Security trends for 2015

Year 2014 is coming to end, so it is time to look forward what to expect from year 2015 in cyber security.

Cyber security will get harder year y year. Year 2014 was much worse than 2013. Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professional. Attacks can happen anywhere and anytime and they don’t have to be major attacks by nation states. They could come from inside or outside.

According to Gartner and Securityweek Total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in the applications in order to embarrass corporations and government agencies, and commit fraud.

Despite the high profile CryptoLocker takedown, ransomware scams remain an all-too-real threat. Crooks are developing more sophisticated encryption schemes to support their fraud.

The steady flow of software security issues will be making headlines also in 2015. Serious security flaws will be found on both open seurce and proprietary software.

There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop the software, retrospectively adding tests, then there will only be a very modest reduction in the flow of problems. Processes exist but have yet to be broadly applied for developing reliable and secure networking software. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?

Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the material published. Not everything has yet been published, so I would expect some new NSA revelations details to be published also in 2015. So I expect some new information leaks on how govermential security organizations spy us all.

It seems like year 2014 has almost been “The Year of PoS Breaches.”  Can We Learn from Big Breaches? At least companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches – companies will also face more stringent regulations: The new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers.  I expect that those new requirements do not result any quick change to the situation. As more and more breach reports have come up constantly, consumers officially are starting to get breach fatigue and banks are bringing breached companies to court to pay for damages caused to them.

Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations.  Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.

Get Ready For The Hack Attack That Drives A Big Company Out Of Business article predicts that 2015 will be the year that some company goes out of business because they didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company to a complete disaster it can’t recover. Sony attack opens new doors of risks in the areas of corporate extortion.

As Internet of Thigs becomes more and more used, it will be more hacked. Thus security of Internet of Things will be more and more talked about. IoT os one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers are in transportation: many new cars are Internet connected and potentially vulnerable, SCADA Systems in Railways Vulnerable to Attack and Airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.

Soon, almost every network will soon have IoT-hacking in it. IDC predicts that in two years from 90 per cent of the global IT networks have met IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risks in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.

Why cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for and far more accessible to these small nation-states than conventional weapons . It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it just provides the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.

It was estimated that first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think that is likely that online murder can happen in 2015. There are tools available for this to happen. Cyber-murder it can happen without us knowing about it.

Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. Sure, there are still relatively easy to publish malicious application stores. Within next year advanced mobile exploit kits will become available.

Mobile devices will start to play part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the profieration of pwned mobiles.

Year 2014 brought encryption to mainstream smart phones (new encryption features from Apple Inc. and Google Inc). In year 2015 government organizations try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight on surveillance as everyone starts to implement encryption.

Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The coming mobile payment revolution, the underlying technologies – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also bea products mrketed to prevent different kind of potential threats the new technologies can cause.

There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need Layered Security – It’s Not Just for Networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.

Threat Information Sharing Will Become Necessary for Survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards and counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. We are in the way of Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly moving in the right direction to enable a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to the success is publishing intelligence in a variety of data structures (STIX, TAXI and other standard industry formats) to best describe threats in a way that can be aggregated and understood by others.

More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.

Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. HTTPS-everywhere will get boost in 2015 as a new certificate authority backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certs at no charge starting summer 2015. This move will make it even more easier for people to run encrypted, secure HTTPS websites.

Google is proposing to warn people their data is at risk every time they visit websites that do not use the “HTTPS” system. If implemented, the change would mean that a warning would pop-up when people visited a site that used only HTTP to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.

You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be more manipulated than before.  End to end HTTPS is generally good security addition to end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’s look what is inside encypted HTTPS packets, so they can’t block potential security treads that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do kind of man-in-the middle attack that decrypts and encryps the packets on the way). So SSL communications can be intercepted and broken.

 

3,110 Comments

  1. Tomi Engdahl says:

    Swedish police are legally allowed to break into your computer

    In Sweden, the government wants to provide for the police to eavesdrop on suspects computers from the beginning of next year.

    Act, the details are yet to be decided, but in practice this means allowing the use of computer hacking and malware official Republic, Tivi Swedish sister magazine Computer Sweden writes.

    Interior Minister Anders Ygeman said in August that the police and security services must remain with technological developments. The court could allow listening to the way the phone bugging the suspect’s Skype contacts.

    Source: http://www.tivi.fi/Kaikki_uutiset/ruotsin-poliisi-saa-laillisesti-murtautua-tietokoneelle-6092335

    More: http://computersweden.idg.se/2.2683/1.643794/polisen-far-hacka-datorer

    Reply
  2. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    Servers of Chinese tech toy maker VTech breached: data of 4.8M parents and 200K kids may have been accessed — One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids — The personal information of almost 5 million parents and more than 200,000 kids was exposed earlier …

    One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids
    http://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids

    The personal information of almost 5 million parents and more than 200,000 kids was exposed earlier this month after a hacker broke into the servers of a Chinese company that sells kids toys and gadgets, Motherboard has learned.

    The hacked data includes names, email addresses, passwords, and home addresses of 4,833,678 parents who have bought products sold by VTech, which has almost $2 billion in revenue. The dump also includes the first names, genders and birthdays of more than 200,000 kids.

    What’s worse, it’s possible to link the children to their parents, exposing the kids’ full identities and where they live, according to an expert who reviewed the breach for Motherboard.

    This is the fourth largest consumer data breach to date, according to the website Have I Been Pwned, the most well known repository of data breaches online, which allows users to check if their emails and passwords have been compromised in any publicly known hack.

    The hacker who claimed responsibility for the breach provided files containing the sensitive data to Motherboard last week. VTech then confirmed the breach in an email on Thursday, days after Motherboard reached out to the company for comment.

    “We were not aware of this unauthorized access until you alerted us.”

    Troy Hunt / Troy Hunt’s Blog:
    Inside VTech hack: poorly encrypted passwords, security Q&As in plain text, kid data matched to parent addresses, no SSL, outdated software on many sites, more — When children are breached – inside the massive VTech hack — I suspect we’re all getting a little bit too conditioned to data breaches lately.

    When children are breached – inside the massive VTech hack
    http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html

    I suspect we’re all getting a little bit too conditioned to data breaches lately. They’re in the mainstream news on what seems like a daily basis to the point where this is the new normal. Certainly the Ashley Madison debacle took that to a whole new level, but when it comes to our identities being leaked all over the place, it’s just another day on the web.

    Unless it’s our children’s identities, that’s a whole new level.

    When it’s hundreds of thousands of children including their names, genders and birthdates, that’s off the charts. When it includes their parents as well – along with their home address – and you can link the two and emphatically say “Here is 9 year old Mary, I know where she lives and I have other personally identifiable information about her parents (including their password and security question)”, I start to run out of superlatives to even describe how bad that is.

    This is the background on how this little device and other online assets created by VTech requested deeply personal info from parents about their families which they then lost in a massive data breach:

    Lorenzo passed on the data and I check it out. I found 4.8 million unique customer email addresses in one of the files and it “smelled” good, that is it didn’t have the typical hallmarks that often accompany a fabricated breach. However it wasn’t quite clear where the data had come from

    I took the email addresses from the alleged VTech breach and found 18 recent HIBP subscribers who had a comprehensive set of data in the dump. I emailed them asking for support, essentially saying that I’d been passed a data breach that included their details and if they were willing to assist, I’d send them some non-sensitive data attributes to verify. This was usually their month of birth, the city they live in and the name of their ISP based on their IP Address. All of these attributes were in the data breach and if the HIBP subscriber could confirm them and acknowledge they had a VTech account, I’d be confident it was legitimate.

    This was more than enough to now have complete confidence in the legitimacy of the data.

    Data breaches like this can be enormously damaging for both the customers and the online business alike but whilst I’m enormously sympathetic to the former, when the latter actively ignores multiple attempts at private disclosure even when they know it relates to a serious security incident, it’s hard to feel too sorry for them.

    But to their credit, VTech did eventually respond to Lorenzo and acknowledged that prior to his contact they were not aware of a data breach but have since identified an incident on November 14.

    Major security failings on VTech’s behalf

    Let me caveat what I’m about to detail by saying that everything I’m about to share is publicly observable when the systems are used in their intended way. This is all discoverable by using their websites precisely as they were intended to be used which on the one hand means that it’s easily obtainable information by anyone yet on the other, means that they could also have readily identified a whole raft of flaws themselves if only they’d looked.

    For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. Those passwords will match many of the parent’s other accounts and they deserve to be properly protected in transit.

    Of course once the passwords hit the database we know they’re protected with nothing more than a straight MD5 hash which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text, but you could almost argue this is ok insofar as it’s not exactly going to open their eBay account or get attackers into their Gmail.

    Lack of cryptographic protection for sensitive data is yet another example of where it’s all gone wrong. Those security question and answer pairs are irrevocable pieces of personal information used to establish identity in all sorts of different places.

    Why they’re returning a SQL statement is absolutely beyond me. Lorenzo was told by the person that provided him with the data that the initial point of compromise was due to a SQL injection attack and even without seeing the behaviour above, I would have agreed that was the most likely attack vector. On seeing the haphazard way that internal database objects and queries are returned to the user, I’ve no doubt in my mind that SQL injection flaws would be rampant.

