Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying them can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to be mostly okay, but the leaks have raised new privacy concerns.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security disclosures, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old approach to network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that is, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, as it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
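As an added example (not part of the original post), the following Python checks which hash a certificate's signature uses before the browser cutoff: it walks the outer DER structure of an X.509 certificate, decodes the signatureAlgorithm OID and flags SHA-1. The sample certificates are constructed skeletons, and the OID table covers only the common RSA and ECDSA signature algorithms.

```python
"""Audit X.509 certificates for SHA-1 signatures before the 2016 browser cutoff."""

# Signature AlgorithmIdentifier OIDs (RFC 3279, RFC 4055, RFC 5758) -> name
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc 0, 1 or 2)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:            # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der_cert):
    """Dotted OID of the outer signatureAlgorithm field of a DER certificate."""
    tag, cert, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)           # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify(der_cert):
    """Return (algorithm name, verdict); verdict is 'sha1', 'ok' or 'unknown'."""
    oid = signature_oid(der_cert)
    if oid in SHA1_OIDS:
        return SIG_OIDS[oid], "sha1"           # reissue: browsers reject these in 2016
    if oid in SIG_OIDS:
        return SIG_OIDS[oid], "ok"
    return oid, "unknown"                      # not in the table: review by hand


# ---- constructed sample certificates (skeletons, not real certificates) ----
def der(tag, content):
    """Minimal DER TLV encoder with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def make_sample_cert(sig_oid):
    """Certificate skeleton: tbsCertificate holds only a serial number and the
    signature value is zero bytes; only the signatureAlgorithm field is meaningful."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))     # OID + NULL parameters
    sig = der(0x03, b"\x00" + bytes(8))                          # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)


SAMPLE_CERTS = {                                # constructed inputs, not real sites
    "legacy-rsa": make_sample_cert("1.2.840.113549.1.1.5"),
    "modern-rsa": make_sample_cert("1.2.840.113549.1.1.11"),
    "legacy-ecdsa": make_sample_cert("1.2.840.10045.4.1"),
    "modern-ecdsa": make_sample_cert("1.2.840.10045.4.3.2"),
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        alg, verdict = classify(cert)
        print(f"{name:13} {alg:26} {verdict}")
```

For real certificates, strip the PEM armour and base64-decode the body before passing the bytes to `classify`; certificates whose OID is not in the table are reported as unknown rather than silently accepted.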

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption whose recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransom malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend ensuring that IT support or your service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices says that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Did hacktivists really just expose half of Turkey’s entire population to ID theft?
    Entire citizen database? Probably not
    http://www.theregister.co.uk/2016/04/04/turkey_megaleak/

    A trove of leaked information, purported to be the entire Turkish citizenship database, has been leaked.

    The leaked info appears to contain names, addresses and ID numbers of more than 49 million citizens. If confirmed, the leak would become one of the biggest privacy breaches, by number of records, ever.

    Although billed as a Turkish citizenship database there are doubts about that and it seems more likely that we’re looking at a residency database put together for the police and other law enforcement agencies, and already leaked, perhaps multiple times.

    The leaked info weighs in at 6.6GB uncompressed and is searchable.

    Those behind the leak imply that it was politically motivated, aimed against Turkey’s controversial president Recep Tayyip Erdoğan.

    The purportedly leaked data is online

    Reply
  2. Tomi Engdahl says:

    Senate asks DHS: you don’t negotiate with terrorists, but do you pay off ransomware?
    Committee asks for full details on government’s handling of extortionist malware
    http://www.theregister.co.uk/2015/12/05/dhs_ransomware_senate/

    The US Senate Committee on Homeland Security and Governmental Affairs wants to know how secured government PCs are against ransomware, and whether any agencies have paid off hackers to unlock their files.

    In a pair of open letters to the Department of Homeland Security (DHS) and Attorney General Loretta Lynch, Senators Tom Carper (D-DE) and Ron Johnson (R-WI) asked the two offices to deliver full reports on how they deal with ransomware.

    Reply
  3. Tomi Engdahl says:

    Reuters:
    Founding partner of Mossack Fonseca, the Panamanian firm at center of data leak, says company was hacked from outside, files complaint with state prosecutors

    Panama law firm says data hack was external, files complaint
    http://www.reuters.com/article/us-panama-tax-fonseca-idUSKCN0X3020

    The Panamanian lawyer at the center of a data leak scandal that has embarrassed a clutch of world leaders said on Tuesday his firm was a victim of a hack from outside the company, and has filed a complaint with state prosecutors.

    Founding partner Ramon Fonseca said the firm, Mossack Fonseca, which specializes in setting up offshore companies, had broken no laws and that all its operations were legal. Nor had it ever destroyed any documents or helped anyone evade taxes or launder money, he added in an interview with Reuters.

    Company emails, extracts of which were published in an investigation by the U.S.-based International Consortium of Investigative Journalists and other media organizations, were “taken out of context” and misinterpreted, he added.

    “We rule out an inside job. This is not a leak. This is a hack,”

    “The only crime that has been proven is the hack,” Fonseca said.

    Reply
  4. Tomi Engdahl says:

    New website lets anyone spy on Tinder users
    https://www.theguardian.com/technology/2016/apr/05/tinder-swipebuster-spy-on-users-privacy-dating-app

    Developer says Swipebuster is making a comment about privacy, but users of dating app are worried

    Tinder isn’t as private as many of its users think, and a new website which aims to exploit that is causing concern among users of the dating app.

    Swipebuster promises to let Tinder users find out whether people they know have an account on the dating app, and even stalk them down to their last known location.

    The website charges $4.99 (£3.50) to let someone see whether the target is using Tinder, and can narrow down results by first name, age, gender and location.

    But it doesn’t do so by hacking into Tinder, or even by “scraping” the app manually. Instead, it searches the database using Tinder’s official API, which is intended for use by third-party developers who want to write software that plugs in with the site. All the information that it can reveal is considered public by the company, and revealed through the API with few safeguards.

    Although the site seems targeted at those who want to catch cheating partners on the app, its developer says he had a different motivation in mind, telling Vanity Fair that he wanted to highlight oversharing online.

    Tinder argued there were no privacy issues raised, and told Vanity Fair “searchable information on the Web site is public information that Tinder users have on their profiles. If you want to see who’s on Tinder we recommend saving your money and downloading the app for free.”

    Reply
  5. Tomi Engdahl says:

    Cyber Commander Says It’s ‘Not Realistic’ To Shut Down Internet
    https://tech.slashdot.org/story/16/04/05/1818248/cyber-commander-says-its-not-realistic-to-shut-down-internet

    It simply would not be possible to shut down areas of the Internet that terrorists use to conduct malicious activity, the head of U.S. Cyber Command told a Senate panel on Tuesday. “In a very simplistic way, people ask why can’t we shut down that part of the Internet. … Why are we not able to infiltrate that more?”

    “I’ve had people ask me, can’t you just stop it from that area of the world where all the problems are coming, be it Syria or in parts of Iraq or Iran,” he said. “I’m not just trying to find an answer, because that question is asked like shut her down, like you do your telephone, but it doesn’t work that way,”

    Cyber commander says it’s ‘not realistic’ to shut down Internet
    http://www.washingtonexaminer.com/cyber-commander-says-its-not-realistic-to-shut-down-internet/article/2587694

    It simply would not be possible to shut down areas of the Internet that terrorists use to conduct malicious activity, the head of U.S. Cyber Command told a Senate panel on Tuesday.

    “In a very simplistic way, people ask why can’t we shut down that part of the Internet. … Why are we not able to infiltrate that more?”

    “The idea that you’re just going to shut down the Internet given its construction and complexity is not realistic,” Rogers responded. “It’s just not that simple. I wish I could say that there’s a part of the Internet that was only used by a specific set of users.”

    The comments came in the context of the broader cybersecurity threat potentially posed by the Islamic State. “They’ve harnessed the power of the information arena to promulgate their ideology on a global basis, to recruit on a global basis, to generate revenue and to move money as well as coordinate some level of activity on a large dispersed basis,” Rogers told the panel.

    “What concerns me when I look at the future is, what happens if a non-state actor, ISIL being one of them, starts to view cyber as a weapons system? That would really be a troubling development,” Rogers said.

    Reply
  6. Tomi Engdahl says:

    We Live In The Dark Ages of Internet Security, Says Kaspersky Labs CEO
    https://it.slashdot.org/story/16/04/05/1759235/we-live-in-the-dark-ages-of-internet-security-says-kaspersky-labs-ceo

    It is never a positive sign when one of the world’s leading security firms mentions how the world is currently in the “Dark Ages” of computer security. That particular statement was made by Kaspersky Labs CEO Eugene Kaspersky during the NCSC One conference in The Hague. Enterprises and consumers need to step up their protection sooner rather than later, as the number of security threats keeps increasing.

    Kaspersky Labs CEO: “We Live In The Dark Ages of Internet Security”
    http://themerkle.com/kaspersky-labs-ceo-we-live-in-the-dark-ages-of-internet-security/

    It is never a positive sign when one of the world’s leading security firms mentions how the world is currently in the “Dark Ages” of computer security. That particular statement was made by Kaspersky Labs CEO Eugene Kaspersky during the NCSC One conference in The Hague. Enterprises and consumers need to step up their protection sooner rather than later, as the number of security threats keeps increasing.

    One of the aspects very few people take into account when dealing with newer technologies is figuring out how to properly implement security. Kaspersky Labs CEO Eugene Kaspersky blames this lack of protection on the “cycle of innovation”, which brings technological advancements to the table first, whereas security takes a backseat.

    In the case of the Internet, the protocol was developed several decades ago, yet there is still a huge lack of proper security when it comes to dealing with platforms and connectivity. Until security vulnerabilities are identified and patched, hackers will be running rampant, and breaching databases like never before.

    Bitcoin ransomware, malware, database breaches, spam, and phishing attempts are just some of the more common threats consumers, and enterprises are dealing with on a regular basis. Everything needs to be secured properly, yet given the widespread and diversity of Internet-connected devices, that is much easier said than done.

    Reply
  7. Tomi Engdahl says:

    Call the doctor… no, call security. Docs’ mobiles are hopelessly insecure – study
    Get patching. Stat
    http://www.theregister.co.uk/2016/04/06/doctors_mobiles_security/

    One in five doctors’ mobile devices might be at risk of leaking sensitive data due to either malware or poor password security practices, according to a new study.

    Mobile threat device firm Skycure reports that 14 per cent of smartmobes and tablets containing patient data likely have no passcode to protect them. And 11 per cent of those running outdated operating systems with high-severity vulnerabilities may have stored patient data on them.

    More than four per cent of all Android devices were found to be infected with malicious apps. Skycure estimates that 27.79 million devices with medical apps installed might also be infected with high-risk malware.

    According to the US Department of Health and Human Services, more than 260 major healthcare breaches occurred in 2015. Of those breaches, a small but significant minority – nine per cent – involved a mobile device other than a laptop.

    Reply
  8. Tomi Engdahl says:

    Google reveals own security regime policy trusts no network, anywhere, ever
    ‘BeyondCorp’ plan prefers analysis of user behaviour and device state instead
    http://www.theregister.co.uk/2016/04/06/googles_beyondcorp_security_policy/

    Google sees little distinction between board rooms and bars, cubicles and coffee shops; all are untrusted under its perimeter-less security model detailed in a paper published this week.

    The “BeyondCorp model” under development for more than five years is a zero-trust network model where the user is king and log in location means little.

    Staff devices including laptops and phones are logged into a device inventory service which contains trust information and snapshots of the devices at a given time.

    Employees are awarded varying levels of trust provided they meet minimum criteria which authors Barclay Osborn, Justin McWilliams, Betsy Beyer, and Max Saltonstall say reduces maintenance cost and improves device usability.

    “Unlike the conventional perimeter security model, BeyondCorp doesn’t gate access to services and tools based on a user’s physical location or the originating network; instead, access policies are based on information about a device, its state, and its associated user.

    “BeyondCorp considers both internal networks and external networks to be completely untrusted, and gates access to applications by dynamically asserting and enforcing levels, or tiers, of access.”

    The centralised device inventory service has consumed billions of data sets on Google staff devices from 15 sources, including Active Directory; Puppet; and Simian; various configuration and corporate asset management systems; vulnerability scanners; certificate authorities, and network infrastructure elements such as ARP tables.

    The zero trust architecture spells trouble for traditional attacks that rely on penetrating a tough perimeter to waltz freely within an open internal network.

    BeyondCorp
    Design to Deployment at Google
    https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/44860.pdf

    Reply
  9. Tomi Engdahl says:

    Ron Miller / TechCrunch:
    Microsoft makes Cloud App Security generally available, using the tech from last year’s Adallom acquisition — Microsoft marches forward with its security plan, releasing Cloud App Security — As Microsoft works its way toward implementing the security plan that CEO Satya Nadella outlined …

    Microsoft marches forward with its security plan, releasing Cloud App Security
    http://techcrunch.com/2016/04/06/microsoft-marches-forward-with-its-security-plan-releasing-cloud-app-security/

    As Microsoft works its way toward implementing the security plan that CEO Satya Nadella outlined in a talk last Fall in DC, part of that has been creating tools and part buying them. Today, it announced that Adallom, a company it bought last year was becoming generally available and renamed Microsoft Cloud App Security.

    While the new name lacks the pizazz of the original, it does convey to customers and sales alike what the product actually does a bit more clearly, and that’s help companies detect cloud apps in use in a company — whether from Microsoft or a third party. That last part speaks to the new philosophy in play at Microsoft that when it makes sense, its products won’t be “all Microsoft, all the time” as they have in the past, but will work cross-product and cross-platform, even when those products may compete directly or indirectly with Microsoft.

    With a product like this, it wouldn’t have made sense to work any other way.

    According to the company’s research, based on using its own product, the average employee uses 17 cloud apps at work and IT doesn’t know about most of them. Of course, this tool isn’t the first to do this kind of detection, but it takes it beyond pure detection to give visibility into how much data is moving outside the organization, in some cases in violation of security or compliance rules.

    When it comes to control, Rappaport is careful to point out this is not about controlling user behavior or getting in the way of running the business, but applying controls where it makes most sense for the organization such as preventing unauthorized confidential information from being shared in the cloud or controlling access from unknown networks.

    Reply
  10. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    A look at the software and methods used to distribute 11M documents, totaling 2.6TB, of the Panama Papers to 100+ publications and about 400 journalists — From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers — It was an epic haul.

    From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers
    http://www.forbes.com/sites/thomasbrewster/2016/04/05/panama-papers-amazon-encryption-epic-leak/#79d086091df5

    It was an epic haul. Whoever caused the Panama Papers breach at tax avoidance and offshore company specialist Mossack Fonseca leaked an astonishing 11 million documents and 2.6 terabytes of data, the largest of all time. Previous mega-leaks were in the gigabyte territory – Wikileaks Cablegate at 1.7GB, Ashley Madison 30GB, Sony Pictures an estimated 230GB.

    The logistics of the journalistic operation behind the Panama Papers were equally astounding, a year of exchanging information over bespoke open source software between more than 100 publications, from the Guardian to the BBC, and 400 journalists. All Mossack Fonseca’s emails, files and images had to be stored on encrypted drives then moved to the cloud securely to keep the story from spilling ahead of time or to uninvited parties, whilst remaining usable for both technical and non-technical journalists.

    Reply
  11. Tomi Engdahl says:

    BuzzFeed:
    Report: Many Latin American governments unlawfully purchase and deploy surveillance software, often through intermediaries to avoid explicit export restrictions — Nearly Every Latin American Country Is Using This Software To Spy On Their Citizens — Governments in Latin America are ignoring …

    Nearly Every Latin American Country Is Using This Software To Spy On Their Citizens
    http://www.buzzfeed.com/karlazabludovsky/nearly-every-latin-american-country-is-using-this-software-t#.tgZAX2kmLJ

    Governments in Latin America are ignoring their own laws that would prevent them from using the types of surveillance software offered by Hacking Team, according to a new report.

    Almost every Latin American government has purchased or shown interest in obtaining aggressive surveillance software, taking advantage of a failure to enforce lax regulations but potentially violating human rights, according to a new report by the Santiago-based NGO, Derechos Digitales.

    Authorities in Brazil, Chile, Colombia, Ecuador, Honduras, Mexico and Panama have all bought software licensed from Hacking Team, an Italian company that sells some of the most invasive spying software in the world. Argentina, Guatemala, Paraguay, Uruguay and Venezuela have negotiated with the company but do not appear to have bought any products as of July, according to the report, released last week.

    Thomas Fox-Brewster / Forbes:
    Hacking Team, known for selling spyware to authoritarian regimes, has its license to sell software outside Europe revoked by Italian government

    Hacking Team In Trouble Again — Loses License To Sell Malware Outside Europe
    http://www.forbes.com/sites/thomasbrewster/2016/04/06/hacking-team-loses-sales-license/#5bf333de57e2

    Less than a year after it was hacked, its emails leaked all over the Web, Milan-based government spyware creator Hacking Team is facing fresh trouble. Not from another hacktivist, however, but an official authority, which has revoked the company’s license to sell outside of Europe. At the same time CEO David Vincenzetti is under investigation for some of the deals he has made on foreign soil.

    That its global license has been revoked by the Italian Ministry of Economic Development (MISE) is significant, as Hacking Team was frequently lambasted by activists for selling its malware, officially called the Galileo Remote Control System, to nations with poor records on human rights. In particular, sales to Egypt, Ethiopia, Bahrain, Morocco, Uganda, Russia and Vietnam were criticised. In some cases, such as in Morocco, activists and journalists claimed to have been hacked by snoops using the Galileo tool. Hacking Team also signed big money contracts with the FBI and the Drug Enforcement Administration (DEA), raking in nearly $2 million from both before the contracts were cancelled.

    Reply
  12. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Hackers post personally identifiable information of 50M Turkish citizens online, more than half the country’s 80M population

    Hack Brief: Turkey Breach Spills Info on More Than Half Its Citizens
    http://www.wired.com/2016/04/hack-brief-turkey-breach-spills-info-half-citizens/

    The nation of Turkey has been reeling from terrorist bombings in its biggest cities, a teeming refugee crisis, and a president who wants to rewrite its constitution to give himself more power. Now, in the midst of those calamities, it’s also been hit with what appears to be an enormous data breach, one that affects the majority of the country’s citizens.

    On Monday, an unnamed hacker posted to the web a 1.4 gigabyte compressed bittorrent file that appears to contain personal data on 50 million Turkish citizens, including their names, addresses, parents’ first names, cities of birth, birth dates, and a national identifier number used by the Turkish government, all of which were verified as authentic by the Associated Press. The leak also included a taunting message referring to sloppy data protections and a hardcoded password that allowed the entire unencrypted database to be siphoned from the Turkish government’s servers.

    “Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?” reads a statement on the site hosting the leaked data. “Do something about [Turkish President Recep Tayyip] Erdogan! He is destroying your country beyond recognition.”

    The hacker or hackers behind the breach seem to be American, based on another comment they posted with the leaked data referring to presidential candidate Donald Trump: “Lessons for the US? We really shouldn’t elect Trump,” it reads. “That guy sounds like he knows even less about running a country than Erdogan does.”

    Reply
  13. Tomi Engdahl says:

    You don’t need to be a terrorist to get on no-fly list, US manual says
    Guidelines say “concrete facts” are “not necessary” for terrorism watchlisting.
    http://arstechnica.com/tech-policy/2014/07/you-dont-need-to-be-a-terrorist-to-get-on-no-fly-list-us-manual-says/

    Federal agencies have nominated more than 1.5 million names to terrorist watchlists over the past five years alone, yet being a terrorist isn’t a condition of getting on a roster that is virtually impossible to be removed from, according to a leaked US “Watchlisting Guidance” manual.

    The 166-page document, marked as “sensitive security information” and published by The Intercept, comes amid increasing skepticism over how people are placed on or get off of US terrorism databases like the no-fly list that bars flying to and within the United States.

    https://theintercept.com/document/2014/07/23/march-2013-watchlisting-guidance/

    Reply
  14. Tomi Engdahl says:

    IBM Completes Acquisition of Resilient Systems
    http://www.securityweek.com/ibm-completes-acquisition-resilient-systems

    IBM has completed its acquisition of Resilient Systems, a privately-held company that offers an Incident Response Platform (IRP) that helps organizations prepare, assess, manage, and report on privacy breaches and security incidents.

    The company, now known as Resilient, an IBM Company, is part of IBM’s Security business unit and will contribute to the tech giant’s incident response capabilities, IBM said on Wednesday.

    In 2015, IBM’s security business reached $2 billion in revenue and added 1,000 employees.

    Reply
  15. Tomi Engdahl says:

    Nitol Botnet Fuels 8.7 Gbps Layer 7 DDoS Attack
    http://www.securityweek.com/nitol-botnet-fuels-87-gbps-layer-7-ddos-attack

    A recent layer 7 distributed denial of service (DDoS) attack managed to break all previous known records in terms of bandwidth consumption, peaking at 8.7 gigabits per second (Gbps), cyber security solutions provider Imperva warns.

    Layer 7 DDoS attacks – or HTTP floods – rely on crippling servers by depleting their resources at the application layer, and not the network layer, which means they aren’t usually large in terms of packet volume. With many web applications capped at hundreds of requests per second (RPS), even small attacks can take down unprotected servers.

    While network layer DDoS attacks can easily peak at over 150 gigabit-per-second (Gbps), and some even go beyond the 500 Gbps mark, application layer attacks use much less bandwidth. Although they have been growing in terms of RPS rates as of late, and even surpassed 250,000 RPS in the third quarter of 2015, layer 7 attacks remained well below 500Mbps.

    In this context, the newly observed HTTP POST flood attack, which peaked at the high rate of 163,000 RPS, broke all records in terms of bandwidth footprint by reaching 8.7 Gbps.

    This was not only a record for an application layer attack, but also the largest the security company “had ever seen or even heard about up until that point,” Imperva’s Igal Zeifman notes in a blog post.

    The attack targeted a Chinese lottery website and was launched from a botnet powered by a Nitol malware variant, which was accessing the target website disguised as a Baidu spider. The attack originated from roughly 2,700 IP addresses, over 2,500 of which are located in China, the researchers said.

    Ginormous POST Flood Spells BIG Trouble for Hybrid DDoS Protection
    https://www.incapsula.com/blog/post-flood-hybrid-ddos-protection.html

    To work on the Incapsula team at Imperva is to be exposed to DDoS attacks all of the time. From watching 100 Gbps assaults making waves on computer screens around the office, to having our inboxes bombarded with reports of mitigated assaults, DDoS is just another part of our awesome daily routine.

    Yet, every once in a while an attack stands out that makes us really take notice.

    Broadly speaking, layer 7–aka application layer–DDoS attacks are attempts to exhaust server resources (e.g., RAM and CPU) by initiating a large number of processing tasks with a slew of HTTP requests.

    In the context of this post it should be mentioned that, while deadly to servers, application layer attacks are not especially large in volume. Nor do they have to be, as many application owners only over-provision for 100 requests per second (RPS), meaning even small attacks can severely cripple unprotected servers.

    Moreover, even at extremely high RPS rates—and we have seen attacks as high as 268,000 RPS—the bandwidth footprint of application layer attacks is usually low, as the packet size for each request tends to be no larger than a few hundred bytes.

    Reply
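
The two figures in the Imperva write-up above (163,000 RPS and 8.7 Gbps) are the whole story: divide one by the other and each POST carried roughly 6.7 KB, an order of magnitude above the "few hundred bytes" that normally keeps layer 7 floods small in bandwidth. The Python below is an added example, not code from Imperva or from this page. It derives that per-request size from the aggregate numbers, then runs a per-source detector over a few constructed access-log lines: a source is flagged when its POST rate in any single second exceeds a budget and its average request size is large. The log format is an assumption (Apache combined log plus one extra field for the request size, like nginx's $request_length); the IP addresses, paths and sizes are made up. The Baiduspider user-agent check only marks the source for follow-up; real search-engine crawlers are verified by reverse DNS, which this offline example does not do.

```python
import re
from collections import Counter, defaultdict


def bytes_per_request(gbps: float, rps: int) -> float:
    """Average bytes carried by each request for an attack with the
    given aggregate bandwidth (gigabits/s) and request rate.
    8.7 Gbps at 163,000 RPS works out to roughly 6.7 KB per POST."""
    return gbps * 1e9 / 8 / rps


# Assumed log format (not the page's): Apache combined log plus one extra
# field before the user agent holding the request size in bytes
# (nginx's $request_length).  Constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+) (?P<req_bytes>\d+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def find_post_flood_sources(lines, max_posts_per_sec=5, min_avg_req_bytes=4096):
    """Return {ip: (peak POSTs in one second, average request bytes,
    claims_to_be_baiduspider)} for every source that both exceeds the
    per-second POST budget and sends unusually large request bodies.
    The log timestamp has one-second resolution, so it is used directly
    as the bucket key."""
    posts_per_sec = defaultdict(Counter)
    req_sizes = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        posts_per_sec[rec["ip"]][rec["ts"]] += 1
        req_sizes[rec["ip"]].append(rec["req_bytes"])
        agents[rec["ip"]].add(rec["ua"])

    flagged = {}
    for ip, buckets in posts_per_sec.items():
        peak = max(buckets.values())
        avg_bytes = sum(req_sizes[ip]) / len(req_sizes[ip])
        if peak > max_posts_per_sec and avg_bytes >= min_avg_req_bytes:
            # A crawler UA on a source that POSTs is worth a second look;
            # genuine Baidu crawlers are verified by reverse DNS, not by the UA.
            claims_crawler = any("baiduspider" in ua.lower() for ua in agents[ip])
            flagged[ip] = (peak, avg_bytes, claims_crawler)
    return flagged


# Constructed sample traffic: one bot posting ~6.6 KB bodies six times in
# one second while announcing itself as Baiduspider, plus two normal clients.
FLOOD_IP = "203.0.113.10"
CRAWLER_UA = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
SAMPLE_LOG = [
    f'{FLOOD_IP} - - [05/Apr/2016:10:00:00 +0000] "POST /lottery/draw HTTP/1.1" '
    f'200 512 {6600 + 20 * i} "{CRAWLER_UA}"'
    for i in range(6)
] + [
    '198.51.100.7 - - [05/Apr/2016:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 8192 310 "Mozilla/5.0"',
    '192.0.2.5 - - [05/Apr/2016:10:00:00 +0000] "POST /login HTTP/1.1" 302 0 420 "Mozilla/5.0"',
    '192.0.2.5 - - [05/Apr/2016:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 420 "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(f"bytes per request in the Imperva case: {bytes_per_request(8.7, 163_000):.0f}")
    for ip, (peak, avg, crawler) in find_post_flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: peak {peak} POST/s, avg {avg:.0f} B/request, claims crawler UA: {crawler}")
```

The per-source budget is the useful knob: 163,000 RPS spread over about 2,700 sources is only around 60 POSTs per second per address, which is why a flood like this has to be caught on request rate and body size per client rather than on total bandwidth, where it still looked small next to network-layer attacks.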
  16. Tomi Engdahl says:

    Businesses Doubtful That Vendors Would Disclose a Breach: Survey
    http://www.securityweek.com/businesses-doubtful-vendors-would-disclose-breach-survey

    Companies in the United States aren’t confident that third-party vendors (or providers hired by their vendors) would inform them about breaches involving sensitive and confidential information, a recent survey from the Ponemon Institute reveals.

    The study (PDF), Data Risk in the Third Party Ecosystem, focused on the concerns that companies have about their third-party vendors, and also looked into the businesses’ perception of fourth-nth-party vendors (indirect service providers or subcontractors).

    http://www.buckleysandler.com/uploads/1082/doc/Data_Risk_in_the_Third_Party_Ecosystem_BuckleySandler_LLP_and_Treliant_R….pdf

    Reply
  17. Tomi Engdahl says:

    WhatsApp Toughens Encryption After Apple-FBI Row
    http://www.securityweek.com/whatsapp-toughens-encryption-after-apple-fbi-row

    The popular messaging service WhatsApp said Tuesday it had implemented “full end-to-end encryption,” a move which steps up privacy but may lead to conflicts with law enforcement agencies.

    “WhatsApp has always prioritized making your data and communication as secure as possible,” a blog post announcing the change said.

    “And today, we’re proud to announce that we’ve completed a technological development that makes WhatsApp a leader in protecting your private communication: full end-to-end encryption.”

    https://blog.whatsapp.com/10000618/end-to-end-encryption

    Reply
  18. Tomi Engdahl says:

    FBI says it doesn’t know if San Bernardino iPhone is useful, may or may not share the answer
    http://9to5mac.com/2016/04/06/fbi-san-bernardino-iphone-data/

    Many were skeptical that the work iPhone at the centre of the San Bernardino controversy would prove in any way useful to the FBI given that the shooters left it untouched while destroying their personal phones, and so far that skepticism seems justified. Despite having had access to all the data on the phone for more than a week, the FBI has apparently not yet found anything of value.

    The WSJ reports that FBI general counsel James Baker told an International Association of Privacy Professionals conference that it was “too early” to say whether anything useful would be found, and that it may or may not choose to reveal the answer once it is certain.

    Reply
  19. Tomi Engdahl says:

    Ubuntu plugs code exec, DoS Linux kernel holes
    This is kind of a big deal because the mess is in 14.04 LTS, expiry date 2019
    http://www.theregister.co.uk/2016/04/07/ubuntu_kernel_patch/

    Ubuntu has patched four Linux kernel vulnerabilities that allowed for arbitrary code execution and denial of service attacks.

    The flaws (CVE-2015-8812, CVE-2016-2085, CVE-2016-2550, CVE-2016-2847) are fixed in Ubuntu 14.04 LTS.

    The problems impact Ubuntu 14.04 LTS, the current long-term support version of Ubuntu which will be smothered in love and patches until 2019.

    Reply
  20. Tomi Engdahl says:

    A Lot of People Carelessly Plug In Random USB Drives Into Their Computers
    https://yro.slashdot.org/story/16/04/06/1843248/a-lot-of-people-carelessly-plug-in-random-usb-drives-into-their-computers

    Scientists have proven that a lot of people will carelessly plug in a USB drive found on the ground, exposing themselves to potential infections from malware. The researchers dropped 297 USB flash drives on a university campus and saw that in 48% of the cases, people picked them up, plugged them in, and opened files from the drive on their computers.

    A Whole Lot of Nitwits Will Plug a Random USB Into Their Computer, Study Finds
    https://motherboard.vice.com/read/study-finds-48-percent-people-will-plug-a-random-usb-into-their-computer

    Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year.

    As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location.

    Very few people said they were concerned about their security. Sixty-eight percent of people said they took no precautions.

    “I trust my macbook to be a good defense against viruses,” one participant is quoted as saying, while another one seemed aware of the risks, but didn’t care, saying: “I sacrificed a university computer.”

    “It’s easy to laugh at these attacks, but the scary thing is that they work—and that’s something that needs to be addressed,”

    In the study, the researchers concluded that “the anecdote that users will pick up and plug in flash drives they find is true.”

    Reply
  21. Tomi Engdahl says:

    Where’s the next crash? “Information networks have thousands of serious vulnerabilities”

    Vulnerabilities are found in software constantly, and vendors try to patch them as quickly as possible. But even a critical patch is of no use if users fail to install it.

    Earlier today we wrote about how extortionists were able to strike at American hospitals through a security hole. The vulnerability had first been warned about almost 10 years ago, and repeatedly since, but the update still had not been installed, with the saddest of consequences.

    According to a report F-Secure has just published, this is not exceptional but unfortunately quite common. Using its F-Secure Radar tool, the company found large numbers of serious vulnerabilities in business computer networks through which the systems could be attacked.

    The list of sins ran to tens of thousands of misconfigured systems, software in need of upgrading and other vulnerabilities. Nearly 85,000 findings fell within the hundred most common vulnerabilities. The study revealed that about seven percent of the cases were classified as serious, and almost all of them could easily be remedied either with patches or with simple changes.

    Almost half of these serious vulnerabilities could be exploited to let an attacker take control of the affected computers.

    “We found thousands of very severe cases, reflecting the fact that corporate information security has serious flaws”

    Sources:
    http://www.tivi.fi/Kaikki_uutiset/missa-rysahtaa-seuraavaksi-tietoverkoissa-tuhansia-vakavia-haavoittuvuuksia-6539166
    http://www.tivi.fi/Kaikki_uutiset/kahdesta-koodirivista-jumalaton-riesa-yllapidon-lorvailu-syyna-isoon-sairaalaiskuun-6539125

    Reply
  22. Tomi Engdahl says:

    Hackers broke into hospitals despite software flaw warnings
    http://goo.gl/Mnl50f

    The hackers who seriously disrupted operations at a large hospital chain recently and held some data hostage broke into a computer server left vulnerable despite urgent public warnings since at least 2007 that it needed to be fixed with a simple update, The Associated Press has learned.

    The hackers exploited design flaws that had persisted on the MedStar Health Inc. network

    The flaws were in a JBoss application server supported by Red Hat Inc. and other organizations

    The JBoss technology is popular

    security researchers discovered it was routinely misconfigured to allow unauthorized outside users to gain control.

    was still vulnerable years after those warnings.

    it could affect MedStar’s civil or administrative exposure under U.S. laws and regulations that require health providers to exercise reasonable diligence to protect their systems.

    Reply
  23. Tomi Engdahl says:

    PHP programming language vulnerabilities – update immediately

    Vulnerabilities have been found in the PHP programming language. The maintainers are asking developers to upgrade to a newer version of the language.

    The PHP project has published security updates 5.5.34, 5.6.20 and 7.0.5

    Source: http://www.tivi.fi/Kaikki_uutiset/php-ohjelmointikielessa-haavoittuvuuksia-paivita-heti-6537716

    Reply
  24. Tomi Engdahl says:

    Apple vs FBI: When privacy and safety collide
    http://www.edn.com/electronics-blogs/from-the-edge-/4441781/Apple-vs-FBI–When-privacy-and-safety-collide?_mc=NL_EDN_EDT_EDN_weekly_20160407&cid=NL_EDN_EDT_EDN_weekly_20160407&elqTrackId=b7a16ea4a60047b3b00aaad051393c67&elq=9d6dd7061f1a46d5a4535eb93af1da75&elqaid=31714&elqat=1&elqCampaignId=27703

    Once the two sides had a chance to move everything to their opposite corners of the ring, people I know (me included) began to line up behind one side or another in the fight between Apple and the FBI. Writing this blog may unleash the passions of many the same way in-depth discussions of religion or politics do. But, I just have to ask: Where do you weigh in on Apple’s refusal to unlock the phone?

    It’s fait accompli – the data has been taken off the phone. But still the questions linger, and the debate should not be forgotten—and won’t be. I’ll try to summarize the competing positions.

    While Apple has no sympathy for terrorists, once the FBI made the mistake of changing the Apple ID password on the phone, there was no path to obtaining the data without the creation of a backdoor.

    While it would seem that Apple should, according to the FBI, be able to unlock the iPhone used in the San Bernardino terrorist attacks, and then not use it again, the reality is law enforcement nationally was lining up with iPhones in the hundreds that they wanted unlocked.

    Reply
  25. Tomi Engdahl says:

    5 ways to become a smaller target for ransomware hackers
    http://goo.gl/jQbG8Z

    Hacking for ransom is on the rise — on pace to beat out last year’s figures — and hits people where it hurts, locking them out of files, photos and critical records until they pay hackers a bounty to restore their access. Hackers bait users to click on infected email links or open infected attachments, or they take advantage of outdated and vulnerable systems.

    MAKE SAFE AND SECURE BACKUPS
    UPDATE AND PATCH YOUR SYSTEMS
    USE ANTIVIRUS SOFTWARE
    EDUCATE YOUR WORKFORCE
    IF HIT, DON’T WAIT AND SEE

    If you’re facing a ransom demand and locked out of your files, law enforcement and cybersecurity experts discourage paying ransoms

    Many organizations without updated backups may decide regaining access to critical files, such as customer data, and avoiding public embarrassment is worth the cost.

    The hackers, of course, are counting on that.

    Reply
  26. Tomi Engdahl says:

    Devin Coldewey / TechCrunch:
    Open Whisper Systems’ Signal Desktop messaging system now available to all, no longer invite-only

    Now’s your chance to try Signal’s desktop Chrome app
    http://techcrunch.com/2016/04/07/nows-your-chance-to-try-signals-desktop-chrome-app/

    The desktop version of Edward Snowden’s favored end-to-end messaging system, Signal, is now available to anyone who wants to check it out. Open Whisper Systems announced the desktop version back in December, but until today it was invite-only.

    It’s not a native app but a Chrome app, meaning it installs in the browser but gets in its own little window — which is either a plus or a minus depending on how you work. You’ll also need to be using the Signal Android app

    The app is still in beta

    Reply
  27. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    FBI says “CEO fraud” attacks, where scammers often scrape email addresses and impersonate execs to target employees, have cost organizations $2.3B+ since 2013

    FBI: $2.3 Billion Lost to CEO Email Scams
    http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/

    The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

    In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.

    CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name.

    Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes rarely set off spam traps because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.

    FBI Warns of Dramatic Increase in Business E-Mail Scams
    https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams?utm_source=hs_email&utm_medium=email&utm_content=28140297&_hsenc=p2ANqtz–f0buz9nDeHu9YAI5KYbMmCHIthkKaP7LIvZg0vaXQ0uUOCJWXPSxi1TSlz5gdZ_ZF9OVTPnVsL2mGryCnumjJvUj_GQ&_hsmi=28140297

    Reply
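
The look-alike domain trick described in the Krebs post above (a sender domain "one or two letters off" from the real one) is exactly what SPF, DKIM and DMARC do not catch, because the attacker's domain is legitimately registered and authenticates fine; it has to be caught at the mail gateway or in the client by comparing the sending domain against the organisation's own. The Python below is an added example of such a check, not code from the post or from any product. It folds common confusable glyph sequences ("rn" for "m", "1" for "l", and so on; a deliberately small subset of the Unicode confusables table), then classifies a sender as trusted, an embedded look-alike (the real domain used as a label inside a longer one), a homoglyph look-alike, an edit-distance look-alike, or unrelated. The domain example.com and all addresses are constructed for the example; the edit-distance threshold of 2 is a starting point and is too loose for very short domains.

```python
import unicodedata

# Simplified confusable-character map (a small subset of Unicode's
# confusables table, chosen for this example); applied after lowercasing.
_GLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]


def skeleton(domain: str) -> str:
    """Canonical form used to compare domains: lowercase, accents
    stripped, look-alike glyph sequences folded to what they resemble
    (so 'exarnple' and 'examp1e' both become 'example')."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in _GLYPH_PAIRS:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address, lowercased, trailing dot removed."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender(address: str, trusted_domains, max_distance: int = 2) -> str:
    """Classify the sending domain relative to the organisation's own domains.
    Returns 'trusted', 'lookalike:embedded', 'lookalike:homoglyph',
    'lookalike:edit-distance' or 'unrelated'."""
    domain = sender_domain(address)
    if domain in trusted_domains:
        return "trusted"
    for trusted in trusted_domains:
        # e.g. example.com.secure-mail.net or myexample.com
        if trusted in domain:
            return "lookalike:embedded"
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted):
            return "lookalike:homoglyph"
    for trusted in trusted_domains:
        if levenshtein(skeleton(domain), skeleton(trusted)) <= max_distance:
            return "lookalike:edit-distance"
    return "unrelated"


# Constructed examples; example.com stands in for the organisation's real domain.
TRUSTED = {"example.com"}

if __name__ == "__main__":
    for addr in ["ceo@example.com", "ceo@examp1e.com", "ceo@exarnple.com",
                 "ceo@exmple.com", "ceo@example.com.secure-mail.net", "alice@gmail.com"]:
        print(f"{addr:40} {classify_sender(addr, TRUSTED)}")
```

In practice the check is run on the From, Reply-To and Return-Path domains of inbound mail that asks for a payment or a change of bank details, and a "lookalike" result quarantines the message or at least stamps an external-sender warning on it; the other half of the scheme in the post, a genuinely compromised executive mailbox, sends from the trusted domain itself and needs different controls (multi-factor authentication on mail, out-of-band confirmation of wire transfers).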
  28. Tomi Engdahl says:

    China’s Great Firewall inventor forced to use VPN live on stage to dodge his own creation
    http://www.theregister.co.uk/2016/04/07/great_firewall_architect_forced_to_use_vpn/

    The architect of China’s Great Firewall was forced to use a VPN to bypass his own creation in a lecture this week on internet safety.

    Fang Binxing was speaking at his old university, the Harbin Institute of Technology in Heilongjiang, China, when he attempted to access webpages hosted in South Korea as a way to illustrate a point about internet sovereignty.

    The projected image from his laptop came up “Page not found” – a common occurrence for Chinese internet users who live behind the censorship apparatus built by Binxing and run by the Chinese government.

    To the audience’s amazement, Binxing then tried to bypass the firewall using a VPN installed on his computer – the same tool secretly installed by millions of Chinese to get around censorship efforts, but whose use is heavily frowned upon by officials.

    As his compatriots looked on, Binxing then had the equally frustrating experience of dealing with a slow and unstable connection to the outside world, with the link falling over twice as he tried to access Facebook and Google.

    Reply
  29. Tomi Engdahl says:

    Megabreach: 55 MILLION voters’ details leaked in Philippines
    Election officials shrug: Yeah, we were hacked – but not of sensitive info…
    http://www.theregister.co.uk/2016/04/07/philippine_voter_data_breach/

    A massive data breach appears to have left 55 million Philippine voters at much greater risk of identity fraud and more.

    Security researchers warn that the entire database of the Philippines’ Commission on Elections (COMELEC) has been exposed in what appears to be the biggest government related data breach in history. The COMELEC website was compromised and defaced on 27 March by Anonymous Philippines before a second hacker group, LulzSec Pilipinas posted COMELEC’s entire database online days later.

    All sorts of sensitive information – including passport information and fingerprint data – appears to have been included in the data dump. Some of the data was encrypted but there were some fields that were left wide open, according to an investigation by Trend Micro.

    Reply
  30. Tomi Engdahl says:

    Adobe Patches Flash Zero-Day Exploited By Magnitude Exploit Kit
    https://tech.slashdot.org/story/16/04/08/0154218/adobe-patches-flash-zero-day-exploited-by-magnitude-exploit-kit

    Adobe released a Flash Player update on Thursday night to patch a zero-day vulnerability that has been leveraged by cybercriminals to deliver malware via the Magnitude exploit kit. The vulnerability [CVE-2016-1019], a memory corruption that can be exploited for remote code execution, was discovered after, on April 2, security researcher Kafeine of Proofpoint noticed a change in the Magnitude exploit kit.

    Security Advisory for Adobe Flash Player
    Release date: April 5, 2016
    https://helpx.adobe.com/security/products/flash-player/apsa16-01.html

    A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 21.0.0.197 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

    Adobe is aware of reports that CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 20.0.0.306 and earlier. A mitigation introduced in Flash Player 21.0.0.182 currently prevents exploitation of this vulnerability, protecting users running Flash Player 21.0.0.182 and later.

    Reply
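
The Adobe advisory quoted above draws three different version lines, and they are easy to mix up when deciding what to patch first: everything up to 21.0.0.197 is vulnerable, the in-the-wild exploit was reported against 20.0.0.306 and earlier, and a mitigation shipped in 21.0.0.182 blocks that known exploit without fixing the bug. The Python below is an added example (not Adobe's code or anything from the page) that turns those boundaries into a triage function and groups a constructed host inventory so the "vulnerable and known-exploited" set comes first. The host names and the version 21.0.0.213 (meant only as a build newer than the affected range) are made up. The thresholds describe the 20.x/21.x branch named in the advisory for Windows, Mac and Chrome OS; the Linux NPAPI 11.2.202.x and Extended Support 18.x branches use their own numbering and must not be fed to this function as written.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'21.0.0.197' -> (21, 0, 0, 197); tuples compare component-wise,
    which is what a dotted build number needs (string comparison would
    rank '21.0.0.99' above '21.0.0.197')."""
    return tuple(int(part) for part in text.strip().split("."))


# Boundaries quoted from APSA16-01 above.  Only valid for the 20.x/21.x
# branch (Windows, Mac, Chrome OS); other Flash branches have their own numbers.
AFFECTED_MAX = parse_version("21.0.0.197")   # this build and earlier are vulnerable
EXPLOITED_MAX = parse_version("20.0.0.306")  # in-the-wild exploitation reported up to here
MITIGATED_MIN = parse_version("21.0.0.182")  # mitigation blocks the known exploit from here


def triage(version_text: str) -> str:
    """Classify one installed Flash Player build against the advisory."""
    v = parse_version(version_text)
    if v > AFFECTED_MAX:
        return "patched"
    if v >= MITIGATED_MIN:
        return "vulnerable-mitigated"   # still needs the update, but the known exploit fails
    if v <= EXPLOITED_MAX:
        return "vulnerable-exploited"   # the exploit kit is known to work here: patch first
    return "vulnerable"                 # no mitigation, no exploit report either


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by triage state so the exploited set can be scheduled first."""
    groups: Dict[str, List[str]] = {}
    for host, ver in inventory.items():
        groups.setdefault(triage(ver), []).append(host)
    return groups


# Constructed inventory: host names and the post-fix build number are made up.
INVENTORY = {
    "ws-01": "20.0.0.306",
    "ws-02": "21.0.0.197",
    "ws-03": "21.0.0.182",
    "ws-04": "21.0.0.213",
    "ws-05": "19.0.0.245",
}

if __name__ == "__main__":
    for state, hosts in sorted(triage_fleet(INVENTORY).items()):
        print(f"{state:22} {', '.join(sorted(hosts))}")
```

The distinction the function preserves is the one that matters for scheduling: a "mitigated" host is still vulnerable to any new exploit for the same bug and goes in the normal patch cycle, while an "exploited" host is being hit by a commodity exploit kit today and should not wait for it.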
  31. Tomi Engdahl says:

    Stop! You are being monitored ever more closely

    Security and surveillance systems are an increasingly important part of our everyday lives. We are photographed, videotaped and monitored almost all the time. Today’s camera installations also use higher levels of processing, and even artificial intelligence, to automate data collection and the decision-making that follows. Smile, the camera pointed at you is no longer so hidden!

    Video surveillance has proven to be beneficial in many ways as an advanced sensor

    Continuous technology development and progress in manufacturing have taken video surveillance to a level where we can genuinely rely on it for safety.

    Because of the lack of storage technology in the early days of CCTV, systems needed a human eye to monitor them, so someone had to be watching at the time of an event to get any information out of it. After that the picture was lost.

    In effect, the human was the control processor in the alarm loop, making the decision whether to trigger an alarm or not.

    Machine vision is now being integrated with artificial intelligence, which can produce a new generation of surveillance systems. They need fewer operating personnel, are cheaper and recognise a wider range of objects. These requirements set the bar ever higher for designers: now they need to integrate functions at a higher level and with higher performance than ever before.

    Design Issues & Concerns

    Without the speed and density of modern memory chips, and without the performance of modern embedded processors, next-generation smart camera surveillance systems could not be designed at a reasonable price or size. One reason is the additional burden that each improvement in image resolution places on the rest of the system design.

    Older 8-bit four-megahertz processors were good enough when engineers developed the first digital control loops.

    High-speed processors

    Alongside video technologies, a number of advanced processor architectures and families have been developed, and they are beginning to be ready for the next generation of intelligent video surveillance. In all cases they use external bus interfaces and most likely external high-speed DRAMs. The most advanced processors can address several gigabytes of memory and support a number of high-speed synchronous memory paths such as DDR and SDR. Designers have to keep memory bandwidth in mind when designing such systems.

    Transmission and concatenation

    Communication requirements can be a key part of the design challenge for the next generation of surveillance systems. With so much data being generated, the required transmission speed keeps growing exponentially, just as memory demands have increased. The transmission distance also becomes an issue to consider. Even the popular 100-megabit Ethernet link has its limitations when run over long distances on CAT-type cabling.

    Gigapixel-level cameras have already become available. People are concerned about security and privacy issues in society, but they can be prepared for their doings to be monitored continuously at ever higher resolutions. While a fibre connection supports higher data rates, copper has always been the cheaper link to implement.

    One of the most interesting emerging technologies that meets this bandwidth need, among others, is the CoaXPress standard. It is a point-to-point link running over coaxial cable at 6.25 gigabits per second, reaching up to 130 metres.

    What about wireless?

    Although a wireless link is possible, range and bandwidth limitations make it practically unusable for most surveillance applications. In addition, wireless links are easier to interfere with, which would expose surveillance applications to various attacks.

    It is possible to use short wireless links to local centres or hubs.

    It is not entirely unthinkable that in the near future all the surveillance cameras in public spaces will be integrated into the Internet of Things. This would mean that everyone would have access to all public surveillance devices.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4233:seis-sinua-valvotaan-yha-tarkemmin&catid=13&Itemid=101

    Reply
  32. Tomi Engdahl says:

    Nation-wide radio station hack airs hours of vulgar “furry sex” ramblings
    Listeners hear explicit audio caused when station equipment is commandeered.
    http://arstechnica.com/security/2016/04/nation-wide-radio-station-hack-airs-hours-of-vulgar-furry-sex-ramblings/

    Some Tuesday morning listeners of KIFT, a Top 40 radio station located in Breckenridge, Colorado, were treated to a radically different programming menu than they were used to. Instead of the normal fare from Taylor Swift, The Chainsmokers, or other pop stars, a hack by an unknown party caused one of the station’s signals to broadcast a sexually explicit podcast related to the erotic attraction to furry characters. The unauthorized broadcast lasted for about 90 minutes.

    KIFT wasn’t the only station to be hit by the hack. On the same day, Livingston, Texas-based country music station KXAX also broadcast raunchy furry-themed audio.

    “All in all the FurCast aired for an hour, possibly two,” Jason Mclelland, owner and general manager of the KXAX Radio Group, wrote in an e-mail.

    Mclelland said the hack was carried out by someone who managed to take control of an audio streaming device sold by a company called Barix. The account is consistent with the RadioInsight post, which said the string of unauthorized broadcasts was accomplished when attackers attempted to log in to large numbers of Barix boxes. When successful, the attackers locked out the rightful operators and caused the equipment to play Internet-accessible podcasts made available by FurCast, a hobbyist group dedicated to furry sex.

    “This appears to have been in the planning stages for some time by the person doing it,” an advisory published by the Michigan Association of Broadcasters said of the Barix system hack.

    According to KIFT officials, the compromise hit a studio transmitter link used to send audio to a booster antenna and didn’t affect broadcasts over the station’s main signal. The furry podcast was streamed non-stop for an hour and a half over the auxiliary channel. “Our station was unable to regain control over the STL [studio transmitter link] until the station engineer actually traveled to the remote transmitter site and reprogrammed the system from that location,” the station officials wrote.

    It’s not the first time hackers have caused a TV or radio station to make an unauthorized broadcast.

    The Barix equipment that appears to have been targeted is susceptible to hacks when running factory default settings.

    Reply
  33. Tomi Engdahl says:

    Maryland hospital: Ransomware success wasn’t IT department’s fault
    MedStar denies ransom payment, denies earlier JBoss bugs played role.
    http://arstechnica.com/security/2016/04/maryland-hospital-group-denies-ignored-warnings-allowed-ransomware-attack/

    MedStar, the health network of 10 Maryland hospitals struck by a ransomware attack last week, has now reportedly brought all its systems back online without paying attackers. But a MedStar spokesperson denied reports that the attack was made possible because the health provider’s IT department failed to make fixes to systems that had been issued years ago. Ars will publish an in-depth analysis of the techniques used by the Samsam ransomware attackers this Friday.

    Tami Abdollah of the Associated Press reported Tuesday that an anonymous source “familiar with the investigation” of the cyberattack claimed that the flaws that allowed attackers to compromise a JBoss Web application server and attack the network with Samsam crypto-ransomware had been highlighted in security warnings from JBoss maintainer Red Hat, the US government and others in February 2007, March 2010, and again this month.

    MedStar denies that the earlier warnings—including one issued as a security advisory by Red Hat in April 2010—had anything to do with the attack, according to the findings of a response team from Symantec. “News reports circulating about the malware attack on MedStar Health’s IT system are incorrect,” a MedStar spokesperson said in a statement.

    Analysis of other Samsam attacks shows that the most likely cause of the attack on MedStar is an improperly installed JBoss server.

    Reply
  34. Tomi Engdahl says:

    ‘BillGates’: Linux botnet is launching DDoS attacks on online gaming services
    Malware wants control of your PC
    http://www.theinquirer.net/inquirer/news/2453883/billgates-linux-botnet-is-launching-ddos-attacks-on-online-gaming-services

    IRONY ALERT: Bill Gates-themed software wants to get on as many computers as possible and not budge.

    Not Windows, of course, but a botnet called BillGates. The malware has been around since 2014 but now seems to be leaping forwards (not over a chair) and making a nuisance of itself, according to Akamai.

    The security firm said that the botnet appears to be leaking out of Russia.

    “The attack vectors available in the toolkit include ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7) and DNS query-of-reflection flood.”

    The malware uses brute force SSH attacks, added the firm, and is used to launch DDoS attacks on online gaming services.

    “The botnet appears to mostly target Asia-based organisations, focusing heavily on the gaming and entertainment industries,”

    Reply
  35. Tomi Engdahl says:

    Cyber fraudsters reap $2.3 billion through email wire-transfer scams
    http://www.reuters.com/article/us-cyber-fraud-email-idUSKCN0X505U

    Businesses have lost billions of dollars to fast-growing scams where fraudsters impersonate company executives in emails that order staff to transfer to accounts controlled by criminals, according to the U.S. Federal Bureau of Investigation.

    Losses from these scams, which are known as “business email compromise,” totaled more than $2.3 billion from October 2013 through February of this year.

    The cases involved some 17,642 businesses of all sizes scattered across at least 79 countries.

    Reply
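The executive-impersonation pattern the FBI describes is detectable from mail headers alone before anyone acts on the request. Here is an added example of such a check (not from the Reuters article or the FBI): the company domain, the executive directory, the keyword list and the sample message are all constructed, and the look-alike-domain rule (edit distance of two or less) is an assumed tuning value.

```python
"""Flag business-email-compromise indicators in a raw e-mail.

Added example, not from the Reuters article or the FBI: the company domain,
executive directory, keyword list and the message below are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                         # assumption: the defended organisation
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}      # assumption: display name -> real address
PAYMENT_WORDS = ("wire", "transfer", "urgent", "invoice", "account number")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return a list of human-readable indicators; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    hits = []

    # 1. Display name of a known executive, but the address is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        hits.append(f"display name '{from_name}' is an executive but address is {from_addr}")

    # 2. Sender domain is a near-miss of the company domain (typo-squat).
    if from_dom and from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        hits.append(f"sender domain {from_dom} looks like {COMPANY_DOMAIN}")

    # 3. Replies are steered to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        hits.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Payment language only matters once a header indicator has fired.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    words = [w for w in PAYMENT_WORDS if w in text]
    if words and hits:
        hits.append("payment language present: " + ", ".join(words))
    return hits


# Constructed sample message exhibiting all four indicators.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail-relay-example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer before close of business
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today and confirm once the transfer is done.
I am in meetings all day, so reply to this address only.
"""

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE_MESSAGE):
        print("-", hit)
```

Keyword matching on its own is noisy, which is why the payment-language indicator is only reported after a header anomaly; the headers are what distinguish impersonation from a genuine finance request.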
  36. Tomi Engdahl says:

    Did Drupal and Drupalgeddon lead to Panama Papers leaks at Mossack Fonseca?
    http://drupal.ovh/drupal-panama-papers-leaks-mossack-fonseca

    Recently a giant information leak revealed a number of individuals practising tax evasion using the Panamanian company Mossack Fonseca. In wake of the stories revealing the culprits behind the evasion itself Forbes has done investigative journalism to find the reasons that lead to the leak itself.

    For the Panama leaks, information suggests the first steps to the leaks were taken through a vulnerability in Drupal, known as Drupalgeddon.

    While it’s not clear if Drupal and Drupalgeddon are the reason behind the leak, the fact is that there are likely thousands of vulnerable installations of Drupal around the world. And it’s not limited to just Drupal, but many projects that run on the web and are deployed in large numbers. Whether or not Drupal was used in the attacks does not matter – it’s a larger thing than this (giant) data leak.

    Because WordPress and Drupal are so mundane nowadays, people easily forget that they are continuously online targets for malicious activities like data breaches and DDoS platforms. Likely in most cases there is little value in breaches to attackers, but given the ease of hacking online web services automatically – they’re truly a honeypot waiting to be opened.

    Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause
    https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

    Mossack Fonseca (MF), the Panamanian law firm at the center of the so called Panama Papers Breach may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among other famous public figures. It is the largest data breach to journalists in history, weighing in at 2.6 terabytes and 11.5 million documents.

    Forbes have reported that MF was giving their customers access to data via a web portal running a vulnerable version of Drupal. We performed an analysis on the MF website and have noted the following:

    The MF website runs WordPress and is currently running a version of Revolution Slider that is vulnerable to attack and will grant a remote attacker a shell on the web server.

    It appears that MF have now put their site behind a firewall which would protect against this vulnerability being exploited. This is a recent change within the last month.

    A working exploit for the Revolution Slider vulnerability was published on 15 October 2014 on exploit-db which made it widely exploitable by anyone who cared to take the time.

    Revolution Slider (also known as Slider Revolution) version 3.0.95 or older is vulnerable to unauthenticated remote file upload.

    Reply
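The one concrete, checkable fact in the Wordfence post is the version boundary: Revolution Slider 3.0.95 or older. As an added example (not Wordfence's or the plugin's code), here is a check that reads the Version line from a WordPress plugin header and compares it against that boundary with proper numeric ordering, so that 3.1 correctly ranks above 3.0.95. The header text is constructed in the format WordPress uses for a plugin's main file; the plugin URI is a placeholder.

```python
"""Check a WordPress plugin's declared version against a known-vulnerable range.

Added example, not from the Wordfence post: the header below is constructed
in the format WordPress uses for a plugin's main file. The only fact taken
from the post is that Revolution Slider 3.0.95 or older is vulnerable.
"""
import re

# Highest vulnerable version named by Wordfence for the unauthenticated file upload.
REVSLIDER_LAST_VULNERABLE = "3.0.95"

# WordPress reads plugin metadata from a "Key: value" comment block.
VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_plugin_version(header_text):
    """Return the Version: value from a WordPress plugin header, or None if absent."""
    m = VERSION_HEADER.search(header_text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '3.0.95' or '4.1-beta' into a tuple of ints; non-numeric suffixes are dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter tuples are zero-padded so that 3.1 > 3.0.95."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def revslider_is_vulnerable(header_text):
    """True when the header declares a version <= 3.0.95, False when newer,
    None when no Version line is present (treat that as 'investigate')."""
    declared = parse_plugin_version(header_text)
    if declared is None:
        return None
    return compare_versions(declared, REVSLIDER_LAST_VULNERABLE) <= 0


# Constructed header; the URI is a placeholder, not the real plugin's.
SAMPLE_HEADER = """\
<?php
/*
Plugin Name: Slider Revolution
Plugin URI: http://plugin-uri.example/
Description: Slider Revolution - Premium responsive slider
Version: 3.0.95
Author: ThemePunch
*/
"""

if __name__ == "__main__":
    state = {True: "VULNERABLE", False: "patched", None: "no version found"}
    print(parse_plugin_version(SAMPLE_HEADER), state[revslider_is_vulnerable(SAMPLE_HEADER)])
```

In practice you would feed this the contents of each plugin's main file under wp-content/plugins; the string comparison trap it avoids ("3.1" < "3.0.95" lexically) is a common reason naive version audits miss nothing and flag the wrong installs.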
  37. Tomi Engdahl says:

    Karamba Security Emerges From Stealth to Protect Cars From Hackers
    http://www.securityweek.com/karamba-security-emerges-stealth-protect-cars-hackers

    Karamba Security, a company specializing in solutions designed to protect connected cars from cyberattacks, has come out of stealth mode with $2.5 million raised in seed funding.

    Researchers have demonstrated over the past years that vehicles such as the Toyota Prius, Tesla Model S, Jeep Cherokee, and Nissan Leaf are exposed to hacker attacks due to vulnerabilities in connected systems.

    Karamba Security, a company founded by a group of entrepreneurs and cybersecurity experts, aims to protect connected vehicles with an endpoint solution designed to harden electronic control units (ECUs) that can be remotely accessed via the Internet, Wi-Fi or Bluetooth.

    If they can compromise one of the externally-accessible controllers, attackers can make their way into the vehicle’s Controller Area Network (CAN) bus, from where they could take control of various functions.

    Karamba proposes a solution that car manufacturers and their tier 1 suppliers can embed into ECUs to ensure that only authorized code and applications can be executed. The product enables vendors to define factory settings for each controller, and create a whitelist of permitted binaries, processes, scripts and network behavior.

    Reply
  38. Tomi Engdahl says:

    Germany, France Hit Most by Locky Ransomware: Kaspersky
    http://www.securityweek.com/germany-france-hit-most-locky-ransomware-kaspersky

    While it has been roughly two months since it was first spotted, the Locky ransomware has become a global threat, targeting users in 114 countries. While the threat has infected systems around the world, a heavy concentration of attacks has been registered in Germany and France, Kaspersky Lab says.

    Initially distributed via malicious macros in Office documents, then via JavaScript-based attachments, Locky has recently appeared in exploit kits as well, showing that its operators are looking to expand as much as possible, fast. Recently, FireEye Labs researchers detected massive Locky spam email campaigns around the world, while Check Point noticed changes in Locky’s communication patterns.

    Reply
  39. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Security experts say Burr-Feinstein draft encryption bill is flawed and dangerous — The Senate’s Draft Encryption Bill Is ‘Ludicrous, Dangerous, Technically Illiterate’ — As Apple battled the FBI for the last two months over the agency’s demands that Apple help crack its own encryption …

    The Senate’s Draft Encryption Bill Is ‘Ludicrous, Dangerous, Technically Illiterate’
    http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/

    As Apple battled the FBI for the last two months over the agency’s demands that Apple help crack its own encryption, both the tech community and law enforcement hoped that Congress would weigh in with some sort of compromise solution. Now Congress has spoken on crypto, and privacy advocates say its “solution” is the most extreme stance on encryption yet.

    On Thursday evening, the draft text of a bill called the “Compliance with Court Orders Act of 2016,” authored by offices of Senators Diane Feinstein and Richard Burr, was published online by the Hill. It’s a nine-page piece of legislation that would require people to comply with any authorized court order for data—and if that data is “unintelligible,” the legislation would demand that it be rendered “intelligible.” In other words, the bill would make illegal the sort of user-controlled encryption that’s in every modern iPhone, in all billion devices that run Whatsapp’s messaging service, and in dozens of other tech products. “This basically outlaws end-to-end encryption,” says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology. “It’s effectively the most anti-crypto bill of all anti-crypto bills.”

    Reply
  40. Tomi Engdahl says:

    Sarah Jeong / The Atlantic:
    How a cashless society enables more financial surveillance and censorship through choke points run by corporate intermediaries

    How a Cashless Society Could Embolden Big Brother
    When money becomes information, it can inform on you.
    http://www.theatlantic.com/technology/archive/2016/04/cashless-society/477411/

    In 2014, Cass Sunstein—one-time “regulatory czar” for the Obama administration—wrote an op-ed advocating for a cashless society, on the grounds that it would reduce street crime. His reasoning? A new study had found an apparent causal relationship between the implementation of the Electronic Benefit Transfer system for welfare benefits, and a drop in crime.

    there was less cash circulating in poor neighborhoods. And the less cash there was on the streets, the study’s authors concluded, the less crime there was.

    The year after Sunstein’s op-ed was published, in a seemingly unrelated incident, a student at Columbia University was arrested and charged with five drug-related offenses, including possession with the intent to sell. Supposedly, his fellow students and customers had paid him through the Paypal-owned smartphone app Venmo.

    Venmo makes every transaction public by default. The app features a social-network-like feed where you can see your friends sending each other varying sums of money, often accompanied with cute descriptions and emoji. The alleged dealer asked his customers to write a funny description for every transaction, and in doing so, turned his feed (and others’) into an open record of drug trafficking.

    In a cashless society, the cash has been converted into numbers, into signals, into electronic currents. In short: Information replaces cash.

    Information is lightning-quick. It crosses cities, states, and national borders in the twinkle of an eye. It passes through many kinds of devices, flowing from phone to phone, and computer to computer, rather than being sealed away in those silent marble temples we used to call banks. Information never jangles uncomfortably in your pocket.

    But wherever information gathers and flows, two predators follow closely behind it: censorship and surveillance. The case of digital money is no exception. Where money becomes a series of signals, it can be censored; where money becomes information, it will inform on you.

    At various points in the chain, all transactions squeeze through bottlenecks created by big players like Visa, Mastercard, and Paypal.

    Transactions route through several tangled layers of vendors, processors, and banks. At various points in the chain, all transactions squeeze through bottlenecks created by big players like Visa, Mastercard, and Paypal: These are the choke points for which Operation Choke Point is named.

    The choke points are private corporations that are not only subject to government regulation on the books, but have shown a disturbing willingness to bend to extralegal requests—whether it is enforcing financial blockades against the controversial whistleblowing organization WikiLeaks or the website Backpage, which hosts classified ads by sex workers, and allegedly ads from sex traffickers as well. A little bit of pressure, and the whole financial system closes off to the government’s latest pariah. Operation Choke Point exploited this tendency on a wide scale.

    A cashless society promises a world of limitation, control, and surveillance, which the poorest Americans already have in abundance.

    Cryptocurrency isn’t really a federal priority, and as long as that’s the case, it can be a viable backchannel when payment processors institute blockades.

    Financial censorship could become pervasive, unbarred by any meaningful legal rights or guarantees.

    Reply
  41. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers: hard-to-detect malicious Firefox add-ons can hijack very popular add-ons like NoScript and Firebug to execute malicious code and steal data

    NoScript and other popular Firefox add-ons open millions to new attack
    Unlike many browsers, Firefox doesn’t always isolate an add-on’s functions.
    http://arstechnica.com/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/

    Reply
  42. Tomi Engdahl says:

    Kashmir Hill / Fusion:
    How IP mapping service MaxMind locating 600M IP addresses to the geographic center of the US led to trouble for one Kansas resident — How an internet mapping glitch turned a random Kansas farm into a digital hell — An hour’s drive from Wichita, Kansas, in a little town called Potwin …

    How an internet mapping glitch turned a random Kansas farm into a digital hell
    http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/

    An hour’s drive from Wichita, Kansas, in a little town called Potwin, there is a 360-acre piece of land with a very big problem.

    The plot has been owned by the Vogelman family for more than a hundred years, though the current owner, Joyce Taylor née Vogelman, 82, now rents it out.

    But instead of being a place of respite, the people who live on Joyce Taylor’s land find themselves in a technological horror story.

    For the last decade, Taylor and her renters have been visited by all kinds of mysterious trouble. They’ve been accused of being identity thieves, spammers, scammers and fraudsters. They’ve gotten visited by FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children. They’ve found people scrounging around in their barn. The renters have been doxxed, their names and addresses posted on the internet by vigilantes. Once, someone left a broken toilet in the driveway as a strange, indefinite threat.

    All in all, the residents of the Taylor property have been treated like criminals for a decade. And until I called them this week, they had no idea why.

    The trouble for the Taylor farm started in 2002, when a Massachusetts-based digital mapping company called MaxMind decided it wanted to provide “IP intelligence.”

    There are lots of different ways a company like MaxMind can try to figure out where an IP address is located.

    But IP mapping isn’t an exact science. At its most precise, an IP address can be mapped to a house.

    At its least precise, it can be mapped only to a country. In order to deal with that imprecision, MaxMind decided to set default locations at the city, state and country level for when it knows only roughly where the IP address lives.

    As a result, for the last 14 years, every time MaxMind’s database has been queried about the location of an IP address in the United States it can’t identify, it has spit out the default location of a spot two hours away from the geographic center of the country. This happens a lot: 5,000 companies rely on MaxMind’s IP mapping information, and in all, there are now over 600 million IP addresses associated with that default coordinate.

    Which happens to be in the front yard of Joyce Taylor’s house.

    The harassment continued to the point where the local sheriff had to intervene.

    The Kansas house is not the only house to have problems as a result of being a default location in the MaxMind database.

    The physical mapping of computer addresses is one of the many aspects of the internet infrastructure that is almost completely unregulated. It is a task performed by private companies, and not just MaxMind. No one is officially in charge, and so there was no obvious party that Tony Pav or Joyce Taylor could go to in order to find out why this was happening, or get it fixed.

    Try to locate yourself
    http://whatismyipaddress.com/

    Reply
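The failure mode in the Fusion story is consumers of the data treating a country-level fallback coordinate as if it were a street address. As an added example (not MaxMind's code or data), here is how a consumer of geolocation results can refuse to do that: it only yields coordinates when the lookup itself claims useful precision, and it flags any coordinate that many unrelated addresses collapse onto as a default rather than a location. Every lookup result below is constructed; the field names mirror the kind of fields a GeoIP2-style response carries (country, city, coordinates, accuracy radius), but the values, including the "default" coordinate, are made up and are not MaxMind's.

```python
"""Treat coarse IP-geolocation results as coarse.

Added example, not MaxMind's code or data: every result below is constructed.
The accuracy-radius field mirrors what GeoIP2-style responses report, but the
numbers here, including the 'default' coordinate, are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class GeoResult:
    ip: str
    country: str
    city: Optional[str]        # None when the provider could not resolve below country level
    latitude: float
    longitude: float
    accuracy_radius_km: int    # the provider's own stated uncertainty for the coordinate


# Constructed sample: one city-level hit, three country-level fallbacks that
# all land on the same placeholder coordinate, and one result from elsewhere.
SAMPLE_RESULTS = [
    GeoResult("203.0.113.10", "US", "Wichita", 37.69, -97.34, 20),
    GeoResult("203.0.113.11", "US", None, 38.0, -97.0, 1000),
    GeoResult("203.0.113.12", "US", None, 38.0, -97.0, 1000),
    GeoResult("203.0.113.13", "US", None, 38.0, -97.0, 1000),
    GeoResult("198.51.100.5", "DE", "Berlin", 52.52, 13.40, 50),
]


def usable_coordinates(result, max_radius_km=100) -> Optional[Tuple[float, float]]:
    """Return (lat, lon) only when the lookup claims city-level precision within
    max_radius_km; a country-level fallback yields None rather than a point."""
    if result.city is None or result.accuracy_radius_km > max_radius_km:
        return None
    return (result.latitude, result.longitude)


def shared_coordinates(results, min_count=3):
    """Coordinates that several unrelated IPs collapse onto are almost certainly
    provider defaults, not places. Returns {(lat, lon): number_of_ips}."""
    counts = Counter((r.latitude, r.longitude) for r in results)
    return {coord: n for coord, n in counts.items() if n >= min_count}


def describe(result, defaults):
    """Render a result for a human, never presenting a default as an address."""
    coord = (result.latitude, result.longitude)
    if coord in defaults:
        return f"{result.ip}: coarse default for {result.country}, not an address"
    if usable_coordinates(result) is None:
        return f"{result.ip}: {result.country} (country-level only)"
    return f"{result.ip}: near {result.city}, {result.country} (+/- {result.accuracy_radius_km} km)"


if __name__ == "__main__":
    defaults = shared_coordinates(SAMPLE_RESULTS)
    for r in SAMPLE_RESULTS:
        print(describe(r, defaults))
```

The second check is the one that would have caught the Potwin problem from the consumer's side: a coordinate that 600 million addresses share is not a location, regardless of what precision field accompanies it.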
  43. Tomi Engdahl says:

    This is the scariest sentence you will ever read about the internet
    http://fusion.net/story/287086/this-is-the-scariest-sentence-you-will-ever-read-about-the-internet/

    For those of us who care about democracy and the importance of a healthy political discourse, a story published by Bloomberg this week, “How to Hack an Election,” was incredibly distressing.

    In it, Colombian hacker Andrés Sepúlveda comes clean about eight years he spent allegedly using dark, and often illegal, computer skills to help conservative candidates throughout Latin America; some won and a few lost. He describes exploits in major elections in Colombia, Nicaragua, Honduras, Venezuela, Costa Rica, Panama and Mexico.

    In his most noteworthy alleged victory, he claims to have assisted the increasingly unpopular Mexican President Enrique Peña Nieto win his 2012 election. Sepúlveda claims that he was given a budget of $600,000 to rig the election in favor of the Institutional Revolutionary Party (PRI) candidate. He says he installed malware in his opponents’ routers, which let him tap their phones and computers; sent prerecorded messages to tens of thousands of people in a critical swing state at 3 a.m. on election night, purporting to support another candidate to anger voters; and set up fake Facebook accounts of gay men who purported to support a conservative Catholic candidate, angering many. Bloomberg says that it has verified some of what Sepúlveda claims to have done, but there is no way of verifying it all.

    This was, according to the report, the tactic that likely had the most impact. It’s a technique that academics call “cognitive hacking”—in which an attacker attempts to change people’s perception of reality.

    “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”
    - Andrés Sepúlveda, Colombian hacker

    What’s notable about this tactic is that it’s not even illegal, only against Twitter policy.

    he’s telling the story from behind bars

    Going back to at least 2010, the use of Twitter bot armies has been decried for their ability to influence the outcome of elections in the U.S.

    In the latest Pew Research Center survey, 14% of all people polled said they primarily get news about the 2016 presidential election from social media, a tie with local television. Cable television leads the pack, with 24% of all surveyed. But among 18- to 29-year-olds, social media is the top source, with 35% of them saying it’s their primary news source. That makes young people much more susceptible to this kind of manipulation.

    How to Hack an Election
    http://www.bloomberg.com/features/2016-how-to-hack-an-election/

    Andrés Sepúlveda rigged elections throughout Latin America for almost a decade. He tells his story for the first time.

    Reply
  44. Tomi Engdahl says:

    Here are the famous politicos in ‘the Wikileaks of the mega-rich’
    http://fusion.net/story/287227/famous-presidents-shell-companies-trove/

    It’s being called the “Panama Papers” — a trove of 11.5 million leaked internal documents from the Panamanian law firm Mossack Fonseca, showing how hundreds of thousands of people with money to hide used anonymous shell corporations across the world.

    Reply
  45. Tomi Engdahl says:

    Sean Gallagher / Ars Technica:
    How skilled attackers are using newly evolved crypto-ransomware to turn every network intrusion into a potential payday — OK, panic—newly evolved ransomware is bad news for everyone — Crypto-ransomware has turned every network intrusion into a potential payday.

    OK, panic—newly evolved ransomware is bad news for everyone
    Crypto-ransomware has turned every network intrusion into a potential payday.
    http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/

    There’s something inherently world-changing about the latest round of crypto-ransomware that has been hitting a wide range of organizations over the past few months. While most of the reported incidents of data being held hostage have purportedly involved a careless click by an individual on an e-mail attachment, an emerging class of criminals with slightly greater skill has turned ransomware into a sure way to cash in on just about any network intrusion.

    And that means that there’s now a financial incentive for going after just about anything. While the payoff of going after businesses’ networks used to depend on the long play—working deep into the network, finding and packaging data, smuggling it back out—ransomware attacks don’t require that level of sophistication today. It’s now much easier to convert hacks into cash.

    Easy money

    As a form of criminal business, crypto-ransomware is low-risk with an increasingly high yield. While the potential payoff of data theft can generate a lot of cash for cybercriminals—either through credit fraud, tax return fraud, or sale of identity information—crypto-ransomware provides a way to get paid directly by the victim with little risk of exposure. It taps into an already thriving market of Bitcoin transfer services and malware-as-a-service operators, allowing just about anyone to make money off a few unlucky victims.

    At least so far, there’s also little fear of law enforcement tracking ransomware operators down. Many cases of crypto-ransomware attacks go unreported to law enforcement—or to anyone else, especially when the targets are companies. “Companies don’t like talking about these incidents because they’re worried they may escalate the situation they’re in or become targets for other attackers,”

    Reply
  46. Tomi Engdahl says:

    Industry Reactions to Panama Papers: Feedback Friday
    http://www.securityweek.com/industry-reactions-panama-papers-feedback-friday

    Hackers breached the systems of Panama-based law firm Mossack Fonseca and leaked a large number of documents that appear to show how politicians, businessmen and other public figures from across the world used offshore companies to hide their income and avoid paying taxes.

    A source whose identity remains unknown provided news organizations what has become known as the Panama Papers — 2.6 terabytes of data, totaling 11.5 million emails, databases, images and documents taken from the systems of Mossack Fonseca.

    While some assumed this was an inside job, Mossack Fonseca said it was an external email hack.

    As for how the attackers gained access to the firm’s systems, WordFence believes it might have something to do with a vulnerability in the WordPress plugin Slider Revolution. Another possible culprit, as pointed out by Forbes, is a customer portal running a three-year-old version of Drupal.

    Industry professionals commented on the Panama Papers, including the privacy, security and legal implications of the breach, and how such incidents can be avoided.

    ” ‘Cyber Liability’ has been a cutting-edge exposure issue for lawyers and law firms for a couple years now.”

    “Mossack Fonseca — had significant computer security failings that allowed hackers to infiltrate its systems and steal millions of documents, quoting security experts who said the firm used outdated software containing security holes and failed to encrypt its emails. One expert noted that the firm’s Outlook email system apparently hadn’t been updated since 2009.”

    “Any potential legal malpractice claim arising out of a law firm hack like this would focus on whether the firm was negligent in its security precautions. The standard of care that firms must meet evolves over time, but the fact that sub-standard procedures have already been identified in this case does not bode well for the firm.”

    “Another issue is who could sue, and for what damage.”

    “What should be abundantly clear to everyone in the wake of the Panama Papers leak is that, in 2016, the quest to simply adopt a comprehensive, holistic approach to security infrastructure is fool’s gold. Few—if any—organizations have the resources to block all comers and defend all walls; and while a layered defense is always recommended, every defense has the potential to fail in some way, whether by blind spot, blind faith or lack of oversight. Security needs to be asset-driven and information-centric because the hackers’ goal is not to infect a user, it is to damage or steal information assets. Regardless of what systems were compromised or vulnerabilities exploited, Mossack Fonseca’s greatest failure was not realizing or detecting the access and wholesale theft of four decades of archives in a record setting 2.6 terabyte cache of files.”

    “Political scandal, first through Edward Snowden and now through the Panama Papers hack, has followed bank robbery and espionage into the digital age. Only with online tools could a whistleblower hope to make off with 2.6 terabytes accounting for 11.5 million documents, and could journalists rely on powerful collaboration software to analyse the information. This generation’s Watergate will be conducted through shared folders and chatrooms.”

    “On the business side, this data breach should be a wake-up call to all industries: Hackers are not just after social security, health insurance, and credit card numbers. Determined attackers follow ideological, political, and financial motives.”

    “While it is generally a good thing when corrupt practices come to light, the Panama Papers fiasco also illustrates the poor security practices – bordering on chaos – that exist at many law firms around the world. Although lawyers have a professional obligation to safeguard confidentiality, too many fail to acquaint themselves with basic information security practices, such as encryption. No one expects lawyers to be technology experts, but they do need to ask the experts for their advice — and follow it.”

    “Clearly we have seen in many cases of cyber-attacks, that the force majeure defense (unanticipated and impossible to protect from event (act of God)) only applies in a very tiny fraction of companies that have excellent cyber defense capabilities. As lawyers are gleeful to explain: ignorance of the law is no defense, but this case provides a new maxim: ignorance of competent cyber defense processes and technology is no excuse for allowing outside criminals and nation states access to your clients’ data.”

    “The implications of law firm breaches are mind boggling”

    “As the world becomes increasingly more digital, more and more bad actors are coming online every day and, as a result, attacks like these are becoming more prolific. Whilst hackers do not discriminate, they do also target organisations. Hacktivist groups use targeted attacks and campaigns to expose organisations and their links to unsavoury practices – and this looks like a targeted attack.”

    “The scale of the leak has rightly raised eyebrows, but the fact it happened at all shouldn’t be surprising – I would estimate the information security procedures in offshore firms are not as tightened as those in say, the City of London.”

    “One high-profile client puts your network at the same risk as if you were a Fortune 50 or government agency.”

    Reply
  47. Tomi Engdahl says:

    Researchers Devise Scalable Attack Against Google, Facebook reCaptcha
    http://www.securityweek.com/researchers-devise-scalable-attack-against-google-facebook-recaptcha

    A group of security researchers has discovered vulnerabilities in the reCaptcha systems of Google and Facebook, and have created an attack that is highly successful at automatically bypassing the protection system.

    According to the researchers, they discovered flaws that would allow an attacker to easily influence risk analysis, bypass restrictions, and deploy large-scale attacks. Furthermore, they managed to design their attack based on deep learning technologies for the “semantic annotation of images” and say that it is as effective, or even more effective, than existing captcha-solving services.

    In their paper, Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis from the Department of Computer Science at Columbia University, also propose a series of safeguards and modifications to make similar attacks less efficient and more costly.

    http://www.cs.columbia.edu/~polakis/papers/sivakorn_eurosp16.pdf

    Reply
  48. Tomi Engdahl says:

    Don’t Improve Network Security – Create Secure Networks
    http://www.securityweek.com/dont-improve-network-security-create-secure-networks

    Security Leaders Must Change Their Mindset on How to Think About Policy, Detection and Enforcement

    Security practitioners have a problem. In the face of a seemingly endless barrage of cyberattacks, organizations have been faced with mounting pressure to combat threats by any means possible. In the interest of deepening defenses, too many organizations have taken a “buy it all” approach, hoping that by adding more and more security layers to their network, they will be able to keep up with the malicious threats trying to bring it down.

    This has created an unmanageable system of products that all claim to make us more secure, when in reality they have taken the “defense in depth” model to an extreme that is counterproductive. Too much time and money is spent keeping a litany of network security devices up to date, while not enough time is spent on an actually secure network. Instead of creating greater certainty, it’s creating agonizing complexity.

    The fact is, there needs to be a fundamental change in mindset of the way we view security. We need to reset our thinking and priorities and move the focus away from improving network security and towards creating secure networks. While it’s important to have multiple layers of defense, more emphasis needs to be placed on how companies integrate, update and manage their security.

    At their core, secure networks should focus on automation and management. This includes expanding enforcement beyond the firewall to determine what other points in the network can help stop threats. They should focus on how to more effectively integrate threat intelligence from multiple sources and then automate the analysis of that information. Finally, they need to find ways to more centrally manage and adapt policy rules that can be enforced as broadly across a company’s infrastructure as possible.

    Reply
  49. Tomi Engdahl says:

    Good News! You Already Have Next-Gen AV
    http://www.securityweek.com/good-news-you-already-have-next-gen-av

    It has become customary for tech vendors to self-categorize their solutions as “next-gen” in the hope that customers used to buying the “last-gen” can be persuaded to upgrade. They try to muscle analyst firms like Gartner into recommending “next-gen” so they can cast market leaders into the bin of history. Who’d dare to stick with a firewall when Gartner says you need a “next-gen” firewall?

    Applied to Anti-Virus, though, the “next-gen” moniker is meaningless. AV is, and always will be, AV. Today’s endpoint protection platforms are regularly updated with new signatures and detection engines that together represent the state of the art in pre-breach detection. In other words, if you have an endpoint protection solution you already have NG-AV – it quietly showed up this morning in the latest “.dat” file.

    Unfortunately it’s not enough. In the 2015 DBIR, Verizon noted that over 70% of breaches used malware crafted to be un-detectable by the victim organization. Attackers evolve faster than EPP vendors can adapt.

    Detection is a flawed protection strategy. It will fail – with certainty.

    NG-AV is “faux AV”, and we already know all of its limitations:

    – A false negative lets the attacker in. The endpoint is breached and you’re none the wiser.

    – A false positive may be worse – sending the security team scurrying to remediate non-attacked systems, wasting time and money and distracting them from signs of an actual attack. The Target breach is a good example.

    In today’s cyberscape more than 300,000 new malware variants are discovered daily, much of it polymorphic and crypted to bypass the latest detection methods. Over 97% of malware is polymorphic and unique to a specific attacked endpoint, according to Webroot.

    Pretenders to the NG-AV throne lay claim to machine learning, AI or deep learning to give them an edge. But the major players use these techniques already — it’s unlikely that a newcomer has an algorithmic lead.

    Post-breach detection is critical. Your organization may already have a breach in progress because your endpoints are likely only protected with today’s “NG-AV”. It is critically important to adopt tools to help you quickly identify signs of compromise.

    Breaches are not inevitable. Adopting isolation will reduce your attack surface. Virtualization based security is a powerful architectural construct that enables you to reduce the attack surface by micro-segmenting your network and virtualizing workloads in the data center. Even simple network segmentation would have defeated the Target attack.

    Isolation revolutionizes detection before a breach: Hardware isolation through virtualization revolutionizes attack detection because the execution environment is so robust that it is safe to permit malware to execute.

    Reply
