Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying, so I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.


EU information security decisions made in late 2015 will have an impact on what comes in 2016: a new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to have the main things okay, but the leaks have raised privacy issues.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and new operators will set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There is a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned Jan 1st, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with the Linux Foundation.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or service provider has a data backup and restore procedure that is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Cyrus Farivar / Ars Technica:
    Tor Project’s executive director Shari Steele talks about changing public perception of Tor, CMU attack, diversifying the funding sources, and more

    Two months after FBI debacle, Tor Project still can’t get an answer from CMU
    Ars Q&A: We sit down with Tor Project’s new executive director, Shari Steele.
    http://arstechnica.com/security/2016/01/going-forward-the-tor-project-wants-to-be-less-reliant-on-us-govt-funding/

    It’s been quite a few months for the Tor Project. Last November, project co-founder and director Roger Dingledine accused the FBI of paying Carnegie Mellon computer security researchers at least $1 million to de-anonymize Tor users and reveal their IP addresses as part of a large criminal investigation.

    The FBI dismissed things, but the investigation in question is a very high-profile matter focused on members of the Silk Road online-drug marketplace. One of the IP addresses revealed belonged to Brian Farrell, an alleged Silk Road 2 lieutenant. An early filing in Farrell’s case, first reported by Vice Motherboard, said that a “university-based research institute” aided government efforts to unmask Farrell.

  2. Tomi Engdahl says:

    Ongoing MD5 support endangers cryptographic protocols
    http://www.computerworld.com/article/3020066/security/ongoing-md5-support-endangers-cryptographic-protocols.html?token=%23tk.CTWNLE_nlt_computerworld_security_2016-01-08&idg_eid=051598d6597df87056c54033166b3242&utm_source=Sailthru&utm_medium=email&utm_campaign=Computerworld%20Security%202016-01-08&utm_term=computerworld_security#tk.cw_nlt_computerworld_security_issues_2016-01-08

    The old and insecure MD5 hashing function hasn’t been used to sign SSL/TLS server certificates in many years, but continues to be used in other parts of encrypted communications protocols, including TLS, therefore weakening their security.

    Researchers from the INRIA institute in France have devised several attacks which prove that the continued support for MD5 in cryptographic protocols is much more dangerous than previously believed.

    They showed that man-in-the-middle attackers can impersonate clients to servers that use TLS client authentication and still support MD5 hashing for handshake transcripts. Intercepting and forwarding credentials through protocols that use a TLS channel binding mechanism is also possible.

    The same will apply in the future to the SHA-1 hashing function which is currently being phased out from digital certificate signing.

    If the algorithm allows two inputs to match the same hash, then it is vulnerable to a so-called collision attack.

    MD5 signatures have been known to be insecure and vulnerable to practical collisions since at least 2005 and their use for signing SSL/TLS server certificates has been phased out. However, support for the algorithm was kept in other parts of the protocol where its use was still considered safe due to other factors.

    Most of the encrypted Web is based on server authentication, where the client verifies the server’s certificate to make sure that it’s talking to the right website and not a rogue one served by an attacker who can intercept and modify network traffic. But there are also implementations of TLS client authentication, where the server verifies the client’s certificate, such as with certain banking applications or virtual private networks.

    During client authentication, the client signs a hash of the connection handshake transcript with its own certificate. In the case of TLS up to version 1.1 the transcript hash was generated using a combination of MD5 and SHA1, but starting in TLS 1.2 the client and server can negotiate the hashing algorithm based on what they support.

    TLS 1.2 allows stronger hash functions like SHA-256 and SHA-512, but also supports MD5.

    The researchers determined that to find a collision for a client impersonation attack on TLS, the attacker would need to compute 2^39 hashes, which is quite practical and would take several hours on Amazon EC2 instances. In fact, during their proof-of-concept attack, they found the collision in just one hour using a workstation with 48 CPU cores.

    Channel binding with tls-unique is used in SCRAM, the default authentication protocol for XMPP (Extensible Messaging and Presence Protocol); Token Binding, which is designed to protect HTTP cookies and OAuth tokens; and the FIDO universal authentication framework.

    According to Internet scans, 30 percent of HTTPS servers are currently willing to send RSA-MD5 server signatures and are theoretically vulnerable.

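The SHA-1 cutoff in the post above and the MD5 handshake signatures in this comment both come down to which hashes an endpoint still signs with. As an added example (my own stdlib-only code, not from the post or any quoted article), the audit below reads the signature algorithm OID out of a DER certificate and flags MD5/SHA-1 signatures, and parses a TLS 1.2 signature_algorithms list (RFC 5246 hash/signature code points) to list the weak hashes an endpoint advertises. skeleton_cert() is a constructed stand-in that reproduces only the outer Certificate SEQUENCE layout, so the same parser works on a real certificate.

```python
"""Audit X.509 signature hashes and TLS 1.2 signature_algorithms for MD5/SHA-1 (added example)."""
import ssl

WEAK_HASHES = {"md5", "sha1"}

# Certificate signatureAlgorithm OIDs -> (hash, scheme)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5", "rsa"),
    "1.2.840.113549.1.1.5": ("sha1", "rsa"),
    "1.2.840.113549.1.1.11": ("sha256", "rsa"),
    "1.2.840.113549.1.1.12": ("sha384", "rsa"),
    "1.2.840.10045.4.1": ("sha1", "ecdsa"),
    "1.2.840.10045.4.3.2": ("sha256", "ecdsa"),
}
# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, section 7.4.1.4.1)
TLS12_HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
TLS12_SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def cert_signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER Certificate
    (SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    outer, seq_start, _ = _read_tlv(der, 0)
    _, _, tbs_end = _read_tlv(der, seq_start)  # skip tbsCertificate
    alg, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier
    oid, oid_start, oid_end = _read_tlv(der, alg_start)
    if (outer, alg, oid) != (0x30, 0x30, 0x06):
        raise ValueError("not a DER certificate")
    return _decode_oid(der[oid_start:oid_end])

def audit_cert(cert):
    """Accept PEM text or DER bytes; report the signature hash and whether it is weak."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    oid = cert_signature_algorithm(der)
    hash_name, scheme = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return {"oid": oid, "hash": hash_name, "scheme": scheme, "weak": hash_name in WEAK_HASHES}

def weak_tls12_signature_algorithms(ext_body):
    """Parse a signature_algorithms extension body (2-byte length, then hash/sig byte
    pairs) and return the pairs an endpoint advertises with MD5, SHA-1 or no hash."""
    length = int.from_bytes(ext_body[:2], "big")
    pairs = ext_body[2:2 + length]
    weak = []
    for i in range(0, len(pairs) - 1, 2):
        h = TLS12_HASH.get(pairs[i], "unknown")
        s = TLS12_SIG.get(pairs[i + 1], "unknown")
        if h in WEAK_HASHES or h == "none":
            weak.append(f"{h}+{s}")
    return weak

def _der(tag, content):  # minimal DER encoder for the constructed skeleton
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):  # dotted string -> DER OID content bytes
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)

def skeleton_cert(sig_oid):
    """Constructed stand-in with a real Certificate's outer layout: placeholder
    tbsCertificate and signature bits around a genuine AlgorithmIdentifier."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

Feeding audit_cert() the PEM string returned by ssl.get_server_certificate() checks a live server's leaf certificate the same way.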
  3. Tomi Engdahl says:

    Hackers used malware to confuse utility in Ukraine outage – report
    http://www.reuters.com/article/us-ukraine-cybersecurity-attack-idUSKCN0UO00W20160110

    Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack, according to a report analyzing how the incident unfolded.

    The report from Washington-based SANS ICS was released late on Saturday, providing the first detailed analysis of what caused a six-hour outage for some 80,000 customers of Western Ukraine’s Prykarpattyaoblenergo utility.

    SANS ICS, which advises infrastructure operators on combating cyber attacks, also said the attackers crippled the utility’s customer-service center by flooding it with phone calls to prevent customers from alerting the utility that power was down.

    “This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics,”

    Experts widely describe the incident as the first known power outage caused by a cyber attack. Ukraine’s SBU state security service blamed Russia, and U.S. cyber firm iSight Partners identified the perpetrator as a Russian hacking group known as “Sandworm.”

    The utility’s operators were able to quickly recover by switching to manual operations, essentially disconnecting infected workstations and servers from the grid

    “What is now true is that a coordinated cyber attack consisting of multiple elements is one of the expected hazards (electric utilities) may face,”

  4. Tomi Engdahl says:

    Security News This Week: Hacked Toymaker VTech Now Makes Home Monitoring Tech
    http://www.wired.com/2016/01/security-news-this-week-hacked-toymaker-vtech-now-makes-home-monitoring-tech/

    The kids’ electronics manufacturer that was hacked in November expects you to trust its new home monitoring devices

    Last November, a hacker who broke into kids’ gadget maker VTech’s system was able to access names, home addresses, email addresses and passwords of more than 4 million parents and 6 million kids, including tens of thousands of kids’ photos and chats between kids and their parents. Now, VTech is expecting customers to trust it with its new line of home monitoring devices, such as cameras and sensors, all accessible through a single smartphone app that allows parents to check in on their kids and even record video. (Color me skeptical.) Although VTech’s product marketing director told Motherboard that the new products are undergoing penetration testing by a third-party vendor, the company declined to share the specifics.

  5. Tomi Engdahl says:

    FTC Fines Software Vendor Over False Data Encryption Claims
    http://yro.slashdot.org/story/16/01/10/1422236/ftc-fines-software-vendor-over-false-data-encryption-claims

    The US Federal Trade Commission (FTC) has fined a software vendor for lying about its product’s encryption capabilities, despite being publicly warned by US Computer Emergency Readiness Team (CERT) not to do so.

    FTC Fines Software Maker over False Data Encryption Claims
    http://news.softpedia.com/news/ftc-fines-software-maker-over-false-data-encryption-claims-498682.shtml

    The US Federal Trade Commission (FTC) has fined a software vendor for lying about its product’s encryption capabilities, despite being publicly warned by US Computer Emergency Readiness Team (CERT) not to do so.

    In 2012, software vendor Henry Schein released Dentrix G5, a powerful piece of software for helping dentists manage their day-to-day operations.

    In the software’s brochure, Henry Schein said the following: “The database also provides new encryption capabilities that can help keep patient records safe and secure. And of course, encryption plays a key role in your efforts to stay compliant with HIPAA security standards.”
    The software vendor was lying through its teeth

    The HIPAA (Health Insurance Portability and Accountability Act) security standards say that data should be encrypted with top-grade encryption algorithms like AES (Advanced Encryption Standard) and higher. HIPAA also claims that a company that has lost a laptop containing medical information is exempted from reporting a data breach incident to law authorities if the medical data was encrypted (with AES and higher).

    As US-CERT learned in 2013, Henry Schein’s Dentrix G5 did not use minimal HIPAA encryption levels, despite saying so in its brochures, online website, newspaper interviews, and newsletters.

    The US-CERT team issued a public vulnerability note in June 2013, warning Henry Schein customers of the lack of proper encryption in its product. The warning also addressed an issue with a similar software product sold by Faircom, another software maker.

    Henry Schein continued to sell the product using false advertising

    Despite the CERT warning, Henry Schein continued to sell the Dentrix G5 software for another year, until January 2014, claiming to have powerful encryption, compliant with HIPAA security standards.

    Additionally, after the US-CERT warning, the company also failed to inform prior buyers that the software was not actually HIPAA compliant.

  6. Tomi Engdahl says:

    GM’s New Bug Bounty Program Lacks One Thing: A Bounty
    http://developers.slashdot.org/story/16/01/10/1923224/gms-new-bug-bounty-program-lacks-one-thing-a-bounty

    General Motors (GM) has become the latest “old economy” firm to launch a program to entice white hat hackers and other experts to delve into the inner workings of its products in search of security flaws, The Security Ledger reports. “The company launched a bug bounty on January 5th on the web site of Hackerone (https://hackerone.com/gm), a firm that manages bounty programs on top of other firms, promising “eternal glory” to security experts who relay information on “security vulnerabilities of General Motors products and services.” Despite a $47 billion market capitalization, however, GM is not offering monetary rewards – at least not yet.

    GM Launches Bug Bounty Program, Minus the Bounty
    https://securityledger.com/2016/01/gm-launches-bug-bounty-program-minus-the-bounty/

  7. Tomi Engdahl says:

    EU Cookie Law Abused in Clickjacking Campaign
    http://www.securityweek.com/eu-cookie-law-abused-clickjacking-campaign

    Cybercriminals are abusing a European law on the use of web Browser cookies to trick users into clicking on a fake notification alert that actually hides a legitimate advertisement.

    The EU Directive was adopted in May 2011, when the European Parliament required that users be provided with the possibility to refuse the use of cookies. As a result, website owners are required to display a notification on their sites to inform visitors from the European Union region that cookies are used, with some sites actually displaying these notifications to people coming from all regions.

    The cookie law was based on the idea that cookies reduce the online privacy of users, as they store information on people’s web browsing habits. While some of these cookies make the browsing experience more personal, they can also collect data across many websites to create ‘behavioral profiles’ of people.

    Based on the Cookie Law, which was designed to protect users’ online privacy

    As Malwarebytes’ Jérôme Segura explains in a blog post, the fake notification alerts used in this campaign actually hide a legitimate advertisement. Thus, the cybercriminals are abusing both the advertiser and the ad network that is hosting the ad.

    Clickjacking Campaign Plays on European Cookie Law
    https://blog.malwarebytes.org/fraud-scam/2016/01/clickjacking-campaign-plays-on-european-cookie-law/

  8. Tomi Engdahl says:

    You say advertising, I say block that malware
    http://www.engadget.com/2016/01/08/you-say-advertising-i-say-block-that-malware/

    Forbes asked readers to turn off ad blockers then immediately served them pop-under malware.

    The real reason online advertising is doomed and adblockers thrive? Its malware epidemic is unacknowledged, and out of control.

    The Forbes 30 Under 30 list came out this week and it featured a prominent security researcher. Other researchers were pleased to see one of their own getting positive attention, and visited the site in droves to view the list.

    One researcher commented on Twitter that the situation was “ironic” — and while it’s certainly another variant of hackenfreude, ironic isn’t exactly the word I’d use to describe what happened.

    That’s because this situation spotlights what happened in 2015 to billions — yep, billions — of people who were victims of virus-infected ads which were spread via ad networks like germs from a sneeze across the world’s most popular websites.

    Less than a month ago, a bogus banner ad was found serving malvertising to visitors of video site DailyMotion. After discovering it, security company Malwarebytes contacted the online ad platform the bad ad was coming through, Atomx. The company blamed a “rogue” advertiser on the WWPromoter network.

    It was estimated the adware broadcast through DailyMotion put 128 million people at risk. To be specific, it was from the notorious malware family called “Angler Exploit Kit.” Remember this name, because I’m pretty sure we’re going to be getting to know it a whole lot better in 2016.

    Last August, Angler struck MSN.com with — you guessed it — another drive-by malvertising campaign. It was the same campaign that had infected Yahoo visitors back in July (an estimated 6.9 billion visits per month, it’s considered the biggest malvertising attack so far).

    It’s crazy to consider what a perfect marriage this is, between the advertisers and the criminals pushing the exploit kits. They have a lot in common.

    Both try to trick us into giving them something we don’t want to.

    It actually makes business sense to think about malware attacks like an advertiser. You want to deliver your infection to, and scrape those dollars from, every little reader out there. You need a targeted delivery system, with the widest distribution, and as many clueless middlemen as possible.

    It’s easy to want to blame Reader’s Digest, or Yahoo, or Forbes, or Daily Mail, or any of these sites for screwing viewers by serving them malicious ads and not telling them, or not helping them with the cleanup afterward. And it’s a hell of a lot easier when they’ve compelled us to turn off our ad blockers to simply see what brought us to their site.

    But the problem is coming through them, from the ad networks themselves.

    So, to my friend on the Forbes 30 Under 30 list — a malware researcher, which I’ll concede is actually ironic — I’m sorry I won’t be seeing your time in that particular spotlight.

  9. Tomi Engdahl says:

    Cutting Through the Noise: How to Manage a Large Volume of Cyber Alerts
    http://www.securityweek.com/cutting-through-noise-how-manage-large-volume-cyber-alerts

    As we have seen with cases like the Target breach, failure to adequately investigate and effectively react to security alerts can have devastating consequences for businesses and customers. Security professionals today have to deal with an escalating number of risk alerts to better manage and prioritize alerts and their response to them.

    This is a growing concern for many organizations as the volume of security alerts is frequently the prevailing factor in high-profile data breaches. Alerts can number in the thousands, or tens of thousands, a month. According to a survey by International Data Corporation (IDC), 37 percent of cyber security professionals reported facing 10,000 alerts per month of which 52 percent are false positives. The end result is a swamped staff.

    But despite the overwhelming volumes, staff can cut through the noise and better-manage cyber security alerts by:

    Refresh Staff – On a given day, cyber security professionals are vastly outnumbered by alerts. A business with three full-time personnel can face 300 alerts a day, the IDC study found, also noting more than 35 percent of companies spend 500 hours a month responding to alerts. It’s little wonder cyber security staffs are exhausted—which is exactly what cyber criminals are counting on. Simply hiring more people to manage the ever increasing volumes is not a solution.
    Instead, build a better-organized team of rotating, rested personnel to prevent fatigue against alert volume.

    Behavioral Analysis – Analytics that detect but do not prioritize alerts, are giving way to big data, behavioral analytics-based threat detection and cyber defenses that help staff prioritize by utilizing more operationalized intelligence.

    Automate and Streamline Responses – Operationalizing cyber response is critical in an environment in which, according to the same IDC survey, more than 40% of cyber security professionals still review alerts manually. Security personnel have many competing priorities, including analyzing alerts. Limit analysts to judging alerts and defending the company, not responding to them. Response is better handled either by your infrastructure team or by a separate incident response team that has well-thought-through remediation plans for different types of attacks.

    As the number of cyber attacks increases exponentially and these attacks become more complex, the volume of alerts facing today’s cyber professionals will only continue to grow. To effectively manage cyber security alert volume, rethink everything about cyber security.

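Added example, not code from the SecurityWeek article or from this blog: a small alert-triage pipeline over constructed alert records that puts the three points in the comment above into code. It cuts volume before an analyst sees it (merging duplicates and suppressing known false positives), prioritises with behavioural and asset context, and routes routine alert types to a response-team playbook so analysts only judge. Every host name, rule name, score and alert below is constructed.

```javascript
// Added example (not from the article or the blog). All data here is constructed.

// Hypothetical asset inventory: how much an alert on this host matters (1..3).
const ASSET_CRITICALITY = {
  'db-prod-01': 3,
  'web-prod-02': 2,
  'dev-laptop-17': 1,
};

// Tuning list: rule|host pairs an analyst has already judged benign (constructed).
const KNOWN_FALSE_POSITIVES = new Set(['backup-agent-beacon|db-prod-01']);

// Routine alert types a response team can handle from a written playbook.
const AUTOMATED_PLAYBOOKS = {
  'brute-force-ssh': 'block-source-ip',
  'malware-signature': 'isolate-host',
};

// Constructed sample: alerts as a detector might emit them in one morning.
// anomaly is a 0..100 score from a (hypothetical) behavioural-analytics stage.
const SAMPLE_ALERTS = [
  { ts: '2016-01-11T08:00:01Z', rule: 'brute-force-ssh', host: 'web-prod-02', severity: 2, anomaly: 20 },
  { ts: '2016-01-11T08:00:07Z', rule: 'brute-force-ssh', host: 'web-prod-02', severity: 2, anomaly: 20 },
  { ts: '2016-01-11T08:00:15Z', rule: 'brute-force-ssh', host: 'web-prod-02', severity: 2, anomaly: 20 },
  { ts: '2016-01-11T08:05:00Z', rule: 'backup-agent-beacon', host: 'db-prod-01', severity: 1, anomaly: 5 },
  { ts: '2016-01-11T09:12:44Z', rule: 'unusual-admin-login', host: 'db-prod-01', severity: 3, anomaly: 90 },
  { ts: '2016-01-11T09:30:02Z', rule: 'malware-signature', host: 'dev-laptop-17', severity: 3, anomaly: 10 },
  { ts: '2016-01-11T10:01:19Z', rule: 'unusual-admin-login', host: 'dev-laptop-17', severity: 3, anomaly: 30 },
];

// Merge duplicates (same rule on the same host) and drop known false positives.
function reduceVolume(alerts) {
  const merged = new Map();
  let suppressed = 0;
  for (const a of alerts) {
    const key = `${a.rule}|${a.host}`;
    if (KNOWN_FALSE_POSITIVES.has(key)) { suppressed += 1; continue; }
    const existing = merged.get(key);
    if (existing) { existing.count += 1; existing.lastSeen = a.ts; }
    else merged.set(key, { ...a, count: 1, firstSeen: a.ts, lastSeen: a.ts });
  }
  return { merged: [...merged.values()], suppressed };
}

// Priority = severity x asset criticality x (100 + anomaly); integers on purpose.
function score(alert) {
  const crit = ASSET_CRITICALITY[alert.host] || 1;
  return alert.severity * crit * (100 + alert.anomaly);
}

// Full triage: merged alerts sorted by priority, each routed to a queue.
function triage(alerts) {
  const { merged, suppressed } = reduceVolume(alerts);
  const prioritized = merged
    .map((a) => {
      const playbook = AUTOMATED_PLAYBOOKS[a.rule] || null;
      return { ...a, score: score(a), playbook, queue: playbook ? 'response-team' : 'analyst' };
    })
    .sort((x, y) => y.score - x.score);
  return { raw: alerts.length, suppressed, prioritized };
}

const result = triage(SAMPLE_ALERTS);
console.log(`${result.raw} raw alerts -> ${result.prioritized.length} after merging, ${result.suppressed} suppressed`);
for (const a of result.prioritized) {
  console.log(`${String(a.score).padStart(5)}  ${a.queue.padEnd(13)} ${a.rule} on ${a.host} (x${a.count})`);
}
```

On the constructed sample, seven raw alerts become four, the single admin-login anomaly on the production database sorts to the top, and the two alert types with a playbook go to the response team rather than the analyst queue. The score formula is deliberately simple; the point is that asset and behaviour context, not raw alert count, decides what an analyst looks at first.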
  10. Tomi Engdahl says:

    Edward Snowden speaks at Consumer Electronics Show disguised as a robot
    http://www.theguardian.com/technology/2016/jan/07/slug-edward-snowden-ces-future-robot-suitable-technology-beam

    The whistleblower made a virtual appearance at Las Vegas tech convention through Suitable’s Beam, a screen-on-wheels robot with subversive potential

    There are lots of people pitching fancy gadgets at the Consumer Electronics Show this week here. Add to that list: Edward Snowden.

    The former National Security Agency contractor, famous for handing over western government secrets to the Guardian and other publications, made a virtual appearance at the Suitable Technologies booth here. This was possible because Snowden was speaking from Suitable’s Beam, a sort of roaming screen on wheels used for remote commuting and virtual meetings.

    But Beam isn’t just another piece of office technology, Snowden said. Rather, it can be used to subvert governments.

    “This is the power of Beam, or more broadly the power of technology,” he said in an onstage interview with Peter Diamandis, a Silicon Valley entrepreneur. “The FBI can’t arrest a robot.”

    Snowden’s lawyer, Ben Wizner with the American Civil Liberties Union, said in an email that his client wasn’t compensated for the event, which Suitable confirmed. “But he has benefited from the technology,” Wizner said.

  11. Tomi Engdahl says:

    Bruce Schneier / CNN:
    How algorithmic systems to score humans like FICO and China’s Sesame Credit can lead to social control, and some possible remedies to this problem

    The risks — and benefits — of letting algorithms judge us
    http://edition.cnn.com/2016/01/06/opinions/schneier-china-social-scores/

    China is considering a new “social credit” system, designed to rate everyone’s trustworthiness. Many fear that it will become a tool of social control — but in reality it has a lot in common with the algorithms and systems that score and classify us all every day.

    Human judgment is being replaced by automatic algorithms, and that brings with it both enormous benefits and risks. The technology is enabling a new form of social control, sometimes deliberately and sometimes as a side effect. And as the Internet of Things ushers in an era of more sensors and more data — and more algorithms — we need to ensure that we reap the benefits while avoiding the harms.

    Right now, the Chinese government is watching how companies use “social credit” scores in state-approved pilot projects. The most prominent one is Sesame Credit, and it’s much more than a financial scoring system.

    Citizens are judged not only by conventional financial criteria, but by their actions and associations. Rumors abound about how this system works.

  12. Tomi Engdahl says:

    Confirmation of a Coordinated Attack on the Ukrainian Power Grid
    https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid

    After analyzing the information that has been made available by affected power companies, researchers, and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine. The SANS ICS team has been coordinating ongoing discussions and providing analysis across multiple international community members and companies. We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a coordinated intentional attack.

    The attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers, cause undesirable state changes to the distribution electricity infrastructure, and attempt to delay the restoration by wiping SCADA servers after they caused the outage. This attack consisted of at least three components: the malware, a denial of service to the phone systems, and the missing piece of evidence of the final cause of the impact. Current evidence and analysis indicates that the missing component was direct interaction from the adversary and not the work of malware. Or in other words, the attack was enabled via malware but consisted of at least three distinct efforts.

  13. Tomi Engdahl says:

    Marco Rubio: We Need To Add To US Surveillance Programs
    http://politics.slashdot.org/story/16/01/11/1541256/marco-rubio-we-need-to-add-to-us-surveillance-programs

    The debate over surveillance hit the 2016 race for the White House again on Sunday when Republican presidential candidate Marco Rubio said he wants to add to American surveillance programs, many of which were created after 9/11. He invoked a recent shooting of a Philadelphia police officer by a man who allegedly pledged allegiance to the Islamic State. “This is the kind of threat we now face in this country,” Rubio said. “We need additional tools for intelligence.”

    Marco Rubio: We need to add to U.S. surveillance programs
    http://www.dailydot.com/politics/marco-rubio-freedom-act-surveillance/

    Republican presidential candidate Marco Rubio wants to add to American surveillance programs, many of which were created after 9/11 and curtailed in 2015’s USA Freedom Act.

    Rubio, speaking Sunday on ABC, redoubled his attacks against Sen. Ted Cruz (R-Texas), who supported the Freedom Act.

    “We are now at a moment in this country where we don’t just need to keep the authorities we already have, we need to add to these programs,” Rubio argued.

    Early last year, Rubio said he wanted to permanently extend National Security Agency (NSA) mass surveillance. In the wake of terrorist attacks in Paris, California, and around the world, Rubio’s position now is to not only extend the NSA’s mass surveillance but to expand it. However, he didn’t offer specifics on what programs he would expand or which tools he would add to the American intelligence arsenal.

  14. Tomi Engdahl says:

    Data centre outfit Interxion admits to contact detail security breach
    Chill, the ‘vulnerability’ has been fixed, people informed
    http://www.theregister.co.uk/2016/01/11/interxion_security_breach/

    A security breach at European data centre firm Interxion has exposed the contact details of thousands of its customers, although no financial information is thought to be involved.

    Neither credit card details nor customer services were affected by last month’s security snafu, and only Interxion’s CRM system was affected, as the carrier-neutral colocation provider explained in an email to customers last weekend.

    A total of 23,200 customer records held on Interxion’s CRM have potentially been exposed by what the firm characterises as a vulnerability rather than a configuration error.

  15. Tomi Engdahl says:

    ICO: You call that a sentence? Courts need power to hit data thieves harder
    Tooth-poor watchdog points out weakness of court
    http://www.theregister.co.uk/2016/01/11/ico_moans_courts_must_issue_tougher_sentences_on_data_thieves/

    Blighty’s data watchdog has moaned that the UK’s courts need greater powers to impose penalties on data thieves after a woman was slapped with a £1,000 fine for flogging 28,000 customer records for £5,000.

    She pleaded guilty to unlawfully obtaining, disclosing and selling personal data, a criminal offence under section 55 of the Data Protection Act.

    “This fine highlights the limited options the courts have. Sindy Nagra got £5,000 in cash in return for stealing thousands of people’s information.”

  16. Tomi Engdahl says:

    NVIDIA GPUs give smut viewed incognito a second coming
    Diablo black loading screen swapped out for flesh-fest
    http://www.theregister.co.uk/2016/01/11/nvidia_gpus_break_chrome_incognito_mode/

    Canadian student hacker Evan Andersen says NVIDIA graphics cards retain content users would rather not be preserved, such as the material appearing in web pages viewed in the supposedly-private “incognito mode” offered by Google’s Chrome browser.

    The flaws were reported to NVIDIA and Google in 2014; the former did not respond while the Chocolate Factory marked the bug as won’t fix.

    Andersen found the flaw when an “adult entertainment” video he watched re-appeared on his screen as he loaded the game Diablo III.

    The hacker hypothesises the second coming of his preferred smut came about thanks to a bug in NVIDIA drivers that means its GPUs’ memory isn’t cleared, handing over content between apps.

    “Since it wasn’t erased, it still contained the previous contents. Since Diablo doesn’t clear the buffer itself – as it should – the old incognito window was put on the screen again.”

    Andersen wrote an app to scan GPU memory for non-zero pixels and managed to perfectly reproduce a Reddit page.

    He considers the bug a “serious problem” for users of shared computers that could be fixed easily.

  17. Tomi Engdahl says:

    Foreign crime gangs have stolen up to £10million after hacking emails of house buyers and sellers and asking for some funds to be redirected on completion day

    National Fraud Intelligence Bureau recorded 91 victims of fraud last year
    Average conveyancing fraud gives criminals more than £122,000
    Police believe overseas gangs using malware to hack email are to blame

    Read more: http://www.dailymail.co.uk/news/article-3392469/Foreign-crime-gangs-stolen-10million-hacking-emails-house-buyers-sellers-asking-funds-redirected-completion-day.html#ixzz3wxRelgRi

  18. Tomi Engdahl says:

    Hacking Online Reviews
    http://hackaday.com/2016/01/11/hacking-online-reviews/

    For this post, I want to return the word hacking to its nefarious definition. We prefer the kinder definition of a hacker as someone who creates or modifies things to fit some purpose or to improve its function. But a hacker can also be someone who breaks into computer systems or steals phone service or breaks encryption.

    Positive and Negative Reviews

    In the case of online reviews, you have several competing interests. The value of positive reviews to my product is pretty obvious. A little less obvious is the value of negative reviews for my competitors. This goes on more than you might think.

    One thing is for certain: cyberspace crime and physical world crime are closely related. We’ve had breaking and entering, fraud, scams, and everything else way before we had computers. Nothing so far has stopped all crime, so it is unlikely we’ll squelch all computer-based shady activity, including review tampering. However, just because bolt cutters will open a padlock doesn’t mean you don’t padlock your shed. We just need more tools to help people make informed decisions about the validity of things they read online.

  19. Tomi Engdahl says:

    Security is the responsibility of the company management: “Enough straightforward tools”

    Corporate security should be the responsibility of corporate management, assesses the security company Deltagon. Good practices and tools reduce human risks related to information security.

    A Finnish employee is generally committed to their work and the work ethic is high. Employees want to do the right thing, but the management is responsible for creating insecure practices and for ensuring that authors are effective instruments of data protection, the company estimated in a statement.

    Most people, for example, take the protection of their medical data very seriously. The employer’s confidential information is treated rather less prudently.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-02-11/Tietoturva-on-yritysjohdon-vastuulla-Tarpeeksi-suoraviivaisia-v%C3%A4lineit%C3%A4-3215577.html

  20. Tomi Engdahl says:

    Disabling Java Plugins
    https://www.f-secure.com/en/web/labs_global/disabling-java-plugins

    Many security researchers and national computer security organizations caution users to limit their usage of the Java Runtime Environment (JRE), unless required for business reasons, or to remove it entirely, including disabling Java plug-ins in web browsers.

    Listed below are instructions for disabling Java plug-ins or add-ons in common web browsers ( based on the advice given by the US-CERT Vulnerability Note VU#636312).

  21. Tomi Engdahl says:

    THREAT DESCRIPTIONS
    Technical details and removal instructions for malicious threats identified by Labs
    https://www.f-secure.com/en/web/labs_global/threat-descriptions

  22. Tomi Engdahl says:

    Justin Jouvenal / Washington Post:
    Some police forces score citizens’ threat level with Intrado’s Beware software based on your medical, criminal history, and social media posts

    The new way police are surveilling you: Calculating your threat ‘score’
    https://www.washingtonpost.com/local/public-safety/the-new-way-police-are-surveilling-you-calculating-your-threat-score/2016/01/10/e42bccac-8e15-11e5-baf4-bdf37355da0c_story.html

    FRESNO, Calif. — While officers raced to a recent 911 call about a man threatening his ex-girlfriend, a police operator in headquarters consulted software that scored the suspect’s potential for violence the way a bank might run a credit report.

    The program scoured billions of data points, including arrest reports, property records, commercial databases, deep Web searches and the man’s social-media postings. It calculated his threat level as the highest of three color-coded scores: a bright red warning.

    The man had a firearm conviction and gang associations, so out of caution police called a negotiator. The suspect surrendered, and police said the intelligence helped them make the right call — it turned out he had a gun.

    As a national debate has played out over mass surveillance by the National Security Agency, a new generation of technology such as the Beware software being used in Fresno has given local law enforcement officers unprecedented power to peer into the lives of citizens.

    Police officials say such tools can provide critical information that can help uncover terrorists or thwart mass shootings, ensure the safety of officers and the public, find suspects, and crack open cases. They say that last year’s attacks in Paris and San Bernardino, Calif., have only underscored the need for such measures.

  23. Tomi Engdahl says:

    Austin Carr / Fast Company:
    Tinder says it calculates a desirability rating for all users based on swipe data, used internally to facilitate better matches — I Found Out My Secret Internal Tinder Rating And Now I Wish I Hadn’t — The dating app uses data to give every user a desirability rating.

    I Found Out My Secret Internal Tinder Rating And Now I Wish I Hadn’t
    http://www.fastcompany.com/3054871/whats-your-tinder-score-inside-the-apps-internal-ranking-system

    The dating app uses data to give every user a desirability rating. Here’s how it works—and what happened when I discovered my number.

    How desirable are you on Tinder? You might not realize it, but anyone who’s used the popular dating app is assigned an internal rating: a score calculated by the company that ranks the most (and least) desirable people swiping on the service. The scores are not available to the public, but Tinder recently granted me access to my own—and I’ve regretted learning it ever since.

    Referred to inside the company as an “Elo score,” a term the chess world uses to rank player skill levels, Tinder’s rating system helps it parse its user base in order to facilitate better matches.

    He doesn’t go into too much detail, but it’s easy to imagine how many data points could make up your “desirability” score. How many people who you swipe right on, swipe right too? How many don’t? Do you include education and career information in your profile? And so on.

    It’s not uncommon for technology companies to give their users ratings these days, and for good reason. In the gig economy, both customers and service providers now score each other with review systems that help platforms like Airbnb, TaskRabbit, and Lyft weed out bad actors. Drivers on Uber, for example, rate their passengers on a scale of one to five, a rating the ride-sharing company recently made accessible to its users. It can be jarring to look up your own score, as if it’s a proxy for how friendly or polite you are.

    It’s a vague number to process, but I knew I didn’t like hearing it. Something about “upper end of average” didn’t exactly do wonders for my ego.

  24. Tomi Engdahl says:

    Google security researcher excoriates TrendMicro for critical AV defects
    “I don’t even know what to say,” exasperated researcher tells TrendMicro official.
    http://arstechnica.com/security/2016/01/google-security-researcher-excoriates-trendmicro-for-critical-av-defects/

    Antivirus provider TrendMicro has released an emergency product update that fixes critical defects that allow attackers to execute malicious code and to view contents of a password manager built in to the malware protection program. The release came after a Google security researcher publicly castigated a TrendMicro official for the threat.

    Details of the flaws became public last week after Tavis Ormandy, a researcher with Google’s Project Zero vulnerability research team, published a scathing critique disclosing the shortcomings. While the code execution vulnerabilities were contained in the password manager included with the antivirus package, they could be maliciously exploited even if end users never make use of the password feature. Those who did use it were also susceptible to hacks that allowed attackers to view hashed passwords and the plaintext Internet domains they belonged to.

    “I don’t even know what to say—how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?” Ormandy wrote in an exchange with a TrendMicro official. “You need to come up with a plan for fixing this right now. Frankly, it also looks like you’re exposing all the stored passwords to the internet, but let’s worry about that screw up after you get the remote code execution under control.”

    TrendMicro node.js HTTP server listening on localhost can execute commands
    https://code.google.com/p/google-security-research/issues/detail?id=693

  25. Tomi Engdahl says:

    Finnish security research gets a million

    A Finnish research consortium has received funding of EUR 956,000 to improve security at work. It is associated with security management operations research.

    The beneficiary is the research consortium led by Mikko Siponen, professor of Information Systems Science at the University of Jyväskylä and a leader in computer sciences. The money will come through Tekes, the European Regional Development Fund.

    The aim of the research project is a new method for security management.

    “In the right places and when used correctly, these solutions are good, but the premise of improving the organization’s information security cannot be indiscriminately merchandise. Few people, for example, start a building construction project by purchasing windows from a hardware store prospectus without construction drawings. The same applies to the improvement of security. Good planning is the basis of everything,” emphasizes Professor Siponen in the release.

    Nonetheless, previous research or practitioners have not developed a systematic and scientifically verified method for the preparation of the information security policy.

    “Organizations are different, which means that their protection needs are different. Therefore, the information security policy should be developed and maintained with a scientifically tested method, with the capacity to design a suitable organization-specific security policy for each.”

    Source: http://www.tivi.fi/Kaikki_uutiset/suomalaiselle-tietoturvatutkimukselle-miljoonapotti-6244502

  26. Tomi Engdahl says:

    602 Gbps! This May Have Been the Largest DDoS Attack in History
    Friday, January 08, 2016 Swati Khandelwal
    http://thehackernews.com/2016/01/biggest-ddos-attack.html?m=1

    Cyber attacks are getting more evil and are the worst nightmare for companies day by day, and the Distributed Denial of Service (DDoS) attack is one of the favorite weapons for hackers to temporarily suspend services of a host connected to the Internet.

    Until now, nearly every big website had been a victim of this attack, and the most recent one was conducted against the BBC’s websites and Republican presidential candidate Donald Trump’s main campaign website over this past holiday weekend.

    Out of the two, the largest DDoS attack in history was carried out against the BBC website: over 600 Gbps.

    Largest DDoS Attack in History

    The group calling itself New World Hacking claimed responsibility for taking down both the BBC’s global website and Donald Trump’s website last week.

    One of the members of the New World Hacking group, who identified himself as Ownz, claimed that the group allegedly used their own tool called BangStresser to launch a DDoS attack of up to 602 Gbps on the BBC’s website.

    vastly surpass the largest DDoS attack record of 334 Gbps, recorded by Arbor Networks last year.

    The recent massive DDoS attack apparently utilizes two Amazon Web Services servers that employ a large number of automated detection and mitigation techniques in order to prevent the misuse of the services, Amazon previously claimed.

    “We have our ways of bypassing Amazon,” said Ownz. “The best way to describe it is we tap into a few administrative services that Amazon is use to using. The [sic] simply set our bandwidth limit as unlimited and program our own scripts to hide it.”

    Ownz claimed that their main purpose behind the development of the BangStresser DDoS tool is to unmask ISIS and possibly end its online propaganda.

    “We have been taking down ISIS websites in the past,” said Ownz, “this is just the start of a new year.”

  27. Tomi Engdahl says:

    Hackers Install Free SSL Certs from Let’s Encrypt On Malicious Web Sites
    Wednesday, January 06, 2016 Swati Khandelwal
    http://thehackernews.com/2016/01/free-ssl-certificate-malware.html

    Who else didn’t see this coming?

    It was so obvious, as I stressed earlier, that the Let’s Encrypt free HTTPS certificates would not just help legitimate website operators to encrypt their users’ traffic, but also help criminals to bother innocent users with malware through secure sites.

    Let’s Encrypt allows anyone to obtain free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates for their web servers that encrypt all the Internet traffic passed between a server and users.

    Let’s Encrypt is recognized by all major browsers, including Google’s Chrome, Mozilla’s Firefox and Microsoft’s Internet Explorer.

    The organization started offering free HTTPS certs to everyone last month, and it is very easy for anyone to set up an HTTPS website in a few simple steps.

    However, the most bothersome part is that Let’s Encrypt free SSL certs are not only used by website owners to secure their users’ connections but also abused by cyber criminals to spread malware onto computers.

    Malvertising is a technique of using Web ads to spread malware. By stealthily inserting malicious advertisements on legitimate websites, malware authors can redirect users to malicious sites to deliver a malware payload with the help of an exploit kit.

    For a long time, malware authors purchased stolen SSL certificates from the underground market and deployed them in their malvertising campaigns.

    With the launch of Let’s Encrypt free SSL certificates, malware authors don’t even have to pay for SSL certificates anymore, and can request one for free instead.

    The issue is Let’s Encrypt only checks the main domain against Google’s Safe Browsing API to see if a domain for which an SSL certificate is requested has been flagged for malware or phishing.

    However, Let’s Encrypt never checks for shadow domains like in this case, in which authors of the malvertising campaign easily requested and got approved for a Let’s Encrypt certificate.

    Moreover, Let’s Encrypt has a policy not to revoke certificates.

    How can You Prevent Yourself From Such Attacks?

    Trend Micro has reached out to both the Let’s Encrypt project, and the legitimate domain’s owner to notify them about the malvertising campaign.

    And Here’s your take:

    Users should be aware that a ‘secure’ website is not always or necessarily a safe website, and the best defense against exploit kits is still an easy go, i.e.:

    Always keep your software up-to-date to minimize the number of vulnerabilities that may be exploited by cyber criminals.

    For online advertisement brokers, an approach would be to implement internal controls to stop malicious advertisements.

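Added example, not code from The Hacker News article, from Trend Micro or from Let’s Encrypt: it puts the two checks discussed above side by side. The first looks up only the “main domain” of a requested name against a flagged-names list, which is the behaviour the comment describes; the second looks up the exact name requested and every parent of it, so a shadow subdomain of an otherwise clean site is caught. The flagged list is constructed, the public-suffix handling is simplified (an assumption noted in the code), and the function names are mine.

```javascript
// Added example (not from the article, Trend Micro or Let's Encrypt). Data is constructed.

// Constructed reputation data: names a reputation service has flagged.
const FLAGGED = new Set([
  'ads.legit-site.example',    // a "shadow" subdomain of an otherwise clean site
  'malvertising.example.net',  // a whole domain flagged for malware
]);

// Normalise a hostname: lower-case, strip a trailing dot and a "*." wildcard label.
function normalise(hostname) {
  let h = hostname.trim().toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  if (h.startsWith('*.')) h = h.slice(2);
  return h;
}

// 'a.b.example' -> ['a.b.example', 'b.example', 'example']
function suffixes(hostname) {
  const labels = normalise(hostname).split('.');
  return labels.map((_, i) => labels.slice(i).join('.'));
}

// The weak check: approximate the "main domain" as the last two labels and look
// up only that. Assumption: no Public Suffix List handling; a real implementation
// would use it, which does not change the weakness shown here.
function flaggedMainDomainOnly(hostname) {
  const labels = normalise(hostname).split('.');
  const main = labels.slice(-2).join('.');
  return FLAGGED.has(main);
}

// The stricter check: refuse if the requested name or any parent of it is flagged.
function flaggedAnywhere(hostname) {
  return suffixes(hostname).some((s) => FLAGGED.has(s));
}

// Decision an issuance pipeline could make for every name in a certificate request.
function issuanceDecision(names, check) {
  const blocked = names.filter(check);
  return { issue: blocked.length === 0, blocked };
}

// Constructed request: the shadow subdomain plus the site's ordinary hostname.
const REQUEST = ['ads.legit-site.example', 'www.legit-site.example'];
console.log('main-domain check:', issuanceDecision(REQUEST, flaggedMainDomainOnly));
console.log('any-suffix check: ', issuanceDecision(REQUEST, flaggedAnywhere));
```

With the constructed request, the main-domain check issues the certificate because `legit-site.example` itself is clean, while the any-suffix check blocks it on the flagged `ads.legit-site.example` name and leaves `www.legit-site.example` untouched. The same suffix walk also catches a new hostname under an already flagged parent domain.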
  28. Tomi Engdahl says:

    Computer hacking game aimed at schools
    http://newsleads.com.au/education/2016/01/11/computer-hacking-game-aimed-at-schools/

    A version of a PC game that has players fill the shoes of a computer hacker is being developed for use as a training tool in schools and workplaces.

    Hacknet was released in August 2015 and has already achieved more than 100,000 downloads on internet-based distribution platform Steam.

    Its creator Matt Trobbiani, a 25-year-old University of Adelaide computer science graduate, said he did not focus on Hacknet’s educational benefits when developing the game.

    “It turns out that US Pacific Command’s cyber warfare division already buys Hacknet and runs all their new recruits through it – it’s a big deal and I originally had no idea that this was something really very valuable at all,” Trobbiani said.

    “It’s got a really good base for putting it into high schools or training courses for businesses and military programs, it just teaches this baseline technical competence and confidence.

    “Everyone who’s gone through the game is less scared of computers and much more prepared to deal with technical problems in a sensible way – they know how to use a terminal, they know the basics of computer security, they know fundamental skills that I think if everyone knew then the world would be a much safer place, especially online.

  29. Tomi Engdahl says:

    Project Zero accuses Trend Micro of shipping security problems to customers
    That’s kinda the opposite of what it’s supposed to do
    http://www.theinquirer.net/inquirer/news/2441450/project-zero-accuses-trend-micro-of-shipping-security-problems-to-customers

    SECURITY OUTFIT Trend Micro has been accused of serving its customers a treat in the form of a virus threat because of some poor housekeeping.

    Trend Micro and its customers’ problems have been discussed in the news and on the Google Code thread.

    According to the group, Trend Micro has installed a wide-open Node.js server by default on its customers’ computers, and apparently made some efforts to hide this. Project Zero is not having that.

    “When you install Trend Micro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup,” said Ormandy on the Google Security Research forum.

    “This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands.”

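Added example, not Trend Micro’s code and not from the Project Zero report; it illustrates the pattern behind the finding quoted in this comment and in comment 24 above: a local HTTP RPC endpoint whose “open this URL” parameter reaches a shell-execute call unchecked, shown next to a hardened handler. Neither version launches anything; each returns the action it would take, so the difference is visible without side effects. The allowed origin, the session token value and the header name are constructed placeholders.

```javascript
// Added example (not the vendor's code). Origin, token and header names are constructed.

// Only the vendor's own UI origin may call the local RPC (hypothetical origin).
const ALLOWED_ORIGINS = new Set(['https://ui.vendor.example']);

// A per-session secret the UI learns out of band; a random web page cannot guess it.
// Constructed constant here; a real product would generate it at startup.
const SESSION_TOKEN = 'constructed-session-token-0123456789';

// Constant-time comparison so the token check does not leak a prefix by timing.
function tokenMatches(candidate) {
  if (typeof candidate !== 'string' || candidate.length !== SESSION_TOKEN.length) return false;
  let diff = 0;
  for (let i = 0; i < SESSION_TOKEN.length; i++) {
    diff |= candidate.charCodeAt(i) ^ SESSION_TOKEN.charCodeAt(i);
  }
  return diff === 0;
}

// Insecure shape: any caller, any string, straight through to "launch".
// This is the pattern to avoid; it is here only for contrast.
function insecureOpenUrl(params) {
  return { status: 200, action: { launch: params.url }, reason: 'unchecked' };
}

// Accept only absolute http(s) URLs; a bare path or executable name, a file: URL
// or a javascript: URL is rejected before it can reach any launcher.
function validateBrowserUrl(raw) {
  if (typeof raw !== 'string') return null;
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Hardened handler: origin allow-list, session token, then strict URL validation.
function secureOpenUrl(headers, params) {
  const origin = headers.origin; // Node lower-cases incoming header names
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, action: null, reason: 'origin not allowed' };
  if (!tokenMatches(headers['x-session-token'])) return { status: 401, action: null, reason: 'bad token' };
  const href = validateBrowserUrl(params.url);
  if (!href) return { status: 400, action: null, reason: 'not an http(s) URL' };
  return { status: 200, action: { launch: href }, reason: 'ok' };
}

// Server wrapper for the hardened handler; bind it to loopback only. Not started here.
function createRpcServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    let body = '';
    req.on('data', (chunk) => { body += chunk; });
    req.on('end', () => {
      let params = {};
      try { params = JSON.parse(body || '{}'); } catch (e) { /* malformed body: treat as empty */ }
      const result = secureOpenUrl(req.headers, params);
      res.writeHead(result.status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify({ reason: result.reason, action: result.action }));
    });
  });
}
// Usage: createRpcServer().listen(49152, '127.0.0.1');

console.log('insecure:', insecureOpenUrl({ url: 'not-a-url' }));
console.log('secure, no origin:', secureOpenUrl({}, { url: 'https://example.org/' }));
console.log('secure, ok:', secureOpenUrl(
  { origin: 'https://ui.vendor.example', 'x-session-token': SESSION_TOKEN },
  { url: 'https://example.org/' }));
```

Binding to 127.0.0.1 alone does not help against this class of bug, because the request comes from the user’s own browser; that is why the handler checks the browser-supplied `Origin` header, a secret the page cannot know, and the URL scheme, and fails closed when any of them is missing.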
  30. Tomi Engdahl says:

    Intel admits to Skylake bug that freezes Windows and Linux systems
    Could affect industries that rely on complex computational workloads
    http://www.theinquirer.net/inquirer/news/2441458/intel-admits-to-skylake-bug-that-freezes-windows-and-linux-systems

    INTEL HAS ADMITTED that its latest 6th-generation Core Skylake processors are suffering from a bug that can cause computer systems to freeze.

    The bug, which doesn’t yet have a name, was uncovered by German computing community Hardwareluxx.de, and is said to occur in Windows and Linux when the system needs to perform complex workloads.

    It was later confirmed by software project group the Great Internet Mersenne Prime Search (GIMPS), which conducted more tests before presenting its findings to the big boys at Intel.

    Nevertheless, Intel has already developed a fix for the problem and is apparently working with hardware partners to distribute it via a BIOS update. Even so, it is likely to be a bit of a headache for the firm, as its client computing group posted Q3 2015 revenue of $8.5bn, down seven percent year over year.

    Reply
  31. Tomi Engdahl says:

    Dutch police claim to have cracked BlackBerry encryption
    Netherlands Forensic Institute is making omelettes out of PGP
    http://www.theinquirer.net/inquirer/news/2441512/dutch-police-claim-to-have-cracked-blackberry-encryption

    THE DUTCH POLICE-ENABLING Netherlands Forensic Institute (NFI) has claimed that it has cracked PGP on BlackBerry devices and rendered any claims from the Canadian company redundant.

    BlackBerry has a lump on sale called the Priv that boasts unrivalled privacy capabilities, but the crack team of crackers at the NFI said that it ain’t a very tough nut to crack, according to a report on Motherboard.

    The NFI confirmed its ease of access in an emailed statement, explaining: “We are capable of obtaining encrypted data from BlackBerry PGP devices.”

    Motherboard tracks this back to documents leaked from the NFI after something happened last year. Those documents reportedly show that the NFI managed to pull 325 emails from one Phantom Secure-backed device, and decrypt 279 of them. So it’s not an exact science. Unfortunately, the police-linked NFI has not released much detail on the methods used to crack the BlackBerry code.

    We called the NFI and a press person confirmed the capability but declined to comment on the methods used.

    Reply
  32. Tomi Engdahl says:

    Brazilian whacks: as economy tanks, cyber-crooks samba
    Public boasting and n00b-friendly training colour underground forums
    http://www.theregister.co.uk/2016/01/13/what_recession_brazils_carder_economy_booms/

    Brazil’s economy may be hurtling towards recession but its online criminal underground is booming with wannabe hackers and carders racing to get a cut, research finds.

    Trend Micro’s work is the latest in a series of papers it has published in recent months that examine regional online crime economies including North America, Japan, China, Russia, and Germany.

    The South American nation has had an “influx” of new criminals to its online communities who shirk anonymity when draining user bank accounts with malware and openly boast of their success.

    These include developers looking for money in the country’s bludgeoned economy. A chap called “Lord Fenix” is perhaps king of the new breed of crooks, having written 100 trojans as of last year starting off in high-school and still active in his early twenties.

    “The fastest route to cybercriminal superstardom can be found in Latin America, particularly in Brazil,”

    Guides and entire three-month long training courses are available to help n00bs enter Brazil’s online crime communities. Students shelling out the $70 fee will learn to pop databases, setup botnets and malware, and how to handle end-to-end credit card theft including cashing out.

    Intermediate VXers with US$50 to hand can learn how to build crypters, critical to hiding malware from anti-virus systems.

    Mature phishing, DNS changer, and keylogging malware are also on offer across Brazil’s crime forums.

    Fraudsters can bypass all of this however and pay less than $150 for a fortnight’s access to hacked banking shopping panels that proffer up to 70 credit cards a day.

    Reply
  33. Tomi Engdahl says:

    EFF wants Cisco in front of a judge over tech for China’s ‘Great Firewall’
    Files amicus brief in decade-old Falun Gong case
    http://www.theregister.co.uk/2016/01/13/eff_cisco/

    The Electronic Frontier Foundation (EFF) is hoping to help re-start a lawsuit against Cisco over whether or not it provided technology China’s government used to facilitate human rights abuses.

    The row over China’s “Golden Shield” (aka the Great Firewall) has gone on practically forever, with Amnesty accusing Cisco of involvement, along with now-defunct Nortel Networks, Microsoft, Oracle-swallowed Sun Microsystems, and Websense, back in 2002.

    Activists in the US have been trying to sue technology companies over the technology they’ve pitched into the Great Firewall, on the grounds that it helps the Chinese government identify, and subsequently pursue, dissidents. The EFF had tried before to lodge an amicus brief, but that was dismissed in September 2014.

    Reply
  34. Tomi Engdahl says:

    Verizon Accused of Helping Spammers By Routing Millions of Stolen IP Addresses
    http://tech.slashdot.org/story/16/01/12/2322244/verizon-accused-of-helping-spammers-by-routing-millions-of-stolen-ip-addresses

    Spamhaus, an international non-profit organization that hunts down spammers, is accusing Verizon of indifference and facilitation of cybercrime because it failed for the past six months to take down stolen IP routes hosted on its network from where spam emails originated. Spamhaus detected over 4 million IP addresses, mainly stolen from China and Korea, and routed on Verizon’s servers with forged paperwork.

    Verizon Accused of Helping Cybercriminals by Routing Millions of Stolen IP Addresses
    http://news.softpedia.com/news/verizon-accused-of-helping-cybercriminals-by-routing-millions-of-stolen-ip-addresses-498819.shtml

    Verizon has some explaining to do because a recent report from The Spamhaus Project has pointed the finger at the company and accused it of aiding cybercriminals by routing over four million IP addresses through its network.

    The Spamhaus Project is an international non-profit organization that in the last years has maintained a spam blacklist and also collaborated with law enforcement agencies to track down spammers and some of the Internet’s spam operations.

    As Spamhaus representative Barry Branagh explains, the recent depletion of the IPv4 address block has forced cybercriminals to steal IP ranges from the IP pools of companies that don’t use them, or haven’t gotten around to setting up routes for those IPs.

    “Setting up a route” is when an ISP tells other ISPs that a particular IP address block can be found on its servers. While spammers have found it quite easy to steal or buy IP blocks from the black market, to set up a route, they usually need to register as an AS (Autonomous System) and receive an ASN (Autonomous System Number).

    Verizon doesn’t vet ASs that want to route IP addresses on its servers

    Because of Verizon’s relaxed ASN setup process, cybercriminals have found it quite easy to submit forged documents to the company and have it route their stolen IP lots through their servers.

    Using this approach, Mr. Branagh says that over 4 million IP addresses have been routed through Verizon’s network, which were later used to spam users via the “snowshoe approach.” With this technique, spammers use multiple addresses, in various locations, to send spam email to their victims.

    Reply
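The Spamhaus complaint above comes down to a transit provider accepting route announcements without checking that the announcing ASN is entitled to the prefix. Below is an added example (mine, not Spamhaus's or Verizon's tooling) of the vetting step that was missing: a simplified route-origin validation that checks each announced prefix against a registry of allocations and flags origin mismatches, more-specifics announced by a foreign ASN, and prefixes with no record at all. The registry entries, ASNs and announcements are constructed; a real deployment would source the registry from RPKI ROAs or IRR route objects, and maxLength semantics are simplified here to "any more-specific is covered".

```python
import ipaddress

# Constructed allocation registry: (prefix, holder, authorised origin ASN).
# In production these records would come from RPKI ROAs / IRR route objects.
REGISTRY = [
    ("198.51.100.0/24", "ExampleCo", 64500),
    ("203.0.113.0/24", "OtherCo", 64501),
    ("192.0.2.0/24", "ThirdCo", 64502),
]

# Constructed announcements received at a transit provider: (prefix, origin ASN).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", 64500),   # legitimate holder announcing its own block
    ("203.0.113.0/24", 65000),    # origin mismatch: foreign ASN announces OtherCo's block
    ("192.0.2.0/25", 65001),      # more-specific of ThirdCo's block from a foreign ASN
    ("100.64.0.0/10", 65002),     # no registry record at all
]


def validate_origin(prefix, origin_asn, registry=REGISTRY):
    """Return (state, covering_record) where state is 'valid', 'invalid'
    or 'unknown', mirroring route-origin validation at a high level."""
    net = ipaddress.ip_network(prefix)
    covering = [
        (p, holder, asn) for p, holder, asn in registry
        if net.subnet_of(ipaddress.ip_network(p))
    ]
    if not covering:
        return "unknown", None
    # The longest-matching record is the one that governs this prefix.
    best = max(covering, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return ("valid" if best[2] == origin_asn else "invalid"), best


def audit(announcements=ANNOUNCEMENTS, registry=REGISTRY):
    """List announcements a provider should not route without manual
    vetting, with the number of addresses each would put in play."""
    findings = []
    for prefix, asn in announcements:
        state, record = validate_origin(prefix, asn, registry)
        if state == "valid":
            continue
        findings.append({
            "prefix": prefix,
            "origin_asn": asn,
            "state": state,
            "holder": record[1] if record else None,
            "addresses": ipaddress.ip_network(prefix).num_addresses,
        })
    return findings
```

An "unknown" result is not proof of theft, but it is exactly the case where the provider should ask for paperwork and verify it with the registry, rather than accept it on the customer's say-so.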
  35. Tomi Engdahl says:

    Microsoft Ends Support For Internet Explorer 8-10 and Windows 8
    http://tech.slashdot.org/story/16/01/12/238231/microsoft-ends-support-for-internet-explorer-8-10-and-windows-8

    Microsoft today ended support for old versions of Internet Explorer, including IE8, IE9, and IE10, as well as Windows 8. For the browsers, the company has also released a final patch (KB3123303) that includes the latest cumulative security updates and an “End of Life” upgrade notification. In short, the final patch will nag Windows 7 and Windows Server 2008 R2 users to upgrade to Internet Explorer: A new tab will automatically open the IE download page.

    Reply
  36. Tomi Engdahl says:

    Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords
    http://it.slashdot.org/story/16/01/12/189232/trend-micro-flaw-could-have-allowed-attacker-to-steal-all-passwords

    Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow “anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction.” The password manager in Trend’s antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote.

    Trend Micro flaw could have allowed attacker to steal all passwords
    http://www.csoonline.com/article/3021774/security/trend-micro-flaw-could-have-allowed-attacker-to-steal-all-passwords.html

    Trend has patched that problem and another remote execution flaw

    Tavis Ormandy, an information security engineer with Google, wrote he found bugs in Trend Micro’s antivirus product that could allow remote code execution by any website and steal all of a user’s passwords.

    The security firm has confirmed it has released an automatic update that fixes the problems.

    “As part of our standard vulnerability response process we worked with him to identify and address the vulnerability,” wrote Christopher Budd, global threat communications manager at Trend Micro, in an email on Monday. “Customers are now getting protections through automatic updates.”

    Reply
  37. Tomi Engdahl says:

    Algorithms Claimed To Hunt Terrorists While Protecting the Privacy of Others
    http://yro.slashdot.org/story/16/01/13/0159221/algorithms-claimed-to-hunt-terrorists-while-protecting-the-privacy-of-others

    Computer scientists at the University of Pennsylvania have developed an algorithmic framework for conducting targeted surveillance of individuals within social networks while protecting the privacy of untargeted digital bystanders. … The algorithms are based on a few basic ideas. The first is that every member of a network (a graph) comes with a sequence of bits indicating their membership in a targeted group. If say, the number two bit was set in your personal privacy register, then you might be part of the “terrorist” target population.

    Algorithms Claim to Hunt Terrorists While Protecting the Privacy of Others
    http://motherboard.vice.com/read/algorithms-claim-to-hunt-terrorists-while-protecting-the-privacy-of-others

    Computer scientists at the University of Pennsylvania have developed an algorithmic framework for conducting targeted surveillance of individuals within social networks while protecting the privacy of “untargeted” digital bystanders. As they explain in this week’s Proceedings of the National Academy of Sciences (PNAS), the tools could facilitate counterterrorism efforts and infectious disease tracking while being “provably privacy-preserving”—having your anonymous cake and eating it too.

    “The tension between the useful or essential gathering and analysis of data about citizens and the privacy rights of those citizens is at an historical peak,” the researchers begin. “Perhaps the most striking and controversial recent example is the revelation that US intelligence agencies systemically engage in ‘bulk collection’ of civilian ‘metadata’ detailing telephonic and other types of communication and activities, with the alleged purpose of monitoring and thwarting terrorist activity.”

    Other conflicts mentioned by the Penn group include issues around medical data and targeted advertising. In every case, the friction is between individual privacy and some larger purpose, whether it’s corporate profits, public health, or domestic security. Can we really have both?

    Probably not, but we might not have to live with an “all or nothing” approach to privacy either. This is what we have now, according to the researchers: either every person has a right to privacy or no person does. What they propose instead is a population divided and classified. This is already sounding pretty ominous, but let’s hear them out.

    “There is a protected subpopulation that enjoys (either by law, policy, or choice) certain privacy guarantees,” the researchers write. “For instance, in the examples above, these protected individuals might be nonterrorists, or uninfected citizens (and perhaps informants and health care professionals). They are to be contrasted with the ‘unprotected’ or targeted subpopulation, which does not share those privacy assurances.” Still ominous.

    Private algorithms for the protected in social network search
    http://www.pnas.org/content/early/2016/01/05/1510612113

    Reply
  38. Tomi Engdahl says:

    As easy as ‘Citrix123′ – Hacker claims he popped Citrix’s CMS
    And once he was in, it became possible to pour malware onto all customers
    http://www.theregister.co.uk/2016/01/13/ruskie_hacker_pops_citrix/

    A Russian hacker claims he popped Citrix, gaining access to potentially hose scores of customers with malware.

    The binary buster known as “W0rm” exploited an insecure password – seemingly universal press credentials paired with the code Citrix123 – used to protect Citrix’s content management system.

    W0rm published the findings in October on his blog and to the antichat security forum.

    The hacker gained access to admin functions including remote support, and informed Citrix but did not receive a response.

    Israeli firm CyberInt stumbled across the report and again notified the firm which reportedly did not respond.

    CyberInt’s Elad Ben-Meir reportedly said the attack could have allowed W0rm or anyone else reproducing the steps to compromise Citrix customers.

    W0rm has previously attacked the BBC, the Wall Street Journal, and Vice, offering to sell stolen databases for cash.

    I hacked Citrix, says Russian hacker w0rm
    http://www.scmagazineuk.com/i-hacked-citrix-says-russian-hacker-w0rm/article/464362/

    Citrix, a US software company specialising in virtualisation and cloud computing, has reportedly been compromised by a Russian hacker called w0rm.

    w0rm is infamous for several attacks over the past five years on a number of high profile targets including the BBC, CNET, Adobe and Bank of America. The identity of the person or group behind w0rm is unknown.

    According to Elad Ben-Meir, vice president of marketing at Cyberint, the company made repeated efforts to notify Citrix but received no response. In addition, the hacker w0rm tweeted Citrix with a link to its blog posting on 25 October 2015 and says it received no response.

    Reply
  39. Tomi Engdahl says:

    We know this isn’t about PRISM, Matt Warman MP. But do you?
    Evidence-based policy requires receiving evidence
    http://www.theregister.co.uk/2016/01/13/matt_warman_mp_interrupts_bill_binney_ipb_evidence/

    Former consumer technology editor at The Telegraph and current Conservative MP Matt Warman derailed an NSA whistleblower’s attempt to deliver evidence on GCHQ spying, raising questions about the committee’s competence to scrutinise the government’s draft surveillance bill.

    Delivering his oral evidence to the committee, Binney, a former technical director at the NSA, said the bulk acquisition of enormous datasets was not helping the work of intelligence analysts.

    “The point is to do a professional job and they’re not doing that right now,” Binney told The Register. The former TD suggested to us that the urgent actions of security services in the aftermath of atrocities showed what kind of efforts they should be engaged in all the time. He stated much the same thing to the committee: “Bulk collection means ‘you don’t know anything, so give me everything.’”

    Reply
  40. Tomi Engdahl says:

    Windows 10 shattered Remote Desktop’s security defaults – so get patching
    All users of Windows, Office, and Adobe software should update ASAP
    http://www.theregister.co.uk/2016/01/12/microsoft_adobe_january_2016_patches/

    Microsoft has issued its January batch of security updates – including what will be the final round of patches for many versions of Internet Explorer.

    The first Patch Tuesday monthly security release of the year includes fixes for 25 CVE-listed flaws in Windows, Internet Explorer, Edge, and Office. Among the patched bugs are remote code execution vulnerabilities, elevation of privilege holes, and a spoofing vulnerability.

    Microsoft reckons no one is actively exploiting the security vulnerabilities addressed in this month’s patch bundle, but it’s only a matter of time before criminals reverse-engineer the updates and target them.

    In addition to Microsoft’s patch bundle, Adobe has issued its monthly update for flaws in its Acrobat and Reader software. A total of 17 CVE-listed security bugs are patched for both OS X and Windows.

    Reply
  41. Tomi Engdahl says:

    Fortinet tries to explain weird SSH ‘backdoor’ discovered in firewalls
    Update your firmware or suffer the consequences
    http://www.theregister.co.uk/2016/01/12/fortinet_bakdoor/

    Enterprise security vendor Fortinet has attempted to explain why its FortiOS firewalls were shipped with hardcoded SSH logins.

    It appears Fortinet’s engineers implemented their own method of authentication for logging into FortiOS-powered devices, and the mechanism ultimately uses a secret passphrase. This code was reverse-engineered by persons unknown, and a Python script to exploit the hole emerged on the Full Disclosure mailing list this week.

    Anyone who uses this script against vulnerable firewalls will gain administrator-level command-line access to the equipment. After some outcry on Twitter and beyond, Fortinet responded by saying it has already killed off the dodgy login system.

    “This issue was resolved and a patch was made available in July 2014 as part of Fortinet’s commitment to ensuring the quality and integrity of our codebase,” a spokeswoman told El Reg.

    “This was not a ‘backdoor’ vulnerability issue but rather a management authentication issue

    SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
    http://seclists.org/fulldisclosure/2016/Jan/26

    Reply
  42. Tomi Engdahl says:

    $30 webcam spun into persistent network backdoor
    Bring on the Internet of dangerously hacked things
    http://www.theregister.co.uk/2016/01/13/30_dlink_web_cam_spun_into_persistent_network_backdoor/

    Vectra Networks security wonks have spun a cheap webcam into a backdoor to persistently p0wn PCs.

    The junk hacking expedition led Vectra’s chief security chap Gunter Ollmann into the internals of the D-Link DCS 930L, a network camera that can be had for US$30.

    The attacks are useful as an alternative backdoor for targeted attackers who already have access to a machine, or for those capable of compromising a device before it is installed by the user.

    It is not something users should expect to surface in the wild and is rather an example of the risks posed by internet-of-things devices.

    Ollmann dumped and reflashed the camera’s firmware so that it opened a remote backdoor that was difficult to detect and did not affect normal operation.

    The update feature was also removed, preventing the backdoor from being lost through patches.

    “The irony in this particular scenario is that WiFi cameras are typically deployed to enhance an organisation’s physical security, yet they can easily become a network security vulnerability by allowing attackers to enter and steal information without detection,” Ollmann says.

    Vectra Networks Demonstrates How Vulnerabilities in IoT Devices Can Create Hidden Backdoors for Persistent Attacks
    https://finance.yahoo.com/news/vectra-networks-demonstrates-vulnerabilities-iot-130000551.html

    SAN JOSE, CA–(Marketwired – Jan 12, 2016) – Vectra® Networks, the leader in real-time detection of in-progress cyber-attacks, today announced that the Vectra Threat Labs™ has verified that consumer-grade Internet of Things (IoT) products, such as Wi-Fi security web cameras, can be hacked and reprogrammed to serve as permanent backdoors, enabling potential attackers to remotely command and control a cyber attack without being detected by traditional security products.

    “Consumer-grade IoT products can be easily manipulated by an attacker, used to steal an organization’s private information, and go undetected by traditional security solutions,” said Gunter Ollmann, CSO of Vectra Networks. “While many of these devices are low-value in terms of hard costs, they can affect the security and integrity of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.”

    Turning an IoT device into a backdoor essentially gives hackers 24×7 access to an organization’s network without needing to infect a laptop, workstation or server, all of which are usually under high scrutiny by firewalls, intrusion prevention systems and malware sandboxes, and typically run antivirus software that is updated regularly.

    “Most organizations don’t necessarily think of these devices as miniature computers, but essentially they are in that they can still give attackers access to sensitive company information, particularly because they are connected to the corporate network,”

    Reply
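Ollmann's advice above is that teams "need to keep an eye on" low-value IoT devices for signs of malicious behaviour. One practical way to do that is to baseline what each device is allowed to talk to and flag anything else. The following is an added example (not Vectra's tooling) that reviews constructed flow records for a pair of cameras against a constructed per-device baseline: it reports connections to hosts outside the baseline (distinguishing internal lateral connections from unknown external peers), unexpected ports, and long-lived sessions of the kind a persistent reverse channel would produce. Device names, addresses, ports and the session threshold are all assumptions.

```python
import ipaddress

# Constructed site address space; anything in here is "internal".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed IoT inventory: each camera should only talk to the vendor's
# cloud relay (203.0.113.10) and the site NTP server (10.0.1.53).
IOT_DEVICES = {
    "10.0.20.11": {"name": "lobby-cam-1",
                   "allowed_peers": {"203.0.113.10", "10.0.1.53"},
                   "allowed_ports": {443, 123}},
    "10.0.20.12": {"name": "dock-cam-2",
                   "allowed_peers": {"203.0.113.10", "10.0.1.53"},
                   "allowed_ports": {443, 123}},
}

# Constructed flow records: (src, dst, dst_port, bytes_out, duration_seconds)
FLOWS = [
    ("10.0.20.11", "203.0.113.10", 443, 12_000, 30),     # normal cloud check-in
    ("10.0.20.12", "10.0.1.53", 123, 90, 1),             # normal NTP
    ("10.0.20.11", "10.0.10.5", 445, 800, 5),            # camera talking SMB to a workstation
    ("10.0.20.12", "198.51.100.77", 4444, 150, 7_200),   # two-hour session to an unknown host
    ("10.0.10.5", "198.51.100.77", 443, 5_000, 12),      # not an IoT device; out of scope here
]

# Sessions at or above this length are unusual for a camera (assumption).
LONG_SESSION_S = 3600


def review_iot_flows(flows=FLOWS, devices=IOT_DEVICES):
    """Return one finding per flow that departs from the device baseline."""
    findings = []
    for src, dst, dport, _nbytes, duration in flows:
        device = devices.get(src)
        if device is None:
            continue  # only flows initiated by inventoried IoT devices
        reasons = []
        if dst not in device["allowed_peers"]:
            if ipaddress.ip_address(dst) in INTERNAL:
                reasons.append("connection to internal host outside baseline (possible lateral movement)")
            else:
                reasons.append("connection to unknown external host")
        if dport not in device["allowed_ports"]:
            reasons.append(f"unexpected destination port {dport}")
        if duration >= LONG_SESSION_S:
            reasons.append("long-lived session (consistent with a persistent reverse channel)")
        if reasons:
            findings.append({"device": device["name"], "src": src, "dst": dst,
                             "port": dport, "reasons": reasons})
    return findings
```

Because the device has been reflashed and its update path removed, host-side signals are gone; the network baseline is what remains, and a camera initiating SMB to a workstation or holding a multi-hour session to an unknown host is visible there regardless of what the firmware says about itself.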
  43. Tomi Engdahl says:

    Microsoft: Upgrade to IE11 even if you dump our browser
    http://www.computerworld.com/article/3021824/web-browsers/microsoft-upgrade-to-ie11-even-if-you-dump-our-browser.html

    Components embedded in the OS won’t receive patches unless users have the newest IE on their PC

    Users of the Internet Explorer (IE) browser should update to the newest edition for their operating system — in most cases, that means IE11 — even if they’ve discarded the browser for a rival, Microsoft said.

    On Tuesday, Microsoft served up the final security updates for most users of editions prior to IE11, making good on a pledge that it would pull the patch plug on its older browsers.

    But even if Windows users have ditched IE for an alternate browser — like Google’s Chrome, Mozilla’s Firefox or Opera Software’s Opera — they should still migrate to the newest-possible IE, and keep updating the browser, said Pat Altimore, a Microsoft senior software developer consultant.

    That’s because of the decision Microsoft made decades ago to tightly intertwine IE and Windows.

    “There are many components that constitute the [IE] browser. Most of the components are part of the operating system,” Altimore wrote in a Jan. 8 post to the MSDN (Microsoft Developer Network) blog.

    Applications other than Microsoft’s IE can, and do, call on those components to display HTML or execute scripts. “If you aren’t upgraded to the current version of IE, you won’t be able to apply the current security updates. This could result in some Windows components not being serviced. To ensure applications using components are fully patched, update to the latest version of IE and apply future cumulative IE updates,” Altimore said.

    If I Remove or Don’t Use Internet Explorer 8, 9, or 10, Can I Avoid Upgrading to Internet Explorer 11?
    http://blogs.msdn.com/b/patricka/archive/2016/01/08/if-i-remove-or-don-t-use-internet-explorer-8-9-or-10-can-i-avoid-upgrading-to-internet-explorer-11.aspx

    Reply
  44. Tomi Engdahl says:

    Arik Hesseldahl / Re/code:
    Shape Security now protects apps in addition to websites from automated hacking, raises $25M from Beijing-based Northern Light Venture Capital

    Shape Security Brings Its Bot-Blinding Technology to Mobile Apps
    http://recode.net/2016/01/13/shape-security-brings-its-bot-blinding-technology-to-mobile-apps/

    Two years ago, the startup Shape Security emerged from stealth mode with an interesting new idea for protecting websites from some of the most common forms of attack. Today it announced it has applied the same ideas to protecting mobile apps.

    Many Web security issues arise from known technical problems surrounding the process used to sign in to the site: Typing in account names and passwords. Attackers know about this vulnerability so they use software called bots to automatically scan the Web for these weaknesses and then attack sites by the thousands. Most hacking attacks have become automated in this way.

    When it first launched, Shape created Shapeshifter, hardware that handles the complicated behind-the-scenes computing work of constantly changing the source code of the sections of a website that are responsible for creating a sign-in interface. The constant changes — a technique known as polymorphism — are invisible to human users but have the effect of blinding the bots that hackers use to carry out their automated attacks. The website becomes a moving target to which the evil bots can’t adapt.

    Today the company says it has adapted its polymorphic techniques to protect mobile apps. The same tricks that make attack bots blind on the Web are now blinding them when they attack mobile APIs.

    The new mobile service is already in use by several customers.

    Reply
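The article above describes the idea behind Shape's product in one sentence: keep changing the parts of the sign-in page a bot has to recognise, so a script that hardcodes field names stops working while a human notices nothing. The following is an added, deliberately minimal server-side sketch of that polymorphism (my own illustration, not Shape's implementation): every render of the login form gets fresh random field names bound to a single-use form token, and submissions are mapped back to the logical fields only if they use the names issued for that token. A scripted client that posts the static names `username` and `password` is rejected, as is a replayed or expired token. The clock parameter exists so expiry can be exercised offline.

```python
import secrets
import time


class PolymorphicLoginForm:
    """Per-render randomised field names that map back to logical fields.
    Hypothetical illustration of form polymorphism; not production code."""

    LOGICAL_FIELDS = ("username", "password")

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        # form token -> (expiry, {random_field_name: logical_field_name})
        self._pending = {}

    def render(self):
        """Issue a form: returns (token, html, names) where names maps each
        logical field to the random name the browser will see this time."""
        token = secrets.token_urlsafe(16)
        names = {logical: "f_" + secrets.token_hex(8) for logical in self.LOGICAL_FIELDS}
        mapping = {random_name: logical for logical, random_name in names.items()}
        self._pending[token] = (self.clock() + self.ttl, mapping)
        html = (
            '<form method="post">'
            f'<input type="hidden" name="t" value="{token}">'
            f'<input type="text" name="{names["username"]}">'
            f'<input type="password" name="{names["password"]}">'
            '<button>Sign in</button></form>'
        )
        return token, html, names

    def decode(self, token, submitted):
        """Map a submission back to logical fields, or return None when the
        token is unknown/replayed/expired or any field name was not issued
        for this render (the signature of a client using static names)."""
        entry = self._pending.pop(token, None)   # single use: replay fails
        if entry is None:
            return None
        expiry, mapping = entry
        if self.clock() > expiry:
            return None
        decoded = {}
        for field_name, value in submitted.items():
            logical = mapping.get(field_name)
            if logical is None:
                return None
            decoded[logical] = value
        if set(decoded) != set(self.LOGICAL_FIELDS):
            return None
        return decoded
```

This only raises the cost for bots that key on static markup; a bot that renders the page and locates inputs by type or position still works, which is why the real products combine polymorphism with other signals.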
  45. Tomi Engdahl says:

    New Remote Access Trojan Used In Cyberespionage Operations
    http://it.slashdot.org/story/16/01/13/237247/new-remote-access-trojan-used-in-cyberespionage-operations

    Researchers from Arbor Networks have discovered a new remote access Trojan, dubbed Trochilus, whose detection rate was very low among antivirus products.

    New remote access Trojan Trochilus used in cyberespionage operations
    http://www.csoonline.com/article/3021271/security/new-remote-access-trojan-trochilus-used-in-cyberespionage-operations.html

    The program was used by a group that recently targeted organizations in Myanmar

    A cyberespionage group has been discovered using a new remote access Trojan, dubbed Trochilus, whose detection rate was very low among antivirus products.

    The researchers linked the compromises to a sophisticated group of attackers known as Group 27, who are known to use different malware programs in their operations, some with overlapping capabilities.

    Arbor Networks has uncovered seven malware programs used by the group so far, including three remote access Trojans: PlugX, 9002, and the new Trochilus.

    “These seven packaged malware offer threat actors a variety of capabilities including the means to engage in espionage and the ability to move laterally within target networks in order to achieve more strategic access,” the Arbor researchers said in a blog post.

    Reply
  46. Tomi Engdahl says:

    Baby monitor hacker delivers creepy message to child
    http://www.cbsnews.com/news/baby-monitor-hacker-delivers-creepy-message-to-child/

    NEW YORK – “Wake up little boy, daddy’s looking for you.”

    That’s the message a stranger delivered to a couple’s 3-year-old son through a baby monitor after hacking the device, reports CBS New York.

    The parents did not want to reveal their identity because they were worried the stranger could find them.

    It’s not the only time the couple says the man hacked into their baby monitor.

    The family says the hacker was even able to remotely control the camera on the monitor.

    CBS New York reports that because many new baby monitors connect to the Internet and come with a smartphone app, it has become easier for hackers to infiltrate them.

    Reply
  47. Tomi Engdahl says:

    ISIS Has Its Own Secure Messaging App
    http://fortune.com/2016/01/13/isis-has-its-own-secure-messaging-app/

    Encrypted communication for the modern terrorist.

    The Islamic State has long relied on messaging apps like Facebook’s WhatsApp, Telegram, and Twitter direct messaging to communicate and distribute propaganda. Now, online counterterrorism outfit Ghost Security Group claims ISIS has built its own Android-based, encrypted messaging app that circumvents conventional messaging apps like WhatsApp that are easier for the F.B.I. to monitor.

    Ghost Security is the same hacking collective that last month pointed out that ISIS members used Telegram

    The site hosting the Amaq Agency app download has since disappeared. Shortly thereafter another app surfaced in its place called Alrawi.apk.

    These messaging features aren’t quite as secure or sophisticated as those of Telegram or WhatsApp, but they share the distinct advantage of being independent of any third-party company or organization that might help anti-ISIS governments or law enforcement agencies. In recent months, FBI Director James Comey and others within the U.S. national security apparatus have argued that governments should require services like WhatsApp to build back doors into their encryption so law enforcement can more easily intercept terrorist communications.

    Without going quite as far as Comey, President Barack Obama and presidential contenders like Hillary Clinton have in recent weeks urged Silicon Valley to voluntarily join the fight against ISIS.

    The emergence of a messaging app by ISIS complicates those efforts. With its own encrypted messaging app, ISIS doesn’t have to worry about WhatsApp or another of its favorite messaging services letting the FBI or other agencies in.

    Communication has become a cornerstone of ISIS’s operations as the organization has spread not only across Iraq and Syria, but also into Libya, Egypt, and elsewhere in the region.

    The group has also taken to encouraging so-called “lone wolf” attackers to take up the ISIS cause in their own countries.

    Even when it is not being particularly tech-savvy, ISIS drives home the importance of secure communications to its members and prospective followers.

    “Any operation that doesn’t have a strong security and precaution base is deemed to fail, just like a big building needs strong foundations,” the booklet says. “Security precautions are the foundations of any operation.”

    Reply
  48. Tomi Engdahl says:

    Microsoft Windows XP Embedded ends extended support
    Ask Control Engineering: Extended support for Microsoft Windows XP Embedded has ended; what should I do?
    http://www.controleng.com/single-article/microsoft-windows-xp-embedded-ends-extended-support/b8a8e891e850a9d011c656a0c92348ee.html

    Ask Control Engineering: Since Microsoft has ended extended support for Microsoft Windows XP Embedded as of Jan. 12, what should I do, if anything?

    Answer: Since Microsoft is no longer offering support for its 15-year-old operating system, Microsoft Windows XP Embedded, those who have procrastinated now have additional concerns and risks to address.

    “What’s worse,” said one manufacturing IT expert, “is to not even know if you have any XP systems running.”

    warns that users still using Microsoft Windows XP Embedded systems in their facilities will be running into several additional security risks. Finding compatible software will be very difficult and this, in turn, will make the systems more vulnerable to cyber security attacks. Brandl explains that running a complete system inventory will at least make it clear if there’s a potential support problem.

    The long goodbye to Microsoft Windows XP Embedded
    http://en.ofweek.com/news/The-long-goodbye-to-Microsoft-Windows-XP-Embedded-38178

    There are those that get work done early, those that get it done on time, and those that procrastinate until every task is an emergency. Those still using Microsoft Windows XP Embedded in their industrial environments will fall into the latter category because Microsoft’s extended support for Windows XP Embedded ends on January 12, 2016. The 15-year-old operating system will no longer be supported or updated, no matter how much users clamor or beg.

    Companies still using Microsoft Windows XP Embedded systems in their facilities will be running into several additional risks. For example, it will be difficult to find compatible hardware and software, and it will be difficult, if not impossible, to get updates to the applications currently running, which will make the systems more vulnerable. If there are Microsoft Windows XP systems running and they can’t be replaced, then take measures to reduce potential risks. What is worse is to not even know if you have any XP systems running.

    It is vital to complete a software and IT hardware inventory of the entire facility, which includes far more than just the production systems. It is important to also consider your laboratory systems, maintenance systems, warehouse systems, tank farm systems, HVAC systems, physical security systems, document management systems, planning systems, and development systems. Without a complete inventory, “hidden” systems under employees’ desks, which are performing critical functions, might go unnoticed. For example, is the scheduling department still using an XP-based tool, or worse: a DOS-based tool; is the laboratory using XP-based test equipment; are the automated material movement systems running XP-based configuration and maintenance software; or is the security department using an XP-based badge scanning system?

    At the very minimum, a complete system inventory will make it clear if there’s a potential support problem.

    The worst situation is to have high risk and obsolete systems where there are no readily available replacements.

    In these situations, the first step is to virtualize the hardware, which at least removes the risk of a hardware failure and provides backups in case of software failures. Second, the systems should be isolated from other networks through demilitarized zones (DMZs), firewalls, or physical separation. It is likely the Microsoft Windows XP system will be running vulnerable browsers, databases, applications, and drivers, which makes isolation even more vital. However, virtualization and isolation are only temporary fixes to give the manager time to implement long-term solutions.

    For machines that cannot be upgraded, what needs to change now that Microsoft Windows XP support has ended?
    Ask Control Engineering sought advice from industrial software developers related to the end of Microsoft Windows XP support. Here, Beckhoff Automation provides answers related to Microsoft Windows XP obsolescence.
    http://www.controleng.com/single-article/for-machines-that-cannot-be-upgraded-what-needs-to-change-now-that-microsoft-windows-xp-support-has-ended/ca31607ec0c97a6267c25dec3762cfeb.html

    Ask Control Engineering: For manufacturers that may not be able to upgrade certain machines or systems past Microsoft Windows XP, what should change now that Microsoft Windows XP support has ended? Answers for related questions below are provided by Debra Lee, software specialist, Beckhoff Automation.

    A. Now that support from Microsoft for Windows XP has ended, machines with this operating system (OS) will no longer be able to get OS updates, including security updates. Naturally, best practices dictate that machines be kept up to date with the latest security updates. However, most of these machines are not connected to the Internet, and those that are generally are not used for surfing the Internet nor do they open files or attachments in software applications such as e-mail, both of which are notorious for the spread of viruses and malware. It is important to note as well that many machines are actually running Windows XP Embedded. Support for Windows XP Embedded is still active and does not end until Jan. 12, 2016.

    Q. If customers cannot upgrade, what should change, if anything, on April 9?

    A. If a security audit finds that access to the machine is secured and there is no Internet connectivity or e-mail “read” access with file download capability on the machine, nothing necessarily needs to change today even if a machine has devices with Windows XP OS on it. If the security audit finds a potential hazard in these areas, however, action may need to be taken to remove the access points, or if that is not possible for some reason, upgrade the device(s) on the machine. Of course, users should remember that Windows XP Embedded support is still active and will continue to be active until the beginning of 2016.

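An added example, not code from the Control Engineering articles or from Beckhoff quoted in the comment above: it turns the inventory-and-audit advice into a triage script. Each constructed inventory record is classified by its OS caption, checked against Microsoft's end of extended support (12 January 2016 for XP Embedded, as stated in the thread; 8 April 2014 for Windows XP), and then run through the audit decision from the answer: an out-of-support box with Internet or e-mail/download access must lose that access or be upgraded, one on a shared network must be isolated (DMZ, firewall or physical separation) and virtualized, and an isolated one is tolerated only as a stop-gap. The host names, the inventory field names and the sample records are assumptions constructed for this example.

```python
"""Triage an asset inventory for Windows XP / XP Embedded hosts that have passed
Microsoft's end of extended support.

Added example; not code from the quoted articles. Field names and the sample
inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
import re

# End of extended support. XP Embedded's date is the one quoted in the thread;
# Windows XP (SP3) support ended on 8 April 2014.
EOL_DATES = {
    "Windows XP Embedded": date(2016, 1, 12),
    "Windows XP": date(2014, 4, 8),
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "watch": 3, "out-of-scope": 4}


@dataclass
class Asset:
    host: str
    os_name: str            # OS caption as reported by the inventory tool (assumed field)
    function: str           # what the box does: scheduling, lab, badge scanning, HVAC ...
    internet_access: bool   # host can reach the Internet
    mail_or_download: bool  # e-mail "read" access or file-download capability
    isolated: bool          # behind a DMZ/firewall or physically separated


def _as_date(as_of):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return as_of if isinstance(as_of, date) else date.fromisoformat(as_of)


def classify_os(os_name):
    """Map an OS caption to an EOL_DATES key, or None if it is not Windows XP."""
    name = os_name.lower()
    if not re.search(r"\bwindows\s+xp\b", name):
        return None
    return "Windows XP Embedded" if "embedded" in name else "Windows XP"


def triage(asset, as_of):
    """Return (severity, reason) for one asset, applying the audit logic from the thread."""
    today = _as_date(as_of)
    product = classify_os(asset.os_name)
    if product is None:
        return "out-of-scope", "not Windows XP"
    eol = EOL_DATES[product]
    if today < eol:
        return "watch", f"{product} still supported until {eol.isoformat()}"
    # Past end of support from here on.
    if asset.internet_access or asset.mail_or_download:
        return "critical", f"{product} past EOL with Internet/e-mail exposure: remove access points or upgrade"
    if not asset.isolated:
        return "high", f"{product} past EOL on a shared network: isolate (DMZ/firewall/physical) and virtualize"
    return "medium", f"{product} past EOL but isolated: temporary fix only, plan replacement"


def triage_inventory(assets, as_of):
    """Return (host, severity, reason) for every asset, worst first (stable order within a severity)."""
    rows = [(a.host, *triage(a, as_of)) for a in assets]
    return sorted(rows, key=lambda r: SEVERITY_ORDER[r[1]])


# Constructed sample inventory, modelled on the "hidden" systems the article lists.
SAMPLE_INVENTORY = [
    Asset("sched-01", "Microsoft Windows XP Professional SP3", "scheduling", True, True, False),
    Asset("lab-hplc-02", "Windows XP Embedded SP2", "lab test equipment", False, False, True),
    Asset("badge-srv", "Windows XP Embedded", "badge scanning", False, False, False),
    Asset("hvac-ctl", "Windows XP Embedded", "HVAC", False, False, True),
    Asset("eng-ws-07", "Windows 7 Professional", "engineering workstation", True, True, False),
]

if __name__ == "__main__":
    # The day after XP Embedded support ended.
    for host, severity, reason in triage_inventory(SAMPLE_INVENTORY, "2016-01-13"):
        print(f"{severity:<13} {host:<12} {reason}")
```

Run against a real export by building `Asset` records from whatever your inventory tool produces; the point of the `watch` tier is that a system is only safe to defer while its support date is still ahead, so re-run the triage with the current date rather than trusting a report from last quarter.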