    The other rampant practice that’s increasingly frowned upon in the security space it the extensive use of Flash. It appears consistently throughout their online assets and whilst it would have made sense many years ago, the continuous stream of security vulnerabilities it’s presented coupled with the lack of mobile support and ready availability of alternative rich UIs via HTML 5 make it an increasingly rare thing to see such a dependency. There’s a sense of “systems from a bygone era” throughout their assets not just with the Flash dependency but things like the site still reporting ASP.NET 2.0 which was superseded almost six years ago now (.NET 3 or 3.5 will still report as 2.0 based on the X-AspNet-Version header) and the extensive use of WCF and SOAP services. That’s not to say all of this is security gone bad, more that you get the distinct sense VTech’s assets were created a long time ago and then just… left there.

    Despite the frequency of these incidents, companies are just not getting the message; taking security seriously is something you need to do before a data breach, not something you say afterwards to placate people.

    All 4.8M parents are now searchable in HIBP. The children aren’t, but I suspect this will be the first of many times their data will be breached, dumped and traded online.

    Reply
  3. Tomi Engdahl says:

    This is a free service that sends you an email if your account pops up in a data breach. To date, there have been 290k people sign up and verify their email address (they need to receive an email at that address and click a unique link). Now I’d always intended for this to be a feature that simply notifies people of breaches as appropriate, but I’ve realised lately is that it also means I have an excellent source of individuals supporting the project who can help me verify future data breaches as well.

    https://haveibeenpwned.com/

    Reply
  4. Tomi Engdahl says:

    Washington Post:
    FCC hires privacy maverick Jonathan Mayer as technical lead for probes into telephone, television, and Internet service providers on consumer protection issues

    With this hire, the FCC could soon get tougher on privacy and security
    https://www.washingtonpost.com/news/the-switch/wp/2015/11/24/with-this-hire-the-fcc-could-soon-get-tougher-on-privacy-and-security/

    The Federal Communications Commission has hired Jonathan Mayer, a rising star in privacy circles, to serve as its technical lead for investigations into telephone, television and Internet service providers.

    He will work primarily on consumer protection issues, especially those having to do with security and privacy, agency spokeswoman Shannon Gilson confirmed.

    Mayer is not your average bureaucrat: He’s a privacy practitioner with a track record of shining light on questionable corporate behavior. And his hiring is a sign that the FCC hopes to bring an increasingly aggressive approach to protecting consumers’ personal data and their privacy to the next level.

    His arrival also comes as the FCC and the Federal Trade Commission, long the government’s de facto online privacy watchdog, are trying to cooperate on handling online privacy and security issues.

    The agencies have traditionally had different roles — with the FCC crafting rules for industry, while the FTC focuses more on law enforcement. But now they have shared territory.

    The relationship between the two agencies grew more complicated this year when the FCC began regulating Internet providers like traditional telephone companies, a decision that opened broadband firms, such as Verizon and Comcast, to potential new privacy obligations.

    Mayer is well known for original research. In 2012, Mayer spotted Google bypassing the privacy settings of Apple’s Safari browser, effectively letting them better track the online activities of millions of people.

    And this January, Mayer revealed that an online advertising company used a unique code — which Verizon Wireless inserts into each customer’s mobile browsing activities — to create undeletable “zombie cookies.”

    But that proactive approach has in some cases prompted probing questions from lawmakers.

    “We are concerned that the [enforcement bureau] is exceeding its authority by undertaking ‘fishing expeditions’ rather than investigating specific violations based upon tangible evidence of misconduct,” a group of GOP senators wrote to the FCC last week.

    Questions of the bureau’s authority, and its limits, will only become more intense as the FCC moves to implement its net neutrality rules.

    Reply
  5. Tomi Engdahl says:

    Martyn Williams / PCWorld:
    Hilton Worldwide identifies and eradicates malware that collected credit card data from point-of-sale systems from late 2014 to mid 2015
    http://www.pcworld.com/article/3008616/security/hilton-says-malware-targeted-its-credit-card-system.html

    Reply
  6. Tomi Engdahl says:

    Hacktivism agains ISIS propaganda:

    Hackers replace dark web Isis propaganda site with advert for Prozac
    http://www.ibtimes.co.uk/hackers-replace-dark-web-isis-propaganda-site-advert-prozac-1530385

    An Islamic State (Isis) propaganda website on the dark web has been taken down by hacktivists and replaced with an advert for a site selling Prozac and a message telling would-be IS supporters to calm down. Ghost Sec, a faction of the hacktivist collective Anonymous (unaffiliated with the counter-terrorism organisation Ghost Security Group), targeted the Isdarat website after it appeared on the Tor anonymity network last week.

    Isis mocked with rubber ducks as internet fights terror with humour
    http://www.theguardian.com/world/2015/nov/28/isis-fighters-rubber-ducks-reddit-4chan

    Members of bulletin board 4chan superimpose duck heads on to images of Isis fighters, setting off craze that has spread to Twitter and Facebook

    If it looks like a duck, swims like a duck and quacks like a duck, could it in fact be an Islamic State militant?

    As world leaders scratch their heads about the best method to defeat the terror of Isis, internet users have come up with their own way to take the sting out of the group’s feathery tail.

    Members of the image-based bulletin board 4chan began superimposing rubber duck heads on to images of Isis fighters, setting off a craze that has spread to Twitter, Facebook and elsewhere.

    “How about castrating the image of Isis by replacing the faces on ALL the propaganda photos with bath ducks?” a 4Chan user wrote on Shit4chanSays (/s4s/) board.

    Reply
  7. Tomi Engdahl says:

    It is now possible to unlock a Windows Lumia Phone for root access
    It is also possible to jump off a cliff
    http://www.theinquirer.net/inquirer/news/2436725/it-is-now-possible-to-unlock-a-windows-lumia-phone-for-root-access

    A TINKERER HAS TAMPERED WITH Windows Phone and come up with a way to break it down to root access and start running homebrew software.

    “I am proud to announce the immediate availability of Windows Phone Internals 1.0. This tool allows you to unlock the bootloader of selected Lumia Windows Phone models. After unlocking the bootloader, you can enable root access on the phone or create and flash custom ROMs,” said somebody called Heathcliff74.

    “Root access allows you to load your own homebrew software onto the phone with high privileges. Apps can escape from their sandboxes. The tool can also create backup images of the phone and access the file system in mass storage mode. The tool supports most versions of Windows Phone 8.1 and Windows 10 Mobile. For a complete list of supported phones and operating systems have a look at the Getting Started section of the tool.”

    Reply
  8. Tomi Engdahl says:

    EU privacy watchdog calls for more ‘processing of personal data’ transparency
    Opt-outs ‘subtly influence the individual to agree’
    http://www.theregister.co.uk/2015/11/30/eu_privacy_watchdog_calls_for_more_processing_of_personal_data_transparency/

    Businesses should provide people with an “opt out” right to object to the processing of their personal data when they make an assessment that consent is not necessary as part of a big data project, an EU privacy watchdog has said.

    European Data Protection Supervisor (EDPS) Giovanni Buttarelli said, though, that “more efforts are needed” by industry to show that opt-out mechanisms are sufficiently “effective and easy to exercise” before they can be “endorsed” for practical use.

    Buttarelli’s comments come in a new opinion the EDPS has issued on meeting the challenges of big data (PDF). They suggest that businesses may have greater leeway in future to rely on the “legitimate interests” ground as an alternative to consent for processing personal data under EU data protection laws when engaging in big data projects.

    “The right to object to processing … can become a powerful tool in the hand of the individuals when it is implemented as an unconditional, ‘no questions-asked’ opt-out,” Buttarelli said.

    Reply
  9. Tomi Engdahl says:

    VPN users menaced by port forwarding blunder
    Torrent users especially exposed by IPSec, PPTP and OpenVPN mess, we’re told
    http://www.theregister.co.uk/2015/11/30/port_fail_vpn/

    Virtual Private Network (VPN) protocols have a design flaw that can be potentially exploited by snoops to identify some users’ real IP addresses.

    VPN provider Perfect Privacy, which discovered the security weakness, has dubbed it “port fail”, and says it affects VPNs based on the IPSec (Internet Protocol security) or PPTP (point-to-point tunnelling protocol) specifications, or using the OpenVPN client software.

    Providers that offer port forwarding services are affected unless they’ve taken specific defensive measures, the company says.

    Major virtual private network providers have been warned about the flaw. Private Internet Access says it has fixed the flaw and paid its rival US$5,000 for the research effort.

    BitTorrent users are under particular threat, Perfect Privacy says, because if they use port forwarding as their default torrent client port, they don’t need to be tricked into visiting an attacker’s web site.

    Reply
  10. Tomi Engdahl says:

    Mobile dating apps spur HIV epidemic among Asia’s teenagers, says UN
    http://www.theguardian.com/society/2015/nov/30/mobile-dating-apps-spurr-hiv-epidemic-among-asias-teenagers-says-un

    Smartphone technology has increased the opportunities for casual sex and led to a spike in HIV infections among teenagers in Asia, researchers find

    United Nations research has found the growing use of mobile dating apps by young gay men is a major factor in a new HIV epidemic among teenagers in Asia, the Guardian can reveal.

    The report uncovered a surge of HIV infections among 10-19 years olds in the Asia-Pacific region, where more than half of the world’s 1.2 billion adolescents live.

    The two-year study found that smartphone dating apps have expanded the options for spontaneous casual sex as never before.

