Here are my predictions for trends in information security and cyber security for the year 2016.
Year 2015 was a bad year for information security, and I would say that the trend is worrying. So I expect that the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge amount of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. Until now you might have dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to be mostly okay, but the privacy issues raised in 2015 change this.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which for example transport, industry, health and the new operators set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout the year 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals – Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security – for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
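Before the cutoff, the practical job for an administrator is to find which of their own certificates are still signed with SHA-1. The following is an added example, not code from the original post: a minimal DER walker that reads the outer signatureAlgorithm of an X.509 certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and classifies the OID it finds. The sample "certificates" at the bottom are constructed here with a stub body so the block runs offline; the OID tables and the `ssl.PEM_cert_to_DER_cert` helper are standard, everything else is the example's own code.

```python
# Added example (not from the original post): pull the signatureAlgorithm OID
# out of a DER-encoded X.509 certificate and flag SHA-1 signatures.
import ssl

SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA2_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def read_tlv(data, pos=0):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def decode_oid(content):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear = last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = read_tlv(cert_der)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = read_tlv(cert)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)    # signatureAlgorithm (AlgorithmIdentifier)
    assert tag == 0x30, "AlgorithmIdentifier must be a SEQUENCE"
    tag, oid, _ = read_tlv(alg_id)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid)

def classify(cert_der):
    oid = signature_algorithm_oid(cert_der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "SHA-1 (deprecated): " + SHA1_SIGNATURE_OIDS[oid]
    return "ok: " + SHA2_SIGNATURE_OIDS.get(oid, oid)

def classify_pem(cert_pem):
    """Same check for a PEM string, e.g. one returned by ssl.get_server_certificate()."""
    return classify(ssl.PEM_cert_to_DER_cert(cert_pem))

# --- constructed sample input: structurally a Certificate, no real certificate embedded ---
def der(tag, content):
    """Encode a TLV, using the long length form when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_certificate(alg_oid_bytes):
    tbs = der(0x30, der(0x02, b"\x01"))                          # tbsCertificate stub
    alg = der(0x30, der(0x06, alg_oid_bytes) + der(0x05, b""))   # { OID, NULL }
    sig = der(0x03, b"\x00" + b"\xAA" * 200)                     # BIT STRING, long-form length
    return der(0x30, tbs + alg + sig)

SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for sample in (fake_certificate(SHA1_RSA_OID), fake_certificate(SHA256_RSA_OID)):
        print(classify(sample))
```

Because the parser handles long-form lengths and only walks the three top-level elements, it works unchanged on real DER certificates (for example the bytes from `ssl.PEM_cert_to_DER_cert`), which is what you would run over an exported inventory of your servers' certificates.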
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
Smart phones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
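The code-generating second factor that authenticator apps on a smartphone implement is specified in RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code from the original post, that implements both plus the two things the server side must get right: tolerating clock drift with a small window, and refusing to accept the same code twice within that window. The `TotpAccount` class and the numbers in the test are the example's own; the secret `12345678901234567890` is the shared test key from both RFCs.

```python
# Added example (not from the original post): HOTP (RFC 4226) and TOTP (RFC 6238)
# with server-side verification that tolerates drift and blocks code replay.
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits (RFC 4226)."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step) (RFC 6238)."""
    return hotp(secret, at_time // step, digits)

def verify_totp(secret, candidate, at_time, step=30, digits=6, window=1):
    """Return the counter that matched, or None.  Accepts the current time step
    and +/-window neighbours (clock drift) and compares in constant time."""
    counter = at_time // step
    for offset in range(-window, window + 1):
        expected = hotp(secret, counter + offset, digits)
        if hmac.compare_digest(expected, str(candidate)):
            return counter + offset
    return None

class TotpAccount:
    """Server-side state for one user (hypothetical helper, not from any library):
    remembers the last accepted counter so a captured code cannot be replayed
    while it is still inside the validity window."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def login(self, candidate: str, at_time: int) -> bool:
        matched = verify_totp(self.secret, candidate, at_time)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890")
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(RFC_TEST_SECRET, 0))           # 755224 per RFC 4226
    print("TOTP at t=59:   ", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("code right now: ", totp(RFC_TEST_SECRET, int(time.time())))
```

Two design choices matter here more than the arithmetic: the comparison uses `hmac.compare_digest` so that response timing does not leak how many digits were right, and the account tracks the last accepted counter because a one-time code is only one-time if the server enforces it. A real deployment also rate-limits attempts, since a six-digit code with a three-step window gives an attacker a 3-in-a-million chance per guess.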
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly in the area of ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom to DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
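Two recommendations in this post share one building block: the "integrity solution that acts like an alarm" from the perimeter discussion above, and the tested backup and restore procedure recommended against ransomware. Both come down to a hash manifest of your files. The following is an added example, not code from the original post, that builds such a manifest, raises an alarm when an implausible fraction of files change at once (a user edits a few files a day; an encryptor rewrites nearly all of them), and verifies that an archive restores to exactly what was backed up. The directory, file names, the 20% threshold and the simulated encryptor in `demo()` are all constructed for the example.

```python
# Added example (not from the original post): a hash manifest used as an integrity
# alarm and to prove that a backup actually restores.  Runs on a temp directory.
import hashlib
import os
import shutil
import tarfile
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map relative path -> SHA-256 of every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Return (modified, added, removed) relative paths between two manifests."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def integrity_alarm(baseline, current, max_changed_fraction=0.2):
    """True when more than max_changed_fraction of baseline files were modified
    or removed since the baseline was taken (threshold is a constructed choice)."""
    modified, _added, removed = diff_manifests(baseline, current)
    if not baseline:
        return False
    return (len(modified) + len(removed)) / len(baseline) > max_changed_fraction

def backup_tree(src, archive_path):
    """Write a tar.gz of src and return the manifest to store beside it."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src, arcname=".")
    return hash_tree(src)

def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare every file's hash with the
    manifest taken at backup time: the test that the backup is actually usable."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch)
        restored = hash_tree(scratch)
    return diff_manifests(manifest, restored) == ([], [], [])

def demo():
    """Constructed scenario: baseline, backup, simulated encryptor, alarm, restore check.
    Returns (alarm_raised, restore_verified)."""
    work = Path(tempfile.mkdtemp())
    try:
        data = work / "data"
        (data / "reports").mkdir(parents=True)
        for i in range(10):
            (data / "reports" / f"q{i}.txt").write_text(f"quarter {i} figures\n")
        archive = work / "backup.tar.gz"
        manifest = backup_tree(data, archive)
        quiet = integrity_alarm(manifest, hash_tree(data))      # nothing changed yet
        # Simulate an encryptor: every document overwritten, a ransom note added.
        for p in (data / "reports").iterdir():
            p.write_bytes(os.urandom(64))
        (data / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        alarm = integrity_alarm(manifest, hash_tree(data))
        restored_ok = verify_restore(archive, manifest)
        return (not quiet) and alarm, restored_ok
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    print("alarm raised, restore verified:", demo())
```

In practice the manifest and the archive are kept somewhere the production host cannot write to (an encryptor that can also rewrite the baseline silences the alarm), and the restore check is scheduled rather than run once: a backup that has never been restored is an assumption, not a backup.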
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
New York has just opened a massive public spying network
http://thenextweb.com/us/2016/03/22/new-york-just-opened-massive-public-spying-network/
‘Free’ public Wi-Fi always sounds a little too good to be true and now American civil liberties campaigners have written to the Mayor of New York to tell him they are pretty creeped out about how much data the new LinkNYC booths will collect.
The anticipated 10,000-strong network across New York will be paid for by advertising, which the team explains will represent a “rich, context-aware platform to reach New Yorkers and visitors.”
Mayor de Blasio has so far only talked about this as a boon for the city as he expects it to generate $500 million in advertising sales but, of course, personalized ads require serious amounts of data.
Security and surveillance concerns
The NYCLU explains that the network: “retains a vast amount of information about users – often indefinitely – building a massive database that carries a risk of security breaches and unwarranted NYPD surveillance.”
De Blasio has boasted about just how secure the network will be, as well as putting plans in place for it to cope if there were a hack or terror attack, but none of this touched on the data retained for advertising purposes.
https://www.link.nyc/
Tomi Engdahl says:
FBI grows “Cyber Most Wanted” list with Syrian Electronic Army members
http://www.networkworld.com/article/3047172/security/fbi-grows-cyber-most-wanted-list-with-syrian-electronic-army-members.html
The FBI today added two members of a Syrian hacker group to its Cyber Most Wanted list offering a reward of up to $100,000 each for information that leads to their arrest.
According to the FBI, the new cybercriminals Ahmad Umar Agha, 22, known online as “The Pro,” and Firas Dardar, 27, known online as “The Shadow,” engaged in a multi-year conspiracy that began in 2011 to collect usernames and passwords that gave them the ability to deface websites, redirect domains to sites controlled by the conspirators, steal e-mail, and hijack social media accounts. To obtain the login information they used spear-phishing, where they tricked people who had privileged access to their organizations’ websites and social media channels into volunteering sensitive information by posing as a legitimate entity.
“These three members of the Syrian Electronic Army targeted and compromised computer systems in order to provide support to the Assad regime as well as for their own personal monetary gain through extortion,”
Tomi Engdahl says:
FBI backs off Apple, finds another way into iPhone 5c
Looks like the government found some hackers.
http://www.engadget.com/2016/03/21/fbi-backs-off-apple-finds-another-way-into-iphone-5c/
The Department of Justice just asked the courts to vacate tomorrow’s hearing with Apple concerning the iPhone of San Bernardino shooter Syed Rizwan Farook. Apparently, the FBI will use alternative methods to get into the locked phone without Apple’s help.
Tomi Engdahl says:
Your money or your life! Another hospital goes down to ransomware
Methodist Hospital in Kentucky calls in the FBI and refuses to pay
http://www.theregister.co.uk/2016/03/23/your_money_or_your_life_another_hospital_goes_down_to_ransomware/
Another US hospital has had its records scrambled by ransomware trying to extort money from the sawbones. This time: it’s the Methodist Hospital in Kentucky that’s been infected.
“We’ve notified the FBI, we’re dealing with federal authorities on how to deal with it,” the hospital’s chief operating officer David Park told local station News Channel 10. “Depending upon the number of records that were locked, depends upon whether we’re going to consider looking into whether we pay anything or not.”
The hospital reported that patients’ files had been copied, encrypted, and then the originals deleted. The hospital says that its backups are up to date and accessible, so it’s keeping calm and carrying on.
Tomi Engdahl says:
Webroot’s machine learning and cloud mix evolves threat intelligence
Clever computers can sniff out cyber threats
http://www.theinquirer.net/inquirer/feature/2451711/webroots-machine-learning-and-cloud-mix-evolves-threat-intelligence
HUNTING MALWARE in the vast virtual planes of the internet and amid the thousands of files on even the most basic PC is a challenge for the best cyber security boffins.
Threat researchers can usually be found at cyber security companies sifting through data, analysing files and tracing the origins of malware down rabbit warrens of scripts, file paths and rogue code hiding behind seemingly harmless executable files. Once malware is found it can be squashed and measures can be put into place to protect other systems from similar attacks.
This ‘threat intelligence’ is an important part of protecting individuals and organisations against software vulnerabilities, viruses and hackers.
“These services prioritise vulnerabilities and predict threats, enabling security
teams to rapidly take action. More advanced services also integrate vulnerability alerting with real-world threat intelligence covering geopolitical and business intelligence,” said the UK Computer Emergency Response Team.
Tomi Engdahl says:
Error checks? Eh? What could go wrong, really? (DoSing a US govt site)
More awful code you’ve seen in action … or should that be inaction
http://www.theregister.co.uk/2016/03/23/line_break_ep_8/
Tomi Engdahl says:
Hackers Modify Water Treatment Parameters By Accident
https://tech.slashdot.org/story/16/03/22/1728210/hackers-modify-water-treatment-parameters-by-accident
Verizon’s RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times.
The cause of this intrusion seems to be bad network design, since all equipment was interconnected with each other in a star network design.
Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.
Hackers Modify Water Treatment Parameters by Accident
http://news.softpedia.com/news/hackers-modify-water-treatment-parameters-by-accident-502043.shtml
A group of hackers, previously involved in various hacktivism campaigns, have accidentally made their way into an ICS/SCADA system installed at a water treatment facility and have altered crucial settings that controlled the amount of chemicals used to treat tap water.
This strange hacking incident is described in Verizon’s 2016 Data Breach Digest (page 38, Scenario 8), a collection of case studies that the company’s RISK team was brought in to investigate.
The victim of the hack is a company that Verizon identified under the generic name of Kemuri Water Company (KWC). As the RISK team explains, the company noticed that, for a couple of weeks, its water treatment center was behaving erratically, with chemical values being modified out of the blue.
Suspecting something was wrong – and something that its IT staff wasn’t able to spot – the company brought in Verizon’s RISK team to investigate.
First off, KWC was using extremely outdated computer systems, some of which were running ten-year-old operating systems.
Additionally, the entire IT network revolved around a single piece of equipment, an AS400 system, which would interconnect the company’s internal IT network and the SCADA systems that managed the water treatment facility (a big no-no in terms of security).
Even worse, the same AS400 was also exposed to the Internet because it was routing traffic to a Web server where KWC’s customers could check their monthly water bill, their current water consumption level, and even pay bills via a dedicated payments application.
The RISK team discovered that the hackers first breached the system via the Web-accessible payments application, looking for sensitive information about the company’s clients.
Curious as they were, the hackers accessed the AS400 system, from where they also ended up on the SCADA system and started modifying parameters at random, unknowingly changing water treatment values.
Secondary security measures allowed KWC to detect abnormalities in the levels of released chemicals, and aborted the hackers’ instructions, but this happened often enough to arouse suspicions that this had to be more than a glitch.
Data breach digest. Scenarios from the field
http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Tomi Engdahl says:
The Great Linux Mint Heist: the Aftermath
http://www.linuxjournal.com/content/great-linux-mint-heist-aftermath
In a shocking move, cyber criminals recently hacked the Linux Mint Web server and used it to launch an attack against the popular distro’s user base.
The hackers managed to alter the official Linux Mint Web site to point to an infected ISO image. The infected image contains a valid installation of Linux Mint 17.3 Cinnamon edition, along with the Tsunami IRC backdoor. The backdoor allows the cyber criminals to access the unsuspecting user’s system, steal data and gain control over the software and hardware.
The hack occurred on the night of the 20th of February and was detected the next day. Any users who downloaded and installed Linux Mint 17.3 Cinnamon edition during that period are at risk. Users who installed Mint before or after that date are not at risk.
The Mint team responded by taking the site down while they worked to patch the hole. They worked for more than a week to make their Web servers much more secure. This involved isolating the specific weaknesses that allowed the attack and hardening their system against future abuses.
The Tsunami backdoor, which was installed on the infected ISO image, is usually used by attackers to launch distributed denial-of-service attacks (DDOS).
But Tsunami has other darker uses too. It provides access to the local filesystem and any sensitive information that may be installed on the computer.
The attack was made possible by a weakness in the WordPress blog used on the official Mint site.
Moving forward, the Mint team is working to improve the security of the installation process, so users can verify that they have downloaded a legitimate ISO before installing it.
Tomi Engdahl says:
The incident classification patterns involving confirmed data breaches, in order of frequency, over the past three years are:
1. Point-of-sale (POS) intrusions—POS application/system related attacks.
2. Web app attacks—web application related stolen credentials or vulnerability exploits.
3. Cyberespionage—state-affiliated, targeted attacks.
4. Crimeware—malware used to compromise systems.
5. Insider and privilege misuse—unauthorized insider related activity.
6. Payment card skimmers—physically installed malicious card readers.
7. Miscellaneous errors—any mistake that compromises security.
8. Physical theft and loss—physical loss or theft of data/IT related assets.
9. Denial of service (DoS) attacks—non-breach related attacks affecting business operations.
Source: http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest_xg_en.pdf
Tomi Engdahl says:
Google’s Binary Comparison Tool “BinDiff” Available for Free
http://www.securityweek.com/google%E2%80%99s-binary-comparison-tool-bindiff-available-free
Google announced on Friday that its binary comparison tool BinDiff can be downloaded by security researchers free of charge.
BinDiff, which has been owned by Google since it acquired zynamics in 2011, uses a graph-theoretical approach to compare disassembled code. The tool can be used to identify similar and identical functions in different binaries, find changes between two variants of the same function, and port function names, local variable names and comments from one disassembly to another.
BinDiff can be used to compare files designed for various architectures, including x86, ARM/AArch64, MIPS and PowerPC.
In practice, researchers have been using the tool to analyze multiple versions of a binary, and identify vulnerability fixes in patches released by vendors. BinDiff has also been used in the analysis of malware samples, namely to transfer analysis results from one binary to another in an effort to prevent duplicate analysis.
Google has been using the BinDiff core engine as part of its malware processing system.
BinDiff now available for free
https://security.googleblog.com/2016/03/bindiff-now-available-for-free.html
BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary. Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries.
Tomi Engdahl says:
Anti-Hack: Free Automated SSL Certificates
http://hackaday.com/2016/03/20/anti-hack-free-automated-ssl-certificates/
There was a time when getting a secure certificate (at least one that was meaningful) cost a pretty penny. However, a new initiative backed by some major players (like Cisco, Google, Mozilla, and many others) wants to give you a free SSL certificate. One reason they can afford to do this is they have automated the verification process so the cost to provide a certificate is very low.
That hasn’t always been true. Originally, trusted certificates were quite expensive. To understand why, you need to think about what an SSL certificate really means. First, you could always get a free certificate by simply creating one. The price was right, but the results left something to be desired.
A certificate contains a server’s public key, so any key is good enough to encrypt data to the server so that no one else can eavesdrop. What it doesn’t do is prove that the server is who they say they are. A self-generated certificate says “Hey! I’m your bank!” But there’s no proof of that.
To get that proof, you need two things. You need your certificate signed by a certificate authority (CA). You also need the Web browser (or other client) to accept the CA. A savvy user might install special certificates, but for the most utility, you want a CA which browsers already recognize.
With the Let’s Encrypt verification, you must have the right to either configure a DNS record or place a file on the server — a process with which webmasters are already familiar.
Tomi Engdahl says:
Adobe has figured out a clever way to track people as they switch between devices
http://uk.businessinsider.com/adobe-launches-marketing-cloud-device-co-op-2016-3?r=US&IR=T
Adobe announced Tuesday it is launching a “cross-device co-op” that will offer marketers a better view of who their customers are as they switch from their laptops to their mobiles and over to their tablets.
One of the major advantages Google and Facebook have over other companies in the digital advertising and marketing space is their ability for cross-device tracking, thanks to those companies’ huge audience of logged-in users.
Many other companies — particularly ones like Adobe that don’t have popular consumer products — have to rely on dropping cookies, IP addresses, and using probabilistic (rather than deterministic) methods to make sure they are targeting ads to the right people.
There’s also the issue of counting the same user twice when it comes to measurement as they switch across different devices.
Adobe wants to solve this problem for its Marketing Cloud customers with a “co-operative” that it expects will link up to 1.2 billion different devices.
Marketers will give Adobe access to “cryptographically hashed login IDs and HTTP header,” which it says will fully hide a consumer’s personal identity. Adobe sorts this data into clusters to build out a graph of device links.
A retailer that sees a user that isn’t logged in, who visits their site on both desktop and mobile, could use device information from a travel site in the co-operative — which does have the logged-in data — to link those two devices together to one person.
In return, that airline will also get similar data back from other participants in the scheme.
Whillock added that the benefit of the co-op versus existing cross-device products from Facebook and Google is that it avoids their “walled gardens”.
Tomi Engdahl says:
After Decades of Abuse, Microsoft Adds an Anti-Macro-Malware Feature To Office
https://tech.slashdot.org/story/16/03/23/0327214/after-decades-of-abuse-microsoft-adds-an-anti-macro-malware-feature-to-office
Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware. Sysadmins can now use group policies to disable the execution of macro scripts that retrieve content off the Internet.
Microsoft Adds New Feature in Office 2016 That Can Block Macro Malware
http://news.softpedia.com/news/microsoft-adds-new-feature-in-office-2016-that-can-block-macro-malware-502058.shtml
Microsoft is finally addressing the elephant in the room in terms of security for Office users and has announced a new feature in the Office 2016 suite that will make it harder for attackers to exploit macro malware.
For years, macro malware has been the easiest avenue in infecting Microsoft users, and despite all the warnings and examples where macro-transmitted malware infections have ravaged entire companies, users kept enabling macros in their Office documents.
Created to allow dynamic content to be loaded in Word, Excel, and PowerPoint documents, macros allow crooks to automatically execute malicious scripts that connect to the Internet and download malware.
The usual way to deliver macro malware is by spam.
While security-aware users will quickly recognize this as a malware-laden file, most users will not, and will follow the instructions by enabling macros.
As soon as this happens, the malicious scripts recorded in the document’s macro are executed, and the malware is retrieved from a remote Web server, saved on the computer, and even launched in execution.
Now, Microsoft is announcing a new feature in its Office 2016 suite that will allow corporate network administrators to block the execution of macros that retrieve content from untrusted sources, which in most network configurations is “the Internet.”
Tomi Engdahl says:
Cyberthreat: How to respond…and when
Is this an all hands on deck moment?
http://www.theregister.co.uk/2016/03/23/responding_to_the_threat/
Spotting threats in cyberspace is like star gazing. There are lots of them out there, but telling them apart and working out which ones are about to go supernova takes experience and skill.
You don’t want to pour the same resource into protecting yourself against every single perceived threat, because no budget can support that. Instead, your response must be proportionate. How can you identify threats properly and ensure an appropriate response to each of them?
Tomi Engdahl says:
The Dark Arts: Cross Site Scripting
http://hackaday.com/2016/03/23/the-dark-arts-cross-site-scripting/
In 2011, a group of hackers known as Lulzsec went on a two month rampage hacking into dozens of websites including those owned by FOX, PBS, the FBI, Sony and many others. The group was eventually caught and questioned about how they were able to pull off so many hacks. It would be revealed that none of the hackers actually knew each other in real life. They didn’t even know each other’s real names. They only spoke in secluded chat rooms tucked away in a dark corner of the internet and knew each other by their aliases – [tFlow], [Sabu], [Topiary], [Kayla], to name a few. Each had their own special skill, and when combined together they were a very effective team of hackers.
It was found that they used 3 primary methods of cracking into websites – SQL injection, cross-site scripting and remote file inclusion.
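Cross-site scripting, the subject of the linked article, comes down to untrusted input reaching a page without being encoded for the context it lands in. The block below is an added example, not code from the article or from Hackaday: a vulnerable string-concatenation renderer sits beside a hardened one, with a crude reviewer check that flags when an input survives as live markup. The inputs are constructed test strings.

```python
"""Added example: reflected XSS in a naive renderer, and the hardened form.

Not the article's code. Inputs are constructed; the renderers stand in for
a template that echoes a user-supplied name and profile link.
"""
import html


def render_unsafe(name: str, link: str) -> str:
    """Vulnerable: untrusted values are concatenated straight into markup,
    so '<' in `name` becomes a tag and a 'javascript:' link becomes a script."""
    return f'<p>Hello, {name}!</p><a href="{link}">profile</a>'


def render_safe(name: str, link: str) -> str:
    """Hardened: encode for the HTML text context, and for the attribute
    context additionally restrict the URL scheme before encoding."""
    safe_name = html.escape(name, quote=True)
    if not link.lower().startswith(("http://", "https://")):
        link = "#"  # refuse javascript:, data: and other non-http schemes
    safe_link = html.escape(link, quote=True)
    return f'<p>Hello, {safe_name}!</p><a href="{safe_link}">profile</a>'


def has_injected_markup(rendered: str, untrusted: str) -> bool:
    """Crude review check: an untrusted value containing '<' that appears
    verbatim in the output has not been encoded and is a finding."""
    return "<" in untrusted and untrusted in rendered


# Constructed test inputs, of the textbook kind a scanner would send.
TAG_INPUT = "<script>alert(1)</script>"
QUOTE_INPUT = 'x" onmouseover="alert(1)'
SCHEME_INPUT = "javascript:alert(1)"


def demo() -> dict:
    return {
        "unsafe_tag": has_injected_markup(render_unsafe(TAG_INPUT, "https://example.invalid/"), TAG_INPUT),
        "safe_tag": has_injected_markup(render_safe(TAG_INPUT, "https://example.invalid/"), TAG_INPUT),
        "safe_name_output": render_safe(TAG_INPUT, "https://example.invalid/"),
        "safe_quote_output": render_safe(QUOTE_INPUT, "https://example.invalid/"),
        "safe_link_output": render_safe("alice", SCHEME_INPUT),
        "unsafe_link_output": render_unsafe("alice", SCHEME_INPUT),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The scheme check matters because `html.escape` alone does nothing against `javascript:` in an `href`; encoding is context-specific, and the attribute context needs both the scheme restriction and the quoting.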
Tomi Engdahl says:
Could test and measurement crack Farook’s iPhone?
http://www.edn.com/electronics-blogs/test-cafe/4441638/Could-test-and-measurement-crack-Farook-s-iPhone-?_mc=NL_EDN_EDT_EDN_today_20160323&cid=NL_EDN_EDT_EDN_today_20160323&elqTrackId=5f8f914f510841d8960cbc71d05d951d&elq=3d0696c3a0f8418a965458b5a32d073d&elqaid=31449&elqat=1&elqCampaignId=27482
So, the FBI went to a judge, and convinced the magistrate to order Apple to help them crack the phone. Apple was ordered to do two things: modify the device so that it won’t wipe the data after any number of false passcodes and, secondly, to defeat the increasing time delay after each false entry. This would then allow the FBI to do a “brute force” opening of Farook’s iPhone by entering all possible four-digit combinations at high speed until one worked. The order is based on the 1789 All Writs Act, and is being contested by Apple.
Here’s an alternative idea, and it requires test and measurement equipment.
Assuming a 4-digit password, here’s a 4-step plan for cracking Farook’s iPhone 5c:
Step 1: Read the contents of all flash memory on Farook’s iPhone, either by unsoldering the components, or via ICT (In-Circuit Test or serial ports such as JTAG). This is the test and measurement-centric portion of this plan. The data is encrypted, so it is still worthless.
Step 2: Purchase 1000 iPhone 5cs and 1000 of each memory chip. Program the memory to have the exact same data as in Farook’s phone.
Step 3: Unsolder the memory chips in the 1000 iPhones. Replace them with those programmed with Farook’s data.
Step 4: You now have 1000 copies of Farook’s iPhone. All 10,000 passcodes can be tried, 10 per iPhone.
Is this possible?
Tomi Engdahl says:
Big Data is Watching: Growing Digital Data Surveillance of Consumers by ISPs and Other Leading Video Providers
https://www.democraticmedia.org/article/big-data-watching-growing-digital-data-surveillance-consumers-isps-and-other-leading-video
Americans face growing new threats to their personal privacy as phone and cable Internet service providers (ISPs), along with leading Internet companies, expand their ability to capture details about what we do online in order to target us with data-driven personalized advertising. This report examines AT&T, Comcast, Cablevision, Charter, Cox, Verizon, Dish, Time Warner Cable, Viacom, Google, News Corp. (Fox), Turner Broadcasting (Time Warner), and Disney, focusing on some of their recent data- and video-related advertising practices.
ISPs have formed partnerships with powerful data brokers (including Acxiom, Krux, and Oracle Marketing Cloud), gaining new insights into our online and offline behaviors. They are incorporating state-of-the-art “Big Data” practices, such as “programmatic advertising” that instantaneously buys and sells individual consumers—to financial marketers, fast-food companies, and health advertisers, for example—all without the consumer’s knowledge. In the process, ISPs have transformed TV and digital video into a vast new source of personal information, analyzing set-top box and streaming-video data for our viewing habits, and combining that information with sensitive online and offline data (including financial, health, racial, ethnic, and location) to compile detailed “digital dossiers” on millions of Americans.
The Federal Communications Commission’s pending proceeding on privacy should examine all the ways that broadband networks operated by Internet service providers gather and use consumer information today.
Tomi Engdahl says:
Anonymous will continue to fight against ISIS – “the best weapon is to rise up against racism”
The hacker group Anonymous has released a new video in which it says it will continue its cyber war against ISIS.
Anonymous says it punishes ISIS drastically on the internet. The hacker group says it has broken into electronic wallets, moved money out of terrorists’ accounts and hit propaganda sites.
Anonymous exhorts all citizens to act against terrorism. The hacker group advises that hacking is not the best way to fight terrorist organizations.
Source: http://www.tivi.fi/Kaikki_uutiset/anonymous-jatkaa-isis-in-lyomista-paras-ase-on-nousta-rasismia-vastaan-6535551
Tomi Engdahl says:
Belgian authorities had intel on the bombers, but STILL failed to stop them
http://mashable.com/2016/03/23/belgian-intel-brussels-bombers/?utm_cid=hp-hh-pri#5SczKqtUREqE
Since Tuesday’s deadly bombings in Brussels, it’s come to light that Belgium’s security and intelligence services either missed or overlooked several clues that may have led them to the attackers — and questions about authorities’ actions are piling up.
The deadly attacks struck the heart of the European Union — right under the nose of law enforcement — despite high security measures already in place after the Paris attacks in November and a flurry of police activity in Brussels in recent days. What went wrong?
Suspects were already on law enforcement’s radar
The fact that the suspects were on Belgian authorities’ radar well before Tuesday’s bombings — some even before the Paris attacks — and yet were able to evade capture raises serious questions about their ability to gather intelligence.
Belgium’s security forces and counterintelligence services have reportedly been overwhelmed by the terror investigations following the Paris attacks, with few resources at their disposal to uncover or disrupt existing plots.
Tomi Engdahl says:
Finnish Communications Regulatory Authority: serious gap in Android – check for updates
The Finnish Communications Regulatory Authority said on Wednesday that Google has released an update to the Android operating system that fixes a vulnerability found in the kernel.
Google has released an update to the Android operating system for a vulnerability found in the kernel. By exploiting the vulnerability, a user can escalate their privileges to administrator level. The vulnerability has been found to be actively exploited.
According to information received by Google, the vulnerability is being actively exploited. An application that lets the user escalate privileges to root level has been distributed through the official Play app store.
Vulnerable are Android devices whose operating system kernel version is 3.4, 3.10 or 3.14 and which were compiled before 18/03/2016.
You can check the update level as follows: Settings -> About phone -> “Android security patch level”
Sources:
http://www.tivi.fi/Kaikki_uutiset/viestintavirasto-androidissa-vakava-aukko-tarkista-paivityksesi-6535557
https://www.viestintavirasto.fi/kyberturvallisuus/haavoittuvuudet/2016/haavoittuvuus-2016-041.html
Tomi Engdahl says:
Finnish Parliament admitted that it was hit by a denial of service attack – the hackers make fun of cyber protection
According to the Parliament’s bulletin, the outage lasted for several hours. It was noticed a little after 10 am.
The hacker group FinnSec Security took responsibility for the attack early in the afternoon. The same outfit says it is also responsible for this week’s attacks on, among others, the Social Insurance Institution, the Ministry of Defence, Netra, Valtorta and several ministries.
As a motive the group cites, among other things, Finland’s poor security and cyber protection.
“What if the next weapon would be UDP, NTP or TCP protocol-based (sic) attacks? ”
Sources:
http://www.tivi.fi/Kaikki_uutiset/eduskunta-myonsi-palvelunestohyokkayksen-hakkerit-pilkkaavat-kyberpuolustusta-6535304
http://www.tivi.fi/Kaikki_uutiset/nytko-on-eduskunnan-vuoro-aloitimme-hyokkayksen-ja-hymio-peraan-6535190
Tomi Engdahl says:
Karissa Bell / Mashable:
Facebook impersonation tool is now live in 75% of the world, alerting users when their names and profile pictures are being used by someone else
Facebook is testing a feature that alerts you if someone is impersonating your account
http://mashable.com/2016/03/22/facebook-impersonation-alert/#S5rhBkCyRgq3
Facebook is working on a new tool to help stem one source of harassment on its platform.
The social network is testing a new feature that will automatically alert you if it detects another user is impersonating your account by using your name and profile photo.
When Facebook detects that another user may be impersonating you, it will send an alert notifying you about the profile. You’ll then be prompted to identify if the profile in question is impersonating you by using your personal information, or if it belongs to someone else who is not impersonating you.
Though the notification process is automated, profiles that are flagged as impersonations are manually reviewed by Facebook’s team.
While impersonation isn’t necessarily a widespread problem on Facebook, it is a source of harassment on the platform, despite the company’s longstanding policy against it.
Tomi Engdahl says:
Alex Kantrowitz / BuzzFeed:
How the internet manipulated Microsoft’s AI chatbot into learning and repeating hate speech
How The Internet Turned Microsoft’s AI Chatbot Into A Neo-Nazi
http://www.buzzfeed.com/alexkantrowitz/how-the-internet-turned-microsofts-ai-chatbot-into-a-neo-naz#.ntZ694o2K
“Tay” was tricked by a bunch of people exploiting a dead-simple but glaring flaw.
Peter Lee / The Official Microsoft Blog:
Microsoft apologizes for Tay’s hurtful tweets, says coordinated attack exploited vulnerability in Tay — Learning from Tay’s introduction — As many of you know by now, on Wednesday we launched a chatbot called Tay. We are deeply sorry for the unintended offensive and hurtful tweets from Tay …
Learning from Tay’s introduction
http://blogs.microsoft.com/blog/2016/03/25/learning-tays-introduction/
Tomi Engdahl says:
Catalin Cimpanu / Softpedia News:
Verizon study highlights how bad network design, outdated systems, and old operating systems exposed a water treatment plant to inadvertent hacking
Hackers Modify Water Treatment Parameters by Accident
http://news.softpedia.com/news/hackers-modify-water-treatment-parameters-by-accident-502043.shtml
A group of hackers, previously involved in various hacktivism campaigns, have accidentally made their way into an ICS/SCADA system installed at a water treatment facility and have altered crucial settings that controlled the amount of chemicals used to treat tap water.
This strange hacking incident is described in Verizon’s 2016 Data Breach Digest (page 38, Scenario 8), a collection of case studies that the company’s RISK team was brought in to investigate.
The victim of the hack is a company that Verizon identified under the generic name of Kemuri Water Company (KWC). As the RISK team explains, the company noticed that, for a couple of weeks, its water treatment center was behaving erratically, with chemical values being modified out of the blue.
Tomi Engdahl says:
Brian Krebs / Krebs on Security:
1.5M stolen records for sale of customers of Verizon Enterprise, which confirmed a breach took place
Crooks Steal, Sell Verizon Enterprise Customer Data
http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/
Verizon Enterprise Solutions, a B2B unit of the telecommunications giant that gets called in to help Fortune 500’s respond to some of the world’s largest data breaches, is reeling from its own data breach involving the theft and resale of customer data, KrebsOnSecurity has learned.
Earlier this week, a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise.
Tomi Engdahl says:
Romain Dillet / TechCrunch:
With Privacy, you can create virtual debit cards to protect your online payments
http://techcrunch.com/2016/03/25/with-privacy-you-can-create-virtual-debit-cards-to-protect-your-online-payments/
Meet Privacy, a new startup with a confusing name but an interesting product. Privacy lets you generate a virtual burner card every time you need to enter your credit card number on the web. Your actual credit card number stays safe, and you get more control over your online subscriptions.
Privacy works with a Google Chrome browser extension. After installing the extension, a tiny Privacy icon will appear next to a credit card form when it’s time to pay. When you click the button, the extension automatically generates a new virtual Visa debit card specifically for this website.
Behind the scene, Privacy connects with your bank account so it can withdraw money from your bank account. Right now, Privacy works with the big American banks (Bank of America, Citibank, Chase, Wells Fargo), as well as a handful of others. Privacy also has an iOS app in case you’re not in front of your computer.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
Google and Yahoo say they’re still working on usable end-to-end encrypted email but decline to predict release dates
The Dream Of Usable Email Encryption Is Still A Work In Progress
http://motherboard.vice.com/read/google-yahoo-end-to-end-email-encryption-work-in-progress
Tech-savvy people have had a way to send secure email since the mid 1990s, when legendary cryptographer Phil Zimmermann created the encryption software known as Pretty Good Privacy, or PGP.
But despite more than 20 years of existence, PGP, as well as its free replacement GPG, has never been mainstream. That’s because it’s a relatively hard-to-use tool for the few who would bother to use the command line, clunky email clients’ extensions, and bootstrapped software.
But in 2014, in the aftermath of the Edward Snowden revelations, Google and Yahoo, the two largest email providers in the world, promised to change that once and for all with a browser plugin that would make sending encrypted emails so seamless anyone could use it.
Tomi Engdahl says:
Bank Freezes Online Payment Over Dog’s ‘Terrorist-Sounding’ Name
Chase officials thought “Dash” sounded too much like “Daesh.”
http://www.huffingtonpost.com/entry/chase-bank-dog-check-refuses_us_56f8df8de4b0a372181a4653
A San Francisco man’s online payment was blocked by his bank earlier this month because his dog’s name sounded like a terrorist network.
put the 9-year-old pitbull’s moniker “Dash” in the memo line
Bank officials thought Dash sounded a little bit too much like Daesh, the Arabic term for the self-described Islamic State, and canceled the payment.
Chase also flagged the payment with the U.S. Treasury Department, which placed a note on Francis’ account asking him to “explain what Dash means.” Once Francis explained to officials at the department’s Office of Foreign Assets Control (OFAC) that Dash was his dog’s name, his payment was processed.
“This is an important part of ensuring that crime does not filter through the U.S. banking system. In this instance, the payment was flagged, reviewed and eventually released.”
Tomi Engdahl says:
More Encryption, More Notifications, More Email Security
https://security.googleblog.com/2016/03/more-encryption-more-notifications-more.html
Today, we’re announcing a variety of new protections that will help keep Gmail users even safer and promote email security best practices across the Internet as a whole.
On Safer Internet Day this year, we introduced a new visual element to Gmail that lets users know when they’ve received a message that wasn’t delivered using encryption or if they’re composing a message to a recipient whose email service doesn’t support TLS encryption.
This has had an immediate, positive effect on Gmail security. In the 44 days since we introduced it, the amount of inbound mail sent over an encrypted connection increased by 25%.
However, as our recent research with the University of Michigan and University of Illinois shows, misconfigured or malicious parts of the Internet can still tamper with email encryption. To help ensure TLS encryption works as intended, we’ve teamed-up with a variety of industry partners — including Comcast, Microsoft, and Yahoo!— to submit a draft IETF specification for “SMTP Strict Transport Security.”
Since 2007, Safe Browsing has protected users across the web by warning them before they visit dangerous sites known for phishing, malware, and Unwanted Software.
Since 2012, we’ve warned Gmail users when we suspect they’ve been targeted by state-sponsored attackers
Tomi Engdahl says:
Facebook rapidly patches Instagram bug which left one million users open to exploit
The Instagram-based issue earned a researcher $5,000 for his bug bounty report.
http://www.zdnet.com/article/facebook-rapidly-patches-instagram-bug-which-left-one-million-users-open-to-exploit/
Facebook has patched two vulnerabilities which affected approximately one million users of Instagram and left their accounts open to compromise.
The social networking giant awarded $5,000 to Belgian security researcher Arne Swinnen, who discovered the security flaw, as part of the firm’s bug bounty program.
According to a blog post published on Friday, Swinnen came across two security weaknesses while accessing an old test account on the photo-sharing platform
How I Could Compromise 4% (Locked) Instagram Accounts
https://www.arneswinnen.net/2016/03/how-i-could-compromise-4-locked-instagram-accounts/
Missing authentication combined with a simple Insecure Direct Object Reference vulnerability allowed the takeover of a selection of temporarily locked Instagram accounts. An extrapolation of the PoC account range showed that 4% of all existing & active Instagram accounts (currently approximately 1 million) were in a vulnerable locked state. Facebook fixed the vulnerability within a day and granted a $5,000 bounty 10 days later.
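The two weaknesses the researcher names, a missing authentication check and an insecure direct object reference, are worth seeing side by side. The block below is an added example and is not the researcher’s or Instagram’s code: it models an account-recovery endpoint that takes an account id from the request, shows the vulnerable form, the hardened form with an object-level ownership check, and a simple log-based detection for id enumeration. Accounts, sessions and the request log are constructed.

```python
"""Added example: missing authentication plus IDOR on an account-recovery
endpoint, the hardened form, and a detection over constructed request logs.

Not the researcher's or the platform's code. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    locked: bool
    password: str


class AuthzError(Exception):
    """Raised when the caller is unauthenticated or not the object's owner."""


def make_accounts() -> dict:
    # Constructed sample accounts; 1002 is in the "temporarily locked" state.
    return {
        1001: Account(1001, False, "alice-old"),
        1002: Account(1002, True, "bob-old"),
        1003: Account(1003, True, "carol-old"),
    }


def reset_password_vulnerable(accounts: dict, account_id: int, new_password: str) -> bool:
    """Vulnerable: no session required, and the account id comes straight
    from the request. Anyone who can guess an id resets that account."""
    acct = accounts[account_id]
    acct.password = new_password
    acct.locked = False
    return True


def reset_password_safe(accounts: dict, session: dict, account_id: int, new_password: str) -> bool:
    """Hardened: (1) the caller must be authenticated, (2) the object-level
    check ties the requested id to the caller's own identity, (3) the
    account id is never trusted as proof of ownership."""
    if not session or "user_id" not in session:
        raise AuthzError("not authenticated")
    if session["user_id"] != account_id:
        raise AuthzError("forbidden: caller does not own this account")
    acct = accounts[account_id]
    acct.password = new_password
    acct.locked = False
    return True


def enumeration_suspects(request_log: list, max_distinct_ids: int = 2) -> dict:
    """Detection: one client touching many different account ids on an
    endpoint where each user has exactly one account is the IDOR footprint.
    `request_log` entries are (client_key, account_id) tuples."""
    seen = defaultdict(set)
    for client_key, account_id in request_log:
        seen[client_key].add(account_id)
    return {k: len(v) for k, v in seen.items() if len(v) > max_distinct_ids}


def demo() -> dict:
    accounts = make_accounts()
    # Unauthenticated caller hits the vulnerable endpoint for someone else's id.
    took_over = reset_password_vulnerable(accounts, 1002, "attacker-set")

    accounts = make_accounts()
    denied = 0
    for session in (None, {}, {"user_id": 1001}):
        try:
            reset_password_safe(accounts, session, 1002, "attacker-set")
        except AuthzError:
            denied += 1
    owner_ok = reset_password_safe(accounts, {"user_id": 1002}, 1002, "bob-new")

    # Constructed request log: one client walks a range of ids, one does not.
    log = [("10.0.0.5", 1001)] + [("203.0.113.9", i) for i in range(1001, 1012)]
    return {
        "vulnerable_took_over": took_over,
        "safe_denied": denied,
        "owner_reset_ok": owner_ok,
        "owner_password": accounts[1002].password,
        "enumeration": enumeration_suspects(log),
    }


if __name__ == "__main__":
    print(demo())
```

The ownership comparison is the whole fix: authentication alone still lets any logged-in user reset any id, which is the IDOR half of the finding.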
Tomi Engdahl says:
1.5M Verizon Enterprise customer records selling on forum after breach
Unfortunate 500 among biz to get bad news letter
http://www.theregister.co.uk/2016/03/29/15m_verizon_enterprise_customer_records_selling_on_forum_after_breach/
Some 1.5 million Verizon Enterprise customer records have been stolen and are being sold on a criminal hacking forum, according to reports.
A trusted seller on a popular but shadowy unnamed criminal forum asked for US$100,000 for the database or US$10,000 for batches of 100,000 records, investigative blogger Brian Krebs reports.
Verizon Enterprise counts 99 percent of the Fortune 500 among its customer base.
“Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers.”
http://krebsonsecurity.com/2016/03/crooks-steal-sell-verizon-enterprise-customer-data/
Tomi Engdahl says:
Some old SAP systems have default kernel user accounts. Guess what happened next?
Infosec bloke pokes hornet’s nest with stick; patch ASAP
http://www.theregister.co.uk/2016/03/29/sap_vuln_accounts_password_security_flap/
Security researchers were able to access default SAP accounts on enterprise systems worldwide by using default passwords.
The security snafu meant that SAP systems worldwide were potentially vulnerable to data theft, business process disruption and fraud, specialist security outfit ERP-SEC warned.
Joris van de Vis, researcher at ERP-SEC, demonstrated full compromises of the SAP Solution Manager and connected systems via three of these default accounts during a presentation at the recent Troopers Security Conference.
Tomi Engdahl says:
R&D white coats at HP Inc will make corporate ID into wearable tech
’32,000 years of wearable evolution’ – this is what it’s come to
http://www.theregister.co.uk/2016/03/29/hp_wearables/
Sex up the corporate name badge
He said wearables are not new: “They’ve been around for 32,000 years, there’s the henna tattoo, the piece of leather that got stripped out, the piece of metal that got pounded out more.”
So after all those years of evolution, what is the next big thing? “Think about it, what is the most deployed wearable in enterprise? It’s actually your badge. All of us at any sizeable company have a badge. We see the opportunity to replace the badge with something you are already going to wear today.”
The, er, smart badge, will allow the person wearing it to get access to their work’s premises, to compute resources and it can be used to authenticate the person, as opposed to “authenticating against a badge that could be handed to someone else for entry.”
Tomi Engdahl says:
Pentagon Chief Used Personal Email Account for Nearly a Year
http://fortune.com/2016/03/26/ash-carter-personal-email/
Defense Secretary Ash Carter used his personal email account for government business for nearly a year, until December 2015, when news reports revealed the practice, according to hundreds of Carter emails released by the Defense Department.
The 1,336 pages of emails and attachments from Carter’s personal account were released late Friday in response to Freedom of Information Act requests by The Associated Press and other news organizations.
The Pentagon has long banned the use of personal email for official business.
Pentagon press secretary Peter Cook said in a statement to the AP that the released emails show that none contained classified information.
Tomi Engdahl says:
A rare good sign: “Oops, we are the subject of a data breach!”
“Oops, we are the subject of a data breach!”
If a company says something like this, it is a good sign. Nothing short of brilliant.
It means that detection capability works, which is very rare.
When online criminals strike, the company rarely notices by itself what has happened. Typically, someone external to the organization gives a tip. By that point, the attacker has been nesting in the network for weeks or months, even years.
“Today’s demands cannot be met without a high level of detection, and even that is not enough. You must also have the ability to understand and analyze the resources,” says Juha Launonen, head of the security business at network equipment manufacturer Cisco.
The result of a study of Finnish companies by consulting company KPMG last year was a cause for concern:
“40 percent of the companies surveyed had been broken into, and they were not aware of it,” says Matti Järvinen, in charge of technical security services at KPMG.
Security thinking has long imitated the construction of castles. Firewalls, intrusion prevention, authentication and security software would compare with the castle walls, moat, well-guarded gates and passwords. An advanced version of the defense in layers resembles the structure of an onion.
“It can no longer be assumed that an attack can be prevented; instead, the model should be that someone is already inside,”
“Detection has become part of the agenda, thanks to it now being available in decent graphical user interfaces. Three years ago it was not.”
The company must find a way to create an internal intelligence service.
“An attack always causes changes. For example, a computer may slow down, which leads the user to file a fault ticket with IT support,”
It is essential to detect and act as quickly as possible when the defense fails at some point. Internationally, breaches are detected on average more than 200 days after the successful break-in.
“Through systematic detection work the time can be dramatically shortened. The faster you can react, the more easily and with less damage you recover from the situation,”
Data security experts point out that before you even think about technology, you have to think about your own business, its continuity and risk management.
“Protection must then be developed through it, the threats to the environment and the processes,”
Even a small company can start internally and at little cost. First, perform a risk analysis that tells you what is critical and what is not.
For the technical basis of detection, what constitutes a normal state must be modeled (profiling).
“A deviation can be detected if you are able to identify how systems behave in a normal situation, how much traffic there is and what kind of memory and processor load,”
Intrusion investigators encounter all too often that the company has a lot of detection devices but has not taken them into use. Network monitoring must be turned on.
The network architecture might need to be remodeled.
“We are talking about segmentation, even micro-segmentation,”
“As a starting point, decide for yourself the critical points, but, for example, a workstation network’s browsing traffic is a very interesting place, because a big part of the attacks come from there,”
Observe the logs, for example special queries, failed events, or things that have occurred the least.
One useful tool is security information and event management, or SIEM. SIEM is easily an expensive solution, but reasonably inexpensive if it focuses on the effective protection of essential information.
Intelligence services are known to correlate information from different sources, i.e. search for dependencies. In the same way the company should combine knowledge, weak and strong signals.
In particular, monitoring of use (UBA, user behavior analysis).
In addition, physical access control and detection of threats on the network should be connected to each other.
Anticipate and rehearse
If a company finds threatening clues, it needs to quickly interpret the situation and act. Is the attacker only spying on their target? How strong a foothold has already been gained? If the attacker is already deep, it often goes to forensics.
Responses need to be planned in advance.
When detection is taken seriously, it becomes an endless continuum.
Source: http://www.tivi.fi/Kaikki_uutiset/harvinaisen-hyva-merkki-hups-olemme-tietomurron-kohteena-6536241
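The article’s advice, profile the normal state first and then look at failed events and the things that occur least, can be shown in a few lines of detection logic. The block below is an added example, not code from the article or from any of the vendors quoted: it builds a profile from a constructed “last week” of authentication log lines, then reports today’s deviations from that profile (event types never seen on a host, a user logging in from a source never seen for them) and failed-login bursts. The log format and every line in it are constructed.

```python
"""Added example: baseline profiling and deviation detection over auth logs.

Not the article's code. The log format is an invented syslog-like line:
  <timestamp> <host> <event> user=<user> src=<ip>
All lines are constructed sample data.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed "normal week": the profile is built from these.
BASELINE_LINES = [
    "2016-03-21T08:00:01 ws01 login_ok user=alice src=10.0.0.5",
    "2016-03-21T08:05:12 ws01 login_ok user=bob src=10.0.0.6",
    "2016-03-21T09:10:44 ws02 login_ok user=carol src=10.0.0.7",
    "2016-03-22T08:02:09 ws01 login_fail user=alice src=10.0.0.5",
    "2016-03-22T08:02:20 ws01 login_ok user=alice src=10.0.0.5",
]

# Constructed "today": bob's account is used from an outside address,
# after a burst of failures, followed by an event never seen on ws01.
TODAY_LINES = [
    "2016-03-29T08:00:01 ws01 login_ok user=alice src=10.0.0.5",
    "2016-03-29T10:00:00 ws01 login_fail user=bob src=203.0.113.9",
    "2016-03-29T10:00:02 ws01 login_fail user=bob src=203.0.113.9",
    "2016-03-29T10:00:04 ws01 login_fail user=bob src=203.0.113.9",
    "2016-03-29T10:00:09 ws01 login_ok user=bob src=203.0.113.9",
    "2016-03-29T10:30:00 ws01 priv_escalation user=bob src=203.0.113.9",
    "2016-03-29T11:00:00 ws02 login_ok user=carol src=10.0.0.7",
]


def parse(lines: list) -> list:
    """Parse lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_profile(events: list) -> dict:
    """The 'normal state': which events occur on which host, which source
    each user normally comes from, and how often each (host, event) occurs."""
    return {
        "host_events": {(e["host"], e["event"]) for e in events},
        "user_sources": {(e["user"], e["src"]) for e in events},
        "counts": Counter((e["host"], e["event"]) for e in events),
    }


def deviations(events: list, profile: dict) -> list:
    """Return (reason, event) pairs for everything outside the profile.
    One event can produce several reasons."""
    findings = []
    for e in events:
        if (e["host"], e["event"]) not in profile["host_events"]:
            findings.append(("unseen_event", e))
        if (e["user"], e["src"]) not in profile["user_sources"]:
            findings.append(("new_source", e))
    return findings


def failed_login_bursts(events: list, threshold: int = 3) -> dict:
    """Count login_fail per (user, src) and keep those at or above threshold."""
    fails = defaultdict(int)
    for e in events:
        if e["event"] == "login_fail":
            fails[(e["user"], e["src"])] += 1
    return {k: n for k, n in fails.items() if n >= threshold}


def rarest_events(profile: dict, max_count: int = 1) -> list:
    """The 'things that have occurred the least' in the baseline itself."""
    return sorted(k for k, n in profile["counts"].items() if n <= max_count)


def run() -> dict:
    profile = build_profile(parse(BASELINE_LINES))
    today = parse(TODAY_LINES)
    return {
        "deviation_reasons": Counter(reason for reason, _ in deviations(today, profile)),
        "bursts": failed_login_bursts(today),
        "rare_in_baseline": rarest_events(profile),
    }


if __name__ == "__main__":
    print(run())
```

Two of the three findings (the new source and the failure burst) are visible only because the profile and the per-pair counting exist; the raw lines individually look like routine logins, which is the article’s point about systematic observation versus waiting for an outside tip.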
Tomi Engdahl says:
A new exploit gives hackers near-total control of any Mac
http://thenextweb.com/apple/2016/03/25/a-new-exploit-gives-hackers-near-total-control-of-any-mac/
A newly discovered zero-day vulnerability for OS X allows hackers to execute code previously thought to be protected by Apple’s new kernel defense, known as System Identity Protection (SIP).
“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” said SentinelOne in a blog post announcing the discovery.
Apple OS X Zero Day Vulnerability Can Bypass System Integrity Protection
https://www.sentinelone.com/blog/apple-os-x-zero-day-vulnerability-can-bypass-system-integrity-protection/
Tomi Engdahl says:
Remote Sensing Bombs Could Stem Terrorism
http://hackaday.com/2016/03/29/remote-sensing-bombs-could-stem-terrorism/
If you understand technology, there were a lot of things hard to explain on Star Trek.
Remote sensing would have a very distinct use in today’s world: finding terrorist bombs earlier. A recent article published on New Scientist by [Debora MacKenzie] points out that stopping attacks like the recent one in Brussels is difficult without increasing congestion. For example, putting checkpoints at doors instead of inside transit stations is common in Asia, but causes lines and delays.
Airport security focuses on keeping explosives off planes. Hospital-like CT scanners and X-ray diffraction machines peer into checked luggage as it moves through the bowels of airports. Passengers line up to pass through metal-detectors and be swabbed for explosives. But the Brussels attackers targeted the busy check-in area – where no security checks take place.
How do we prevent a repeat attack? Moving check-points to the front doors is one solution; metal detectors and pat-downs are ubiquitous at airport entrances across Asia. But it would mean further delays, and create new lines of people that could be targeted.
One solution, say security researchers, is to keep people moving, and scan them remotely as they pass through the building.
So how else can we stop explosives getting to crowds of people? “The technologies are either imagers or sniffers,”
Unfortunately, imagers can be tricked. Explosives can be moulded to look like ordinary objects.
Sniffers are harder to fool. Dogs are the best, says Jenkins, but they are hard to use on a large scale.
There are other ways to detect explosives remotely. Rather than analysing captured molecules – like the failed puffers – the Lincoln Laboratory at the Massachusetts Institute of Technology has turned to lasers to “sniff” explosives from a distance.
Lasers are also the main ingredient of a gun-shaped device called G-Scan, developed by Laser Detect Systems of Ramat Gan in Israel. This fires a green laser at a target then uses Raman spectroscopy to identify the molecules that are scattered back.
Detecting explosive material from a distance would let security services search for bomb-making materials – not just finished weapons.
Tomi Engdahl says:
Motherboard:
DoJ asks judge to reconsider order that FBI reveal Tor exploit used in child porn sting
FBI Is Pushing Back Against Judge’s Order to Reveal Tor Browser Exploit
http://motherboard.vice.com/read/fbi-is-pushing-back-against-judges-order-to-reveal-tor-browser-exploit
Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a “fair question” to ask how exactly the FBI caught the defendant.
But the agency is pushing back.
In short, the FBI agent says that revealing the exploit used to bypass the protections offered by the Tor Browser is not necessary for the defense and their case. The defense, in previous filings, has said they want to determine whether the network investigative technique (NIT)—the FBI’s term for a hacking tool—carried out additional functions beyond those authorised in the warrant.
DoJ attorneys have also asked to submit a filing ex parte and in camera, meaning that only the judge would be presented with evidence under the motion.
“Knowing how someone unlocked the front door provides no information about what that person did after entering the house.”
Tomi Engdahl says:
Evan Ratliff / The Atavist Magazine:
The story of kingpin Paul Le Roux, who started E4M, the software that originally served as the basis for TrueCrypt
He Always Had a Dark Side
https://mastermind.atavist.com/he-always-had-a-dark-side
Tomi Engdahl says:
The police warn of a new trend: naked teens
A fashion phenomenon among teens has become spreading their own naked photos taken with mobile phones. US authorities share information and guidance for parents.
Source: http://www.iltalehti.fi/iltvuutiset/201603160120419_v0.shtml?_ga=1.85605916.483596618.1402989016
Tomi Engdahl says:
Andy Greenberg / Wired:
71% of people want the dark web shut down, according to global survey of 24K respondents
Dark Web’s Got a Bad Rep: 7 in 10 People Want It Shut Down, Study Shows
http://www.wired.com/2016/03/study-finds-7-10-people-want-dark-web-shut/
Speculation—no matter how baseless—that online black markets for weapons helped make the terrorist attacks in Paris and Brussels possible hasn’t helped the reputation of the dark web’s anonymous corner of the internet. But one new study shows that even before that dubious link between online anonymity and terror attacks, global opinion on the dark web was already overwhelmingly negative.
On Tuesday, the Canadian think tank the Center for International Governance Innovation released the results of a survey of more than 24,000 individuals in 24 countries, asking their opinion of the dark web—the collection of anonymous web sites that can only be accessed via tools like the anonymity software Tor. In total, 71 percent of the respondents—and 72 percent of Americans in particular—said they believed the “dark net” should be shut down. “The basic perception is that it’s not a good thing,” says Eric Jardine, a CIGI fellow who specializes in research on the dark web and Tor. “For your average Joe or Jane, the dark web is not perceived as a very useful technology, and in fact it’s seen as harmful.”
CIGI’s researchers offered a three-sentence description of it as an anonymous part of the web accessible through only “special web browsers,” mentioning that “journalists, human rights activists, dissidents and whistleblowers can use these services to rally against repression, exercise their fundamental rights to free expression and shed light upon corruption,” while “hackers, illegal marketplaces (eg. selling weapons and narcotics), and child abuse sites can also use these services to hide from law enforcement.” With that prompting in mind, a majority of respondents in all of the two dozen countries surveyed said that the darknet should be shut down.
Tomi Engdahl says:
What you need to know about DDoS and how it threatens your business
https://webinar.darkreading.com/1645?keycode=DRWE03
DDoS attacks have been legitimized as a weapon of cyber warfare and are increasingly used by those with sinister motives in conjunction with other nefarious activities including breach, theft, and destruction.
As a tier-one DDoS protection service provider, Neustar fends off thousands of attacks each year from the very large to the dangerously small.
How attacks are growing in strength and complexity
Why breach should be a foremost concern when experiencing a DDoS attack
How multi-vector attacks pose a real danger to your infrastructure and users
Tomi Engdahl says:
Hack-proof RFID chips being developed by researchers
http://www.controleng.com/single-article/hack-proof-rfid-chips-being-developed-by-researchers/10833fe7a9789dbe17610743f7741eb1.html
Researchers at MIT and Texas Instruments have developed a new type of radio frequency identification (RFID) chip that would prevent burglars from swiping personal information as well as goods from a warehouse by swiping the tags because of innovative countermeasures being developed.
Tomi Engdahl says:
Microsoft extends its Windows Hello login security features to apps and the web
http://techcrunch.com/2016/03/30/microsoft-extends-its-windows-hello-login-security-features-to-apps-and-the-web/
Being able to log in to an app with the help of the fingerprint scanner is quickly becoming a standard feature on mobile. But while Windows PCs and laptops have long had fingerprint scanners to allow you to securely log in to your machine, that protection didn’t extend any further than the login screen.
Now Microsoft is bringing to Windows apps (and even the web) some of the convenience and security of being able to use the same tech it uses to keep enterprise laptops safe. The idea here is to let you use the same technology that powers “Windows Hello” — the login security feature of Windows 10 that supports fingerprint scanners, facial recognition and even iris scanners — to log into other services, as well.
Tomi Engdahl says:
OmniShare: Cloud Storage Encryption
https://ssg.aalto.fi/omnishare/
Existing cloud storage protection solutions use passwords to derive encryption keys. This allows easy access to encrypted storage from multiple devices. However, this approach is vulnerable to brute force attacks and requires user engagement. We want to provide a solution which uses client-side encryption with strong keys (possibly protected by on-device trusted hardware) without significant reduction in the user experience. The solution is also available on different types of devices (Mobiles, Desktop).
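The brute-force weakness of password-derived storage keys that the OmniShare page contrasts with strong client-side keys, shown as an added example (this is not OmniShare's code). It assumes a PBKDF2-derived key with a stored key-check value, an offline attacker with a short guess list, and a toy HMAC-based key wrap standing in for a real AES key-wrap or platform keystore; all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not OmniShare's code): why password-derived storage keys fall to
# offline guessing while random keys protected by a device-bound key do not.
# The names and the toy key-wrapping construction below are assumptions.

PBKDF2_ITERATIONS = 100_000
KCV_LABEL = b"storage-key-check"


def derive_key_from_password(password: str, salt: bytes) -> bytes:
    """Password-based storage key, the scheme the page criticises."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """Short verifier stored beside the ciphertext so a client can confirm it derived
    the right key. It is exactly what an offline guesser tests candidates against."""
    return hmac.new(key, KCV_LABEL, hashlib.sha256).digest()[:8]


def offline_guess(salt: bytes, kcv: bytes, candidates: list) -> Optional[str]:
    """Attacker's view: salt, verifier and a guess list suffice, and no server-side
    rate limit applies because every check runs locally."""
    for guess in candidates:
        if hmac.compare_digest(key_check_value(derive_key_from_password(guess, salt)), kcv):
            return guess
    return None


def generate_strong_key() -> bytes:
    """256-bit key from the OS CSPRNG: nothing a wordlist can enumerate."""
    return secrets.token_bytes(32)


def wrap_key(file_key: bytes, device_key: bytes) -> bytes:
    """Toy stand-in for a real key wrap (use AES-KW or the platform keystore in practice):
    a one-time pad derived from the device key and a fresh nonce."""
    nonce = secrets.token_bytes(16)
    pad = hmac.new(device_key, b"wrap" + nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(file_key, pad))


def unwrap_key(blob: bytes, device_key: bytes) -> bytes:
    nonce, wrapped = blob[:16], blob[16:]
    pad = hmac.new(device_key, b"wrap" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(wrapped, pad))


# Constructed inputs: a weak user password and a small guess list.
USER_PASSWORD = "summer2016"
GUESS_LIST = ["password", "123456", "letmein", "summer2016", "qwerty"]


def compare_schemes() -> dict:
    salt = b"constructed-salt"  # per-user salt, stored in the clear
    pw_key = derive_key_from_password(USER_PASSWORD, salt)
    recovered = offline_guess(salt, key_check_value(pw_key), GUESS_LIST)

    device_key = secrets.token_bytes(32)  # would live in a TPM, secure element or OS keystore
    strong = generate_strong_key()
    blob = wrap_key(strong, device_key)
    not_recovered = offline_guess(salt, key_check_value(strong), GUESS_LIST)

    return {
        "password_scheme_recovered": recovered,     # the weak password is found
        "strong_key_recovered": not_recovered,      # None: no guess derives the random key
        "unwrap_roundtrip_ok": unwrap_key(blob, device_key) == strong,
    }


if __name__ == "__main__":
    print(compare_schemes())
```

The guess loop is the whole point: with a password-derived key the verifier turns every stolen ciphertext into an offline cracking target, and iteration counts only slow the attacker linearly. With a random key the same loop has nothing to enumerate, and the key material is protected by the device key instead of by user engagement.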
Tomi Engdahl says:
Cyber security protection enters a new era
http://www.controleng.com/single-article/cyber-security-protection-enters-a-new-era/3d3c1ba515930f89646e36e6078a96c4.html
Watch for a backdoor cyber security assault. The Juniper Networks incident in December 2015 changed how industry looks at device security as hackers exploit deliberate weaknesses being installed into software. End users, integrators, and device manufacturers need to adapt and prepare for this new reality. Follow these cyber security steps.
A software engineer is trying to complete a major block of code, but his boss cut out a large section including some open-source routines downloaded from the Internet. Replacing those routines will add days to the project. He runs to his boss’ office and pleads: “I need to use that software in the system!”
“You can’t use it. It’s been compromised.”
The engineer nods, having anticipated that reply. “Yes, it’s open-source and came from the Web, but we’ve used it before. I also talked with the software engineers, and they will do a line-by-line review of the source and object code.”
The boss looks up and glances at his award for years of service at an undisclosed location. “You can never be sure something isn’t in there,” he says.
That brief scene might sound like something from a suspense movie, but the situation could be very real given recent events in the cyber security community.
Software engineers trying to write code for devices and industrial systems want to avoid re-inventing the wheel. If someone has already written code to do a certain job, and it works, they don’t want to write it again. They’d rather save time by downloading freeware and open-source code off the Web. Or, they could pick up existing code from earlier products with a proven track record. All of this gets cobbled together and loaded into a new device. As long as it does what it’s supposed to, nobody needs to know or care where it came from.
This has been the working assumption for quite a while, but the landscape is changing. The cyber security world is becoming more confusing with nation-states, hacktivists, and cyber criminals making their presence known. Hackers and their efforts reflect a wide spectrum of skill levels. Some are clumsy and easy to spot. Others are more insidious and undetectable by all except the most sophisticated forensic cyber specialists.
While the engineer looking to streamline the project means well, his boss is correct: unsecure code can lurk within such software. Sometimes it can be found and removed, but a recent example of a cyber security breach proves that the threat can be well camouflaged.
In December 2015, Ars Technica published a stunning report: “On December 17 [2015], Juniper Networks issued an urgent security advisory about ‘unauthorized code’ found within the operating system used by some of the company’s NetScreen firewalls and secure service gateway (SSG) appliances. A patch was issued to the affected device OS, and forensic investigation determined the unauthorized code acted as a backdoor into the device.”
This suggests two conclusions:
1. The unauthorized backdoor was put there intentionally.
2. It was carefully designed to evade detection.
This is the beginning of a new era of cyber criminal threats. We are all used to the notion of attackers exploiting vulnerabilities caused by software flaws. It is a common tactic, and everyone is aware of it. Software patches are supposed to fix these flaws and address these vulnerabilities.
Network device vendors are targeted in this manner because their products are entry points to networks. Access to a router or gateway provides entry to an industrial or enterprise system. Network device security thus often proves to be the soft underbelly of many organizations’ defensive strategies. The value of such a backdoor secretly placed in a device, hidden with normal-looking code, is huge, and the larger implications are frightening.
Why? Let’s consider some examples of how this new network device threat will change security best practices:
1. Using network switches to implement virtual local area network (VLAN) separation between industrial control and business networks is no longer adequate. No organization can design networks with VLAN separation and expect them to be secure.
2. Depending on VPN encryption as a magic bullet to protect confidentiality is no longer adequate. An organization will need to start looking at how deeply it depends on VPN techniques as their “go to” solution to move information on secured networks. A VPN tunnel is no longer safe across any network, particularly for long-distance communication within global organizations.
3. Assuming all is well with network device configuration isn’t safe anymore. Many organizations follow a basic practice: if nobody touches a device, it has the same configuration it had before. That is no longer true. Companies will need to ramp up configuration control and auditing to account for the possibility of device configurations being changed by unauthorized means.
Researchers confirm backdoor password in Juniper firewall code
“Unauthorized code” included password disguised to look like debug code.
http://arstechnica.com/security/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/
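The third practice change above, configuration control and auditing for devices whose configuration may have been altered by unauthorized means, worked through as an added example (not code from the article, Juniper or any vendor). It fingerprints a normalized device configuration, signs the approved baseline with a key kept off the device so an intruder who rewrites the config cannot also rewrite the baseline, and reports the exact lines that drifted. The device name, config syntax and ticket number are constructed for illustration.

```python
import difflib
import hashlib
import hmac

# Added example, not from the article or any vendor: a config-integrity audit that
# detects device configuration changes made outside the change process.
# The config syntax, device name and audit key are constructed.


def normalize(config_text: str) -> list:
    """Drop comments, blank lines and trailing whitespace so cosmetic edits do not
    raise alarms, but keep line order (order matters in firewall rule sets)."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        lines.append(line)
    return lines


def fingerprint(config_text: str) -> str:
    return hashlib.sha256("\n".join(normalize(config_text)).encode("utf-8")).hexdigest()


def sign_baseline(fp: str, audit_key: bytes) -> str:
    """HMAC over the baseline hash, keyed with a secret that never touches the device."""
    return hmac.new(audit_key, fp.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_device(device: str, current_config: str, baseline_config: str,
                 baseline_mac: str, audit_key: bytes) -> dict:
    """Returns unchanged / changed (with the drifted lines) / baseline-tampered."""
    base_fp = fingerprint(baseline_config)
    if not hmac.compare_digest(sign_baseline(base_fp, audit_key), baseline_mac):
        return {"device": device, "status": "baseline-tampered", "diff": []}
    cur_fp = fingerprint(current_config)
    if hmac.compare_digest(cur_fp, base_fp):
        return {"device": device, "status": "unchanged", "diff": []}
    # Keep only added/removed config lines, not the unified-diff headers.
    diff = [line for line in difflib.unified_diff(normalize(baseline_config),
                                                  normalize(current_config),
                                                  "baseline", "current",
                                                  lineterm="", n=0)
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]
    return {"device": device, "status": "changed", "diff": diff}


# Constructed sample configs in a generic syntax (not any real vendor's).
BASELINE = """\
# fw-edge-01 approved baseline, change ticket CHG-0001 (constructed)
set hostname fw-edge-01
set admin user "netops" role admin
set policy 10 from untrust to dmz service https permit
set policy 20 from any to any deny
"""

CURRENT = """\
# fw-edge-01 approved baseline, change ticket CHG-0001 (constructed)
set hostname fw-edge-01
set admin user "netops" role admin
set admin user "svc-maint" role admin
set policy 10 from untrust to dmz service https permit
set policy 15 from untrust to trust service ssh permit
set policy 20 from any to any deny
"""

AUDIT_KEY = b"constructed-audit-key-kept-off-device"


def run_audit() -> dict:
    """Baseline signed at change-approval time; audit run against the live config."""
    mac = sign_baseline(fingerprint(BASELINE), AUDIT_KEY)
    return audit_device("fw-edge-01", CURRENT, BASELINE, mac, AUDIT_KEY)


if __name__ == "__main__":
    for line in run_audit()["diff"]:
        print(line)
```

Run on a schedule against configs pulled over the management interface, the audit turns “nobody touched it, so it is unchanged” into a verified statement, and the signed baseline means the comparison point itself is trustworthy. The same hash-and-compare idea applies to firmware images checked against vendor-published values, which is the layer the Juniper case actually hit.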
Tomi Engdahl says:
Virtualization benefits and challenges
http://www.controleng.com/single-article/virtualization-benefits-and-challenges/f5ea0eced393a44f963e678518c8a4fd.html
Virtualization has significant benefits in computing and in networking and that is why both have been accepted so readily. This is especially true in operational technology (OT) networking and control systems, where the rest of the system is intended to live for 30 years, and the life of the computer and network components is less than two years.
Virtualization also permits rapid changes and agile re-deployment, which are necessary in the Internet of Things (IoT) environment.
Virtualizing computers and servers, as well as network components, can add a significant measure of safety and robustness to the network.
Storing images of the virtual machines off-site, in the cloud, or at another location means that if the site has an accident, or the site network ends up destroyed by weather (like Hurricane Katrina did to many petrochemical plants), it will be easy to re-construct the systems, re-use the disk images, and be back in business. In addition, virtual systems have a failover mode, where a defective disk simply switches to a backup on the fly, and the failed component can end up repaired while the system continues to run.
There is, however, a fundamental issue with lifecycle. This is especially true with OT systems such as building automation, factory automation, and process control system networks.
The control system, its input/output (I/O), and the final control elements (valves, etc.) are built to last the life of the project, easily 30 years. Unfortunately, through the action of the market and Moore’s Law, computer, server, and network components have a lifecycle of about 18 months.
Virtualization solves this problem by creating virtual machines that run on operating systems that would otherwise be obsolete and no longer maintained.
More secure environment
Completely virtualizing the servers and networks provides a measure of security that wasn’t there before. Virtualization by itself won’t necessarily make the system secure, but it will get rid of much of the chance for hardware to be compromised by, say, inserting a USB stick or a CD-Rom or DVD with malware on it. Virtualization severely reduces the number of physical devices that the user needs to control as well.
Network segmentation is also easier, and there’s more direct control with policies and procedures.
Virtualization challenges
While there are great benefits from virtualization, there can also be serious challenges. One of the challenges is that the IT staff, OT staff, or system administrators must truly know their servers and network. Especially in a virtualization overlay on an existing physical network, the administrator must know exactly what the system is doing, what it needs to do, and how it will grow for future expansion.
The user can’t just throw another managed switch on a line and call it good. The data center that is being virtualized needs to have adequate and appropriate electric power and backup generation in case of power outages.
Virtualization technology is in thousands of devices and systems already, and with the huge growth of IoT and cloud computing, engineers’ lives in the demanding and intense manufacturing automation environment will become smoother, more efficient, and profitable.
Virtualization has significant benefits in computing and in networking, but the IT staff, OT staff, or system administrators must truly know their servers and network so they can be ready for challenges or potential cyber security breaches.
Tomi Engdahl says:
SamSam: The Doctor Will See You, After He Pays The Ransom
http://blog.talosintel.com/2016/03/samsam-ransomware.html?m=1
Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits. This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom. A particular focus appears to have been placed on the healthcare industry.
Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.
Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.
One interesting note regarding the samples Talos has observed is that the malware will abort the encryption routine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for compatibility reasons.
There were a couple of open source tools that were seen being leveraged by the adversaries.
Tomi Engdahl says:
Kid hacker spoofs Steam site with paint drying game
16-year-old snuck his sneaky game in the backdoor
http://www.theinquirer.net/inquirer/news/2452890/kid-hacker-spoofs-steam-site-with-paint-drying-game
A 16-YEAR-OLD has confessed to a prank that saw a paint drying adventure game go on sale on Steam.
The teen, a security researcher called Ruby Nealon, confessed to the early April Fool on the Medium website, and explained how he was able to get a Steam account and start making merry with it.
Nealon, who was heavily criticised by gamers over the title, has been accused of taking the account through social engineering. He did not confirm this, but did admit his access and explain why he uploaded a game that lasts 45 seconds, costs money and involves the drying of paint on a wall.
“I’m not going to comment on how/why I have access to Steamworks but I will confirm it was not exploiting any web forms, not Greenlight and not through direct contact with someone from Valve,” he wrote.
“Either way, I’d got access to Steamworks (Valve’s internal publishing platform for Steam and backbone for game achievements, DRM, multiplayer, etc) and this gave me the idea to look around for vulnerabilities.
Watch Paint Dry: How I got a game on the Steam Store without anyone from Valve ever looking at it.
Was getting caught part of your plan? Of course!
https://medium.com/swlh/watch-paint-dry-how-i-got-a-game-on-the-steam-store-without-anyone-from-valve-ever-looking-at-it-2e476858c753#.6q7l2dpe7
If you were on the Steam homepage on Sunday night, you might have noticed a somewhat interesting new title available: “Watch paint dry”. This sparked a lot of controversy (and I, honestly, had a little bit of fun in the forum :p) on Steam as people were claiming that Valve/Steam had lost all quality control for games on Greenlight. But this game was never on Greenlight. In fact, I haven’t even paid the $100 “no time wasters fee” to post games to Greenlight.
Valve’s approval process
To give you a bit of insight, before Valve puts anything on Steam, they have a 3 step release process. First, you submit your store page to a review queue, then the final or near-final build of your game, then you are given the option to release it.
The Steamworks website is majorly AJAX. All the code for the Javascript functions that powers the source is not obfuscated and readable by anyone (authenticated into Steamworks at least).
Tah-dah! I will admit that it appearing straight away in the new releases section was an oversight on my part. I initially wanted it to have “Coming April 1st” and not show up until Friday.
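The three-step release process described in the post, reworked as an added example of the control that keeps readable client-side JavaScript from mattering: a server-side state machine in which every transition is checked against stored state and the caller's session role. This is not Valve's code and it does not claim to be the mechanism of the incident, which the post does not spell out; the class, state and action names are assumptions.

```python
# Added example, not Valve's code: server-side enforcement of a three-step release
# workflow. A client that has read every AJAX function still cannot reach "released"
# without the review states, because the server, not the client, owns the state.
# All names are assumptions.

REVIEW_ROLE = "reviewer"


class WorkflowError(Exception):
    pass


class Submission:
    # Legal transitions: (current_state, action) -> next_state. Anything else is refused.
    TRANSITIONS = {
        ("draft", "submit_store_page"): "store_page_in_review",
        ("store_page_in_review", "approve_store_page"): "store_page_approved",
        ("store_page_approved", "submit_build"): "build_in_review",
        ("build_in_review", "approve_build"): "release_ready",
        ("release_ready", "release"): "released",
    }
    # Actions only staff may perform; the role comes from the session, never the request body.
    STAFF_ACTIONS = {"approve_store_page", "approve_build"}

    def __init__(self, app_id: str, owner: str):
        self.app_id = app_id
        self.owner = owner
        self.state = "draft"
        self.history = []  # audit trail of (state, action, actor)

    def handle(self, action: str, actor: str, role: str = "developer") -> str:
        """Single entry point that every AJAX endpoint routes through."""
        if action in self.STAFF_ACTIONS:
            if role != REVIEW_ROLE:
                raise WorkflowError(f"{actor} may not {action}")
        elif actor != self.owner:
            raise WorkflowError(f"{actor} does not own app {self.app_id}")
        next_state = self.TRANSITIONS.get((self.state, action))
        if next_state is None:
            raise WorkflowError(f"cannot {action} from state {self.state}")
        self.history.append((self.state, action, actor))
        self.state = next_state
        return self.state


def simulate_skipped_review():
    """A developer calls the release endpoint straight after submitting, as a client
    that found the function in the page's JavaScript could. The server refuses."""
    s = Submission("app-123", "dev")
    s.handle("submit_store_page", "dev")
    try:
        s.handle("release", "dev")
    except WorkflowError as err:
        return s.state, str(err)
    return s.state, None


def simulate_self_approval():
    """A developer tries the staff-only approval with a developer session."""
    s = Submission("app-123", "dev")
    s.handle("submit_store_page", "dev")
    try:
        s.handle("approve_store_page", "dev", role="developer")
    except WorkflowError as err:
        return s.state, str(err)
    return s.state, None


def simulate_full_path():
    """The legitimate path: two staff approvals before release becomes possible."""
    s = Submission("app-123", "dev")
    for action, actor, role in [
        ("submit_store_page", "dev", "developer"),
        ("approve_store_page", "staff", REVIEW_ROLE),
        ("submit_build", "dev", "developer"),
        ("approve_build", "staff", REVIEW_ROLE),
        ("release", "dev", "developer"),
    ]:
        s.handle(action, actor, role)
    return s.state, len(s.history)


if __name__ == "__main__":
    print(simulate_skipped_review())
    print(simulate_self_approval())
    print(simulate_full_path())
```

The design point is that the transition table and the role check live on the server and are consulted on every call; which buttons the page shows, or which functions its JavaScript exposes, is presentation only. The history list gives reviewers the trail needed to answer "did anyone at the publisher look at this before it went live".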
Tomi Engdahl says:
Legion of demons found in ancient auto drug dispensing cabinets
The Register’s free consulting desk says: if it runs on Windows XP, fire it into the sun
http://www.theregister.co.uk/2016/03/31/legion_of_demons_found_in_ancient_auto_drug_dispensing_cabinets/
Consider this a reminder that end-of-life software doesn’t get patches: researchers have turned up more than 1,400 vulnerabilities in a widespread automatic drug dispensing system from CareFusion, because old units are still running Windows XP.
The computer-controlled dispensing cabinets are installed in hospitals and pharmacies around the world. In large deployments, they can be connected as a network of dispensary workstations that report usage in real time – incidentally providing a vector for remote attacks.
Long time researcher Billy Rios (formerly of Cylance and Qualys, now with Whitescope) worked with Mike Ahmadi (Synopsis) on the independent project.
Finding vulns in outdated software would be considered a stunt-hack in many contexts, but the healthcare sector has a long and well-documented habit of leaving dead systems in operation.