Here are my predictions for trends in information security and cyber security for the year 2016.
The year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect the year 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have only just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to have the main things okay, but now privacy issues have been raised on top of that.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout the year 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such a thing, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Crude, poorly thought-out surveillance techniques can have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
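To find SHA-1 signed certificates in your own chains ahead of the cutoff, here is an added example (not code from the original post) that reads the signatureAlgorithm field of X.509 certificates in DER or PEM form using only the Python standard library. The certificate skeletons it audits are constructed for the demonstration and are not real certificates; the OID table and the DER layout follow RFC 5280 / RFC 3279.

```python
"""Classify the signature algorithm of X.509 certificates (DER or PEM) with a
minimal DER walker, to locate SHA-1 (and MD5) signed certificates."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758). RSASSA-PSS keeps its
# hash in the parameters and is deliberately left out, so it reports "unknown".
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.10040.4.3": ("dsaWithSHA1", "weak"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "ok"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "ok"),
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode DER OID content octets to dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):
    """Return (oid, name, verdict) for a DER-encoded Certificate:
    SEQUENCE { tbsCertificate, signatureAlgorithm SEQUENCE { OID, params }, signatureValue }."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)            # skip tbsCertificate
    tag, sig_alg, _ = _read_tlv(cert, pos)     # outer signatureAlgorithm (what clients check)
    if tag != 0x30:
        raise ValueError("bad signatureAlgorithm")
    tag, oid_bytes, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("expected OID")
    oid = _decode_oid(oid_bytes)
    name, verdict = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, verdict

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def audit_pem_chain(pem_text):
    """Classify every certificate in a PEM bundle; returns [(index, name, verdict), ...]."""
    results = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(b64.split()))
        _, name, verdict = signature_algorithm(der)
        results.append((i, name, verdict))
    return results

# --- constructed sample input (not real certificates) -------------------------
def _tlv(tag, body):
    """DER-encode a TLV, using the long length form when the body is >= 128 bytes."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

SHA1_RSA_OID_DER = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def make_sample(sig_oid_der):
    """Build a constructed certificate skeleton carrying the given signatureAlgorithm;
    tbsCertificate is a placeholder and the signature bytes are dummy filler."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                       # placeholder SEQUENCE { INTEGER 1 }
    sig_alg = _tlv(0x30, _tlv(0x06, sig_oid_der) + b"\x05\x00")  # OID + NULL parameters
    sig_value = _tlv(0x03, b"\x00" + b"\xAA" * 128)              # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + sig_alg + sig_value)

def to_pem(der):
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = to_pem(make_sample(SHA1_RSA_OID_DER)) + to_pem(make_sample(SHA256_RSA_OID_DER))
    for idx, name, verdict in audit_pem_chain(bundle):
        print(f"cert[{idx}]: {name} -> {verdict}")
```

To audit a real server chain, feed `audit_pem_chain` the PEM output of `openssl s_client -showcerts`; a self-signed root flagged "weak" is harmless, since browsers do not verify root signatures, but any leaf or intermediate flagged "weak" needs reissuing.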
The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the encryption keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP because “there are some people who don’t have an option to change.” Often the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s completely the wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly in ransom malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom malware, I recommend making sure with IT support or your service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
Electronic Surveillance Up 500% In DC Area Since 2011, Almost All Sealed Cases
https://yro.slashdot.org/story/16/10/24/2040252/electronic-surveillance-up-500-in-dc-area-since-2011-almost-all-sealed-cases
Secret law enforcement requests to conduct electronic surveillance in domestic criminal cases have surged in federal courts for Northern Virginia and the District, but only one in a thousand of the applications ever becomes public, newly released data show. The bare-bones release by the courts leaves unanswered how long, in what ways and for what crimes federal investigators tracked individuals’ data
U.S. courts: Electronic surveillance up 500 percent in D.C.-area since 2011, almost all sealed cases
https://www.washingtonpost.com/local/public-safety/us-courts-electronic-surveillance-up-500-percent-in-dc-area-since-2011-almost-all-sealed-cases/2016/10/22/48693ffa-8f10-11e6-9c52-0b10449e33c4_story.html
Unsealing basic docket information “is an important first step for courts to recognize that they have been enabling a kind of vast, secret system of surveillance that we now know to be so pervasive,” said Brett Max Kaufman, a staff attorney at the American Civil Liberties Union’s Center for Democracy.
“It’s hard to understand whether this surveillance is necessary or whether there is overreach without basic information about how often these orders are sought or granted, or who is granting them. Even judges themselves do not know,” Kaufman said.
Tomi Engdahl says:
Joomla! readies patch for core vulnerability so critical it isn’t talking
Patch to drop 1400 UTC, Tuesday. And the haste of its release suggests this is scary
http://www.theregister.co.uk/2016/10/25/joomla_readies_patch_for_core_vulnerability_so_critical_it_isnt_talking/
The world’s second-favourite content management system, Joomla!, is warning of a critical security hole so bad its developers aren’t saying what it fixes.
The Register understands a patch for the mystery hole will take the name of version 3.6.4 and will be published around 1400 UTC today, October 25th.
Joomla! has been downloaded more than 75 million times and runs on big ticket sites including McDonalds, Ikea, General Electric, Linux.com, and major news sites.
WordPress leads the open-source content management pack with some 140 million downloads.
The Joomla! security strike team says only that it was “informed of a critical security issue in the Joomla! core” which is a “very important security fix”.
“Until the release is out, please understand that we cannot provide any further information,” the security team says.
Tomi Engdahl says:
MedSec’s St Jude pacemaker hacks confirmed by pen-tester
Bishop Fox report says Merlin@Home vulns are real and deadly
http://www.theregister.co.uk/2016/10/25/medsec_vs_st_jude_indy_pentester_report_lands/
St Jude Medical has suffered another setback in its lawsuit against Muddy Waters and security company MedSec.
St Jude launched a defamation action against Muddy Waters and MedSec after their August revelation of vulnerabilities in its devices.
Rather than following what’s by now an industry-accepted disclosure process (contact the manufacturer, and give them time to make a fix before publishing), MedSec partnered with Muddy Waters to short St Jude’s stock.
Last week, MedSec published videos demonstrating its attacks, but St Jude dismissed the videos as “unverified claims”.
In a new court filing, an independent security researcher might make “unverified” harder to sustain.
The report, written by Carl Livitt, a partner in security and penetration testing firm Bishop Fox, replicated first-hand “many of the attacks” first made public in August.
In particular, Livitt says Bishop Fox found the St Jude Merlin@Home system could be exploited to interfere with pacemaker function, stop ICDs (implantable cardioverter defibrillators) from delivering therapy, drain device batteries, and get administrative access to the systems.
http://medsec.com/stj_expert_witness_report.pdf
Tomi Engdahl says:
Verizon boss: Yahoo! email hack ‘is a big deal to us’, we’ll decide new price next month
http://www.theregister.co.uk/2016/10/24/verizon_to_decide_yahoo_price_nov/
Verizon is going to decide how much it is willing to pay for Yahoo! next month when an investigation into its massive security breach is completed.
Speaking at Intel Capital’s Global Summit in San Diego on Monday, Verizon CEO Lowell McAdam said that the breach last month, which saw 500 million people’s email accounts compromised, was “a big deal. A big deal to Yahoo! management and a big deal to us.”
He dismissed the notion that Verizon could walk away from the deal however – something that the company’s general counsel had publicly pondered earlier this month – saying that the acquisition of Yahoo! was “a part of our digital strategy.”
He did lend weight to the suggestion that Verizon is going to ask for a significant discount on its agreed $4.8bn purchase, however. Once the investigation was over, “then we can make a determination” as to the purchase price, McAdam said, adding: “The impact on the overall deal will be decided in the next few weeks.”
Tomi Engdahl says:
Every LTE call, text, can be intercepted, blacked out, hacker finds
Emergency fail over provisions abused
http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_blacked_out_hacker_finds/
Ruxcon Hacker Wanqiao Zhang of Chinese security house Qihoo 360 has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and even force phones offline.
The still-live vulnerabilities were documented and discussed at the Ruxcon hacking confab in Melbourne, Australia, this weekend, including a demonstration of recording a call on a live network. To do this, an attacker must exploit fall-back mechanisms designed to ensure continuity of phone services in the event of overloads.
The team tested their work against Frequency Division Duplexing (FDD) LTE networks, which are more popular than Time Division Duplexing (TDD) LTE and are used in Britain, the US, and Australia. The competing TDD-LTE design is more common in Asian countries and in regions where population densities are higher.
To exploit the LTE network, an attacker exchanges a series of messages between malicious base stations and targeted phones. This results in miscreants gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM mode where any voice and basic data services can be intercepted.
Tomi Engdahl says:
CIA Election AntiCheat Control malware preys on the fear of Voter Fraud
http://www.bleepingcomputer.com/news/security/cia-election-anticheat-control-malware-preys-on-the-fear-of-voter-fraud/
Criminals love to prey on people based on current news topics and there are few topics right now that are bigger than the 2016 United States presidential election. This can be seen in a new malware discovered by MalwareHunterTeam called CIA Election AntiCheat Control – 2016. This computer infection pretends to be a notice from the CIA that requires people to send $50 or their upcoming vote will not count.
Tomi Engdahl says:
The Phone Hackers At Cellebrite Have Had Their Firmware Leaked Online
https://tech.slashdot.org/story/16/10/25/201224/the-phone-hackers-at-cellebrite-have-had-their-firmware-leaked-online
Cellebrite, an Israeli company that specializes in digital forensics, has dominated the market in helping law enforcement access mobile phones. But one apparent reseller of the company’s products is publicly distributing copies of Cellebrite firmware and software for anyone to download. Although Cellebrite keeps its most sensitive capabilities in-house, the leak may still give researchers, or competitors, a chance to figure out how Cellebrite breaks into and analyzes phones by reverse-engineering the files.
The Phone Hackers at Cellebrite Have Had Their Firmware Leaked Online
https://motherboard.vice.com/read/the-phone-hackers-at-cellebrite-have-had-their-firmware-leaked-online
Cellebrite, an Israeli company that specialises in digital forensics, has dominated the market in helping law enforcement access mobile phones. But one apparent reseller of the company’s products is publicly distributing copies of Cellebrite firmware and software for anyone to download.
Although Cellebrite keeps its most sensitive capabilities in-house, the leak may still give researchers, or competitors, a chance to figure out how Cellebrite breaks into and analyzes phones by reverse-engineering the files.
The apparent reseller distributing the files is McSira Professional Solutions, which, according to its website, “is pleased to serve police, military and security agencies in the E.U. And [sic] in other parts of the world.”
McSira is hosting software for various versions of Cellebrite’s Universal Forensic Extraction Device (UFED), hardware that investigators can use to bypass the security mechanisms of phones, and then extract data from them. McSira allows anyone to download firmware for the UFED Touch, and a PC version called UFED 4PC. It is also hosting pieces of Cellebrite forensic software, such as the UFED Cloud Analyzer. This allows investigators to further scrutinize seized data.
Tomi Engdahl says:
Nuclear Plants Leak Critical Alerts In Unencrypted Pager Messages
https://science.slashdot.org/story/16/10/26/0523212/nuclear-plants-leak-critical-alerts-in-unencrypted-pager-messages
A surprisingly large number of critical infrastructure participants — including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers — rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage. Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware. In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. A heating, venting, and air-conditioning system, for instance, used an e-mail-to-pager gateway to alert a hospital to a potentially dangerous level of sewage water. Meanwhile, a supervisory and control data acquisition system belonging to one of the world’s biggest chemical companies sent a page containing a complete “stack dump” of one of its devices. Other unencrypted alerts sent by or to “several nuclear plants scattered among different states
Nuclear plants leak critical alerts in unencrypted pager messages
A surprising number of critical infrastructure participants do, too, study finds.
http://arstechnica.com/security/2016/10/nuclear-plants-leak-critical-alerts-in-unencrypted-pager-messages/
A surprisingly large number of critical infrastructure participants—including chemical manufacturers, nuclear and electric plants, defense contractors, building operators and chip makers—rely on unsecured wireless pagers to automate their industrial control systems. According to a new report, this practice opens them to malicious hacks and espionage.
Earlier this year, researchers from security firm Trend Micro collected more than 54 million pages over a four-month span using low-cost hardware.
Other unencrypted alerts sent by or to “several nuclear plants scattered among different states” included:
Reduced pumping flow rate
Water leak, steam leak, radiant coolant service leak, electrohydraulic control oil leak
Fire accidents in an unrestricted area and in an administration building
Loss of redundancy
People requiring off-site medical attention
A control rod losing its position indication due to a data fault
Nuclear contamination without personal damage
The researchers also demonstrated that it’s trivial to inject counterfeit messages into the paging systems used by many of the organizations they monitored. The spoofed messages worked on systems using both the Post Office Code Standardization Advisory Group protocol and another one known as FLEX. The spoofing simulation was performed in a secure environment to ensure the bogus messages weren’t received by real pager systems.
It’s ironic that light-weight text messaging programs such as Signal or WhatsApp contain more privacy controls than the alert mechanisms used by many nuclear plants and other critical infrastructure providers.
A TrendLabs Research Paper
Leaking Beeps: Unencrypted Pager Messages in Industrial Environments
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_leaking-beeps-industrial.pdf
Tomi Engdahl says:
BIND Flaw Patched in 2013 Affects Linux Distros
http://www.securityweek.com/bind-flaw-patched-2013-affects-linux-distros
A vulnerability patched by the Internet Systems Consortium (ISC) in the BIND DNS software several years ago has been found to affect Linux distributions that use packages derived from BIND releases prior to the security hole being fixed.
The high severity vulnerability, tracked as CVE-2016-2848, was discovered by Toshifumi Sakaguch and disclosed by ISC last week. The issue can be exploited remotely to cause a denial-of-service (DoS) condition on both authoritative and recursive servers by sending them malformed DNS packets.
The vulnerability was patched in ISC-distributed versions with the change tracked as #3548, first included in BIND 9 releases in May 2013. The problem is that some software vendors, including several OS distributions, have been using repackaged versions forked from ISC’s source code before the fix was implemented.
Tomi Engdahl says:
Russia unveils ‘Satan 2′ missile powerful enough to ‘wipe out UK, France or Texas’
http://www.telegraph.co.uk/news/2016/10/25/russia-unveils-satan-2-missile-powerful-enough-to-wipe-out-uk-fr/
Russia has released the first image of its new nuclear missile, a weapon so powerful that it could wipe out nearly all of the United Kingdom or France.
The RS-28 Sarmat thermonuclear-armed ballistic missile was commissioned in 2011 and is expected to come into service in 2018.
Russian media report that the missile will weigh up to 10 tons with the capacity to carry up to 10 tons of nuclear cargo.
Tomi Engdahl says:
‘Non-state actors*’ likely to blame for Dyn mega-attack – US intel chief
Pesky kids
http://www.theregister.co.uk/2016/10/26/clapper-dyn-attack/
A senior US intelligence chief has said that “non-state actors” – bored kids or crooks* – are likely behind the high-profile attack on DNS provider Dyn last week.
A massive DDoS attack against Dyn resulted in multiple high-profile websites – including Twitter, Amazon and Netflix – to be unavailable last Friday. US director of National Intelligence James Clapper said that preliminary indications suggested that “non-state actors” rather than spies had launched the assault.
Clapper offered the assessment, which he hedged with caveats, in an interview with CBS television host Charlie Rose at the Council on Foreign Relations in New York.
Asked if the internet attack was done by a non-state actor, Clapper said: “Yes, but I wouldn’t want to be conclusively definitive about that yet,” adding, “That’s an early call.”
A group called New World Hackers has claimed responsibility for a DDoS attack. The same group previously took credit for a DDoS attack on the BBC late last year.
“We’ve had this disparity or contrast between the capability of the most sophisticated cyber actors, nation-state cyber actors, which are clearly Russia and China, but have to this point perhaps more benign intent,” Clapper said. “And then you have other countries who have a more nefarious intent. And then even more nefarious are non-nation-state actors,” he added.
Tomi Engdahl says:
Akamai rides on the botnet’s back to US$584 million quarter
Security biz up, content distribution down
http://www.theregister.co.uk/2016/10/26/akamai_q3_2016_results/
Cloud computing security has driven a 6 per cent year-on-year revenue growth for Akamai, up from $US551 million last year to $584 million for Q3 2016.
The company’s third quarter financial report shows its performance and security business unit turned in $345 million in revenue, 19 per cent higher than for the same quarter in 2015.
Its cloud security unit shot up 46 per cent year-on-year, from $65 million in Q3 2015 to $95 million.
Not everybody hates botnets, it seems: CEO Dr Tom Leighton said fighting off DDoS attacks like those that hammered Dyn is “an area where Akamai’s unique architecture and ongoing investments in global scale and security innovation continue to make a critical difference”.
Tomi Engdahl says:
AT&T Is Spying on Americans for Profit, New Documents Reveal
http://www.thedailybeast.com/articles/2016/10/25/at-t-is-spying-on-americans-for-profit.html?via=desktop&source=Reddit
The telecom giant is doing NSA-style work for law enforcement—without a warrant—and earning millions of dollars a year from taxpayers.
Hemisphere is a secretive program run by AT&T that searches trillions of call records and analyzes cellular data to determine where a target is located, with whom he speaks, and potentially why.
In 2013, Hemisphere was revealed by The New York Times and described only within a Powerpoint presentation made by the Drug Enforcement Administration. The Times described it as a “partnership” between AT&T and the U.S. government; the Justice Department said it was an essential, and prudently deployed, counter-narcotics tool.
However, AT&T’s own documentation—reported here by The Daily Beast for the first time—shows Hemisphere was used far beyond the war on drugs to include everything from investigations of homicide to Medicaid fraud.
Hemisphere isn’t a “partnership” but rather a product AT&T developed, marketed, and sold at a cost of millions of dollars per year to taxpayers. No warrant is required to make use of the company’s massive trove of data, according to AT&T documents, only a promise from law enforcement to not disclose Hemisphere if an investigation using it becomes public.
These new revelations come as the company seeks to acquire Time Warner in the face of vocal opposition saying the deal would be bad for consumers.
While telecommunications companies are legally obligated to hand over records, AT&T appears to have gone much further to make the enterprise profitable, according to ACLU technology policy analyst Christopher Soghoian.
“Companies have to give this data to law enforcement upon request, if they have it. AT&T doesn’t have to data-mine its database to help police come up with new numbers to investigate,” Soghoian said.
AT&T has a unique power to extract information from its metadata because it retains so much of it. The company owns more than three-quarters of U.S. landline switches, and the second largest share of the nation’s wireless infrastructure and cellphone towers, behind Verizon.
Documents show AT&T secretly sells customer data to law enforcement
https://www.theguardian.com/business/2016/oct/25/att-secretly-sells-customer-data-law-enforcement-hemisphere
According to company documents revealed by the Daily Beast, data from Hemisphere program is sold to police departments for $100,000 to $1m a year
Telecommunications giant AT&T is selling access to customer data to local law enforcement in secret, new documents released on Monday reveal.
The program, called Hemisphere, was previously known only as a “partnership” between the company and the US Drug Enforcement Agency (DEA) for the purposes of counter-narcotics operations.
It accesses the trove of telephone metadata available to AT&T, who control a large proportion of America’s landline and cellphone infrastructure. Unlike other providers, who delete their stored metadata after a certain time, AT&T keeps information like call time, duration, and even location data on file for years, with records dating back to 2008.
But according to internal company documents revealed Monday by the Daily Beast, Hemisphere is being sold to local police departments and used to investigate everything from murder to Medicaid fraud, costing US taxpayers millions of dollars every year even while riding roughshod over privacy concerns.
Tomi Engdahl says:
Three LibTIFF bugs found, only two patched
Buffer overruns, remote code execution, you know the drill
http://www.theregister.co.uk/2016/10/27/three_libtiff_bugs_found_only_two_patched/
LibTIFF has three bugs that let booby-trapped files pwn a target – and only two of them have been patched.
Described by Cisco Talos’ Tyler Bohan, the bugs are a heap buffer overflow in compression tables (CVE-2016-5652), a parsing error (CVE-2016-8331), and a heap buffer overflow (CVE-2016-5875).
The Talos post says the company found the bugs in LibTiff – 4.0.6, released in September.
Tomi Engdahl says:
Joomla! squashes critical privileged account creation holes
Borked two factor authentication also fixed
http://www.theregister.co.uk/2016/10/27/joomla_squashes_critical_privileged_account_creation_holes/
Joomla! has been downloaded more than 75 million times and runs on big ticket sites including McDonalds, Ikea, General Electric, Linux.com, and major news sites.
WordPress leads the open-source content management pack with some 140 million downloads.
The revealed twin account creation (CVE-2016-8870) and elevated privileges (CVE-2016-8869) vulnerabilities are still recommended for immediate patching.
Versions 3.4.4 through to 3.6.3 are affected.
“We strongly recommend that you update your sites immediately,” Joomla! security staff say.
Tomi Engdahl says:
Cyber-crooks menacing hospitals are put under the microscope
IT defense overall must be prioritized, says Intel Security’s Raj Samani
http://www.theregister.co.uk/2016/10/26/cybercrime_health_sector/
Cybercriminals are spreading into the healthcare sector even though the price per stolen medical record remains lower than for comparable financial account crime.
From hospitals becoming victims of hacking attacks to Olympic champions getting their health records leaked by hackers, the health sector has become a major target for cybercrime.
The most lucrative cybercrime targeting healthcare industry data is aimed at stealing industrial secrets from pharmaceutical or biotech firms. There’s a “concerted effort” by cybercriminals to recruit health care industry insiders as accomplices in these thefts. Efforts to recruit insiders are far from subtle and can include brazen online ads and offers sent through social media, according to a new study (PDF) by Intel Security.
Doctored records
Away from the top end of the scale there’s even a market for the health records of ordinary people. Stolen medical records are available for sale from $0.03 to $2.42 per record, McAfee Labs reports. Comparable stolen financial account records are available for around $14.00 to $25.00. And credit and debit card account data is available for $4.00 to $5.00 per account record.
Protected health information could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories. Easier-to-monetize credit card information commands a greater price on black markets, at least for the immediate future.
“In one case, a relatively non-technically proficient cyber thief purchased tools to exploit a vulnerable organization, leveraged free technical support to orchestrate his attack, and then extracted more than 1,000 medical records that the service provider said could net him about $15,564,” Intel Security reports.
http://www.mcafee.com/us/resources/reports/rp-health-warning.pdf
Tomi Engdahl says:
Data ethics in IoT? Pff, you and your silly notions of privacy
Children will die, companies will shout ‘sue me then,’ and you’ll still be using Facebook
http://www.theregister.co.uk/2016/10/26/iot_data_ethics_talk/
IoT World Congress The future of personal data sharing is that “everything will become as-a-service” and nobody will own any property outright ever again, a gloomy lawyer told a wide-ranging data ethics discussion at IoT Solutions World Congress this afternoon in Barcelona.
Painting this cheery picture was Giulio Coraggio of international law firm DLA Piper. He was sitting on a panel discussion about data ethics, along with half a dozen other speakers who all disagreed about the ethics of data use and privacy within the Internet of Things.
“With the digital innovation we will not own anything. We will not own our car, there will be car sharing; we will not own our house. Everything will become as-a-service,” cried Coraggio. “People who now don’t care much about their privacy, they will see their privacy as their main asset.”
Uplifting stuff, for sure. He makes a good point: the old adage about the user himself being the saleable product of free-to-use services holds true today, looking at social media networks.
“We should think about data ethics as an industry-wide obligation,” countered David Blaszkowski, a former regulator and the MD of the Financial Services Collaborative. “The IoT industry has the chance from the beginning to do the right thing.”
Tomi Engdahl says:
Schneider Electric plugs gaping hole in industrial control kit
Provider Schneider would’ve had hackers inside ‘er
http://www.theregister.co.uk/2016/10/27/schneider_plugs_gaping_industrial_control_security_flaw/
A vulnerability in Schneider Electric’s industrial controller management software created a possible mechanism for hackers to plant malicious code on industrial networks.
Industrial cybersecurity firm Indegy discovered the recently resolved flaw in Schneider Electric’s flagship industrial controller management software, Unity Pro. “The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges,” Indegy warned in an advisory.
“It is good that cybersecurity companies are disclosing these vulnerabilities and following good ethical disclosure practices, but no one should be surprised that such vulnerabilities exist,” Zahn said. “This is tip of the iceberg stuff as most control systems in the field today were designed without cybersecurity as even a consideration.”
New SCADA Vulnerability Enables Remote Control of ICS Networks
https://www.indegy.com/blogs/new-scada-vulnerability-enables-remote-control-of-ics-networks/
As part of our ongoing R&D efforts we occasionally discover vulnerabilities in industrial controllers (PLCs, RTUs, DCS etc.) and software tools. Recently, the Indegy Labs team discovered a vulnerability in Unity Pro, Schneider Electric’s flagship software application for managing and programming industrial controllers. Before we get into the specifics, it’s important to point out that unlike in IT networks, a vulnerability is not necessarily required to compromise controllers in an ICS network. That’s because:
Industrial controllers lack authentication
Industrial communication protocols lack encryption
Surprising as it might sound, anyone who has access to the control network also has unfettered access to all of its industrial controllers. This means that anyone who can ping a controller can probably send it a stop command or reprogram the device to cause operational disruptions.
Nonetheless, some vulnerabilities can pose exceptional risk to ICS networks.
The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.
Our Recommendations
The vulnerability in the simulator component of Unity Pro enables attackers to natively access industrial controllers and use a manipulated .apx file to execute malicious code. Since the delivery of the .apx file is an engineering control-plane activity, executed over a proprietary protocol, it is difficult to identify and detect.
The use of proprietary protocols for control-plane activities is a common yet misunderstood practice in ICS networks. Unlike IT networks where data-plane and control-plane activities are executed over the same communication protocols, in ICS networks different protocols are used for these activities.
Widely known protocols like MODBUS, PROFINET and DNP3, are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place. The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs) are executed over proprietary, vendor specific protocols which are unnamed, undocumented, and unmonitored.
To identify such attacks and ensure the integrity of critical control devices, the proprietary control-plane protocols of ICS networks must be monitored.
Tomi Engdahl says:
Cyber criminals will open new doors
Cyber criminals will quickly reach new attack channels, but the means of protection will also diversify.
One side effect of IoT is that the speed at which cyber criminals open doors increases. This is based on the fact that, for example, Gartner estimates that the number of devices on the network will triple by 2020.
In many devices the level of security is very weak, or it may be missing altogether. Unprotected devices are the perfect tool for, among other things, denial of service attacks. A denial of service attack revealed in September was held to be the world’s largest, with unconfirmed reports that it utilized nearly 150,000 web cameras and digital video recorders.
Targeted attacks, in turn, are carefully tailor-made operations designed to move information silently out of the organization’s internal network.
Services are becoming more common on the defense side.
For example, operators provide a service that detects and automatically mitigates denial of service attacks, or filters malicious software, for example.
Source: http://www.iltasanomat.fi/dna-business/art-2000001934678.html
Tomi Engdahl says:
Nixu acquires Swedish security consultant – “We want to grow rapidly in Sweden”
The security company Nixu is buying the Swedish computer security consulting company Safeside Solutions AB.
The net debt-free acquisition price is approximately EUR 1.75 million.
Safeside’s net sales for 2015 amounted to approximately EUR 2.4 million and, according to Nixu, the company is growing profitably.
“We want to grow rapidly in Sweden to become one of the largest service providers in cyber security, and finding already existing teams and integrating them is a quick way to boost growth,” Nixu CEO Petri Kairinen says.
Source: http://www.tivi.fi/Kaikki_uutiset/nixu-ostaa-ruotsalaisen-tietoturvakonsultin-haluamme-kasvaa-ruotsissa-nopeasti-6594825
Tomi Engdahl says:
Web Bluetooth Opens New Abusive Channels
https://it.slashdot.org/story/16/10/27/154229/web-bluetooth-opens-new-abusive-channels
Recently, browsers have started to ship the Web Bluetooth API, soon to become a component of the Web of Things. Web Bluetooth will allow local user devices to be connected with remote web sites. While offering new development and innovation possibilities, it may also open a number of frightening security and privacy risks such as private data leaks, abuses and complexity. Web Bluetooth as currently defined by W3C may introduce unexpected data leaks such as location and personally-identifiable data.
The fascinating and frightening future of the Internet of Things
http://www.dailydot.com/layer8/web-bluetooth-api-privacy-security/
The Internet of Things is about to get more powerful—and potentially more dangerous.
Earlier this year, developers began rolling out the Web Bluetooth API, which is a foundational component of the evolving Web of Things, the application layer of the IoT. With Web Bluetooth, any Bluetooth Low Energy device—think smart lightbulbs, appliances, health monitors, door locks, and more—will be able to connect to the web through your browser.
Web Bluetooth enables you to control your Bluetooth devices directly from your browser without the need for a special app. But it also lets you give websites permission to connect to your IoT devices.
Integrating Bluetooth with the web means developers can make apps that work across platforms (like iOS, Android, or Windows), and users can even avoid having to download apps at all.
“It’s going to democratize development,” Steve Hegenderfer, director of Developer Programs at the Bluetooth Special Interest Group, told the Daily Dot in a phone interview. “From a developer’s perspective,” he added, “it opens up a lot of different new scenarios.”
Easier app development is only one part of why the tech world is buzzing with excitement about Web Bluetooth. The second part—allowing websites to connect with your IoT devices—may open virtually endless possibilities.
W3C Web Bluetooth API Privacy
https://blog.lukaszolejnik.com/w3c-web-bluetooth-api-privacy/
Web of Things
https://en.wikipedia.org/wiki/Web_of_Things
The Web of Things (WoT) is a term used to describe approaches, software architectural styles and programming patterns that allow real-world objects to be part of the World Wide Web. Similarly to what the Web (Application Layer) is to the Internet (Network Layer),[1] the Web of Things provides an Application Layer that simplifies the creation of Internet of Things applications.
Rather than re-inventing completely new standards, the Web of Things reuses existing and well-known Web standards[3][4] used in the programmable Web (e.g., REST, HTTP, JSON), semantic Web (e.g., JSON-LD, Microdata, etc.), the real-time Web (e.g., Websockets) and the social Web (e.g., oauth or social networks).[6]
Research in the Web of Things usually considers things in the broad sense of physical objects. Things can include (but are not limited to) tagged objects (RFID, NFC, QR codes, Barcodes, Image Recognition)[9] to Wireless Sensor Networks (WSN), machines, vehicles and consumer electronics.[5]
Tomi Engdahl says:
Web devs want to make the Internet of S**t worse. Much worse
The W3C wants to hook your bluetooth s**t to Websites, because shiny
http://www.theregister.co.uk/2016/10/28/web_devs_want_to_make_the_internet_of_st_worse/
Vendors including Google have spent a few years crafting an API they hope to push into browsers that will make this month’s Internet of Things conflagrations pale by comparison.
There’s not been much noise about the Web Bluetooth API, and thankfully it’s not yet accepted as a standard.
First, the API itself.
“It will enable a web browser to contact the user’s connected devices such as smartphones, kettles, toasters, TVs, thermostats, heart rate monitors, and so on. Imagine a world where every web site can connect to devices near you – or on you.”
Surely, given the dire state of IoT security, that paragraph alone should be sufficient, but Olejnik is thorough, so there’s much, much more.
His first issue is the simple question of permission: the boffins driving the API believe users will know the difference between pairing two devices and pairing a device with a Web site; Olejnik isn’t so sanguine.
Such is the extent of the API’s collection capabilities, Olejnik suggests the Web site owner could be subject to laws like Europe’s General Data Protection Regulation.
And then there’s hacking: the API “will decrease the entry barrier” for attackers, he writes, and if an attacker hijacks a user’s browser, “might even become channels for attacks directed by someone else.”
Tomi Engdahl says:
Troy Hunt:
Health data of 550K Australian blood donors made public in Red Cross data breach, believed to be Australia’s largest ever leak of personal data — I don’t give blood as much as I should. My wife has a much better track record than me, regularly donating not just blood but plasma and platelets as well.
The Red Cross Blood Service: Australia’s largest ever leak of personal data
https://www.troyhunt.com/the-red-cross-blood-service-australias-largest-ever-leak-of-personal-data/
I frequently have people contact me with data breaches. Often this is after they’ve received the data from someone else as part of a trade, sometimes it’s provided by the individual who hacked into the system itself and occasionally, it’s because they simply found the data lying exposed somewhere.
On Tuesday morning, I was contacted by someone who fell into that last category. He claimed to have data from donateblood.com.au and he provided me with a snippet to prove it – a snippet of my own data. There was my name, my email, gender, date of birth, phone number and the date I’d last donated. He then provided me with the entire data set, a 1.74GB file with 1,286,366 records in a “donor” table which was just one out of a total of 647 different tables.
I queried the sender of the information about how he’d come across the data, expecting it to be as a result of an attack using a technique such as SQL injection, widely regarded as the most serious risk to web security today and frequently the “vector” which leads to the disclosure of data like this. But it actually turned out to be much simpler than that to the point where I initially had trouble grasping what he was saying.
What he’d actually been doing is simply scanning internet IP addresses and looking for publicly exposed web servers returning directory listings. This is literally as simple as going to an address such as http://127.0.0.1 and seeing a list of all the files on the system (sample address only).
It can be difficult to know how to proceed after making a discovery like this. I could go direct to the Red Cross who runs the website but there’s always the risk of it being swept under the carpet.
I could go to the Australian Federal Police but frankly, they’ve got enough really serious crime to deal with as it is. I could go to the media and it would certainly get immediate attention, but it would catch the Red Cross off guard and particularly given the fantastic work they do for the community, that’s not something I wanted to see happen.
Ultimately, I elected to reach out to a contact at AusCERT. Many countries have their own CERT (Computer Emergency Response Team) and our local one was a channel I trusted to both take the incident seriously and handle it ethically.
I spoke to AusCERT Tuesday afternoon and outlined the situation. They reached out immediately to the Red Cross and got back in touch with me Wednesday morning.
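The exposure described in the post above was an ordinary auto-generated directory listing. As an added example (not from Troy Hunt's post or the Red Cross incident), here is a small Python audit helper a defender can run against web servers they own to spot such listings before anyone else does; the host names and sample responses are constructed, not captured.

```python
"""Audit your own web servers for server-generated directory listings.

Added example, not code from Troy Hunt's post. The detection heuristics key
on the markup emitted by Apache's mod_autoindex, nginx's autoindex module and
IIS directory browsing. Remediation is a server setting, not a patch:
Apache  -> "Options -Indexes" in the <Directory> block
nginx   -> "autoindex off;" (the default) in the location block
IIS     -> disable "Directory Browsing" for the site
"""
import re
from urllib.request import Request, urlopen

# Signatures of the auto-index templates shipped by common servers.
_TITLE_OR_H1 = re.compile(r"<(title|h1)>\s*Index of\s+/", re.I)          # Apache, nginx
_IIS_HEADING = re.compile(r"<(title|h1)>[^<]+ - /[^<]*</(?:title|h1)>", re.I)  # "host - /path/"
_PARENT_LINK = re.compile(r">\s*(Parent Directory|\.\./|\[To Parent Directory\])\s*<", re.I)
_ANCHOR = re.compile(r'<a\s+href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
_PARENT_TEXT = {"parent directory", "../", "[to parent directory]"}


def looks_like_directory_listing(body: str) -> bool:
    """True when the HTML matches a server-generated index page."""
    heading = bool(_TITLE_OR_H1.search(body) or _IIS_HEADING.search(body))
    parent = bool(_PARENT_LINK.search(body))
    # Require both the heading and a parent-directory link so that an
    # ordinary page that merely mentions "Index of" is not flagged.
    return heading and parent


def listed_entries(body: str) -> list:
    """Names of the files and directories a listing exposes ([] if none)."""
    if not looks_like_directory_listing(body):
        return []
    names = []
    for href, text in _ANCHOR.findall(body):
        label = re.sub(r"<[^>]+>", "", text).strip()
        # Skip Apache's column-sort links ("?C=N;O=D") and the parent link.
        if href.startswith("?") or not label or label.lower() in _PARENT_TEXT:
            continue
        names.append(label)
    return names


def _http_get(url: str, timeout: float = 5.0) -> str:
    """Fetch the first 64 KiB of a page (enough to see the index markup)."""
    req = Request(url, headers={"User-Agent": "dirlisting-audit/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read(65536).decode("utf-8", "replace")


def audit(urls, fetch=_http_get) -> dict:
    """Map each URL to the names it exposes: [] if no listing, None on error."""
    findings = {}
    for url in urls:
        try:
            findings[url] = listed_entries(fetch(url))
        except Exception:  # unreachable host, TLS error, timeout, ...
            findings[url] = None
    return findings


# Constructed sample responses in the shape the three servers produce.
APACHE_SAMPLE = """<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=S;O=A">Size</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>-</td></tr>
<tr><td><a href="export.sql.bak">export.sql.bak</a></td><td>1.7G</td></tr>
</table></body></html>"""
NGINX_SAMPLE = """<html><head><title>Index of /static/</title></head>
<body bgcolor="white"><h1>Index of /static/</h1><hr><pre><a href="../">../</a>
<a href="app.js">app.js</a>
<a href="config.json">config.json</a>
</pre><hr></body></html>"""
IIS_SAMPLE = """<html><head><title>www.example.test - /uploads/</title></head>
<body><H1>www.example.test - /uploads/</H1><hr><pre>
<A HREF="/">[To Parent Directory]</A><br>
<A HREF="/uploads/photo.jpg">photo.jpg</A><br></pre></body></html>"""
NORMAL_SAMPLE = """<html><head><title>Welcome</title></head>
<body><p>Nothing to see here. Our index of services is elsewhere.</p></body></html>"""

if __name__ == "__main__":
    import sys
    for url, names in audit(sys.argv[1:]).items():
        state = "ERROR" if names is None else ("EXPOSED" if names else "ok")
        print(f"{state:8} {url} {names or ''}")
```

Run it as `python audit.py https://host.you.own/some/path/` for each path you serve; anything reported as EXPOSED should have listings disabled with the server setting noted in the module docstring.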
Tomi Engdahl says:
Charles Bovaird / CoinDesk:
Zcash, a cryptocurrency based on Zerocash protocol that promises anonymous transactions using zero-knowledge proofs, launches October 28 — “Deafening.” — That’s how market analyst Arthur Hayes describes the enthusiasm ahead of the upcoming launch of a new digital currency called Zcash – and he’s not alone.
Investors Are Going Wild for a Digital Currency Called Zcash (And It’s Not Even Out Yet)
http://www.coindesk.com/investors-going-crazy-new-digital-currency-called-zcash/
Tomi Engdahl says:
Jacob Kastrenakes / The Verge:
FCC approves privacy rules requiring ISPs get customer permission before sharing sensitive data like location, financial information, and browsing history
Internet providers will soon need permission to share your web browsing history
New privacy rules require opting-in to sensitive sharing
http://www.theverge.com/2016/10/27/13428976/fcc-passes-isp-privacy-rules
In a win for privacy advocates, the FCC voted this morning to place new restrictions on internet providers that limit the information they can share about their subscribers.
When the rules go into place, likely sometime early next year, internet providers will be required to get explicit permission from subscribers before sharing “sensitive” information about them, such as their browsing history, their app usage, their location, and the content of emails and other communications.
This is all particularly revealing data, and none of it has been governed by FCC privacy rules until now. That means internet providers have been able to share or sell it to their partners, who might have used the information to advertise their own products and services to those customers.
Tomi Engdahl says:
Do Automakers Still See Hackers as a Hoax?
http://www.eetimes.com/document.asp?doc_id=1330684&
Earlier this week, when the federal government’s automotive safety regulator laid out cybersecurity guidelines for carmakers, U.S. Transportation Secretary Anthony Foxx said that cybersecurity is “a safety issue and a top priority at the department.”
Clearly, the government’s agency hopes to get ahead of potential attacks on vehicles, well before cybersecurity blows up in the face of connected cars. There is fear among regulators that a cybersecurity failure could irreparably damage the future of highly automated vehicles.
But never mind the fed’s concerns.
As it turns out, some of the best minds in the automotive industry don’t believe hackers are interested in cars.
This perception is clear in survey results released Thursday by Ponemon Institute, the leading independent security research organization.
U.S. DOT issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity
http://www.nhtsa.gov/About-NHTSA/Press-Releases/nhtsa_cybersecurity_best_practices_10242016
Guidance covers cybersecurity best practices for all motor vehicles, individuals and organizations manufacturing and designing vehicle systems and software
Tomi Engdahl says:
The cloud will be a risk for users: The cloud is becoming insecure – extortion and IoT openings
Security company Check Point predicts that extortion malware will be as big a threat to security as denial of service attacks are now. Attacks will also hit cloud services users. Security problems can make the Internet of Things less safe and more insecure.
Critical infrastructure came under attack, for example in Ukraine, where the program that struck the power plant side was called Black Energy. The information system of Warsaw’s airport was hit by a denial of service attack, and in the United States the Bowman dam SCADA system was attacked.
Cybercriminals took advantage of the IoT by utilizing the spread of network-connected home electronics and small appliances. Millions of security cameras and other devices were harnessed for very large-scale denial of service attacks this autumn.
Sources:
http://www.uusiteknologia.fi/2016/10/28/pilvesta-tulossa-turvaton-kiristysta-iot-aukkoja/
http://etn.fi/index.php?option=com_content&view=article&id=5308:pilvesta-tulee-riski-kayttajille&catid=13&Itemid=101
Tomi Engdahl says:
Security Becomes A Multi-System Issue
http://semiengineering.com/security-becomes-a-multi-system-issue/
Design teams will have to bake strategies in from the start, no matter how insignificant the device.
The fallout from the Mirai malware attack last week was surprising, given that it was published on the Internet several months ago as open-source. Despite numerous warnings, it still managed to cause denial of service attacks at Amazon, Netflix, and a slew of other companies that are supposed to be able to fend off these kinds of attacks.
The good news is that it has more people talking about the issue. But the real challenge isn’t stopping one attack. It’s packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process.
Just as devices get more sophisticated, so do hackers. Being able to stop attacks with a thumbprint or a password isn’t realistic anymore. It now requires a rethinking of the fundamental architecture for any connected device, which is basically everything with a power supply these days. The good and bad of a connected world is that everything and everyone is connected. And the best way to deal with that effectively is at the system design level.
The reality is that security breaches can cause the same kinds of physical harm as a faulty wiring scheme, even with devices that in themselves are benign. Those risks increase significantly when they are connected together into systems of systems that are also connected to safety-critical systems. It’s time to look at this at a multi-system, multi-disciplinary level and to tackle it with the same kind of innovation that made complex semiconductor design a reality. Otherwise, we literally could be playing with fire.
Tomi Engdahl says:
Alan Yuhas / Guardian:
“Celebgate” hacker Ryan Collins sentenced to 18 months in prison after pleading guilty to federal hacking charges and admitting to a two-year phishing scam
Hacker who stole nude photos of celebrities gets 18 months in prison
https://www.theguardian.com/technology/2016/oct/27/nude-celebrity-photos-hacker-prison-sentence-ryan-collins
Ryan Collins ran a two-year phishing scam to gain the passwords of more than 100 people, including Jennifer Lawrence, Rihanna and Avril Lavigne
Collins tricked celebrities into handing him their usernames and passwords by sending his targets fake emails that appeared to be from Apple and Google, Pennsylvania US attorney Bruce Brandler said in a statement. Collins then stole personal information, including nude photos, from his targets, most of whom work in the entertainment industry.
“In some cases,” Brandler’s office said, “Collins would use a software program to download the entire contents of the victims’ Apple iCloud backups. In addition, Collins ran a modeling scam in which he tricked his victims into sending him nude photographs.”
Investigators found that Collins had gained access to at least 50 Apple iCloud accounts and 72 Gmail accounts, many of which belonged to famous women.
In August 2014 images of more than 100 actors, singers and other well known women were posted online, which were variously confirmed and condemned by some of the celebrities and called fakes by others.
On Thursday the US attorney noted, however, that FBI investigators did not uncover evidence linking him to the actual release of private information or photos “or that Collins shared or uploaded the information he obtained”.
Tomi Engdahl says:
All Windows versions potentially exposed to cyberattacks thanks to new code injection Atom Bombing
Alarmingly, the issue cannot be patched since it doesn’t rely on ‘broken or flawed code’, say researchers.
http://www.ibtimes.co.uk/all-windows-versions-potentially-exposed-cyberattacks-thanks-new-code-injection-atom-bombing-1588719
Hackers can potentially target and attack all Windows versions thanks to a new attack mechanism uncovered by security researchers in the Windows OS (operating system). Threat actors could leverage the new technique to inject malicious code onto users’ PCs.
According to security researchers at cybersecurity firm enSilo, a new code injection technique called “Atom Bombing”, which exploits an underlying Windows mechanism called atom tables, can be leveraged to bypass security protocols. Researchers also uncovered that since the issue does not rely on “broken or flawed code” but instead manipulates the design of operating system mechanisms, the issue cannot be patched.
enSilo researcher Tal Liberman said: “AtomBombing affects all Windows versions. In particular, we tested this against Windows 10.
“AtomBombing is performed just by using the underlying Windows mechanisms. There is no need to exploit operating system bugs or vulnerabilities. What we found is that a threat actor can write malicious code into an atom table and force a legitimate program to retrieve the malicious code from the table. We also found that the legitimate program, now containing the malicious code, can be manipulated to execute that code.”
New code injection method exposes all versions of Windows to cyberattack
Updated: To make matters worse, there is no fix
http://www.zdnet.com/article/code-injection-exposes-all-versions-of-windows-to-cyberattack/
Researchers have disclosed a fresh attack against Microsoft’s Windows operating system which can be used to inject malicious code and compromise user PCs.
On October 27, cybersecurity company enSilo’s research team disclosed a practice called “AtomBombing” that can be launched against every version of Windows to bypass current security solutions which protect such systems from malware infections.
The enSilo research team says that by writing malicious code into an atom table and forcing a legitimate program to retrieve this code, security software would not be able to detect attacks using this method.
In addition, legitimate programs which have retrieved this code can then be manipulated to execute malicious functions.
If an attacker used the AtomBombing technique, they would be able to bypass security products, extract sensitive information, take screenshots, and access encrypted passwords.
There are a handful of code injection techniques which are already known and once established, antivirus software vendors update their signatures to prevent endpoint compromise. However, as a new technique, enSilo says this method is able to bypass current antivirus software, alongside all current endpoint infiltration prevention solutions.
As noted by the research team, the only way to potentially mitigate attacks using this tool is to dive deeply into the API and monitor for any suspicious changes.
Tomi Engdahl says:
AtomBombing: Brand New Code Injection for Windows
https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/
Here’s a new code injection technique, dubbed AtomBombing, which exploits Windows atom tables and Async Procedure Calls (APC). Currently, this technique goes undetected by common security solutions that focus on preventing infiltration.
Code injection has been a strong weapon in the hacker’s arsenal for many years. For background on code injection and its various uses in APT type attack scenarios please take a look at:
http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
Tomi Engdahl says:
Mozilla pushes the White House to do more to prevent cyberattacks
http://www.zdnet.com/article/mozilla-calls-on-white-house-to-do-more-to-prevent-cyberattacks/
Two senators are also calling on the government for new policies to ensure the discovery, review, and sharing of security vulnerabilities.
Mozilla is pressing the White House to do more to prevent cyberattacks by revealing details of security vulnerabilities, in an effort to prevent another massive internet outage which last week left millions unable to access major websites and services.
The browser maker’s public policy chief Heather West said in a blog post that governments, companies and users alike “all need to work together to protect Internet security.”
West said that the government should formalize the vulnerabilities equities process (VEP), a system that reviews security flaws and ensures that, when appropriate, flaws are disclosed. In some cases, flaws aren’t disclosed because they can be useful for intelligence purposes. The FBI and NSA use exploits for undisclosed flaws to target computers and networks as part of their foreign intelligence missions.
The drawback is that if those flaws aren’t fixed and are exploited by someone else, that could lead to a massive cyberattack.
Mozilla said that all vulnerabilities should go through the process to ensure that they’re fixed by manufacturers. This includes Mozilla, which makes the Firefox browser, and is used by hundreds of millions of users around the world.
Tomi Engdahl says:
Duckhunting – Stopping Rubber Ducky Attacks
http://hackaday.com/2016/10/28/duckhunting-stopping-rubber-ducky-attacks/
One morning, a balaclava-wearing hacker walks into your office. You assume it’s a coworker, because he’s wearing a balaclava. The hacker sticks a USB drive into a computer in the cube next door. Strange command line tools show up on the screen. Minutes later, your entire company is compromised. The rogue makes a quick retreat carrying a thumb drive in hand.
This is the scenario imagined by purveyors of balaclavas and USB Rubber Duckys, tiny USB devices able to inject code, run programs, and extract data from any system. The best way — and the most common — to prevent this sort of attack is by filling the USB ports with epoxy. [pmsosa] thought there should be a software method of defense against these Rubber Duckys, so he’s created Duckhunter, a small, efficient daemon that can catch and prevent these exploits.
The Rubber Ducky attack is simply opening up a command line and spewing an attack from an emulated USB HID keyboard. If the attacker can’t open up cmd or PowerShell, the attack breaks.
DuckHunter
Prevent RubberDucky (or other keystroke injection) attacks
https://github.com/pmsosa/duckhunt
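One software defence of the kind Duckhunter represents is to watch the pacing of key events: a HID keyboard emulator types its payload far faster than a person. The following is an added example, not Duckhunter’s own code; the thresholds, the key-name vocabulary and the sample key events are constructed assumptions.

```python
"""Keystroke-injection detector keyed on inter-keystroke timing.

Added example; it is not Duckhunter's own code. A Rubber Ducky presents
itself as a HID keyboard and types its payload far faster than any human,
so a daemon that sees the timestamps of key events can flag a run of keys
whose pacing is machine-like before the injected command line completes.
Thresholds and the sample key events below are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean

WINDOW = 8                # number of consecutive keys examined at a time
MAX_INJECT_GAP_S = 0.030  # mean gap below this (~33 keys/s) is not human typing


@dataclass
class KeyEvent:
    t: float    # timestamp in seconds
    key: str    # key name, e.g. "a", "ENTER", "GUI"


def find_injection_bursts(events, window=WINDOW, max_gap=MAX_INJECT_GAP_S):
    """Return (first_index, last_index, keys) for each machine-paced run of keys.

    Every window of `window` consecutive events whose mean inter-key gap is
    below `max_gap` marks its events as suspicious; adjacent marked events are
    merged into one burst. Caveat: password managers and macro tools that type
    on the user's behalf will also trip this and need an allow-list.
    """
    events = sorted(events, key=lambda e: e.t)
    if len(events) < window:
        return []
    flagged = [False] * len(events)
    for i in range(len(events) - window + 1):
        gaps = [events[j + 1].t - events[j].t for j in range(i, i + window - 1)]
        if mean(gaps) < max_gap:
            for j in range(i, i + window):
                flagged[j] = True
    bursts, i = [], 0
    while i < len(events):
        if not flagged[i]:
            i += 1
            continue
        start = i
        while i < len(events) and flagged[i]:
            i += 1
        bursts.append((start, i - 1, " ".join(e.key for e in events[start:i])))
    return bursts


def should_block_keyboard(events):
    """Policy hook: True when at least one injection burst is present."""
    return bool(find_injection_bursts(events))


def constructed_events(with_injection=True):
    """Constructed sample: a human typing 'hello world' at ~150 ms per key,
    then (optionally) a payload opening cmd.exe typed at 5 ms per key."""
    events, t = [], 0.0
    for ch in "hello world":
        events.append(KeyEvent(t, ch))
        t += 0.15
    if with_injection:
        t += 2.0
        for key in ["GUI", "r", "c", "m", "d", ".", "e", "x", "e", "ENTER"]:
            events.append(KeyEvent(t, key))
            t += 0.005
    return events


if __name__ == "__main__":
    for first, last, keys in find_injection_bursts(constructed_events()):
        print(f"injection burst at events {first}-{last}: {keys}")
```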
Tomi Engdahl says:
Jenna McLaughlin / The Intercept:
Sources shed light on how Dubai-based surveillance firm DarkMatter is helping the UAE government track, locate, and hack its citizens
https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/
Tomi Engdahl says:
Bloomberg:
At least 17 firms have marketed surveillance products to law enforcement agencies and oppressive regimes using Twitter’s Firehose data — If you ignore all the self-promotion, ranting, and frog memes, it’s possible to see the Twitter that Jack Dorsey likes to talk about.
How Despots Use Twitter to Hunt Dissidents
Twitter’s ‘firehose’ of a half billion tweets a day is incredibly valuable—and just as dangerous.
https://www.bloomberg.com/news/articles/2016-10-27/twitter-s-firehose-of-tweets-is-incredibly-valuable-and-just-as-dangerous
If you ignore all the self-promotion, ranting, and frog memes, it’s possible to see the Twitter that Jack Dorsey likes to talk about. It’s a “people’s news network,” he wrote in a memo earlier this year—a digital town square that connects voices from around the world. Taken together, the hundreds of billions of tweets that have been created over the past 10 years represent a constantly updating corpus of human conversation.
Nowhere was the promise of Twitter more fully realized than in Saudi Arabia, where the service was embraced as a way to get around government censors. “People do not trust the official media,”
“The only way for us to discuss these issues is through social networks like Twitter,” Aldosari says. “It allows us to create groups of like-minded people.”
But if Twitter provides a rare outlet for criticism of repressive regimes, it’s also useful to those regimes for tracking down and punishing critics. In September 2012 a Saudi Twitter user named Bader Thawab was arrested for tweeting “down with the House of Saud.”
For years, Twitter has offered access to its “Firehose”—the global deluge of tweets, half a billion a day—to a number of companies that monitor social media. Some of those companies resell the information—mostly to marketers, but also to governments and law enforcement agencies around the world. Some of these authorities use the data to track dissidents, as Bloomberg Businessweek has learned through dozens of interviews with industry insiders and more than 100 requests for public records from law enforcement agencies in the U.S.
Tomi Engdahl says:
Bloomberg:
Heads of EU country data protection authorities, Article 29 Working Party, ask Facebook to stop using WhatsApp data
Facebook Told to Stop Exploiting WhatsApp Data During EU Probe
https://www.bloomberg.com/news/articles/2016-10-28/facebook-told-to-stop-exploiting-whatsapp-data-during-eu-probe
EU privacy chiefs say use isn’t in line with terms of service
Yahoo also gets warning over breach of accounts in 2014
Tomi Engdahl says:
Nuclear power plants are still using pagers to communicate, and that’s a big problem
http://www.sciencealert.com/nuclear-power-plants-are-still-using-pagers-to-communicate-and-that-could-be-a-big-problem
Nuclear power plants and other critical infrastructure could be vulnerable to hacking or attacks due to their continued reliance on a technology most young people today wouldn’t even recognise: pagers.
According to a new report, these archaic precursors to mobile phones are still in regular use by workers at nuclear plants, who use them to send messages and alerts about plant operations.
But the danger is that most of these communications have zero security, meaning they can easily be intercepted.
Researchers at tech security firm Trend Micro collected almost 55 million pager messages – called pages – sent over US airwaves during a four-month sting earlier in the year, intercepting sensitive communications from nuclear (and other power) plants, plus chemical plants, defence contractors, and more.
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_leaking-beeps-industrial.pdf
Tomi Engdahl says:
Cyber – The Latest Front on the Election Battlefield
http://www.securityweek.com/cyber-latest-front-election-battlefield
To say that the 2016 U.S. Presidential election cycle has been unusual would be an understatement for a number of reasons. As a security professional, what stands out is the steady stream of cyber security-related incidents, particularly when compared to the U.S. elections of 2012 and 2008. We’ve all read multiple reports of high-profile compromises of party systems, numerous public data leaks, suspected nation-state interference, low-level hacktivism, and fears over the potential compromise of voting systems on Election Day.
Amidst all the noise and sensationalism it can be difficult to understand the true impact and implications of this activity. Mapping cyber events to polling statistics in an attempt to reveal direct correlations between activities intended to weaken a particular candidate’s position and reality is speculative at best. Opinion polls are notoriously volatile and vary greatly depending on the data consulted. It is difficult to know how widely or quickly leaked information reaches the voting public. And, of course, there can be a variety of reasons for polling fluctuations.
Tomi Engdahl says:
Teen Arrested for Cyberattack on 911 Emergency System
http://www.securityweek.com/teen-arrested-cyberattack-911-emergency-system
An 18-year-old teen from Arizona was arrested this week after one of his iOS exploits caused serious disruption to 911 emergency systems.
According to the Maricopa County Sheriff’s Office, Meetkumar Hiteshbhai Desai was booked on three counts of Computer Tampering, which in this case is a Class 2 felony, considered an extremely serious crime in Arizona and other states, due to the fact that it involved critical infrastructure.
The Maricopa County Sheriff’s Office Cyber Crimes Unit launched an investigation after being notified of disruption to the 911 service in the Phoenix metro area and possibly in other states.
Desai apparently learned of an iOS bug that can be exploited to manipulate devices, including triggering pop-ups, opening email, and abusing phone features. The teen created several exploits and published one of them on a website, linking to it from his Twitter account in an effort to prank his followers.
Researchers revealed last month that 911 emergency services in a U.S. state can be disrupted by a botnet powered by only 6,000 smartphones.
Hackers Can Disrupt 911 Services With Small Smartphone Botnet
http://www.securityweek.com/hackers-can-disrupt-911-services-small-smartphone-botnet
Researchers have demonstrated that a botnet powered by only 6,000 smartphones is enough to cause serious disruption to the 911 emergency services of a U.S. state via what is known as a telephony denial-of-service (TDoS) attack.
When people in the United States dial the 911 emergency number, their telecom provider connects them to the enhanced 911 (E911) network, which routes the call to the nearest public safety answering point (PSAP), the call center responsible for dispatching police, firefighting and ambulance services.
According to researchers of the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel, emergency services can be easily disrupted by malicious actors with a fairly small distributed denial-of-service (DDoS) botnet.
One major problem is that the FCC requires wireless carriers to forward 911 calls to PSAP centers without going through the regular process of identifying callers and determining their subscriber status. This makes TDoS attacks launched from mobile devices more difficult to mitigate as attackers can randomize the phone’s identifiers in an effort to prevent blacklisting.
Tomi Engdahl says:
What’s the Fix for IoT DDoS Attacks?
http://www.securityweek.com/whats-fix-iot-ddos-attacks
DynDNS (or just Dyn now) got blasted with #DDoS twice last Friday. Since Dyn is the major DNS provider for Twitter, Github, and Spotify, the knock-on effects have had a global reach.
But seriously, Dyn is a big provider, and their being offline has real impact. PagerDuty is one of the affected sites, and many people rely on alerts from their service. No one knows many details about the Dyn attacks yet.
No one has claimed responsibility, and Dyn has been somewhat quiet about the attack vectors, but has said that possibly 100,000 hijacked connected devices could have been used in the attack.
The attacks could be fallout from the Mirai IoT Botnet assault against Brian Krebs earlier this month. As Krebs himself notes, the attacks started within hours of a DynDNS researcher, Doug Madory, presenting a talk (video link here) at NANOG about DDoS attacks. Also, according to Krebs, the 620GB Mirai attack against krebsonsecurity.com came just hours after he and Madory released an article looking into some of the shady dealings in the DDoS-for-hire industry.
Of course everyone is wondering if the IoT botnet, Mirai, is playing a part in the Dyn attack. Even if it is, the attacker could be anyone, as the Mirai source code and helpful readme post were released to the world a week ago, and are still available on Github (if you can get there right now).
Nastier HTTP GET Floods
HTTP GET floods were already pernicious. For years, attackers have been able to disable web sites by sending a flood of HTTP requests for large objects or slow database queries. Typically, these requests flow right through a standard firewall because hey, they look just like normal HTTP requests to most devices with hardware packet processing. The Mirai attack code takes it a step further by fingerprinting cloud-based DDoS scrubbers and then working around some of their HTTP DDoS mitigation techniques (such as redirection).
DNS Water Torture
The Mirai bot includes a “water torture” attack against a target DNS server. This technique is different from the regular DNS reflection and amplification attacks as it requires significantly fewer queries to be sent by the bot, letting the ISP’s recursive DNS server perform the attack on the target’s authoritative DNS server. In this attack, the bot sends a well-formed DNS query containing the target domain name to resolve, while appending a randomly generated prefix to the name. The attack is effective when the target DNS server becomes overloaded and fails to respond. The ISP’s DNS servers then automatically retransmit the query to try another authoritative DNS server of the target organization, thus attacking those servers on behalf of the bot.
Tunneled Attacks
GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point links over an IP network. Ironically, GRE tunnels are often used by DDoS scrubbing providers as part of the mitigation architecture to return clean traffic directly to the protected target.
The Mirai botnet code includes GRE attacks with and without Ethernet encapsulation.
Updated Layer 4 Attacks
According to Mirai’s creator, the so-called “TCP STOMP” attack is a variation of the simple ACK flood intended to bypass mitigation devices.
So, Doc, is there a fix?
At a SecureLink conference last week in Brussels, Mikko Hypponen, Chief Risk Officer of F-Secure, was asked how the IoT botnet should be stopped. His answer was, while he himself is not a huge fan of more regulation, regulation will likely be the fix for IoT security. He pointed out that consumer devices are already regulated for safety and efficiency. No one wants their refrigerator exploding on them (or their smartphone, ahem). If only Internet security could be regulated like other manufacturing processes, we could solve this problem.
Best Practices for DNS?
One of the reasons DDoS attacks keep evolving is that defenders keep evolving as well. You can bet that by next week, companies will be doing a better job with DNS redundancy.
NANOG 68 BackConnects Suspicious BGP Hijacks
https://www.youtube.com/watch?v=LFJzu0AFDpU
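Because the water torture attack described above reaches the authoritative server as a flood of distinct, random-looking subdomains relayed by many recursive resolvers, an operator can spot it in the query log by counting unique leftmost labels per zone per time window. The following detector is an added example, not code from the page or from Mirai; its log format (`epoch client qname`) is a constructed simplification and the sample log is constructed.

```python
"""Detector for the DNS "water torture" (random-subdomain) flood described above.

Added example, not from the page or from Mirai. It reads an authoritative
server's query log, groups queries by zone and time bucket, and flags a zone
when one bucket carries many distinct, high-entropy leftmost labels from many
resolver addresses. The log format '<epoch> <client_ip> <qname>' is a
constructed simplification, not BIND's real query-log format.
"""
import hashlib
import math
from collections import Counter, defaultdict


def label_entropy(label):
    """Shannon entropy in bits per character of a single DNS label."""
    if not label:
        return 0.0
    counts = Counter(label.lower())
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname, zone_depth=2):
    """Return (leftmost_label, zone), e.g. ('abc', 'example.com')."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_depth:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-zone_depth:])


def parse_line(line):
    """Parse one constructed log line '<epoch> <client_ip> <qname>'."""
    epoch, client, qname = line.split()
    return float(epoch), client, qname


def detect_water_torture(lines, window_s=60, min_unique=50, min_mean_entropy=2.5):
    """Return one alert dict per (zone, window) that looks like a random-prefix flood.

    The unique-prefix count is the primary signal; mean label entropy is a
    crude filter so that a zone with many legitimate, dictionary-like hostnames
    is less likely to alert. Zones that genuinely serve thousands of hostnames
    need a per-zone baseline instead of the fixed min_unique used here.
    """
    buckets = defaultdict(lambda: {"prefixes": set(), "clients": set(), "queries": 0})
    for line in lines:
        t, client, qname = parse_line(line)
        prefix, zone = split_qname(qname)
        b = buckets[(zone, int(t // window_s))]
        b["queries"] += 1
        b["clients"].add(client)
        if prefix:
            b["prefixes"].add(prefix)
    alerts = []
    for (zone, bucket), b in sorted(buckets.items()):
        if len(b["prefixes"]) < min_unique:
            continue
        mean_ent = sum(label_entropy(p) for p in b["prefixes"]) / len(b["prefixes"])
        if mean_ent < min_mean_entropy:
            continue
        alerts.append({
            "zone": zone,
            "window_start": bucket * window_s,
            "queries": b["queries"],
            "unique_prefixes": len(b["prefixes"]),
            "mean_prefix_entropy": round(mean_ent, 2),
            "distinct_clients": len(b["clients"]),  # many resolvers relay the flood
        })
    return alerts


def constructed_log(attack=True):
    """Constructed sample: normal lookups plus, optionally, an 80-query
    random-prefix flood relayed by 30 resolver addresses inside one window."""
    lines = []
    for i in range(20):
        host = ["www", "mail", "api"][i % 3]
        lines.append(f"{900 + i * 10} 203.0.113.{i % 4 + 1} {host}.example.com")
    if attack:
        for i in range(80):
            # deterministic stand-in for the bot's random prefix
            label = hashlib.sha256(f"water-torture-{i}".encode()).hexdigest()[:12]
            lines.append(f"{1020 + i * 0.7:.1f} 198.51.100.{i % 30 + 1} {label}.example.com")
    return lines


if __name__ == "__main__":
    for alert in detect_water_torture(constructed_log()):
        print(alert)
```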
Tomi Engdahl says:
NANOG 68 The Current Economics of Cyber Attacks
https://www.youtube.com/watch?v=szwSlFAsexU
Tomi Engdahl says:
‘Hacker’ accused of idiotic plan to defraud bank out of $1.5 million
Home IP, check. Own email, check. Arrest, certain
http://www.theregister.co.uk/2016/10/28/hacker_bank_arrest/
A newly unsealed indictment has detailed accusations of what appears to be one of the most inept pieces of computer crime in recent history.
Tomi Engdahl says:
Obey Google, web-masters, or it will say you can’t be trusted
Certificate Transparency for Chrome will ruin phishing spots by Oct 2017
http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/
Criminals are about to lose a reliable attack vector for malware infection and phishing, thanks to Google’s Certificate Transparency initiative that will force websites to enforce proper certificate security within a year.
Stolen and mis-issued SSL certificates allow attackers to spin up malicious sites that pass browser security checks, allowing for near-perfect replica sites to be created. When those sites fake services like online banking or other services that see punters hand over credentials or credit card details, unpleasant occurrences aren’t far behind.
Google’s Certificate Transparency initiative, adopted as a standard by the Internet Engineering Taskforce, helps to shutter the attack vector by flagging sites with unauthorised certificates and labelling those that do not subscribe to the initiative as untrusted.
Certificate Authorities must comply with the scheme to avoid their customers’ sites being labelled as untrusted.
Those authorities that sign on will demonstrate that certificates are legitimate, and not incorrectly issued for the wrong domains.
Tomi Engdahl says:
Elections Have Always Been Rigged, But Not Like Trump Says
https://www.wired.com/2016/10/elections-always-rigged-not-like-trump-says/
Despite Donald Trump’s recent claims, it’s pretty impossible to rig an election via voter fraud. To have any impact, you’d need a labyrinthine network of local election officials to collude against a candidate and then bamboozle the bipartisan poll watchers tasked with keeping them honest.
But just because Trump’s fever dream of an election day conspiracy is highly (did we mention highly?) unlikely, doesn’t mean that American elections are always—if ever—fair and equitable.
In 2012, somewhere between 500,000 and 700,000 eligible voters decided not to vote because of problems at their polling places, including wait times.
“It has an economic cost,”
some $1 billion in productivity was lost in 2012 due to people waiting in lines. “But whatever the cost is, it lands disproportionately more on some people than others, and that’s unfair.”
So in a way, you could say elections have been rigged all along.
The question is: Why does this kind of rigged system exist? Though much has been made about voter identification laws and the way they undermine the promise of the Voting Rights Act, there’s another insidious problem plaguing American elections, and that is the fact that the machines on which we vote are old and growing older, they’re allocated unevenly, and election officials lack both the funding and the data they need to update them.
Tomi Engdahl says:
Security News This Week: Ukrainian Group Leaks Emails From Top Putin Aides
https://www.wired.com/2016/10/security-news-week-ukrainian-group-leaks-emails-top-putin-aides/
A Ukrainian group calling itself Cyber Hunta released emails October 28 from aides close to Vladimir Putin that show Russia heavily influencing the separatist movement in Ukraine. The incident could be retaliation by the United States for Russian political hacking, which would be big enough news on its own, but there was lots more happening this week. The security community began intense debriefing in the wake of last week’s DDoS attack on the internet infrastructure company Dyn, which was powered largely by an Internet of Things botnet.
Tomi Engdahl says:
Serious Hacks Possible Through Inaudible Ultrasound
https://it.slashdot.org/story/16/10/30/1932216/serious-hacks-possible-through-inaudible-ultrasound
“High-frequency audio ‘beacons’ are embedded into TV commercials or browser ads,” reports New Scientist. “These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device…Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers’ phones as they shop.”
But now Fortune reports that some apps “often actively listen for ultrasound signals, even when the app itself is closed, creating a new and relatively poorly-understood pathway for hacking.”
Your home’s online gadgets could be hacked by ultrasound
https://www.newscientist.com/article/2110762-your-homes-online-gadgets-could-be-hacked-by-ultrasound/
This may have happened to you. You idly browse a pair of shoes online one morning, and for the rest of the week, those shoes follow you across the Internet, appearing in adverts across the websites you visit.
But what if those ads could pop out of your browser and hound you across different devices? This is the power of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a whole new way in for hacking attacks and privacy invasions. He and his colleagues will spell out their concerns at next week’s Black Hat cybersecurity conference in London.
Who is listening?
But the technology has been identified as a privacy risk. In March, the US Federal Trade Commission (FTC) rapped the knuckles of 12 app developers who used ultrasound for cross-device tracking – even when the apps weren’t turned on. This means that the apps could collect information about users without their awareness.
The software developer providing this code quickly withdrew it, but an FTC spokesperson says that the commission continues to be interested in cross-device tracking: “We’re continuing to look at the ways that can be achieved.”
And this is just one of the problems Mavroudis and his colleagues discovered when examining the vulnerabilities of ultrasound-based technologies.
Home invasion
Mavroudis says that these vulnerabilities do not affect many people yet, as ultrasound apps are still niche. But the simplicity of ultrasound could make it an attractive technology for use in applications across the Internet of Things (IoT), says Mu Mu, a lecturer at the University of Northampton, UK.
As more IoT devices become connected and interlinked, they could overwhelm a home’s Wi-Fi channel, and different technologies will need to step in. Ultrasound is a good candidate for pairing home-connected devices that have a speaker and microphone. For example, Google’s Chromecast app uses ultrasound to pair your mobile phone with its streaming dongle.
This creates a potential new channel for hacking attacks. Ultrasound can’t carry a lot of data, says Mu. “But if you know what you’re doing, just by sending a few bytes, you can hack a system and instruct it to do a lot of things. It doesn’t always take a lot of data to make something bad happen.”
Tomi Engdahl says:
TV shows could use ultrasound to send bonus extras to your phone
https://www.newscientist.com/article/mg23230952-900-tv-shows-could-use-ultrasound-to-send-bonus-extras-to-your-phone/
HEAR that high-pitched ringing? No, me neither. But such sounds at low volume can now be used to deliver bonus television content to your cellphone or tablet.
The system uses your TV’s speakers to play data-filled tones alongside whatever you are watching. You won’t notice a difference, but the microphone on your smartphone will, picking up additional content streamed alongside the main event. “This can make television interactive,” says Tae.
Tomi Engdahl says:
Emil Protalinski / VentureBeat:
Google discloses actively exploited Windows vulnerability just 10 days after reporting it to Microsoft — Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware …
Google discloses actively exploited Windows vulnerability just 10 days after reporting it to Microsoft
http://venturebeat.com/2016/10/31/google-discloses-actively-exploited-windows-vulnerability-just-10-days-after-reporting-it-to-microsoft/
Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems.
A 0-day vulnerability is a publicly disclosed security flaw that wasn’t known before. In other words, the company that makes the software has not yet issued a patch for it. Indeed, Microsoft has not released a fix nor issued an advisory for this flaw.
Also on October 21, Google shared a Flash vulnerability (CVE-2016-7855) with Adobe, which that company patched on October 26. That means users can simply update to the latest version of Flash. For the other security flaw, Google merely recommends “to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”
Disclosing vulnerabilities to protect users
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
Tomi Engdahl says:
Google Security Engineer Claims Android Is Now As Secure As the iPhone
https://apple.slashdot.org/story/16/11/01/2256211/google-security-engineer-claims-android-is-now-as-secure-as-the-iphone
It’s a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees — but of course he would. “For almost all threat models,” Adrian Ludwig
Ludwig said that, “for sure,” there’s no doubt that a Google Pixel and an iPhone are pretty much equal when it comes to security. Android, he added, will soon be better though.
“Android’s built-in security product called ‘Safety Net’ scans 400 million devices per day and checks a stunning 6 billion apps per day.”
Google Security Engineer Claims Android Is Now As Secure as the iPhone
https://motherboard.vice.com/en_uk/read/google-security-engineer-claims-android-is-now-as-secure-as-the-iphone
It’s a common assumption among tech geeks, and even cybersecurity experts, that if you are really paranoid, you should probably use an iPhone, and not Android. But the man responsible for securing the more than one billion Android users on the planet vehemently disagrees—but of course he would.
“For almost all threat models,” Adrian Ludwig, the director of security at Android, referring to the level of security needed by most people, “they are nearly identical in terms of their platform-level capabilities.”
The result of these security checks, coupled with the exploit mitigation measures baked into Android, means that a really small number of Android devices has malware or, as Google calls it, “Potentially Harmful Applications” or PHAs, according to Ludwig. In fact, Ludwig said, showing a graph, less than 1% of Android smartphones contain malware.
As an example of Android’s misunderstood security, Ludwig used the infamous series of critical bugs known as Stagefright, which were found last year. Ludwig noted that despite the alarm and the potential danger to practically all Android users, they have yet to see a real-life hack on an Android phone done exploiting Stagefright.
“At this point we still don’t have any confirmed instances of exploitation in the wild,” he said.
Tomi Engdahl says:
Steve Dent / Engadget:
Updated DMCA exemptions provide legal cover to Americans who reverse engineer products or repair their own electronics, but are limited to a two-year trial run
You can now legally hack your own car or smart TV
The FTC’s “security research exemption” to the DMCA has kicked in.
https://www.engadget.com/2016/11/01/dmca-security-hacking-exemptions/
Researchers can now probe connected devices, computers and cars for security vulnerabilities without risking a lawsuit. Last Friday, the FTC authorized changes to the Digital Millennium Copyright Act (DMCA) that will allow Americans to hack their own electronic devices. Researchers can lawfully reverse engineer products and consumers can repair their vehicle’s electronics, but the FTC is only allowing the exemptions for a two-year trial run.
The FTC and US Library of Congress enacted similar legislation in 2014 that allows you to unlock your own smartphone. Until today, however, it was illegal to mess with the programs in your car, thermostat or tractor, thanks to strict provisions in the DMCA’s Section 1201. That applied even to researchers probing the device security for flaws, a service that helps both the public and manufacturers. For example, researchers commandeered a Jeep on the road to show it could be done, an act that was technically illegal.
You could have also been sued just for trying to repair your own electronics.