    “Young gay men themselves have consistently told us that they are now using mobile dating apps to meet up for sex, and are having more casual sex with more people as a result. We know that this kind of risky behaviour increases the spread of HIV,” said Wing-Sie Cheng, HIV/Aids adviser for Unicef in east Asia and the Pacific.

    While global HIV infections are falling, the number of adolescents aged 10-19 officially living with HIV in Asia and the Pacific has grown to more than 220,000, with the unofficial number expected to be much higher, Unicef says.

    Whereas internet dating involved a laborious process of arranging a meeting up, dating apps are location-based, allowing users to scan their surroundings for others.

    Reply
  11. Tomi Engdahl says:

    Deutsche Bank tests password-free mobile security
    http://www.cnbc.com/2015/11/22/deutsche-bank-tests-password-free-mobile-security-including-location-facial-recognition.html

    Deutsche Bank is experimenting with new antifraud technology that uses the way you handle and hold your phone to work out if you are really you.

    The bank hopes the system will free customers from passwords and allow it to lift limits on mobile transactions.

    The technology analyses about 50 different factors to build a picture of a user from pressure applied to the pin-pad to how the phone is held, location, facial recognition and thumbprint.

    Some of these are already in use. MasterCard is trialing facial recognition — dubbed “selfie pay” — and voice recognition.

    The boast of Callsign — the company working with Deutsche Bank on the new technology — is that its system brings so many factors together.

    “If I stole your mobile . . . and I got hold of your pin number and biometric (fingerprint) and I was trying to impersonate you in some way, just because I could do that doesn’t mean that I’m you,” said Zia Hayat, chief executive and founder of Callsign.

    “If you’ve broken your right arm and . . . you’re at home and now you’re using your left hand, it will say her location is good, her pin is good, her biometric is good, but she’s now handling it in a different way, so it might say ‘give me a facial recognition’,” he said.

    In tests, Deutsche says no one has managed to achieve a “match” above 15 per cent trying to hack someone else’s account. In most cases, the match was zero.

    The UK’s Royal Bank of Scotland and Spain’s BBVA are among several banks that employ fingerprint recognition on the iPhone 6 to authenticate users. BBVA also uses a digital wallet to send alerts to customers when their card has been used so they will see any suspect purchases immediately.

    Reply
  12. Tomi Engdahl says:

    Swiss police release robot that bought ecstasy online
    http://www.theguardian.com/world/2015/apr/22/swiss-police-release-robot-random-darknet-shopper-ecstasy-deep-web

    The robot – which goes by the name Random Darknet Shopper – was part of an art installation meant to explore the dark web

    If your robot buys ecstasy, are you responsible? That is exactly what Mike Power wondered when he reviewed the Swiss exhibition The Darknet: From Memes to Onionland for the Guardian in December.

    The answer: not if it’s in the name of art, at least according to a police department in St Gallen, Switzerland.

    The police department confirmed on Tuesday it has now released the robot they arrested – er, confiscated – in January after it bought 10 ecstasy pills on the internet as part of an art installation meant to explore the deep web.

    The robot and all of the purchases it made online – including a pair of fake Diesel jeans, a baseball cap with a hidden camera, a stash can, a pair of Nike trainers, 200 Chesterfield cigarettes, a set of fire brigade-issued master keys, a fake Louis Vuitton handbag and a Lord of the Rings e-book collection – were returned to !Mediengruppe Bitnik, the art group that designed the robot, with the exception of the ecstasy pills, which were destroyed by the police.

    The robot, which goes by the name Random Darknet Shopper, is “an automated online shopping bot which we provide with a budget of $100 in Bitcoins per week”

    ‘Random Darknet Shopper’ bot that bought ecstasy online is going on another spending spree
    http://thenextweb.com/insider/2015/11/29/random-darknet-shopper-bot-that-bought-ecstasy-online-is-going-on-another-spending-spree/

    A laptop running a bot that makes automated purchases from the ‘darknet’ has just made its first since being released by the police for buying ecstasy online.

    The laptop/bot combo are part of an art installation looking to explore the deep Web and all its previous purchases – with the exception of the ecstasy – went on display in the exhibition space alongside the computer.

    First time around, the bot was spending its (roughly) $100 of weekly Bitcoins on items from the darknet marketplace Agora. Since that has now closed, the bot is crawling Alpha Bay instead, described as “currently the largest deepweb market place” by the team.

    Pointing the bot at another darknet marketplace means that another package of illegal drugs could potentially turn up at the door.

    Reply
  13. Tomi Engdahl says:

    Italians to spend €150m … snooping on PS4 jabber
    Vulgar, misogynist, violent, barely literate threats? Let’s play Terrorists or Teens!
    http://www.theregister.co.uk/2015/11/30/italy_playstation_4_terrorism/

    Italian counter-terror agents are to monitor Sony’s PlayStation Network for jihadi chatter, according to the nation’s justice minister, following alarmingly silly reports that a PS4 was used to coordinate the terrorist attacks in Paris.

    Andrea Orlando told Italian broadsheet Il Messaggero that the government would be investing €150m (£105m) in a reformation of the nation’s security services, with the aim of allowing them to monitor “any form of communication”, with the PlayStation gaming console receiving specific attention.

    The Italian plans follow an article in Forbes, cited by the Telegraph and the New York Times, which claimed, “An ISIS agent could spell out an attack plan in Super Mario Maker’s coins and share it privately with a friend, or two Call of Duty players could write messages to each other on a wall in a disappearing spray of bullets.”

    That report, in turn, appears to have been prompted by statements made by the Belgian deputy prime minister, Jan Jambon. Jambon complained that Belgian security services and their international partners were unable to decrypt communications made through the PlayStation Network.

    It is not the first time that gaming platforms have come under suspicion from counter-terrorist powers. An NSA briefing note leaked by whistleblower Edward Snowden and titled “Exploiting Terrorist /use of Games & Virtual Environments” showed the spooks had discussed infiltrating the platforms

    Reply
  14. Tomi Engdahl says:

    Just in time for Xmas: Extra stealthy Point of Sale malware
    PoS crooks also ‘support’ newer OSes. How diligent
    http://www.theregister.co.uk/2015/11/30/pro_pos_malware/

    Cybercrooks are selling a new strain of potent Point of Sale malware through underground forums.

    “Pro PoS” weights in at just 76KB and packs mechanisms to frustrate antivirus analysis, as well as root-kit functionality, according to threat intelligence firm InfoArmor.

    Developers of the malware also integrated a polymorphic engine, so that each build has different signatures, for added stealth and as a measure designed to foil security defences.

    InfoArmor warns that the current version of “Pro PoS Solution” is in active use in attacks against retailers and SMBs in the US and Canada specifically. The malware was put together by eastern European coders.

    Black Friday (27 November) brought significant updates, as well as a price increase to $2,600 for a six-month licence.

    Reply
  15. Tomi Engdahl says:

    It’s Getting Harder To Reside Anonymously In a Modern City
    http://yro.slashdot.org/story/15/11/30/1412223/its-getting-harder-to-reside-anonymously-in-a-modern-city

    In a panel on ‘Privacy in the Smart City’ during this month’s Smart City World Congress, Dr. Carmela Troncoso, a researcher from Spain, argued that data anonymization itself is almost impossible without using advanced cryptography. Our every transaction leaves a digital marker that can be mined by anyone with the right tools or enough determination.

    Most modern cities today are full of sensors and connected devices. Some are considering giving away free WiFi in exchange of personal data.

    It’s Not YOUR Data, Didn’t You know?
    http://www.citiesofthefuture.eu/its-not-your-data-didnt-you-know/

    Identity. In the digital age, this is widely characterised by our data. Internet browsing data, consumer data, digitised public service records and biometrics.

    A key thread linking many a Smart City talk today is the optimisation of public services through data technology. This encompasses everything from delivering healthcare to underserved populations to more efficient tax collection to crowdsourcing community solutions through digital engagement platforms. All this is just one facet that adds to our daily accumulation of Big Data, defined by IBM as the information that is “generated by everything around us at all times”.

    On one hand, these records provide the opportunity to analyse human and environmental activity to a degree never before imagined. On the other, this relentless identifiable torrent of individualised information has close to eradicated any hope of anonymity for those in any way connected to the grid.

    As so aptly put by Pakistani Minister (of Information, Technology and Telecommunication), Anusha Rahman Ahmad Khan at the Smart City Congress in Barcelona this month, “the greater our dependence on digital infrastructure, the greater our vulnerability” (as is the case with India’s Aadhaar mass digital identification programme) and the likelihood that this information can be used against us.

    For those with limited access to such swift connections, it’s a trade-off between privacy and entry to the digital Garden of Eden.

    According to a survey recently conducted by UK-based Digital Catapult, 76 percent of British people feel they have “no control over how data is shared or who it is shared with.” This is a figure that deserves some serious attention in the Smart Cities sphere, as we move in leaps and bounds towards total liberation of our personal data, and hand over the keys (knowingly or otherwise) to the analytical nerve centres of corporations plugging these products.

    Troncoso pointed out that, thanks to Big Data, it is now next to impossible to reside anonymously in a modern city. Why? Because data anonymization itself is almost impossible without using advanced cryptography. Our every transaction leaves a digital marker that can be mined by anyone with the right tools or enough determination.

    It is the duty of world leaders to safeguard their citizens’ privacy, just as corporations are answerable to leaks and hacks.

