Here are my predictions for trends in information security and cyber security for year 2016.
Year 2015 was a bad year for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice decided that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor violate the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge amount of user information leaked in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seem, in principle, to be okay; the leaks have now raised privacy issues on top of that.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.
The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
Old-style network security focused on perimeter defense is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff, which could happen in 2016 instead of the earlier planned January 1st, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are used in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
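A practical first step in the SHA-1 sunset described above is to find out which of your own certificates are still signed with it. The example below is added here and is not from the original post or from any browser vendor; it walks the outer `signatureAlgorithm` of a DER-encoded X.509 certificate with a minimal ASN.1 reader (no third-party libraries) and maps the OID to the hash it uses. All function names are mine, and because the example must run offline, `constructed_cert()` builds a structurally valid certificate shell with a dummy body and dummy signature so the parser has something to read; on a real system you would feed `load_pem()` the PEM files from your servers.

```python
"""Flag X.509 certificates whose signature algorithm uses SHA-1 (added example, minimal DER walk)."""
import base64

# Signature-algorithm OIDs and the hash each one uses (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode OID content octets (base-128 arcs, first octet packs the first two) into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return (oid, name, hash) of a DER certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, _tbs, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params OPTIONAL }
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest


def uses_sha1(cert_der):
    """True when the certificate signature relies on SHA-1 and should be replaced with a SHA-2 one."""
    return signature_algorithm(cert_der)[2] == "SHA-1"


def load_pem(pem_text):
    """Strip PEM armour lines and base64-decode the body."""
    body = "".join(l.strip() for l in pem_text.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def to_pem(der):
    """Wrap DER bytes in PEM armour (used to round-trip the constructed sample)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


# --- constructed sample input below; a real deployment reads certificates from disk or a TLS handshake ---
def _tlv(tag, content):
    """Encode one DER tag-length-value."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """CONSTRUCTED: a certificate shell with a stand-in body and an all-zero signature, for the parser only."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # stand-in tbsCertificate
    params = _tlv(0x05, b"") if sig_oid.startswith("1.2.840.113549") else b""  # RSA: NULL; ECDSA: absent
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + params)
    sig = _tlv(0x03, b"\x00" + bytes(64))                        # BIT STRING, 0 unused bits, dummy value
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.1"):
        der = constructed_cert(oid)
        print(signature_algorithm(der), "-> replace before the cutoff" if uses_sha1(der) else "-> ok")
```

Run it over the leaf and intermediate certificates of a chain; a self-signed root's own signature is not verified by browsers, so SHA-1 on a trust anchor is not what the browser deprecation targets. Anything that reports `SHA-1` here is what the early cutoff above will start flagging.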
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token, or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smart phone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with malicious ransom schemes. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend making sure that your IT support or your service provider has a data backup and restore procedure that is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
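Two recommendations in this post share one mechanism: the “integrity solution that acts like an alarm” from the perimeter-defense paragraph, and the backup and restore procedure that must be “practiced and tested” from the ransomware paragraph above. Both come down to a hash manifest of known-good files. The example below is added here and is not from the original post or from any product; the function names are mine. It baselines a directory tree, reports modified, added and missing files against that baseline (the alarm), and treats a restore as tested only when the restored tree matches the baseline exactly. The sample files, the simulated unauthorized modification and the restore are all constructed in a temporary directory so the script runs offline.

```python
"""Hash manifest as integrity alarm and as restore check (added example)."""
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 65536


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (path relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(path)
    return manifest


def compare(baseline, current):
    """Diff two manifests: which files changed content, appeared, or disappeared."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def check_tree(root, baseline):
    """The alarm: re-hash the live tree and diff it against the stored baseline."""
    return compare(baseline, build_manifest(root))


def restore_ok(restored_root, baseline):
    """The restore test: a backup only counts as tested when the restored tree matches the baseline."""
    diff = check_tree(restored_root, baseline)
    return not any(diff.values()), diff


def dump_manifest(manifest):
    """Serialize deterministically; keep this copy off the monitored host so an intruder cannot rewrite it."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def demo():
    """CONSTRUCTED scenario: baseline, tamper with the live copy, confirm the alarm and the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "reports"))
        with open(os.path.join(live, "ledger.csv"), "w") as f:
            f.write("2016-01-04,invoice-1001,100.00\n")
        with open(os.path.join(live, "reports", "q4.txt"), "w") as f:
            f.write("Q4 summary\n")
        baseline = build_manifest(live)

        # Backup taken while the tree is known-good.
        backup = os.path.join(tmp, "backup")
        shutil.copytree(live, backup)

        # Simulated unauthorized change: one file overwritten, one unexpected file dropped in.
        with open(os.path.join(live, "ledger.csv"), "wb") as f:
            f.write(os.urandom(32))
        with open(os.path.join(live, "ledger.csv.locked"), "w") as f:
            f.write("placeholder\n")

        alarm = check_tree(live, baseline)              # should name ledger.csv and the new file
        ok, _ = restore_ok(backup, baseline)            # should be True: backup matches baseline
        return alarm, ok


if __name__ == "__main__":
    alarm, ok = demo()
    print(json.dumps(alarm, indent=2))
    print("restore verified:", ok)
```

Run `build_manifest()` on a freshly provisioned system and keep the JSON somewhere the monitored host cannot write; schedule `check_tree()` and page on any non-empty list. The same manifest is what makes a restore drill meaningful: restoring into a scratch directory and getting `restore_ok()` true is the difference between a backup you have and a backup you have tested.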
Keep in mind that everything connected to the Internet can, and will be hacked. In 2016 If You’re Not Paranoid, You’re Crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have solution for that.
Tomi Engdahl says:
Tech Companies Face Criminal Charges If They Notify Users of UK Government Spying
http://news.slashdot.org/story/15/12/31/0339255/tech-companies-face-criminal-charges-if-they-notify-users-of-uk-government-spying
Last week, Yahoo became the latest company promising to alert users who it suspected were being targeted by state-sponsored attacks (excepting Microsoft, who made a similar announcement just today). Twitter, Facebook and Google had previously assured their users that they would be warned of any potential government spying. The UK, it seems, isn’t happy about this. They are pushing through a bill that will punish the leaders of any company that warns its users about British snooping with up to two years in prison.
Tech companies face criminal charges if they notify users of UK government spying
http://www.techspot.com/news/63292-tech-companies-face-criminal-charges-if-they-notify.html
Last week, it was reported that Yahoo had become the latest company that promised to alert users who it suspected were being spied on by state-sponsored actors. Twitter, Facebook and Google had previously assured their users that they would also warn them of any potential government spying. The UK, it seems, isn’t happy about this, and is pushing through a bill that will see the bosses of any company that warns its members that British agencies are monitoring them face up to two years in prison.
Specifically, UK ministers want to make it a criminal offence for tech firms to warn users of requests for access to their communication data made by security organizations such as MI5, MI6 and GCHQ (the Government Communications Headquarters).
Tomi Engdahl says:
Lessig: Future Tech Will Help Privacy Catch Up With the Internet
http://yro.slashdot.org/story/15/12/30/239212/lessig-future-tech-will-help-privacy-catch-up-with-the-internet
In a new interview, Harvard law professor Lawrence Lessig shared his view of the future of privacy in this age of data breaches. “The average cost per user of a data breach is now $240 — think of businesses looking at that cost and saying, ‘What if I can find a way to not hold that data, but the value of that data?’ When we do that, our concept of privacy will be different. Our concept so far is that we should give people control over copies of data. In the future, we will not worry about copies of data, but using data.
Lawrence Lessig: Technology Will Create New Models for Privacy Regulation
http://blogs.wsj.com/cio/2015/12/30/lawrence-lessig-how-technology-policy-will-evolve/
There’s no consensus about how the use of personal information should be governed, in the U.S. or globally. What do you think the best international framework for regulating the use of data should be?
What is happening in the technology space will really change in the next three to five years. At MIT, the Enigma group basically makes it possible to use and maintain data without holding data. I am able to ping the server and it processes nothing beyond the data that I need to know … it will make sense for people to no longer hold data, accept in a very narrow sense.
The average cost per user of a data breach is now $240 … think of businesses looking at that cost and saying “What if I can find a way to not hold that data, but the value of that data?” When we do that, our concept of privacy will be different. Our concept so far is that we should give people control over copies of data. In the future, we will not worry about copies of data, but using data. The paradigm of required use will develop once we have really simple ways to hold data. If I were king, I would say it’s too early. Let’s muddle through the next few years. The costs are costly, but the current model of privacy will not make sense going forward.
If I ping a service, and it tells me someone is over 18, I don’t need to hold that fact. … The level of security I have to apply … [is not] the same [that] would be required if I was holding all of this data on my servers. This will radically change the burden of security that people will have.
I think the market will move strongly in that direction. Let the bank keep the money you have. You hold it once in awhile when you want to use it. That is the analogy here.
… I don’t hold data on how old you are, but I could of course capture that data once I ping the server. Then the law needs to control the actual uses of the data, make it possible for systems to insist on single-use purposes.
That … is what the future of privacy regulation looks like. I think the future will be one where I will be able to block (certain) data on a driver from being passed through to an insurance company.
The Snowden revelations triggered a lot of conversation about what the limits of mass government surveillance ought to be. Do you think that any further tightening of those limits is likely, or in order?
I don’t see the political will to really do anything about that. The Snowden revelations advanced hope that there would be this really excited response that would get government to impose really strict regulations. There was some posturing made, and it seemed like we were heading in that direction, but I don’t think we are going there. The NSA won’t be free to do everything, but especially now, we are not going to back away from the war on terror, no matter how idiotic this way of conducting this war is.
Now that the Safe Harbor agreement governing the exchange of data between the U.S. and Europe has been struck down by European courts, do you foresee a sustained push to rein in U.S. Internet businesses in Europe?
I am skeptical. They are going to make it seem that they are protecting privacy, but when push comes to shove, if certain services are not available to you because of privacy restrictions, you back out of restrictions. This is where I think new architecture is going to be so important.
Do you think that the concept of Net Neutrality, which advanced during the Obama administration, will survive coming challenges?
The thing that people will resist … the slogan says regulation should be more technology neutral. I am not sure I ever heard a more idiotic statement in my life. There is no neutrality here, just different modes …
Tomi Engdahl says:
Olga Kharif / Bloomberg Business:
Future of Bitcoin Foundation remains unclear as support and funds dwindle, ex-board members face criminal investigations
The Final Days of the Bitcoin Foundation?
http://www.bloomberg.com/news/articles/2015-12-30/the-final-days-of-the-bitcoin-foundation-
With support dwindling, funds almost depleted, and ex-board members under criminal investigation, bitcoin’s pioneering advocacy group is a symbol for the digital currency’s growing pains.
Bruce Fenton, executive director at the Bitcoin Foundation, opened its Dec. 15 board meeting with a sense of urgency: “We need additional funds if we wish to retain employees.” The numbers didn’t look good. In two years, the foundation had seen at least $7 million evaporate. As of Nov. 30, its total assets stood at $12,553.06.
To sustain the Bitcoin Foundation’s operations, which have included lobbying, putting on conferences, and providing technical support for the digital currency, Fenton urged the group to find ways to raise money quickly. They considered cold-calling ex-members, and Fenton said he’s working on marketing materials for prospective donors to explain the organization’s purpose. “There is no material saying what the foundation does,” he said.
The Bitcoin Foundation has become a symbol of the challenges facing the digital asset it was designed to steward. While advocates have promoted bitcoin as a global, decentralized currency for the Internet age, it’s proved to be more volatile than many penny stocks. Its role in money laundering and other illegal activity is a constant source of questions, and the price fluctuates with each regulatory clampdown or criminal investigation. In November 2013, it reached a high of $1,137 before falling to $183 in January 2015 following a slew of problems, including the collapse of Mt. Gox, once the world’s largest bitcoin exchange.
Beyond financial trouble, two former Bitcoin Foundation board members have been charged with crimes.
When the Bitcoin Foundation was formed in 2012, the group was intended to give legitimacy to a relatively unknown technology. By the end of that year, bitcoin traded at about $13.
U.S. lawmakers and congressional committees appreciated having a central figure to represent bitcoin, but foundation members have sometimes become punching bags for politicians.
Techies bought into the promises of bitcoin and were eager to donate to further its cause. At the end of 2013, the Bitcoin Foundation reported $7 million in assets
Then things changed. By mid-2014, funds were down to $4.6 million, and the burst of the bitcoin bubble that year took a toll on the foundation almost immediately. “I hired lobbying in Brussels in 2014, and then we scaled it right back because the money was gone,”
The pressure revealed the foundation’s underlying weaknesses. Supporters were inexperienced at raising money, and until recently, few paid attention to expenses
Lee acknowledged “budget and leadership problems in the past.”
“There are lots of different bitcoin foundations, so the name may change, but the mission will carry on,”
“I don’t think it matters at all if the Bitcoin Foundation were to close. The Bitcoin Foundation laid the groundwork for the ecosystem that we have today.”
Finally, the board “voted to continue the existence of the foundation” and established an optional board seat for bitcoin’s mysterious creator, “if and when Satoshi ever reveals him or herself.”
Tomi Engdahl says:
Scott Charney / Microsoft on the Issues:
Microsoft now notifies users if it believes their accounts were targeted by a state-sponsored hacker — Additional steps to help keep your personal information secure — We’re committed to helping our users keep their personal information secure and private.
Additional steps to help keep your personal information secure
http://blogs.microsoft.com/on-the-issues/2015/12/30/additional-steps-to-help-keep-your-personal-information-secure/
There are some important steps that everyone should take to help keep their Microsoft Account and their online personal information secure including:
Turn on two-step verification: This makes it harder for hackers to access your account even if they guess your password because if they try to sign in on a device Microsoft doesn’t recognize, we’ll ask for an extra security code (which you can get from a special app on your phone, sent to a different email address or via SMS text message).
Use a strong password and change it often: Make sure your password contains a mix of letters, numbers and symbols, isn’t a complete word and is different than the password you use on other sites. Be sure to change your password often.
Watch for suspicious activity on your account: The “Recent Activity” page on your Microsoft Account shows recent sign-ins and changes to your account, and allows you to let Microsoft know if you were not the person making these changes.
Be careful of suspicious emails and websites: Don’t open emails from unfamiliar senders or email attachments that you don’t recognize. Be careful when downloading apps or files from the Internet, and make sure you know the source.
Keep your computer software, including your Web browser, up to date and run an up-to-date anti-virus program: For Windows PCs, you should turn on Windows Update to ensure your PC and Microsoft software stay up to date. You should install a reputable anti-virus/ anti-malware software. Both Windows 8.1 and Windows 10 already include free anti-malware software called Windows Defender.
Tomi Engdahl says:
Joseph Cox / Motherboard:
Tor Project launching a bug bounty program with HackerOne, sponsored by Open Technology Fund — The Tor Project Is Starting a Bug Bounty Program — The Tor Project, the non-profit that maintains software for anonymity on the internet, will soon be offering a bug bounty program …
The Tor Project Is Starting a Bug Bounty Program
http://motherboard.vice.com/read/the-tor-project-is-starting-a-bug-bounty-program
The Tor Project, the non-profit that maintains software for anonymity on the internet, will soon be offering a bug bounty program, meaning those who find vulnerabilities in Tor applications could get paid for their efforts.
The announcement was made during the recurring “State of the Onion” talk at Chaos Communication Congress, an art, politics and security conference held annually in Hamburg, Germany.
Tomi Engdahl says:
Joshua Eaton / Christian Science Monitor:
Phasing out of SHA-1 encryption means millions of people in developing world, where use of older devices and browsers is prevalent, will be at risk from hackers
Digital divide widens as the Web adopts stronger encryption standard
http://www.csmonitor.com/World/Passcode/2015/1230/Digital-divide-widens-as-the-Web-adopts-stronger-encryption-standard
Because the switch to a newer encryption algorithm means older phones won’t be able to use basic Web security measures, many in the developing world will be at greater risk from criminals and online surveillance.
On New Year’s Day, a change meant to strengthen online security will have the inverse effect, too, leaving millions of users’ Web traffic completely exposed.
Microsoft, Google, and Mozilla will start phasing out older Internet encryption in Edge, Chrome, and Firefox browsers in favor of a newer, more secure standard. The aim is to get websites to adopt a beefier security method for ensuring private communications and safe bank transactions over the Internet.
But Web browsers that haven’t been updated in the past few years or older generations of many mobile devices, which are commonplace in much of the developing world, will be unable to use the updated encryption standard. That means that many of those users will lose access to online functions protected by the Web protocol called Secure HTTP, or HTTPS.
Losing HTTPS access will put users at risk from hackers and digital thieves, says Kurt Rohloff, an associate professor of computer science at the New Jersey Institute of Technology. It will also block one of the simplest ways of avoiding online surveillance and censorship.
That’s especially concerning because older phones are common in many countries with the highest levels of online censorship.
It is difficult to find hard data on the number of older smartphones in developing markets that could be affected by the change. Somewhere between 3 and 7 percent of Web browsers in use around the world cannot use the newer HTTPS standard, according to Facebook.
In many African countries, for instance, cellphones take the place of banks as well as desktop computers, with usage of mobile money – and mobile cons – widespread. Phasing out the older encryption standard could leave those users even more exposed, experts worry.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
Takeover of Brian Krebs’ PayPal account illustrates why authentication via static identifiers (like SSN and DOB) is highly vulnerable to identity thieves
2016 Reality: Lazy Authentication Still the Norm
http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-the-norm/
My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.
I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.
Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.
PayPal locked the account shortly after the assailant allegedly tried to send my money
In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.
Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.
This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.
I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.
Nevermind that it was PayPal’s lack of any modern authentication methods that led to this mess.
For better or worse, this isn’t the first time I’ve had to deal with weaknesses in PayPal’s anti-fraud systems.
Tomi Engdahl says:
Microsoft Monitoring How Long You Use Windows 10
http://yro.slashdot.org/story/16/01/04/2238225/microsoft-monitoring-how-long-you-use-windows-10
The various privacy concerns surrounding Windows 10 have received a lot of coverage in the media, but it seems that there are ever more secrets coming to light. The Threshold 2 Update did nothing to curtail privacy invasion, and the latest Windows 10 installation figures show that Microsoft is also monitoring how long people are using the operating system.
Why is Microsoft monitoring how long you use Windows 10?
http://betanews.com/2016/01/04/why-is-microsoft-monitoring-how-long-you-use-windows-10/
This might seem like a slightly strange statistic for Microsoft to keep track of, but the company knows how long, collectively, Windows 10 has been running on computers around the world. To have reached this figure (11 billion hours in December, apparently) Microsoft must have been logging individuals’ usage times. Intrigued, we contacted Microsoft to find out what on earth is going on.
You think that Microsoft — keen as it is on transparency — would be quite happy to explain how it came about the information, and why it is being collected in the first place. But no.
Tomi Engdahl says:
Security bod watches heart data flow from her pacemaker to doctor via … er, SMS? 3G? Email?
Wow, beats me
http://www.theregister.co.uk/2016/01/05/researcher_hacks_her_own_pacemaker/
A computer security researcher has probed the communication protocols used by her pacemaker – and hopes her findings will raise awareness of just how much info medical devices are emitting.
Moe, once of Norway’s Computer Emergency Response Team, found the device had two wireless interfaces: some near-field communications (NFC) electronics used to exchange data with medical equipment during hospital check-ups, and another system for communicating with a bedside device.
Leverett says the bedside unit passes sensitive medical information about herself from her pacemaker to remote servers, and finally to her doctor’s workstation, via communications channels from SMS and 3G to the standard internet. Leverett fears these channels are not necessarily secure, and the servers are often held in foreign countries – which all in all is a headache for privacy.
“Personally I am not worried about being remotely assassinated, I am more worried about software bugs,” Moe told the Chaos Communications Congress in Hamburg, Germany, at the end of December.
“As a patient I am expected to trust that my device is working correctly and that every security bug has been corrected by the vendor, but I want to see more testing and research [because] we can’t always trust vendors.”
Moe and Leverett say they found other sketchy devices during their research – some running Bluetooth, and others spewing critical device information to Amazon cloud instances.
All manner of critical medical devices have been hacked, some from metres away using wireless technologies. Defibrillators have been turned off, insulin pumps forced to dump their contents, and thousands of hospital networks and critical devices and databases found open to hacking.
“We don’t want to hype the point [of fatal medical exploits] we want to show that hacking can save lives, and that hackers are a global resource to save lives,” Leverett says.
Moe is one of a handful of security professionals who are prodding life-critical medical devices in an effort to audit and improve security postures. Researcher Jay Radcliffe has investigated his insulin pump – describing his efforts at Black Hat 2011 – and free-software advocate Karen Sandler has explored her cardiac defibrillator. Hugo Campus is continuing to tinker with his defibrillator in an effort to gain access to his medical data.
These medical hackers last year successfully lobbied US Congress to allow exemptions to restrictive DMCA laws permitting hackers to explore medical devices, and hack vehicles.
Software flaws are not only security-related; Moe recounts one instance when her pacemaker had to be debugged after it was set to deliver the wrong number of beats, making her nearly collapse after climbing stairs at Covent Garden station.
A series of tests revealed the pacemaker software was misconfigured
Tomi Engdahl says:
Dutch govt says no to backdoors, slides $540k into OpenSSL without breaking eye contact
People need encryption to be safe and secure, says ministry
http://www.theregister.co.uk/2016/01/04/dutch_government_says_no_to_backdoors/
The Dutch government has formally opposed the introduction of backdoors in encryption products.
A government position paper, published by the Ministry of Security and Justice on Monday and signed by the security and business ministers, concludes that “the government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability and use of encryption within the Netherlands.”
The conclusion comes at the end of a five-page run-through of the arguments for greater encryption and the counter-arguments for allowing the authorities access to the information.
“By introducing a technical input into an encryption product that would give the authorities access would also make encrypted files vulnerable to criminals, terrorists and foreign intelligence services,” the paper noted. “This could have undesirable consequences for the security of information communicated and stored, and the integrity of ICT systems, which are increasingly of importance for the functioning of the society.”
The formal position comes just months after the Dutch government approved a €500,000 ($540,000) grant to OpenSSL, the project developing the widely used open-source encryption software library.
Tomi Engdahl says:
Half of UK financial institutions vulnerable to well-known crypto flaws
We can’t name names, say consultancy, suffice to say they’re at risk
http://www.theregister.co.uk/2016/01/05/uk_financial_institution_ssl_shortcomings/
Fifty per cent of UK high street financial institutions utilise weak SSL certificates on their secure authentication portals, according to a new study by Xiphos Research.
An assessment of 84 UK- and foreign-owned banking institutions in November by the international information security firm, and published on Monday, found that more than half were running SSL certificates that may expose their customers data to unwarranted risk.
Problems identified included certificate instances that may be vulnerable to well-documented attacks, such as CRIME and POODLE, as well as other crypto flaws.
No 0day Necessary – Bank SSL
http://xiphosresearch.com/2016/01/04/No-0day-Necessary-Finance-SSL.html
In November last year we examined Cross Domain Policy issues within the Top 500 Internet applications in the United Kingdom (according to Alexa). Following this research we decided to turn our attentions to specific sectors that may be most at risk from attackers in the UK and low skilled attacks that could be utilised. One particular area of focus was the UK finance industry. The UK finance industry is one of the largest in the world, and so, the logic follows, it should be one of the most robust from a security perspective. Sadly, our findings seem to contradict this.
In May of 2015, noted security researcher Troy Hunt examined the security of the Secure Sockets Layer (SSL) certificates associated with Australian banking institutions
To conduct this research we examined the SSL certificate instances associated with the secure login functions for a variety of UK based financial institutions. This was done by anonymously submitting associated URLs to the SSLLabs service from Qualys. It should be noted that no invasive testing was performed to obtain the results of this research, and that no additional actions other than enumeration of weaknesses within certificate instances were engaged in. Without further ado here is what we found:
Of the 22 UK owned retail banks we examined, 50% were found to have insecure SSL instances.
Of the 25 Foreign owned retail banks operating in the UK we examined, 79% were found to have insecure SSL instances.
Of the 37 UK building societies we examined, 51% were found to have insecure instances.
Of the 84 SSL instances included as part of this research, 12 of them (or 14%) were rated by SSLLabs as F (the worst possible score they could have had).
That’s actually shockingly bad, when you consider that what we were concerned with was not the generic customer facing Internet sites associated with financial institutions but the URL instances associated with their login functions. So what do we mean when we say insecure?
A number (8) of the authentication URLs associated with UK financial institutions were found to be impacted by the POODLE (Padding Oracle on Downgraded Legacy Encryption) vulnerability found by the Google security team in October 2014. This is a Man in The Middle vulnerability (meaning an attack would have to be interjected between the client browser and impacted bank servers)
Xiphos found that of the SSL certificate instances, four (or 4.7%) were vulnerable to the CRIME attack.
The CRIME vulnerability is a general attack that works against a number of SSL protocols. It is a security exploit that can allow an attacker to intercept secret web cookie instances over connections that use HTTPS and SPDY protocols that use data compression.
During the course of this research it was found that 9 SSL instances (10.7%) were operating using version 3 of the SSL protocol. Initially created by Netscape, SSL is a cryptographic protocol stack to provide encrypted communications. Version 3 of SSL was officially deprecated as of December 2014 owing to the POODLE attack and the potential for an attacker to downgrade the encryption in use, thus potentially jeopardising the security of encrypted communications in transit.
Of the certificate instances assessed for this research, 36 (or 36% of all certificates) were found to be operating certificate instances that presently utilise SHA1 hashing functions.
TLS (Transport Layer Security) is the successor for SSL and was first introduced in 1999. In April 2015 the PCI Council announced that no new secure applications (that accept or transact payments) should utilise older versions of the TLS protocol (the later iteration TLS 1.2 was released as of 2008). In 26 certificate instances (30.9%) Xiphos found that TLS 1.2 was unsupported.
Attacks against the RC4 cipher have theoretically been possible for a number of years and when combined with older protocols such as TLS 1 it may be possible to degrade or negatively impact upon the security of data in transit (most notably the Lucky 13 attack detailed elsewhere in this post). The standard recommendation is that secure sites implement TLS 1.2 with the GCM cipher suites. Of the SSL certificate instances assessed as part of this research, 35 (or 41.6%) were found to support the RC4 cipher.
As part of this research cycle, we have attempted to reach out to affected banks and financial institutions. This has not been an easy task to accomplish. All the affected organisations do not have generic security contacts and sadly many public facing call centres are ill equipped to provide details. Faced with growing frustration, we reached out to the Financial Conduct Authority
As things stand, over 50% of banks and building societies in the UK have weak SSL implementations associated with their secure login functions. And the impacted parties don’t seem to care.
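The Xiphos findings above boil down to five checks (SSLv3/POODLE, compression/CRIME, RC4, SHA-1 certificates, no TLS 1.2) that any site owner can run against their own login endpoint. The following is an added example, my own code rather than anything from Xiphos Research or SSLLabs: a checklist that applies those criteria to a summarised scan result, plus a Python ssl server context configured so that none of them can appear. The scan dictionaries are constructed stand-ins, the dict layout is my own assumption, and the hostnames are placeholders, not real banks.

```python
import ssl

# Added example (not Xiphos Research's tooling): apply the weaknesses named in
# the article to scanner output, and build a server context that avoids them.


def assess_tls(scan):
    """Return the findings the article's criteria would raise for one endpoint.

    `scan` is a plain dict summarising what a scanner (SSLLabs, openssl s_client)
    reported; its layout is an assumption of this example: supported protocol
    names, offered cipher suite names, whether TLS compression is enabled, and
    the certificate signature algorithm.
    """
    findings = []
    protocols = set(scan.get("protocols", ()))
    if "SSLv3" in protocols:
        findings.append("SSLv3 offered: POODLE downgrade (deprecated December 2014)")
    if "TLSv1.2" not in protocols:
        findings.append("TLS 1.2 unsupported: conflicts with PCI guidance for payment apps")
    if scan.get("compression"):
        findings.append("TLS compression enabled: CRIME")
    if any("RC4" in name.upper() for name in scan.get("ciphers", ())):
        findings.append("RC4 cipher suites offered")
    if scan.get("cert_sig_alg", "").lower().startswith("sha1"):
        findings.append("certificate signed with SHA-1")
    return findings


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side ssl.SSLContext that cannot exhibit any of the findings above:
    TLS 1.2 minimum, no compression, AEAD (GCM/ChaCha20) suites only, no RC4."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3, TLS 1.0, TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # closes the CRIME channel
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!MD5")
    if certfile:                                   # caller supplies a SHA-256-signed chain
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_summary(ctx):
    """Settings of a context in the same vocabulary as assess_tls, so the
    hardened context can be checked the same way as a scan result."""
    names = [suite["name"] for suite in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "rc4_offered": any("RC4" in n.upper() for n in names),
        "cipher_count": len(names),
    }


# Constructed scan results standing in for a weak and a fixed login endpoint.
WEAK_SCAN = {
    "host": "login.weak-bank.example",
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.1"],
    "ciphers": ["RC4-SHA", "AES128-SHA"],
    "compression": True,
    "cert_sig_alg": "sha1WithRSAEncryption",
}
FIXED_SCAN = {
    "host": "login.fixed-bank.example",
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"],
    "compression": False,
    "cert_sig_alg": "sha256WithRSAEncryption",
}

if __name__ == "__main__":
    for scan in (WEAK_SCAN, FIXED_SCAN):
        print(scan["host"], assess_tls(scan) or ["no findings"])
    print(context_summary(hardened_server_context()))
```

The cipher string follows the article's own recommendation (TLS 1.2 with GCM suites); the "!RC4" and "!MD5" entries are belt-and-braces, since modern OpenSSL builds no longer offer RC4 anyway. The checklist deliberately stays at the level the article describes and does not grade endpoints the way SSLLabs does.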
Tomi Engdahl says:
New OpenDNSSEC doesn’t want you to … ride into the danger zone
(With apologies to pop sysadmin Kenny Log-ons)
http://www.theregister.co.uk/2016/01/04/opendnssec_catches_up_with_expanding_use/
A new version of OpenDNSSEC – an open-source implementation of DNSSEC – is hoping to plug a problem it is happy to have: increased use.
Release candidate of version 1.4.9 was put out Monday for testing, with the key new feature being the ability to deal with a large number of zones – more than 50.
“Too much concurrent zone transfers causes new transfers to be held back. These excess transfers however were not properly scheduled for later,” the release notes highlight.
It is a problem that the OpenDNSSEC team, which largely comprises engineers from a number of country-code top-level domains such as the UK’s Nominet, Canada’s CIRA, the Netherlands’ SIDN and Sweden’s IIS, is happy to see.
DNSSEC enables internet infrastructure companies, including registries and ISPs, to digitally sign their zones and so make it much harder for people to spoof DNS traffic. The protocol is notoriously difficult and expensive to implement however, which has led to slower-than-hoped-for uptake.
The OpenDNSSEC team started work back in March 2009 on a system that would make it simpler and hence cheaper to implement the protocol, releasing version 1.0.0 just under a year later.
The software handles the complex process of signing a zone automatically and includes secure key management, all of which means fewer manual operations.
https://lists.opendnssec.org/pipermail/opendnssec-announce/2016-January/000110.html
Tomi Engdahl says:
Warning: the popular e-commerce software Zen Cart has a serious hole, says Finnish Communications Regulatory Authority.
Successful exploitation of the critical vulnerability allows attackers to execute program code. A public exploitation method for the vulnerability has been published. You need to update Zen Cart software immediately.
Source: http://www.tivi.fi/Kaikki_uutiset/varoitus-suositussa-verkkokauppaohjelmistossa-on-vakava-reika-6243137
Tomi Engdahl says:
Linode: Back at last after ten days of hell
Geo-blocks half the world to stop the DoS
http://www.theregister.co.uk/2016/01/04/linode_back_at_last_after_ten_days_of_hell/
Linode reckons its long outage has come to an end, although its most-current message says there may be “intermittent” issues for users, mostly of its Atlanta facility.
The company has been the target of a heavy and sustained denial-of-service (DoS) attack that began on Christmas Day.
Under criticism for its initial silence about the issue, on New Year’s Eve the company offered this extensive post from a network engineer, Alex Forster. In it, Forster details just how many of the company’s systems were under attack. There were:
High-volume attacks on its DNS infrastructure;
The same against “all of our public-facing Websites”, knocking out Linode Manager;
“400 bad request” attacks on the same Websites, again hitting Linode Manager;
DoS against Linode’s colocation provider “overwhelming the router control planes and causing significant congestion/packet loss”;
The same against Linode’s own network infrastructure.
At the time of the post, Forster wrote, there had been 30 “significant” attacks, and each time the company closed a vector, the attackers switched vectors.
As Linode’s status page states, the company has had to send many regions in the world to /dev/null (so to speak) to keep its systems alive:
“For the short term, we will be using BGP communities to attempt to block Asia Pacific, the Middle East, South America, and others, hopefully leaving us only with traffic from North America and Western Europe. Blocking geographic regions this way is the only way to make sure that large botnets won’t be able to launch further attacks.”
An update from Linode about the recent DDoS attacks
Scheduled Maintenance Report for Linode
http://status.linode.com/incidents/mmdbljlglnfd
Tomi Engdahl says:
Tor launches invite-only exploit bug bounty
HackerOne to open to noisy rabble later this year.
http://www.theregister.co.uk/2016/01/05/tor_launches_inviteonly_exploit_bug_bounty/
Tor will this year investigate an exploit bug bounty paying researchers cash for flaws, lead developer Mike Perry says.
The HackerOne invite-only scheme is expected to be opened to the public after Tor finds its feet handling disclosures.
Bug bounties are a booming initiative under which tens of thousands of dollars are being handed out to hackers for quietly reporting dangerous holes in some of the world’s most popular platforms.
Invite-only bounties are opened only to accomplished researchers who submit fewer false positives and higher-quality reports than those competing in public bounties.
“We will be doing exploit bounties … starting out invite only so we can get used to the flow, and then scale up to public later in the year,”
Tomi Engdahl says:
Web developers rejoice; Internet Explorer 8, 9 and 10 die on Tuesday
http://thenextweb.com/microsoft/2016/01/05/web-developers-rejoice-internet-explorer-8-9-and-10-die-on-tuesday/
Internet Explorer has long been the bane of many Web developers’ existence, but here’s some news to brighten your day: Internet Explorer 8, 9 and 10 are reaching ‘end of life’ on Tuesday, meaning they’re no longer supported by Microsoft.
A patch, which goes live on January 12, will nag Internet Explorer users on launch to upgrade to a modern browser.
It’s great news for developers who still need to target older browsers — not needing to worry about whether or not modern CSS works in these browsers is a dream, and it’s much closer with this move.
End of life means the browsers will no longer receive security updates or any other kind of patches, leaving those running them wide open to new vulnerabilities in the future.
Tomi Engdahl says:
Johana Bhuiyan / BuzzFeed:
Uber agrees to overhaul privacy and security practices and pay a $20K fine in settlement over “God View” with New York Attorney General Eric Schneiderman — Uber Settles With New York Attorney General Over “God View” Tracking Program — The ride-hailing company agrees to overhaul …
Uber Settles With New York Attorney General Over “God View” Tracking Program
http://www.buzzfeed.com/johanabhuiyan/uber-settles-godview#.hmzY4jljm
The ride-hailing company agrees to adopt more rigorous privacy and security practices, and pay a $20,000 fine following an investigation prompted by a BuzzFeed News report.
Tomi Engdahl says:
The past year has taught us that breaches can happen to any organisation whether you’re a telecommunications company or a pub chain, but it isn’t the new “celebrity” vulnerabilities that we’re falling for – it’s attacks like SQL injection that have been around for 10+ years. We need to get the security basics right and solve the problems of today before trying to predict what will happen in the future.
Source: https://information.rapid7.com/expert-panel-stop-trying-to-predict-the-future-live-emea.html?mkt_tok=3RkMMJWWfF9wsRonuKTKd%2B%2FhmjTEU5z16u0tWKOxiokz2EFye%2BLIHETpodcMTcJkNLjYDBceEJhqyQJxPr3BJdUN0dtpRhPlDw%3D%3D
Tomi Engdahl says:
Security testing market seen reaching $6.9 billion by 2020
http://www.cablinginstall.com/articles/2015/12/abi-security-testing.html?cmpid=EnlCIMCablingNewsJanuary42016&eid=289644432&bid=1265815
In a recent competitive analysis, ABI Research investigates the importance of software security, anticipating the security testing market to develop to $6.9 billion by 2020, and why secure software development remains a challenge for most businesses today.
The analyst notes in its new “Secure Software Development Tools” report that traditionally, security audits and quality assurance testing happen toward the end of the development cycle, by which point most security issues are expensive to fix and developers would prefer to focus on releasing the features in a timely fashion, rather than re-coding problem areas.
The changing threat landscape and increasing frequency of application attacks, however, is forcing security-focused organizations to more adequately address web application security through secure software development. As such, the analyst contends that application security testing is becoming crucial for organizations to adhere to compliance regulations, while at the same time defending themselves from security attacks.
“With the ubiquity of web and cloud-based software applications, not only are they essential tools to interconnect enterprises with their customers and prospects, but they are now also an ever-present target,” notes the new report’s executive summary. “Threat actors continuously capitalize on software application security flaws to steal customer information, expose sensitive customer records and, ultimately, hurt a business’ reputation.”
“The biggest challenge for company software developers lies in market forces and funding,” says Monolina Sen, senior analyst at ABI Research. “Their incentives, and consequentially their priorities, are tied to implementing new features and meeting deadlines. With companies always aiming to shorten product cycles, app security is usually among the first add-on to be cut.”
Tomi Engdahl says:
Andy Greenberg / Wired:
David Chaum, known for inventing cryptographic protocols, introduces PrivaTegrity, an encryption scheme for messaging with a “carefully controlled backdoor”
The Father of Online Anonymity Has a Plan to End the Crypto War
http://www.wired.com/2016/01/david-chaum-father-of-online-anonymity-plan-to-end-the-crypto-wars/
It’s been more than 30 years since David Chaum launched the ideas that would serve as much of the groundwork for anonymity online. In doing so, he also helped spark the debate that’s endured ever since, over the anarchic freedoms that digital secrecy enables—the conflict between privacy advocates and governments known today as the “crypto wars.”
Now Chaum has returned with his first online privacy invention in more than a decade. And with it, he wants to bring those crypto wars to an end.
At the Real World Crypto conference at Stanford University today, Chaum plans to present for the first time a new encryption scheme he calls PrivaTegrity. Like other tools Chaum has spent his long career developing, PrivaTegrity is designed to allow fully secret, anonymous communications that no eavesdropper can crack, whether a hacker or an intelligence agency. But PrivaTegrity, which Chaum’s been developing as a side project for the last two years along with a team of academic partners at Purdue, Radboud University in the Netherlands, Birmingham University and other schools, is meant to be both more secure than existing online anonymity systems like Tor or I2P and also more efficient; he claims it will be fast enough to work as a smartphone app with no perceptible delay.
That ambitious privacy toolset aside, Chaum is also building into PrivaTegrity another feature that’s sure to be far more controversial: a carefully controlled backdoor that allows anyone doing something “generally recognized as evil” to have their anonymity and privacy stripped altogether.
Whoever controls that backdoor within PrivaTegrity would have the power to decide who counts as “evil”—too much power, Chaum recognizes, for any single company or government. So he’s given the task to a sort of council system. When PrivaTegrity’s setup is complete, nine server administrators in nine different countries would all need to cooperate to trace criminals within the network and decrypt their communications. The result, Chaum argues, is a new approach that “breaks the crypto wars,” satisfying both the law enforcement agencies who argue that encryption offers a haven for criminals, and also those who argue that it’s necessary to hobble mass spying.
“If you want a way to solve this apparent logjam, here it is,” says Chaum. “We don’t have to give up on privacy. We don’t have to allow terrorists and drug dealers to use it. We can have a civil society electronically without the possibility of covert mass surveillance.”
Tomi Engdahl says:
Reverser laments crypto game protection, says wares dead after 2018
Just Cause 3 will be popped, but it’s getting hard, chirps Bird Sister.
http://www.theregister.co.uk/2016/01/07/reverser_laments_crypto_game_protection_says_wares_dead_after_2018/
A top video game cracker says cryptographic anti-reverse engineering technology could put an end to the prolific rate of game piracy.
The Chinese reverser, known affectionately as Bird Sister, Phoenix, or Fifi, has published a short blog noting that the encryption technology protecting the popular Just Cause 3 title.
“Recently, many people have asked for Just Cause 3 cracks, and the answer is that this is a difficult game to crack,” she says in a translated blog.
“Because it is so difficult I almost gave up … I still believe that this game can be compromised.
“But according to current trends in the development of encryption technology, within two years I am afraid there will be no” cracked games.
Just Cause 3 is protected by the third version of the encryption platform, a technology which some say is outpacing the ability for cracking teams to adapt.
It kept popular title Dragon Age: Inquisition uncracked for about a month.
Tomi Engdahl says:
New HTTPS Bicycle Attack Reveals Details About Passwords From Encrypted Traffic
http://yro.slashdot.org/story/16/01/06/2244201/new-https-bicycle-attack-reveals-details-about-passwords-from-encrypted-traffic
Dutch security researcher Guido Vranken has published a paper [PDF] in which he details a new attack on TLS/SSL-encrypted traffic, one that can potentially allow attackers to extract some information from HTTPS data streams. Attackers could extract the length of a password from TLS packets, and then use this information to simplify brute-force attacks.
New HTTPS Bicycle Attack Reveals Details About Passwords, GPS Coordinates
http://news.softpedia.com/news/new-https-bicycle-attack-reveals-details-about-passwords-gps-coordinates-498488.shtml
Dutch security researcher Guido Vranken has published a paper in which he details a new attack method on TLS/SSL-encrypted traffic, one that can potentially allow attackers to extract some information from HTTPS data streams.
Mr. Vranken describes the HTTPS Bicycle Attack as a method through which an attacker can inspect HTTPS traffic and be able to determine the length of some of the data exchanged underneath the TLS protection layer.
This includes details like the length of a cookie header, the length of passwords sent in POST requests, GPS coordinates, IPv4 addresses, or other information contained in TLS-encapsulated HTTP traffic.
Mr. Vranken’s HTTPS Bicycle Attack is completely undetectable and can also be used retroactively on HTTPS traffic logged many years before.
For an HTTPS Bicycle Attack to be successful, a few prerequisites need to be satisfied. First the HTTPS traffic must use a stream-based cipher, and then the attacker must know the length of the rest of the data before being able to extract details about specific parts of the HTTPS packets.
When all of these conditions are met, carrying out an HTTPS Bicycle Attack is easy. From an attacker’s point of view, all he needs to do is to capture HTTPS packets from a user authentication operation.
Knowing the victim’s username, login URL, and the adjacent information (usually sent to the server), the only information left in the HTTPS packet would be the length of the user’s password. After a simple subtraction, an attacker would then be in the possession of the user’s password length, which can be quite useful when an attacker is trying to brute-force his way into an account.
There are ways to mitigate current HTTPS traffic against HTTPS Bicycle Attacks
The HTTPS Bicycle Attack is only a theory at this point, but it is enough of a scare to make infosec researchers reconsider the usage of classic passwords for authenticating users, and also accelerate the implementation of other methods of authentication.
HTTPS Bicycle Attack
https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf
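The subtraction described above is easy to see in a few lines of code, and so is the mitigation the article alludes to. What follows is an added example, my own code and not from Vranken’s paper or the articles quoted: a toy length-preserving stream cipher (a SHA-256 counter keystream, for illustration only) stands in for the real cipher, a minimal login POST is the plaintext, and a passive observer who knows the request template and username computes the password length from the record length alone. Padding the form up to a fixed boundary then shows what that observer learns instead. The 16-byte tag overhead, the 256-byte padding block and the request template are my own assumptions.

```python
import hashlib
import os

# Added example, not code from Vranken's paper or the articles. A toy
# length-preserving stream cipher shows why record length equals plaintext
# length plus a constant, how the subtraction described in the article
# recovers a password length, and how padding the form blunts it.

TAG_LEN = 16     # constant tag overhead (assumption: 16 bytes, as in AES-GCM / ChaCha20-Poly1305)
PAD_BLOCK = 256  # pad the form up to a multiple of this many bytes (constructed mitigation parameter)
# Constructed minimal request; a real one carries more headers the observer must also know.
HEADER = ("POST /login HTTP/1.1\r\nHost: bank.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n")


def _keystream(key, nonce, length):
    """SHA-256 counter-mode keystream: illustration only, not a real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def stream_encrypt(key, nonce, plaintext):
    """XOR with the keystream, then append a fixed-size tag. Like real stream and
    AEAD ciphers this adds only a constant, so len(ciphertext) reveals len(plaintext)."""
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hashlib.sha256(key + nonce + body).digest()[:TAG_LEN]
    return body + tag


def login_record(username, password, pad=False):
    """Encrypted login POST as a passive observer would see it on the wire."""
    form = f"user={username}&pass={password}"
    if pad:
        # Round the form up to the next PAD_BLOCK boundary with a field the server ignores,
        # so every password up to that boundary produces a record of the same length.
        target = -(-(len(form) + len("&pad=")) // PAD_BLOCK) * PAD_BLOCK
        form += "&pad=" + "x" * (target - len(form) - len("&pad="))
    key, nonce = os.urandom(32), os.urandom(12)
    return stream_encrypt(key, nonce, (HEADER + form).encode())


def inferred_password_length(record_len, username):
    """What an observer who knows the request template and the username (the
    situation the article describes) concludes from the record length alone."""
    known = len(HEADER) + len(f"user={username}&pass=")
    return record_len - TAG_LEN - known


if __name__ == "__main__":
    for pw in ("hunter2", "correct horse battery"):
        plain = len(login_record("alice", pw))
        padded = len(login_record("alice", pw, pad=True))
        print(len(pw), "->", inferred_password_length(plain, "alice"), "unpadded;",
              inferred_password_length(padded, "alice"), "padded")
```

Without padding the inferred value equals the real password length for every password; with padding every password up to the block boundary yields the same figure, so the observer learns only an upper bound. The same effect is what record-level padding in a protocol, or a fixed-width field at the application layer, buys a site that cannot change how its users authenticate.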
Tomi Engdahl says:
The Network and Information Security Directive – who is in and who is out?
Do new spring 2016 rules consider YOU to be a ‘digital service provider’?
http://www.theregister.co.uk/2016/01/07/the_network_and_information_security_directive_who_is_in_and_who_is_out/
New cyber security laws agreed on by EU law makers in early December are set to impact on a large number of businesses.
Political agreement on the draft Network and Information Security (NIS) Directive, which could still be amended, was reached by MEPs and representatives of EU governments in early December. It means the path has been cleared for the new rules to be formally adopted in spring 2016. National laws implementing the Directive will need to be in effect two years after it comes into force.
The NIS Directive will impose new network and information security requirements on operators of essential services and digital service providers (DSPs). In addition, those organisations will be required to report certain security incidents to competent authorities or Computer Security Incident Response Teams (CSIRTs). Each EU country must establish these teams, the Directive says. Different security and incident reporting rules will apply to operators of essential services than to DSPs, with a lighter touch framework applicable to DSPs.
A recently published draft of the Directive helps to clarify which businesses can expect to be classed as ‘operators of essential services’ or as DSPs for the purposes of the new regime.
When will the NIS Directive apply?
Before considering which types of organisations will be deemed operators of essential services or DSPs under the Directive, a key point to note is that the Directive will not apply to all operators of essential services or DSPs.
Under the NIS Directive an operator of essential services is considered to be an entity that provides a service that is essential for the maintenance of critical societal and/or economic activities, so long as the provision of that service depends on network and information systems and if an incident to the network and information systems of that service would have significant disruptive effects on the provision of those services.
According to the draft, suppliers of electricity and gas, as well as electricity or gas distribution or transmission system operators are listed as types of operators of essential services.
Operators of essential services – digital infrastructure
Operators of essential services have also been identified within the digital infrastructure sub-sector and mean the NIS rules will apply to internet exchange points, domain name system service providers and top level domain name registries.
What companies will be considered to be digital service providers?
Digital service providers are treated differently under the NIS Directive than operators of essential services.
They face less stringent security obligations than operators of essential services and need to report security incidents they experience where those incidents have “a substantial impact on the provision of a service … they offer within the Union”. In contrast, operators of essential services must report “incidents having a significant impact on the continuity of the essential services they provide”.
Digital service providers are considered by the NIS Directive as being providers of an online marketplace, online search engine or cloud computing service, while a recital says that “hardware manufacturers and software developers” are not digital service providers.
For the purposes of the Directive, an online marketplace is defined as “a digital service that allows consumers and/or traders … to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace”.
Tomi Engdahl says:
Silent Circle Patches Modem Flaw That Exposes Blackphone to Attack
https://threatpost.com/silentcircle-patches-modem-flaw-that-exposes-blackphone-to-attack/115793/
Tomi Engdahl says:
Oh UK.gov. Say you’re not for weakened encryption – Google and Facebook
Companies weigh in on Investigatory Powers Bill
http://www.theregister.co.uk/2016/01/07/facebook_google_microsoft_twitter_yahoo_call_for_govuk_to_explicitly_reject_weakened_encryption/
Facebook, Google, Microsoft, Twitter and Yahoo have called on the UK government to explicitly state it does not intend to weaken encryption in the forthcoming Investigatory Powers Bill, in a jointly submitted statement published today.
The statement was one of 120 pieces of written evidence which have been submitted to the Joint Committee on the Draft Investigatory Powers Bill to have been published today.
The companies said encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide.
“We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means,” it said.
The Silicon Valley giants’ evidence echoes calls made by Apple that plans to hand police and security services access to the records of every UK citizen’s internet could set a dangerous precedent for other countries.
Tomi Engdahl says:
Finnish Communications Regulatory Authority warns the health care sector: these are the biggest security threats
A recent report highlights, among other things, hazards such as hands-on use of BYOD mobile devices, software vulnerabilities and malfunctioning programs.
Source: http://www.tivi.fi/Kaikki_uutiset/viestintavirasto-varoittaa-terveydenhuoltoalaa-nama-ovat-suurimmat-tietoturvauhat-6243615
More: https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2016/01/ttn201601071444.html
Tomi Engdahl says:
Always-Listening IoT Devices Raise Security Policy Questions For the Workplace
http://devices.slashdot.org/story/16/01/07/1345251/always-listening-iot-devices-raise-security-policy-questions-for-the-workplace
Rafal Los raises an interesting point about new Internet of Things (IoT) devices that may be coming into the office after Christmas, and the possible security risks associated. He uses an example of the Amazon Echo which is “always listening” and raises the question of how welcome it would be in an office where confidential and highly sensitive conversations are frequent. “How many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn’t be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now.”
Do You Have a Security Policy for “IoT” Gadgetry in the Office?
http://www.securityweek.com/when-iot-comes-office
It’s the first work week of the year, and for many of us that means hauling in some new gear into the office. Santa continues to bring more widgets and gizmos, and some of that stuff comes to the office with you. I think this is as good a time as any to think about the Internet of Things (IoT) and what it means for your CISO.
But on a serious note — how many things are showing up at the office this week that are an always-on conduit to your network from some external third party you really shouldn’t be trusting? Watches, streaming media widgets, phones, tablets and a whole host of other things are likely making their way into the office right now. You probably have a BYOD policy, but do you have an IoT policy? BYOD policies are meant to address your mobile handsets, tablets and personal laptops, but who’s addressing all the other gadgetry?
Enjoy those new gadgets folks, but remember, practice safe computing!
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Mozilla reinstates support for SHA-1 certificates temporarily after some Firefox users experienced problems accessing HTTPS sites
Firefox ban on SHA-1 dropped after many locked out of HTTPS sites
http://www.zdnet.com/article/firefox-ban-on-sha-1-dropped-after-some-are-locked-out-of-https-sites/
Mozilla reinstates support for the vulnerable SHA-1 crypto on a temporary basis until it can figure out how to avoid some unintended side effects.
Tomi Engdahl says:
Andy Greenberg / Wired:
ProPublica becomes first major news site on the dark web, running as a hidden service on the Tor network, offering stronger privacy than SSL to readers
ProPublica Launches the Dark Web’s First Major News Site
http://www.wired.com/2016/01/propublica-launches-the-dark-webs-first-major-news-site/
The so-called dark web, for all its notoriety as a haven for criminals and drug dealers, is slowly starting to look more and more like a more privacy-preserving mirror of the web as a whole. Now it’s gained one more upstanding member: the non-profit news organization ProPublica.
On Wednesday, ProPublica became the first known major media outlet to launch a version of its site that runs as a “hidden service” on the Tor network, the anonymity system that powers the thousands of untraceable websites that are sometimes known as the darknet or dark web. The move, ProPublica says, is designed to offer the best possible privacy protections for its visitors seeking to read the site’s news with their anonymity fully intact. Unlike mere SSL encryption, which hides the content of the site a web visitor is accessing, the Tor hidden service would ensure that even the fact that the reader visited ProPublica’s website would be hidden from an eavesdropper or Internet service provider.
“Everyone should have the ability to decide what types of metadata they leave behind,” says Mike Tigas, ProPublica’s developer who worked on the Tor hidden service. “We don’t want anyone to know that you came to us or what you read.”
Tomi Engdahl says:
Tigas first began considering launching a hidden service last year when the news site was working on a report about Chinese online censorship and wanted to make sure the reporting was itself safe to visit for Chinese readers.
Source: http://www.wired.com/2016/01/propublica-launches-the-dark-webs-first-major-news-site/
Tomi Engdahl says:
Reuters:
Time Warner Cable says up to 320K customers’ email passwords may have been stolen, it’s not yet sure how data was obtained — Time Warner Cable says up to 320,000 customers’ data may have been stolen — Time Warner Cable Inc said on Wednesday up to 320,000 customers may have had their email passwords stolen.
Time Warner Cable says up to 320,000 customers’ data may have been stolen
http://www.reuters.com/article/us-twc-cyberattack-idUSKBN0UL01P20160107
The company said email and password details were likely gathered either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored Time Warner Cable’s customer information, including email addresses.
Tomi Engdahl says:
Time Warner Cable Says Customer Emails, Passwords Stolen
http://www.securityweek.com/time-warner-cable-says-customer-emails-passwords-stolen-breach
Time Warner Cable said on Wednesday that it had been contacted by the FBI who notified the cable TV and Internet service provider that its customers’ email addresses including account passwords may have been compromised.
“Approximately 320,000 customers across our markets could be impacted by this situation,”
The company said it has not yet determined how the information was obtained, but said there have been no indications that its computer systems were breached.
“The emails and passwords were likely previously stolen either through malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored TWC customer information, including email addresses,” the company said.
Tomi Engdahl says:
International ATM Malware Gang Dismantled
http://www.securityweek.com/international-atm-malware-gang-dismantled
Romanian law enforcement authorities assisted by Europol this week arrested eight individuals suspected of being part of an international group that used malware to steal money from ATMs.
Europol said the attackers used a piece of malware called Tyupkin (Padpin) to conduct what are known as “jackpotting” attacks. Tyupkin was analyzed in detail by Kaspersky Lab in 2014 after the threat was discovered on more than 50 machines in Eastern Europe. The malware allows its operators to withdraw money from ATMs without payment cards.
According to Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT), the arrested individuals are suspected of establishment of an organized criminal group, illegal access to computer systems, computer fraud, disruption of information systems, alteration of computer data integrity, illegal operations with devices and software, and destruction of property.
Between December 2014 and October 2015, the group, led by Moldovan national Solozabal Cuartero Rodion and Romanian national Mihaila Sorin, targeted ATMs in Romania and various other European countries, including Hungary, the Czech Republic, Spain and Russia, Romanian prosecutors said.
Once they found an ATM they could target, the crooks tampered with the machine in an effort to gain access to its CD-ROM drive, which they could use to plant the malware. Before the actual attack, the group also verified the existence of ATM alarm systems, which they deactivated using duct tape, and ensured that the CD-ROM drive was working properly.
The attacks took place on weekends since the malware was designed to work properly only during the weekend.
Tomi Engdahl says:
2016 Cyber Threat Predictions to Use to Your Advantage
http://www.securityweek.com/2016-cyber-threat-predictions-use-your-advantage
With a Better Understanding of What the Future May Hold, Cyber Defenders Can Gain an Upper Hand With the Adversary
1. Attribution remains murky. Last year both the variety of threat actors and the ability to neatly “classify” these actors into types became much more difficult as attack behaviors changed, and motivations and threats increased in their complexity.
2. Ransom continues to rule. Extortion as a mode of attack became a popular tactic for threats actors in 2015
3. More attackers share the global stage. Advanced attack methods, such as custom malware or unusual attack vectors, were historically the domain of nation states with significant engineering capability; often those states that have or are developing a nuclear defense capability. In 2015, non-nuclear states and organized criminal groups adopted these techniques thanks to lower barriers to entry and the increased trade in espionage capabilities. We can safely expect that in 2016 non-nuclear states will continue to develop their cyber capabilities and compete on the global stage.
4. Criminals follow the money. Organized criminals are focusing more intently on high value targets that provide a large value single payout.
5. Hacktivists get more sophisticated. Hacktivists continue to be motivated by embarrassment of their targets, but their tactics are no longer simply DDoS, doxing, and defacement. In 2015 hacktivists stole and published data in order to attract awareness to their cause, continuing to embarrass their targets despite the collateral damage. In 2016 hacktivists will use more tactics, techniques and procedures that were previously considered the preserve of cyber criminals.
6. Dark web marketplaces scramble for leadership. Global law enforcement will continue to takedown large dark web marketplaces
7. Attacks on the retail industry evolve.
Information about malicious actors is an important component of cyber situational awareness, because it analyzes which malicious actors might be targeting an organization, why, and their methods of attack.
Tomi Engdahl says:
WordPress 4.4.1 Patches XSS Vulnerability
http://www.securityweek.com/wordpress-441-patches-xss-vulnerability
The developers of the WordPress content management system (CMS) have released a security and maintenance update to address a vulnerability and dozens of non-security issues.
WordPress 4.4.1, the first update released for WordPress 4.4 “Clifford,” resolves a cross-site scripting (XSS) vulnerability that could allow malicious actors to compromise affected websites. The flaw was reported to WordPress developers by a Philippines-based independent security researcher who uses the online moniker “Crtc4L” via the HackerOne platform.
Tomi Engdahl says:
Changing the Economics of Cybersecurity
http://www.securityweek.com/changing-economics-cybersecurity
It’s almost a cliche to talk about how often breaches occur—in 2015 alone, we’ve seen high-profile breaches from everyone from Anthem, the popular work collaboration tool Slack, and even the federal government thanks to the recent US Office of Personnel Management attack. While many organizations are implementing security solutions to avoid becoming the next headline, there’s a fundamental math problem with the money they are investing: While organizations may think their ROI is pretty good, the ROI for criminals is even better, giving criminals more incentive to work their hardest to break into an enterprise network.
Tomi Engdahl says:
When the IoT Comes to the Office
http://www.securityweek.com/when-iot-comes-office
Do You Have a Security Policy for “IoT” Gadgetry in the Office?
It’s the first work week of the year, and for many of us that means hauling in some new gear into the office. Santa continues to bring more widgets and gizmos, and some of that stuff comes to the office with you. I think this is as good a time as any to think about the Internet of Things (IoT) and what it means for your CISO.
Tomi Engdahl says:
How to Tell Whether You’re Getting a Return on Governance
http://www.securityweek.com/how-tell-whether-youre-getting-return-governance
Like Many Security Technologies, Access Governance Won’t Directly Drive More Revenue for a Business. So How Can You Deliver a Return on Governance?
Surveys can be mind-numbingly dry, but there is occasionally something surprising to be learned about what is happening in the industry. Ponemon’s 2015 Cost of Cyber Crime Study (PDF) shows Access Governance tools as the number one deployed security technology to enable a reduction in the cost of cyber crime. This marks the first time that Access Governance has been at the top of this list in this survey.
More interesting is the fact that despite its wide adoption, Access Governance falls to fourth place in terms of return on investment (ROI) in that same survey. Why is the return so much lower?
Why is Access Governance implemented?
To understand why return on Access Governance is lower versus other security technologies, we first need to understand why Access Governance is implemented in the first place. More times than not, the driver for implementing Access Governance (and the source of budget) is compliance.
Like kicking bickering family members out of the house after a holiday meal, we seek to make the auditors go away by demonstrating an effective access certification control. And we’ve been relatively successful at that. But there’s a downside to the focus on compliance.
Our line of business managers have figured out how to rubber-stamp the certifications, which may be enough to satisfy an auditor, but it hasn’t reduced risk for our organizations. By allowing those managers to mindlessly approve access for everyone, there are too many people with too much access. Even worse, people who leave our organizations often continue to retain access for significant periods of time.
We have to ask ourselves, how long will CFOs and CISOs accept this pretense? CFOs want to know that the significant spend on Access Governance is providing a return on the investment, and CISOs want to reduce risk in the environment, not just satisfy auditors.
What kind of return can be expected on Access Governance?
Like many security technologies, Access Governance is not going to directly drive more revenue for a business. So the question of ROI has to be reconsidered in terms of return on governance, specifically measuring the cost of Access Governance versus the risk reduced.
Accurately representing costs is a challenge, but generally achievable if direct and indirect costs are understood. The more difficult measure is risk reduction.
Fortunately, while imperfect, there is a metric that is an outcome of Access Governance, which can be used to measure some amount of risk reduction – the percentage of access revocation following each round of access certification. We can use %R as shorthand for this metric.
Finding the appropriate %R for your organization will require base lining the current state, and applying corrections for business conditions. An acceptable %R will meet or exceed the expectations.
Tomi Engdahl says:
You’re watching TV – Is it also watching you?
http://blog.checkpoint.com/2016/01/07/youre-watching-tv-is-it-also-watching-you/
The Internet of Things (IoT) revolves around machine-to-machine communication, and it’s growing exponentially. Sure, it sounds like a great idea when we can use smart devices to connect to the Internet at a moment’s notice. However, most consumers don’t fully understand the security vulnerabilities.
Let’s take a look at EZCast. It’s an HDMI dongle-based TV streamer that converts your regular TV into a smart TV and allows you to connect to the Internet and other media. It’s controlled through your smartphone device or your PC. With this dongle, you can easily connect your TV with your PC to view and transfer videos, photos, music and files.
Getting in is easy – Since the EZCast dongle runs on its own Wi-Fi network, entering the network is actually quite easy. This network is secured only by an 8-digit numeric password, which can be easily cracked.
So, why should I worry? Well, just about anything and everything stored on your home network is now completely exposed. This could include tax returns, bank statements, credit cards and personal health information. Identity theft could happen in an instant.
Ok, tell me more – Check Point researchers uncovered the EZCast vulnerabilities earlier this year. Check Point has reached out to EZCast several times to alert them of our findings. As of this time, no updates or responses have been provided.
The EZCast device was never designed with security in mind. Check Point was able to uncover a number of critical vulnerabilities, and we barely scratched the surface. Would you sell access to your network for $25 dollars? Because that’s what you’re essentially doing when you buy and use this device.
Security for IoT should be raised to the same levels we expect and take for granted in computer security.
EZCast is currently used by approximately 5 million users. Are you one of them?
“EZHACK” – Popular Smart TV Dongle Remote Code Execution
Check Point alerted EZCast that its smart TV dongle, which is used by approximately 5 million users, is exposed to severe remote code execution vulnerabilities
http://blog.checkpoint.com/wp-content/uploads/2015/12/EZCast_Report_Check_Point.pdf
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Google removes 13 apps from Play Store after researchers found they made unauthorized downloads and tried to gain root privileges
Malicious apps in Google Play made unauthorized downloads, sought root
Apps with as many as a million downloads removed following their discovery.
http://arstechnica.com/security/2016/01/malicious-apps-in-google-play-made-unauthorized-downloads-sought-root/
Google has banished 13 Android apps from its Play marketplace after security researchers found the apps made unauthorized downloads and attempted to gain root privileges that allowed them to survive factory resets.
One of the 13 apps, which was known as Honeycomb, had as many as one million downloads before it was removed, according to researchers from Lookout, the mobile security provider that spotted the malicious entries. The apps boasted a large number of downloads and highly favorable user ratings, presumably thanks to the ability of one app to automatically download other apps and then leave rave user reviews for them.
As Ars reported in November, members of the Shedun, Shuanet, and ShiftyBug families expose phones to potentially dangerous root exploits that can make app removal extremely hard for many users. That’s because the apps are often able to root the infected device and install themselves as system applications.
The apps found last year were hosted in third-party marketplaces. The latest ones, by contrast, were hosted in the official Google Play store. They are part of a malware family dubbed Brain Test. While the apps were caught only making unauthorized downloads of other apps, their design made it possible for them to carry out a host of fraudulent actions that could be updated on the fly by the attacker-controlled command server they connected to.
Tomi Engdahl says:
Mozilla Adds W^X Security Feature to Firefox
http://news.softpedia.com/news/mozilla-adds-w-x-security-feature-to-firefox-498416.shtml
Mozilla developers have added W^X support to Firefox, a security feature aimed at protecting against basic buffer overflow and memory corruption issues.
W^X (Write XOR Execute) is the name of a security feature present in the OpenBSD operating system, which Firefox developers have ported inside Firefox’s JIT (Just-in-Time) code compiler.
Added by Jan de Mooij, this feature works under Firefox’s hood and affects how code executed inside the browser interacts with the operating system’s memory.
W^X adds protection against buffer overflow attacks
The principle behind the W^X memory protection policy, as described by its OpenBSD implementation, states that a process (Web page in Firefox’s case) cannot be writable and executable at the same time.
Starting with the latest Firefox 46 Nightly build, Web pages will either be allowed to write code to the memory or execute code in the memory, but not simultaneously.
By delaying execution time, W^X memory protection prevents some types of buffer overflow attacks and also makes sure that when dynamic arbitrary code is injected into the process execution stack, Firefox will crash, instead of blindly running potentially malicious code.
Firefox will take a very minimal performance hit, for security’s sake
According to internal tests carried out by Mozilla’s developers, the performance hit is between 1% and 4%, depending on the benchmark suite. Because of this minimal impact, the team decided to enable W^X memory protection, which is expected to remain turned on by default, barring serious bugs and other unforeseen performance issues.
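The JIT pattern described above, as an added C example for Linux (not Mozilla's code): code is written into a page while it is readable and writable, the page is then flipped to readable and executable before it is ever run, and a probe confirms the page is no longer writable afterwards. The machine-code bytes, the pipe-based writability probe and the 42 return value are constructed for this example; it provides code bytes for x86-64 and AArch64 only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed machine code for a function that returns 42. */
#if defined(__x86_64__)
static const uint8_t kRet42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };           /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t kRet42[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "example provides code bytes for x86-64 and AArch64 only"
#endif

typedef int (*jit_fn)(void);

/* Stage 1: map a page readable and writable, never executable, and emit code. */
static void *jit_alloc_rw(size_t *len_out) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, kRet42, sizeof kRet42);
    *len_out = len;
    return p;
}

/* Stage 2: drop write permission and grant execute; the page is never both. */
static int jit_make_rx(void *p, size_t len) {
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) return -1;
    __builtin___clear_cache((char *)p, (char *)p + len);
    return 0;
}

/* Probe writability without faulting: read() from a pipe into the page fails
 * with EFAULT when the kernel cannot write there. The probe touches only the
 * last byte of the page, well past the emitted code.
 * Returns 1 if writable, 0 if not writable, -1 on an unexpected error. */
static int page_is_writable(void *p, size_t len) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char c = 0;
    ssize_t w = write(fds[1], &c, 1);
    ssize_t r = (w == 1) ? read(fds[0], (char *)p + len - 1, 1) : -1;
    int saved_errno = errno;
    close(fds[0]);
    close(fds[1]);
    if (r == 1) return 1;
    return (r < 0 && saved_errno == EFAULT) ? 0 : -1;
}

/* Full life cycle: emit, seal, execute. Reports writability before and after
 * sealing and returns what the jitted function returned (-1 on failure). */
static int wx_demo(int *writable_before, int *writable_after) {
    size_t len;
    void *p = jit_alloc_rw(&len);
    if (!p) return -1;
    *writable_before = page_is_writable(p, len);
    if (jit_make_rx(p, len) != 0) { munmap(p, len); return -1; }
    *writable_after = page_is_writable(p, len);
    jit_fn fn = (jit_fn)(uintptr_t)p;
    int result = fn();
    munmap(p, len);
    return result;
}

int main(void) {
    int before = -1, after = -1;
    int r = wx_demo(&before, &after);
    printf("jitted function returned %d; writable before seal=%d, after seal=%d\n",
           r, before, after);
    return r == 42 ? 0 : 1;
}
```

Writing into the page after `jit_make_rx` would fault, which is the crash-instead-of-run behaviour the article describes for injected code.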
Tomi Engdahl says:
Android-Based Smart TVs Aren’t That Smart When You Install Malware On Them
http://entertainment.slashdot.org/story/16/01/07/2258251/android-based-smart-tvs-arent-that-smart-when-you-install-malware-on-them
Smart TVs running older versions of the Android operating system are being infected with malware that was specifically built to target smart TVs.
Android-Based Smart TVs Aren’t That Smart When You Install Malware on Them
smart TVs running older versions of Android are vulnerable
http://news.softpedia.com/news/android-based-smart-tvs-aren-t-that-smart-when-you-install-malware-on-them-498596.shtml
Smart TVs running older versions of the Android operating system are being infected with malware via side-loaded apps installed from unofficial app stores, Trend Micro researchers have discovered.
According to Trend Micro’s team, infections occur via applications downloaded from a series of sites run under the H.TV brand. These are websites that offer applications specifically built for Android smart TVs that allow users to watch TV channels from other regions of the globe.
The legality of these apps is a different matter, but users who choose to install them may have a bigger problem on their hands, which is the ANDROIDOS_ROOTSTV.A malware.
This malware strain exploits an older Android vulnerability that allows attackers to gain elevated privileges on the device and use this advantage to secretly download and install unsolicited applications. Regardless if these latter stage applications are malicious or not, the cybercrooks behind this campaign are making a profit from pay-per-install Android app affiliate programs.
The vulnerability, CVE-2014-7911, affects all Android versions from Cupcake 1.5 to Kitkat 4.4W.2. Because smart TVs aren’t on the same level of hardware performance compared to modern-day smartphones, their manufacturers often run older versions of the Android OS.
According to Trend Micro, smart TV brands that use older Android versions and put their users in harm’s way include Changhong, Konka, Mi, Philips, Panasonic, and Sharp. By doing so, these TV makers are unwittingly exposing users to all the flaws that the Android infosec community has worked so hard to fix.
Not the first time when smart TV security gets slammed by security researchers
Tomi Engdahl says:
Lots of Samba Vulnerabilities Closed in All Supported Ubuntu OSes
http://linux.softpedia.com/blog/lots-of-samba-vulnerabilities-closed-in-all-supported-ubuntu-oses-498536.shtml
Details about Samba vulnerabilities that have been found and fixed in Ubuntu 15.10, Ubuntu 15.04, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS operating systems have been published by Canonical in a security notice.
A large number of vulnerabilities were found in Samba (SMB/CIFS file, print, and login server for Unix). This is an important part of a Linux distribution and is especially useful if you want access to Windows systems.
“Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled certain packets. A remote attacker could use this issue to cause the LDAP server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10,” reads the security notice.
Tomi Engdahl says:
The FBI’s ‘Unprecedented’ Hacking Campaign Targeted Over a Thousand Computers
https://motherboard.vice.com/read/the-fbis-unprecedented-hacking-campaign-targeted-over-a-thousand-computers
In the summer of 2015, two men from New York were charged with online child pornography crimes. The site the men allegedly visited was a Tor hidden service, which supposedly would protect the identity of its users and server location. What made the case stand out was that the Federal Bureau of Investigation (FBI) had used a hacking tool to identify the IP addresses of the individuals.
The case received some media attention, and snippets of information about other, related arrests started to spring up as the year went on. But only now is the true extent of the FBI’s bulk hacking campaign coming to light.
In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved.
“This kind of operation is simply unprecedented,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview.
A new bulletin board site on the dark web was launched in August 2014, on which users could sign up and then upload whatever images they wanted. According to court documents, the site’s primary purpose was “the advertisement and distribution of child pornography.”
An FBI complaint described the site as “the largest remaining known child pornography hidden service in the world.”
A month before this peak, in February 2015, the computer server running Playpen was seized by law enforcement from a web host in Lenoir, North Carolina, according to a complaint filed against Peter Ferrell, one of the accused in New York.
But after Playpen was seized, it wasn’t immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a defendant in Utah. During this time, the FBI deployed what is known as a network investigative technique (NIT), the agency’s term for a hacking tool.
“There will probably be an escalating stream of these [cases] in the next six months or so,” Fieman added. “There is going to be a lot in the pipeline.”
It’s not totally clear exactly how it was deployed, but the warrant allowed for anyone who logged into the site to be hacked.
Tomi Engdahl says:
Updated versions 5.5.31, 5.6.17 and 7.0.2 of the PHP programming language have been published. The updated versions correct several vulnerabilities. The vendor recommends updating vulnerable versions to the corrected versions.
Source: https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2016/haavoittuvuus-2016-004.html
Tomi Engdahl says:
James Vincent / The Verge:
Facebook, Microsoft, and Google say UK spying laws are ‘a step in the wrong direction’ — America’s biggest tech companies have united to criticize new digital surveillance laws proposed in the UK. In evidence submitted to the committee assessing the legislation, Facebook, Google, Microsoft …
http://www.theverge.com/2016/1/8/10735412/us-tech-firms-criticize-investigatory-powers-bill
Tomi Engdahl says:
Tosibox widespread in building automation
The Finnish company Tosibox is known for its award-winning and easy-to-deploy VPN devices. Now the company says its products are strengthening their position in the real estate automation area. The Oulu rental housing company Sivakka has ordered more than one hundred Tosibox remote access solutions for its properties.
Tosibox technology leader Veikko Ylimartimo characterizes the company’s contract with Sivakka as very important. Sivakka is the clear market leader in the Oulu rental housing market, and it leases about 8 000 homes in various parts of the city.
Working on a Plug & Go principle, the product consists of two small devices, called the lock and the key.
The lock is a smart device attached at the remote site by cable or wirelessly. The key is a USB dongle-like smart device whose software is installed on the user’s computer via the USB interface. Lock and key together form a secure remote access connection over the Internet quickly and easily.
Source: http://etn.fi/index.php?option=com_content&view=article&id=3808:tosibox-yleistyy-kiinteistoautomaatiossa&catid=13&Itemid=101
Tomi Engdahl says:
Washington Post:
White House announces DHS-led counter-terrorism task force involving other federal, local agencies, plus revamp of State Department effort to fight ISIS online
Obama administration plans shake-up in propaganda war against the Islamic State
https://www.washingtonpost.com/world/national-security/obama-administration-plans-shake-up-in-propaganda-war-against-the-islamic-state/2016/01/08/d482255c-b585-11e5-a842-0feb51d1d124_story.html
The Obama administration is overhauling its faltering efforts to combat the online propaganda of the Islamic State and other terrorist groups, U.S. officials said, reflecting rising White House frustration with largely ineffective efforts so far to cut into ISIS’s use of social media to draw recruits and incite attacks.
Officials will create a new counterterrorism task force, which will be based at the Department of Homeland Security but aims to enlist dozens of federal and local agencies.
The moves come at a time of increasing public anxiety and criticism of the administration’s strategy after recent attacks in Paris and San Bernardino, Calif., that were linked to or partly inspired by the Islamic State.
“Everybody realizes that this is a moment . . . to take advantage of,”
“Ultimately, it is not going to be enough to defeat ISIL in the battlefield,” Obama told representatives from more than 100 nations and civil society groups. “We have to prevent it from radicalizing, recruiting and inspiring others to violence in the first place. And this means defeating their ideology.”
But one of the biggest problems the administration has faced is determining whether any of it is working. As the U.S. government’s counter-messaging campaign has grown, so has the Islamic State’s recruitment spread.
“The climate overall has become pretty bad,” a U.S. official said. “Our business is an uphill business.”
Friday’s high-level conference with senior executives of YouTube, Facebook, Twitter, Microsoft, LinkedIn and Apple is the administration’s most ambitious attempt to persuade those companies to collaborate in the counter-militant campaign.
“The idea is to come out with a work plan,” one administration official said. “Nobody wants to have their platforms co-opted by terrorists.”
The assembled firepower was puzzling to some in Silicon Valley.
Many were angered by the public fallout for their prior cooperation with the government, the extent of which was exposed in documents leaked by former U.S. intelligence contractor Edward Snowden.
“Being seen as having the U.S. government force our hands makes others around the world lose confidence in us,” said an industry official.
Tomi Engdahl says:
Wall Street Journal:
Top US government officials meeting with Silicon Valley CEOs to discuss whether tech firms can do more to thwart terrorists online — Top U.S. Officials to Meet With Tech CEOs on Terror Concerns — Discussion to focus on whether social-media firms can do more to thwart terrorists
http://www.wsj.com/article_email/top-u-s-officials-to-meet-with-tech-ceos-on-terror-concerns-1452195796-lMyQjAxMTE2ODA0NzkwODc2Wj
Tomi Engdahl says:
Guardian:
Tech companies appear open to helping US government combat Islamic State after summit — Silicon Valley appears open to helping US spy agencies after terrorism summit — Obama administration acknowledges ‘complicated first amendment issues’ after top counter-terrorism officials traveled …
http://www.theguardian.com/technology/2016/jan/08/technology-executives-white-house-isis-terrorism-meeting-silicon-valley-facebook-apple-twitter-microsoft
Obama administration acknowledges ‘complicated first amendment issues’ after top counter-terrorism officials traveled to California to woo technology executives from companies including Apple, Facebook and Twitter
The remarkable rendezvous between Apple, Facebook, Twitter, Microsoft and others and a delegation from the White House revealed a willingness on the part of tech firms to work with the government, and indicated that the Obama administration appears to have concluded it can’t combat terrorists online on its own.
Top officials – including National Security Agency director Michael Rogers, White House chief of staff Denis McDonough and FBI director James Comey – appeared to want to know how they could launch a social media campaign to discredit Isis, a person familiar with the conversation said.
“We are interested in exploring all options with you for how to deal with the growing threat of terrorists and other malicious actors using technology, including encrypted technology,” the briefing document said. “Are there technologies that could make it harder for terrorists to use the internet to mobilize, facilitate, and operationalize?”
Despite recent fights over civil liberties, encryption, and surveillance, tech executives appeared receptive to this message, according to sources familiar with conversations at the meeting.
“This meeting confirmed that we are united in our goal to keep terrorists and terror-promoting material off the Internet.”
– Facebook spokeswoman