Year 2014 is coming to an end, so it is time to look forward to what to expect from year 2015 in cyber security.
Cyber security will get harder year by year. Year 2014 was much worse than 2013. The Heartbleed, Bash, and POODLE vulnerabilities were just the beginning of what to expect in 2015. I expect that year 2014 was easy compared to what year 2015 will be. 2015 will prove to be a challenging year for IT security professionals. Attacks can happen anywhere and anytime, and they don’t have to be major attacks by nation states. They could come from inside or outside.
According to Gartner and SecurityWeek, total information security spending will grow a further 8.2 percent in 2015 to reach $76.9 billion. Unfortunately, security investments are not keeping up with IT enhancements that are continuously widening our attack surface and making systems more vulnerable. As computer software has become the backbone of modern civilization, “hacktivists”, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to embarrass corporations and government agencies, and to commit fraud.
The steady flow of software security issues will keep making headlines in 2015. Serious security flaws will be found in both open source and proprietary software.
There are many people looking for a good process to develop secure software, because after-the-fact band-aiding is not a sustainable approach. If the same methods continue to be used to develop software, with tests added retrospectively, then there will only be a very modest reduction in the flow of problems. Processes for developing reliable and secure networking software exist, but they have yet to be broadly applied. Traditional methods used to develop software continue to result in high failure rates. Why create insecure security?
Year 2014 was a year of cybersecurity after the NSA revelations made in 2013. There were lots of articles related to the published material. Not everything has been published yet, so I expect some new details from the NSA revelations to be published in 2015 as well. So I expect some new information leaks on how governmental security organizations spy on us all.
It seems like year 2014 has almost been “The Year of PoS Breaches.” Can we learn from big breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches. I expect that those new requirements will not result in any quick change to the situation. As more and more breach reports have come up constantly, consumers are officially starting to get breach fatigue, and banks are bringing breached companies to court to pay for the damages caused to them.
Public and private organizations are facing an increasing frequency and sophistication of cyber-attacks and security breaches – many of which are only discovered after the fact. McAfee Labs’ 2015 Threats Predictions report is an eye-opening read which forecasts increased levels of crime, espionage and warfare operations. Cybercriminals are expected to use more sophisticated methods to remain hidden on a victim’s network, carrying out long-term theft of data without detection.
The article Get Ready For The Hack Attack That Drives A Big Company Out Of Business predicts that 2015 will be the year that some company goes out of business because it didn’t plan adequately for an attack. In the past, the most sophisticated hacks against companies were carried out by big nation-states or criminal organizations. In year 2014 the Sony Pictures hack happened and showed that the motives of sophisticated hackers have changed from self-gain to destruction. Many company officers are only now becoming aware of the threat (boards of directors and C-level officers have traditionally been focused on other threats). A computerized attack can cause a lot of damage to a well prepared company, and can turn a not so well prepared company into a complete disaster it can’t recover from. The Sony attack opens new doors of risk in the area of corporate extortion.
As the Internet of Things becomes more and more used, it will be hacked more. Thus the security of the Internet of Things will be talked about more and more. IoT is one field where cyber security flaws can kill. The European Police Office (Europol) said governments are ill-equipped to counter the menace of “injury and possible deaths” spurred by hacking attacks on critical safety equipment. There are many potential dangers in transportation: many new cars are Internet connected and potentially vulnerable, SCADA systems in railways are vulnerable to attack, and airline bosses ignore cyber security concerns at their peril. Whether it is an unintentional cyber incident or a deliberate attack, security continues to be a vital part of the automation industry, and it will remain, with safety, a growing area of concern for manufacturers in the coming years. Security awareness is on the rise throughout the industry. Security is becoming a business enabler that can provide manufacturers more than just an insurance policy.
Soon, almost every network will have IoT hacking in it. IDC predicts that within two years 90 per cent of global IT networks will have experienced IoT data theft. In a report, cybersecurity firm Fortinet expects greater threats from “denial of service attacks on assembly line, factory, industrial control systems, and healthcare and building management…resulting in revenue losses and reputation damages for organizations globally.” This opens new doors of risk in the areas of corporate extortion, altering of corporate business operations, and the extension of cyberattacks to include physical threats of harm to civilians.
Cyber warfare is becoming more and more attractive to small nations and terrorist groups. Enabled by Internet connectivity, cyber war provides more bang for the buck than investment in conventional weapons. It is cheaper for, and far more accessible to, these small nation-states than conventional weapons. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are caught. There are many reasons why a nation-state or non-nation entity would pursue a cyber war program, and today many countries large and small invest in cyber warfare. Recent cyber attacks suggest that fewer resources are required to wage an attack than to defend against one. As the whole world gets connected, it provides just the details that make these attacks possible. In the not-too-distant future, warfare with traditional weaponry may take a backseat to potentially more destructive tactics: computer code attacking the companies and infrastructures, including electric grids and oil and gas pipelines, that society relies on.
It was estimated that the first online murder would happen in 2014. It did not seem to happen in 2014 as far as I know. I think it is likely that an online murder can happen in 2015. There are tools available for this to happen. A cyber-murder can happen without us knowing about it.
Mobile devices will be one of the focal points for cyber-attackers in 2015, as they present relatively easy, low-risk points of entry that can be monitored remotely for passwords, account numbers, and personal identification data. It is still relatively easy to get malicious applications published in application stores. Within the next year advanced mobile exploit kits will become available.
Mobile devices will start to play a part in denial of service attacks. Vietnam, India and Indonesia will be the distributed denial of service volcanoes of next year due to the proliferation of pwned mobiles.
Year 2014 brought encryption to mainstream smartphones (new encryption features from Apple Inc. and Google Inc.). In year 2015 government organizations will try to tackle a very modern problem: password-protected encrypted cellphones. It will be a fight over surveillance as everyone starts to implement encryption.
Long predicted but always seeming to be “just around the corner,” mobile payments may finally have arrived. The underlying technologies of the coming mobile payment revolution – and alternative solutions – have been emerging for some time. Technologies playing a supporting role in this shift include encryption advances, digital currencies, biometrics, NFC, Bluetooth, QR codes, and even the use of sound wave data transfer. There will also be products marketed to prevent the different kinds of potential threats the new technologies can cause.
There is a never-ending battle between good and evil in the cyber world. Various types of attacks are successful because they are well-disguised, blend different techniques, and constantly evolve. You need layered security – it’s not just for networks. Use a layered security architecture that supports a combination of defenses in ways attackers don’t expect and that continuously evolves protections to keep up with dynamic attacks. Traditionally these approaches have been focused on the network, but they can and should be applied to other parts of the IT system as well (start from email gateways). Email is the preferred channel for business communications and thus continues to be a vector of choice for attackers.
Threat information sharing will become necessary for survival. Security controls (SANS critical controls, ISO/IEC 27002, NIST Cybersecurity Framework, and the Cloud Controls Matrix) are safeguards that counteract or minimize security risks relating to digital property. The more you can automate a control, the better off you will be. Moving towards an adaptive and automated way of applying intelligence based on behavior and heuristics is clearly a step in the right direction, enabling a more actionable and relevant set of controls. Threat intelligence coming from a variety of sources (security companies, the government and the open source community) is needed. Key to success is publishing intelligence in a variety of data structures (STIX, TAXII and other standard industry formats) to describe threats in a way that can be aggregated and understood by others.
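To make the "automate the control" point concrete, here is an added example (not code from the original post) of the smallest useful consumer of shared threat intelligence: it loads an indicator feed, ages out expired entries, and matches the remaining indicators against proxy log lines. The feed format is a constructed, STIX-like simplification (type, value, confidence, expiry, source), not the real STIX or TAXII schema, and the log lines and indicator values are made up.

```python
"""Match a simplified threat-intelligence feed against proxy log lines.

Added example, not code from the original post. The feed below is a
constructed, STIX-like simplification (type / value / confidence / expiry),
not the real STIX or TAXII schema, and the log lines are made up.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed indicator feed: the minimum an automated control needs is the
# indicator type, its value, a confidence and an expiry so stale entries age out.
FEED_JSON = """
[
  {"type": "ipv4-cidr", "value": "203.0.113.0/24", "confidence": 80,
   "valid_until": "2030-01-01T00:00:00Z", "source": "vendor-a"},
  {"type": "domain", "value": "bad-example.test", "confidence": 90,
   "valid_until": "2030-01-01T00:00:00Z", "source": "community-share"},
  {"type": "domain", "value": "expired-indicator.test", "confidence": 95,
   "valid_until": "2014-01-01T00:00:00Z", "source": "vendor-b"}
]
"""

# Constructed proxy log lines: time, client IP, method, destination host, destination IP.
LOG_LINES = [
    "2015-01-05T10:00:01Z 10.1.2.3 GET cdn.bad-example.test 203.0.113.45",
    "2015-01-05T10:00:02Z 10.1.2.4 GET www.example.org 198.51.100.7",
    "2015-01-05T10:00:03Z 10.1.2.5 GET expired-indicator.test 198.51.100.9",
    "2015-01-05T10:00:04Z 10.1.2.6 GET notbad-example.test 198.51.100.10",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
NOW = datetime(2015, 1, 5, tzinfo=timezone.utc)  # evaluation time for expiry checks


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(feed_json, now=NOW):
    """Parse the feed, pre-compile network values and drop expired indicators."""
    active = []
    for ind in json.loads(feed_json):
        if parse_time(ind["valid_until"]) <= now:
            continue  # stale intelligence produces false positives; age it out
        if ind["type"] == "ipv4-cidr":
            ind = dict(ind, network=ipaddress.ip_network(ind["value"]))
        else:
            ind = dict(ind, value=ind["value"].lower().rstrip("."))
        active.append(ind)
    return active


def domain_matches(host, indicator_domain):
    """True for the domain itself and its subdomains, never for a longer
    name that merely ends with the same characters (notbad-example.test)."""
    host = host.lower().rstrip(".")
    return host == indicator_domain or host.endswith("." + indicator_domain)


def match_logs(log_lines, indicators):
    """Return (line_index, indicator_type, indicator_value) for every hit."""
    hits = []
    for idx, line in enumerate(log_lines):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        _, _, _, host, dst_ip = m.groups()
        for ind in indicators:
            if ind["type"] == "ipv4-cidr":
                if ipaddress.ip_address(dst_ip) in ind["network"]:
                    hits.append((idx, ind["type"], ind["value"]))
            elif ind["type"] == "domain" and domain_matches(host, ind["value"]):
                hits.append((idx, ind["type"], ind["value"]))
    return hits


if __name__ == "__main__":
    for idx, itype, value in match_logs(LOG_LINES, load_indicators(FEED_JSON)):
        print(f"hit: line {idx} matched {itype} {value}: {LOG_LINES[idx]}")
```

Two details matter more than the matching itself: the expiry check, because indicators shared without a lifetime keep firing long after the infrastructure has been re-used by someone innocent, and the dot-anchored subdomain test, because a plain suffix comparison would flag notbad-example.test as a hit.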
More and more organizations are moving applications and data to IaaS/PaaS environments. Many enterprise IT departments have reason for concern: industry experts agree that moving sensitive data into the hands of third-party cloud providers expands and complicates the risk landscape in which companies operate every day. You need to understand cloud database security basics and more.
Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried over HTTPS. HTTPS-everywhere will get a boost in 2015 as a new certificate authority – backed by big names on the internet including Mozilla, Cisco and Akamai – plans to offer SSL certificates at no charge starting summer 2015. This move will make it even easier for people to run encrypted, secure HTTPS websites.
Google is proposing to warn people that their data is at risk every time they visit websites that do not use HTTPS. If implemented, the change would mean that a warning would pop up when people visited a site that used only HTTP, to notify them that such a connection “provides no data security”. In the short term, the biggest headache is likely to be faced by website operators, who will feel forced to migrate unencrypted HTTP websites to encrypted HTTPS.
You can’t trust that normal web security technologies will guarantee safety. Your HTTPS security will be manipulated more than before. End-to-end HTTPS is generally a good security addition for end users, but it does not solve all the problems. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls can’t look at what is inside encrypted HTTPS packets, so they can’t block potential security threats that are carried within HTTPS packets. There are some special corporate firewall arrangements that can intercept HTTPS traffic (they do a kind of man-in-the-middle attack that decrypts and re-encrypts the packets on the way). So SSL communications can be intercepted and broken.
3,110 Comments
Tomi Engdahl says:
Samuel Gibbs / Guardian:
French government can now block sites that advocate terrorism or contain images of child abuse without a court order; ISPs must comply within 24 hours — French law blocking terrorist and child abuse sites comes into effect — Law that allows blockade of offending sites without …
French law blocking terrorist and child abuse sites comes into effect
http://www.theguardian.com/technology/2015/feb/09/french-law-blocking-terrorist-and-child-abuse-sites-comes-into-effect
Law that allows blockade of offending sites without a court order criticised by free-speech groups as circumventing judicial power
France has introduced a new law that allows government agencies to order the blocking of websites that advocate acts of terrorism or contain images of child abuse.
The legislation was brought in by revisions to 2011’s Loppsi Act, and an anti-terror bill passed by the French senate in October, but can now be used by the general directorate of the police’s cybercrime unit to force French internet service providers to block sites within 24 hours, without a court order.
Sites that are blocked will redirect to a page from the interior ministry describing why the action was taken. The sites will be checked quarterly to make sure they continue to display the proscribed content and that the block is still appropriate.
Costs incurred by the ISPs as part of the block can be recovered from the French government, while sites can appeal if they have sufficient grounds to do so.
Tomi Engdahl says:
Ruth Reader / VentureBeat:
HP acquires data-security firm Voltage to build out its cloud offerings
http://venturebeat.com/2015/02/09/hp-acquires-data-security-firm-voltage-to-build-out-its-cloud-offerings/
With today’s acquisition of a data security firm, Hewlett-Packard is marking a push toward cloud-based security products.
Many small security players with an emphasis on cloud-based technology have emerged in the last several years, stealing market share away from behemoth security companies like HP. To combat them, HP has acquired a smattering of security startups with Voltage being the latest.
The company’s technology focuses on tokenization to keep data safe as it travels from device to server to device and so on.
Tomi Engdahl says:
Aaron M. Kessler / New York Times:
Senate report: vulnerabilities in cars’ wireless systems can let hackers take control of vehicles’ electronics and collect personal information on drivers
http://www.nytimes.com/2015/02/09/business/report-sees-weak-security-in-cars-wireless-systems.html?_r=0
Tomi Engdahl says:
Jill Daly / Pittsburgh Post-Gazette:
Teen charged with murder after posting selfie with victim’s body to Snapchat
Jeannette 16-year-old faces murder charge in teen’s shooting death
http://www.post-gazette.com/local/east/2015/02/07/Jeannette16-year-old-faces-murder-charge-in-teen-s-shooting-death/stories/201502070133
the young man charged with murder in the case is said by police to have paused to take a phone camera self-portrait of himself and the victim after the shooting and sent it to another young man.
On Thursday, a woman told police her son had a copy of a Snapchat photo sent from the accused.
Tomi Engdahl says:
Jon Southurst / CoinDesk:
Hong Kong’s MyCoin Bitcoin exchange disappears with up to $387M, Ponzi scheme suspected
Hong Kong’s MyCoin Disappears With Up To $387 Million, Reports Claim
http://www.coindesk.com/hong-kong-exchange-mycoin-disappears-387m-reports-claim/
Reports are emerging from Hong Kong that local bitcoin exchange MyCoin has shut its doors, taking with it possibly as much as HK$3bn ($386.9m) in investor funds.
If true, the supposed losses are a staggering amount, although this estimate is based on the company’s own earlier claims that it served 3,000 clients who had invested HK$1m ($129,000) each.
For perspective, bitcoin’s entire market cap today stands at around USD$3bn.
Adding to the mystery are reports the company never operated as a genuine bitcoin business at all. Testimonies from customers describe an operation more like a Ponzi scheme that used the veneer of bitcoin trading as its lure.
The incident could lead to greater regulation of the bitcoin industry in Hong Kong, which has so far operated with little scrutiny.
Another Hong Kong exchange, KBBEX, has informed Leung that it is willing to provide assistance to help those affected, in order to regain trust in bitcoin and perhaps perform technical analysis if required.
Tomi Engdahl says:
Everett Rosenfeld / CNBC:
Ecuador is the first country to roll out a state-run electronic payment system; digital currency will be tied to the US dollar
Ecuador becomes the first country to roll out its own digital cash
http://www.cnbc.com/id/102397137
In 2000, Ecuador moved to ditch its stumbling currency for the U.S. dollar. Now more than 15 years later, the South American country is revamping its monetary system again—using digital currencies.
Ecuador’s Sistema de Dinero Electrónico (electronic money system) kicked off in December by allowing qualifying users to set up accounts, and it will begin acting as a real means of transaction this month.
Once the government flips the switch, the South American nation of 16 million will host the first-ever state-run electronic payment system. (Other countries, such as Sweden, use digital currencies widely, but they’re not state-sponsored.) But the Ecuadorean government says the scheme is designed to support its dollar-based monetary system, not replace it.
Electronic money will not only help the poor, he added, but will act as a cost-saving mechanism for the government: Ecuador spends more than $3 million every year to exchange deteriorating old notes for new dollars, Martinez said. There would presumably be less wear and tear on the currency if much of it was stored at the central bank while citizens relied on mobile payments.
White told CNBC that the government’s bitcoin ban in July and its barring of competing e-money systems demonstrate Quito’s intentions.
At the very least, White said, the government is looking to turn a profit from holding a monopoly on all electronic payments
Despite several headlines to the contrary, Ecuador’s electronic money system is dissimilar from bitcoin. While the world’s most popular cryptocurrency is a digital token running on a decentralized (yet cryptographically secured) electronic network, Ecuador’s new project would be controlled by the government and tied directly to the local currency—the dollar.
The project initially created buzz in in the bitcoin blogosphere, but that interest faltered once it was clear that Ecuador’s project would not present a competing alternative. Not only is the technology importantly different, but Ecuador’s electronic money system currently can be accessed only by qualifying citizens and residents.
Tomi Engdahl says:
Palantir Buys Fancy That To Add Retail, Shopping Data To Its Analytics Platform
http://techcrunch.com/2015/02/06/palantir-fancy-that/
Palantir is known for its data analytics platform that is used extensively in areas like law enforcement, financial and insurance research and healthcare. Now you can add retail and shopping data to the mix. It has acquired Fancy That, a startup that has built a platform to help retailers with their omnichannel strategies across physical stores, online, mobile and other platforms where they sell goods and communicate with customers.
Among its features, Fancy That optimizes store operations, including clearing inventories, managing discounts, and understanding customers’ retail habits. Tapping into the different kinds of technology that are used in retail environments today, the company incorporates elements of machine learning, mobile, and sensor technologies into its services. It works on both software and hardware technologies.
Initially aiming its services at apparel sellers, Fancy That’s longer term goal seems to be to target others in the retail industry, too.
Tomi Engdahl says:
IBM promises better protection against information leaks
IBM has released a plan for cloud-based Identity Mixer technology, which can be used to protect network users’ personal information, for example when creating new user accounts.
IBM pointed out in a statement, for example, that online video streaming services require users to verify their age and area of residence by giving their date of birth and home address. However, this is usually not necessary for using the service, and the user suffers if, for example, the data leaks.
For credit card payments at a service, Identity Mixer should provide confirmation that the user’s credit is valid and that the payment can be accepted. The user would no longer need to disclose credit card information to the service.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-09/IBM-lupaa-parempaa-suojaa-tietovuodoilta-3215475.html
Tomi Engdahl says:
This is how a gigantic breach was done: by slowly creeping
The Anthem data theft (80 million customer records) seems to have been a long-term process.
Security company Check Point has studied how the Anthem data breach was executed. In its view, data was slowly and discreetly pushed out of the company over several months using advanced techniques.
Anthem has said it got a hint of the attack last week, when an employee in the company’s IT management noticed that his username and password were being used to search the database.
Initially, there was talk of modified malware, but the attack may have begun as early as three months earlier.
“This does not surprise at all. When we gathered security data from more than 10,000 organizations worldwide for last year’s Check Point Security Report, 73 per cent of corporate networks had at least one bot infection at the time of the survey,” Check Point’s Nordic Regional Manager Örjan Westman says in the release.
Bots go unnoticed because cybercriminals modify them with special tools precisely so that traditional security programs do not recognize them.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-10/N%C3%A4in-tehtiin-j%C3%A4ttim%C3%A4inen-tietomurto-hitaasti-hivuttamalla-3215509.html
Tomi Engdahl says:
Victim of huge cyber attack did not encrypt customer data
Health insurance company Anthem kept the personal data of its 80 million customers in an unencrypted database, according to The Wall Street Journal (WSJ).
The law does not require health insurance companies to encrypt data, and storing information in plaintext is also a common practice in the field. Anthem representative Kristin Binns told the WSJ that the information is encrypted only when it is moved into or out of the system.
Of course, the fact that no such requirement exists does not logically mean that the data should not be protected by normal security practices.
But it is not that simple, the WSJ writes. An informed source told the paper that encrypting the information would make it harder to process when it is shared with health care providers and state governments. In addition, data encryption might do no more than temporarily slow down criminals. The main problem is that the data could be stolen at all.
Anthem believes that the intrusion used a stolen employee password.
Source: http://www.itviikko.fi/uutiset/2015/02/09/valtavan-kyberiskun-uhri-ei-salannut-asiakastietoja/20151703/7?rss=8
Health Insurer Anthem Didn’t Encrypt Data in Theft
Companies Aren’t Required by Law to Scramble Records, and Often Don’t
http://www.wsj.com/articles/investigators-eye-china-in-anthem-hack-1423167560
Anthem Inc. stored the Social Security numbers of 80 million customers without encrypting them, the result of what a person familiar with the matter described as a difficult balancing act between protecting the information and making it useful.
Tomi Engdahl says:
World’s mega-rich Swiss tax-avoidance: Meet the HSBC IT bloke at the heart of damning leak
Disguises, bodyguards and more in family man’s life
http://www.theregister.co.uk/2015/02/10/hsbc_allegations_falciani/
In 2008, HSBC IT exec Hervé Falciani blew the whistle on the huge tax-avoidance maneuvers used by some of the planet’s wealthiest people. This week, sensitive documents obtained by the 43-year-old have been published online for the world to see.
Falciani has fled across Europe, swerved extradition requests, and, fearing for his life, hired bodyguards – after he grabbed the financial records of the super-rich, which eventually found their way into the hands of the taxman.
Armed with the leaked files, watchdogs in France, UK, Italy, Belgium, Greece and Spain have spent the past three years tracking down those who squirreled away mountains of cash under the mountains of Switzerland to avoid paying tax at home.
Falciani was a systems manager at HSBC Monaco until 2006 when he was transferred to the bank’s Geneva office. In Monaco he had installed computers and software designed to detect fraudulent transactions, but he claims he met resistance when he tried to do the same thing at the Swiss subsidiary.
The tech exec dug around in the systems HSBC was running, found evidence of wrongdoing, downloaded 100GB of data proving it, and stashed it in a remote server, he alleges. He took the files to Swiss police in 2006, but says he refused to work with them as they would not guarantee anonymity for him and his family.
“Banks such as HSBC have created a system for making themselves rich at the expense of society, by assisting in tax evasion and money laundering,” the Franco-Italian national alleged in a July 2013 interview with German mag Der Spiegel.
Tomi Engdahl says:
Real-Time Rogue Wireless Access Point Detection with the Raspberry Pi
http://www.linuxjournal.com/content/real-time-rogue-wireless-access-point-detection-raspberry-pi
Years ago, I worked for an automotive IT provider, and occasionally we went out to the plants to search for rogue Wireless Access Points (WAPs). A rogue WAP is one that the company hasn’t approved to be there. So if someone were to go and buy a wireless router, and plug it in to the network, that would be a rogue WAP. A rogue WAP also could be someone using a cell phone or MiFi as a Wi-Fi hotspot.
The tools we used were laptops with Fluke Networks’ AirMagnet, at the time a proprietary external Wi-Fi card and the software dashboard.
The payment card industry, with its data security standard (PCI-DSS), is the only one I could find that requires companies to do quarterly scans for rogue WAPs.
Later, when I was a network engineer at a publishing company, I found it was good to know what was on my employer’s network. The company wanted to know if employees followed policy. The company also was worried about data loss, especially around a couple projects.
One thing I always wanted was a passive real-time wireless sensor network to watch for changes in Wi-Fi. A passive system, like Kismet and Airodump-NG, collects all the packets in the radio frequency (RF) that the card can detect and displays them. This finds hidden WAPs too, by looking at the clients talking to them. In contrast, active systems, like the old Netsumbler, try to connect WAPs by broadcasting null SSID probes and displaying the WAPs that reply back. This misses hidden networks.
Today lots of wireless intrusion detection systems exist on the market, but as listed in the Hardware sidebar, mine cost me little more than $400.00 USD to make. Based on numbers I could get, via Google Shopping, using Cisco Network’s Wireless IDS data sheet from 2014, a similar set up would have cost about $11,500 USD.
Cost of parts: $69.95 per sensor; I used six Raspberry Pis in the project.
Raspberry Pi Wireless Sensor Drone:
Wireless Survey
A wireless survey is usually a map of a building or location showing the signal strengths associated with wireless access points. Surveys are usually the first step when a new wireless network is installed. Surveys give the installers how many WAPs are needed, where they should be spaced, and what channels would be best to use in those areas.
Surveys normally are done with a WAP and a Wi-Fi-enabled device. The WAP is placed in a location, and signal strength is recorded as the client is moved around the area.
A rogue WAP or a survey WAP can be built from a Raspberry Pi with a wireless card and Hostapd.
Kali Linux:
Kali Linux is the new version of Backtrack Linux—one of the specialized Linux distributions for penetration testing and security. It is currently based off Debian Linux, with security-focused tools preinstalled.
Airodump-NG
Airodump is a raw 802.11 packet capture device. It is part of the Aircrack-NG suite.
What Is Kismet?
Kismet is an 802.11 wireless network detector, sniffer and intrusion detection system. Kismet will work with any wireless card that supports raw monitoring mode, and it can sniff 802.11b, 802.11a, 802.11g and 802.11n traffic (devices and drivers permitting).
Configuring the Raspberry Pi with Kali
Configure the Kismet Drone
Configure the Kismet Server on a PC or Server for the Drone Sensors
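The drone-plus-server build described in the excerpt ends with a stream of observed access points; the decision logic that turns that stream into "rogue or not" is what an engineer has to write themselves. As an added example (not code from the Linux Journal article or this comment), the following compares one passive scan against an authorized-AP inventory. The scan records are a constructed, reduced CSV in the spirit of what airodump-ng or Kismet reports (BSSID, channel, signal, privacy, ESSID); the inventory, BSSIDs and SSIDs are invented.

```python
"""Classify observed Wi-Fi access points against an authorized inventory.

Added example, not from the Linux Journal article or the original comment.
The scan records are a constructed, reduced CSV in the spirit of what a
passive sniffer such as airodump-ng or Kismet reports (BSSID, channel,
signal, privacy, ESSID); the inventory and addresses are invented.
"""
import csv
import io

# Constructed inventory of approved access points: BSSID -> SSID it should serve.
AUTHORIZED = {
    "00:11:22:AA:BB:01": "CorpNet",
    "00:11:22:AA:BB:02": "CorpNet",
    "00:11:22:AA:BB:03": "CorpGuest",
}
CORPORATE_SSIDS = {"CorpNet", "CorpGuest"}

# Constructed scan output. Power is in dBm; closer to 0 means a stronger signal,
# which for an unapproved AP suggests it is physically inside the building.
SCAN_CSV = """bssid,channel,power,privacy,essid
00:11:22:aa:bb:01,1,-45,WPA2,CorpNet
00:11:22:aa:bb:03,6,-50,WPA2,CorpGuest
66:77:88:99:AA:BB,11,-38,WPA2,CorpNet
DE:AD:BE:EF:00:01,6,-42,OPN,
CA:FE:00:00:00:02,1,-85,WPA2,Neighbour-Cafe
12:34:56:78:9A:BC,11,-41,WEP,Printer-Setup
"""

STRONG_DBM = -60  # weaker than this and the radio is probably outside the building


def parse_scan(text):
    """Parse the reduced CSV into records with a normalized upper-case BSSID."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "bssid": row["bssid"].upper(),
            "channel": int(row["channel"]),
            "power": int(row["power"]),
            "privacy": row["privacy"],
            "essid": row["essid"],
        })
    return records


def classify(records, authorized=AUTHORIZED, corporate_ssids=CORPORATE_SSIDS):
    """Map each BSSID to a verdict a network engineer would act on."""
    verdicts = {}
    for rec in records:
        bssid, ssid = rec["bssid"], rec["essid"]
        if bssid in authorized:
            # Known radio; still confirm it advertises the SSID it was configured for.
            verdict = "authorized" if authorized[bssid] == ssid else "authorized-ssid-mismatch"
        elif ssid in corporate_ssids:
            # Corporate SSID from an unknown radio: the evil-twin pattern, highest priority.
            verdict = "evil-twin-suspect"
        elif ssid == "":
            # Hidden network: a passive sensor only learns its name from clients probing it.
            verdict = "hidden-unknown"
        elif rec["power"] >= STRONG_DBM:
            verdict = "rogue-suspect-strong-signal"
        else:
            verdict = "unknown-weak-signal"
        verdicts[bssid] = verdict
    return verdicts


def new_since(previous, current):
    """BSSIDs present in the current scan but not in the previous one; a real-time
    sensor alerts on these rather than re-reporting the whole list every cycle."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    results = classify(parse_scan(SCAN_CSV))
    for bssid, verdict in results.items():
        print(f"{bssid}  {verdict}")
    print("new since inventory:", new_since(AUTHORIZED, results))
```

The signal-strength threshold is the weakest part of any such rule and should be calibrated per site from a survey like the one the excerpt describes; the BSSID and SSID comparisons, by contrast, are exact and are where the real value of an inventory lies.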
Tomi Engdahl says:
Ask Slashdot: What Will It Take To End Mass Surveillance?
http://ask.slashdot.org/story/15/02/10/0119231/ask-slashdot-what-will-it-take-to-end-mass-surveillance
Both the White House and the U.S. Intelligence Community have recently announced reforms to surveillance programs sanctioned under Section 215 of the Patriot Act and Section 702 of the Foreign Intelligence Surveillance Act. But do these reforms represent significant restructuring or are they just bureaucratic gestures intended to create the perception that officials are responding to public pressure?
The fact sheet reveals that the Board’s mandate to “end the NSA’s bulk telephone records program” has not been implemented.
In other words, the physical infrastructure of the NSA’s global panopticon is still in place.
Comments:
The ONE thing they fear is effective encryption.
It is a sad situation, because that will also get in the way of legitimate (and yes, it can exist) investigation, however that is the arms race they are forcing you in to.
NOT encryption-when-you-have-something-to-hide, but encryption of EVERYTHING, as standard operating principle.
Right now exception is a nice bold flag to them that you should be monitored, however if even 20% of the population are regularly using it, that no longer works.
We are starting to see some very small movements in the encryption systems to escape from the over-complex not interoperable situation they let themselves be pushed in to, and THAT is a big part of the problem, but some people now get it, and in a few years we may well have a much better choice in the area of easy to use, interoperable, and open enough to be trustable encryption systems… and then the monitoring will work much less.
They will of course still see who is ‘communicating’ with who for some forms of link, that will be the next step.. protect the content first.
Like many things, the governments stupidity is going to make sensible law enforcement more difficult.
Go USA! and all that.. sigh.
Wide spread, end to end encryption would need to be implemented. In order to do that, you need one or two major providers to start advertising that they are completely encrypted, and that the competition is just handing your data to the government. That’s one hell of a marketing 2×4 that the NSA is giving away for free to the first company to wants to step up and claim it.
“The Banana Computer Corporation is proud to announce that our platform is completely encrypted from end to end, and will protect you and your loved ones from digital threats such as Eastern European Identity thieves, illegal government spying, and other data theft. And what about the other companies? “
Tomi Engdahl says:
Anthem Breach May Have Started in April 2014
http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
Analysis of open source information on the cybercriminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from health insurance giant Anthem suggests the attackers may have first gained a foothold in April 2014, nine months before the company says it discovered the intrusion.
servers and attack tools used in the attack on Anthem bear the hallmark of a state-sponsored Chinese cyber espionage group known by a number of names
ScanBox Framework, a suite of tools that have been used to launch a number of cyber espionage attacks.
particular address was until very recently the home for a very interesting domain: we11point.com.
the domain was attempting to make it look like “Wellpoint,” the former name of Anthem
We11point[dot]com was registered on April 21, 2014 to a bulk domain registration service in China.
Interestingly, that extcitrix.we11point[dot]com domain, first put online on April 22, 2014, was referenced in a malware scan from a malicious file that someone uploaded to malware scanning service Virustotal.com.
But a variety of data points suggest that the same infrastructure used to attack Anthem may have been leveraged against a Reston, Va.-based information technology firm that primarily serves the Department of Defense.
ANALYSIS
It’s remarkable that the security industry so seldom learns from past mistakes. For example, one of the more confounding and long-running problems in the field of malware detection and prevention is the proliferation of varying names for the same threat. We’re seeing this once again with the nicknames assigned to various cyberespionage groups
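The we11point.com lookalike in the article above (two digit 1s standing in for the letters ll in Wellpoint) is the kind of thing a defender can spot in DNS or proxy logs long before an intrusion is nine months old. The Go program below is an added example, not code from this blog or from the Krebs article; the brand watchlist, the confusable-character table and the query-log lines are constructed for the demonstration. It collapses visually confusable characters to a skeleton, compares every hostname label except the TLD against the watchlist, and reports the impersonated brand while leaving the genuine domain alone.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example (not the blog's or Krebs' code): flag hostnames whose labels
// impersonate a protected brand the way we11point.com imitated Wellpoint.

// protectedBrands is a constructed watchlist; a real deployment loads its own names here.
var protectedBrands = []string{"wellpoint", "anthem"}

// confusables maps characters commonly swapped in for similar-looking letters.
var confusables = map[rune]rune{
	'1': 'l', '|': 'l', '!': 'i', '0': 'o', '3': 'e', '5': 's', '7': 't', '4': 'a', '8': 'b',
}

// skeleton reduces a label to its visual skeleton so lookalike spellings
// collapse onto the genuine name ("we11point" -> "wellpoint").
func skeleton(label string) string {
	label = strings.ToLower(label)
	label = strings.ReplaceAll(label, "rn", "m") // "anthern" reads as "anthem"
	label = strings.ReplaceAll(label, "vv", "w")
	var b strings.Builder
	for _, r := range label {
		if r == '-' {
			continue // "well-point" reads as "wellpoint"
		}
		if mapped, ok := confusables[r]; ok {
			r = mapped
		}
		b.WriteRune(r)
	}
	return b.String()
}

// Lookalike reports which protected brand a hostname imitates, if any. Every
// label except the TLD is checked, so extcitrix.we11point.com is caught on
// its second-level label; the genuine brand label itself is never flagged.
func Lookalike(host string) (brand string, ok bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return "", false
	}
	for _, label := range labels[:len(labels)-1] {
		for _, b := range protectedBrands {
			if label != b && skeleton(label) == skeleton(b) {
				return b, true
			}
		}
	}
	return "", false
}

// ScanDNSLog runs the check over query-log lines of the constructed form
// "<timestamp> <client-ip> <queried-name>" and returns one finding per hit.
func ScanDNSLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue // malformed line: skip it rather than abort the scan
		}
		if brand, ok := Lookalike(f[2]); ok {
			hits = append(hits, fmt.Sprintf("%s queried %s (lookalike of %s)", f[1], f[2], brand))
		}
	}
	return hits
}

// sampleLog is constructed for the demonstration, not real traffic.
var sampleLog = []string{
	"2015-02-10T09:12:01Z 10.0.4.17 www.wellpoint.com",
	"2015-02-10T09:12:05Z 10.0.4.17 extcitrix.we11point.com",
	"2015-02-10T09:13:40Z 10.0.7.3 mail.example.com",
	"2015-02-10T09:14:02Z 10.0.7.3 anthern.com",
	"2015-02-10T09:15:11Z 10.0.9.9 wellpoint.com",
}

func main() {
	for _, h := range ScanDNSLog(sampleLog) {
		fmt.Println(h)
	}
}
```

The skeleton comparison is deliberately narrow (exact match after normalisation) so that it produces few false positives on a busy resolver; a watchlist match is worth an alert precisely because the genuine brand domain is excluded by construction.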
Tomi Engdahl says:
Security Protocol Protects Pacemaker Information
http://www.medicaldesignbriefs.com/component/content/article/1104-mdb/news/21548
The Ladon security protocol, developed by Spain’s University of the Basque Country/EHU researcher Jasone Astorga in the 12T (Telematics Research and Engineering) research group, protects the information provided by pacemakers and similar medical devices connected to the Internet.
The remote monitoring of implantable, wireless medical sensors is a constantly advancing field, which nevertheless still has clear shortcomings. The direct connection of medical sensors to the Internet is the next natural step.
The Ladon security protocol is an efficient mechanism to authenticate, authorize, and establish the end-to-end keys (keys for communication between the terminal used by the doctor and the patient’s device).
Tomi Engdahl says:
HSBC Banking Leak Shows Tax Avoidance, Dealings With Criminals
http://news.slashdot.org/story/15/02/10/0431219/hsbc-banking-leak-shows-tax-avoidance-dealings-with-criminals
Data in a massive cache of leaked secret bank account files lift the lid on questionable practices at a subsidiary of one of the world’s biggest financial institutions. HSBC’s Swiss banking arm
HSBC files show how Swiss bank helped clients dodge taxes and hide millions
http://www.theguardian.com/business/2015/feb/08/hsbc-files-expose-swiss-bank-clients-dodge-taxes-hide-millions
Data in massive cache of leaked secret bank account files lift lid on questionable practices at subsidiary of one of world’s biggest financial institutions
US prosecutors weigh criminal charges against HSBC as Warren turns up the heat
http://www.theguardian.com/news/2015/feb/10/hsbc-us-prosecutors-criminal-charges-elizabeth-warren
Tomi Engdahl says:
Defense minister Haglund: Finland should be able to launch cyber attacks
Defense Minister Carl Haglund (r.) believes that, in a time of crisis, Finland should have the capability and the opportunity to also launch cyber attacks.
According to Haglund, Finnish legislation does not recognize a situation in which, during a crisis, Finland would have to act otherwise than with military arms. After the presentation, Haglund asked why it would be better to attack the enemy with, for example, a missile than to spare the civilians and cripple the power grid.
Haglund is of the opinion that the policy decision on cyber warfare capability must be made during the next parliamentary term.
Source: http://yle.fi/uutiset/puolustusministeri_haglund_suomen_voitava_tehda_kyberhyokkayksia/7794553
Tomi Engdahl says:
Ransomware – The Worst Is Yet to Come
How long before ransomware targets sensitive devices, including cars and medical implants?
http://www.informationweek.com/partner-perspectives/bitdefender/ransomware—the-worst-is-yet-to-come/a/d-id/1319035
When reviewing the past year, anti-malware companies usually give supporting data such as the number of incidents, top threats, and the amount of money lost to malware. This year, unfortunately, we’re starting a new section in malware reports that counts the number of people who have paid the ultimate toll to malware: their lives.
It began in March last year when a Romanian citizen ended his and his son’s life after he was informed that he had to pay a fine in excess of $21,000 for watching pornographic content; the fine was bogus.
The story repeated earlier this year, when a 17-year-old college student took his own life after seeing a ransom message impersonating the UK police.
The number of crypto-ransomware families is growing at an alarming pace, fueled by the success of crypto-ransomware such as CryptoLocker and CryptoWall.
CryptoWall developers learned their lessons: The new malware delivery and key management infrastructures of CryptoWall are so well developed and scaled that they could put a significant chunk of legitimate businesses to shame.
Evolution has trimmed out shortcomings that could make CryptoWall vulnerable: For example, paid ransom money is now split among individual, ad-hoc generated Bitcoin wallets so anti-malware companies and law enforcement can’t just look into one wallet and see the immense profit the operators have made.
The command and control infrastructure has also been migrated to the Darknet via Web-to-TOR gateways.
CryptoWall comes with a variety of features that make it more difficult to detect or take out of business, but a particularly important feature is the polymorphic builder used to create a new virus for every potential victim.
It has already been proven that ransomware can inflict huge financial damage on companies and users. It’s also a fact that ransomware has killed people in its wielders’ quest for money, although the incidents mentioned above are only collateral damage and not the hackers’ end goal.
One question still needs answering: How long will it take ransomware to target more sensitive devices we use, including cars and medical implants?
Tomi Engdahl says:
Portable Flash Drives Benefit From Encryption
http://www.eetimes.com/author.asp?section_id=36&doc_id=1325622&
USB drives that are fast and mobile clearly have uses for certain customers, especially those requiring security. Ultimately, these devices and their encryption features need to be managed by IT to truly keep sensitive data safe.
But I can see why some users or organizations might need a portable drive – sometimes you just can’t connect to the cloud securely enough or at all, or the file you need is so large that downloading it is inconvenient. Or you don’t really trust cloud services at all.
Portable drives can pose a security risk as well. Next to hacked databases, often most of the high-profile data-theft stories we hear about are due to lost or stolen USB drives that were not secure and were holding data that should never have left the corporate firewall in the first place.
That’s why Kingston still sees a market for portable USB flash drives. In fact, it’s growing, according to Ken Campbell, the company’s encrypted USB business manager. Specifically, the opportunity is in encrypted drives, a product area that grew 19% in 2014 over 2013, he said.
“Security is still high on people’s minds,” Campbell said in a telephone interview, and they always need to transfer data. “There are times where there is no Internet and you have to carry data around somewhere.”
Hunsaker said USB flash drive users are looking for convenient mobile, pocket-sized storage, while portable HDD users care more about expanding storage and backing up their files. “Cloud storage is still a relatively new market and not widely adopted by consumers due to concerns about data security and costly fees associated with cloud subscription services.”
Tomi Engdahl says:
Arm Buys IoT Security Firm
Offspark provides security piece for mbed OS
http://www.eetimes.com/document.asp?doc_id=1325614&
ARM acquired Offspark, a Netherlands-based supplier of Transport Layer Security software that will get folded into its mbed operating system for its Cortex-M cores. ARM aims to make mbed, announced in October, a unifying code base for the fragmented Internet of Things where security is an increasingly key concern.
Offspark’s PolarSSL, an implementation of Transport Layer Security (TLS) for embedded systems, “will form the core of the ARM mbed communication security and software cryptography strategy,” ARM said in a press release today. ARM will give PolarSSL a new name, ARM mbed TLS, and continue to provide it as open source code both as a standalone product and later this year as part of mbed.
ARM will release mbed OS under an Apache 2.0 license, which will include mbed TLS, Thread, and other technologies, toward the end of 2015. The independent release of mbed TLS 1.3.10 is now available online under GPL and to existing PolarSSL users.
Tomi Engdahl says:
Apple’s Cook will have to defend himself in front of Obama
Apple CEO Tim Cook will visit the White House next Friday, Business Insider reports. Cook is expected to address the cryptographic security practices of US technology companies at the meeting.
According to BI, Cook will probably have to answer the following question at the meeting: “Why are you making Apple devices so easy for criminals and terrorists to use?”
In recent months, Apple and other technology companies have introduced “strong” encryption on their devices as the default. It cannot be decrypted, even if the authorities require it.
The feature improves consumer privacy, but weakens the ability of the NSA and other US security authorities to catch terrorists and other criminals. The authorities cannot gain access to properly encrypted data by any means.
The authorities would like a backdoor to be created in the system, which would allow encrypted data to be analysed afterwards. Alternatively, they demand that strong encryption technology be prohibited.
Critics consider the requirements dangerous and technically impossible to implement.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-11/Applen-Cook-joutuu-puolustautumaan-Obaman-edess%C3%A4-3215558.html
Tomi Engdahl says:
US plots to KILL hackers – with bureaucracy!
New Cyber Threat Intelligence Integration Center will share info with big biz
http://www.theregister.co.uk/2015/02/11/new_usg_cybersecurity_agency_will_share_info_with_private_sector/
A new US government “cyber threat” agency will take information on computer security breaches at private companies, pair it with classified intelligence – and put it back out to businesses so they can learn how to beef up their defences.
That’s the dream, anyway, according to President Obama’s homeland security and counterterrorism advisor Lisa Monaco, who launched the Cyber Threat Intelligence Integration Center (CTIIC) on Tuesday in Washington DC.
“So much of our critical infrastructure – and just infrastructure – is in private sector hands,” Monaco noted. “And so we are relying on it to some significant measure about information on vulnerabilities.”
In recent months, there have been high-profile “cyber” assaults against Sony Pictures, healthcare insurance company Anthem, and retail stores Target and Home Depot. The idea of CTIIC (pronounced ‘see-tick’) is for the government to build relationships with companies and share information on threats quickly in order to limit broader exposure.
There are a number of different agencies within the federal government that have cybersecurity arms including the FBI, the Department of Homeland Security, the NSA and the CIA. Monaco said the private sector should provide Homeland Security with the information and it will then share with the other arms of the federal government.
Tomi Engdahl says:
Could a wireless pacemaker let hackers take control of your heart?
http://news.sciencemag.org/health/2015/02/could-wireless-pacemaker-let-hackers-take-control-your-heart
In a 2012 episode of the TV series Homeland, Vice President William Walden is assassinated by a terrorist who hacks into his Internet-enabled heart pacemaker and accelerates his heartbeat until he has a heart attack. A flight of fancy? Not everyone thinks so.
Internet security experts have been warning for years that such devices are open to both data theft and remote control by a hacker. In 2007, Vice President Dick Cheney’s cardiologist disabled the wireless functionality of his pacemaker because of just that risk. “It seemed to me to be a bad idea for the vice president to have a device that maybe somebody on a rope line or in the next hotel room or downstairs might be able to get into—hack into,” said the cardiologist, Jonathan Reiner of George Washington University Hospital in Washington, D.C., in a TV interview last year.
Medical devices such as insulin pumps, continuous glucose monitors, and pacemakers or defibrillators have become increasingly small and wearable in recent years. They often connect with a hand-held controller over short distances using Bluetooth. Often, either the controller or the device itself is connected to the Internet by means of Wi-Fi so that data can be sent directly to clinicians. But security experts have demonstrated that with easily available hardware, a user manual, and the device’s PIN number, they can take control of a device or monitor the data it sends.
Medical devices don’t get regular security updates, like smart phones and computers, because changes to their software could require recertification by regulators like the U.S. Food and Drug Administration (FDA). And FDA has focused on reliability, user safety, and ease of use—not on protecting against malicious attacks.
Tomi Engdahl says:
Samsung Edits Orwellian Clause Out Of TV Privacy Policy
http://techcrunch.com/2015/02/10/smarttv-privacy/?ncid=rss#gypjlZ:4ds
Following a storm of criticism relating to a creepy-sounding privacy policy covering its smart TVs, Samsung has today published a rebuttal and a more detailed explanation of the workings of its under-fire voice recognition feature. It has also edited the wording of its privacy policy to avoid sounding quite so eerily similar to George Orwell’s 1984 dystopia.
The original policy, which has been in place for some months, warned users of Samsung’s Internet-connected TVs:
Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.
Which sounded very much as if Samsung were asking its customers to self-censor their conversations when sitting in front of their own TVs in their own homes.
“If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you.”
Samsung’s explanation
http://global.samsungtomorrow.com/samsung-smart-tvs-do-not-monitor-living-room-conversations/
Tomi Engdahl says:
Security is the responsibility of company management: “Sufficiently straightforward tools”
Corporate information security has to be the responsibility of company management, according to security company Deltagon. Good practices and tools reduce the security risks related to people.
A Finnish employee is usually committed to their work and their work ethic is high. Employees want to do the right thing, but it is management’s responsibility to create data-safe practices and to ensure that employees have working tools for data protection, the company estimated in a statement.
Most people are very serious about protecting, for example, their own health data. The employer’s confidential information, by contrast, is treated worse.
“The protection of an individual’s personal data is discussed a lot in public. By contrast, the individual’s role as a member of a company or community, as well as the employee’s role in ensuring the company’s security, is talked about a lot less,” says Deltagon Managing Director Juha Lappi.
He encourages corporate executives to take note of human security risks and manage them. The key is organizational culture and a simple security policy that is deployed across the entire staff.
“Practice has shown that users need tools so straightforward that they work even in urgent situations. When a customer calls and asks for information electronically, we must be able to respond securely without breaking the rules. Only then do actual risks decrease,” says Lappi.
Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-11/Tietoturva-on-yritysjohdon-vastuulla-Tarpeeksi-suoraviivaisia-v%C3%A4lineit%C3%A4-3215577.html
Tomi Engdahl says:
Danny Yadron / Wall Street Journal:
Chinese hackers reprogrammed Forbes “Thought of the Day” widget to attack readers’ computers using zero day exploits in Flash and Internet Explorer — Forbes Website Used to Hack Readers — Users of Microsoft ‘s flagship Internet browser who visited Forbes.com …
Forbes Website Used to Hack Readers
http://blogs.wsj.com/digits/2015/02/10/forbes-website-used-to-hack-readers/
Users of Microsoft’s flagship Internet browser who visited Forbes.com on the four days following Thanksgiving were open to be hacked, two cybersecurity firms said Tuesday.
The companies, iSight Partners and Invincea, said hackers who appear to be linked to China had reprogrammed Forbes’ “Thought of the Day” widget to send malicious computer code to readers’ computers.
The site appears to have been compromised from Nov. 28 to Dec. 1, the firms said. They said they did not know how many Internet users may have been affected.
Forbes, which had not previously disclosed the incident, confirmed it Tuesday. In a statement, a spokeswoman said Forbes learned of the hack, and its duration, on Dec. 1. “Forbes took immediate actions to remediate the incident,” she said.
But analysts suspect the attackers were interested in select targets.
Tomi Engdahl says:
Ellen Nakashima / Washington Post:
US forming Cyber Threat Intelligence Integration Center to collate intelligence against cyberattacks — New agency to sniff out threats in cyberspace — The Obama administration is establishing a new agency to combat the deepening threat from cyberattacks, and its mission …
New agency to sniff out threats in cyberspace
http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html
The Obama administration is establishing a new agency to combat the deepening threat from cyberattacks, and its mission will be to fuse intelligence from around the government when a crisis occurs.
The agency is modeled after the National Counterterrorism Center, which was launched in the wake of the Sept. 11, 2001, attacks amid criticism that the government failed to share intelligence that could have unraveled the al-Qaeda plot.
Tomi Engdahl says:
A quick checkup and a simple thanks
http://googledrive.blogspot.co.uk/2015/02/safer-internet-day-2015.html
This Safer Internet Day, we’re reminded how important online safety is and hope you’ll use this as an opportunity to take 2 minutes to complete a simple Security Checkup.
As our way of saying thanks for completing the checkup by 17 February 2015, we’ll give you a permanent 2 gigabyte bump in your Google Drive storage plan.
It takes just a couple of minutes and, unlike other checkups, it won’t leave you feeling guilty about not flossing. Here’s what it does:
Ensures your account recovery information is current
Lets you review recent sign-in activity
Confirms the apps and devices that access some account information
Ideally, you’ll revisit this checkup every so often or anytime your account changes, like when you get a new phone or replace an old laptop. While this is just one way to help you stay safe online, you can find even more tools and tips in the Google Safety Center.
Tomi Engdahl says:
Dutch government website outage caused by cyber attack
http://www.theglobeandmail.com/news/world/dutch-government-website-outage-caused-by-cyber-attack/article22906994/
Cyber attackers caused the outage of Dutch government websites and a prominent satirical news portal for most of Tuesday, a Dutch government official said on Wednesday.
The outage affected most of the central government’s main websites
The attack affected the network of hosting provider Prolocation
Tomi Engdahl says:
This is how to combat denial of service attacks: “usually the operator transmits all packets”
Fighting a denial of service attack is difficult unless the matter has been practised in advance.
“If it has not been agreed with the operator in advance how the traffic will start to be cleaned up, fighting large volumes of it is impossible,”
The operator must consider in advance what kind of traffic can be cleaned up. In practice, the operator has at its disposal equipment that can be used to filter malicious packets.
“Usually the operator transmits all incoming packets and cannot filter a single packet unless the matter has been specifically agreed,”
Denial of service attack defence is usually an optional extra service, which means the operator charges separately for the work and for the additional equipment used to detect harmful traffic. The equipment operates by various rules that differentiate between harmful and legitimate traffic.
Source: http://summa.talentum.fi/article/tv/uutiset/121938
Tomi Engdahl says:
Network breaking and entering: Ars tests the Pwn Plug R3
Pwnie Express’ latest appliance levels up hardware, steps away from sneakiness.
http://arstechnica.com/information-technology/2015/02/palm-sized-pwnage-ars-tests-the-pwn-plug-r3/
Imagine for a moment the following scenario: you’re the manager for a busy bank branch in a major city. You come back from lunch and are told by one of your employees that someone from corporate IT dropped by to check on a reported problem with a branch PC. You don’t remember putting in a trouble ticket with IT, but apparently the guy left after looking under a desk and re-plugging a network cable or something. It took less than five minutes. You think nothing of it and go back to approving loans.
Three days later, you get a call from the head of corporate security, wanting to know why someone at your branch has been performing wire transfers from the accounts of customers who’ve never used your branch to accounts at offshore banks. A few hours later, you’re unplugging the bank’s network equipment while he’s shouting at you over the phone about gigabytes of corporate data being pulled down from something in your bank. And when the security team and police arrive to investigate, they find a little nondescript box plugged into a network port, connected to a broadband cellular modem.
Something like this happened to banks in London last year. A man posing as an IT contractor wired networked keyboard-video-mouse (KVM) switches connected to cellular routers into PCs at two bank branches.
Drop boxes have another, more law-abiding use in the security business—they allow penetration testers to check the security of organizations’ networks. If you don’t know what your network’s vulnerabilities are, you can’t very well defend it. It’s why penetration testing has grown from a small but lucrative consulting field to an integral part of some companies’ internal security practices.
Ars has some experience with Pwnie’s devices. We used the PwnPlug R2 in our joint project with NPR last summer to act as our NSA-like passive monitoring tool, and then we purchased an R2 for our ongoing security and privacy testing. So when the Pwn Plug R3, the third generation of Pwnie’s flagship pen-testing device, arrived on the scene late last year, we decided to give it a thorough workout.
Pwning home
Outpost is also used to configure the Pwn Plug’s method of phoning home once it’s deployed, and the various tools allow a stealthy connection to the Pwn Plug to execute those tests remotely. If there’s no firewall between you and the Pwn Plug, a simple SSH connection will do. But in cases where an inbound SSH session might be a bit harder to pull off, there are several different covert channels to choose from to communicate with the device
Paying to play
Obviously, the Pwn Plug R3 is not the sort of thing everyone is going to want to own—it’s a professional-grade tool. It still requires a certain skillset to use at a level that justifies its $995 price tag. While the Web-configurable features provide a good way to keep tabs on what’s going on in a given network environment, the real penetration testing and auditing tools require a learning curve even we’re still moving up on. For many, the price of the Pwn Plug may not be justifiable.
However, the few pieces of software that are proprietary to the Pwn Plug pay for the difference in cost fairly quickly for organizations doing regular penetration testing; merely the cost of a single road trip to perform a security audit can justify the purchase.
Tomi Engdahl says:
Jon Brodkin / Ars Technica:
Box’s new Enterprise Key Management gives encryption keys to customers, thwarting third party requests for data
Box hands cloud encryption keys over to its customers
Key management system keeps data safer from intrusion—and government demands.
http://arstechnica.com/information-technology/2015/02/box-hands-cloud-encryption-keys-over-to-its-customers/
Box has been talking for more than a year about letting its customers manage their own encryption keys, allowing them to store data in the cloud while maintaining control over who gets to access it.
This isn’t a straightforward problem to solve, because Box’s whole business is built on making it easier to share data and collaborate. The strictest security controls could eliminate the reason 44,000 companies are paying Box.
Today, Box says it has a new product that gets the job done. Called “Enterprise Key Management (EKM),” the service puts encryption keys inside a customer’s own data center and in a special security module stored in an Amazon data center. The Box service still must access customers’ data in order to enable sharing and collaboration, but EKM makes sure that only happens when the customer wants it to, Box says.
When asked if the service would prevent Box from handing data over to the government, a company spokesperson said, “Unless the customer provides authorization to Box to provide the content that’s asked for, Box is prevented from sharing the content. When customers use Box EKM we are not able to provide decrypted content because we don’t have the encryption keys protecting the customer’s content.”
Box has 48 percent of the Fortune 500 as customers, with millions of individual users, but “there are still some customers that can’t adopt the cloud, super regulated businesses in financial services, some very large energy companies, some major insurance companies, obviously government agencies and departments,” Box cofounder and CEO Aaron Levie told Ars.
EKM relies on a Hardware Security Module (HSM) made by SafeNet, which is placed inside Amazon’s CloudHSM service. Unlike most Amazon cloud services, this one gives each customer dedicated hardware.
CloudHSM “allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management,” Amazon says. “You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you.”
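To make concrete what “we don’t have the encryption keys protecting the customer’s content” means in a design like the one described, here is an added Go example. It is not Box’s or Amazon’s code and assumes nothing about their APIs: the customer-held key-encryption key (KEK) stands in for the HSM, the per-object data-encryption keys (DEKs) and the sample document are constructed, and the provider only ever holds ciphertext plus a wrapped DEK. Reading content (the sharing and collaboration path) succeeds only while the customer’s unwrap authorization is on; once the customer revokes it, the provider cannot decrypt what it stores even though it still stores all of it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example, not Box's or Amazon's code: a customer-held KEK wraps per-object DEKs.
var ErrNotAuthorized = errors.New("customer has not authorized unwrapping")

// CustomerKEK stands in for the HSM under the customer's control: the
// provider is offered wrap/unwrap operations, never the key bytes.
type CustomerKEK struct {
	key         []byte
	allowUnwrap bool
}

func NewCustomerKEK() (*CustomerKEK, error) {
	k, err := randomBytes(32)
	return &CustomerKEK{key: k, allowUnwrap: true}, err
}

// Revoke is the customer's switch, e.g. while a third-party data request is pending.
func (k *CustomerKEK) Revoke() { k.allowUnwrap = false }
func (k *CustomerKEK) Wrap(dek []byte) ([]byte, error) { return gcmSeal(k.key, dek) }
func (k *CustomerKEK) Unwrap(wrapped []byte) ([]byte, error) {
	if !k.allowUnwrap {
		return nil, ErrNotAuthorized
	}
	return gcmOpen(k.key, wrapped)
}

// StoredObject is all the provider keeps on disk; neither field decrypts the other.
type StoredObject struct {
	Ciphertext []byte
	WrappedDEK []byte
}

// ProviderStore encrypts content under a fresh DEK and keeps only the customer-wrapped DEK.
func ProviderStore(kek *CustomerKEK, plaintext []byte) (obj StoredObject, err error) {
	dek, err := randomBytes(32)
	if err == nil {
		obj.Ciphertext, err = gcmSeal(dek, plaintext)
	}
	if err == nil {
		obj.WrappedDEK, err = kek.Wrap(dek)
	}
	return obj, err
}

// ProviderRead is the sharing path: it works only if the customer's KEK unwraps the DEK.
func ProviderRead(kek *CustomerKEK, obj StoredObject) ([]byte, error) {
	dek, err := kek.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, obj.Ciphertext)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || AES-256-GCM ciphertext; gcmOpen reverses it.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	kek, _ := NewCustomerKEK()
	obj, _ := ProviderStore(kek, []byte("constructed sample document"))
	fmt.Println(ProviderRead(kek, obj)) // plaintext bytes and a nil error
	kek.Revoke()
	fmt.Println(ProviderRead(kek, obj)) // empty result and the not-authorized error
}
```

The design point is that revocation is enforced by key custody rather than by policy: after Revoke, the provider still has every byte it had before, but the only key that turns the wrapped DEK back into a usable key lives with the customer.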
Tomi Engdahl says:
War Gaming for Security Cred
http://hackaday.com/2015/02/08/war-gaming-for-security-cred/
Maybe you are an elite hax0r. But probably not. Maybe you feel like you should know more about how systems are compromised, and we’re all about that. You can’t keep the black hats out if you have no idea how they go about breaking in in the first place. That’s why war-gaming sites sprouted up in the first place. We find this one in particular to be delightfully engaging. OverTheWire’s Wargames teach you a little about security while the uninitiated also learn about simple concepts like SSH and, well… Linux!
http://overthewire.org/wargames/
Tomi Engdahl says:
US creates new surveillance agency in response to Sony hack
Hatches being battened down all over
http://www.theinquirer.net/inquirer/news/2394852/us-creates-new-surveillance-agency-in-response-to-sony-hack
THE UNITED STATES IS adding another security agency to the global roster, introducing it as a reaction or solution to incidents like the hack on Sony.
The Sony incident rather made a mockery of US-based businesses and their security, and showed just how little is actually achieved by communications hauling and inspection, and how infrequently serious things are nipped in the bud.
The Cyber Threat Intelligence Integration Centre (CTIIC) will put an end to this, apparently, and will work in ways that have eluded its peers. A ‘war room’ at its centre – think Dr Strangelove – will coordinate action and response.
Lisa Monaco, president Obama’s homeland security and counterterrorism adviser, revealed the agency during a think tank meeting in Washington.
“Currently, no single government entity is responsible for producing coordinated cyber threat assessments. This is filling a critical gap,” she said.
The launch follows high-profile breaches at organisations including Sony and Target in which huge numbers of people were exposed and a couple of high level jobs were lost.
The CTIIC has been welcomed by some in the industry, including Mike Lloyd, chief technology officer at security analysts RedSeal.
“The idea of a cyber intelligence hub is a good and timely one. Modern cyber security still has a lot to learn from traditional military strategists, including the central role of a ‘war room’ – a single location where complex flows of data about the fight can be centralised, filtered, compared, mapped out and acted on,”
Tomi Engdahl says:
US judge backs NSA in people vs privacy case
Fourth Amendment found to be still standing
http://www.theinquirer.net/inquirer/news/2394860/us-judge-backs-nsa-in-people-vs-privacy-case
A US JUDGE HAS ruled in favour of the National Security Agency (NSA) in a personal privacy case, despite the protests of rights group the Electronic Frontier Foundation (EFF).
Jewel vs the NSA was ruled on by judge Jeffrey White in Oakland, California, who told plaintiffs that they had failed to prove that the government violated a long established hope that ‘a man’s home is his castle’, or rather the Fourth Amendment.
Tomi Engdahl says:
Facebook Launches ThreatExchange To Let Companies Share Threat Info
http://it.slashdot.org/story/15/02/11/2254208/facebook-launches-threatexchange-to-let-companies-share-threat-info
Facebook today launched ThreatExchange, described as “an API-based clearinghouse for security threat information.” It’s really a social platform, which Facebook naturally excels at building, which allows companies to share with each other details about malware and phishing attacks.
ThreatExchange
https://threatexchange.fb.com/
Facebook launches ThreatExchange, an API-based platform that lets companies share security threat info
http://venturebeat.com/2015/02/11/facebook-launches-threatexchange-an-api-based-platform-that-lets-companies-share-security-threat-info/
Facebook today launched ThreatExchange, described as “an API-based clearinghouse for security threat information.” It’s really a social platform, something Facebook naturally excels at building, which allows companies to share with each other details about malware and phishing attacks.
Pinterest, Tumblr, Twitter, and Yahoo participated in ThreatExchange and gave feedback as Facebook was developing it. New contributors Bitly and Dropbox have also recently joined, bringing the initial participant list to seven major tech companies (including Facebook).
ThreatExchange is built on Facebook’s existing platform infrastructure, with layered APIs on top for partner companies to query available threat information and publish to participating organizations. Facebook says early feedback pushed for a platform that lets organizations be more open or selective about the information they share via a defined set of data types.
This resulted in privacy controls that let participants share only with the group or groups they wish (one participating partner, multiple, or all of them). A company may want to share specific information only with another company they know to be experiencing the same attack, for example.
Facebook’s argument is that existing tools for sharing security information between organizations are inefficient, complex, and frankly a burden:
“Email and spreadsheets are ad-hoc and inconsistent. It’s difficult to verify threats, to standardize formats, and for each company to protect its sensitive data. Commercial options can be expensive, and many open standards require additional infrastructure.”
Many teams end up tackling the same problems that others have already solved. ThreatExchange aims to help companies secure their systems by letting them learn from each other’s discoveries.
When it comes to security, collaboration is much more important than competition.
Facebook opens security industry social network for threat sharing
What the net needs is a great big sharing pot
http://www.theinquirer.net/inquirer/news/2394882/facebook-opens-security-industry-social-network-for-threat-sharing
FACEBOOK HAS LAUNCHED A THING called ThreatExchange which is the firm’s gift to the wider online security industry and a kind of sharing place for advice, updates and information.
News of ThreatExchange comes to us through an official post on the Facebook blog, and is soundtracked with some trumpeting.
It is pitched as a social network for the security community, so let’s assume it is not baggy like a first year schoolkid’s PE kit.
“We quickly learned that sharing with one another was key to beating the botnet because parts of it were hosted on our respective services and none of us had the complete picture.”
“During our discussions, it became clear that what we needed was a better model for threat sharing.”
Access to the network is governed by a number of privacy controls that were requested at the start of the project.
Hammel said that all firms can become stronger by combining their efforts: “That’s the beauty of working together on security. When one company gets stronger, so do the rest of us.”
ThreatExchange: Sharing for a safer internet
https://www.facebook.com/notes/protect-the-graph/threatexchange-sharing-for-a-safer-internet/1566584370248375
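The privacy control described above (share an indicator with one partner, several, or all of them) is easy to get wrong if the visibility check lives in the UI rather than at the query path. The following is an added example that models that control in a few dozen lines; it is not ThreatExchange's own code or API, and the participant names, indicator kinds and sample values are constructed for the demo.

```python
"""Toy model of group-scoped threat indicator sharing.

Added example, not Facebook's ThreatExchange code. It models the privacy
control the article describes: a publisher chooses which participants may
see an indicator (one, several, or everyone), and the store enforces that
choice on every query. Participant names and indicators are constructed.
"""
from dataclasses import dataclass

ALL = "ALL"  # constructed sentinel: indicator is visible to every participant


@dataclass(frozen=True)
class Indicator:
    kind: str             # e.g. "domain", "md5", "url"
    value: str
    description: str
    owner: str            # participant that published it
    audience: frozenset   # participants allowed to read it, or {ALL}


class Exchange:
    def __init__(self, participants):
        self.participants = set(participants)
        self._store = []

    def publish(self, owner, kind, value, description, audience=None):
        """Store an indicator; audience=None means share with everyone."""
        if owner not in self.participants:
            raise ValueError("unknown publisher: %s" % owner)
        aud = frozenset(audience) if audience else frozenset({ALL})
        unknown = aud - self.participants - {ALL}
        if unknown:
            raise ValueError("unknown audience members: %s" % sorted(unknown))
        ind = Indicator(kind, value, description, owner, aud)
        self._store.append(ind)
        return ind

    @staticmethod
    def visible_to(ind, who):
        # The owner always sees its own data; others only if listed or ALL.
        return who == ind.owner or ALL in ind.audience or who in ind.audience

    def query(self, who, kind=None):
        """Return only the indicators the caller is entitled to see."""
        if who not in self.participants:
            raise ValueError("unknown participant: %s" % who)
        return [i for i in self._store
                if self.visible_to(i, who) and (kind is None or i.kind == kind)]


def demo():
    """Constructed scenario: three publishers with different audiences."""
    ex = Exchange(["facebook", "dropbox", "bitly", "yahoo"])
    # shared with everyone
    ex.publish("facebook", "domain", "evil-example.test", "phishing kit host")
    # shared with a single partner seeing the same attack
    ex.publish("dropbox", "md5", "0123456789abcdef0123456789abcdef",
               "constructed sample hash", audience={"bitly"})
    # shared with a subset
    ex.publish("yahoo", "url", "http://bad.example.test/login",
               "credential phish", audience={"dropbox", "bitly"})
    return {p: sorted(i.value for i in ex.query(p)) for p in ex.participants}


if __name__ == "__main__":
    for participant, values in sorted(demo().items()):
        print(participant, values)
```

The point of the design is that `query()` is the only read path and it applies `visible_to()` to every record, so a participant can never enumerate indicators it was not given; the publisher's own view is unrestricted so it can audit what it has shared.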
Tomi Engdahl says:
Facebook announced recently that the firm has updated its privacy policy to say that it can now track your every move on the internet, even when you’re logged out of the app.
Facebook can now track your every move on the internet
Update to privacy policy means social media can see your online searches
http://www.theinquirer.net/inquirer/news/2393694/facebook-can-now-track-your-every-move-on-the-internet
THE SOCIAL NETWORK Facebook has updated its privacy policy to say that it can now track your every move, even when you’re logged out of the app.
Facebook’s latest policy change will come as a knife in the heart to the privacy-aware, as the new policy allows the website to gather data about you from across the internet, including online searches and details shared with online retailers.
A Facebook spokesman explained: “It takes into account pages and places visited on Facebook, alongside browsing on the internet at large.”
Tomi Engdahl says:
Hacker kicks one bit XP to 10 Windows scroll goal
Screwy GUI carried dead code for 15 YEARS
http://www.theregister.co.uk/2015/02/12/hacker_kicks_one_bit_xp_to_10_windows_scroll_goal/
Windows operating systems from XP to version 10 can be popped with a single bit, researcher Udi Yavo says.
The hacker, formerly chief of the electronic warfare unit for Israeli defence contractor Rafael, detailed how the local privilege escalation vulnerability (CVE-2015-0057) fixed in this week’s Patch Tuesday update could grant attackers total control of machines.
“A threat actor that gains access to a Windows machine can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomisation,” Yavo said.
“Interestingly, the exploit requires modifying only a single bit of the Windows operating system.”
The vulnerability existed in the graphical user interface component of the Win32k.sys module.
The attack is useful for remote hackers with a low-privilege beachhead on a victim’s machine.
For this reason Yavo did not publish code that could allow attackers to pull off the hack, but it was reasonable to expect the Microsoft patch was being reverse engineered to forge an exploit.
Tomi Engdahl says:
IBM says dating apps can give you a nasty infection DOWN THERE!
Maybe chatting someone up at the bar isn’t such a bad idea after all
http://www.theregister.co.uk/2015/02/12/ibm_dating_app_security/
Valentine’s Day is just around the corner – and, purely coincidentally, IBM is warning techies about the risks of dating apps and websites.
Big Blue has published a report outlining the potential security risks associated with users running sex scheduling software on their smartphones and tablets.
Big Blue says it studied 41 different hookup apps, and claims it found that more than 60 per cent contained vulnerabilities that could be exploited by an attacker to compromise a device and steal data.
According to the IBM study, a number of exploitable flaws exist in the apps that could allow an attacker to perform operations such as man-in-the-middle attacks, phishing and cross-site scripting.
IBM recommends that users educate themselves on safe online dating practices including limiting the information they share on their profiles, checking app permissions and only running apps on trusted network connections. All good common sense that shouldn’t be a bolt from the Big Blue.
A Perfect Match: Uniting Mobile Security With Your Employees’ Use of Online Dating Apps
http://securityintelligence.com/datingapps/#.VNxmWy53B-s
IBM Report Details Potential Vulnerabilities That Could Compromise Mobile Security
New technology has completely revolutionized the dating process. Many people are using mobile dating applications to find their “special someones.” In fact, a recent Pew Research study found that 1 in 10 Americans have used a dating site or application, and the number of people who have dated someone they met online has grown to 66 percent over the past eight years. Even though many dating applications are relatively new to the market, Pew Research also found that an astonishing 5 percent of Americans who are in a marriage or committed relationship met their significant other online.
Tomi Engdahl says:
Darpa Is Developing a Search Engine for the Dark Web
http://www.wired.com/2015/02/darpa-memex-dark-web/
A new search engine being developed by Darpa aims to shine a light on the dark web and uncover patterns and relationships in online data to help law enforcement and others track illegal activity.
The project, dubbed Memex, has been in the works for a year and is being developed by 17 different contractor teams who are working with the military’s Defense Advanced Research Projects Agency. Google and Bing, with search results influenced by popularity and ranking, are only able to capture approximately five percent of the internet. The goal of Memex is to build a better map of more internet content.
“The main issue we’re trying to address is the one-size-fits-all approach to the internet where [search results are] based on consumer advertising and ranking,”
To achieve this goal, Memex will not only scrape content from the millions of regular web pages that get ignored by commercial search engines but will also chronicle thousands of sites on the so-called Dark Web—such as sites like the former Silk Road drug emporium that are part of the TOR network’s Hidden Services.
In a demo conducted for 60 Minutes, White’s team showed how law enforcement could possibly track the movement of people—both trafficked and traffickers—based on data related to online advertisements for sex.
For example, an ad attempting to sell the sexual services of a woman or child in one locale might pop up in another location and include a regional address or phone number. White says this kind of data has been used by investigators to find women who were being trafficked.
White won’t say how much the program is costing, but says it’s comparable to other data science projects that have been funded at $10 to $20 million.
Tomi Engdahl says:
Could you tell it from the genuine one? Watch out for scam sites like these or lose your money
Users of the payment service PayPal have been targeted with completely genuine-looking fake sites that steal users’ login IDs.
PayPal and its customers have long been a target for fraudsters. A number of scam sites identical to the genuine PayPal login page have been found. In general, online criminals are content to build the trap’s code mainly by copy-paste.
In typical fashion, the scammers used URLs resembling the real one, such as “redirectly-paypal.com” and “security-paypal-center.com”.
To avoid the trap, users should check the browser’s address bar and confirm that the current address is genuine. The genuine PayPal site is at https://www.paypal.com
Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-12/Erottaisitko-aidosta-Varo-t%C3%A4m%C3%A4n-kaltaisia-huijaussivustoja-tai-p%C3%A4%C3%A4set-rahoistasi-3215648.html
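The advice above (look at the address bar, and only https://www.paypal.com is genuine) is exactly the check a mail gateway or browser extension can automate. The following added example is not from the article or from PayPal: it classifies a URL as genuine, a lookalike that merely contains the brand name, or unrelated, using the page's own lookalike domains as samples. The genuine domain, the confusable-character table and the category names are this example's assumptions.

```python
"""Classify a URL from the address bar as genuine PayPal, a lookalike, or unrelated.

Added example, not from the article. Assumes the genuine site is
www.paypal.com (the page's own value) and that any subdomain of paypal.com
is genuine; the lookalike rules and the confusable-character table are
assumptions of this example, not a complete anti-phishing check.
"""
from urllib.parse import urlsplit

GENUINE_DOMAIN = "paypal.com"
BRAND = "paypal"

# Common digit/letter substitutions used in lookalike hosts (constructed table).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "@": "a"})


def _host_of(url):
    """Extract the lower-cased hostname; tolerate a missing scheme."""
    text = url.strip()
    parts = urlsplit(text)
    if not parts.scheme or parts.hostname is None:
        parts = urlsplit("http://" + text)
    return parts.scheme.lower(), (parts.hostname or "").lower().rstrip(".")


def classify(url):
    """Return (category, host) for the URL.

    Categories: "genuine", "genuine-but-not-https", "lookalike",
    "unrelated", "invalid".
    """
    scheme, host = _host_of(url)
    if not host:
        return "invalid", host
    # Only an exact registrable-domain match counts as genuine. A hyphen
    # ("security-paypal-center.com") or a trailing label
    # ("www.paypal.com.evil.test") is NOT a match.
    if host == GENUINE_DOMAIN or host.endswith("." + GENUINE_DOMAIN):
        if scheme != "https":
            return "genuine-but-not-https", host
        return "genuine", host
    # Normalise digits-for-letters and drop hyphens before looking for the brand.
    folded = host.translate(CONFUSABLES).replace("-", "")
    if BRAND in folded:
        return "lookalike", host
    return "unrelated", host


def triage(urls):
    """Map each URL to its category; the scam hosts below are the page's examples."""
    return {u: classify(u)[0] for u in urls}


if __name__ == "__main__":
    samples = [
        "https://www.paypal.com/signin",
        "http://redirectly-paypal.com/login",
        "https://security-paypal-center.com/",
        "https://www.paypal.com.evil.test/",
        "https://paypa1.com/",
        "https://example.com/",
    ]
    for url, cat in triage(samples).items():
        print("%-40s %s" % (url, cat))
```

The check deliberately refuses anything that is not the registrable domain itself or a subdomain of it, which is why `redirectly-paypal.com` is flagged even though it ends in `paypal.com`. It does not attempt internationalised-domain homoglyphs (Cyrillic letters that render like Latin ones) or pages that copy the login form onto an unrelated host; those need a certificate check or visual comparison rather than string matching.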
Tomi Engdahl says:
Cisco says GHOST is more Casper than Sleepy Hollow
Borg exorcised GHOST years ago when it sent IPv4 to the nether realms
http://www.theregister.co.uk/2015/01/29/cisco_ghost_is_more_casper_than_sleepy_hollow/
Cisco has put forward at least a partial response to 2015’s first branded bug, GHOST, saying that in The Borg’s world, the glibc vulnerability is probably of relatively low severity.
That would, at least, explain why it’s not being hunted with quite the urgency of something like Heartbleed in 2014: right now, Cisco’s advisory states that it hasn’t confirmed the vulnerability status of any individual products.
“The superseding function is getaddrinfo() which … is not affected by this buffer overflow”.
Cisco says its intrusion prevention system and next generation firewall both include rules that would block attempts to exploit GHOST, and the company will issue an advisory if any of its products turn out to be vulnerable and need patching.
Tomi Engdahl says:
EU Parliament blocks new Outlook apps over privacy concerns
http://www.itworld.com/article/2881635/eu-parliament-blocks-new-outlook-apps-over-privacy-concerns.html
Access to Microsoft’s new Outlook apps has been blocked for members of the European Parliament because of “serious security issues.”
Microsoft launched new Outlook apps for iOS and Android just over a week ago. The new apps are basically a rebranded version of a mail app made by Acompli, a company Microsoft bought in December for a reported US$200 million.
Access to the apps though was blocked on Friday by the Parliament’s IT department, DG ITEC, in order to protect the confidentiality and privacy of its users, according to an email seen by the IDG News Service.
“Please do not install this application, and in case you have already done so for your EP corporate mail, please uninstall it immediately and change your password,” it said.
The apps will send password information to Microsoft without permission and will store emails in a third-party cloud service over which the Parliament has no control, DG ITEC added in a message on the Parliament’s intranet.
In the Netherlands, the Delft University of Technology reportedly also started blocking the apps because they store contact data and passwords in the cloud.
Tomi Engdahl says:
Firefox To Mandate Extension Signing
http://tech.slashdot.org/story/15/02/11/210247/firefox-to-mandate-extension-signing
In a recent blog post, Mozilla announced its intention to require extensions to be signed in Firefox, without any possible user override. From the post: “For developers hosting their add-ons on AMO, this means that they will have to either test on Developer Edition, Nightly, or one of the unbranded builds. The rest of the submission and review process will remain unchanged, except that extensions will be automatically signed once they pass review.”
Introducing Extension Signing: A Safer Add-on Experience
https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/
This year will bring big changes for add-on development, changes that we believe are essential to safety and performance, but will require most add-ons to be updated to support them. I’ll start with extension signing, which will ship earlier, and cover other changes in an upcoming post.
The Mozilla add-ons platform has traditionally been very open to developers. Not only are extensions capable of changing Firefox in radical and innovative ways, but developers are entirely free to distribute them on their own sites, not necessarily through AMO, Mozilla’s add-ons site. This gives developers great power and flexibility, but it also gives bad actors too much freedom to take advantage of our users.
Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult.
An easy solution would be to force all developers to distribute their extensions through AMO, like what Google does for Chrome extensions. However, we believe that forcing all installs through our distribution channel is an unnecessary constraint. To keep this balance, we have come up with extension signing.
All Firefox extensions are affected by this change, including extensions built with the Add-ons SDK. Other add-on types like themes and dictionaries will not require signing and continue to install and work normally. Signature verification will be limited to Firefox, and there are no plans to implement this in Thunderbird or SeaMonkey at the moment.
Tomi Engdahl says:
A Crypto Trick That Makes Software Nearly Impossible to Reverse-Engineer
http://www.wired.com/2015/02/crypto-trick-makes-software-nearly-impossible-reverse-engineer/
Software reverse engineering, the art of pulling programs apart to figure out how they work, is what makes it possible for sophisticated hackers to scour code for exploitable bugs. It’s also what allows those same hackers’ dangerous malware to be deconstructed and neutered. Now a new encryption trick could make both those tasks much, much harder.
At the SyScan conference next month in Singapore, security researcher Jacob Torrey plans to present a new scheme he calls Hardened Anti-Reverse Engineering System, or HARES. Torrey’s method encrypts software code such that it’s only decrypted by the computer’s processor at the last possible moment before the code is executed. This prevents reverse engineering tools from reading the decrypted code as it’s being run.
“It protects software algorithms from reverse engineering, and it prevents software from being mined for vulnerabilities that can be turned into exploits.”
A company like Adobe or Autodesk might use HARES as a sophisticated new form of DRM to protect their pricey software from being illegally copied. On the other hand, it could also mean the start of a new era of well-armored criminal or espionage malware that resists any attempt to determine its purpose, figure out who wrote it, or develop protections against it. As notable hacker the Grugq wrote on twitter when Torrey’s abstract was posted to SyScan’s schedule, HARES could mean the “end of easy malware analysis. :D”
Torrey says he intends HARES to be used for protection against hacking.
HARES’s protections aren’t quite invincible. Any program that wants to use its crypto trick needs to somehow place a decryption key in a computer’s CPU when the application is installed. In some cases, a super-sophisticated reverse engineer could intercept that key and use it to read the program’s hidden commands.
Tomi Engdahl says:
This drone interceptor uses a net to take out smaller, weaker drones (and we want one)
http://metro.co.uk/2015/02/10/this-drone-interceptor-uses-a-net-to-take-out-smaller-weaker-drones-and-we-want-one-5057012/
Have you ever been getting undressed and seen a drone hovering outside your bedroom window, filming you at your most candid moments?
Well, what better way to take out a drone than with a bigger drone… with a net attached to it.
The Drone Interceptor MP200, or Rapere (which is Latin for ‘abduct’), has been developed by the French in order to stop people spying on their nuclear power sites.
Amazingly, the Rapere doesn’t even need to be controlled by a human. At just the press of a button it takes off and flies automatically.
France Tests Kamikaze, Netted Interceptor Drones To Protect Nuclear Reactors
Modern machines thwarted by flying nets
http://www.popsci.com/france-tests-kamikaze-netted-interceptor-drones-protect-nuclear-reactors
France has a drone problem. Someone keeps flying the remote-controlled devices over French nuclear reactors, which continued even after the country arrested some drone enthusiasts. So far 13 of the country’s 19 facilities have been buzzed. Looking for a way to stop quadcopters messing with, you know, nuclear reactors, France is testing out the only answer that makes sense: Bigger, badder drones.
Tomi Engdahl says:
Facebook Heir? Time to Choose Who Manages Your Account When You Die
The social network now lets you designate a ‘legacy contact’ for your digital afterlife
http://www.wsj.com/articles/facebook-heir-time-to-choose-who-manages-your-account-when-you-die-1423738802?mod=djemptech_t
You can finally decide what happens to your Facebook account when you die.
In a change of heart, the world’s most popular social network will begin allowing its members to designate someone—what they call a “legacy contact”—to manage parts of their accounts posthumously. Members can also choose to have their presence deleted entirely.
Facebook and other Internet services walk a difficult tightrope between respecting the privacy of the deceased and the demands of grieving friends and family.
Asking us to make plans for a digital afterlife may sound morbid, but it can bring clarity to an issue that’s both legally and emotionally challenging. In 2013, Google became the first major Internet company to allow users to select digital heirs for its Gmail, cloud storage and other services, dubbed “inactive account managers.”
What’s the point of maintaining a social network after death? Facebook legacy contacts will be able to manage accounts in a way that can turn the deceased person’s Facebook page into a kind of digital gravestone.
If they’re granted prior permission, legacy contacts can also download an archive of posts and photos from the deceased, but not the contents of his or her private messages.
Being a legacy contact is different from simply logging into the account of the deceased, and there are important things legacy contacts can’t alter.
To select your legacy contact, go to Settings and choose Security and then Legacy Contact at the bottom of the page—it’s the same for the Facebook website or mobile app.
Tomi Engdahl says:
Microsoft Fixes Critical Remotely Exploitable Windows Root-Level Design Bug
http://tech.slashdot.org/story/15/02/12/148215/microsoft-fixes-critical-remotely-exploitable-windows-root-level-design-bug
“In this month’s Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software. Of the nine security bulletins, three are rated Critical in severity, and among these three is one that addresses a years-old design flaw that can be exploited remotely to grant attackers administrator-level privileges to the targeted machine or device.”
Microsoft fixes critical remotely exploitable Windows root-level design bug
http://www.net-security.org/secworld.php?id=17935
“The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained in the bulletin.
“The vulnerability impacts core components of the Microsoft Windows Operating System. All computers and devices that are members of a corporate Active Directory may be at risk,” JAS Global Advisors, the discoverers of the bug, explained.
“The vulnerability is remotely exploitable and may grant the attacker administrator level privileges on the target machine/device. Roaming machines — Active Directory member devices that connect to corporate networks via the public Internet (possibly over a Virtual Private Network (VPN)) — are at heightened risk.”
Tomi Engdahl says:
Dutch government websites KO’d by 10-hour DDoS
Sustained assault took down gov mouthpiece
http://www.theregister.co.uk/2015/02/12/dutch_gov_websites_ddos/
The Netherlands government’s websites were taken offline for around 10 hours on Wednesday following a DDoS attack.
The motive for the sustained packet-flinging assault – directed against the Dutch government website’s hosting provider, Prolocation – remains unclear.
Darren Anstee, director of solutions architects at Arbor Networks, commented: “Based on the information currently available, it looks as if a variety of attack vectors may have been used in these attacks, which in itself is not that unusual.”
“Unfortunately, the sheer size and scale of hosting data centre operator network infrastructures and their massive customer base presents an incredibly attractive attack surface.”
“As enterprises increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating cyber threats – even as an indirect target.”
Tomi Engdahl says:
Teenage bug rocks Windows with malicious code threat
15-year-old problem is unlikely to go quietly to bed without a swift patching
http://www.theinquirer.net/inquirer/news/2395037/teenage-bug-rocks-windows-with-malicious-code-threat
A 15-YEAR-OLD Windows bug has erupted like acne and caused Microsoft to issue advice on setting up some kind of cyber sanctions.
‘No Xbox and no jelly beans for a week’ won’t work on this surly teenager, but hardened group policies should keep things in line.
Microsoft has released two patches to deal with the teenaged tearaway and they are MS15-011 and MS15-014. Taken together these plug a gap in group policies and limit the threat of third-party code execution.
“This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user with a domain-configured system to connect to an attacker-controlled network,” warns Microsoft about the ‘critical’ MS15-011.