    Reply
  16. Tomi Engdahl says:

    The case for security intelligence services, hosted from the cloud
    http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&htmlfid=WGW03097USEN

    Moving your company’s security intelligence monitoring and management to the cloud can provide access to market leading capabilities and reduce capital expense. This paper outlines the advantages of the IBM security intelligence solution, delivered from the cloud, and monitored by service professionals.

    Reply
  17. Tomi Engdahl says:

    Kids techology company VTech admits to hack and data breach
    Now everybody is thinking of the kids
    http://www.theinquirer.net/inquirer/news/2436980/kids-techology-company-vtech-admits-to-hack-and-data-breach

    KID FRIENDLY TECHNOLOGY COMPANY VTech is entering the holiday season on perhaps one of two naughty lists after admitting that it has been the victim of a security breach that might have exposed some customer data.

    VTech has been open about this, posting about the leak on its official pages. The firm said that the attack happened on its Learning Lodge application store.

    It reckons that the breach happened in the middle of this month and exposed customer data hot off the database.

    “Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products,”

    The information does not extend to credit card details, but does include plenty of identity theft opportunities.

    Security firm Check Point would presumably take bets on future incidents, at least those related to the consumer. It reckons that the information haul, which takes in parents and children, could be used for phishing and other attacks.

    “There’s enough detailed personal information in the stolen records to make those people targets for identity theft and fraud.”

    Reply
  18. Tomi Engdahl says:

    Hackers threaten Greek banks, demand ransom in bitcoins
    http://www.ekathimerini.com/203906/article/ekathimerini/news/hackers-threaten-greek-banks-demand-ransom-in-bitcoins

    Greek authorities have created a special team to protect Greek banks from a team of hackers who have allegedly threatened to bring down the lenders’ electronic systems if they do not pay a ransom.

    Kathimerini understands that the group, called Armada Collective, has threatened a Distributed Denial of Service (DDoS) attack unless they are paid a ransom in bitcoins.

    The hackers caused the online banking systems of three Greek lenders to briefly stop working on Thursday, sources said.

    The group is thought to have targeted other victims, including in Switzerland and Thailand, in recent weeks.

    Reply
  19. Tomi Engdahl says:

    Hackers can hijack Wi-Fi Hello Barbie to spy on your children
    http://www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children

    Security researcher warns hackers could steal personal information and turn the microphone of the doll into a surveillance device

    Mattel’s latest Wi-Fi enabled Barbie doll can easily be hacked to turn it into a surveillance device for spying on children and listening into conversations without the owner’s knowledge.

    The Hello Barbie doll is billed as the world’s first “interactive doll” capable of listening to a child and responding via voice, in a similar way to Apple’s Siri, Google’s Now and Microsoft’s Cortana.

    It connects to the internet via Wi-Fi and has a microphone to record children and send that information off to third-parties for processing before responding with natural language responses.

    But US security researcher Matt Jakubowski discovered that when connected to Wi-Fi the doll was vulnerable to hacking, allowing him easy access to the doll’s system information, account information, stored audio files and direct access to the microphone.

    Jakubowski told NBC: “You can take that information and find out a person’s house or business. It’s just a matter of time until we are able to replace their servers with ours and have her say anything we want.”

    Once Jakubowski took control of where the data was sent the snooping possibilities were apparent. The doll only listens in on a conversation when a button is pressed and the recorded audio is encrypted before being sent over the internet, but once a hacker has control of the doll the privacy features could be overridden.

    It was the ease with which the doll was compromise that was most concerning. The information stored by the doll could allow hackers to take over a home Wi-Fi network and from there gain access to other internet connected devices, steal personal information and cause other problems for the owners, potentially without their knowledge.

    With a Hello Barbie in the hands of a child and carried everywhere they and their parents go, it could be the ultimate in audio surveillance device for miscreant hackers.

    ToyTalk’s chief executive Oren Jacob said: “An enthusiastic researcher has reported finding some device data and called that a hack.”

    Mattel, the manufacturers of Hello Barbie, did not respond to requests for comment.

    New Wi-Fi-Enabled Barbie Can Be Hacked, Researchers Say
    http://www.nbcchicago.com/investigations/WEB-10p-pkg-Surveillance-Toy_Leitner_Chicago-353434911.html#ixzz3szkhUcYi

    The world’s first interactive Barbie doll is raising concerns with privacy and security experts. NBC 5′s Investigative Reporter Tammy Leitner reports.

    Reply
  20. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    VTech hacker says he downloaded 190GB of child and parent photos, and chat logs between parents and children from late 2014 until November 2015 — Hacker Obtained Childrens’ Headshots and Chatlogs From Toymaker VTech — If storing the personal data of almost 5 million parents …

    Hacker Obtained Children’s Headshots and Chatlogs From Toymaker VTech
    http://motherboard.vice.com/read/hacker-obtained-childrens-headshots-and-chatlogs-from-toymaker-vtech

    If storing the personal data of almost 5 million parents and more than 200,000 kids wasn’t bad enough, it turns out that hacked toymaker VTech also left thousands of pictures of parents and kids and a year’s worth of chat logs stored online in a way easily accessible to hackers.

    On Friday, Motherboard revealed that earlier this month a hacker broke into the servers of VTech, a Hong Kong-based company that makes internet-connected gadgets and toys. Inside the servers, the hacker found the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

    While probing VTech servers, the hacker found tens of thousands of pictures of parents and kids. Some are blank, or duplicates, so it’s hard to establish exactly how many are legitimate pictures. But the hacker said he was able to download more than 190GB worth of photos, and considering that there were 2.3 million users registered in the Kid Connect service, it’s likely there were tens of thousands, or more, headshots of parents and kids, according to the hacker.

    ”Frankly, it makes me sick that I was able to get all this stuff,” the hacker told me in an encrypted chat. ”VTech should have the book thrown at them.”

    But it’s not just pictures. The server also contained chat messages exchanged between parents and their children.

    In most, if not all, of these cases, the logs, pictures, and recordings can be traced back to specific usernames, allowing anyone in possession of the hacked data to identify the people chatting as well as those in the pictures.

    The company, in the meantime, has taken down “as a precautionary measure” some of its vulnerable portals, such as the Learning Lodge, as well as a dozen websites, VTech announced in a press release.

    VTech:
    VTech confirms data breach of 5M accounts includes names, email accounts, passwords, IP, address, download history, and kids names, gender and birthdates — Data Breach on VTech Learning Lodge (update) — VTech Holdings Limited noted that an unauthorized party accessed VTech customer data housed …

    Data Breach on VTech Learning Lodge (update)
    http://www.vtech.com/en/press_release/2015/data-breach-on-vtech-learning-lodge-update/

    Reply
  21. Tomi Engdahl says:

    A Dark Web Vendor Is Selling Millions of Hacked Cam Girl Site Tokens
    http://motherboard.vice.com/read/a-dark-web-vendor-is-selling-millions-of-hacked-cam-girl-site-tokens?trk_source=recommended

    MyFreeCams (MFC), one of the most popular cam girl sites on the internet, can’t catch a break at the moment with its security. After Motherboard reported that the site deployed truly terrible password security for both its models and users, we’ve now found out that someone is advertising hacked “tokens” for MFC on the dark web.

    “We are two ex-developers that worked for ActiveSoft and got laid off almost two years ago,” the owner of the site selling the hacked tokens

    The hacker claims that MFC’s owners “used to care for the platform’s security when we were building it, but it came to a point where it didn’t really matter to them.”

    Mfccredithack shared a screenshot with Motherboard that appeared to show access to an “Administrator” account with millions of available tokens.

    An MFC spokesperson told Motherboard that “Websites saying that they are selling tokens are fake and simply phishing.” The spokesperson then linked to two pages on the site’s Wiki that detail scams to steal customers’ usernames and passwords, and also examples of malware that is designed to siphon off users’ info.

    Reply
  22. Tomi Engdahl says:

    Scams and Undercover Cops Are Denting the Dark Web Gun Trade
    http://motherboard.vice.com/read/scams-and-undercover-cops-are-denting-the-dark-web-gun-trade?trk_source=recommended

    With just a couple of clicks and a fistful of bitcoins, it’s trivial to buy an AK-47 or a pistol on the dark web. At least, that’s the idea presented when casually scrolling through the digital shelves of online markets.

    But the reality is that sourcing a weapon from the dark web can actually be fairly difficult—so much so that several markets have stopped stocking weapons altogether.

    One impetus for that is the heavy presence of scammers, who create fake accounts to dupe gullible gun hunters out of their money.

    “I’m just kinda addicted to the scamming part. It’s too easy,” one scammer told Motherboard in an email chat.

    The scammer encourages customers to “finalize early”—that is, send the full fee for the weapon before they receive it—and provides them with a postal tracking code.

    “Then I just send a bag of sugar,” Bartsmit said.

    This type of scam is so widespread that Agora, which was at one point the largest market on the dark web, stopped selling guns altogether.

    Another, possibly more urgent reason Agora stopped offering guns was the high number of undercover agents on the marketplaces who have been fairly successful in arresting both buyers and sellers of weapons.

    “Criminals are realising that they can in fact be tracked and identified by law enforcement”

    Reply
  23. Tomi Engdahl says:

    Twitter’s Pro-ISIS “Hackers” Are Just Good at Using Google
    http://motherboard.vice.com/read/twitters-pro-isis-hackers-are-just-good-at-using-google?trk_source=recommended

    Last week, the UK’s Chancellor of the Exchequer George Osborne laid out plans for more capabilities for law enforcement and intelligence agencies in response to a “cyber threat” from ISIS.

