Here are my predictions for trends in information security and cyber security for the year 2016.
Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor violate the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have dared to trust only “the right cloud services”, since from the traditional information security point of view they seemed, in principle, to be mostly okay; the leaks have now raised privacy issues on top of that.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.
The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, whose impact is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that is, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.
The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would have strong protections for their data, and the rest of us would not. A poorly thought-out and crude surveillance technique can have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start to display errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just the Bitcoin virtual money. With bitcoin, the Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part of securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware, I recommend making sure with your IT support or your service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
2,232 Comments
Tomi Engdahl says:
UK’s Top Police Warn That Modding Games May Turn Kids into Hackers
http://motherboard.vice.com/read/uks-top-police-warn-that-modding-games-may-turn-kids-into-hackers
Over the last few years, the NCA has attempted to reach out to technologically savvy young people in different ways. EGX was the first time it’s pitched up to a gaming convention; the NCA said it wanted to educate young people with an interest in computers and suggested that those who mod online games in order to cheat may eventually progress to using low level cybercrime services like DDoS-for-hire and could use steering in the right direction.
Tomi Engdahl says:
MarsJoke Ransomware Mimics CTB-Locker
https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker
Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers. We recently noted the non-linear growth of ransomware variants and now a new type has emerged, dubbed MarsJoke.
Proofpoint researchers originally spotted the MarsJoke ransomware in late August [1] by trawling through our repository of unknown malware. However, beginning on September 22, 2016, we detected the first large-scale email campaign distributing MarsJoke. This ongoing campaign appears to target primarily state and local government agencies and educational institutions in the United States.
Tomi Engdahl says:
Android Browser Security–What You Haven’t Been Told
http://www.linuxjournal.com/content/android-browser-security-what-you-havent-been-told
This article focuses on flaws in Android’s stock web libraries, while acknowledging related exploits. Some modern Android browsers have critically weak encryption and other dangerous flaws that cannot be patched or otherwise corrected. This weakness extends to multiple browsers and applications and is determined by the linkage to the system webcore on older OS versions. HTML applications that do not provide their own rendering engine should be avoided for all versions of Android less than 5.0.
Weakened WebKit
Most mobile platforms (including Android) owe a great debt to the KHTML rendering engine from the KDE Konqueror web browser. Mobile HTML is essentially a monoculture from the perspective of an OS default browser—they all emerge from KHTML, which won this position by providing a high-quality codebase under a reasonable license at the right time.
Although one would hesitate to call Apple a consistently good steward of KHTML due to past friction with the Konqueror project, the Safari browser introduced a compelling rework of KHTML known as WebKit.
Tomi Engdahl says:
Is it Finally Time for Open Security?
http://www.securityweek.com/it-finally-time-open-security
One of the distinct advantages of working in the IT industry for over 35 years is all of the direct and indirect experience that brings, as well as the hindsight that comes with that.
One of the more personally interesting experiences for me has been watching the growth and ultimate success of the Open Source Software (OSS) movement from a fringe effort (what business would ever run on OSS?) to what has now become a significant component behind the overall success of the Internet.
Tomi Engdahl says:
Microsoft Unveils Cloud-based Fuzz Testing Service
http://www.securityweek.com/microsoft-unveils-cloud-based-fuzz-testing-service
Microsoft’s Project Springfield Allows Developers to Fuzz Code Before Hackers Do
All software has bugs. Bugs lead to vulnerabilities which then lead to breaches. Fewer bugs will inevitably lead to fewer breaches for users, and fewer costly patching exercises for software vendors. It is a no-brainer to eliminate as many bugs as possible during development; but that in itself is difficult and costly.
On Monday at its Ignite Atlanta conference, Microsoft announced a new Azure-based software fuzz testing service, based around its own internal Scalable, Automated, Guided Execution (SAGE) testing tool. The new service is labeled Project Springfield.
While fuzz testing traditionally generates and tests random inputs against software, Springfield uses artificial intelligence (AI) to focus testing around potential problem areas in what it calls ‘white box fuzz testing’. “It uses artificial intelligence to ask a series of ‘what if’ questions and make more sophisticated decisions about what might trigger a crash and signal a security concern,” said Microsoft in a blog post Monday. “Each time it runs, it gathers data to hone in on the areas that are most critical. This more focused, intelligent approach makes it more likely that Project Springfield will find vulnerabilities other fuzzing tools might miss.”
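The difference between blind random input generation and guided fuzzing is easier to see in code. The following is an added example, not Microsoft’s code and not SAGE (which guides its search with symbolic execution and constraint solving); it uses the cheaper feedback signal most open-source fuzzers rely on, line coverage. It runs a constructed toy record parser with a planted bounds bug, uses sys.settrace to learn which lines each input reached, keeps any input that reaches new lines as a new mutation seed, and records inputs that crash. The parser, its bug, the seed input, the mutators and the random seed are all constructed for the demonstration.

```python
import random
import sys
from typing import Callable, Dict, List, Set, Tuple


# --- Target under test: a toy record parser with a planted bounds bug.
# Constructed for this demo; it is not real software.
def parse_record(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("too short")
    if data[0:2] != b"RC":
        raise ValueError("bad magic")
    version, length, payload = data[2], data[3], data[4:]
    if version == 1:
        if length > len(payload):
            raise ValueError("truncated")
        return {"version": 1, "body": payload[:length]}
    if version == 2:
        # Planted defect: 'length' is trusted without a bounds check, so a
        # malformed record makes payload[length] raise IndexError.
        checksum = payload[length]
        return {"version": 2, "body": payload[:length], "checksum": checksum}
    raise ValueError("unknown version")


# --- Feedback signal: which lines of the target did this input execute?
def run_with_coverage(target: Callable[[bytes], object],
                      data: bytes) -> Tuple[Set[int], object]:
    covered: Set[int] = set()

    def tracer(frame, event, arg):
        if frame.f_code is target.__code__:
            if event == "line":
                covered.add(frame.f_lineno)
            return tracer          # keep tracing inside the target only
        return None

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        crash = None
    except ValueError:
        crash = None               # a handled parse error is expected behaviour
    except Exception as exc:       # anything else is a crash worth reporting
        crash = exc
    finally:
        sys.settrace(previous)
    return covered, crash


# --- Mutators typical of a mutation-based fuzzer.
def mutate(rng: random.Random, data: bytes) -> bytes:
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                        # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                      # substitute an "interesting" byte
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0, 1, 2, 3, 0x7F, 0xFF])
    elif choice == 2:                              # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                      # delete one byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


# --- The loop: keep inputs that reach new lines, record inputs that crash.
def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 10000, seed: int = 1) -> Dict[str, object]:
    rng = random.Random(seed)      # fixed seed so a run is reproducible
    corpus = list(seeds)
    total: Set[int] = set()
    for s in corpus:
        total |= run_with_coverage(target, s)[0]
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(corpus))
        covered, crash = run_with_coverage(target, candidate)
        if crash is not None:
            crashes.setdefault(type(crash).__name__, candidate)
        elif not covered <= total:
            total |= covered       # new lines reached: worth mutating further
            corpus.append(candidate)
    return {"corpus": corpus, "coverage": total, "crashes": crashes}


if __name__ == "__main__":
    result = fuzz(parse_record, [b"RC\x01\x03abc"])
    print("corpus size:", len(result["corpus"]), "lines covered:", len(result["coverage"]))
    for name, data in result["crashes"].items():
        print(name, "triggered by", data)
```

The seed input is a valid version-1 record, so the version-2 branch is only reached once the mutator changes byte 2; keeping the inputs that hit the "unknown version" and "truncated" lines gives the fuzzer a shorter path to the crash than purely random inputs would. Edge (branch-pair) coverage rather than line coverage, and a sanitizer-instrumented native target, are the usual next steps.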
Tomi Engdahl says:
Microsoft Adds Virtualization-based Security to Edge Browser
http://www.securityweek.com/microsoft-adds-virtualization-based-security-edge-browser
At its 2016 Ignite conference in Atlanta this week, Microsoft announced improved security for its Edge browser in the form of Windows Defender Application Guard, a tool that leverages virtualization-based security technology for user protection.
The new Application Guard is yet another step Microsoft has taken towards improving the overall security of Windows 10 systems, following features such as Windows Information Protection (WIP) and signed kernel mode drivers. To boost user security, Microsoft disabled RC4 in Edge and Internet Explorer 11 earlier this year.
Tomi Engdahl says:
Google Releases New XSS Prevention Tools
http://www.securityweek.com/google-releases-new-xss-prevention-tools
Google has released new tools and documentation designed to help developers mitigate cross-site scripting (XSS) attacks using the Content Security Policy (CSP) standard.
XSS vulnerabilities continue to affect numerous web applications, even ones developed by major companies. In the past two years, Google awarded researchers more than $1.2 million for these types of flaws.
One potentially efficient solution for mitigating XSS attacks is CSP, a mechanism that allows developers to restrict which scripts can be executed. If policies are configured properly, attackers are not able to load malicious scripts and other resources, even if they manage to inject HTML code into a webpage.
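The policies Google’s guidance favours are nonce-based (“strict”) ones rather than host allow-lists, which are frequently bypassable. As an added example, not Google’s tooling or code, the Python sketch below shows the mechanism end to end: build_csp emits a per-response policy keyed to a fresh nonce, render_page puts that nonce on the one legitimate script tag while escaping user input, and script_allowed is a deliberately simplified model of the browser’s script-src decision (nonces, 'unsafe-inline', 'strict-dynamic', 'self' and host/scheme sources only; it is not a full CSP engine). All origins, paths and the sample policies are constructed for the demonstration.

```python
import html
import secrets
from typing import Dict, List, Optional


def new_nonce() -> str:
    # 128 bits of randomness, URL-safe base64; it must be fresh for every response,
    # otherwise an attacker who learns one nonce can reuse it.
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    # "Strict" policy: only scripts carrying this response's nonce run,
    # 'strict-dynamic' lets those trusted scripts load further scripts,
    # and object-src / base-uri are locked down to close common bypasses.
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https:; "
        "object-src 'none'; base-uri 'none'"
    )


def parse_csp(header: str) -> Dict[str, List[str]]:
    # Directives are ';'-separated, each "name source source ...".
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def script_allowed(policy: Dict[str, List[str]], script_nonce: Optional[str],
                   src_origin: Optional[str], page_origin: str) -> bool:
    # Simplified model of a browser's script-src check. src_origin is None for
    # an inline script, otherwise the origin of the script's src attribute.
    sources = policy.get("script-src", policy.get("default-src", []))
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    if script_nonce is not None and script_nonce in nonces:
        return True
    if src_origin is None:
        # Inline script without a valid nonce: only 'unsafe-inline' permits it,
        # and the browser ignores 'unsafe-inline' once a nonce is present.
        return "'unsafe-inline'" in sources and not nonces
    if "'strict-dynamic'" in sources:
        # Host and scheme allow-lists are ignored once strict-dynamic is set,
        # so a parser-inserted script needs a nonce.
        return False
    if "'self'" in sources and src_origin == page_origin:
        return True
    return any(s == src_origin or (s == "https:" and src_origin.startswith("https://"))
               for s in sources)


def render_page(nonce: str, user_comment: str) -> str:
    # User input is HTML-escaped (the primary defence). Even if escaping were
    # missed somewhere, an injected <script> would not carry the nonce and the
    # policy from build_csp would stop the browser from running it.
    return (
        "<html><body>"
        f'<script nonce="{nonce}" src="/static/app.js"></script>'
        f"<p>{html.escape(user_comment)}</p>"
        "</body></html>"
    )


if __name__ == "__main__":
    nonce = new_nonce()
    print("Content-Security-Policy:", build_csp(nonce))
    print(render_page(nonce, "<script>alert(1)</script>"))
```

The header and the page must be produced by the same request handler so the nonce in the policy and the nonce on the script tag match; a nonce that is cached or hard-coded gives no protection.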
Tomi Engdahl says:
Apple Confirms Weakened Security in Local iOS 10 Backups
http://www.securityweek.com/apple-confirms-weakened-security-local-ios-10-backups
iOS 10 Allows for Brute Force Attacks of 6,000,000 Passwords Per Second to be Attempted on Local Backups
Apple admitted recently to an issue affecting the encryption strength for backups of devices on iOS 10 when backing up to iTunes on the Mac or PC and said a fix would be included in an upcoming update.
Released mid-September, iOS 10 addressed a total of seven vulnerabilities, the most severe of which could be exploited by a man-in-the-middle (MitM) attacker to prevent a device from receiving updates. Because iOS 10 rendered some devices useless, Apple was quick to release iOS 10.0.1, which also included a new fix for one of the “Trident” security flaws patched last month.
Tomi Engdahl says:
U.S. Hacker Pleads Guilty to Stealing Nude Celebrity Photos
http://www.securityweek.com/us-hacker-pleads-guilty-stealing-nude-celebrity-photos
Chicago – A Chicago hacker who stole nude photos from the accounts of at least 30 celebrities pleaded guilty Tuesday in US federal court.
Under a plea agreement with prosecutors, Edward Majerczyk admitted to one count of “unauthorized access to a protected computer to obtain information.”
Prosecutors agreed to ask for a reduced sentence of nine months in prison. The charge carried a maximum sentence of five years.
In 2013 and 2014, Majerczyk hacked into the Apple iCloud and Gmail accounts of celebrities, including actresses Jennifer Lawrence and Brie Larson, and model Kate Upton, and stole photographs of the women in various states of undress.
The photographs were later leaked online, causing a scandal.
Tomi Engdahl says:
Spammers Increasingly Hijacking IPv4 Addresses
http://www.securityweek.com/spammers-increasingly-hijacking-ipv4-addresses
As new IPv4 addresses are more and more difficult to come by, spammers are increasingly hijacking existing IP address ranges for their nefarious purposes, Spamhaus researchers warn.
The issue, researchers explain, is that spammers need a constant flow of fresh IP addresses, because those they use get a bad reputation of being sources of spam quite fast. This issue isn’t new, and spammers are constantly looking for new means of getting fresh IP addresses.
Back in January, researchers accused Verizon of routing over 4 million IP addresses that were in the hands of cybercriminals. At the time, the Internet Service Provider (ISP) was accused of not looking closely at the routing requests, which allowed cybercriminals to use their stolen addresses unhindered.
Now, Spamhaus reveals that spammers are “hijacking existing IP address ranges from under the noses of the legitimate owners and ARIN (American Registry for Internet Numbers),” and that legacy IP address ranges are most targeted by cybercriminals. These addresses, issued before ARIN’s inception in 1997, can’t be revoked even if the yearly fees aren’t paid, meaning that they can lie dormant, sometimes forgotten by the legitimate owners.
Tomi Engdahl says:
Bringing Cybersecurity to the Data Center
http://www.securityweek.com/bringing-cybersecurity-data-center
Data centers are the heart of many enterprises, providing scalable, reliable access to the information and applications that define the organization. As these data centers have become more valuable, so too has the job of securing and monitoring them. However, data centers come with their own unique requirements, challenges, and threats.
Yet, in many ways, data center and virtualized security has been built in the image of the traditional campus network security. The problem is that the data center is not the perimeter. While porting over the models from the perimeter may feel familiar and safe, it can lead to dangerous gaps in security.
Moving Beyond Segmentation to Cyber
Using the network perimeter as its model, the industry has sought to virtualize perimeter controls and move them into the data center. This approach began with the bedrock of perimeter security, the firewall. Initially this included simply porting traditional firewalls to run as virtual machines, and then progressed into more agent-based segmentation models that were closely integrated with the virtualization platform software itself. In both cases, the focus remained on enforcing policy within the data center.
However, creating and enforcing rules is not the same thing as catching an intruder.
Advanced Attacks and Mature Attacks
The problem is that data centers are not simply perimeter 2.0. A data center will often encounter an attacker at a far more mature phase of attack than the perimeter will, and likewise, will experience different types of threats and attack techniques.
Specifically, perimeter threat prevention technologies tend to be heavily focused on detecting an initial compromise or infection (e.g. exploits and malware). The problem is that attackers will often only move against the data center after they have successfully compromised the perimeter.
Getting Behavioral
This is prime example where behavioral threat detection models should come into play. More than simply looking for strange or abnormal user behavior, we also must recognize the fundamental behavior of the attack tools and techniques in the hacker’s arsenal.
Preempt the Silos
Next we must remember that attackers do not conform to our boundaries, and that attacks will often span both the campus side of a network as well as the data center. It is crucial that security teams retain full context of an attack even when it spans both environments.
For example hidden command-and-control traffic, network reconnaissance, lateral movement, the compromise of user and admin credentials can all precede an intrusion into the data center. Each of these phases represents an opportunity to detect an attack and it is important for security teams to see as much of this context as possible before the attack reaches the data center.
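The article’s point that credential compromise and lateral movement precede the data-center intrusion suggests a simple behavioral detector. As an added example (not from the article or its vendor), the Python snippet below parses a few constructed authentication log lines and raises an alert when one account successfully authenticates to four or more distinct hosts inside a ten-minute window, a fan-out pattern that is unusual for ordinary users and typical of an attacker testing stolen credentials across servers. The log format, host and user names, and thresholds are all assumptions made up for the demonstration; a real deployment tunes them against its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sample authentication events (not real logs). One unrelated
# line is included to show that malformed input is skipped, not fatal.
SAMPLE_LOG = """\
2016-09-28T10:00:01 auth user=alice src=ws-12 dst=srv-01 result=success
2016-09-28T10:00:40 auth user=bob src=ws-03 dst=srv-01 result=success
2016-09-28T10:01:10 auth user=alice src=ws-12 dst=srv-02 result=success
2016-09-28T10:01:55 auth user=alice src=ws-12 dst=srv-03 result=success
2016-09-28T10:02:20 auth user=alice src=ws-12 dst=srv-04 result=failure
2016-09-28T10:02:35 auth user=alice src=ws-12 dst=srv-05 result=success
2016-09-28T10:03:00 kernel: unrelated message that does not match the format
2016-09-28T11:30:00 auth user=bob src=ws-03 dst=srv-02 result=success
2016-09-28T13:00:00 auth user=bob src=ws-03 dst=srv-03 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_events(text: str) -> List[dict]:
    # Parse what matches, ignore what does not, and sort by time so the
    # sliding window below sees events in order.
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events: List[dict], window_seconds: int = 600,
                   threshold: int = 4) -> List[dict]:
    # Alert once per account when it successfully authenticates to at least
    # `threshold` distinct hosts within `window_seconds`. Failed logins are
    # excluded here; a separate rule would normally watch those.
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[dict] = []
    alerted = set()
    for event in events:
        if event["result"] != "success":
            continue
        queue = recent[event["user"]]
        queue.append((event["ts"], event["dst"]))
        while queue and (event["ts"] - queue[0][0]).total_seconds() > window_seconds:
            queue.popleft()
        hosts = {dst for _, dst in queue}
        if len(hosts) >= threshold and event["user"] not in alerted:
            alerted.add(event["user"])
            alerts.append({
                "user": event["user"],
                "hosts": sorted(hosts),
                "first": queue[0][0],
                "last": event["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(parse_events(SAMPLE_LOG)):
        print(f"{alert['user']} reached {len(alert['hosts'])} hosts "
              f"between {alert['first']} and {alert['last']}: {alert['hosts']}")
```

The same window logic can be keyed on source host instead of user, or on admin accounts only with a lower threshold; the value of the detection comes from correlating it with the reconnaissance and command-and-control signals the article lists, not from the rule alone.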
Tomi Engdahl says:
1982 editorial about computer security gets it right
http://www.edn.com/electronics-blogs/edn-s-60th-anniversary-collection/4442427/1982-editorial-about-computer-security-gets-it-right-
I was fascinated to find a 1982 column by EDN editor Walt Patstone entitled, “Computer security- accept responsibility now.” Predating the Internet, there is no link to it, so I will post an image of the complete editorial as this column’s final page.
I found the column particularly prescient. Walt builds on the predicted proliferation of interconnected devices to identify the major risk, one which “the spread of distributed computing power leaves society precariously unprotected against catastrophic computer failure, deliberate sabotage or outright data theft.” This was written in 1982, when music still was recorded via mechanical grooves placed onto a vinyl surface!
Indeed, computer security was becoming an issue. In 1978, I attended a seminar from a Stanford professor describing how to crack 64-bit encryption using massively parallel 8-bit microprocessors.
Walt leverages Richard Conniff’s Computer War article of January 1982 to identify key areas prone to risk. I’ve added recent news relative to the prediction:
Military systems – Pentagon hacked
Social security – 21 million numbers stolen
Air traffic control – 20 attacks this year
Private banking theft – routine, Federal Reserve hacked 51 times in past 5 years
The predictions were generally correct, perhaps even tame. What is common to all of these is that the networked aspect of these systems make them vulnerable to attack from afar.
Tomi Engdahl says:
Smartphone Security: For Your Eyes Only
http://semiengineering.com/smartphone-security-for-your-eyes-only/
New biometric security is coming to a phone near you…very near.
Iris recognition is a technology gaining importance in the smartphone market for authentication. It works by shining a near-infrared light at the eye, and then taking an image of the eye to match what has been recorded on the device or in a database. No two iris patterns are the same, even on the same person or in twins. Because the light is used, the authentication even works in the dark. In the Samsung Galaxy Note7, the iris scanner is another camera dedicated to this function, separate from the front and rear main cameras.
Sclera scanners authenticate based on the pattern of blood vessels in the sclera (white part) of the eye. A popular software technology for adding this feature to phones comes from EyeVerify. EyeVerify uses a device’s camera to image and match blood vessel patterns in the eye. There are a number of smartphones currently available with iris or sclera scanners. These include:
Microsoft Lumia 950 XL
Vivo X5Pro
Fujitsu Arrows NX F-04G (first phone to have iris recognition)
ZTE Grand S3
Alcatel Idol 3
UMI Iron
Galaxy Note7
Tomi Engdahl says:
Verizon technician admits he sold customer data for years
And he’s facing five years in prison on federal hacking charges because of it.
https://www.engadget.com/2016/09/28/verizon-technician-stole-customer-call-location-data/
A former Verizon Wireless network technician in Alabama has admitted to using company computers to steal and sell private customers’ location and call data over a period of five years. As Ars Technica reports, Daniel Traeger of Birmingham faces up to five years in prison or a $250,000 fine for the federal hacking charge. As part of a plea deal, Traeger confessed that he sold the data to an unnamed private investigator.
Traeger and the PI made a deal sometime in 2009, when Traeger agreed to provide the information even though he was aware he was not authorized to access the data or provide it to a third party. Using two different internal systems, Traeger accessed call records and pinged the victims’ cellphones to get their location.
Traeger made only $50 per month, or about $25 per record
he was finally caught in 2014
Tomi Engdahl says:
Cyber firm challenges Yahoo claim hack was state-sponsored
http://www.reuters.com/article/us-yahoo-cyber-idUSKCN11Y311
A cyber security company on Wednesday asserted that the hack of 500 million account credentials from Yahoo was the work of an Eastern European criminal gang, adding another layer of intrigue to a murky investigation into the unprecedented data heist.
Arizona-based InfoArmor issued a report whose conclusion challenged Yahoo’s position that a nation-state actor orchestrated the heist, disclosed last week by the internet company. InfoArmor, which provides companies with protection against employee identity theft, said the hacked trove of user data was later sold to at least three clients, including one state-sponsored group.
Tomi Engdahl says:
Sad reality: Look, no one’s going to patch their insecure IoT gear
‘Consumers are ready to roll the dice with their privacy every time they buy a gadget’
http://www.theregister.co.uk/2016/09/29/internet_of_things_security_patching/
If you think ordinary people are going to look out for and apply firmware fixes to patch vulnerabilities in the Internet of Things, you’re crazy.
It’s going to be down to manufacturers to secure IoT devices, Intel Security’s chief technical strategist says, because consumers will cheerfully give away their security and privacy in the name of convenience.
Scott Montgomery said time and time again non-geeks have shown little interest in the security of their IoT gizmos and were willing to put up with major security failings in things like home alarm systems and door locks in exchange for ease of use.
“Internet security and privacy are already tricky and industry hasn’t done a great job of making it more accessible and easier – that’s on us,” he told the Structure Security conference in San Francisco on Wednesday. “But consumers are very, very ready to roll the dice with their privacy every time they buy a gadget.”
A lot of manufacturers aren’t getting the message either, he noted, citing two particularly worrying cases.
Medical equipment was also singled out for his scorn. There are thousands of health-related devices that are connected to the internet, he said, but there was little reason to do so and the results meant that you can pick up their data online with very little effort.
“If you look at any dark web search engine you’ll be able to look at live MRIs going on right now,”
However, industry has got the message on IoT security very clearly, he said, citing Exxon as being a clear leader in the field. The oil giant has been conducting a massive infrastructure overhaul with the intention of adding in IoT sensors from oil wells to refineries.
As part of that, Exxon has told its suppliers to take a much firmer look at how these sensors can be locked down.
US Homeland Security launches IoT willy-waving campaign
Our policies are gonna be the best, ignore all the rest
http://www.theregister.co.uk/2016/09/22/homeland_security_launches_iot_campaign/
The US Department of Homeland Security has announced plans to make the internet-of-things just a bit more complicated – by trying to shove itself into the market with a new security framework.
On Thursday, assistant secretary for cyber policy at the DHS Robert Silvers told the Security of Things Forum in Cambridge, Massachusetts, that his department had decided to develop “a set of strategic principles” for IoT manufacturers that would ensure that security is built into future products.
While no one is going to disagree about the need for drastically improved security in this market, there are already a number of other government departments working on the issue, including the Federal Trade Commission (FTC), the Department of Commerce, and the Department of Transportation – begging the question why the DHS should get involved at all.
Tomi Engdahl says:
Michael Kan / PCWorld:
Security firm InfoArmor says hackers-for-hire, not state-sponsored actors, breached Yahoo, and have sold the entire database three times, once for $300K+ — Elite hackers-for-hire were actually behind the breach, according to InfoArmor — Common criminals, not state-sponsored hackers …
Yahoo hackers weren’t state-sponsored, a security firm says
Elite hackers-for-hire were actually behind the breach, according to InfoArmor
http://www.pcworld.com/article/3125598/security/the-yahoo-hackers-werent-state-sponsored-a-security-firm-says.html
Common criminals, not state-sponsored hackers, carried out the massive 2014 data breach that exposed information about millions of Yahoo user accounts, a security firm said Wednesday.
Yahoo has blamed state actors for the attack, but it was actually elite hackers-for-hire who did it, according to InfoArmor, which claims to have some of the stolen information.
The independent security firm found the alleged data as part of its investigation into “Group E,” a team of five professional hackers believed to be from Eastern Europe.
“According to our information, most of the group’s clientele are spammers,”
InfoArmor’s claims dispute Yahoo’s contention that a “state-sponsored actor” was behind the data breach, in which information from 500 million user accounts was stolen. Some security experts have been skeptical of Yahoo’s claim and wonder why the company isn’t offering more details.
Group E has sold the stolen Yahoo database in three private deals, Komarov said. At one point, the Yahoo database was sold for at least $300,000, he said. His firm has been monitoring the group’s activities for more than three years.
New York Times:
Sources: after hacks and questions about security, Marissa Mayer denied Yahoo security team financial resources, rejected proposal to reset all user passwords
Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say
http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html?_r=0
Six years ago, Yahoo’s computer systems and customer email accounts were penetrated by Chinese military hackers. Google and a number of other technology companies were also hit.
The Google co-founder Sergey Brin regarded the attack on his company’s systems as a personal affront and responded by making security a top corporate priority. Google hired hundreds of security engineers with six-figure signing bonuses, invested hundreds of millions of dollars in security infrastructure and adopted a new internal motto, “Never again,” to signal that it would never again allow anyone — be they spies or criminals — to hack into Google customers’ accounts.
Yahoo, on the other hand, was slower to invest in the kinds of defenses necessary to thwart sophisticated hackers that are now considered standard in Silicon Valley
When Marissa Mayer took over as chief executive of the flailing company in mid-2012, security was one of many problems she inherited. With so many competing priorities, she emphasized creating a cleaner look for services
The “Paranoids,” the internal name for Yahoo’s security team, often clashed with other parts of the business over security costs.
But Yahoo’s choices had consequences, resulting in a series of embarrassing security failures over the last four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the Federal Bureau of Investigation.
Certainly, many big companies have struggled with cyberattacks in recent years. But Yahoo’s security efforts appear to have fallen short, in particular, when compared with those of banks and other big tech companies.
But when it came time to commit meaningful dollars to improve Yahoo’s security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo’s security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo’s production systems. Over the last few years, employees say, the Paranoids have been routinely hired away by competitors like Apple, Facebook and Google.
“Yahoo’s policy is that if we believe a user’s password has been compromised, we lock the account until the user resets the password,” Ms. Philion said.
With the 500 million accounts involved in the breach disclosed last week, the stolen passwords were encrypted. Yahoo concluded the risk of misuse was low so it notified users and encouraged them to reset their passwords themselves.
Tomi Engdahl says:
Sam Biddle / The Intercept:
Leaked document: Apple records some metadata related to whom you’re trying to contact on iMessage, including your IP address, and stores it for 30 days
Apple Logs Your iMessage Contacts — and May Share Them With Police
https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/
Apple promises that your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and share this (and other potentially sensitive metadata) with law enforcement when compelled by court order.
Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.
Phone companies routinely hand over metadata about calls to law enforcement in response to pen register warrants. But it’s noteworthy that Apple is able to provide information on iMessage contacts under such warrants given that Apple and others have positioned the messaging platform as a particularly secure alternative to regular texting.
Tomi Engdahl says:
Alex Kantrowitz / BuzzFeed:
Facebook disabled the accounts of several prominent Palestinian journalists last week, then admitted the error and restored them, a continuing pattern
Facebook’s Suspensions Of Political Speech Are Now A Pattern
https://www.buzzfeed.com/alexkantrowitz/facebooks-suspensions-of-political-speech-are-now-a-pattern?utm_term=.fgJjW6X2k#.unRE5DKOy
The social platform’s temporary suspension of several Palestinian journalists’ accounts is its latest “error,” with no policy change in sight.
Facebook, a vital forum for online speech, can’t seem to stop removing significant political content from its platform.
Last week, the company disabled several prominent Palestinian journalists’ accounts, following user reports that they were violating Facebook standards. These weren’t small-time reporters — they’re people who manage pages followed by millions. Facebook later reinstated their accounts, blaming their removal on an error: “The pages were removed in error and restored as soon as we were able to investigate,” a Facebook spokesperson said, using an excuse that didn’t need dusting off, since Facebook has offered variations of it at least four times in the past six months.
“We sometimes get things wrong.”
After four such errors in six months, Facebook’s takedowns seem less like occasional missteps and more like symptoms of a flawed policy that needs to be addressed.
Tomi Engdahl says:
Taking a U2F Hardware Key from Design to Production
http://hackaday.com/2016/09/29/taking-a-u2f-hardware-key-from-design-to-production/
Building a circuit from prototyping to printed circuit board assembly is within the reach of pretty much anyone with the will to get the job done. If that turns out to be something that everyone else wants, though, the job gets suddenly much more complex. This is what happened to [Conor], who started with an idea to create two-factor authentication tokens and ended up manufacturing and selling them on Amazon. He documented his trials and tribulations along the way; it’s both an interesting and perhaps cautionary tale.
[Conor]’s tokens themselves are interesting in their simplicity: they use an Atmel ATECC508A specifically designed for P-256 signatures and keys, and the cheapest USB-enabled microcontroller he could find: a Silicon Labs EFM8UB1. His original idea was to solder all of the tokens over the course of one night, which is of course overly optimistic. Instead, he had the tokens fabricated and assembled before being shipped to him for programming.
Designing and Producing 2FA tokens to Sell on Amazon
https://conorpp.com/2016/09/23/designing-and-producing-2fa-tokens-to-sell-on-amazon/
I made a two factor authentication token and have made it available on Amazon. In this post I’ll talk about the design, how I produced it affordably, and some metrics about selling on Amazon. If you’re interested in doing something similar, you can copy everything as it’s all open source.
It uses the U2F protocol, which is a standard developed by the FIDO Alliance and Google. U2F uses challenge-response for authentication and is based on the P-256 NIST Elliptic Curve. FIDO additionally provides U2F standards for transports like USB, Bluetooth, and NFC which makes a project like this ideal.
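The challenge-response flow that U2F builds on P-256, as an added example and not [Conor]’s code or a FIDO reference implementation: a software token that keeps one key per registration and signs server challenges together with a use counter, and a relying party that verifies the signature and refuses replays. The app ID, the client-data JSON and the 32-byte key-handle format are constructed for the example; the byte layout that is signed follows the U2F raw message format. Go is used here to model the exchange, not the EFM8 firmware of the product above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token stands in for a U2F authenticator: one P-256 key per registration plus a single use counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey // indexed by key handle
	counter uint32
}

// Register creates a key pair for one relying party (appID) and returns the key
// handle (a random 32-byte label here; an assumption) and the public key the server stores.
func (t *Token) Register(appID string) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	handle := make([]byte, 32)
	if _, err := rand.Read(handle); err != nil {
		return nil, nil, err
	}
	t.keys[string(handle)] = priv
	return handle, &priv.PublicKey, nil
}

// signedData is what U2F signs: SHA-256(appID) || user-presence byte ||
// counter (big-endian) || SHA-256(clientData); clientData carries the server's challenge.
func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append([]byte{}, appHash[:]...)
	buf = append(buf, presence)
	buf = append(buf, ctr[:]...)
	return append(buf, cdHash[:]...)
}

// Authenticate answers a challenge with the key behind handle, returning the counter used and a DER ECDSA signature.
func (t *Token) Authenticate(appID string, handle, clientData []byte) (uint32, []byte, error) {
	priv, ok := t.keys[string(handle)]
	if !ok {
		return 0, nil, fmt.Errorf("unknown key handle")
	}
	t.counter++ // the user-presence test (button touch) is taken as passed
	digest := sha256.Sum256(signedData(appID, 1, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}

// Registration is the relying party's stored record for one token.
type Registration struct {
	Pub         *ecdsa.PublicKey
	LastCounter uint32
}

// Verify requires the signature to cover this server's challenge and the counter
// to have increased, so a replayed response or a cloned token is refused.
func (r *Registration) Verify(appID string, clientData []byte, counter uint32, sig []byte) error {
	digest := sha256.Sum256(signedData(appID, 1, counter, clientData))
	if !ecdsa.VerifyASN1(r.Pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	if counter <= r.LastCounter {
		return fmt.Errorf("counter did not increase: replay or cloned token")
	}
	r.LastCounter = counter
	return nil
}

// Demo registers once, then checks a genuine response, a replay of it, and a
// response signed over a challenge the server never issued.
func Demo() (genuineOK, replayRejected, wrongChallengeRejected bool, err error) {
	const appID = "https://example.test" // constructed relying-party app ID
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}}
	handle, pub, err := tok.Register(appID)
	if err != nil {
		return
	}
	reg := &Registration{Pub: pub}
	// Constructed client data; a real server puts a fresh random challenge here.
	clientData := []byte(`{"typ":"navigator.id.getAssertion","challenge":"constructed-1","origin":"https://example.test"}`)
	other := []byte(`{"typ":"navigator.id.getAssertion","challenge":"not-ours","origin":"https://example.test"}`)
	counter, sig, err := tok.Authenticate(appID, handle, clientData)
	counter2, sig2, err2 := tok.Authenticate(appID, handle, other)
	if err != nil || err2 != nil {
		return false, false, false, fmt.Errorf("authenticate: %v %v", err, err2)
	}
	genuineOK = reg.Verify(appID, clientData, counter, sig) == nil
	replayRejected = reg.Verify(appID, clientData, counter, sig) != nil
	wrongChallengeRejected = reg.Verify(appID, clientData, counter2, sig2) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The counter is what makes U2F more than a signature scheme: a token whose secret has been copied will eventually present a counter value the server has already seen, which is the only clone signal the relying party gets.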
Tomi Engdahl says:
Apple Shares Some iMessage Metadata with Law Enforcement
New documents reveal what Apple shares with law enforcement
Read more: http://news.softpedia.com/news/apple-shares-some-imessages-metadata-with-law-enforcement-508752.shtml#ixzz4LieJgYJv
Apple Logs Your iMessage Contacts — and May Share Them With Police
https://theintercept.com/2016/09/28/apple-logs-your-imessage-contacts-and-may-share-them-with-police/
Apple promises that your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and share this (and other potentially sensitive metadata) with law enforcement when compelled by court order.
Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.
This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,”
Tomi Engdahl says:
Russian hackers target MH17 journalists for embarrassing Putin
State threat actors are a reality for today’s scribes
http://www.theregister.co.uk/2016/09/29/russian_hackers_target_mh17_journos/
Journalists investigating the downing of the MH17 flight over eastern Ukraine in 2014 have been hacked by Russia, according to security intelligence outfit ThreatConnect.
Investigative journalism group Bellingcat, whose reports were consulted by the JIT during the investigation, were targeted in a series of sophisticated hacks.
These assaults included spearphishing, credential harvesting, SMS spoofing and more, as explained in a blog post by ThreatConnect.
“[Bellingcat founder Eliot] Higgins shared data with ThreatConnect that indicates Bellingcat has come under sustained targeting by Russian threat actors, which allowed us to identify a 2015 spearphishing campaign that is consistent with FANCY BEAR’s tactics, techniques, and procedures.”
“Organisations which negatively impact Russia’s image can expect cyber operations intended to retaliate or maliciously affect them,”
Tomi Engdahl says:
‘Syrian Electronic Army’ goon extradited from Germany now coughs to hacking, extortion
His crime boss The Shadow remains at large
http://www.theregister.co.uk/2016/09/29/syrian_electronic_army_guilty/
An associate of the self-styled Syrian Electronic Army has been sentenced to five years in an American prison for his part in running a cyber extortion scheme against businesses around the world.
On Wednesday, Syrian-born Peter Romar, 37, pled guilty in a Virginia district court to conspiring to unlawfully access computers and to receive extortion proceeds from the hacking. Romar, who was extradited from Germany where he had emigrated, will be sentenced on October 21. He faces a maximum of five years in prison.
“Today’s guilty plea is by the latest international offender who believed that he could operate from abroad, behind the perceived veil of anonymity offered by the Internet, and use computers to threaten the security of our citizens and their property,” said assistant attorney general John Carlin.
Tomi Engdahl says:
Hackers have attempted more intrusions into voter databases, FBI director says
https://www.washingtonpost.com/world/national-security/hackers-have-attempted-more-intrusions-into-voter-databases-fbi-director-says/2016/09/28/03d4c942-859f-11e6-ac72-a29979381495_story.html
Hackers have attempted more intrusions into voter registration databases since those reported this summer, the FBI director said Wednesday, and federal officials are urging state authorities to gird their systems against possible other attacks.
Testifying before the House Judiciary Committee, FBI Director James B. Comey said that the bureau had detected scanning activities — essentially hackers scoping out a potential attack — as well as some actual attempted intrusions into voter registration databases.
“We are urging the states just to make sure that their deadbolts are thrown and their locks are on, and to get the best information they can from”
Federal officials have been closely watching attempted hacking of the U.S. election system. Russia is believed to be behind the high-profile hack of Democratic National Committee computers, and the FBI told Arizona officials in June that Russians tried to access their system.
That hack shut down the voter registration system for a week, although it turned out that the hackers had not compromised the state system or even any county system. Illinois officials said they discovered a successful breach in which hackers were able to retrieve a small percentage of voter records
Russian Foreign Ministry spokeswoman Maria Zakharova said the country does not interfere with U.S. elections “because we respect the Americans,” according to an Interfax news agency article.
Tomi Engdahl says:
Europol report reveals rise in child sex abuse online
http://www.bbc.com/news/world-europe-37494784
Sex offenders are using increasingly sophisticated techniques to target children online and investment is needed for the technologies to track them, Europe’s police agency warns.
In its cyber crime report, Europol said the use of encrypted tools, which enable offenders to stay anonymous, were now “becoming the norm”.
With millions of children online, access to them was “higher than ever”.
Cybercrime reporting in Europe had surpassed traditional crimes, it said.
Europol called the ability for child sex offenders to communicate, store and share materials and hunt for new victims online “one of the internet’s most damaging and abhorrent aspects”.
It said they were targeting social networks, online games and forums used mainly by children – and then encouraging a groomed child to continue communication on encrypted platforms that allow the sharing of chat, video and photos.
Tomi Engdahl says:
Mozilla Wants to Drop WoSign as Trusted CA
https://threatpost.com/mozilla-wants-to-drop-wosign-as-trusted-ca/120912/
Mozilla has accused a Chinese Certificate Authority of back-dating SHA-1 certificates to get around restrictions barring deprecated certs from being trusted, and is ready to ban the CA for one year. The back-dating is just one of many violations derived after a lengthy investigation of WoSign and one of its subsidiaries, StartCom. In addition to consistently back-dating SHA-1 certs, WoSign is accused of mis-issuing certificates for GitHub to a customer, allowing arbitrary domain names to be included in certs without validating them, failing to report its acquisition of StartCom as CAs are required to do. A report published Monday by Mozilla lists numerous other infractions that go against requirements put forth by the CA/Browser Forum’s published baseline requirements.
“Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Mozilla said in its report. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands.”
See more at: Mozilla Wants to Drop WoSign as Trusted CA https://wp.me/p3AjUX-vsc
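Three of the violations listed above can be expressed as mechanical checks over an issued certificate: a SHA-1 signature with a notBefore on or after the Baseline Requirements’ 1 January 2016 cut-off, a notBefore that sits well before the first independent sighting of the certificate (the back-dating pattern), and a SAN the subscriber never proved control of. The Go below is an added example written for this note, not Mozilla’s or any CA’s tooling; the 48-hour back-dating tolerance and the three constructed certificates (field values only, no real signatures) are assumptions.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
	"time"
)

// sha1Sunset: the CA/Browser Forum Baseline Requirements forbid issuing
// SHA-1 signed subscriber certificates from 1 January 2016.
var sha1Sunset = time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)

// backdateTolerance: how far notBefore may precede the first independent sighting
// (e.g. a CT log entry) before it is reported as back-dating. Chosen for this example.
const backdateTolerance = 48 * time.Hour

func isSHA1(alg x509.SignatureAlgorithm) bool {
	return alg == x509.SHA1WithRSA || alg == x509.ECDSAWithSHA1 || alg == x509.DSAWithSHA1
}

// covered reports whether a SAN is one of the validated domains or a subdomain of one.
func covered(name string, validated []string) bool {
	name = strings.ToLower(strings.TrimPrefix(name, "*."))
	for _, v := range validated {
		v = strings.ToLower(v)
		if name == v || strings.HasSuffix(name, "."+v) {
			return true
		}
	}
	return false
}

// Lint checks a parsed certificate against the issuance record the CA should hold:
// when it was first seen (zero time if unknown) and which domains were validated.
func Lint(cert *x509.Certificate, firstSeen time.Time, validated []string) []string {
	var findings []string
	if isSHA1(cert.SignatureAlgorithm) && !cert.NotBefore.Before(sha1Sunset) {
		findings = append(findings, "SHA-1 signature on a certificate dated on/after 2016-01-01")
	}
	if !firstSeen.IsZero() && firstSeen.Sub(cert.NotBefore) > backdateTolerance {
		findings = append(findings, fmt.Sprintf("notBefore %s precedes first sighting %s by more than %s: possible back-dating",
			cert.NotBefore.Format(time.RFC3339), firstSeen.Format(time.RFC3339), backdateTolerance))
	}
	for _, n := range cert.DNSNames {
		if !covered(n, validated) {
			findings = append(findings, "SAN "+n+" is outside the domains validated for this subscriber")
		}
	}
	return findings
}

// Demo lints three constructed certificates and returns the number of findings for each.
func Demo() []int {
	d := func(y int, m time.Month, day int) time.Time { return time.Date(y, m, day, 0, 0, 0, 0, time.UTC) }
	cases := []struct {
		cert      *x509.Certificate
		firstSeen time.Time
		validated []string
	}{
		// compliant: SHA-256, first seen an hour after notBefore, names inside the validated domain
		{&x509.Certificate{SignatureAlgorithm: x509.SHA256WithRSA, NotBefore: d(2016, 6, 1),
			DNSNames: []string{"www.example.test"}}, d(2016, 6, 1).Add(time.Hour), []string{"example.test"}},
		// SHA-1 cert dated just before the deadline but first seen well after it
		{&x509.Certificate{SignatureAlgorithm: x509.SHA1WithRSA, NotBefore: d(2015, 12, 20),
			DNSNames: []string{"example.test"}}, d(2016, 1, 10), []string{"example.test"}},
		// SHA-1 cert dated after the deadline carrying a name the subscriber never validated
		{&x509.Certificate{SignatureAlgorithm: x509.SHA1WithRSA, NotBefore: d(2016, 2, 1),
			DNSNames: []string{"www.example.test", "somebody-else.test"}}, time.Time{}, []string{"example.test"}},
	}
	counts := make([]int, len(cases))
	for i, c := range cases {
		f := Lint(c.cert, c.firstSeen, c.validated)
		counts[i] = len(f)
		for _, msg := range f {
			fmt.Printf("cert %d: %s\n", i, msg)
		}
	}
	return counts
}

func main() { fmt.Println("findings per certificate:", Demo()) }
```

In practice firstSeen comes from a CT log timestamp or the CA’s own issuance database; the point of the back-dating check is that notBefore is asserted by the CA itself, so it only means something when cross-checked against a record the CA cannot quietly edit.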
Tomi Engdahl says:
Jessica Conditt / Engadget:
FCC votes to expand emergency text alerts from 90 to 360 characters, add support for embedded photos and links — The FCC has voted to strengthen the Wireless Emergency Alerts system, which sends warnings about missing children, natural disasters and other dangerous events directly to citizens’ cell phones.
Wireless Emergency Alerts are about to get more detailed
The FCC voted to expand the WEA system, including the establishment of a new class of alerts.
https://www.engadget.com/2016/09/29/amber-alerts-wireless-emergency-more-power-fcc/
The FCC has voted to strengthen the Wireless Emergency Alerts system, which sends warnings about missing children, natural disasters and other dangerous events directly to citizens’ cell phones. The new rules allow government officials to write up to 360 characters, rather than 90, for 4G LTE and future networks, and it requires participating carriers to support the use of embedded phone numbers and links in all alerts.
Tomi Engdahl says:
Threats come in many shapes and sizes. Here are security technologies to layer in your security stack: Next Generation Threat Prevention, Firewall, Application Control, Anti-Bot, Antivirus, Identity Awareness, Anti-Spam and Email Security, Intrusion Prevention System, and URL Filtering.
Virtual patching protects against exploits of unannounced vulnerabilities and bridges the gap until patches for known vulnerabilities are available and can be deployed.
Switching among consoles to manage security for each network segment is inefficient and promotes making configuration errors that degrade security. Managing all security functions, segments and environments through one console streamlines management for stronger security that is also easier to manage.
Implement unified controls across all networks, systems, endpoints and environments including traditional, cloud, virtual, mobile, IoT, and hybrids.
Source: https://www.checkpoint.com/downloads/resources/2016-security-report.pdf
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Exploit broker Zerodium triples bounty to $1.5M for iOS, and doubles bounty for Android to $200K — Zerodium triples price for iOS exploits, doubles Android bounties to $200,000. — A controversial broker of security exploits is offering $1.5 million (£1.2 million) …
iPhone exploit bounty surges to an eye-popping $1.5 million
Zerodium triples price for iOS exploits, doubles Android bounties to $200,000.
http://arstechnica.com/security/2016/09/1-5-million-bounty-for-iphone-exploits-is-sure-to-bolster-supply-of-0days/
A controversial broker of security exploits is offering $1.5 million (£1.2 million) for attacks that work against fully patched iPhones and iPads, a bounty that’s triple the size of its previous one.
Zerodium also doubled, to $200,000, the amount it will pay for attacks that exploit previously unknown vulnerabilities in Google’s competing Android operating system, and the group raised the amount for so-called zeroday exploits in Adobe’s Flash media player to $80,000 from $50,000. After buying the working exploits, the company then sells them to government entities, which use them to spy on suspected criminals, terrorists, enemies, and other targets.
Tomi Engdahl says:
Jon Brodkin / Ars Technica:
AT&T ends its Internet Preferences program, which analyzed user browsing habits to better target ads — Controversial traffic scanning program, Internet Preferences, meets its demise. — AT&T is getting rid of Internet Preferences, the controversial program that analyzes home Internet …
AT&T to end targeted ads program, give all users lowest available price
Controversial traffic scanning program, Internet Preferences, meets its demise.
http://arstechnica.com/information-technology/2016/09/att-to-end-targeted-ads-program-give-all-users-lowest-available-price/
AT&T is getting rid of Internet Preferences, the controversial program that analyzes home Internet customers’ Web browsing habits in order to serve up targeted ads.
“To simplify our offering for our customers, we plan to end the optional Internet Preferences advertising program related to our fastest Internet speed tiers,” an AT&T spokesperson confirmed to Ars today. “As a result, all customers on these tiers will receive the best rate we have available for their speed tier in their area. We’ll begin communicating this update to customers early next week.”
Data collection and targeted ads will be shut off, AT&T also confirmed.
Tomi Engdahl says:
Michael Mimoso / Threatpost:
Mozilla accuses Chinese certificate authority WoSign of back-dating SHA-1 certificates and other violations, proposes no longer trusting WoSign certificates
Mozilla Wants to Drop WoSign as Trusted CA
https://threatpost.com/mozilla-wants-to-drop-wosign-as-trusted-ca/120912/
Tomi Engdahl says:
Criticize Donald Trump, get your site smashed offline from Russia
Newsweek Cuban connection story enrages miscreants
http://www.theregister.co.uk/2016/09/30/criticizing_donald_trump_will_get_you_ddosed_off_the_internet/
It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.
The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.
The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.
Newsweek Website Attacked After Report On Trump, Cuban Embargo
http://talkingpointsmemo.com/livewire/dos-hack-newsweek-trump-cuba-embargo-story
The editor-in-chief of Newsweek confirmed Friday that the magazine’s website was on the receiving end of a denial-of-service attack Thursday night, following the publication of a story accusing one of Donald Trump’s companies of violating the Cuban trade embargo.
Editor-In-Chief Jim Impoco noted that the attack came as the story earned national attention.
Later Friday afternoon, Impoco emailed TPM that in an initial investigation, the “main” IP addresses linked to the attack were found to be Russian. It should be noted that it is possible to fake an IP address.
“As with any DDoS attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything,” he wrote. “We are still investigating.”
A DoS attack makes sites completely unavailable to their intended users. Many noted that Newsweek’s website was down last night, initially assuming that it was due to high traffic on the Cuba piece. But Eichenwald tweeted Friday morning that the actual issue was an attack on the magazine’s website
Denial-of-service attacks may be considered a federal crime under the Computer Fraud and Abuse Act.
Tomi Engdahl says:
Security News This Week: FBI Finds Hackers Poking Around More Voter Registry Sites
https://www.wired.com/2016/10/security-news-week-fbi-finds-hackers-poking-around-voter-registry-sites/
Concern about potential election tampering continued this week. As noted in the roundup below, the FBI found evidence that hackers have been assessing the defenses of voter registries around the country and the cell phones of some Democratic party officials. But election officials aren’t the only ones on high alert. A bombing in New York City led the FCC to reassess its emergency text alert guidelines this week, and Tesla turned a hack of its Tesla S into an opportunity to launch code signing, a fundamentally more secure way to verify code.
FBI Says Voter Registration Databases Are Still a Target for Hackers
FBI Director James Comey told Congress on Wednesday that the bureau has observed probing and remote monitoring of voter registration databases, indicating that hackers may be targeting the sites. Official sources told ABC News, CNN and other outlets that the FBI suspects a Russian connection. Databases of voters in Illinois and Arizona had already been compromised over the summer. “There have been a variety of scanning activities, which is a preamble for potential intrusion activities,” Comey said.
Tomi Engdahl says:
French Banks Offer Credit Card Numbers That Change Every Hour
https://tech.slashdot.org/story/16/10/02/1929242/french-banks-offer-credit-card-numbers-that-change-every-hour
What if the numbers on your card changed every hour so that, even if a fraudster copied them, they’d quickly be out of date? That’s exactly what two French banks are starting to do with their new high-tech ebank cards… The three digits on the back of this card will change, every hour, for three years. And after they change, the previous three digits are essentially worthless, and that’s a huge blow for criminals…
This high-tech card is being rolled out by French banks to eliminate fraud
http://www.thememo.com/2016/09/27/oberthur-technologies-societe-generale-groupe-bpce-bank-this-high-tech-card-is-being-rolled-out-by-french-banks-to-eliminate-fraud/
Your bank security is pretty broken. It’s not your fault, it’s just really hard to keep people’s money safe, especially online.
Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something’s up.
They’re getting away with millions, and it’s a problem affecting over half a million people in the first half of 2016 alone.
Normally by the time you get around to actually cancelling your card, it’s all too late.
But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they’d quickly be out of date?
That’s exactly what two French banks are starting to do with their new high-tech ebank cards.
The three digits on the back of this card will change, every hour, for three years.
“MotionCode is exactly what you’re doing today – copying the three digits from the back of your card – but with a huge additional level of security.”
As most fraud happens a few hours or days after your card details are actually taken, this would leave criminals essentially with a bunch of useless numbers.
Tomi Engdahl says:
Splunk CTO Urges Collaboration Against Cyberattacks – And ‘Shapeshifting’ Networks
https://developers.slashdot.org/story/16/10/02/2337218/splunk-cto-urges-collaboration-against-cyberattacks—and-shapeshifting-networks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
“The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defense,” says the CTO of Splunk — because the labor is cheap, the tools are free, and the resources are stolen. “He says what’s needed to bring down the cost of defense is collaboration between the public sector, academia and private industry…the space race for this generation,” reports Slashdot reader davidmwilliams.
Cyber defence collaboration to be the space race of our generation
http://www.itwire.com/enterprise-solutions/75026-cyber-defence-collaboration-to-be-the-space-race-of-our-generation.html
1. Cybernomics
Number one on Snehal’s list is what he labels “cybernomics.”
“The cost of cyber attacks is 1/10th to 1/100th the cost of cyber defence,” he said. This is because attack tools are freely distributed, the computing resources are stolen, and because the labour costs in state-sponsored attacks are typically low.
“This creates an unsustainable trajectory from a cyber-defence checkpoint. We have to fundamentally change the economics of cyber defence to a thousandth.”
This cannot be performed in isolation. “It will take tremendous collaboration across the public sector, academia and private business,” Snehal stated.
“This will be a collaboration not seen since the space race. I believe this will be the space race of our generation.
“This will be achieved through six levers,”
2. Data storytelling
Snehal describes “data storytelling” as the last mile of analytics. “It will become absolutely critical,” he states.
“Storytelling is getting these complex insights and analytics so as many people can consume the information as possible – it’s truly telling stories of the data. That’s the ‘last mile’ of analytics,”
3. IoT as a business data source
The Internet of Things – or IoT – is well-established with industrial systems and SCADA systems. Yet, Snehal sees it as a vital data source for business analytics in time and will drive much higher business outcomes.
Tomi Engdahl says:
How to steal the mind of an AI: Machine-learning models vulnerable to reverse engineering
Think SQL injections on steroids
http://www.theregister.co.uk/2016/10/01/steal_this_brain/
Amazon, Baidu, Facebook, Google and Microsoft, among other technology companies, have been investing heavily in artificial intelligence and related disciplines like machine learning because they see the technology enabling services that become a source of revenue.
Consultancy Accenture earlier this week quantified this enthusiasm, predicting that AI “could double annual economic growth rates by 2035 by changing the nature of work and spawning a new relationship between man and machine” and by boosting labor productivity by 40 per cent.
But the machine learning algorithms underpinning this harmonious union of people and circuits aren’t secure.
In a paper [PDF] presented in August at the 25th Annual Usenix Security Symposium, researchers at École Polytechnique Fédérale de Lausanne, Cornell University, and The University of North Carolina at Chapel Hill showed that machine learning models can be stolen and that basic security measures don’t really mitigate attacks.
Machine learning models may, for example, accept image data and return predictions about what’s in the image.
Stealing Machine Learning Models via Prediction APIs
https://regmedia.co.uk/2016/09/30/sec16_paper_tramer.pdf
Tomi Engdahl says:
Catherine Stupp / EurActiv.com:
EU proposes new export controls for cyber-surveillance technologies to places where they can be used to damage human rights
Commission proposes export controls to rein in surveillance technologies, to industry fury
http://www.euractiv.com/section/digital/news/commission-proposes-export-controls-to-rein-in-surveillance-technologies-angering-firms/
EU companies are about to get hit with a controversial new export control law that faced a wave of criticism this summer from technology firms that fear that it will destroy their business abroad.
The European Commission proposed changes today (28 September) to a seven-year-old law requiring special export controls for so-called dual-use items that can be used for military or civil use. Under the new rules, surveillance technologies will fall under an EU export control law for the first time.
But the bill may be tripped up once it moves into negotiations with national governments and the European Parliament. A group of diplomats from nine EU countries – Austria, Finland, France, Germany, Poland, Slovenia, Spain, Sweden and the UK – sent the Commission a memo objecting to the new law’s restrictions on technology products that could cut into companies’ business outside the EU.
Tomi Engdahl says:
Are Flawed Languages Creating Bad Software?
https://developers.slashdot.org/story/16/10/01/2249256/are-flawed-languages-creating-bad-software
“Most software, even critical system software, is insecure Swiss cheese held together with duct tape, bubble wrap, and bobby pins…” writes TechCrunch.
Everything is terrible because the fundamental tools we use are, still, so flawed that when used they inevitably craft terrible things… Almost all software has been bug-ridden and insecure for so long that we have grown to think that this is the natural state of code. This learned helplessness is not correct. Everything does not have to be terrible…
Learned helplessness and the languages of DAO
https://techcrunch.com/2016/10/01/learned-helplessness-and-the-languages-of-dao/
Everything is terrible. Most software, even critical system software, is insecure Swiss cheese held together with duct tape, bubble wrap, and bobby pins. See eg this week’s darkly funny post “How to Crash Systemd in One Tweet.” But it’s not just systemd, not just Linux, not just software; the whole industry is at fault. We have taught ourselves, wrongly, that there is no alternative.
Systemd is an integral component of most Linux distributions, used to boot the system, among other things. Ayer found a very simple way to crash it
Everything is terrible because the fundamental tools we use are, still, so flawed that when used they inevitably craft terrible things. This applies to software ranging from low-level components like systemd, to the cameras and other IoT devices recently press-ganged into massive DDoS attacks —
— to high-level science-fictional abstractions like the $150 million Ethereum DAO catastrophe. Almost all software has been bug-ridden and insecure for so long that we have grown to think that this is the natural state of code. This learned helplessness is not correct. Everything does not have to be terrible.
In principle, code can be proved correct with formal verification. This is a very difficult, time-consuming, and not-always-realistic thing to do; but when you’re talking about critical software, built for the long term, that conducts the operation of many millions of machines, or the investment of many millions of dollars, you should probably at least consider it.
Less painful and rigorous, and hence more promising, is the langsec initiative:
The Language-theoretic approach (LANGSEC) regards the Internet insecurity epidemic as a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks. LANGSEC posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language, and the respective input-handling routines as a recognizer for that language.
…which is moving steadily into the real world, and none too soon, via vectors such as the French security company Prevoty.
As mentioned, programming languages themselves are a huge problem. Vast experience has shown us that it is unrealistic to expect programmers to write secure code in memory-unsafe languages. (Hence my “Death to C” post last year.)
“However, I see improvement on the horizon. Go and Rust are compelling, safe languages for writing the type of systems software that has traditionally been written in C.”
The best is the enemy of the good.
Let’s move towards writing system code in better languages, first of all — this should improve security and speed. Let’s move towards formal specifications and verification of mission-critical code.
And when we’re stuck with legacy code and legacy systems, which of course is still most of the time, let’s do our best to learn how to make it incrementally better, by focusing on the basic precepts and foundations of programming
I write this as large swathes of the industry are moving away from traditional programming and towards the various flavors of AI. How do we formally specify a convoluted neural network? How does langsec apply to the real-world data we feed to its inputs?
Tomi Engdahl says:
How to Crash Systemd in One Tweet
https://www.agwa.name/blog/post/how_to_crash_systemd_in_one_tweet
The following command, when run as any user, will crash systemd
The bug is remarkably banal. The above systemd-notify command sends a zero-length message to the world-accessible UNIX domain socket
The immediate question raised by this bug is what kind of quality assurance process would allow such a simple bug to exist for over two years
Systemd’s problems run far deeper than this one bug. Systemd is defective by design. Writing bug-free software is extremely difficult.
In particular, any code that accepts messages from untrustworthy sources like systemd-notify should run in a dedicated process as an unprivileged user. The unprivileged process parses and validates messages before passing them along to the privileged process. This is called privilege separation and has been a best practice in security-aware software for over a decade. Systemd, by contrast, does text parsing on messages from untrusted sources, in C, running as root in PID 1.
The Linux ecosystem has fallen behind other operating systems in writing secure and robust software. While Microsoft was hardening Windows and Apple was developing iOS, open source software became complacent. However, I see improvement on the horizon. Heartbleed and Shellshock were wake-up calls that have led to increased scrutiny of open source software. Go and Rust are compelling, safe languages for writing the type of systems software that has traditionally been written in C. Systemd is dangerous not only because it is introducing hundreds of thousands of lines of complex C code without any regard to longstanding security practices like privilege separation or fail-safe design, but because it is setting itself up to be irreplaceable. Systemd is far more than an init system: it is becoming a secondary operating system kernel, providing a log server, a device manager, a container manager, a login manager, a DHCP client, a DNS resolver, and an NTP client.
Consider systemd’s DNS resolver. DNS is a complicated, security-sensitive protocol.
It is not too late to stop this. Although almost every Linux distribution now uses systemd for their init system, init was a soft target for systemd because the systems they replaced were so bad. That’s not true for the other services which systemd is trying to replace such as network management, DNS, and NTP. Systemd offers very few compelling features over existing implementations, but does carry a large amount of risk.
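The LANGSEC idea quoted in the previous comment (treat valid input as a formal language and write the input handler as a recognizer) and the privilege-separation point made here can be shown together. The following is an added example, not code from the agwa.name post or from systemd: a small recognizer for newline-separated KEY=VALUE notification messages, the shape sd_notify(3) sends, intended to run in the unprivileged helper so the privileged side only ever sees messages that were accepted. The key grammar ([A-Z0-9_]+, stricter than systemd’s), the size limit and the function names are assumptions made for the example.

```c
/* Added example: a LANGSEC-style recognizer for KEY=VALUE\n notification
 * messages. It runs on the unprivileged side of a privilege-separated
 * design; the privileged process only receives what notify_recognize()
 * accepted. Grammar, limits and names are this example's own choices. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum notify_result {
    NOTIFY_DROP_EMPTY = 0,  /* zero-length datagram: legal on a datagram socket, just ignore it */
    NOTIFY_REJECT,          /* not in the language: discard before it reaches the privileged side */
    NOTIFY_ACCEPT           /* well-formed: safe to forward */
};

/* Largest message the helper is willing to forward (assumed limit). */
#define NOTIFY_MAX 4096

static int is_key_char(unsigned char c) {
    return (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_';
}

/* Accept only  ( KEY '=' VALUE '\n' )*  with an optional final newline,
 * where KEY is [A-Z0-9_]+ and VALUE contains neither NUL nor newline.
 * Everything else, including an empty line, is rejected. */
enum notify_result notify_recognize(const char *buf, size_t len) {
    if (len == 0)
        return NOTIFY_DROP_EMPTY;   /* the case described above: handle it, never assert on it */
    if (len > NOTIFY_MAX)
        return NOTIFY_REJECT;
    size_t i = 0;
    while (i < len) {
        size_t key_start = i;
        while (i < len && is_key_char((unsigned char)buf[i]))
            i++;
        if (i == key_start || i >= len || buf[i] != '=')
            return NOTIFY_REJECT;   /* empty key, or no '=' after it */
        i++;                        /* skip '=' */
        while (i < len && buf[i] != '\n') {
            if (buf[i] == '\0')
                return NOTIFY_REJECT;
            i++;
        }
        if (i < len)
            i++;                    /* consume '\n' */
    }
    return NOTIFY_ACCEPT;
}

/* What the unprivileged receiver does with the return value of recvmsg(2):
 * n < 0 is a socket error, n == 0 is an empty datagram, anything larger
 * goes through the recognizer. Only NOTIFY_ACCEPT results are forwarded. */
enum notify_result notify_handle_datagram(long n, const char *buf) {
    if (n < 0)
        return NOTIFY_REJECT;
    return notify_recognize(buf, (size_t)n);
}

int main(void) {
    /* Constructed sample datagrams, including the empty one. */
    const char *samples[] = { "", "READY=1\nSTATUS=up\n", "READY=1", "=1\n", "READY\n", "ready=1\n" };
    const char *names[] = { "drop-empty", "reject", "accept" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        enum notify_result r = notify_handle_datagram((long)strlen(samples[k]), samples[k]);
        printf("%-22s -> %s\n", samples[k][0] ? samples[k] : "(empty)", names[r]);
    }
    return 0;
}
```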
Tomi Engdahl says:
Domain name resolution is a Tor attack vector, but don’t worry
Nation-state attackers probably pwn you anyhow
http://www.theregister.co.uk/2016/10/04/domain_name_resolution_is_a_tor_attack_vector_but_dont_worry/
This one needs the words “Don’t Panic” in large friendly letters on the cover: privacy researchers have worked out that Tor’s use of the domain name system (DNS) can be exploited to identify users.
However, they say, right now an attacker with resources to drop Tor sniffers at “Internet scale” can already de-anonymise users. Rather, they hope to have Tor and relay operators start hardening their use of DNS against future attacks.
So: read if you’re interested in the interaction between Tor and the DNS, but not if you need the sensation of smelling salts after a faint.
The basis of Tor is that your ISP can see you’re talking to a Tor node, but nothing else, because your content is encrypted; while a Tor Website is responding to your requests, but doesn’t know your IP address.
While the user’s traffic is encrypted when it enters the network, what travels from the exit node to a resolver is a standard – unencrypted – DNS request.
Like other attacks, DefecTor needs a network-level sniffer at ingress. While ingress traffic is encrypted, existing research demonstrates that packet length and direction provides a fingerprint that can identify the Website that originated the traffic.
Tomi Engdahl says:
FBI agreed to destroy laptops of Clinton aides with immunity deal, lawmaker says
http://www.foxnews.com/politics/2016/10/03/fbi-agreed-to-destroy-immunized-clinton-aides-laptops-sources-say.html
Immunity deals for two top Hillary Clinton aides included a side arrangement obliging the FBI to destroy their laptops after reviewing the devices, House Judiciary Committee sources told Fox News on Monday.
This meant investigators could not review documents for the period after the email server became public — in turn preventing the bureau from discovering if there was any evidence of obstruction of justice, sources said.
Tomi Engdahl says:
Carbon Black, IBM Partner on Attack Remediation
http://www.securityweek.com/carbon-black-ibm-partner-attack-remediation
Endpoint security firm Carbon Black announced a new partnership with IBM Security that will allow Carbon Black endpoint threat data to feed into IBM’s BigFix for instant attack remediation.
Announced today, the partnership addresses a major problem for the enterprise: vulnerability management. According to Gartner, “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” Rapid patching can help this problem; but enterprises have so many endpoints with so many vulnerabilities that prioritizing patches is difficult if not impossible.
Tomi Engdahl says:
Google Patches 78 Vulnerabilities in Android
http://www.securityweek.com/google-patches-78-vulnerabilities-android
Google this week released another set of monthly patches for the Android mobile operating system, in an attempt to address no less than 78 security vulnerabilities.
Tomi Engdahl says:
DressCode Malware Infects 400 Apps in Google Play
http://www.securityweek.com/dresscode-malware-infects-400-apps-google-play
A recently discovered mobile malware family called DressCode has infected over 400 applications that are being distributed via Google Play, Trend Micro security researchers warn.
The malware was initially said to have infected only around 40 apps in Google Play and a total of 400 apps distributed via third party app stores, but the actual infection numbers might be much higher, it seems. Over 3,000 apps distributed by several well-known Android mobile markets have been infected with this Trojan, security researchers say.
DressCode Android Malware Discovered on Google Play
http://blog.checkpoint.com/2016/08/31/dresscode-android-malware-discovered-on-google-play/
The oldest apps were uploaded to Google Play on April 2016, where they remained undetected until recently. Some of the apps reached between 100,000 and 500,000 downloads each. Between 500,000 and 2,000,000 users downloaded the malicious apps from Google Play.
Similar to Viking Horde, DressCode creates a botnet that uses proxied IP addresses, which Check Point researchers suspect were used to disguise ad clicks and generate false traffic, generating revenue for the attacker. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots can be used for various reasons based on the distributed computing capabilities of all the devices. The larger the botnet, the greater its capabilities.
Tomi Engdahl says:
Enhancing Communication Between Security and DevOps
http://www.securityweek.com/enhancing-communication-between-security-and-devops
Security teams and DevOps teams aren’t always on the same page and the lack of communication often results in misaligned priorities that significantly inhibit productivity. Developers need enhanced communication and instruction from the risk management team to remediate vulnerabilities that are being discovered in applications.
The shift to DevOps is inevitable in many organizations. With businesses focused on higher and faster performance, and fearful of falling behind competitors, the allure of being more responsive to customers and stakeholders will inevitably overwhelm security teams’ concerns. This means that security organizations must learn to meaningfully insert themselves into this transition. A key part of this change is evolving to effectively work with, not against, application development teams – the “Dev” side of DevOps.
The majority of developers do not have a strong background in secure coding or secure design. This is unfortunate and is the result of a variety of factors, including namely that universities who train developers via computer science programs rarely teach secure coding topics. Many software development projects also treat security as an afterthought – limiting their focus to security features like encryption rather than secure coding fundamentals such as input validation, output encoding, and so on.
Tomi Engdahl says:
Hackers Could Harm Diabetics via Insulin Pump Attacks
http://www.securityweek.com/hackers-could-harm-diabetics-insulin-pump-attacks
OneTouch Ping insulin pumps manufactured by Johnson & Johnson-owned Animas are plagued by several vulnerabilities that can be exploited by remote hackers to compromise devices and potentially harm the diabetic patients who use them. While the security holes are serious, the risk is considered relatively low and the vendor does not plan on releasing a firmware update.
Rapid7 researcher Jay Radcliffe, who has been a Type I diabetic for 17 years, analyzed Animas’ OneTouch Ping insulin pumps. The product has two main components: the actual insulin pump and a remote that controls the pump’s functions from up to 10 feet away.
The four major vulnerabilities found by Radcliffe in the OneTouch Ping product have been detailed in a Rapid7 blog post and an advisory published by the Department of Homeland Security’s CERT Coordination Center.
Vulnerability Note VU#884840
Animas OneTouch Ping insulin pump contains multiple vulnerabilities
http://www.kb.cert.org/vuls/id/884840
Tomi Engdahl says:
Clinton Foundation Denies Being Hacked
http://www.securityweek.com/clinton-foundation-denies-being-hacked
The hacker calling himself Guccifer 2.0 leaked hundreds of megabytes of files allegedly stolen from the Clinton Foundation, but the organization’s representatives said there was no evidence of a data breach.
Guccifer 2.0 has taken credit for hacking the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC), from which he leaked numerous files. However, researchers believe Guccifer 2.0, who has claimed to be Romanian, is actually a persona used by Russia-backed threat actors.
While some of the leaked information could come from a Clinton Foundation server, many of the files appear to originate from earlier hacks for which Guccifer 2.0 took credit.
Evidence uncovered by Ars Technica and others also suggests that many of the files come from the DCCC and not the Clinton Foundation.
Tomi Engdahl says:
Zero Trust or Bust?
http://www.securityweek.com/zero-trust-or-bust
Implementing a Zero Trust Model Represents a Dramatic Change and Requires a Well-planned Transition
The use of a Zero Trust model to minimize cyber risk exposure has returned to the spotlight after a report by the U.S. House of Representatives’ Committee on Oversight and Government Reform detailed the events leading up to the sweeping hack of the U.S. Office of Personnel Management (OPM). One of the report’s recommendations was for Federal information security efforts to move toward a Zero Trust model, in which users inside a network are treated as no more trustworthy than users outside a network.
According to the committee’s report, the OPM data breach can be attributed to a longstanding failure to implement basic cyber security measures (e.g., multi-factor authentication), botched usage of existing security tools to streamline the mitigation of the agency’s extensive vulnerabilities, and lack of applying new security methods to secure sensitive data. Ultimately, the committee outlined the following recommendations:
• Reprioritize Federal information security efforts toward Zero Trust.
• Ensure agency CIOs are empowered, accountable, and competent.
• Reduce use of social security numbers by Federal agencies.
• Modernize existing legacy Federal information technology assets.
• Improve Federal recruitment, training, and retention of Federal cyber security specialists.
These recommendations as well as the continued number of almost daily reports of new data breaches make it abundantly clear that traditional, perimeter-centric security strategies are no longer effective. Instead, the committee’s report promotes the Zero Trust model as an alternative approach.
The Zero Trust model is not a new concept. It was first proposed a few years ago by Forrester Research in collaboration with the National Institute of Standards and Technology (NIST).
The Zero Trust model as propagated by Forrester Research is based on three main pillars:
1. Ensuring that all resources are accessed securely, regardless of location (in other words, there is no longer a trusted zone).
2. Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted.
3. Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious, and is analyzed and logged just as if it came from the WAN.
These fundamentals are closely aligned with the newer NIST concept of Continuous Diagnostics and Mitigation, as it builds upon the concept of near real-time analysis of all transactions, be it on the network, application, database, or human layer.
Tomi Engdahl says:
Flaws Found in Moxa Factory Automation Products
http://www.securityweek.com/flaws-found-moxa-factory-automation-products
Applied Risk, a company that specializes in protecting industrial control systems (ICS), published an advisory this week describing several vulnerabilities found in one of Moxa’s factory automation products.
The security firm’s researchers have identified various types of flaws in the web interface of Moxa’s ioLogik Ethernet I/O products, which are used in oil and gas, manufacturing, nuclear, and water plants.
The most serious of the vulnerabilities are related to password management. Experts discovered that an MD5 hash of the password used for authentication is sent to the server in a GET request. Since the information is transmitted over HTTP instead of HTTPS, a man-in-the-middle (MitM) attacker can easily obtain and crack the password.
“The discovered vulnerabilities can be exploited remotely, but there are some prerequisites to be met. Being in the same network as the devices would make exploitation trivial but it’s not much harder to exploit the vulnerabilities remotely,” Ariciu explained. “It depends on the type of access the attacker has – normally the entry point in a network is not the device that sits in the field.”
The issues were reported to Moxa on May 26 and they were addressed in ioLogik E1242 on September 30 with the release of firmware version 2.5.
Tomi Engdahl says:
Endpoint Security Wars: Is Peace Breaking Out?
http://www.securityweek.com/endpoint-security-wars-peace-breaking-out
In May 2016 VirusTotal (VT) changed its rules. Any vendor wishing to receive antivirus results via the VT API would in future be required to integrate its own detection scanner into the public VT interface. Furthermore, such vendors would need to be certified by The Anti-Malware Testing Standards Organization (AMTSO).
At the time it looked like a coup engineered by the first-generation anti-malware industry, AMTSO and VT itself to exclude next-generation (next-gen) endpoint security products from gaining benefit from VT. Since that time, however, at least four next-gen companies have joined AMTSO and agreed to abide by the VT rules. More are likely to follow – and it’s beginning to seem that what appeared to be a declaration of war was actually an invitation to peace.