of Lenovo System Update, a tool that helps users keep their computers’ drivers and BIOS up to date and which was previously called ThinkVantage System Update. The new version fixes two local privilege escalation vulnerabilities discovered by researchers from security firm IOActive.

    Reply