    But it looks like the threats made by some apparent pro-ISIS hackers over social media are overstated.

    Recently, a group that calls itself the “Islamic Cyber Army” has been dumping the supposed personal details of government employees and other data on Twitter. However the majority of the information appears to have been sourced from very simple Google searches.

    This isn’t the first time pro-ISIS hackers have exaggerated their own hacking capabilities. Junaid Hussain, who moved to Syria to join the terrorist organization, published the names and personal information of 100 US military members. He claimed he had obtained these by hacking Pentagon servers, but it seemed more likely that he also just Googled for them.

    Hussain did reportedly have some technical skills, however, with the Wall Street Journal reporting he had developed spyware for ISIS. Hussain was killed in a drone strike in August.

    Large-scale cyberattacks that have been linked to pro-ISIS hackers have also turned out to be misattributed. According to researchers from cybersecurity firm FireEye, a hack on the French television channel TV5Monde that was widely reported as the work of a pro-ISIS outfit was actually that of a group of Russian hackers.

    In all, it’s worth treating the claims of “ISIS hackers” on social media with a heavy dose of scepticism.

    FireEye claims Russian APT28 hacked France’s TV5Monde Channel
    http://securityaffairs.co/wordpress/37710/hacking/apt28-hacked-tv5monde.html

    Reply
  24. Tomi Engdahl says:

    Belgian Physicists Calculate that Everyone Is Lying About the Downed Russian Jet
    http://motherboard.vice.com/read/belgian-physicists-calculate-that-everyone-is-lying-about-the-downed-russian-jet?trk_source=popular

    It’s rare to see physics being used as an effective tool to comment on current events, but astrophysicists Tom van Doorsslaere and Giovanni Lapenta of the Belgian KU Leuven used some simple Newtonian mechanics to show that both the Russian and Turkish accounts of what happened with the downed jet can’t be right.

    Using video of the incident and the maps provided by Turkish and Russian officials, they show in a post on a blog run by KU Leuven that what went down couldn’t possibly have happened as both parties present it.

    Reply
  25. Tomi Engdahl says:

    Jon Russell / TechCrunch:
    BlackBerry Confirms It Will Exit Pakistan After Rejecting Data Monitoring Demands — BlackBerry has confirmed that it is exiting Pakistan entirely in response to the national government’s continued demand to monitor user data on the Canadian company’s service.

    BlackBerry Confirms It Will Exit Pakistan After Rejecting Data Monitoring Demands
    http://techcrunch.com/2015/11/29/blackberry-confirms-it-will-exit-pakistan-after-rejecting-data-monitoring-demands/

    BlackBerry has confirmed that it is exiting Pakistan entirely in response to the national government’s continued demand to monitor user data on the Canadian company’s service.

    Back in July, the Pakistan Telecommunications Authority (PTA) said it would shutter BlackBerry Enterprise Services (known as BES) by December 1 for “security reasons.” The issue was thought to center around BlackBerry’s encryption of emails, BBM messages and other data from its users which prevented authorities from gaining the access to information that they deemed necessary for national security.

    BlackBerry kept silent at the time, but now the phone maker, which recently launched its first Android handset, has confirmed it will leave the country — with a population of 180 million people — after November 30 after it refused to grant Pakistani authorities access to its systems.

    Reply
  26. Tomi Engdahl says:

    Can’t get a break: Pwned Linux ransomware pwned again, infects 3000
    Versions one, two, decrypted days after launch.
    http://www.theregister.co.uk/2015/12/01/cant_get_a_break_pwned_linux_ransomware_pwned_again_infects_3000/

    Pwned ransomware Linux Encoder has infected 3000 machines in a month, Russian security firm Dr Web says, despite the fact both versions of the software have been neutered.

    The first version of the ransomware was decrypted by security boffins at BitDefender days after it was first revealed by Dr Web.

    Linux.Encoder.1 encrypts all files in the home, root, MySQL, Apache, and Nginx directories using 128-bit AES.

    It then encrypts directory contents that include in strings public_html, www, webapp, backup, .git, and .svn.

    WordPress and Magento sites are the main targets. The software had infected 2000 sites by 12 November and surpassed 3000 two weeks later.

    Dr Web reported the second iteration of Linux Encoder on 20 November noting that it was different thanks to its use of another pseudorandom number generator, the use of OpenSSL over PolarSSL, and encryption made using AES-OFB-128 mode with context reinitialisation every 8 AES blocks.

    That too can be unlocked using Dr Web’s online portal.
    https://vms.drweb.com/virus/?i=7736842&lng=en

    System admins should back up to offline media and consider running the low-impact the Cryptowall pre-eemptive defence tool on PCs where critical data resides which prevents the nasty malware from executing.
    http://labs.bitdefender.com/projects/cryptowall-vaccine-2/bitdefender-offers-cryptowall-vaccine/

    Reply
  27. Tomi Engdahl says:

    Take Control of Your PC with UEFI Secure Boot
    http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot

    UEFI (Unified Extensible Firmware Interface) is the open, multi-vendor replacement for the aging BIOS standard, which first appeared in IBM computers in 1976. The UEFI standard is extensive, covering the full boot architecture. This article focuses on a single useful but typically overlooked feature of UEFI: secure boot.

    Often maligned, you’ve probably encountered UEFI secure boot only when you disabled it during initial setup of your computer. Indeed, the introduction of secure boot was mired with controversy over Microsoft being in charge of signing third-party operating system code that would boot under a secure boot environment.

    In this article, we explore the basics of secure boot and how to take control of it. We describe how to install your own keys and sign your own binaries with those keys. We also show how you can build a single standalone GRUB EFI binary, which will protect your system from tampering, such as cold-boot attacks. Finally, we show how full disk encryption can be used to protect the entire hard disk, including the kernel image (which ordinarily needs to be stored unencrypted).

    Reply
  28. Tomi Engdahl says:

    Book Review: Security Operations Center
    http://news.slashdot.org/story/15/11/30/1752215/book-review-security-operations-center?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Getting the raw hardware, software and people to create a SOC is not that difficult. The challenge, and it’s a big challenge, is integrating those 3 components to ensure that a formal SOC can operate effectively.

    In Security Operations Center: Building, Operating, and Maintaining your SOC, authors Joseph Muniz, Gary McIntyre and Nadhem AlFardan have written an indispensable reference on the topic.

    The authors have done a great job in covering every phase and many details required to build out a SOC. After going through the book, some readers will likely reconsider deploying an internal SOC given the difficulties and challenges involved. This is especially true since SOC design and deployment is something not many people have experience with.

    The book is written for an organization that is serious about building an enterprise SOC. The authors spend much of the book focusing on the myriad requirements for creation of a SOC. They constantly reiterate about details that need to be determined before moving forward.

    Chapter 4 on SOC strategy is important as the way in which a firm determines their strategy will affect every aspect of the outcome. The authors wisely note that an inadequate or inaccurate SOC strategy, and the ensuing capabilities assessment exercises would produce a SOC strategy that does not properly address the actual requirements of the organization.

    Ultimately, failing to adequately plan and design is a guarantee for SOC failure. That in turn will affect and impact deployment timelines, budgets and cause frustration, dissatisfaction and friction between the different teams involved in the SOC program.

    Building a SOC is an arduous process which takes a huge amount of planning and of work. This work must be executed by people from different teams and departments, all working together. Based on these challenges, far too many SOC deployments fail.

    Reply
  29. Tomi Engdahl says:

    Sued For Using HTTPS: Companies In Crypto Patent Fight
    http://yro.slashdot.org/story/15/12/01/0335225/sued-for-using-https-companies-in-crypto-patent-fight

    According to an article in The Register, corporations big and small are coming under legal fire from CryptoPeak. The Company holds U.S. Patent 6,202,150, which describes “auto-escrowable and auto-certifiable cryptosystems” and has claimed that the Elliptic Curve Cryptography methods/implementations used as part of the HTTPS protocol violates their intellectual property.

    Sued for using HTTPS: Big brands told to cough up in crypto patent fight
    Sony, Macy’s, GoPro, hotels, insurance giants, anyone with money accused of infringement
    http://www.theregister.co.uk/2015/12/01/cryptopeak_sues_/

    Scores of big brands – from AT&T and Yahoo! to Netflix, GoPro and Macy’s – are being sued because their HTTPS websites allegedly infringe an encryption patent.

    It appears in May this year CryptoPeak Solutions, based in Longview, Texas, got its hands on US Patent 6,202,150, which describes “auto-escrowable and auto-certifiable cryptosystems.”

    CryptoPeak reckons TLS-secured websites that use elliptic curve cryptography are infringing the patent – so it’s suing owners of HTTPS websites that use ECC. Top tip: loads of websites use ECC these days to securely encrypt their traffic.

    Starting in July, CryptoPeak began pursuing companies through the courts in the eastern district of Texas. Just in the past week or so, the patent-holding biz filed infringement claims against AT&T, Priceline, Pinterest, Hyatt Hotels, Best Western, and Experia.

    CryptoPeak has almost 70 cases in play now. It wants damages, royalties, and its legal bills paid.

    “The defendant has committed direct infringement by its actions that comprise using one or more websites that utilize Elliptic Curve Cryptography Cipher Suites for the Transport Layer Security protocol,” CryptoPeak alleged in its lawsuit against Progressive.

