Here are my predictions for trends in information security and cyber security for year 2016.
The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying them can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile device environments in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to have the main things in order; the privacy issues that have since been raised change that.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which for example transport, industry, health and the new operators will set up their business around 2020.
The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of doing network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough either. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to a public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security, as for example Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
The use of blockchain technology, a permissionless distributed database based on the Bitcoin protocol that runs across a global network of independent computers, will be used more widely than just for the Bitcoin virtual currency. With Bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses should beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
Post-referendum UK still part of Euro cyberterror stress test… for now
Cheer up, Europe, love. Cyberwar might never happen
http://www.theregister.co.uk/2016/10/14/cyber_europe_2016/
European enterprises are teaming with information security agencies and governments to run a pan-European cyberwar readiness exercise today.
Cyber Europe 2016 – which involves thousands of experts from all 28 EU Member States, Switzerland and Norway – is being co-ordinated by European Union security agency ENISA. It’s the fourth exercise of its type, and the most complex and wide-ranging to date. Such exercises typically focus on responding to DDoS attacks and malware but Cyber Europe 2016 will encompass a far wider range of threats and ancillary crisis management problems, as a statement by ENISA explains.
“Cyber Europe 2016 paints a very dark scenario, inspired by events such as the blackout in a European Country over Christmas period and the dependence on technologies manufactured outside the jurisdiction of the European Union. It also features the Internet of Things, drones, cloud computing, innovative exfiltration vectors, mobile malware, ransomware, etc.”
Cyber Europe 2016
Are you ready for the next cyber crisis?
http://www.cyber-europe.eu/
Cyber Europe is a series of pan-European exercises aimed at testing cybersecurity, business continuity and crisis management capabilities. The exercise is organised by the European Union Agency for Network and Information Security (ENISA) since 2010.
Tomi Engdahl says:
Sheera Frenkel / BuzzFeed:
A history of Fancy Bear, the Russian group accused of hacking the DNC and DCCC to influence the US election — TRENDING — SAN FRANCISCO — On the morning of March 10, nine days after Hillary Clinton had won big on Super Tuesday and all but clinched the Democratic nomination …
Meet Fancy Bear
https://www.buzzfeed.com/sheerafrenkel/meet-fancy-bear-the-russian-group-hacking-the-us-election?utm_term=.ecwoEGM5L3#.ehpv7Bjad6
For the first time in history, Washington has accused a foreign government of trying to influence the US election. Sheera Frenkel investigates the Russian group accused of hacking the US election — and finds they’ve been practicing for this moment for a long time.
The hack first came to light on June 15, when the Washington Post published a story based on a report by the CrowdStrike cybersecurity firm alleging that a group of Russian hackers had breached the email servers of the DNC. Countries have spied on one another’s online communications in the midst of an election season for as long as spies could be taught to use computers — but what happened next, the mass leaking of emails that sought to embarrass and ultimately derail a nominee for president, had no precedent in the United States. Thousands of emails — some embarrassing, others punishing — were available for public perusal while the Republican nominee for president, Donald Trump, congratulated Russia on the hack and invited it to keep going to “find the 30,000 emails that are missing” from Clinton’s private email server. It was an attack that would edge the US and Russia closer to the brink of a cyberwar that has been simmering for the better part of a decade.
Tomi Engdahl says:
The Cyber Grand Challenge
http://www.eetimes.com/author.asp?section_id=36&doc_id=1330618&
Creating an autonomous Cyber Reasoning System capable of playing in a “Capture The Flag” hacking competition.
Several of us at GrammaTech, along with many talented people from UVA, recently participated in DARPA’s Cyber Grand Challenge (CGC) as Team TECHx. The challenge in CGC was to build an autonomous Cyber Reasoning System (CRS) capable of playing in a “Capture The Flag” (CTF) hacking competition. Our system was called Xandra.
Each system was responsible for defending network services while proving vulnerabilities (“capturing flags”) in other systems’ defended services.
The challenge started back in 2014. In two years, what was initially over 100 teams whittled down through qualifying events to just seven teams in the final event. During this final event, DARPA distributed Challenge Binaries (CBs) that implemented network services and that had been specifically crafted to have different vulnerabilities. Each CRS was responsible for fielding a version of each of these CBs, which could be attacked by competitor CRSes. The trick was that CRSes could both re-write CBs to make them less vulnerable while simultaneously trying to exploit the vulnerabilities in other systems’ CBs.
Tomi Engdahl says:
How one researcher cracked the iPhone 5c
http://www.edn.com/electronics-blogs/test-cafe/4442843/How-one-researcher-cracked-the-iPhone-5c?_mc=NL_EDN_EDT_EDN_funfriday_20161014&cid=NL_EDN_EDT_EDN_funfriday_20161014&elqTrackId=d8f6a67b6f7f4a62b3a3973f7f527f23&elq=f80bc575682a4516812207dbd1c43c8f&elqaid=34375&elqat=1&elqCampaignId=29989
In March of this year I wrote a column asking, “Could test and measurement crack Farook’s iPhone?”
Here’s a short recap of the situation. The default passcode for the iPhone 5c is four numeric digits, so 10,000 possible combinations. The phone will allow 10 attempts before permanently deleting the key to ever get inside. So, law enforcement has a 0.1% chance of entering the phone by guessing, and a 99.9% chance of never seeing the contents. Never. As I wrote, ”You better be a good guesser.”
I proposed the scheme below:
Step 1: Read the contents of all flash memory on Farook’s iPhone, either by unsoldering the components, or via ICT (In-Circuit Test or serial ports such as JTAG). This is the test and measurement-centric portion of this plan. The data is encrypted, so it is still worthless.
Step 2: Purchase 1000 iPhone 5cs and 1000 of each memory chip. Program the memory to have the exact same data as in Farook’s.
Step 3: Unsolder the memory chips in the 1000 iPhones. Replace them with those programmed with Farook’s data.
Step 4: You now have 1000 copies of Farook’s iPhone. All 10K passcodes can be tried, 10 per iPhone. The password will be cracked within a day.
However, I was stymied on one specific aspect of the plan. In my studies of the iPhone encryption method, I found that Apple had built a crypto engine onto its A6 processor between main memory and flash. By executing the 256-bit encryption algorithm in hardware, Apple allows at-speed access to memory. But, and this is key, each A6 has fused a different 256-bit code into each device, called the UID (User ID).
The net net of this is that the above scheme won’t work. Even if you enter Farook’s passcode, it won’t unlock the phone if the UID is different, which it is on all the copy phones.
And then a researcher from the University of Cambridge came up with an ingenious approach, and demonstrated it successfully on an iPhone 5c.
reference his paper, “The bumpy road towards iPhone 5c NAND mirroring.” Mirroring, in this case, is a synonym for duplicating, and NAND refers to the specific flash memory technology.
So how did he crack the phone with the given UID issue? In retrospect, it was obvious: he used the original iPhone. He disassembled the phone, built a connectorized daughter board holding the flash memory, and then tested six passwords until powering down, swapping memory boards, and then powering up. The new board, which was a duplicate of the flash memory before any password attempts, also stored the password counter. The phone thought, once again, that no passwords had yet been attempted. Skorobogatov would try six more codes, and swap again with another newly programmed memory board. At this point the procedure continues until the correct password is entered and the phone unlocks.
The reason Skorobogatov rotated the memory boards after six attempts, not ten, was that the phone would become locked, inserting increasing delays between password attempts. After six attempts, the delay was one minute, a longer time than merely performing another memory swapping process.
Remarkably enough, the FBI had dismissed this technique. The FBI had used the 1789 All Writs Act to compel Apple’s aid in hacking the phone. A key criterion of the All Writs Act is that there is no other way to extract the needed evidence.
At a congressional hearing in early March of this year, Rep. Darrel Issa questioned FBI Director Comey on whether they had, indeed, exhausted all alternatives:
https://arxiv.org/abs/1609.04327v1
Tomi Engdahl says:
Julian Assange’s internet’s down and everyone on Twitter has a theory
http://mashable.com/2016/10/17/julian-assange-internet-down/#zhE54j0vRaqj
On Monday afternoon the WikiLeaks Twitter account sent out an urgent tweet to the masses: “Julian Assange’s internet link has been intentionally severed by a state party. We have activated the appropriate contingency plans.”
Tomi Engdahl says:
Alan Travis / Guardian:
UK court rules that bulk personal data collection by GCHQ from 1998 to 2015 was illegal under ECHR, but collection is now compliant after 2015 government avowal
UK security agencies unlawfully collected data for 17 years, court rules
https://www.theguardian.com/world/2016/oct/17/uk-security-agencies-unlawfully-collected-data-for-decade
Investigatory powers tribunal says secret collection of citizens’ personal data breached human rights law
British security agencies have secretly and unlawfully collected massive volumes of confidential personal data, including financial information, on citizens for more than a decade, top judges have ruled.
The investigatory powers tribunal, which is the only court that hears complaints against MI5, MI6 and GCHQ, said the security services operated secret regimes to collect vast amounts of personal communications data, tracking individual phone and web use and large datasets of confidential personal information, without adequate safeguards or supervision for more than 10 years.
The ruling said the regime governing the collection of bulk communications data (BCD) – the who, where, when and what of personal phone and web communications – failed to comply with article 8 protecting the right to privacy of the European convention of human rights (ECHR) between 1998, when it started, and 4 November 2015, when it was made public.
Tomi Engdahl says:
Amanda Hess / New York Times:
Some celebrities are resorting to cyberbullying tactics like posting revenge porn, sharing secret phone recordings, and rallying online mobs for PR offensives
The Latest Celebrity Diet? Cyberbullying
http://www.nytimes.com/2016/10/13/arts/celebrities-twitter-instagram-cyberbullying-kardashian-swift.html?_r=0
Lately, celebrity feuds have taken on the contours of cyberbullying, with famous rivals integrating the tactics of online harassers into their P.R. offensives. What looks like a public display of immaturity can actually be part of a sophisticated image management strategy. Retweet counts and Instagram followers are the new Billboard 100, and celebrities can gin up their numbers by instigating feuds with one another in increasingly nasty or technologically intriguing ways. But the game can have a dark side, especially for the losers.
The modern celebrity arsenal incorporates these other digital bullying tools:
SECRET RECORDINGS
SEXUAL HUMILIATION
REVENGE PORN
MOB DEPLOYMENT
It’s no coincidence that a Kardashian fingerprint can be lifted from many of the most high-profile incidents. While most celebrities use the internet to promote their mainstream careers — movies, albums — Ms. Kardashian West’s core product is herself.
Tomi Engdahl says:
Study finds ‘lurking malice’ in cloud hosting services
https://techxplore.com/news/2016-10-lurking-malice-cloud-hosting.html
A study of 20 major cloud hosting services has found that as many as 10 percent of the repositories hosted by them had been compromised – with several hundred of the “buckets” actively providing malware. Such bad content could be challenging to find, however, because it can be rapidly assembled from stored components that individually may not appear to be malicious.
Believed to be the first systematic study of cloud-based malicious activity, the research will be presented October 24 at the ACM Conference on Computer and Communications Security in Vienna, Austria. The work was supported in part by the National Science Foundation.
“Bad actors have migrated to the cloud along with everybody else,” said Raheem Beyah, a professor in Georgia Tech’s School of Electrical and Computer Engineering. “The bad guys are using the cloud to deliver malware and other nefarious things while remaining undetected. The resources they use are compromised in a variety of ways, from traditional exploits to simply taking advantage of poor configurations.”
In the cloud, malicious actors take advantage of how difficult it can be to scan so much storage. Operators of cloud hosting services may not have the resources to do the deep scans that may be necessary to find the Bars – and their monitoring of repositories may be limited by service-level agreements.
While splitting the malicious software up helped hide it, the strategy also created a technique for finding the “bad buckets” hosting it, Beyah said.
“It’s pervasive in the cloud,” said Beyah. “We found problems in every last one of the hosting services we studied. We believe this is a significant problem for the cloud hosting industry.”
To protect cloud-based repositories from these attacks, Beyah recommends the usual defenses, including patching of systems and proper configuration settings.
Looking ahead, the researchers hope to make BarFinder available to a broader audience. That could include licensing the technology to a security company, or making it available as an open-source tool.
“Attackers are very clever, and as we secure things and make the cloud infrastructure more challenging for them to attack, they will move onto something else,” he said. “In the meantime, every system that we can secure makes the internet just a little bit safer.”
Tomi Engdahl says:
Joseph Cox / Motherboard:
Researcher says some Trump company email servers use unpatched, end-of-life software, including Windows Server 2003, and only use single factor authentication — In what might be one of the more delicious cases of irony to ever grace a presidential election, a researcher has found that a number …
Donald Trump Is Running Some Really Insecure Email Servers
http://motherboard.vice.com/read/trump-is-running-some-really-insecure-email-servers
In what might be one of the more delicious cases of irony to ever grace a presidential election, a researcher has found that a number of email servers linked to Donald Trump’s hotel and other businesses are running horribly out of date software which receives no security patches, and are lacking other precautions for keeping hackers out.
The findings come at a time when cybersecurity is a crucial topic in the presidential election, with hackers dumping documents from Hillary Clinton’s campaign online, and Trump and his supporters continuing to criticise Clinton’s use of a private email server.
“Running outdated software and operating systems for your publicly facing email infrastructure is problematic, especially when you’re a high profile organisation,” security architect Kevin Beaumont, who highlighted the issues with Trump’s servers, told Motherboard in an email. “During an election where cybersecurity is such a big issue, I was a little amazed at what I saw.”
A number of mail servers for TrumpOrg.com, a domain registered to The Trump Organization, are using end-of-life software, according to Beaumont. Those include the operating system Windows Server 2003 and IIS 6.0, which comes shipped with it.
“IIS is a webserver, and it’s particularly dangerous to run unpatched,”
Update: A Trump Organization spokesperson sent us the following comment:
“The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”
Trump vs. Clinton: Who’s Better on Cybersecurity?
http://motherboard.vice.com/read/the-candidates-on-cybersecurity
Comparing Hillary Clinton and Donald Trump on cybersecurity is probably one of the toughest challenges for a journalist writing about the presidential race. Or, perhaps, it’s one of the easiest. Donald Trump has no mention whatsoever of cybersecurity in his official platform. In fact, he doesn’t even mention the word “internet” once, although he has mentioned the word cyber.
Clinton, on the other hand, has a whole section of her platform dedicated to innovation and technology.
Tomi Engdahl says:
Mary Jo Foley / ZDNet:
Microsoft to add single sign-on via Skype option for various Microsoft services, including Office, OneDrive, Xbox Live, and Outlook.com, starting this week
Microsoft to add single sign-on via Skype option for various Microsoft services
http://www.zdnet.com/article/microsoft-to-add-single-sign-on-via-skype-option-for-various-microsoft-services/
Microsoft will allow people to use their Skype names to sign into Office, OneDrive, Outlook.com and other Microsoft services starting next week.
Microsoft is adding an option that will allow people to use their Skype name to sign into other Microsoft services like Office, OneDrive, Outlook.com, and Xbox Live.
Starting next week, users will have an option to use their Skype name as a single sign-in — in some cases along with an email address — to access these services, officials said on Oct. 18.
I asked Microsoft what the coming changes mean to those who already have Microsoft Accounts. A spokesperson sent me the following:
“Starting next week when this capability goes live, if you already have a Microsoft account, we recommend updating it with your Skype account. This lets you access Skype, Office, Xbox and other Microsoft services with a single account. After you update your Skype account to a Microsoft account, you can continue using your Skype Name, with your Microsoft account password to sign in, even for Skype. Please note that you can only update your Skype account to a Microsoft account once.”
Tomi Engdahl says:
Ecuador curbs Assange’s internet to halt US election ‘interference’
http://www.bbc.com/news/world-latin-america-37699410
Ecuador has acknowledged it partly restricted internet access for WikiLeaks founder Julian Assange, who is taking refuge at its London embassy.
It said Mr Assange had in recent weeks released material that could have an impact on the US presidential election.
Ecuador also said its move was not the result of pressure from Washington.
The US denied WikiLeaks accusations that it had asked Ecuador to stop the site publishing documents about presidential candidate Hillary Clinton.
In a statement (in Spanish), the Ecuadorean foreign ministry said WikiLeaks’ decision to publish documents could have an impact on the US presidential election.
It said the release was entirely the responsibility of the organisation, and Ecuador did not want to interfere in the electoral process.
“In that respect, Ecuador, exercising its sovereign right, has temporarily restricted access to part of its communications systems in its UK Embassy,” the statement said.
WikiLeaks earlier said that Ecuador had cut off Mr Assange’s internet access on Saturday evening.
The site has recently been releasing material from Hillary Clinton’s campaign, including those from a hack of Clinton campaign chairman John Podesta’s emails.
Tomi Engdahl says:
Leftover Factory Debugger Doubles as Android Backdoor
https://threatpost.com/leftover-factory-debugger-doubles-as-android-backdoor/121302/
A leftover factory debugger in Android firmware made by Taiwanese electronics manufacturer Foxconn can be flipped into a backdoor by an attacker with physical access to a device. The situation is a dream for law enforcement or a forensics outfit wishing to gain root access to a targeted device. Android researcher Jon Sawyer on Wednesday publicly disclosed the situation, which he’s called Pork Explosion as a swipe at what he calls overhyped and branded vulnerabilities.
Pork Explosion Unleashed
http://bbqand0days.com/Pork-Explosion-Unleashed/
Tomi Engdahl says:
Secure Desktops with Qubes: Compartmentalization
http://www.linuxjournal.com/content/secure-desktops-qubes-compartmentalization?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
The first concept to understand with Qubes is that it groups VMs into different categories based on their use. Here are the main categories of VMs I refer to in the rest of the article:
Disposable VM: these also are referred to as dispVMs and are designed for one-time use. All data in them is erased when the application is closed.
Domain VM: these also often are referred to as appVMs. They are the VMs where most applications are run and where users spend most of their time.
Service VM: service VMs are split into subcategories of netVMs and proxyVMs. These VMs typically run in the background and provide your appVMs with services (usually network access).
Template VM: other VMs get their root filesystem template from a Template VM, and once you shut the appVM off, any changes you may have made to that root filesystem are erased (only changes in /rw, /usr/local and /home persist). Generally, Template VMs are left powered off unless you are installing or updating software.
Tomi Engdahl says:
Adding trendy tech SIEM to a hybrid computing setup
When a public cloud provider’s involved, things get tricky
http://www.theregister.co.uk/2016/10/14/siem_in_a_hybrid_setup/
As I write this, Security Information and Event Monitoring is considered rather hip and cool. Everyone’s talking about it, and the vendors of SIEM software are promoting the life out of it.
The thought process that prompts consideration of SIEM is: “No matter what I do to protect myself, an attack is possible so I need to pre-empt the need for diagnosis and forensics”.
SIEM is great for proactive, scheduled reporting – it allows you to spot things of interest and potential issues before anyone actually exploits them – but it comes into its own when you need to weed through the logs to find out what happened and how.
What does it do?
In its basic form a SIEM system goes against the principles you’ve designed into your infrastructure. Because what you do is configure all your event logs so they are sent (or at least a copy of them is sent) to the central repository that is the SIEM system.
Event logging is, of course, one of life’s irritating compromises. Author Mark Twain is quoted as saying that: “A classic is something everybody wants to have read, but no one wants to read”.
Here in 2016 we say that system log files are something that we all want to have available but none of us actually wants to have to weed through or find space for. Servers aren’t all that bad – at least disk space is cheap and it shouldn’t be too much of a problem to find a bit of storage to retain sufficient log data to allow you some measure of after-the-event analysis.
But for network devices – routers, firewalls, switches – storage is at an absolute premium, and you can seldom keep anything like enough detail in the log files. Turn down the logging level and you can probably store several days’ data but at a level of detail that’s so sketchy as to be utterly useless.
The solution is a central system with enough storage and power to let you hold the data for a sensible time and report on it at will.
Size and resilience?
As we mentioned, a SIEM system is in principle a single point of failure. You need a socking big database to keep the data in, as you’ll want to turn the logging levels up nice and high. And you’ll also need a meaty processor and plenty of memory because you’ll be processing these big lumps of data at two levels: first, you want to run reports on it which means potentially complex database queries behind the scenes; and second, the SIEM system should be working in the background collating the various streams of data it’s receiving in order to spot commonalities and inter-relationships between the streams.
It needs to be big, then. But what about resilience? Well, it’s kind-of up to you
A well-hidden intruder (or more likely a well-hidden piece of malware) can nestle undetected, quietly sending your data to its illicit external location. Realistically, then, you really need a means of storing the data for up to a year – which probably means it’s not going to be realistic to crank up the server log level and store it locally.
The point of this last comment is that the SIEM system isn’t storing a copy of the log files: it’s storing the only instance of it. If you want to look back ten months in the logs, they’re only in one place – which means if a single-instance SIEM system craps itself you’re in trouble.
In a hybrid setup you have options as to where you put the SIEM system. You could implement it as an in-house setup – either with physical appliances or on your virtual infrastructure – or you could put it in the public cloud as a virtual setup. If you go for the virtual option you have to be ultra-cautious about making it scale (even a modestly sized organisation can be throwing 1,000+ log messages per minute at the SIEM system, which has bandwidth and processing overhead implications) but this is surmountable as long as you do it properly.
SIEMing your private cloud is pretty straightforward, since all the products on the market have been built in the knowledge that this is what people will want to do. So they know how to probe WMI streams on Windows server estates, and they’ll eat as much Syslog data as you wish to feed them with. Now, with the public cloud component of the hybrid cloud the same concept applies – a Windows box in the public cloud is no different from one in your private setup as long as you’ve configured the connectivity so that the SIEM system can talk to it.
The main problem, as always, is that in the public cloud you don’t get visibility of all the layers of the infrastructure. In your private world it can deal with everything from the physical port up to the presentation layer, but in the public cloud things kind of stop when you get down to the virtual switch and virtual port level.
Where to put it
I’ve mentioned that you can choose either the public or private cloud for the SIEM system, but there’s an important point to bear in mind: you wouldn’t necessarily put it in your existing public or private cloud.
The value of SIEM is that you can use it to analyse what happened in a security incident. Now, that incident probably involved the intruder copying or corrupting data, or causing some kind of outage. So if the SIEM installation lives in the same installation as the systems whose logs it’s consuming, it’s susceptible to the same attacks and there’s every chance it could be killed off as part of the attack.
In a private setup that means that at the very least you need to host the SIEM product on separate hardware in separate cabinets from the rest of the infrastructure. Ideally you’d have it in separate premises, but there’s a hefty cost associated with that.
The hybrid cloud does have a few idiosyncrasies you have to overcome – primarily the fact that implementing SIEM in the underlying infrastructure will require a bit more jumping through hoops than it would in the private elements of your world.
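As an added illustration of the two jobs the article gives a SIEM system (collating the streams it receives to spot inter-relationships between them, and holding enough data for a sensible time), here is a small Python script that is not part of the article or of any SIEM product. It parses constructed syslog-style lines from a firewall, a Linux host and a Windows host, raises an alert when a source address that has repeatedly been denied later logs in successfully somewhere, and computes the raw storage needed for the 1,000-messages-per-minute figure; the hostnames, addresses and threshold are made up for the example.

```python
"""Toy SIEM collector: cross-stream correlation plus retention sizing."""
import re
from collections import defaultdict

# Constructed sample events (not real logs) in a simplified syslog shape:
# "<timestamp> <host> <program>: <message>"
SAMPLE_LOGS = [
    "2016-10-14T09:00:01 fw01 kernel: DROP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2016-10-14T09:00:02 fw01 kernel: DROP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2016-10-14T09:00:03 fw01 kernel: DROP src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2016-10-14T09:00:09 fw01 kernel: ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2016-10-14T09:00:10 srv05 sshd: Accepted password for admin from 203.0.113.7 port 51422",
    "2016-10-14T09:01:00 fw01 kernel: ACCEPT src=198.51.100.2 dst=10.0.0.5 dport=22",
    "2016-10-14T09:01:01 srv05 sshd: Accepted publickey for deploy from 198.51.100.2 port 40000",
    "2016-10-14T09:02:00 win01 Security: EventID=4625 LogonType=3 Source=203.0.113.7 Account=Administrator",
    "2016-10-14T09:02:30 win01 Security: EventID=4624 LogonType=3 Source=203.0.113.7 Account=Administrator",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
# Source address as written by the three streams: "src=" (firewall),
# "from " (sshd) and "Source=" (Windows Security log, as forwarded here).
SRC_RE = re.compile(r"(?:src=|from |Source=)(\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Split one syslog-style line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    src = SRC_RE.search(ev["msg"])
    ev["src"] = src.group(1) if src else None
    return ev


def classify(ev):
    """Map stream-specific messages onto a common vocabulary."""
    msg = ev["msg"]
    if msg.startswith("DROP") or "EventID=4625" in msg:   # denied / failed logon
        return "fail"
    if msg.startswith("Accepted ") or "EventID=4624" in msg:  # successful logon
        return "login_ok"
    return None  # e.g. firewall ACCEPT: kept in storage, not used by this rule


def correlate(lines, threshold=3):
    """Alert when a source with >= threshold failures later logs in successfully.

    Returns {source_ip: [(timestamp, host), ...]} for every alerting login.
    Events are processed in time order so the rule only fires on logins that
    happen after the failures, which is the inter-stream relationship a
    single stream would not reveal.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexically
    failures = defaultdict(int)
    alerts = {}
    for ev in events:
        kind = classify(ev)
        if ev["src"] is None or kind is None:
            continue
        if kind == "fail":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            alerts.setdefault(ev["src"], []).append((ev["ts"], ev["host"]))
    return alerts


def retention_bytes(msgs_per_minute, avg_msg_bytes, days):
    """Raw storage for `days` of events at a steady rate, before compression,
    index overhead or the replication a resilient SIEM would add."""
    return msgs_per_minute * 60 * 24 * days * avg_msg_bytes


if __name__ == "__main__":
    for src, logins in correlate(SAMPLE_LOGS).items():
        for ts, host in logins:
            print(f"ALERT {ts} {src} logged in on {host} after repeated failures")
    # The article's 1,000 msgs/min held for a year, assuming 300-byte messages.
    print(f"{retention_bytes(1000, 300, 365) / 2**30:.1f} GiB raw per year")
```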
Tomi Engdahl says:
Data integrity and failover in the hybrid cloud
Between two stools one falls to the ground
http://www.theregister.co.uk/2016/10/19/data_integrity_failover_ihybrid_cloud/
Discussions of information security tend to revolve around keeping confidential information confidential: preventing intruders from compromising the protection of the systems and gaining access to data they’re not entitled to see. But there’s more to security than just keeping information secret: it’s a three-pronged concept.
Hideous TLAs
Sadly, security is subject to a hideously twee three-letter abbreviation: CIA. Nothing to do with an American intelligence agency, but Confidentiality, Integrity and Availability. Confidentiality is the obvious one, and it tends to draw attention away from the other two – yet all three elements are as important as each other.
In this feature we’ll look at how you deal with integrity and availability in a hybrid cloud setup – where you have a multi-location setup part of which sits in your on-premise infrastructure and part of which sits in a public cloud setup.
Introducing resilience
Resilient systems are the first step to preserving availability in the event of a system failure. One server dies, a second server takes up the load either by taking over the role of the original server (in an active/passive system) or by soaking up the load of the first server as well as its own (in an active/active system).
You need to ask yourself, though, how you want to spread the resilient systems within your infrastructure. You might automatically think that the answer is to have the on-premise world replicated in the cloud and vice versa, and this is definitely a nice option
But it’s not the only answer.
You could, for instance, decide to use your public cloud provider’s multi-location capabilities if they have them. Implementing data replication and failover may well be significantly easier between (say) two of Amazon’s US regions than it is between AWS and your own private systems.
What resilience is required?
Before you start putting the protection mechanisms in place you need to decide precisely what you’re protecting, and to what extent. Because the one thing that’s certain is that while you’d like to make everything super-resilient with seamless failover, that will not be possible for some systems (particularly legacy applications) and it will probably be too costly in other cases. Real-time data replication takes bandwidth, and implementing automated failover on applications can be complex. So you need to go through each of your applications and data stores and decide what level of protection you need to implement.
Be judicious with the level of availability you need for each application. It’s probably a big deal if your core IP telephony system goes down, and so you’ll seek strong protection and automated failover. But for less critical apps it may be acceptable to wait even a few hours for files to be restored from a backup and the system resurrected.
Which brings us to backups. I’m a great believer, in multi-location setups, in having each site backing itself up to another (so in the usual two-location installation that means site A backs up to a server at site B, and vice versa). Disk-to-disk backups are increasingly the order of the day, and although they have a level of imperativeness with regard to scheduling, they don’t need to be real time.
Tomi Engdahl says:
Ken Yeung / VentureBeat:
Yahoo sends a letter to Director of National Intelligence James Clapper demanding “transparency” be allowed over security orders concerning user data — Yahoo revealed on Wednesday that it has submitted a letter to the Director of National Intelligence (DNI) …
Yahoo demands ‘transparency’ from National Intelligence director over security order
http://venturebeat.com/2016/10/19/yahoo-demands-transparency-from-national-intelligence-director-over-security-order/
Yahoo revealed on Wednesday that it has submitted a letter to the Director of National Intelligence (DNI) James Clapper demanding transparency involving national security orders issued to tech companies around obtaining user data. The move is intended to provide citizens insight about what the U.S. government is looking for.
The company acknowledged that while its communication makes “specific reference to recent allegations” levied against it, “it is intended to set a stronger precedent of transparency for our users and all citizens who could be affected by government requests for user data.” Yahoo once again denied reports that stated it secretly scanned customer emails on behalf of the intelligence community: “The mail scanning described in the article does not exist in our systems.”
In the letter, Yahoo’s general counsel Ron Bell argues that transparency “underpins the ability of any company in the information and communications technology sector to earn and preserve the trust of its customers. Erosion of that trust online implicates the safety and security of people around the world and diminishes confidence and trust in U.S. businesses at home and beyond our borders.”
Tomi Engdahl says:
Colin Lecher / The Verge:
Facebook was a Geofeedia customer before cutting ties with the surveillance firm following ACLU’s report, saying the firm was non-compliant with Facebook’s ToS
Facebook caught an office intruder using the controversial surveillance tool it just blocked
http://www.theverge.com/2016/10/19/13317890/facebook-geofeedia-social-media-tracking-tool-mark-zuckerberg-office-intruder
When it was revealed that police used Geofeedia to track protesters, Facebook cut off access to its data. But Facebook was a Geofeedia customer too.
When it was revealed last week that police used a social media monitoring program to track protesters, it inspired outrage, and major tech companies immediately cut off API access for the tool. But at least one of those companies had prior opportunity to know what the tool, Geofeedia, was capable of. According to three former Geofeedia employees who spoke with The Verge, Facebook itself used the tool for corporate security. Facebook, according to two of the sources, even used Geofeedia to catch an intruder in Mark Zuckerberg’s office.
Geofeedia has touted itself as a security and marketing tool, allowing law enforcement or private companies to aggregate and search event- or location-related posts across services, including Facebook, Twitter, Instagram, and YouTube. Its use by law enforcement has proven the most controversial: police went so far as to use the tool with facial recognition to identify protesters with outstanding warrants.
“Last month, we terminated Geofeedia’s access to our APIs because it was using these APIs in ways that were not authorized and which violated our policies,” a Facebook spokesperson said in a statement.
Facebook confirmed it was a Geofeedia customer, but declined to make any comment about the trespassing incident. Geofeedia directed questions to Facebook.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
LinkedIn says a Russian man arrested in the Czech Republic is believed to be involved in the 2012 breach, which saw the release of 117M passwords — Russian man drove luxury car, then collapsed after being apprehended, police say. — An alleged Russian hacker arrested in the Czech Republic following …
LinkedIn says hacking suspect is tied to breach that stole 117M passwords
Russian man drove luxury car, then collapsed after being apprehended, police say.
http://arstechnica.com/tech-policy/2016/10/linkedin-says-hacking-suspect-is-tied-to-breach-that-stole-117m-passwords/
Tomi Engdahl says:
Farhad Manjoo / New York Times:
Recent leaks show email isn’t suited for modern political and business life; tools like Slack, HipChat that let admins limit archiving avoid some email pitfalls
Whoever Wins the White House, This Year’s Big Loser Is Email
http://www.nytimes.com/2016/10/20/technology/whoever-wins-the-white-house-this-years-big-loser-is-email.html
Every four years, pundits race to anoint this or that newfangled tech trend as the next disruptive force to forever alter the mechanics of American democracy. The 2016 campaign has already been called the Snapchat election, the Periscope election, the Meerkat election, the Twitter election, the Facebook election and the meme election. (If there were a vomit emoji, I’d insert one here. And then we’d have the emoji election.)
Yet for months this bizarre campaign has been defined less by cutting-edge technology than by one of the most established: email. It’s 2016, and we’re blessed with an embarrassment of ways to securely and conveniently communicate with one another. But all anyone can talk about is Hillary Clinton’s damn emails.
This column is not about the real or imagined scandals exposed by caches of Mrs. Clinton’s and her campaign staff’s messages, which, thanks to the State Department, Russian hackers, Judicial Watch and WikiLeaks now regularly spill into public view.
Instead, let’s examine a more basic mystery buried in the emails: Why were all these people discussing so much over email in the first place? Haven’t they heard of phone calls? Face-to-face meetings in dimly lit Washington parking garages? Anyplace else where their conversations weren’t constantly being recorded, archived and rendered searchable for decades to come?
The answer, of course, is that email is as tempting as it is inescapable, for Mrs. Clinton as well as for the rest of us. More than 50 years after its birth, email exerts an uncanny hold on all of our internal affairs.
Email is simply not up to the rigors of modern political and business life. It lulls us into a sense of unguarded security that it never delivers.
The latest Clinton emails come from the hacked Gmail account of John D. Podesta, Mrs. Clinton’s campaign chairman. I emailed the campaign to ask about the breach and email security practices, but I got no response.
But if you assume the messages are authentic, you quickly discover even more shortcomings of email. What’s most striking about the Podesta cache is how central email has been to the campaign’s operations. In 2016, presidential campaigns, like all large enterprises, are far-flung operations. Lots of people in lots of different places are trying to plan things together. To the extent there’s any centrality to the organization, it’s in email communication.
You can see why this can be handy. Having a single place to discuss everything makes teams more efficient.
It’s used in place of phone calls and face-to-face meetings; it’s used as an instant messenger, a daily calendar and a collaborative whiteboard.
“It suggests that they hadn’t had their sense of security punctured yet,”
One thread from the spring of 2015 is instructive, suggesting both email’s advantages and its enormous flaws.
If they had been using some other system to communicate, they would most likely have avoided this trouble.
A more modern communication system, something like Slack or HipChat, could still be hacked, but would have allowed for a central administrator to set an archiving policy. After a few days or weeks, this sort of conversation would have been erased. That’s less practical for email, which by its very nature is decentralized. Once you send an email, your thread resides on every device that every recipient ever downloaded it on.
Better still, an app like Signal, which encrypts its messages (and which the campaign is now reported to be using), would have made cracking the messages more difficult in the first place.
But there’s something even more pernicious than weak security here. The deeper problem with email is that it has never quite settled on a social mode.
Email sometimes tricks us into feeling efficient, but it rarely is.
Tomi Engdahl says:
Ingrid Lunden / TechCrunch:
Stripe debuts new fraud detection tools for its payments service, which use machine learning
Stripe launches Radar to tackle e-commerce fraud with machine learning
https://techcrunch.com/2016/10/19/stripe-launches-radar-to-tackle-e-commerce-fraud-with-machine-learning/
Stripe, the startup that lets websites and mobile apps implement payment services through its API and a few lines of code, is today adding in another new feature as it continues to build out its platform with more tools. It is now going to help prevent fraud on Stripe transactions, through a new service called Radar.
Radar is being rolled out globally as part of Stripe’s primary payments service, meaning companies that use Stripe’s API for payments do not need to pay extra or do anything in particular to turn it on.
That may change down the line
There are already areas where I could see Stripe potentially adding in more features beyond fraud detection and prevention. For example, for now Stripe is not offering any kind of insurance or protection services alongside the fraud prevention,
In Radar, Stripe is tackling a very big issue in the world of online commerce. Retail e-commerce alone (which doesn’t include other kinds of transactions that might run through Stripe’s system) will be worth nearly $2 trillion globally this year, according to estimates from eMarketer, and over the next two years it will continue to grow at a rate above 20 percent and take an ever-bigger proportion of all commerce (including offline) transactions.
But as online commerce continues to grow, so do incidents of e-commerce fraud. A survey conducted by Pymts and Forter found that in Q4 of 2015 there were 27 fraud attempts for every 1,000 transactions, and in Q1 2016, some $4.79 out of every $100 in transactions was at risk (a year before it was $2.90).
Tomi Engdahl says:
CIA-Backed Surveillance Tool ‘Geofeedia’ Was Marketed To Public Schools
https://news.slashdot.org/story/16/10/18/230257/cia-backed-surveillance-tool-geofeedia-was-marketed-to-public-schools
An online surveillance tool that enabled hundreds of U.S. law enforcement agencies to track and collect information on social media users was also marketed for use in American public schools, the Daily Dot has learned. Geofeedia sold surveillance software typically bought by police to a high school in a northern Chicago suburb, less than 50 miles from where the company was founded in 2011.
Ultimately, the school found little use for the platform, which was operated by police liaison stationed on school grounds, and chose not to renew its subscription after the first year, citing cost and a lack of actionable information. “A lot of kids that were posting stuff that we most wanted, they weren’t doing the geo-tagging or making it public,” Conrey said. “We weren’t really seeing a lot there.”
https://geofeedia.com/
Tomi Engdahl says:
Trump vs. Clinton III – TPP looks dead, RussiaLeaks confirmed
Reg finds tech needle in a haystack of stupid
http://www.theregister.co.uk/2016/10/20/presidential_debate_3/
Expect an outbreak of denials from whoever’s got the credentials to @Wikileaks at the moment: Hillary Clinton has said no fewer than 17 civilian and government intelligence agencies point the finger to Kremlin interference in the election.
Both candidates also said they have little interest in ratifying the controversial Trans Pacific Partnership treaty, leaving its copyright extension provisions likely sunk.
Tomi Engdahl says:
IoT insecurity: US govt summons tech bosses, bashes heads together
Everyone agrees: Our group has the best solution for patching bugs
http://www.theregister.co.uk/2016/10/19/us_govt_iot_security/
There are two things that everyone agrees on when it comes to the internet of things (IoT). First, security is a problem. And second, their approach is the best one.
The US government held a one-day meeting in Austin, Texas, today with the sole focus on a specific issue: the ability to upgrade and patch internet-connected devices.
It was this topic, noted staff from the National Telecommunications and Information Administration (NTIA) – an arm of the US Department of Commerce – that was top of the list of concerns when it held a public consultation on how and where the US government could and should help. It didn’t take long to figure out why.
Everyone – and we mean everyone – is worried about the fact that there are billions of devices that now connect to the internet, with billions more in the pipeline, and there is literally no agreed-upon security approach.
Fresh in people’s minds is the huge denial-of-service attack on security researcher Brian Krebs that knocked over his website even though he had Akamai protection. The culprit? A botnet made up of poorly patched webcams. It doesn’t take a genius to realize this is the beginning of a much bigger problem.
“The issue is urgent and it is complex,”
Follow me. No, me, not him
But just as big as the IoT security issue itself, is how to get people to agree on a solution. No one, from the chip manufacturers to the network operators to the device manufacturers, wants to be the one that will introduce new systems and approaches. As much as NTIA staff gently but repeatedly prodded the room to look at real solutions, the conversation quickly drifted back to identifying the problem and offering vague concepts of what needed to happen.
It wouldn’t be the internet of things without conflicting solutions to even the most intangible elements. In this case, it was a multitude of different frameworks for looking at the issue of IoT security.
The Online Trust Alliance outlined its principles (31, boiled down from 75) for how to start looking at the problem. A huge group of people had taken 18 months coming up with it, and everyone loves it, said its chair Jeff Wilbur.
Agreement, in part
Despite the lack of any real progress in the morning session of the event, that collaborative approach does seem to be holding.
There is broad agreement that a key aspect to finding a solution would be working out how to convey any efforts to the consumer. Why? Because additional security costs money, and without some kind of market differentiation, people are just going to buy the cheapest product.
There is real agreement that there needs to be some kind of ability to flag up whether an IoT device needs patching – which can be hard when many devices don’t have a display.
There is also widespread agreement that there needs to be a way to deal with the billions of out-of-date devices that will soon cover the planet, whether they are no longer maintained by the manufacturer or if the manufacturer has gone out of business.
Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
Tomi Engdahl says:
Nuclear Power Plant Disrupted by Cyber Attack
https://threatpost.com/nuclear-power-plant-disrupted-by-cyber-attack/121216/
The head of an international nuclear energy consortium said this week that a cyber attack caused a “disruption” at a nuclear power plant at some point during the last several years. Yukiya Amano, the head of the International Atomic Energy Agency (IAEA), didn’t go into detail about the attack, but warned about the potential of future attacks, stressing on Monday that the idea of cyber attacks that impact nuclear infrastructure isn’t an “imaginary risk.”
“This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything, or if it’s the tip of the iceberg,” Amano told reporters in Germany.
It’s unclear whether Amano will ever disclose which power plant was affected, or when the attack happened. He told Reuters it occurred “two to three years ago,” and declined to get further into the incident, which was previously unknown.
“It could be ransomware, malware, a targeted attack; it’s anyone’s guess what it could be,”
Tomi Engdahl says:
Who is FANCY BEAR?
https://www.crowdstrike.com/blog/who-is-fancy-bear/
The nation-state adversary group known as FANCY BEAR has been operating since at least 2008 and represents a constant threat to a wide variety of organizations around the globe. They target aerospace, defense, energy, government, media, and dissidents, using a sophisticated and cross-platform implant.
FANCY BEAR’s code has been observed targeting conventional computers and mobile devices. To attack their victims, they typically employ both phishing messages and credential harvesting using spoofed websites.
FANCY BEAR has demonstrated the ability to run multiple and extensive intrusion operations concurrently.
In his blog, Dmitri also notes that FANCY BEAR (also known as Sofacy or APT 28) is a Russian-based threat actor whose attacks have ranged far beyond the United States and Western Europe. The group has been observed targeting victims in multiple sectors across the globe. Because of its extensive operations against defense ministries and other military victims, FANCY BEAR’s profile closely mirrors the strategic interests of the Russian government.
Meet Fancy Bear
https://www.buzzfeed.com/sheerafrenkel/meet-fancy-bear-the-russian-group-hacking-the-us-election?utm_term=.wdow4KVod#.snOPkwQ4X
For the first time in history, Washington has accused a foreign government of trying to influence the US election. Sheera Frenkel investigates the Russian group accused of hacking the US election — and finds they’ve been practicing for this moment for a long time.
“If Fancy Bear were a kid in the playground, it would be the kid stealing all the juice out of your lunch box and then drinking it in front of you, daring you to let him get away with it.”
“They did a great job with capturing the look and feel of Google,” said Burdette, who added that unless a person was paying clear attention to the URL or noticed that the site was not HTTPS secure, they would likely not notice the difference.
Once Democratic Party officials entered their information into the fake Gmail page, Fancy Bear had access to not just their email accounts, but to the shared calendars, documents, and spreadsheets on their Google Drive.
In their June 14 report, CrowdStrike found that not only was Fancy Bear in the DNC system, but that another group linked to Russia known as Cozy Bear, or APT 29, had also hacked into the DNC and was lurking in the system, collecting information. The report stated, “Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government’s powerful and highly capable intelligence services.”
Both bears were in the DNC system, but whereas Cozy Bear might have been there for years, undetected in the background, CrowdStrike has said that it was Fancy Bear, with their more aggressive intelligence-gathering operation, that tipped off security teams that something was amiss. It was also Fancy Bear, cybersecurity researchers believe, who was behind the disinformation campaigns that made public the thousands of emails from the DNC and Clinton.
Making those emails public, say cybersecurity experts and US intelligence officials, is what shifted the hack from another Russian cyber-espionage operation to a game changer in the long-simmering US–Russia cyberwar. Using the well-established WikiLeaks platform, as well as newly invented figureheads, ensured that the leaked emails got maximum exposure. Within 24 hours of the CrowdStrike report, a Twitter account under the name @Guccifer_2 was established and began tweeting about the hack on the DNC. One of the first tweets claimed responsibility for hacking the DNC’s servers, and in subsequent private messages with journalists, including BuzzFeed News
Within the week, WikiLeaks had published more than 19,000 DNC emails. Though WikiLeaks would not reveal the source, Guccifer 2.0 gleefully messaged journalists that he had been the source of the leak.
Meanwhile, metadata in the docs, such as Russian-language settings and software versions popular in Russia, led cybersecurity experts to believe that not only were the emails leaked by Russia, but that Guccifer 2.0 was an account created by the Russian state to try and deflect attention.
Tomi Engdahl says:
CIA reportedly plans to launch a cyberattack against Russia
It’s not so secret now, though.
https://www.engadget.com/2016/10/15/cia-cyberattack-russia/
The United States is preparing to launch an unprecedented cyber attack against Russia, according to NBC News. Sources told the publication that the White House asked the CIA to present it with several “clandestine” cyber operation tactics that the administration can choose from. The cyber strike’s purpose? To get back at Vladimir Putin and the Kremlin for allegedly interfering with the country’s elections. If you’ll recall, hackers hiding behind the pseudonym Guccifer 2.0 broke into the Democratic National Convention’s computers and leaked 20,000 DNC emails, personal info and donor data. The government believes Russia orchestrated the whole thing in an effort to influence the election’s results.
NBC’s sources didn’t mention anything specific, but the intelligence agency apparently already possesses a collection of documents that could expose Putin’s “unsavory tactics.”
A couple of CIA officers told NBC News that the White House worked with the agency to wage cyberwar against Russia several times in the past. However, the government would always drop the idea, because anything the US can do, Putin and his cohorts can, as well.
Tomi Engdahl says:
Trove of Stolen Data Is Said to Include Top-Secret U.S. Hacking Tools
http://www.nytimes.com/2016/10/20/us/harold-martin-nsa.html?_r=1
Investigators pursuing what they believe to be the largest case of mishandling classified documents in United States history have found that the huge trove of stolen documents in the possession of a National Security Agency contractor included top-secret N.S.A. hacking tools that two months ago were offered for sale on the internet.
They have been hunting for electronic clues that could link those cybertools — computer code posted online for auction by an anonymous group calling itself the Shadow Brokers — to the home computers of the contractor, Harold T. Martin III, who was arrested in late August on charges of theft of government property and mishandling of classified information.
But so far, the investigators have been frustrated in their attempt to prove that Mr. Martin deliberately leaked or sold the hacking tools to the Shadow Brokers or, alternatively, that someone hacked into his computer or otherwise took them without his knowledge.
Mr. Martin, an enigmatic loner who according to acquaintances frequently expressed his excitement about his role in the growing realm of cyberwarfare, has insisted that he got in the habit of taking material home so he could improve his skills and be better at his job, according to these officials. He has explained how he took the classified material but denied having knowingly passed it to anyone else.
“He wanted to see the overall picture so that he could be more effective.”
The material the F.B.I. found in his possession added up to “many terabytes” of information, according to court papers, which would make it by far the largest unauthorized leak of classified material from the classified sector. That volume dwarfs the hundreds of thousands of N.S.A. documents taken by Edward J. Snowden in 2013 and exceeds even the more voluminous Panama Papers, leaked records of offshore companies obtained by a German newspaper in 2015, which totaled 2.6 terabytes. One terabyte of data is equal to the contents of about one million books.
F.B.I. agents on the case, advised by N.S.A. technical experts, do not believe Mr. Martin is fully cooperating, the officials say.
In interviews, officials described how the Martin case has deeply shaken the secret world of intelligence, from the N.S.A.’s sprawling campus at Fort Meade, Md., to the White House. They expressed astonishment that Mr. Martin managed to take home such a vast collection of classified material over at least 16 years, undetected by security officers at his workplaces, including the N.S.A., the Office of the Director of National Intelligence and Pentagon offices.
Tomi Engdahl says:
Ecuador cut Assange’s internet with a little push from the US
It wasn’t entirely Ecuador’s decision, after all.
https://www.engadget.com/2016/10/20/us-urged-ecuador-to-cut-assange-internet/
When Ecuador admitted that it cut off Julian Assange’s internet connection at its embassy in London, the country’s officials said it was their own decision. According to NBC News, though, the US might have something to do with it. American intelligence officials told the publication that the US urged Ecuadorian politicians to stop allowing Assange to do Russia’s bidding from within their territory. Assange, as you know, founded WikiLeaks, which has been publishing emails stolen from the Democratic National Committee’s computers. The government believes Russia has been orchestrating the cyber attacks and releasing sensitive data to influence the US presidential elections.
American intelligence also believes that Assange knows the emails he’s been posting come from the Russians. However, they don’t think he actively played a role in the cyber attacks against the DNC. As one senior intelligence official explained: “The general view is he is a willing participant in the Russian scheme but not an active plotter in it. They just realized they could use him.”
Ecuador granted Assange asylum back in June 2012, and he’s been living in its London embassy ever since.
Tomi Engdahl says:
How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts
https://yro.slashdot.org/story/16/10/20/2011227/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google. The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the U.S. government, believe are spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account. The data linking a group of Russian hackers — known as Fancy Bear, APT28, or Sofacy — to the hack on Podesta is also yet another piece in a growing heap of evidence pointing toward the Kremlin.
More:
https://motherboard.vice.com/read/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts
Tomi Engdahl says:
Using Apache Hadoop to Meet Cybersecurity Challenges
http://www.securityweek.com/using-apache-hadoop-meet-cybersecurity-challenges
Apache Hadoop turned 10 this year.
What began as an experiment for processing massive volumes of data has steadily progressed to a mature enterprise solution being used to unlock the value of information in previously unimaginable ways. Today, enterprises use Hadoop to answer questions about everything from how to improve health and human well-being to how to get the most out of financial investments to … you name it. In but a decade, the industry has seen the birth and rapid growth of a vast ecosystem centered on Hadoop.
We’ve come to learn that cybersecurity, in many ways, is a data analytics problem. It is precisely for this reason that Hadoop — with its ability to ingest, process and provide analytics for nearly untold amounts of data — is being adopted to solve many of the challenges we face.
When it comes to security, Hadoop allows users to get their arms around all of the data their modern enterprises generate. It gives them complete access to information created by networks, users, endpoints and even the Internet of Things (IoT) — exactly what’s needed to produce analytics about suspicious behaviors, anomalies and other threat indicators. Add to this the ability to leverage machine learning and flexible plug-and-play applications from both proprietary and open source markets, and you have a solution capable of meeting current and emerging challenges.
It wasn’t always this way. A decade ago, many of us in the security community thought SIEM and other legacy products would be sufficient. We thought they would provide all the relevant information needed to produce the requisite analytics to meet cybersecurity challenges. But as Cloud, Mobile, distributed computing and the IoT gained steam, we learned that those systems were not nearly robust enough to handle all the variant data sources or the scale at which they grew. SIEM and other legacy solutions simply weren’t designed for massive data volumes and they certainly weren’t designed to provide all the analytic answers nor the context analysts required to ensure an effective detection capability that can keep pace with the advancing capabilities of the adversaries we all face.
When security professionals were limited by the data and the analytics available through such tools, what could be done to address risk was equally constrained. Restricted capabilities left those of us in charge of defending our organizations able to find only commodity, known and moderately advanced types of attacks. With Hadoop, an expanded set of security use cases is now available.
Tomi Engdahl says:
How to Make Threat Intelligence Practical for Your Organization
http://www.securityweek.com/how-make-threat-intelligence-practical-your-organization
If there is a drumbeat I will continue to harp on it’s the importance of practical cyber threat intelligence. With so much data out there, and so much confusion in the market as to what intel even is, intel’s practicality takes on even greater significance.
One key aspect of making threat intelligence practical is to ensure the intel is evaluated. What do I mean by this? Well, there are a lot of threat intelligence misconceptions that have to do with automation and speed. Threat intelligence feeds or platforms that provide data or indicators of compromise (IOCs) are delivering a first step toward intel, but the practicality of it is questionable at best. For example, if it’s presented in “real-time”, then it is most definitely NOT intel. It is data/information that has not been evaluated and therefore known to have occurred.
Evaluated threat intelligence is the concept of all threat data being reviewed and confirmed. It is standardized and organized in an easy-to-consume way so analysts can begin their work from the 50 yard line instead of from their own 10.
If the data is delivered in real-time, but isn’t validated, or in a context that is useful for your organization, you need to assign your own analysts to conduct that intel work.
Tomi Engdahl says:
Another Potential Victim of the Yahoo! Breach: Federated Login
http://www.securityweek.com/another-potential-victim-yahoo-breach-federated-login
Password proliferation is bad, for many, many, many reasons. But the worst reason is that people tend to re-use passwords all over the place. It’s difficult if not impossible to keep all the various passwords straight that you need to bank, shop, do just about anything on the internet these days.
It turns out there is a better way to handle authentication than having individual usernames and passwords for every online account: federated login through massive consumer sites like Facebook, Google and Twitter and Yahoo!.
All of those “Login with Facebook” and “Login with Your Twitter ID” buttons across the Internet let people create accounts at a third party website via the OAuth protocol without surrendering their password. And these third party sites have accountability with the OAuth providers to not abuse the information they receive.
In theory, a website could offer federation login via dozens of OAuth-providing social media sites. But in reality, a website designer really just wants to support the handful of mega sites like Facebook and Google that represent the largest number of users.
This brings us to Yahoo!. The leak of half a billion user credentials is, of course, a big deal in and of itself, but another potential loss is the decrease in federated login options for consumers. After this breach, it’s likely we’ll be seeing fewer and fewer “Login with Yahoo!” buttons across the Internet.
And that’s too bad, really, because Yahoo! was trying to do some cool stuff with password-less authentication.
Given its still-enormous user base, the loss of a Yahoo! as a source of federated logins could be detrimental to the Internet.
Tomi Engdahl says:
Breaking the OODA Loop!
http://www.securityweek.com/breaking-ooda-loop
The OODA loop is a well established concept often used in security which originated in the military. OODA stands for Observe, Orient, Decide, Act.
OODA is an iterative process because after each action you need to observe your results and any new opposing action. The idea is that if you can consistently get to the action faster than your opponent you can beat them. It is typically described using an airplane dogfight analogy – airplanes try to turn more quickly and sharply than their opponent in order to get off a shot. But, as you turn faster and faster the g-forces build and at this point the ever faster OODA loop is more like a centrifuge crushing us. We need to break out of the loop and find a new way to play the security game.
Consider a typical OODA loop scenario. An attacker sends a phishing email, and someone clicks on a link to a bad website which infects the user’s computer. At some point that attack is detected (observed), often well after the attacker has had a chance to move horizontally through the organization and establish a presence. The victimized enterprise then turns their attention to gathering more data about what has happened and which systems have been compromised, and quickly decides on a plan of action. Finally they start to try to clean up infected systems and prevent further compromise. Of course the attacker may notice that they have been observed and start taking counter measures at the same time.
How much better would it be if many of these attacks could be stopped or remediated without detection? Could we skip the “OOD” in most cases and move directly to Acting frequently and repeatedly?
That can only work if the cost of remediating potentially infected systems can be reduced by many orders of magnitude. Conventionally it might take an IT person an hour or more to clean up a single desktop. If we want to do that every day on every machine, or maybe more often, the cost has to be almost zero.
Virtualization and containerization make it possible to automate this kind of process very effectively. Images of the system, component, or application can be created in a known good and clean condition.
Another advantage of bypassing the observe/detect phase is the ability to be secure in the face of undetectable malware. Current generation security tools have a dismal track record for detecting sophisticated attacks.
Virtualization or containerization of small individual applications provides many advantages over virtualizing the whole system.
Tomi Engdahl says:
Battling the Botnet Armies
http://www.securityweek.com/battling-botnet-armies
Botnet armies have become bigger, more active and more heavily armed than ever before. In the first quarter of 2016, attacks launched by bots reached a record high of 311 million—a 300 percent increase compared with the same period in 2015 and a 35 percent increase compared with the final quarter of 2015.
Many botnets are used to launch distributed denial of service (DDoS) attacks, which are also becoming substantially stronger and more frequent.
This issue is being exacerbated by the wrangling of IoT devices into the hordes of infected devices being leveraged for these botnets.
As the botnet armies step up their attacks, how can organizations better defend their networks?
Who’s targeting you?
Traditionally, there have been two main strategies available to businesses looking to protect themselves against botnet attacks. The first relates to websites’ and networks’ abilities to deal with the unexpected spikes in inbound traffic to your network, resulting from DDoS attacks. Load balancing strategies based on real-world network testing can help to smooth the peaks and troughs in traffic by spreading traffic volumes, and this can be an important method for mitigating the impact of DDoS attempts. However, even an effective load-balancing strategy can be overwhelmed by a large-scale DDoS attack, bringing applications to a grinding halt—and as we saw earlier, attacks are increasing in strength.
The second strategy relates to the actual security tools, such as firewalls, which focus on identifying and blocking malicious traffic. This is extremely effective, but the processing power needed to proactively analyze very high volumes of network traffic, identify malicious packets and block them places a heavy burden even on latest-generation, high-capacity firewalls. Throw enough non-relevant traffic at them and the flood will significantly reduce their analysis performance which, in turn, causes a performance drain across the network as well.
Intelligent IP filtering
However, there is a third strategy: preventing malicious traffic generated by botnets from reaching your firewall in the first place, by intelligently pre-filtering it.
This can be done using a specialized gateway that continually monitors and proactively filters out IP addresses under botnet control. The gateway is fed with real-time, constantly updated threat and application intelligence feeds on known bad IP addresses—that is, addresses that are known to be infected with bots or are known to harbor malware.
This same strategy can even be extended to block traffic from the IP addresses of entire geographical areas where you do not have business interests or are known to harbor threats.
There’s an additional benefit of using threat intelligence gateways to filter IP traffic: they can also identify bot infections already on your network that could be stealthily sending sensitive data to criminals. The gateway can also inspect traffic leaving your network: if that traffic is heading to an IP address known to be a botnet command and control server, it is filtered and blocked automatically, cutting off the data leak permanently.
Clearly, the immediate advantage of the IP address filtering strategy is the dramatic reduction of your organization’s vulnerability to both external DDoS attacks from botnets and stopping data leaks by existing internal bot infections.
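To make the “threat intelligence gateway” idea concrete, here is a small added example (not code from the SecurityWeek article or from any vendor product). It models a pre-filter that checks connection records against a feed of known-bad IP addresses and ranges before they reach the firewall, and treats an outbound connection from an internal host to a listed command-and-control address as a possible data leak, which is the second benefit the article describes. The feed entries, internal address range and log flows are constructed placeholders (RFC 5737 documentation ranges).

```python
"""Added example (not from the SecurityWeek article): a minimal model of a
threat-intelligence gateway. It pre-filters connection records against a
feed of known-bad IP addresses/CIDR ranges and flags *outbound* connections
to known botnet command-and-control addresses as possible exfiltration.
All addresses, tags and flows below are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Constructed feed of "known bad" networks (RFC 5737 documentation ranges).
# A real gateway refreshes this continuously from its intelligence feeds.
KNOWN_BAD_FEED = {
    "198.51.100.0/24": "botnet-member",
    "203.0.113.7/32": "c2-server",
}

# Hypothetical: the organisation's own address space, used to infer direction.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed connection log: (source, destination).
SAMPLE_FLOWS = [
    ("198.51.100.23", "10.0.0.5"),   # inbound from a botnet member: block
    ("192.0.2.10", "10.0.0.5"),      # inbound from a clean address: allow
    ("10.0.0.42", "203.0.113.7"),    # outbound to a C2 server: block + alert
    ("10.0.0.42", "192.0.2.55"),     # outbound to a clean address: allow
]


@dataclass(frozen=True)
class Verdict:
    src: str
    dst: str
    action: str   # "allow" or "block"
    reason: str


class ThreatIntelGateway:
    def __init__(self, feed: dict[str, str], internal: Iterable[ipaddress.IPv4Network]):
        # Parse the feed once; lookups are a linear scan, fine for a small demo feed.
        self.bad = [(ipaddress.ip_network(cidr), tag) for cidr, tag in feed.items()]
        self.internal = list(internal)

    def _lookup(self, addr: str) -> str | None:
        ip = ipaddress.ip_address(addr)
        for net, tag in self.bad:
            if ip in net:
                return tag
        return None

    def _is_internal(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.internal)

    def judge(self, src: str, dst: str) -> Verdict:
        outbound = self._is_internal(src) and not self._is_internal(dst)
        if outbound:
            tag = self._lookup(dst)
            if tag:
                # An internal host talking to a listed C2 points at an existing infection.
                return Verdict(src, dst, "block",
                               f"outbound to {tag}: possible exfiltration from {src}")
        else:
            tag = self._lookup(src)
            if tag:
                # Dropped here, so the firewall never spends cycles analysing it.
                return Verdict(src, dst, "block", f"inbound from {tag}")
        return Verdict(src, dst, "allow", "not on feed")

    def filter_flows(self, flows) -> list[Verdict]:
        return [self.judge(s, d) for s, d in flows]


def run_sample() -> list[Verdict]:
    gw = ThreatIntelGateway(KNOWN_BAD_FEED, INTERNAL_NETS)
    return gw.filter_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for v in run_sample():
        print(f"{v.src:>15} -> {v.dst:<15} {v.action:5} ({v.reason})")
```

Direction is inferred from the internal address list rather than from the interface the packet arrived on, which is a simplification; a real deployment would also rate the feed entries by confidence and expiry so that stale listings do not block legitimate traffic.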
Tomi Engdahl says:
This Is Probably Why Half the Internet Shut Down Today [Updating]
http://gizmodo.com/this-is-probably-why-half-the-internet-shut-down-today-1788062835
Twitter, Spotify and Reddit, and a huge swath of other websites were down or screwed up this morning. This was happening as hackers unleashed a large distributed denial of service (DDoS) attack on the servers of Dyn, a major DNS host. It’s probably safe to assume that the two situations are related.
Dyn posted this update on its website: “Starting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.”
At the time of publication Dyn said that it was still dealing with the problem.
Tomi Engdahl says:
Researcher says Adult Friend Finder vulnerable to file inclusion vulnerabilities
http://www.csoonline.com/article/3132533/security/researcher-says-adult-friend-finder-vulnerable-to-file-inclusion-vulnerabilities.html
LFI vulnerabilities used to expose sensitive files and a database schema
The images show a Local File Inclusion vulnerability (LFI) being triggered. When asked directly, 1×0123 confirmed LFI as the vulnerability being exploited, and said it was discovered in a module on the production servers used by Adult Friend Finder.
LFI vulnerabilities allow an attacker to include files located elsewhere on the server into the output of a given application.
Penthouse, Adult FriendFinder databases leak, at least 100 million accounts impacted
http://www.csoonline.com/article/3132933/security/penthouse-adult-friendfinder-databases-leak-at-least-100-million-accounts-impacted.html
Databases recently obtained by LeakedSource, as well as source code, configuration files, certificate keys, and access control lists, point to a massive compromise at FriendFinder Networks Inc., the company behind AdultFriendFinder.com, Penthouse.com, Cams.com, and more than a dozen other websites.
LeakedSource, a breach notification website that launched in late 2015, received the FriendFinder Networks Inc. databases within the last twenty-four hours.
Administrators for LeakedSource say they’re still sorting and verifying the data
The leaked data implies several things, said Dan Tentler, the founder of Phobos Group, and a noted security researcher.
First, he explained, the attackers got read access to the server, which means that it would be possible to install shells, or enable persistent remote access. But even if the attacker’s access was unprivileged, they could still move around enough to eventually gain access.
“If we assume that dude only has access to this one server, and he got all this from one server, we can imagine what the rest of their infrastructure is like. Considering all of the above, it is very likely that an attacker at my level could turn this kind of access into a full compromise of their entire environment given enough time,” Tentler said.
For example, he could add himself to the access control list and whitelist a given IP. He could abuse any SSH keys that were discovered, or command histories. Or, better still, if root access was gained, he could just replace the SSH binary with one that performs keylogging and wait for the credentials to roll in.
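The LFI class mentioned in the first article above is easiest to understand from a side-by-side. The following is an added example, not code from the CSO article or from the affected site: a tiny page loader with the bug (user input joined straight onto a directory path, so a value containing `..` reads files outside the intended directory) next to a hardened version that allow-lists page names and verifies the resolved path. All files and directory names are constructed in temporary directories so it runs stand-alone.

```python
"""Added example, not code from the CSO article or from the site it describes:
a local file inclusion (LFI) bug in a tiny page loader, shown beside a
hardened version. render_vulnerable() joins user input onto a directory
path unchecked, so a 'page' value containing '..' reads files outside the
templates directory. render_hardened() allow-lists page names and checks the
resolved path. All files and directories are constructed in temp space."""
import os
import tempfile
from pathlib import Path

TEMPLATE_DIR = Path(tempfile.mkdtemp(prefix="templates_"))
OUTSIDE_DIR = Path(tempfile.mkdtemp(prefix="config_"))  # sibling dir, outside the template tree

# Constructed sample files
(TEMPLATE_DIR / "home.html").write_text("<h1>home</h1>")
(TEMPLATE_DIR / "about.html").write_text("<h1>about</h1>")
(OUTSIDE_DIR / "db.conf").write_text("db_password=constructed-example")

# Relative path that walks out of TEMPLATE_DIR into OUTSIDE_DIR (constructed for the demo)
TRAVERSAL = f"../{OUTSIDE_DIR.name}/db.conf"

ALLOWED_PAGES = {"home", "about"}


def render_vulnerable(page: str) -> str:
    # BUG: request input becomes part of the path unchecked; '..' leaves TEMPLATE_DIR.
    path = os.path.join(TEMPLATE_DIR, page)
    with open(path) as fh:
        return fh.read()


def render_hardened(page: str) -> str:
    # 1. Allow-list: the request selects a page *name*; it never supplies a path.
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    # 2. Defence in depth: resolve '..' and symlinks, then confirm the result is still
    #    under the template root, so a future change to the allow-list cannot reopen the hole.
    root = TEMPLATE_DIR.resolve()
    target = (root / f"{page}.html").resolve()
    if root not in target.parents:
        raise ValueError("resolved path escapes the template directory")
    return target.read_text()


def demo() -> dict:
    """Run both loaders on a normal page and on the traversal value."""
    result = {
        "vulnerable_home": render_vulnerable("home.html"),
        "vulnerable_traversal": render_vulnerable(TRAVERSAL),   # leaks db.conf
        "hardened_home": render_hardened("home"),
    }
    try:
        render_hardened(TRAVERSAL)
        result["hardened_traversal"] = "ALLOWED"
    except ValueError as exc:
        result["hardened_traversal"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allow-list alone closes the bug; the resolved-path check is there so that the protection does not depend on one dictionary staying clean. Note that `os.path.join` silently discards everything before an absolute component, so an input beginning with `/` would be just as dangerous for the vulnerable loader as one beginning with `..`.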
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
How hackers used malicious short URLs hidden in fake Google emails to break into John Podesta’s and Colin Powell’s Gmail accounts — On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.
How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts
http://motherboard.vice.com/read/how-hackers-broke-into-john-podesta-and-colin-powells-gmail-accounts
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google.
The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government. At the time, however, Podesta didn’t know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.
Months later, on October 9, WikiLeaks began publishing thousands of Podesta’s hacked emails. Almost everyone immediately pointed the finger at Russia, who is suspected of being behind a long and sophisticated hacking campaign that has the apparent goal of influencing the upcoming US elections. But there was no public evidence proving the same group that targeted the Democratic National Committee was behind the hack on Podesta—until now.
The data linking a group of Russian hackers—known as Fancy Bear, APT28, or Sofacy—to the hack on Podesta is also yet another piece in a growing heap of evidence pointing toward the Kremlin.
The phishing email that Podesta received on March 19 contained a URL, created with the popular Bitly shortening service, pointing to a longer URL that, to an untrained eye, looked like a Google link.
Inside that long URL, there’s a 30-character string that looks like gibberish but is actually the encoded Gmail address of John Podesta. According to Bitly’s own statistics, that link, which has never been published, was clicked two times in March.
That’s the link that opened Podesta’s account
That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target.
SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign.
Using Bitly allowed “third parties to see their entire campaign including all their targets— something you’d want to keep secret,” Tom Finney, a researcher at SecureWorks, told Motherboard.
It was one of Fancy Bear’s “gravest mistakes,” as Thomas Rid, a professor at King’s College who has closely studied the case, put it in a new piece published on Thursday in Esquire, as it gave researchers unprecedented visibility into the activities of Fancy Bear, linking different parts of its larger campaign together.
Tomi Engdahl says:
Brendan I. Koerner / Wired:
Inside the discovery, investigation, and attempted mitigation of the devastating OPM breach last year — The US OFFICE of Personnel Management doesn’t radiate much glamour. As the human resources department for the federal government, the agency oversees the legal minutiae of how federal employees …
Inside the Cyberattack That Shocked the U.S. Government
https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/
The US OFFICE of Personnel Management doesn’t radiate much glamour. As the human resources department for the federal government, the agency oversees the legal minutiae of how federal employees are hired and promoted and manages benefits and pensions for millions of current and retired civil servants. The core of its own workforce, numbering well over 5,000, is headquartered in a hulking Washington, DC, building
The routine nature of OPM’s business made the revelations of April 15, 2015, as perplexing as they were disturbing. On that morning, a security engineer named Brendan Saulsbury set out to decrypt a portion of the Secure Sockets Layer (SSL) traffic that flows across the agency’s digital network. Hackers have become adept at using SSL encryption to cloak their exploits, much as online vendors use it to shield credit card numbers in transit.
Soon after his shift started, Saulsbury noticed that his decryption efforts had exposed an odd bit of outbound traffic: a beacon-like signal pinging to a site called opmsecurity.org.
But the agency owned no such domain. The OPM-related name suggested it had been created to deceive.
The Office of Personnel Management repels 10 million attempted digital intrusions per month—mostly the kinds of port scans and phishing attacks that plague every large-scale Internet presence—so it wasn’t too abnormal to discover that something had gotten lucky and slipped through the agency’s defenses. In March 2014, for example, OPM had detected a breach in which blueprints for its network’s architecture were siphoned away.
Based on the little he’d heard about the malware, Mejeur was certain his investigation would uncover plenty of nasty surprises.
Once Captain America’s name popped up, there could be little doubt that the Office of Personnel Management had been hit by an advanced persistent threat (APT)—security-speak for a well-financed, often state-sponsored team of hackers. APTs like China’s Unit 61398 have no interest in run-of-the-mill criminal activities such as selling pilfered Social Security numbers on the black market; they exist solely to accumulate sensitive data that will advance their bosses’ political, economic, and military objectives.
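Two of the stories above turn on the same kind of defender-side check: the Podesta phishing links carried the target’s e-mail address encoded inside a Google-looking URL, and the OPM intrusion was spotted as an outbound beacon to a domain (opmsecurity.org) that borrowed the agency’s name but that the agency did not own. The following is an added example, not code from the Motherboard or Wired pieces or from either organisation, of a triage routine that (1) flags host names mentioning a watched organisation or brand name when the registered domain is not on the list of domains that organisation actually owns, and (2) base64-decodes URL path segments and query values and reports any that decode to an e-mail address. The owned domains, watch tokens and sample URL are constructed placeholders, and the two-label “registered domain” heuristic is an assumption standing in for a public-suffix list.

```python
"""Added example (not from the Motherboard or Wired articles): URL / destination
triage with two checks. is_lookalike() flags hosts that borrow a watched name
but are not an owned domain; decoded_emails() finds base64-encoded e-mail
addresses embedded in a URL. All domains, tokens and URLs are constructed."""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Hypothetical: domains legitimately belonging to the organisation / watched brands.
LEGIT_DOMAINS = {"example-agency.gov", "google.com"}
# Hypothetical: name tokens whose appearance in an *unowned* host is suspicious.
WATCH_TOKENS = {"example-agency", "google"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
# Long runs of base64 / url-safe base64 characters, optionally padded.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

# Constructed sample: a Google-looking URL on an unrelated domain, carrying the
# target address as a url-safe base64 path segment (padding stripped).
SAMPLE_EMAIL = "target.user@example.com"
SAMPLE_TOKEN = base64.urlsafe_b64encode(SAMPLE_EMAIL.encode()).decode().rstrip("=")
SAMPLE_URL = f"https://accounts-google.example-login.net/ServiceLogin/{SAMPLE_TOKEN}?continue=x"


def registered_domain(host: str) -> str:
    """Last two labels of the host (assumption: no public-suffix list in this demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True if the host mentions a watched name but is not one of the owned domains."""
    if registered_domain(host) in LEGIT_DOMAINS:
        return False
    flat = host.lower().replace("-", "").replace(".", "")
    return any(tok.replace("-", "") in flat for tok in WATCH_TOKENS)


def decoded_emails(url: str) -> list[str]:
    """Base64-decode path segments and query values; return those that are e-mail addresses."""
    u = urlsplit(url)
    candidates = [seg for seg in u.path.split("/") if seg]
    candidates += [v for _, v in parse_qsl(u.query, keep_blank_values=True)]
    found = []
    for c in candidates:
        if not B64_RE.match(c):
            continue
        padded = c + "=" * (-len(c) % 4)          # restore stripped '=' padding
        try:
            text = base64.urlsafe_b64decode(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if EMAIL_RE.match(text):
            found.append(text)
    return found


def triage(url: str) -> dict:
    host = urlsplit(url).hostname or ""
    return {
        "host": host,
        "lookalike": is_lookalike(host),
        "encoded_emails": decoded_emails(url),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_URL))
    print(is_lookalike("example-agency-security.org"), is_lookalike("mail.example-agency.gov"))
```

Finding the recipient's own address inside a link is a strong signal that the link was generated per target, which is what the mass-produced Bitly links gave away; finding the organisation's name in a destination it does not own is the same signal the OPM engineer acted on. Both checks are cheap enough to run over every URL extracted from mail and every destination in proxy or DNS logs.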
Tomi Engdahl says:
Almost all Java applications have security holes
Up to 97 percent of all Java applications contain security holes and other vulnerabilities. So says the security company Veracode, which has analyzed tens of thousands of applications and hundreds of thousands of code fixes.
Java has always had a reputation for information security issues.
Worryingly, the Java applications most careless about security are those developed for medical devices. Of the reported holes in them, only about a third have been repaired. This means that applications processing a lot of sensitive patient data have an abysmal level of security.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5272:lahes-kaikissa-javasovelluksissa-on-tietoturva-aukkoja&catid=13&Itemid=101
More: https://www.veracode.com/
Tomi Engdahl says:
Ageing GSM crypto cracked on commodity graphics rig
A*STAR Singapore shows how easy it is
http://www.theregister.co.uk/2016/10/24/cracking_2g_gsm/
The crypto scheme applied to second generation (2G) mobile phone data can be hacked within seconds, security researchers have demonstrated.
The work by researchers from the Agency for Science, Technology and Research (A*STAR), Singapore shows that breaking the A5/1 stream cipher used by 2G is possible using commodity hardware.
Security experts have known the A5/1 was breakable since 2009, so what the Singapore team has done is illustrate the ease with which this is now possible, re-emphasizing the need to update remaining 2G-based mobile communications networks.
“GSM uses an encryption scheme called the A5/1 stream cipher to protect data,” said Jiqiang Lu from the A*STAR Institute for Infocomm Research. “A5/1 uses a 64-bit secret key and a complex key-stream generator to make it resistant to elementary attacks such as exhaustive key searches and dictionary attacks.”
Weaknesses in the ageing A5/1 cipher, combined with the improved performance of number-crunching hardware, have rendered the crypto system crackable.
The approach adopted by the Singapore-based researchers is more sophisticated than a vanilla brute force (try every possible combination) attack.
The researchers used a cracking rig made up of a general-purpose graphics processing unit computer with three NVIDIA GeForce GTX 690 cards, costing about $15K.
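To make concrete why a 64-bit key and a 64-bit internal state no longer hold up against commodity hardware, here is an added example implementing the A5/1 keystream generator itself from its published description (three LFSRs of 19, 22 and 23 bits, majority clocking, 64-bit key, 22-bit frame number, 228 keystream bits per frame). This is not code from the article or the A*STAR work, and the key and frame number used below are constructed values.

```python
"""A5/1 keystream generator written from the public description of the cipher.
Key bits are loaded in the order of the well-known reference implementation
(bit i = bit (i % 8) of key byte i // 8). Added example; values are constructed."""

# (register length, feedback tap bits, clocking-control bit) for R1, R2, R3
REGS = (
    (19, (13, 16, 17, 18), 8),
    (22, (20, 21), 10),
    (23, (7, 20, 21, 22), 10),
)


def _step(reg: int, length: int, taps: tuple) -> int:
    """Shift one LFSR left by one bit, feeding back the XOR of its taps."""
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


class A51:
    def __init__(self, key: bytes, frame: int):
        assert len(key) == 8 and 0 <= frame < (1 << 22)
        self.r = [0, 0, 0]
        # Key and frame bits are XORed into bit 0 while all registers clock.
        for i in range(64):
            self._clock_all((key[i >> 3] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        for _ in range(100):          # warm-up under majority rule, output dropped
            self._clock_majority()

    def _clock_all(self, in_bit: int) -> None:
        for i, (length, taps, _) in enumerate(REGS):
            self.r[i] = _step(self.r[i], length, taps) ^ in_bit

    def _clock_majority(self) -> None:
        bits = [(self.r[i] >> REGS[i][2]) & 1 for i in range(3)]
        maj = 1 if sum(bits) >= 2 else 0
        for i, (length, taps, _) in enumerate(REGS):
            if bits[i] == maj:        # only registers agreeing with the majority move
                self.r[i] = _step(self.r[i], length, taps)

    def keystream_bits(self, n: int = 228) -> list:
        """Clock under the majority rule; each output bit is the XOR of the MSBs."""
        out = []
        for _ in range(n):
            self._clock_majority()
            bit = 0
            for i, (length, _, _) in enumerate(REGS):
                bit ^= (self.r[i] >> (length - 1)) & 1
            out.append(bit)
        return out

    @staticmethod
    def state_bits() -> int:
        """The whole secret state is 19 + 22 + 23 = 64 bits."""
        return sum(length for length, _, _ in REGS)


def xor_frame(key: bytes, frame: int, data: bytes) -> bytes:
    """Encrypt or decrypt up to 28 whole bytes (one frame's 228 keystream bits)."""
    ks = A51(key, frame).keystream_bits()
    out = bytearray()
    for i, b in enumerate(data[: len(ks) // 8]):
        kbyte = 0
        for j in range(8):
            kbyte = (kbyte << 1) | ks[i * 8 + j]
        out.append(b ^ kbyte)
    return bytes(out)
```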
Tomi Engdahl says:
Mozilla plots TLS 1.3 future for Firefox
Quicker handshake starts encrypting data sooner
http://www.theregister.co.uk/2016/10/23/mozilla_plots_tls_13_future_for_firefox/
Mozilla has decided it needs to lift its HTTPS game, and will default to TLS 1.3 in next year’s Firefox 52.
Mozilla principal engineer Martin Thomson let developers know about the decision in an e-mail last Friday.
“TLS 1.3 removes old and unsafe cryptographic primitives, it is built using modern analytic techniques to be safer, it is always forward secure, it encrypts more data, and it is faster than TLS 1.2,” Thomson’s note said.
So far, Thomson wrote, Mozilla’s limited tests haven’t turned up any incompatibilities with existing servers.
Cloudflare has a useful backgrounder on TLS 1.3 here. Filippo Valsorda notes that the draft removes one round trip during the handshake process.
An overview of TLS 1.3 and Q&A
https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/
Tomi Engdahl says:
American ‘Vigilante Hacker’ Defaces Russian Ministry’s Website
https://news.slashdot.org/story/16/10/23/0020212/american-vigilante-hacker-defaces-russian-ministrys-website
An American vigilante hacker — who calls himself “The Jester” — has defaced the website of the Russian Ministry of Foreign Affairs in retaliation for attacks on American targets…
American vigilante hacker sends Russia a warning
Jester: ‘Knock it off’
http://www.ksat.com/news/american-vigilante-hacker-sends-russia-a-warning
An American vigilante hacker — who calls himself “The Jester” — has defaced the website of the Russian Ministry of Foreign Affairs in retaliation for attacks on American targets.
On Friday night, the Jester gained access to the Russian government ministry’s website. And he left a message: Stop attacking Americans.
“Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message,” he wrote. “Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed.”
MID.ru is the official website of the Russian agency that is in charge of maintaining that country’s international diplomacy — equivalent to the U.S. Department of State.
The U.S. government recently blamed Russia for meddling in American politics. Russian intelligence agencies have been accused of hacking into Democratic National Committee emails and the sites of other Democratic Party-linked organizations, leaking damning information to sway the election away from Hillary Clinton.
The Jester used a classic hacking technique, finding a hole in the website’s computer code and injecting his own code into it.
Tomi Engdahl says:
VeraCrypt Security Audit Reveals Many Flaws, Some Already Patched
https://it.slashdot.org/story/16/10/23/0150244/veracrypt-security-audit-reveals-many-flaws-some-already-patched
VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.
VeraCrypt security audit reveals many flaws, some already patched
https://www.helpnetsecurity.com/2016/10/18/veracrypt-security-audit/
VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab.
The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report.
The code auditing effort analyzed VeraCrypt 1.18 and its bootloaders.
“A first step consisted in verifying that the problems and vulnerabilities identified by iSec and NCC Group in TrueCrypt 7.1a for the Open Crypto Audit Project had been taken into account and fixed,” the Quarkslab researchers involved in the effort explained.
VeraCrypt is available for Windows, OS X and Linux.
https://veracrypt.codeplex.com/wikipage?title=FAQ
Tomi Engdahl says:
A New Attack Allows Intercepting Or Blocking Of Every LTE Phone Call And Text
https://yro.slashdot.org/story/16/10/24/0257256/a-new-attack-allows-intercepting-or-blocking-of-every-lte-phone-call-and-text?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
All LTE networks and devices are vulnerable to a new attack demonstrated at the Ruxcon security conference in Melbourne. mask.of.sanity shared this article from The Register:
It exploits LTE fall-back mechanisms designed to ensure continuity of phone services in the event of emergency situations that trigger base station overloads… The attacks work through a series of messages sent between malicious base stations spun up by attackers and targeted phones. It results in attackers gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM networks where only voice and basic data services are available…
Every LTE call, text, can be intercepted, blacked out, hacker finds
Emergency fail over provisions abused.
http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/
Ruxcon Hacker Wanqiao Zhang of Chinese hacking house Qihoo 360 has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and even force phones offline.
The still-live attacks were demonstrated at the Ruxcon hacking confab in Melbourne this weekend.
The tested Frequency Division Duplexing LTE network is more popular than TDD-LTE and operates in Britain, the US, and Australia. The competing Time Division Duplexing (TDD) LTE network is more common in Asian countries and in regions where population densities are higher.
Zhang conducted further tests after The Register inquired whether the attacks would work against TDD-LTE and found all LTE networks and devices are affected.
“This attack exists [and] it’s still reasonable.”
The attacks work through a series of messages sent between malicious base stations spun up by attackers and targeted phones.
It results in attackers gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM networks where only voice and basic data services are available.
The attacks are not just fit for laboratories.
The Third Generation Partnership Project (3GPP) telco body has known of the hack since at least 2006 when it issued a document describing Zhang’s forced handover attack, and accepts it as a risk.
Three of the fail-over emergency features can be abused for specific attacks, Zhang says; global roaming features allow IMSI capture, battery energy saving for denial of service, and load balancing for redirection.
Tomi Engdahl says:
Researchers sabotage 3D printer files to destroy a drone
https://techcrunch.com/2016/10/21/researchers-sabotage-3d-printer-files-to-destroy-a-drone/?ncid=rss
Researchers at Ben-Gurion University of the Negev (BGU), the University of South Alabama, and Singapore University of Technology and Design have successfully injected malicious code into a computer which, in turn, added invisible commands to a file containing a 3D model of a drone propeller. When they printed the model and attached it to the drone, the propeller broke upon take-off. This killed the drone.
In short, the exploit, codenamed Dr0wned, was able to modify a digital file that, in turn, destroyed a physical device.
“Imagine that an adversary can sabotage functional parts employed in an airplane’s jet engines. Such an attack could cost lives, cause economic loss, disrupt industry, and threaten a country’s national security,” said researcher Yuval Elovici, a professor at BGU. “With the growth of additive manufacturing worldwide, we believe the ability to conduct malicious sabotage of these systems will attract the attention of many adversaries, ranging from criminal gangs to state actors, who will aim either for profit or for geopolitical power.”
The attack works by hiding instructions inside a model file like an STL. These instructions make the printer appear to print a normal, solid part, but with a fatal flaw.
The exploit requires control over the victim’s computer. It begins with a phishing email that encourages the user to read a PDF which is actually a piece of remote access malware. The attacker then looks for all STL files and injects code in them that weakens the parts.
While not many people are printing mission critical objects on their home 3D printers we could imagine a future in which airplane parts are transmitted to a third party for heavy-duty printing. An exploit in that chain could prove more than fatal. Luckily this is still a proof of concept and the only thing hurt is an innocent but expensive drone.
Tomi Engdahl says:
Moscow Confirms Ministry Website Attack After U.S. Hacker Claim
http://www.securityweek.com/moscow-confirms-ministry-website-attack-after-us-hacker-claim
Russia’s foreign ministry on Sunday said an old version of its website had been attacked after a US hacker claimed he broke in and posted a mocking message.
Foreign ministry spokeswoman Maria Zakharova wrote on Facebook that the hacker targeted “an old site that has not been used for a long time,” adding that “specialists are working out what happened.”
The attack came after Washington earlier this week formally accused the Russian government of trying to “interfere” in the 2016 White House race by hacking, charges the Kremlin has repeatedly dismissed.
“If they establish there was hacking by Americans, even of a resource that wasn’t working, this is far from pleasant,” Zakharova wrote.
She said that this could be an indication that a “cyber machine of destruction has started acting” after US Vice President Joe Biden told NBC television that President Vladimir Putin would get a “message” from Washington in response to the hacking blamed on Russia.
Alternatively, the latest hack simply shows that the “US elections have wound up people to such a state that they start smashing everything,” Zakharova wrote.
Tomi Engdahl says:
Multiple banks hit: 3.2 million debit cards compromised; how it happened, what happens now?
http://indianexpress.com/article/explained/multiple-banks-hit-3-2-million-debit-cards-compromised-how-it-happened-what-happens-now-3094108/
Indian Express explains one of the biggest data security breaches in Indian banking, and situates it in the context of the rising threat from cyber crime.
On Wednesday, India’s largest bank, State Bank of India, said it had blocked close to 6 lakh debit cards following a malware-related security breach in a non-SBI ATM network. Several other banks, such as Axis Bank, HDFC Bank and ICICI Bank, too have admitted being hit by similar cyber attacks — forcing Indian banks to either replace or request users to change the security codes of as many as 3.2 million debit cards over the last two months.
On September 5, some banks came across fraudulent transactions in which debit cards were used in China and the US when customers were actually in India.
After the probe found that ATMs had been compromised as early as in May 2016, all three service providers — Visa, MasterCard and RuPay — asked banks to either tell customers who could potentially be at risk to change their PIN, or issue them new cards. Most banks asked customers to change their PIN, and in certain cases blocked the cards and decided to issue fresh ones.
This is one of the biggest data breaches in the country — about 3.2 million cards issued by Indian banks could be potentially replaced, or their holders asked to change their PINs to avoid fraud. According to NPCI, 90 ATMs have been compromised, and at least 641 customers across 19 banks have lost Rs 1.3 crore as a result of fraudulent transactions on their debit cards.
In this case, swiping a card at an allegedly compromised ATM allowed the data on the card to be transmitted to the fraudsters, who then misused it for fraudulent transactions.
Since most of the cards at risk are not chip-based, banks are planning to replace them with chip-based ones.
In June 2016, RBI issued instructions on a cyber security framework in banks, asking them to put in place a board-approved cyber security policy, prepare a cyber crisis management plan, and make arrangement for continuous surveillance. The circular also asked banks to share unusual cyber security incidents with RBI.
3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit
Read more at:
http://economictimes.indiatimes.com/articleshow/54945561.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
Tomi Engdahl says:
Linux Backdoor Doesn’t Require Root Privileges
http://www.securityweek.com/linux-backdoor-doesnt-require-root-privileges
A newly observed Linux backdoor Trojan can perform its nefarious activities without root access, by using the privileges of the current user, Doctor Web security researchers have discovered.
Dubbed Linux.BackDoor.FakeFile.1, the malware is being distributed as an archived PDF, Microsoft, or Open Office file, the security researchers say. As soon as it has been launched, the Trojan would save itself to the user’s home directory, in the .gconf/apps/gnome-common/gnome-common folder.
Next, the malware searches for a hidden file that matches its name, and replaces that file with itself.
The next step is to check the name of the installed Linux distribution.
Next, the malicious program launches two threads, one destined to share information with the command and control (C&C) server, while the other meant to monitor the duration of the connection. Thus, if the Trojan doesn’t receive instructions within 30 minutes, the connection is terminated.
Once installed on a compromised system, the backdoor can execute a multitude of commands.
The backdoor can also terminate its own operation upon command.
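The two host-level traces the description above gives are the drop directory under the user's home and a "document" that is really an executable. The following is an added host check for both (not Doctor Web's or the article's code); the sample home directory, file names and contents it builds are constructed, and the document-extension list is an assumption.

```python
"""Look for the Linux.BackDoor.FakeFile.1 drop directory and for files named
like documents that carry an ELF header. Added example with constructed data."""
import os
import tempfile

DROP_DIR = os.path.join(".gconf", "apps", "gnome-common", "gnome-common")
DOC_EXTS = (".pdf", ".doc", ".docx", ".odt", ".ods", ".odp")   # assumed list
ELF_MAGIC = b"\x7fELF"


def is_elf(path: str) -> bool:
    """True when the file starts with the ELF header magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def scan_home(home: str, max_depth: int = 3) -> dict:
    """Report the drop directory (if present) and document-named ELF files
    found within max_depth directory levels below a home directory."""
    findings = {"drop_dir": None, "disguised_elf": []}
    drop = os.path.join(home, DROP_DIR)
    if os.path.isdir(drop):
        findings["drop_dir"] = drop
    base_depth = home.rstrip(os.sep).count(os.sep)
    for root, dirs, files in os.walk(home):
        if root.count(os.sep) - base_depth >= max_depth:
            dirs[:] = []                      # stop descending past max_depth
        for name in files:
            if name.lower().endswith(DOC_EXTS):
                path = os.path.join(root, name)
                if is_elf(path):
                    findings["disguised_elf"].append(path)
    findings["disguised_elf"].sort()
    return findings


def build_sample_home(infected: bool = True) -> str:
    """Create a constructed home directory; with infected=True it contains
    both indicators, otherwise only a genuine (zip-based) ODF document."""
    home = tempfile.mkdtemp(prefix="fakefile-demo-")
    with open(os.path.join(home, "notes.odt"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 32)        # real ODF files are zips
    if infected:
        os.makedirs(os.path.join(home, DROP_DIR))
        with open(os.path.join(home, "invoice.pdf"), "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)   # ELF header
    return home


if __name__ == "__main__":
    print(scan_home(build_sample_home()))
```

On a real host the same scan_home function would be run over each entry in /home (and root's home), with max_depth raised as needed.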
Tomi Engdahl says:
BIND Flaw Patched in 2013 Affects Linux Distros
http://www.securityweek.com/bind-flaw-patched-2013-affects-linux-distros
A vulnerability patched by the Internet Systems Consortium (ISC) in the BIND DNS software several years ago has been found to affect Linux distributions that use packages derived from BIND releases prior to the security hole being fixed.
The high severity vulnerability, tracked as CVE-2016-2848, was discovered by Toshifumi Sakaguch and disclosed by ISC last week. The issue can be exploited remotely to cause a denial-of-service (DoS) condition on both authoritative and recursive servers by sending them malformed DNS packets.
The vulnerability was patched in ISC-distributed versions with the change tracked as #3548, first included in BIND 9 releases in May 2013. The problem is that some software vendors, including several OS distributions, have been using repackaged versions forked from ISC’s source code before the fix was implemented.
ISC has not found any evidence that the flaw has been exploited in the wild, but the organization’s security officer, Michael McNally, warned that a proof-of-concept (PoC) exists in a public bug repository.
“Since information concerning the vulnerability, including a reproduction script, exists in a public bug repository we urge you to update vulnerable binary packages as soon as possible,”
Red Hat said the vulnerability does not affect Red Hat Enterprise Linux 7. The company has released updates for RHEL 5 and 6.
Tomi Engdahl says:
Required Insider Threat Program for Federal Contractors: Will It Help?
http://www.securityweek.com/required-insider-threat-program-federal-contractors-will-it-help
Many organizations use hundreds or even thousands of third party vendors. They connect to their networks, access private corporate data, and too often, as we saw in the case of Edward Snowden and more recently Harold Martin, elevate organizations’ cyber risk. A 2016 Ponemon Institute study showed 73 percent of organizations see the number of cyber security incidents involving vendors increasing and 65 percent say it is difficult to manage cyber security incidents involving vendors. Each third party vendor employee that has access to organizations’ sensitive data poses a cyber risk. Just one misstep, whether intentional or not, becomes an active insider threat that could lead to a compromise.
Beginning November 30, 2016, DoD third party contractors will be required to establish and maintain an insider threat program.
The more attention organizations give to insider threats the better, especially those coming from third party contractors, which is why the change is a step in the right direction. That said, Change 2 only addresses one piece of the puzzle, which is policies, procedures, training and monitoring conducted by the employer of government contractors. While that is a good start, it does not address a number of important components of identifying and stopping insider threats.
The greatest challenge is connecting the dots between what is known by government managers about how their contractors interact and access sensitive assets (which is accomplished via on site and technical behavior monitoring), business context surrounding those activities (via application security owners) and what is known by the contractor’s employer regarding the behavior of their employee. In many cases there is little to no communication between these parties and as such, nobody is viewing the user’s activities with all of the information needed to determine if an insider threat is real or not.
The greatest challenge of identifying and stopping the insider threat is piecing together and communicating the many disconnected pieces of information to the right people, so that the right conclusions can be drawn.