    The patent in question was crafted by crypto gurus Dr Adam Young and Dr Marcel “Moti” Yung, and granted in 1997

    But the patent is focused on “a key recovery agent to recover the user’s private key or information encrypted under said user’s corresponding public key” – which is really not the point of ECC. Yet, CryptoPeak seems to think there’s some overlap between today’s ECC implementations and the patent it holds.

    “The defect in these claims is so glaring that CryptoPeak’s only choice is to request that the court overlook the express words of the claims, construe the claims to read out certain language, or even correct the claims,” Netflix’s legal eagles wrote in their filing.

    Reply
  30. Tomi Engdahl says:

    HTTP/2.0 Opens Every New Connection It Makes With the Word ‘PRISM’
    http://yro.slashdot.org/story/15/11/30/2046216/http20-opens-every-new-connection-it-makes-with-the-word-prism

    British programmer and writer John Graham-Cumming has spotted what appears to be a ‘code-protest’ in the next generation of the hypertext protocol. Each new connection forged by the HTTP/2.0 protocol spells out the word ‘PRISM’ obliquely, though the word itself is obscured to the casual observer by coded returns and line-breaks. Work on the hidden message in HTTP/2.0 seems to date back to nine days after the Snowden revelations broke, with the final commit completed by July of 2013.

    The secret message hidden in every HTTP/2 connection
    http://blog.jgc.org/2015/11/the-secret-message-hidden-in-every.html

    Reply
  31. Tomi Engdahl says:

    Interviews: Stack Overflow Co-Founder Jeff Atwood Answers Your Questions
    http://interviews.slashdot.org/story/15/11/30/1736215/interviews-stack-overflow-co-founder-jeff-atwood-answers-your-questions

    If you had a magic wand to make one change in technology right now, what would it be?

    Atwood: Users would not have to generate, remember, enter, or ever think about passwords again. Computers would automatically know who the user is through a combination of ambient biometrics plus physical possession of some kind of device. Like, say, a smartphone.

    Passwords are the enemy. And the users, because we are the idiots put in charge of making up the passwords. But mostly, it’s the *goddamn passwords*.

    Reply
  32. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Court ruling reveals the scope of info FBI collects via NSLs for the first time, confirms it needs no warrant to get browsing, online shopping, location history — FBI’s warrantless national security powers revealed for first time — The FBI can use national security letters (NSLs) …

    Revealed: FBI can demand web history, phone location data without a warrant
    http://www.zdnet.com/article/fbi-can-force-companies-to-turn-over-user-data-without-a-warrant/

    The FBI can use national security letters (NSLs) to force companies to turn over sensitive user data without a warrant, according to filings.

    Nicholas Merrill, founder of internet provider Calyx Internet Access, who brought the 11-year-old case to court after his company was served a national security letter, won the case earlier this year.

    National security letters are almost always bundled with a gag order, preventing Merrill from speaking freely about the letter he received.

    In a statement on Monday, Merrill revealed the FBI has used its authority to force companies and individuals to turn over complete web browsing history; the IP addresses of everyone a person has corresponded with; online purchase information, and also cell-site location information, which he said can be used to turn a person’s phone into a “location tracking device.”

    According to a release, the FBI can also force a company to release postal addresses, email addresses, and “any other information which [is] considered to be an electronic communication transactional record.”

    Federal district judge Victor Marrero described in his decision that the FBI’s position was “extreme and overly broad.”

    He also found that the FBI’s overbroad gag order on Mr. Merrill “implicates serious issues, both with respect to the First Amendment and accountability of the government to the people.”

    The Patriot Act expanded the reach of national security letters when it was signed into law a month after the September 11 attacks in 2001.

    More than ten thousand national security letters are issued by the FBI every year, without a warrant or judicial oversight.

    Reply
  33. Tomi Engdahl says:

    Node.js sysadmins, get ready to patch
    DoS bug fix coming
    http://www.theregister.co.uk/2015/12/01/nodejs_sysadmins_get_ready_to_patch/

    Sysadmins: within around the next 24 to 48 hours, watch out for an upcoming update to node.js to cover off a couple of vulnerabilities.

    The most serious, CVE-2015-8027, is a remotely-exploitable denial-of-service (DoS) bug that the node.js Foundation is keeping embargoed until the patch is issued.

    The DoS bug affects all versions of v0.12.x through to v5.x, but not versions 0.10.x.

    The second, CVE-2015-6764, is an out-of-bounds access vulnerability only affects v4.x and v5.x.

    The node.js Foundation community manager Mikeal Rogers told Infoworld there are so far no exploits for the bugs in the wild.

    Node.js discloses two critical security vulnerabilities
    http://www.infoworld.com/article/3008837/javascript/nodejs-discloses-two-critical-security-vulnerabilities.html

    The Node.js Foundation revealed a denial-of-service and an out-of-bounds access issue and said the fixes will come next week

    Reply
  34. Tomi Engdahl says:

    Uses for Quantum Entanglement with Shanni Prutchi
    http://hackaday.com/2015/11/30/uses-for-quantum-entanglement-with-shanni-prutchi/

    For those of you that weren’t at the Hackaday SuperConference, it started off with a pretty intense talk that could have been tough for anyone to follow. However, [Shanni Prutchi] presented her talk on quantum entanglement of photons in a way that is both approachable, and leaves you with plenty of hints for further study.

    [Shanni Prutchi] is studying Electrical and Computer Engineering at Rowan University and has already been published on the topics of radio astronomy and radiation measurement. But more directly connected to this talk is her co-authorship of the book Exploring Quantum Physics Through Hands-On Projects.

    [Shanni] explains the current methods of identifying two entangled photons. She is not just explaining how one could conduct this experiment, she is explaining how she did conduct this experiment.

    The two particles have properties that are tied to each other in such a way that the quantum state of one particle exhibits an immediate correlation to its entangled particle, even when the particles are separated.

    The first example is a form of quantum teleportation. The sender manipulates one entangled photon while the receiver measures this. The manipulation happens instantaneously despite any physical distance between the two.

    This gives the appearance that the particle has been teleported from one place to another.

    The second application she covers is Quantum Key Distribution. This is a form of Quantum Cryptography where several pairs of entangled photons are used in something of a public/private key pair. The virtue of this system is that it make it possible to immediately detect a man-in-the-middle attack. However, as [Shanni] mentions, there is current research that points to vulnerabilities in this system.

    Reply
  35. Tomi Engdahl says:

    Best Practices for Resilient Inline Security Deployments
    https://webinar.darkreading.com/1261?keycode=DRWE03

    Today’s threat landscape demands the use of a complex array of proactive security systems and monitoring solutions. What are the most common and useful security solutions you should consider – next-gen firewalls, web-application firewalls, intrusion prevention systems?

    Many of these security tools require inline network deployment. But why in the face of almost certain cyber-security breach do organizations avoid deploying these best-practice security tools?

    Learn to deploy your security defenses like firewalls, intrusion prevention systems (IPS) and others using a safe, yet flexible security framework that improves network uptime, speeds network troubleshooting, and eases network and security maintenance for operations personnel.

    Reply
  36. Tomi Engdahl says:

    The Germans take security concerns seriously. In August, at Frankfurt airport arrested 29-year-old man who had destroyed his ID card microchip in a microwave oven, says the Frankfurter Allgemeine.

    Police release, the man was concerned about the privacy policy.

    The ID card is an official document in which destruction or alteration of illegal can get in Germany fines or even imprisonment. Microchips are of spent German ID cards since 2010.

    Some believe that the destruction of the chip ID card is a good way to prevent espionage. This is obviously at least some kind of phenomenon as YouTube can be found in German a video, which a person blow card microwave oven.

    Also in Finland, is in use with a chip, the electronic identity card, or eID card.

    Source: http://www.tivi.fi/Kaikki_uutiset/saksalaiset-paistavat-henkilokorttejaan-mikroaaltouunissa-6092860

    Video:
    Ausweis explodiert in der Mikrowelle
    https://www.youtube.com/watch?v=mQbfuU-6Kmg

    Reply
  37. Tomi Engdahl says:

    Kashmir Hill / Fusion:
    Tor’s chief architect, Nick Mathewson, explains what happened with Carnegie Mellon attack and what Tor has done to fix it

    The attack that broke the Dark Web—and how Tor plans to fix it
    http://fusion.net/story/238742/tor-carnegie-mellon-attack/

    Law enforcement has been complaining for years about the Web “going dark,” saying that encryption and privacy tools are frustrating their ability to track criminals online. But massive FBI operations over the last year that have busted ‘hidden sites’ used for the sale of drugs, hacking tools, and child pornography suggest the digital criminal world has gotten lighter, with law enforcement bragging that criminals can’t “hide in the shadows of the Dark Web anymore.” While mysterious about its tactics, law enforcement indicated that it had found a way to circumvent the tool on which these sites relied, a software called Tor. But criminals are not the only ones who rely on it.

    Tor, or The Onion Router, is a browser that lets people use the Internet without being tracked and access hidden sites, as well as a software project that supports the ‘Dark Web,’ allowing websites (or “hidden services”) to be hosted in such a way that their location is impossible to determine. Last year, Tor suffered a large-scale attack that compromised the anonymity of its users over a period of at least six months. The attack was launched by academic researchers affiliated with Carnegie Mellon University whose motives remain murky because they now refuse to talk about it.

    A review of emails sent on Tor’s public list-serv reveals that Tor saw the attack coming, but failed to stop it. It raises questions about Tor’s ability to maintain the privacy of the 2 million people who use it every day—most of them activists, human rights workers, journalists, and security-minded computer users, not criminals—as well as how far academic researchers and law enforcement should go to undermine the privacy protections people seek online.

    Tor depends on a world-wide network of computers that mask users’ identities by encrypting their activity and bouncing it through a bunch of different stops on the way to its final destination; it’s like 100 people whispering secrets in gibberish to each other during a huge game of Telephone, so that it’s hard for an outsider to tell where a message started or where it ends.

    Mathewson and Tor founder Roger Dingledine, who met at MIT, have spent the last decade building up and maintaining Tor, which was originally a Naval Research Lab project to protect government communications.

    Eighty percent of its $2.5 million budget still comes from governments, including funding from the U.S. Defense Department and the U.S. State Department. For as much as the Dark Web relies on Tor, it’s a rinky-dink operation. There are 22 full- and part-time paid employees dispersed around the world and about 50 volunteers and academics who contribute time and code (just 10 of them solidly dedicated to it currently, said Mathewson)

    Tor depends on academic researchers to identify ways to improve the technology and shore up vulnerabilities, so it regularly sees people running experiments on the network

    Reply
  38. Tomi Engdahl says:

    Nate Anderson / Ars Technica:
    Recent cases show that Dropbox is proactively notifying law enforcement about users who upload child porn

    After Dropbox finds a child porn collector, a chess club stops his knife attack
    “I failed my mission to kill everyone.”
    http://arstechnica.com/tech-policy/2015/11/how-dropbox-found-a-child-porn-collector-and-a-chess-club-stopped-his-rampage/

    Brown had been using Dropbox to store files but had made no serious effort to hide his identity.

    At some point, Brown began to acquire videos of both pubescent and pre-pubescent girls engaged in sex acts, and he uploaded them from IP addresses in the village of Morton, in the nearby town of Pekin, and in Chicago. According to a prosecutor’s affidavit seen by Ars Technica, Dropbox discovered the videos in December 2014.

    Dropbox won’t discuss the specific techniques it uses to identify child pornography, though the company has for some time been the target of speculation that it proactively scans user uploads against a database of known illegal imagery.

    This is not particularly difficult to do. In 2009, Microsoft built a tool called PhotoDNA that automates the scanning and matching process, converting incoming images to grayscale and chopping them up into tiny squares. Each piece of image data then passes through a one-way hashing function which generates a unique number based on the square’s shading pattern. Taken together, these hashes make up the “PhotoDNA signature” of an image; any future picture that generates the same signature is almost certain to be a copy of the original image. Microsoft claims that its multi-hashing system is powerful enough to detect illegal images even after basic tweaks such as re-cropping or watermarking.

    Microsoft donated PhotoDNA to the National Center for Missing and Exploited Children (NCMEC), which maintains a massive database of PhotoDNA signatures for child pornography images.

    PhotoDNA has become the standard solution for automated processing of imagery at Internet scale. But the requirement for local installations meant hardware and IT know-how, preventing PhotoDNA from being more widely used, especially by smaller companies. In July 2015, though, Microsoft moved PhotoDNA into its Azure cloud and offered qualified Internet companies access to the tool via a REST application programming interface. PhotoDNA is free to use—and companies like Facebook, Twitter, and Kik all do—but it has one significant limitation: it does not currently work on videos.

    It also doesn’t work on encrypted files, which might seem to rule out its use by services like Dropbox. After all, Dropbox encrypts user data, bragging on its website about how “we store your file data using 256-bit AES encryption and use an SSL/TLS secure tunnel to transfer files between you and us.” But this only makes content sent to Dropbox secure from outsiders—not from Dropbox itself. The company possesses the crypto keys.

    Dropbox won’t confirm or deny that it uses PhotoDNA.

    “Child exploitation is a horrific crime. Whenever law enforcement agencies, child safety organizations, or private individuals alert us of suspected child exploitation imagery, we act quickly to report it to the National Center for Missing & Exploited Children (NCMEC). NCMEC reviews and refers our reports to the appropriate authorities. We’re deeply supportive of their important work in the fight against the exploitation of children.”

    The statement seems to suggest that Dropbox investigates when contacted by “law enforcement agencies, child safety organizations, or private individuals,”

    Reply
  39. Tomi Engdahl says:

    GCHQ v Privacy International reveals use of bulk hacking warrants
    Just how ‘soft’ is the ‘soft touch’ oversight?
    http://www.theregister.co.uk/2015/12/01/gchq_v_privacy_international_bulk_hacking/

    Documents released by GCHQ to the Investigatory Powers Tribunal suggest the agency may be allowed to hack multiple computers in the UK under single “thematic” or “class” warrants.

    Responding to complaints brought by Privacy International and seven global internet and communication service providers, the British spy agency told the tribunal it was applying for bulk hacking warrants from secretaries of state and then deciding internally whether it was necessary and proportionate to hack the individuals targeted.

    The “soft touch” oversight regime for GCHQ’s offensive hacking activities has been revealed during an IPT hearing, which has received two sets of complaints to hear over the course of this week – one from Privacy International, and one from an international coalition of internet and communications service providers which Privacy International assisted.

    Reply
  40. Tomi Engdahl says:

    US states round on kids company Vtech after 5 million plundered for data
    Firm found lacking data, and elsewhere
    http://www.theinquirer.net/inquirer/news/2436980/kids-techology-company-vtech-admits-to-hack-and-data-breach

    BAD NEWS FOR KIDS, if you have a VTech piece of technology, you might be exposing yourself to the same kind of risks that people who used sites like Ashley Madison are. Well, some of them anyway.

    Yeah, you thought your biggest problem was the running nose you can’t shift, or the football boots you want. Well you were wrong. You may be being lined up to be identity stolen, or snooped on, or trolled. Just like your parents are.

    The hack on your technology provider of choice, the outfit VTech, will have many victims according to reports. According to one, on the Motherboard website there are 4.8 million affected adults and over 200,000 blighted children

    Reuters adds that national District Attorneys in the US – some of whom may even be parents – are concerned about the news coming out about the Chinese company, and are preparing for state action in Connecticut and Illinois. However it is not clear what kind of action that will involve.

    U.S. states probe VTech hack, experts warn of more attacks
    http://uk.reuters.com/article/2015/12/01/us-vtech-cyberattack-idUKKBN0TJ0B620151201

    U.S. states said they will investigate a massive breach at digital toy maker VTech Holdings Ltd as security experts warned that hackers are likely to target similar companies that handle customer data.

    Attorneys general in the U.S. states of Connecticut and Illinois said on Monday that they would probe the breaches

    They said that manufacturers in many industries lack the security experience and expertise that the computer industry has developed over the surge in Internet use over the past two decades.

    “You have all these devices and services that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data,” said Katie Moussouris, chief policy officer with HackerOne, a “bug bountgy” firm that helps businesses work with researchers to find cyber bugs.

    “VTech is a toymaker and I don’t expect them to be security superstars. They are amateurs in the field of security,” said Tod Beardsley, security research manager with Rapid7 Inc.

    Reply
  41. Tomi Engdahl says:

    China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets
    https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

    FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as “admin@338,” may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts

    A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis

    The threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]

    Reply
  42. Tomi Engdahl says:

    Electronic Frontier Foundation:
    Google Deceptively Tracks Students’ Internet Browsing, EFF Says in FTC Complaint
    https://www.eff.org/press/releases/google-deceptively-tracks-students-internet-browsing-eff-says-complaint-federal-trade

    EFF Launches ‘Spying on Students’ Campaign to Raise Awareness About Privacy Risks of School Technology Tools

    Reply
  43. Tomi Engdahl says:

    IRS: We Used Stingray Devices To Track 37 Phones
    http://yro.slashdot.org/story/15/12/02/0127222/irs-we-used-stingray-devices-to-track-37-phones

    IRS: Don’t worry, we’ve only used our stingray to track 37 phones
    Tax agency will soon follow similar warrant policies recently issued by DHS, DOJ.
    http://arstechnica.com/tech-policy/2015/12/irs-dont-worry-weve-only-used-our-stingray-to-track-37-phones/

    Following revised policies from other federal law enforcement agencies, the Internal Revenue Service now says it will require the use of a warrant when deploying a stingray, also known as a cell-site simulator.

    In a new letter to an Oregon senator, IRS Director John Koskinen wrote that the stingray has only been used as part of 11 grand jury investigations to track 37 phones. The IRS stingray has also been used to assist with four other non-IRS investigations both at the federal and the state level. According to the document, the IRS first obtained its stingray in October 2011, and it’s attempting to procure a second.

    Stingrays, also known as cell-site simulators, can be used to determine a phone’s location by spoofing a cell tower, and in some cases they can intercept calls and text messages. Once deployed, the devices intercept data from a target phone as well as information from other phones within the vicinity.

    Reply
  44. Tomi Engdahl says:

    Greek Banks Under Cyberattack, Face Ransom Demands
    http://tech.slashdot.org/story/15/12/01/2236258/greek-banks-under-cyberattack-face-ransom-demands

    Hackers have targeted three Greek banks for a third time in five days, demanding a ransom from each lender of 20,000 bitcoin (€7m), according to Greek police and the country’s central bank. A group calling itself the Armada Collective demanded the bitcoin ransom after staging its first attacks last Thursday, and then threatened a full collapse of the unnamed banks’ websites if they refused to pay up.

    Hackers hit three Greek banks with ransom demands-sources
    http://www.reuters.com/article/2015/11/30/greece-banks-idUSL8N13P5B420151130

    Nov 30 Hackers have staged cyber-attacks on three Greek banks and demanded a ransom in bitcoins, a virtual monetary unit, to stop their disruption, banking sources said on Monday.

    Reply
  45. Tomi Engdahl says:

    Hong Kong hacks hacked in democracy protest yap flap
    Beijing Someone in China casts baited lede hooks into news room feeding frenzy.
    http://www.theregister.co.uk/2015/12/02/hong_kong_hacks_hacked_in_democracy_protest_yap_flap/

    Chinese hackers who previously popped Western financial firms are now using Dropbox to target Hong Kong based journalists, FireEye says.

    The group, suspected to be an outfit known as “admin@338″, is using the cloud service to host command and control for its infection operations.

    Its attacks drop the backdoor payload dubbed Lowball delivered through an old and since-patched Microsoft Office vulnerability (CVE-2012-0158) communicating over secure sockets to Dropbox.

    FireEye researchers say the targeting of Hong Kong scribes is not out of character for the group or hackers based in China.

    “The group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China,” the researchers say .

    “The threat group’s latest activity coincided with the announcement of criminal charges against democracy activists.”

    Reply
  46. Tomi Engdahl says:

    Entropy drought hits Raspberry Pi harvests, weakens SSH security
    Hotfix posted online to shore up Raspbian key generation
    http://www.theregister.co.uk/2015/12/02/raspberry_pi_weak_ssh_keys/

    Raspberry Pis running Raspbian – a flavor of Debian GNU/Linux tuned for the tiny computers – potentially generate weak SSH host keys.

    This gives man-in-the-middle attackers a sporting chance of decrypting people’s secure connections to the devices.

    The November 2015 release of Raspbian does not use a hardware random number generator by default, according to a bug report posted to the Pi forums.

    Crypto keys crafted from these predictable sequences during the machine’s first boot-up can be recreated by eavesdroppers, and used to decrypt intercepted SSH connections to reveal login passwords and snoop on terminals.

    The issue is due to be fixed in the next Raspbian image release, we’re told, and users should ensure they upgrade when that’s available. In the meantime, people worried about the security of their SSH servers should regenerate their host keys after seeding /dev/urandom with the hardware random number generator in the Pi’s system-on-chip processor.

    “This is something that’s easily fixed but then relies on Raspberry Pi users to be aware and update their systems,” said Patrick Hilt, CTO of two-factor authentication biz MIRACL (previously known as CertiVox). “If they don’t, it creates a potential weak spot.”

    Reply
  47. Tomi Engdahl says:

    EFF: Google Chromebooks are slurping student data
    Privacy group is taking this right to the FTC
    http://www.theinquirer.net/inquirer/news/2437415/eff-google-chromebooks-are-slurping-student-data

    CUDDLY INTERNET OUTFIT Google has been accused of using school-friendly Chromebooks to spy on kids, and has been pulled up by the Electronic Frontier Foundation (EFF).

    The EFF is taking these concerns, under its Spying on Students campaign, to the Federal Trade Commission (FTC).

    Communications
    EFF: Google Chromebooks are slurping student data
    Privacy group is taking this right to the FTC
    By Dave Neal
    Wed Dec 02 2015, 12:54
    Kids using technology

    CUDDLY INTERNET OUTFIT Google has been accused of using school-friendly Chromebooks to spy on kids, and has been pulled up by the Electronic Frontier Foundation (EFF).

    The EFF is taking these concerns, under its Spying on Students campaign, to the Federal Trade Commission (FTC). Presumably the privacy group expects to get a warm reception and to send a frosty inspection in the direction of Mountain View.

    The EFF is particularly miffed because Google had promised not to take any liberties with data, and accused the firm of tracking kids and using their data to produce advertising coin.

    “Despite publicly promising not to, Google mines students’ browsing data and other information, and uses it for the company’s own purposes. Making such promises and failing to live up to them is a violation of FTC rules against unfair and deceptive business practices,” said EFF staff attorney Nate Cardozo in a statement.

    “Minors shouldn’t be tracked or used as guinea pigs, with their data treated as a profit centre.”

    Spying on Students: School-issued devices and student privacy
    https://www.eff.org/issues/student-privacy

    Understanding and using technology is fundamental to education in the 21st century. As a result, many school districts around the country are making use of cloud-based educational platforms and assigning laptops and tablets to students.

    Almost one third of all students—elementary through high school—already use school-issued digital devices, and many of these devices present a serious risk to student privacy. They collect far more information on kids than is necessary, store this information indefinitely, and sometimes even upload it to the cloud automatically. In short, they’re spying on students—and school districts, which often provide inadequate privacy policies (or no privacy policy at all), are helping them.

    Reply
  48. Tomi Engdahl says:

    Canonical Patches Two Kernel Vulnerabilities In Ubuntu 14.04
    http://news.slashdot.org/story/15/12/02/025228/canonical-patches-two-kernel-vulnerabilities-in-ubuntu-1404

    Canonical has announced that a new kernel update is now live in the default software repositories for the Ubuntu 14.04 operating system. According to the security notice, two Linux kernel vulnerabilities have been fixed. The first security flaw was discovered in the SCTP (Stream Control Transmission Protocol) implementation

    USN-2823-1: Linux kernel vulnerabilities
    Ubuntu Security Notice USN-2823-1
    http://www.ubuntu.com/usn/usn-2823-1/

    It was discovered that the SCTP protocol implementation in the Linux kernel
    performed an incorrect sequence of protocol-initialization steps. A local
    attacker could use this to cause a denial of service (system crash).
    (CVE-2015-5283)

    update your system

    After a standard system update you need to reboot your computer to make
    all the necessary changes.

    ATTENTION: Due to an unavoidable ABI change the kernel updates have
    been given a new version number, which requires you to recompile and
    reinstall all third party kernel modules you might have installed.

    Reply
  49. Tomi Engdahl says:

    People are selling hacked subscriptions to Netflix, Spotify, HBO, and pretty much everything else, on the dark web
    http://www.techinsider.io/subscriptions-to-netflix-and-hbo-on-the-dark-web-2015-11

    When you think of marketplaces on the so-called “Dark Web,” that place on the internet that you can only access with special browsers that anonymize your IP address, you probably think of sites that sell drugs, weapons, and other illicit products and services.

    But it’s also full of cheap subscriptions to some of the most popular legitimate streaming video and music services, like Netflix, Spotify, and HBO.

    “We found pretty much everything possible available for sale,”

    Indeed, a recent visit to one of these marketplace on the Dark Web by Tech Insider found that he could easily buy lifetime subscriptions to Spotify and Netflix for a fraction of the price of a monthly subscription.

    What’s remarkable about this is that buying legitimate subscriptions to these services is both easy and relatively inexpensive, yet a marketplace still exists for these.

    The Hidden Data Economy
    The Marketplace for Stolen Digital Information
    http://www.mcafee.com/us/resources/reports/rp-hidden-data-economy.pdf

    Reply
  50. Tomi Engdahl says:

    China Blamed For Attack On Australian Bureau of Meteorology
    http://yro.slashdot.org/story/15/12/02/1321250/china-blamed-for-attack-on-australian-bureau-of-meteorology

    officials within the Australian government are blaming China for an attack on computer systems at the Bureau of Meteorology. “The bureau owns one of Australia’s largest supercomputers and provides critical information to a host of agencies. Its systems straddle the nation, including one link into the Department of Defence at Russell Offices in Canberra.” China has denied involvement

    China blamed for ‘massive’ cyber attack on Bureau of Meteorology computer
    http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278

    China is being blamed for a major cyber attack on the computers at the Bureau of Meteorology, which has compromised sensitive systems across the Federal Government.

    Multiple official sources have confirmed the recent attack, and the ABC has been told it will cost millions of dollars to plug the security breach, as other agencies have also been affected.

    The bureau owns one of Australia’s largest supercomputers and provides critical information to a host of agencies.

    Cyber attacks on government agencies are routine and the “adversaries” range from thrill-seeking hackers, through to criminals and foreign states.

    But the ABC has been told this is a “massive” breach and one official said there was little doubt where it came from.

    “It’s China,” he said.

    But, China has denied any involvement in the attack.

    ‘Range of adversaries’ motivated to target networks

    A spokesman for Prime Minister Malcolm Turnbull said a range of adversaries, including “state-sponsored actors and serious organised criminals”, were motivated to attack government networks.

    “The Government’s aware of a press report that the Bureau has been the subject of a cyber attack,” the spokesperson said in a statement, adding the Government would not comment on specific cases.

    “The Government takes any cyber attacks seriously and is currently reviewing its cyber security policy.”

    Cyber attacks traced to Chinese army building in Shanghai

    Australia has been recruiting cyber warriors, with the Australian Signals Directorate hiring IT professionals who can put themselves “in the shoes of the hacker”.

    The most detailed publicly available study of China’s capabilities was published by American computer security firm Mandiant in 2013.

    The Centre said it “sees daily cyber espionage activity targeting Australian Government networks”.

    “Cyber adversaries will target the weakest link; if the network security of their primary target is robust, they will move to secondary targeting of other networks that may hold the same information but are easier to compromise.

    “A cyber adversary is an individual or organisation (including an agency of a nation state) that conducts cyber espionage, crime or attack.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*