Here are my predictions for trends in information security and cyber security for year 2016.
Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law – you need some other legal basis for them. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of regaining trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view they seem to have the main things in order, but the leaks have raised privacy issues.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.
The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security disclosures, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints” (any device or sensor connected to a network) to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout the year 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e. a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it can be cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
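To find out whether a certificate you serve will trip the SHA-1 cutoff, look at its outer `signatureAlgorithm` field. The following Python script is an added example, not code from the original post: it walks the DER structure with a tiny TLV reader, decodes the algorithm OID and flags SHA-1. The OID table comes from RFC 3279, 4055 and 5758; `make_sample_cert()` builds a constructed stand-in certificate (its tbsCertificate is a placeholder, not a real one) so the script runs offline.

```python
"""Inspect a DER certificate's outer signatureAlgorithm and flag SHA-1 signatures."""

# OID -> (algorithm name, hash family). Values from RFC 3279, RFC 4055 and RFC 5758.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn the encoded OBJECT IDENTIFIER body into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(cert_body, 0)          # skip tbsCertificate
    tag, alg_body, _ = _read_tlv(cert_body, pos)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)


def assess(cert_der):
    """Classify the signature hash: 'deprecated' for SHA-1, 'ok' for SHA-2, else 'unknown'."""
    oid = signature_algorithm(cert_der)
    name, hash_name = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    status = "deprecated" if hash_name == "SHA-1" else ("unknown" if hash_name == "unknown" else "ok")
    return {"oid": oid, "algorithm": name, "hash": hash_name, "status": status}


# --- constructed sample input (encoder side) ---------------------------------

def _der(tag, body):
    """Encode tag + definite length + body (short or long form as needed)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_bytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def make_sample_cert(sig_oid):
    """Constructed stand-in: placeholder tbsCertificate, real-shaped AlgorithmIdentifier."""
    tbs = _der(0x30, _der(0x02, b"\x02") + _der(0x04, b"\x00" * 200))  # >128 bytes: long-form length
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))          # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\xab" * 32)                            # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(assess(make_sample_cert(oid)))
```

Run `assess()` on every certificate in the chain you serve except the self-signed root, since browsers judge intermediates too; a real deployment should also cross-check the inner `tbsCertificate.signature` field against the outer one, which this example skips.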
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread beyond just Bitcoin virtual money. With bitcoin, the Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces to create an alternative to the blockchain with the Linux Foundation.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users who don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransomware. The ransomware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransomware I recommend making sure that IT support or your service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, If You’re Not Paranoid, You’re Crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
Jim Finkle / Reuters:
Microsoft says Fancy Bear exploited the recently reported Windows flaw; patch coming November 8 — Microsoft Corp (MSFT.O) said on Tuesday that a hacking group previously linked to the Russian government is behind recent cyber attacks that exploit a newly discovered flaw in its Windows operating system.
Microsoft says Russia-linked hackers exploiting Windows flaw
http://www.reuters.com/article/us-microsoft-cyber-russia-idUSKBN12W4ZK
Microsoft Corp (MSFT.O) said on Tuesday that a hacking group previously linked to the Russian government and U.S. political hacks was behind recent cyber attacks that exploited a newly discovered Windows security flaw.
The software maker said in an advisory on its website there had been a small number of attacks using “spear phishing” emails from a hacking group known as Strontium, which is more widely known as “Fancy Bear,” or APT 28. Microsoft did not identify any victims.
Microsoft’s disclosure of the new attacks and the link to Russia came after Washington accused Moscow of launching an unprecedented hacking campaign aimed at disrupting and discrediting the upcoming U.S. election.
Tomi Engdahl says:
Google discloses actively exploited Windows vulnerability just 10 days after reporting it to Microsoft
http://venturebeat.com/2016/10/31/google-discloses-actively-exploited-windows-vulnerability-just-10-days-after-reporting-it-to-microsoft/
Google today shared details about a security flaw in Windows, just 10 days after disclosing it to Microsoft on October 21. To make matters worse, Google says it is aware that this critical Windows vulnerability is being actively exploited in the wild. That means attackers have already written code for this specific security hole and are using it to break into Windows systems.
Tomi Engdahl says:
There is a lurking malice in cloud hosting services
A team of researchers from the Georgia Institute of Technology, Indiana University Bloomington, and the University of California Santa Barbara has found — as part of a study of 20 major cloud hosting services — that as many as 10 percent of the repositories hosted by them had been compromised, with several hundred of the ‘buckets’ actively providing malware.
Source: http://semiengineering.com/system-bits-nov-1/
More:
Study Finds “Lurking Malice” in Cloud Hosting Services
http://www.news.gatech.edu/2016/10/19/study-finds-lurking-malice-cloud-hosting-services
A study of cloud hosting services has found that as many as 10 percent of the repositories hosted by them have been compromised.
Believed to be the first systematic study of cloud-based malicious activity, the research will be presented October 24 at the ACM Conference on Computer and Communications Security in Vienna, Austria. The work was supported in part by the National Science Foundation.
Overall, the researchers scanned more than 140,000 sites on 20 cloud hosting sites and found about 700 active repositories for malicious content. In total, about 10 percent of cloud repositories the team studied had been compromised in some way. The researchers notified the cloud hosting companies of their findings before publication of the study.
Tomi Engdahl says:
Questions arise regarding AT&T’s domestic spy practices: Report
http://www.cablinginstall.com/articles/pt/2016/10/questions-arise-regarding-at-t-s-domestic-spy-practices-report.html?cmpid=enl_CIM_CablingInstallationMaintenanceDataCenterNewsletter_2016-11-01&eid=289644432&bid=1573930
When Edward Snowden released documents revealing that U.S. citizens were being spied on by their own government, many hoped it would signal a serious change in how personal information is handled in the U.S. Apparently, it did nothing of the sort. According to recent documents published by The Daily Beast, AT&T has been involved in spying on citizens under a program called Project Hemisphere. Project Hemisphere was first uncovered by the New York Times in 2013. At the time, it was described as a partnership between AT&T and the U.S. government solely for investigating drug trafficking. Now, it seems as though the project was used for a range of different things
Tomi Engdahl says:
Finnish company sold millions of users’ data?
Firms developing browser add-ons have sold millions of users’ browsing histories to advertisers, claims the German television program Panorama. The reporters say they gained access to the data of at least 3 million German users.
A total of 10 billion data points on web addresses were collected, among other things by Chrome and Firefox browser add-ons. The reporters name only one of them, the originally Finnish Web of Trust (WOT).
WOT’s stated purpose is to offer security and privacy. It allows users to rate the reliability of websites.
The problem is in particular that the user data is not sufficiently anonymized.
Source: http://www.tivi.fi/Kaikki_uutiset/suomalaisfirma-myynyt-miljoonien-kayttajien-tietoja-tunnuksia-huumeita-prostituoituja-6595805
More:
Nackt im Netz: Millionen Nutzer ausgespäht
http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Millionen-Nutzer-ausgespaeht,nacktimnetz100.html
Tomi Engdahl says:
Despite Its Nefarious Reputation, New Report Finds Majority of Activity On Dark Web is Totally Legal and Mundane
https://tech.slashdot.org/story/16/11/01/1549240/despite-its-nefarious-reputation-new-report-finds-majority-of-activity-on-dark-web-is-totally-legal-and-mundane
According to a study published by dark web data intelligence provider Terbium Labs, the bulk of activity appearing on the dark web is much like the content and commerce found on the clear web. In fact, researchers found that nearly 55 percent of dark web content is legal.
Tomi Engdahl says:
Let’s Automate Let’s Encrypt
http://www.linuxjournal.com/content/lets-automate-lets-encrypt
HTTPS is a small island of security in this insecure world, and in this day and age, there is absolutely no reason not to have it on every Web site you host. Up until last year, there was just a single last excuse: purchasing certificates was kind of pricey. That probably was not a big deal for enterprises; however, if you routinely host a dozen Web sites, each with multiple subdomains, and have to pay for each certificate out of your own dear pocket—well, that quickly could become a burden.
Now you have no more excuses. Enter Let’s Encrypt, a free Certificate Authority that officially left Beta status in April 2016.
Aside from being totally free, there is another special thing about Let’s Encrypt certificates: they don’t last long. Currently all certificates issued by Let’s Encrypt are valid for only 90 days, and you should expect that someday this term will become even shorter. Although this short lifespan definitely creates a much higher level of security, many people consider it as an inconvenience, and I’ve seen people going back from using Let’s Encrypt to buying certificates from commercial certificate authorities for this very reason.
If you are using Apache under a Debian-based distribution, Let’s Encrypt already has you covered with the libaugeas0 package, and it is capable of both issuing and renewing certificates.
Tomi Engdahl says:
From https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.
Microsoft says Russia-linked hackers exploiting Windows flaw
http://www.reuters.com/article/us-microsoft-cyber-russia-idUSKBN12W4ZK
Microsoft Corp (MSFT.O) said on Tuesday that a hacking group previously linked to the Russian government and U.S. political hacks was behind recent cyber attacks that exploited a newly discovered Windows security flaw.
The software maker said in an advisory on its website there had been a small number of attacks using “spear phishing” emails from a hacking group known as Strontium, which is more widely known as “Fancy Bear,” or APT 28. Microsoft did not identify any victims.
Tomi Engdahl says:
Hackers hustle to hassle un-patched Joomla! sites
If you didn’t patch, you’ve probably been p0wned already
http://www.theregister.co.uk/2016/11/02/hurried_crims_target_30000_sites_to_pop_unpatched_joomla/
Attackers are already exploiting a dangerous privileged account creation hole in the Joomla! content management system, with attempts made on about 30,000 sites in the days after a patch for the flaw landed.
The vulnerability, which allows anyone to create privileged accounts on Joomla! sites, was first flagged in a scant Joomla! pre-release notice warning administrators to prepare for a then un-described but critical patch.
Tomi Engdahl says:
Admiral to price car insurance based on Facebook posts
https://www.theguardian.com/technology/2016/nov/02/admiral-to-price-car-insurance-based-on-facebook-posts
Insurer’s algorithm analyses social media usage to identify safe drivers in unprecedented use of customer data
One of the biggest insurance companies in Britain is to use social media to analyse the personalities of car owners and set the price of their insurance.
The unprecedented move highlights the start of a new era for how companies use online personal data and will start a debate about privacy.
Tomi Engdahl says:
Datto launches backup and disaster recovery technology to combat ransomware
http://www.theregister.co.uk/2016/10/27/datto_tech_to_combat_ransomware/
Datto’s SIRIS 3 data protection platform includes what it claims is the industry’s first ransomware detection capability.
Ransomware is the noxious malware that captures your files and walls them off from access by encrypting them. The perpetrator demands payment – possibly by anonymous Bitcoin – to release the encryption key so you can recover your data. Known examples of Ransomware are CryptoLocker, CryptoWall, Locky, Cerber, KeyRanger, SamSam, TeslaCrypt, TorrentLocker, and Reveton.
When ransomware is detected, SIRIS 3 notifies admins so they can roll back to a pre-ransomware state, saving businesses from downtime and avoiding the ransom.
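The comment above describes detection that triggers a rollback to a pre-ransomware state. As an added example (not Datto’s code, nor anything from the original post), here is the kind of heuristic such a detector can be built on: a process that rewrites many files in a short window with ciphertext-like (high-entropy) content. The event format, process names, thresholds and sample content are constructed for the demonstration; `CIPHERTEXT_LIKE` is a stand-in for encrypted output, not real ransomware output.

```python
"""Heuristic ransomware alarm: one process rewriting many files with ciphertext-like content."""
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0       # bits/byte; encrypted or compressed data sits close to 8.0
WINDOW_SECONDS = 10      # look for bursts inside this sliding window
BURST_THRESHOLD = 5      # this many high-entropy rewrites in one window raises an alert


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def detect_bursts(events):
    """Return one alert per process that performs a burst of high-entropy writes.

    events: iterable of (timestamp_seconds, process_name, path, written_bytes).
    """
    high_entropy_writes = defaultdict(list)   # process -> [(ts, path), ...]
    for ts, process, path, content in sorted(events, key=lambda e: (e[0], e[1], e[2])):
        if shannon_entropy(content) >= HIGH_ENTROPY:
            high_entropy_writes[process].append((ts, path))

    alerts = []
    for process, writes in high_entropy_writes.items():
        start = 0
        for end in range(len(writes)):
            # slide the window start forward until it fits inside WINDOW_SECONDS
            while writes[end][0] - writes[start][0] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({
                    "process": process,
                    "window": (writes[start][0], writes[end][0]),
                    "files": [path for _, path in writes[start:end + 1]],
                })
                break   # one alert per process is enough to trigger a rollback
    return alerts


# Constructed sample content: ciphertext-like bytes (entropy exactly 8.0) and plain text.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAIN_TEXT = b"Quarterly figures, see attached spreadsheet for details.\n" * 40

# Constructed file-write events: a word processor, a backup tool and a suspicious process.
SAMPLE_EVENTS = [
    (100.0, "winword.exe", "docs/report.docx", PLAIN_TEXT),
    (120.0, "backup.exe", "backup/2016-01-01.zip", CIPHERTEXT_LIKE),   # legitimate, spaced out
    (240.0, "backup.exe", "backup/2016-01-02.zip", CIPHERTEXT_LIKE),
] + [
    (300.0 + i, "unknown.exe", f"docs/file{i}.docx.locked", CIPHERTEXT_LIKE)
    for i in range(6)                                                  # six rewrites in six seconds
]


def demo():
    """Run the detector over the constructed events."""
    return detect_bursts(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Backup and archiving tools also write high-entropy data, which is why the rate within a window, not entropy alone, is the trigger; in practice the process allow-list and thresholds have to be tuned per environment.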
Tomi Engdahl says:
VTT: centralized security for all devices
Securing devices is currently difficult and, in fact, quite stupid. Security software has to be installed separately on each device, and each one has to be kept up to date. A better solution would be to manage the security of all devices centrally.
Such an idea has been worked out in the EU research project SECURED (Security at the Edge network). VTT was also involved in the project; its share of the recently completed three-year project was mainly the development and integration of the personal security environment software (the so-called Personal Security Application).
The solutions and personal security software developed in the project are based on software virtualization. In practice, control of consumer equipment security is moved, in the near future, further away from the individual devices to a safe and reliable node at the “frontier” of the home network, for example a suitable router or modem.
This has a number of advantages. Potential security gaps and weaknesses in equipment would not be as easily exposed to attacks. In addition, the consumer could determine the appropriate security settings for all their devices themselves, say, a home computer or a mobile phone.
- The idea is to move from device-centered information security to user-centered information security. Thus all the user’s devices use the same security wherever they are, regardless of the performance of a single device or the security software available for it.
Security settings can be defined for different users, so that all users and devices get the same level of protection, for example against phishing and other malware. The environment can be installed in the home, on the company’s own premises or on an operator’s premises, as the case may be. When the user connects to the Internet from outside the home – for example through an open wireless network or mobile network – their device can connect securely to the system and be protected outside the home as well.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5320:vtt-kaikille-laitteille-keskitetty-tietoturva&catid=13&Itemid=101
Tomi Engdahl says:
Firefox disables loophole that allows sites to track users via battery status
https://www.theguardian.com/technology/2016/nov/01/firefox-disable-battery-status-api-tracking
Search company cuts access to feature, called battery status API, which allows websites to request information about the capacity of a visitor’s device
Mozilla Firefox is dropping a feature that lets websites see how much battery life a visitor has left, following research showing that it could be used to track browsers.
The feature, called the battery status API, allows websites to request information about the capacity of a visitor’s device, such as whether or not it’s plugged in and charging, how long it will last until it is empty, and the percentage of charge remaining.
It was intended to allow websites to offer less energy-intensive versions of their sites to visitors with little battery power left: for instance, a mapping site could download less information, or a social network could disable autoplaying video.
But in 2015, the Guardian reported that researchers had discovered that it was easy to abuse the feature to track browsing on the internet.
How your smartphone’s battery life can be used to invade your privacy
https://www.theguardian.com/technology/2015/aug/03/privacy-smartphones-battery-life
A group of researchers have demonstrated how to track users with nothing more than their remaining battery power, which could compromise privacy
Tomi Engdahl says:
Recently, the activity group that Microsoft Threat Intelligence calls STRONTIUM conducted a low-volume spear-phishing campaign. Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild. This attack campaign, originally identified by Google’s Threat Analysis Group, used two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel to target a specific set of customers.
We have coordinated with Google and Adobe to investigate this malicious campaign and to create a patch for down-level versions of Windows. Along these lines, patches for all versions of Windows are now being tested by many industry participants, and we plan to release them publicly on the next Update Tuesday, Nov 8.
Source: https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
Tomi Engdahl says:
Why Monitoring Control Plane Activity is a Requirement for Securing Industrial Networks
http://www.securityweek.com/why-monitoring-control-plane-activity-requirement-securing-industrial-networks
Monitoring network activity is key to securing any production environment. Keeping tabs on the activities of the users, applications and the devices enables operators to ensure expected and normal operations. Monitoring also allows problems to be detected and corrected before damage can occur.
However, not all networks are created equal. Monitoring industrial control system activity is difficult for two reasons. First, they use different protocols than IT networks. Second, separate protocols are used for performing data-plane and control-plane activities:
Data-Plane: sometimes referred to as the user plane, carries the user-data traffic. The data-plane is used by the HMI and SCADA applications to communicate process parameters and physical measurements between the human operator and the industrial equipment (I/Os).
Control Plane: carries the control information. In industrial networks the control-plane activities include all the engineering activity related to the maintenance lifecycle of industrial controllers, such as any read/change of: controller firmware, control-logic, configuration settings, or state. It also includes the administration and operations traffic. [Note that the term ‘control-plane’ is a general networking term, and isn’t related to the control layer of the Purdue Model or controllers in ICS networks]
The protocols used for data-plane activities are those used by HMI/SCADA applications to communicate with control-devices. These protocols, which include MODBUS, PROFINET, DNP3 and more, are well known and fully documented.
However, many are unaware of the fact that in ICS networks the control-plane activities use different protocols – a separation that does not exist in IT networks!
Unlike the data-plane protocols, control-plane protocols are vendor specific proprietary protocols that are mostly unknown, undocumented and often unnamed. This is because they were designed to be used only by the vendor’s engineering software tools. But over the years, other tools that utilize these protocols have been developed and can be used for control-plane activities and changing critical industrial controllers.
Tomi Engdahl says:
Windows Zero-Day Exploited by Russia-Linked Cyberspies
http://www.securityweek.com/windows-zero-day-exploited-russia-linked-cyberspies
The Windows zero-day vulnerability disclosed this week by Google has been exploited by the Russia-linked cyberespionage group known as Strontium. Microsoft has been working on a patch and expects to release it on November 8.
Google informed Adobe and Microsoft on October 21 that malicious actors had been actively exploiting previously unknown vulnerabilities in Flash Player (CVE-2016-7855) and the Windows kernel. The companies were given 7 days to patch the flaws or publish workarounds that would help users protect themselves against attacks.
Adobe released a patch for Flash Player on October 26, but since Microsoft had not come up with a fix or a workaround, Google decided that it would be in the best interest of users to disclose the Windows flaw. Microsoft does not agree and accused Google of putting its customers at risk.
In a blog post published on Tuesday, Microsoft revealed that the Windows vulnerability has been exploited by the group tracked by the company as Strontium. The threat actor is also known as Pawn Storm, APT28, Fancy Bear, Sednit, Sofacy and Tsar Team.
The group, which many believe is sponsored by the Russian government, has been linked to numerous high-profile attacks, including ones aimed at the U.S. Democratic Party, the World Anti-Doping Agency (WADA), investigators of the flight MH17 crash, and government organizations in Germany and Turkey.
Tomi Engdahl says:
Electronic Voting: The Greatest Threat to Democracy
http://www.securityweek.com/electronic-voting-greatest-threat-democracy
The dumpster fire that is the 2016 presidential election is thankfully almost behind us. But in its final throes, it is currently belching a peculiar pollution. The claims of election rigging coming directly from Donald Trump have raised a serious question about the legitimacy of our elections – the foundation of the legitimacy of our government, as governing in a democracy requires the consent of the governed.
While Mr. Trump may be more concerned with the role of non-citizens, election officials and the media in the manipulation of the outcome, he’s missing the greater threat to the future of democracy – Internet voting. Or rather, the likelihood of Internet voting fraud.
Don’t we already use electronic voting?
Today’s voting technology is largely a decentralized paper-based process. After the Bush v. Gore “hanging chad” issues in 2000, Congress passed the Help America Vote Act in 2002, supplying almost 4 billion federal dollars to help states upgrade their voting machines. All 50 states took the money, most of which was used to purchase electronic voting machines.
But by 2007, problems with the machines, including security concerns, led to a decline in use of electronic systems. Only five states today use paperless touch screens exclusively – South Carolina, Georgia, Louisiana, New Jersey and Delaware. Many states, such as Maryland, Florida and Virginia, have banned their use in future elections.
How do Internet and electronic voting differ?
The key difference between electronic and Internet voting, from a security perspective, is decentralization and the lack of connection to the Internet. While electronic voting machines can be hacked, it requires physical access to the machines in most cases, which is made more difficult by the fact that all 50 states have their own means of securing the devices.
Tomi Engdahl says:
Google to Distrust WoSign, StartCom Certificates
http://www.securityweek.com/google-distrust-wosign-startcom-certificates
Google announced on Monday that it has decided to distrust certificates from WoSign and StartCom due to their failure to maintain the high standards expected of certificate authorities (CAs).
Google joins Apple and Mozilla, which also decided to revoke trust in WoSign and StartCom certificates after the Chinese CA and its subsidiary were involved in more than a dozen incidents since January 2015. Web browser vendors are mainly unhappy that the companies backdated some certificates to bypass restrictions, and they did not inform them about StartCom’s acquisition by WoSign.
“For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA,” said Google’s Andrew Whalley.
Tomi Engdahl says:
PCI 3.2 Compliant Organizations Are Likely GDPR Compliant
http://www.securityweek.com/pci-32-compliant-organizations-are-likely-gdpr-compliant
PCI DSS version 3.1 will be retired on October 31, 2016, with version 3.2 being the only valid version beginning the 1st of November. From that date, any new validation of PCI compliance will have to be against version 3.2. The new requirements will, however, be considered ‘best practices’ until Feb. 1, 2018 when they will be mandatory.
One of the most important requirements is completion of the migration from SSL and early TLS to the more secure later versions of TLS.
The SSL migration was originally introduced in PCI 3.1. However, large service providers with thousands of international customers with different SSL and TLS configurations had problems meeting the deadline. The PCI Security Standards Council (PCI SSC), the body that defines PCI DSS, took a decision to extend the deadline by re-introducing the requirement into version 3.2 — effectively pushing the deadline back until February 2018.
SSL migration is not, however, the only new requirement — and since some of these (particularly around multi-factor authentication and penetration testing) will require planning and budgetary approval, it is important to get the ball rolling as soon as possible.
PCI DSS 3.2 is not the only major standard coming into force in early 2018 — GDPR will also be required by spring 2018. Both are designed to improve security — one for card and cardholder details, and the other for European personally identifiable information. There is clearly an overlap; but there is a big difference in the way the two standards are phrased. GDPR describes its requirements by what must be achieved; PCI DSS explains how achievement is expected. There is much more hands-on guidance in PCI DSS.
“People come to me and say, ‘How do I achieve GDPR compliance?’” commented King. His reply is to say, “Start with PCI DSS.” Any company that fully and successfully implements PCI DSS 3.2 is likely to be fully GDPR compliant — it’s a case of buy one and get one free.
Tomi Engdahl says:
How Do You Define Prevention?
http://www.securityweek.com/how-do-you-define-prevention
In discussions about cybersecurity, a word that gets used a lot is “prevention.” How do you prevent cyberattacks before they succeed? Will the cybersecurity measures currently in place offer the prevention of losses due to a cyberattack? What part of an attacker’s playbook does prevention actually stop? These are important questions that security teams continue to struggle with, as security vendors of all stripes have been promising their particular approach to cybersecurity will prevent cyberattacks for years.
But cyberattacks continue to plague organizations, and the number of successful breaches is rising. According to the New York State Attorney General’s office, breach notifications issued in 2016 are already 40 percent higher this year than they were at the same time last year. So if the security marketplace is full of solutions that are supposed to “prevent” cyberattacks, why are so many attacks still succeeding?
In my opinion, it’s a question of evolution. Cybersecurity is an area that requires constant change from a defense perspective, with novel malware, attack techniques and vulnerabilities attempting to evade ever-advancing security controls. This back-and-forth game has played itself out for years now, but the number, scale and sophistication of attacks has sped up in the past four years.
Furthermore, most legacy cybersecurity solutions were developed to address one specific security issue. As new threats arose, vendors would create and market other single point solutions to address them, resulting in most customers having an ad hoc collection of security devices from multiple vendors, each working independently of the others, to identify and stop inbound cyberattacks. This approach leaves many gaps in an organization’s security posture that adversaries can take advantage of, as well as requiring more resources to orchestrate the different, competing technologies.
Tomi Engdahl says:
KEEPING THEM OUT OF YOUR MAINFRAME
How To Not Get Hacked, According To Expert Hackers
http://digg.com/2016/how-to-not-get-hacked
Recently, I got hacked. Not like normal, everyday, steal-your-Twitter-password hacked. I got mega-ultra-super-hacked. My hack was so bad that several security experts have told me it’s the worst one they’ve ever seen. For two weeks, a group of expert hackers burrowed into my digital life and stole everything — all my passwords, my credit cards, bank accounts, personal emails, work emails, access to my social media accounts, my Dropcam, my wireless account. They installed malware on my computer that secretly took photos of me out of my own webcam every 2 minutes, and uploaded them to a remote server. They spied on my work Slack. They logged every keystroke I made, and accessed any file they wanted to. They owned my entire digital life.
Guy challenges hackers to destroy his life – regrets it
Read more: http://metro.co.uk/2016/03/03/guy-challenges-hackers-to-destroy-his-life-regrets-it-5730354/#ixzz4Ox7Txs9d
Challenging Hackers Is Never A Good Idea
A tale of how supposedly ‘security conscious people’ can still be easily hacked
https://gadgtecs.com/2016/03/02/challenging-hackers-never-good-idea/
In spite of all the big breaches reported last year, Real Future’s Kevin Roose wished to find out how nicely he would fare in a personal pen-test. Issuing such a “hack me” challenge is never sensible as New York University Professor and PandoDaily editor Adam Penenberg found out a couple of years ago after asking TrustWave to hack him if they could. Kevin posted a video exhibiting what can occur whenever you dare professional hackers to hack you, and the ensuing pwnage was epic!
Tomi Engdahl says:
Real Future: What Happens When You Dare Expert Hackers To Hack You (Episode 8)
https://www.youtube.com/watch?v=bjYhmX_OUQQ
Last year, after reporting on the hacks of Sony Pictures, JPMorgan Chase, Ashley Madison, and other major companies, REAL FUTURE’s Kevin Roose got curious about what it felt like to be on the victim’s side of a giant data breach.
So he decided to stage an experiment: he invited two expert hackers (neither of whom he’d ever met) to spend two weeks hacking him as deeply and thoroughly as they could, using all of the tools at their disposal. His only condition was that the hackers had to promise not to steal money or any other assets, reveal any private information, or do any irreversible damage to him or anyone else. And when they were finished wrecking his life, they had to help him put it back together.
In this episode of REAL FUTURE, we go to DefCon, a hacker convention in Las Vegas, to see the results of this dangerous experiment, and learn just how easy it is for hackers to do serious damage to a person’s life.
Tomi Engdahl says:
Multiple Critical Remotely Exploitable Flaws Discovered in Memcached Caching System
Tuesday, November 01, 2016 Swati Khandelwal
http://thehackernews.com/2016/11/memcached-hacking.html?m=1
Hey Webmasters, are you using Memcached to boost the performance of your website?
Beware! It might be vulnerable to remote hackers.
Three critical Remote Code Execution vulnerabilities have been reported in Memcached by security researcher Aleksandar Nikolich at Cisco Talos Group that expose major websites, including Facebook, Twitter, YouTube, Reddit, to hackers.
Patch your Memcached Server Now!
The integer overflow flaws in Memcached affect Memcached version 1.4.31 and earlier.
The researcher notified Memcached of the flaws and the company only took two days to build a patch on 31st October.
Memcached says the critical remote code execution flaws “are related to the binary protocol as well as SASL authentication of the binary protocol,” but they have been fixed in the latest release.
Vulnerability Spotlight: Remotely Exploitable Bugs in Memcached Identified and Patched
http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html
The following is a list of vulnerabilities Talos has identified in Memcached:
TALOS-2016-0219 – Memcached Server Append/Prepend Remote Code Execution Vulnerability
TALOS-2016-0220 – Memcached Server Update Remote Code Execution Vulnerability
TALOS-2016-0221 – Memcached Server SASL Authentication Remote Code Execution Vulnerability
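An added example (not from the post, Talos or the memcached project) for the defender's first question here: is a given memcached instance on the affected 1.4.31-or-earlier line, and is the binary protocol that the advisory names even reachable on it? It speaks the plain ASCII protocol (`version`, `stats settings`); the stat names are memcached's own, and the host/port are placeholders.

```python
"""Check a memcached instance against the 1.4.31-and-earlier advisory.

Added example: asks the server for its version over the ASCII protocol
and reads 'stats settings' to see whether the binary protocol / SASL
paths the advisory names are reachable. Host/port are placeholders.
"""
import re
import socket

# Last affected release named in the post; later releases carry the fix.
LAST_VULNERABLE = (1, 4, 31)

_VERSION_RE = re.compile(r"^VERSION\s+(\d+)\.(\d+)\.(\d+)")


def parse_version_reply(reply: str):
    """Parse the reply to the ASCII 'version' command, e.g. 'VERSION 1.4.31'.

    Returns (major, minor, patch) or None when the reply is not a VERSION
    line (an ERROR line, or a service that is not memcached at all).
    """
    m = _VERSION_RE.match(reply.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(version) -> bool:
    """True for 1.4.31 and earlier; tuple compare orders 1.4.5 before 1.4.33."""
    return tuple(version) <= LAST_VULNERABLE


def parse_stats_settings(reply: str) -> dict:
    """Turn a 'stats settings' reply ('STAT key value' lines, then 'END') into a dict."""
    settings = {}
    for line in reply.splitlines():
        parts = line.strip().split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            settings[parts[1]] = parts[2]
    return settings


def binary_protocol_reachable(settings: dict) -> bool:
    """The advisory's bugs sit in the binary protocol (and its SASL auth).

    memcached reports 'binding_protocol' as ascii, binary or auto-negotiate;
    only an ascii-only binding keeps those code paths unreachable from clients.
    """
    return settings.get("binding_protocol", "auto-negotiate") != "ascii"


def assessment(version, settings: dict) -> dict:
    """Pure verdict logic, kept separate so it can be tested without a server."""
    vulnerable = is_vulnerable_version(version)
    binary = binary_protocol_reachable(settings)
    if not vulnerable:
        verdict = "patched"
    elif binary:
        verdict = "vulnerable: upgrade (binary protocol reachable)"
    else:
        verdict = "vulnerable version, bound ascii-only; upgrade anyway"
    return {
        "version": ".".join(map(str, version)),
        "binary_protocol": binary,
        "sasl": settings.get("auth_enabled_sasl", "unknown"),
        "verdict": verdict,
    }


def _command(sock: socket.socket, cmd: bytes, terminator: bytes) -> str:
    """Send one ASCII command and read until the expected terminator."""
    sock.sendall(cmd + b"\r\n")
    data = b""
    while not data.endswith(terminator):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", errors="replace")


def assess_server(host: str, port: int = 11211, timeout: float = 3.0) -> dict:
    """Connect, query version and settings, and return the assessment dict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = parse_version_reply(_command(sock, b"version", b"\r\n"))
        if version is None:
            raise ValueError(f"{host}:{port} did not answer like memcached")
        settings = parse_stats_settings(_command(sock, b"stats settings", b"END\r\n"))
    return assessment(version, settings)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder host
    print(assess_server(target))
```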
Tomi Engdahl says:
Red Cross Data Leak; Personal Data of 550,000 Blood Donors Stolen
https://www.hackread.com/red-cross-blood-donors-data-leak/
Australian blood donors’ data has been stolen — It is Australia’s largest security breach ever.
Lately, the International Red Cross has been surrounded by controversy but in the latest, the organization has suffered a massive leak in which personal details of 550,000 blood donors in Australia have been stolen.
The organization has acknowledged the hack and confirmed that due to a human error an unknown hacker was able to steal a 1.74GB SQL file that contained personal details of blood donors in Australia including name, gender, date of birth, and addresses of blood donors from between 2010 and 2016.
According to a report by ABC, a third party responsible for maintaining the Red Cross website had mistakenly posted donors’ data on a website that allowed the “unauthorized person” to download it without any restrictions but the most concerning thing is that the data also includes “at-risk sexual behavior” or “Risky sexual behavior,” commonly defined as behavior that increases one’s risk of contracting sexually transmitted infections and experiencing unintended pregnancies.
Red Cross Blood Service admits to personal data breach affecting half a million donors
http://www.abc.net.au/news/2016-10-28/red-cross-blood-service-admits-to-data-breach/7974036
Red Cross Blood Service chief executive Shelly Park said “due to human error” the unsecured data had been posted on a website by a contractor who maintains and develops the Red Cross website.
“As an organisation, we are still in the process of completing our investigation and we have engaged forensic experts to help us with this,” she said.
“We apologise and we acknowledge that this is unacceptable.”
Tomi Engdahl says:
Facial recognition still can’t beat a 22 cent pair of sunglasses
http://thenextweb.com/artificial-intelligence/2016/11/02/facial-recognition-still-cant-beat-a-22-cent-pair-of-sunglasses/
As the future veers toward artificial intelligence, robotics, and biometric security measures ripped straight from a Sci-Fi novel, you might be amused to know plastic sunglasses are the key to their undoing.
Researchers at Carnegie Mellon University developed a 3D-printed pair of sunglasses that cost all of 22 cents to manufacture. The sunglasses, according to an accompanying study, fool advanced facial recognition software by altering small bits of color information in a face.
Overall, the system achieved a 90 percent success rate in foiling facial recognition software.
Tomi Engdahl says:
Andy Weir / Neowin:
LastPass expands cloud password storage on tablets, PCs, and smartphones to all users for free; the feature was previously only for premium users
https://www.neowin.net/news/lastpass-makes-password-management-free-across-all-of-your-pcs-tablets-and-phones
Tomi Engdahl says:
Ongoing Use of Windows Vista, IE8 Pose Huge Enterprise Threat
http://www.securityweek.com/ongoing-use-windows-vista-ie8-threaten-enterprises
A new report highlights the high number of users still operating outdated Windows operating systems and unsupported browsers. This represents a huge threat to the organizations whose users access company networks from insecure laptops and home computers with the growing adoption of BYOD policies.
Duo Security reports that 65% of its clients’ Windows users are still running Vista, and that tens of thousands are still on XP (now 15 years old, unsupported, and with around 700 known vulnerabilities of which 200 are rated as high to critical). On top of this, while Chrome is the most popular browser, 20% of Internet Explorer users are running a version that has reached end-of-life status and do not receive security patches. For the XP users, as many as 88% are still using Internet Explorer 8.
He used the out-of-box settings of Vista as an example. “Windows 7 does not set you up as securely as does Windows 10. Users tend to start from a secure configuration with 10; but not with 7 — and the danger is that users have never configured 7 to be secure. My opinion is that a lot of people aren’t doing the basics — like automatic updates (or else they’d be on 10 or at least a more secure browser).”
To illustrate the effect he suggests looking at healthcare and ransomware. “From our own studies, healthcare customers have 4 times as many XP boxes as the financial sector. That illustrates why ransomware attacks have been so successful against healthcare. The bad guys go where they know they will succeed without a lot of effort.”
Tomi Engdahl says:
Belkin WeMo Devices Expose Smartphones to Attacks
http://www.securityweek.com/belkin-wemo-devices-expose-smartphones-attacks
Researchers from Invincea have identified serious vulnerabilities in Belkin WeMo home automation devices and their associated Android application. The vendor has fixed the mobile app and will soon release firmware updates to patch the device flaws.
Belkin WeMo products are designed to allow users to control their home electronics from anywhere. The product line includes smart switches, cameras, coffeemakers, lightbulbs, humidifiers, heaters and even slow cookers.
Researchers disclosed several serious vulnerabilities in this Belkin product line back in 2013 and 2014. Due to the popularity and significant market share of these devices, Invincea Labs researchers Scott Tenaglia and Joe Tanen decided to take another look at WeMo products and discovered two serious flaws that can be exploited for various types of malicious activities.
One of the issues found by Tenaglia and Tanen can be exploited to remotely gain root access to a WeMo gadget. When users program these Internet of Things (IoT) devices — for example, setting a switch to turn off at a specified hour, or changing a slow cooker’s heat setting after a certain time — they actually create a set of rules. These rules, created and managed via the WeMo Android application, are stored in a SQLite database that is uploaded to the device. The device unpacks the file, pulls the rule information via SQL queries, and updates the rules stored in its memory.
The problem is that the value of a column in the rule database is not sanitized, allowing an attacker to insert a specially crafted value.
Interestingly, once the attacker gains root access to the WeMo device, they actually have more privileges than a legitimate user. The only way for the user to remove the malware is through a firmware update from the vendor, but experts warned that the attacker can easily break the firmware update process and prevent the victim from regaining access to their device.
The second vulnerability found by Invincea researchers, the one affecting the WeMo Android app, is a cross-site scripting (XSS) issue. An attacker who has network access to a vulnerable WeMo device can execute arbitrary JavaScript code in the context of the Android application.
Tomi Engdahl says:
UK in $2.3 Billion Plan to ‘Strike Back’ at Hackers
http://www.securityweek.com/uk-23-billion-plan-strike-back-hackers
Finance minister Philip Hammond on Tuesday warned Britain will “strike back” against states hacking into strategic networks in order to avoid a military showdown, as part of a new cyber-defense plan.
Unveiling the £1.9 billion ($2.3 billion, 2.1 billion euro) National Cyber Security Strategy, Hammond said hackers were trying to capitalize on the increasing connectivity of devices to target homes, cars, air traffic control networks and power grids.
“A small number of hostile foreign actors have developed and deployed offensive cyber-capabilities. These capabilities threaten the security of the UK’s critical national infrastructure,” he said at the London launch.
Tomi Engdahl says:
Microsoft extends support for EMET security tool
Windows Vista, 7 and 8 users can keep using code Redmond says has ‘serious limits’
http://www.theregister.co.uk/2016/11/04/happy_hack_hardening_emet_helmet_to_guard_users_past_win_8_death/
Microsoft has extended the support life of its enhanced mitigation toolkit (EMET), affording Windows 8 laggards an extra 18 months of protection.
EMET adds extra defences to older versions of Windows, dating all the way back to Vista. Among the improvements it offers are address space layout randomisation and data execution prevention. Both make it harder to compromise systems.
Microsoft baked those features and more into Windows 10, giving users of Microsoft’s latest platform few reasons to run EMET.
EMET nonetheless added support for Windows 10 last February in version 5.5.
The tool, born of Microsoft’s defensive platform-building competition BlueHat, is not infallible; ransomware scum have wormed around it, as have a regular barrage of researchers who have found complex ways to bypass every version of EMET.
Tomi Engdahl says:
‘Bustling’ web attack market closed down
http://www.bbc.com/news/technology-37859674
A “bustling” marketplace that offered tools and services to mount massive web attacks has been shut by its owners.
The marketplace, on the Hack Forums website, was notorious for making it easy to launch attacks that knocked servers offline.
The section was “permanently shut down” because several attacks known to be co-ordinated via the forum caused web-wide disruption.
One regular victim of attacks arranged via Hack Forums welcomed the closure.
“Unfortunately once again the few ruin it for the many,” wrote Jesse LaBrocca, founder of Hack Forums, in a message explaining why the section was being closed.
Mr LaBrocca hinted that the whole site could be shuttered if the web attack section was not closed, adding a reference to “recent events” that had prompted the decision.
An attack tool called Mirai is known to have launched the tidal waves of data that made sites hard to reach.
Source code for this tool was shared on Hack Forums shortly before the attacks took place.
Mirai helped malicious hackers launch what are known as distributed denial of service (DDoS) attacks by hijacking insecure webcams and digital video recorders and using them to send endless data requests to targets.
As well as the big attacks, the Hack Forums marketplace also gave people access to so-called “booter” and “stresser” services.
Tomi Engdahl says:
How to Block the Ultrasonic Signals You Didn’t Know Were Tracking You
https://www.wired.com/2016/11/block-ultrasonic-signals-didnt-know-tracking/
Dystopian corporate surveillance threats today come at us from all directions. Companies offer “always-on” devices that listen for our voice commands, and marketers follow us around the web to create personalized user profiles so they can (maybe) show us ads we’ll actually click. Now marketers have been experimenting with combining those web-based and audio approaches to track consumers in another disturbingly science fictional way: with audio signals your phone can hear, but you can’t. And though you probably have no idea that dog whistle marketing is going on, researchers are already offering ways to protect yourself.
The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound “beacons” emit their audio sequences with speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been. Now that you’re sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices.
Tomi Engdahl says:
Google’s Chrome Hackers Are About to Upend Your Idea of Web Security
https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/
In a show of hacker team spirit in August of last year, Parisa Tabriz ordered hoodies for the staff she leads at Google, a group devoted to the security of the company’s Chrome browser. The sweatshirts were emblazoned with the words “Department of Chromeland Security,” along with Chrome’s warning to users when they visit insecure websites that leave them open to surveillance or sabotage: a red padlock crossed out with an X.
For Tabriz’s team, the mistaken assumption that an average person on the internet can tell the difference between the symbol for a purse and a padlock has come to represent a fundamental problem with modern browsers.
They’re responsible for helping billions of people gauge the security of the sites they visit, but there’s only an inscrutable icon to signal the difference between an encrypted site that locks its connections and unprotected sites that leave them vulnerable to threats.
The confusing collection of hieroglyphics used by most browsers today to draw that line is misleading at best; at worst they’re negligently silent or even dishonest about a site’s lack of security.
That’s why, for the first time, the Chrome team is about to start naming and shaming the nearly half of the world’s websites that don’t use strong encryption, putting a clear “Not secure” warning next to thousands of popular online destinations that use unencrypted HTTP connections rather than encrypted HTTPS connections. In the process, they may just change the standard for security online.
“People say we can’t make half the web look scary, that people will be afraid of it,” Tabriz says. “But for us, it’s a problem of trying to be honest with users. Without HTTPS, a user or web service can have no expectation that anything on a site hasn’t been tampered with or eavesdropped. And that’s crazy.”
Tomi Engdahl says:
Chrome’s Certificate Transparency to Become Mandatory
http://www.securityweek.com/chromes-certificate-transparency-become-mandatory
Google has announced its plans to make the Certificate Transparency policy in Chrome mandatory starting in October 2017.
Announced last week, the move will affect publicly trusted website certificates issued starting in October 2017, as they will have to comply with Chrome’s Certificate Transparency (CT) policy to be trusted by the browser. The announcement comes roughly three years after the open source framework for monitoring and auditing domain certificates was proposed by Google.
The framework has been already widely recognized and has become an Internet Engineering Task Force (IETF) open standard. Following the change, all certificates should be in compliance with the new requirement by 2020, considering the life-cycle of these certificates.
“The Chrome Team believes that the Certificate Transparency ecosystem has advanced sufficiently that October 2017 is an achievable and realistic goal for this requirement,” Google software engineer Ryan Sleevi said.
Tomi Engdahl says:
Why Light Bulbs May Be the Next Hacker Target
http://www.nytimes.com/2016/11/03/technology/why-light-bulbs-may-be-the-next-hacker-target.html?_r=1
The so-called Internet of Things, its proponents argue, offers many benefits: energy efficiency, technology so convenient it can anticipate what you want, even reduced congestion on the roads.
Now here’s the bad news: Putting a bunch of wirelessly connected devices in one area could prove irresistible to hackers. And it could allow them to spread malicious code through the air, like a flu virus on an airplane.
Researchers report in a paper to be made public on Thursday that they have uncovered a flaw in a wireless technology that is often included in smart home devices like lights, switches, locks, thermostats and many of the components of the much-ballyhooed “smart home” of the future.
The researchers focused on the Philips Hue smart light bulb and found that the wireless flaw could allow hackers to take control of the light bulbs.
That may not sound like a big deal. But imagine thousands or even hundreds of thousands of internet-connected devices in close proximity. Malware created by hackers could be spread like a pathogen among the devices by compromising just one of them.
And they wouldn’t have to have direct access to the devices to infect them: The researchers were able to spread infection in a network inside a building by driving a car 229 feet away.
Just two weeks ago, hackers briefly denied access to whole chunks of the internet by creating a flood of traffic that overwhelmed the servers of a New Hampshire company called Dyn, which helps manage key components of the internet.
The new risk comes from a little-known radio protocol called ZigBee.
The researchers found that the ZigBee standard can be used to create a so-called computer worm to spread malicious software.
So what could hackers do with the compromised devices? For one, they could create programs that help in attacks like the one that hit Dyn. Or they could be a springboard to steal information, or just send spam.
They could also set an LED light into a strobe pattern that could trigger epileptic seizures or just make people very uncomfortable. It may sound far-fetched, but that possibility has already been proved by the researchers.
The researchers showed that by compromising a single light bulb, it was possible to infect a large number of nearby lights within minutes.
“We have assessed the security impact as low given that specialist hardware, unpublished software and close proximity to Philips Hue lights are required to perform a theoretical attack,” Beth Brenner, a Philips spokeswoman, said in an emailed statement.
Tomi Engdahl says:
Ukraine hackers claim huge Kremlin email breach
http://www.bbc.com/news/world-europe-37857658
Two Ukrainians have given details of emails they helped to hack belonging to top Russian officials at the Kremlin.
Several emails they claim to have cracked are linked to Vladislav Surkov, one of the architects of Russia’s current political system.
He is also a key Kremlin figure in Moscow’s intervention in Ukraine.
The self-styled “hactivists” claim they have no link to the Ukrainian state or security services but refuse to say how they hacked into Mr Surkov’s inboxes.
Could they be forgeries?
Analysts argue that the sheer volume of mundane material contained in the emails adds to the hack’s authenticity.
A more colourful confirmation of the emails’ credibility comes from an invitation sent to Mr Surkov in 2014, to a party at which singer Robbie Williams performed.
For Ruslan Deynychenko, from the Ukrainian website Stopfake.org, the number of documents and the number of events and people mentioned make it “hard to imagine” that it has been faked.
“It is beyond reasonable doubt that the emails come from Mr Surkov’s office,” said Mr Deynychenko.
The Russian government denies all the allegations contained in the emails and made in this article.
Tomi Engdahl says:
Hackers attacked the Lappeenranta based property boiler room
A denial of service attack over the network cut off the heat distribution in at least two premises in Lappeenranta, Finland. The attack flooded the computer supervising the heat distribution of both properties. A distributed denial of service attack (DDoS) knocked down the computer that controlled the heat distribution of two properties in Lappeenranta, the Etelä-Saimaa (Southern Saimaa) newspaper reported.
- In these houses the heating of the apartments and the hot water went off.
- The unit’s own internal control system tries to correct such a jam by restarting the controlling computer. Now the devices kept restarting again and again, which switched the heating control off, Rounela says.
- This kind of problem is easy to fix once you know what it is about.
The attack continued last week for several days, until Thursday.
Sources:
http://www.tivi.fi/Kaikki_uutiset/verkkoisku-kylmensi-useita-taloja-suomessa-es-lammitys-ja-kuuma-vesi-pois-paalta-6597180?utm_source=Tivi_Uutiskirje&utm_medium=email&utm_campaign=Tivi_Uutiskirje
http://www.esaimaa.fi/Online/2016/11/06/Hakkerit%20iskiv%C3%A4t%20lappeenrantalaisen%20kiinteist%C3%B6n%20pannuhuoneeseen/2016121454255/4?utm_source=dlvr.it&utm_medium=twitter
Tomi Engdahl says:
Facebook should have removed sex video, Italian court rules
http://www.euronews.com/2016/11/05/facebook-should-have-removed-sex-video-italian-court-rules
Facebook should have removed a sex video of a woman who later committed suicide, with or without a court order, judges in Italy have ruled.
The tape of Tiziana Cantone, who killed herself in September, was uploaded last year without her consent. The 31-year-old made the explicit video with her new partner and then sent it to her ex-boyfriend.
It later went viral after being posted on Facebook and other social media sites, prompting a tide of online abuse.
While Facebook said it accepted the ruling of the Naples court, it is thought the judgement could open the door to a wave of further legal action, notably criminal proceedings against Facebook users who shared the video.
Tomi Engdahl says:
Joseph Bernstein / BuzzFeed:
Virtual reality industry is ill-prepared to tackle looming abuse and harassment problems
Virtual Reality Isn’t Ready To Handle Abusive Trolls
For the booming VR industry, a major harassment problem looms. Who will be responsible for it?
https://www.buzzfeed.com/josephbernstein/virtual-reality-isnt-ready-to-handle-abusive-trolls?utm_term=.ypnY2XmjG#.cp0RdlQzv
Last month, Jordan Belamire unwittingly — and unwillingly — found herself the first public victim of a new kind of abuse. While visiting her brother-in-law, she tried out the new head-mounted virtual reality system HTC Vive — specifically, a multiplayer archery game called QuiVR.
Belamire’s experience raised a dreadful prospect: That the connected spaces in the booming field of virtual reality will suffer the same plague of anonymous harassment and abuse that has come to define the social internet in 2016.
Or, worse. The story suggested that anonymous abuse, in the context of a medium defined by the suspension of disbelief, would take on new and frightening contours.
Tomi Engdahl says:
Maria Sheahan / Reuters:
Report: Deutsche Telekom plans to launch defense system to fend off drones from airports, stadiums, car test tracks, and critical infrastructure — Germany’s Deutsche Telekom plans to launch a drone defense system this year designed to guard airports, stadiums, car test tracks and critical infrastructure …
Deutsche Telekom to launch drone defense system: report
http://www.reuters.com/article/us-deutsche-telekom-drones-idUSKBN131060
Germany’s Deutsche Telekom plans to launch a drone defense system this year designed to guard airports, stadiums, car test tracks and critical infrastructure, German weekly Welt am Sonntag reported on Sunday.
The increasing use of drones for commercial and leisure purposes has led to a rise in the number of near-misses with aircraft and infringements into no-fly zones, prompting companies and public institutions to seek ways to fend them off.
Car manufacturers have asked Deutsche Telekom to provide anti-drone systems to prevent their use to snap photos of prototypes they test on race tracks, Welt am Sonntag reported.
Tomi Engdahl says:
NBC News:
Senior US intelligence official told NBC News US military hackers have penetrated, can now launch attacks against Russia’s electric grid, telecom networks, more — Exclusive: US Military Hackers Ready if Russia Disrupts US Election 2:25 — U.S. military hackers have penetrated Russia’s electric grid …
U.S. Govt. Hackers Ready to Hit Back If Russia Tries to Disrupt Election
http://www.nbcnews.com/news/us-news/u-s-hackers-ready-hit-back-if-russia-disrupts-election-n677936
U.S. military hackers have penetrated Russia’s electric grid, telecommunications networks and the Kremlin’s command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News.
American officials have long said publicly that Russia, China and other nations have probed and left hidden malware on parts of U.S critical infrastructure, “preparing the battlefield,” in military parlance, for cyber attacks that could turn out the lights or turn off the internet across major cities.
It’s been widely assumed that the U.S. has done the same thing to its adversaries. The documents reviewed by NBC News — along with remarks by a senior U.S. intelligence official — confirm that, in the case of Russia.
The cyber weapons would only be deployed in the unlikely event the U.S. was attacked in a significant way, officials say.
U.S. military officials often say in general terms that the U.S. possesses the world’s most advanced cyber capabilities, but they will not discuss details of highly classified cyber weapons.
Tomi Engdahl says:
EU to offer big money for cyber research
The EU will invest over EUR 450 million in cyber security R&D and innovation programmes in the years 2018-2020. The Finnish Information Security Cluster (FISC) coordinates Finland’s participation in European research and business collaboration from a vantage point. VTT, as a member of the European cyber security organisation ECSO, promotes domestic growth companies’ access to international RDI programmes in close cooperation with FISC.
VTT has a direct view of the Commission’s programmes as well as of the RDI funding opportunities managed through various instruments.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5363:eu-sta-tarjolla-isoa-rahaa-kybertutkimukseen&catid=13&Itemid=101
Tomi Engdahl says:
Kate Conger / TechCrunch:
China passes controversial cybersecurity law that restricts online anonymity, requires local data storage, and vague “technical support” to aid law enforcement — The Chinese government has passed new cybersecurity regulations Nov. 7 that will put stringent new requirements on technology companies operating in the country.
China’s new cybersecurity law is bad news for business
https://techcrunch.com/2016/11/06/chinas-new-cybersecurity-law-is-bad-news-for-business/
The Chinese government has passed new cybersecurity regulations Nov. 7 that will put stringent new requirements on technology companies operating in the country. The proposed Cybersecurity Law comes with data localization, surveillance, and real-name requirements.
The regulation would require instant messaging services and other internet companies to require users to register with their real names and personal information, and to censor content that is “prohibited.” Real name policies restrict anonymity and can encourage self-censorship for online communication.
The law also includes a requirement for data localization, which would force “critical information infrastructure operators” to store data within China’s borders.
Tomi Engdahl says:
Microsoft Delays Retirement of EMET
http://www.securityweek.com/microsoft-delays-retirement-emet
Microsoft has announced that it will retire the Enhanced Mitigation Experience Toolkit (EMET) 18 months later than initially planned.
Designed to help prevent the exploitation of vulnerabilities in software, EMET was initially released in 2009, when the 3-4 year gap between major Windows releases prompted the launch of a solution to deliver mitigation against certain zero-day software vulnerabilities. Seven years later, Microsoft feels that EMET is no longer fitted for the job and says that Windows 10 can do a better job at protecting users.
In February 2016, Microsoft released EMET 5.5 with Windows 10 compatibility and a variety of other enhancements, but also pointed out that the security features in Windows 10 make EMET unnecessary.
Over time, EMET helped the tech giant disrupt common exploit kits employed by attackers, and keep customers safe without a new Windows release. Additionally, Microsoft says, EMET helped assess new security features, which led to innovations in Windows 7, 8, 8.1, and 10.
With customers requesting the inclusion of EMET-like security protection, Microsoft decided to do exactly that starting with Windows 10, when they moved to Windows as a Service. The operating system packs features such as Device Guard, Credential Guard, and Windows Defender Application Guard in Microsoft Edge, Windows Defender Advanced Threat Protection (ATP), and options such as DEP, ASLR, and Control Flow Guard (CFG), along with mitigations to prevent bypasses in UAC, which make EMET unnecessary.
Tomi Engdahl says:
20,000 Lose Money in Tesco Bank Hack
http://www.securityweek.com/20000-lose-money-tesco-bank-hack
Tesco Bank, wholly owned by the UK’s largest supermarket chain Tesco, has admitted that “some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.” Nothing more specific about the fraud has been made known, although some reports suggest as many as 20,000 customers may have lost money.
Benny Higgins, the bank’s chief executive, said 40,000 current accounts had experienced suspicious transactions and about half had money taken from their account. Tesco Bank has now blocked all on-line transactions, although customers can still use their bank card for cash withdrawals and purchases within shops. The bank has just under 8 million customers and around $10 billion in saving deposits. The thefts were from among its 136,000 current accounts.
Higgins believes that relatively small amounts will have been stolen from individual accounts, but that the details are not yet clear.
The bank has stressed that all stolen money will be refunded to customers. “Any financial loss that results from this fraudulent activity will be borne by the bank,” Higgins told BBC radio. “Customers are not at financial risk.” He believes the cost to the bank will be ‘a big number but not a huge number’.
20,000 Defrauded as UK’s Tesco Bank Hit by Hack Attack
http://www.securityweek.com/20000-defrauded-uks-tesco-bank-hit-hack-attack
Britain’s Tesco Bank temporarily froze all online transactions Monday after around 20,000 customers had money stolen from their accounts in a hack attack.
The bank, a subsidiary of British supermarket giant Tesco, the kingdom’s biggest retailer, said it was trying to refund accounts as quickly as possible.
“Tesco Bank can confirm that, over the weekend, some of its customer current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently,” chief executive Benny Higgins said in a statement.
The bank confirmed that of its 136,000 current account holders, 40,000 had seen suspicious transactions over the weekend, while money had been fraudulently withdrawn from around 20,000 accounts.
No figure was given for the total amount of money involved.
Tomi Engdahl says:
Critical Privilege Escalation Flaws Found in MySQL
http://www.securityweek.com/critical-privilege-escalation-flaws-found-mysql
Database management systems MySQL, MariaDB and PerconaDB are affected by a couple of serious privilege escalation vulnerabilities. The developers of the vulnerable software have released updates to address the flaws.
The researcher who discovered the security holes is Dawid Golunski. The expert revealed in September that he had discovered a serious arbitrary code execution vulnerability in MySQL (CVE-2016-6662), which Oracle had failed to patch in more than 40 days after being notified of its existence. Golunski noted at the time that he had also found another flaw, tracked as CVE-2016-6663, which made exploitation of CVE-2016-6662 easier.
Last week, the researcher disclosed the details of CVE-2016-6663, which Oracle tracks as CVE-2016-5616. The weakness is a race condition that allows a local user with low-privilege access to escalate privileges and execute arbitrary code with the permissions of the database system user (e.g. “mysql”).
Once this vulnerability is exploited, the attacker can escalate privileges even further by leveraging CVE-2016-6662 or a new flaw tracked as CVE-2016-6664, or CVE-2016-5617 by Oracle.
Tomi Engdahl says:
Extending the Perimeter: Protecting Employees to Protect the Enterprise
http://www.securityweek.com/extending-perimeter-protecting-employees-protect-enterprise
In the early days of computing the cyber-security perimeter and the physical security perimeter were one and the same. Access to data implied access to the actual computer or storage media. From there we graduated to closed networks where computers only talked to each other within a building or private network but quickly modems started to allow access by people outside those controlled spaces. The age of the hacker had begun.
The internet and the web blew things wide open with PCs talking to servers, servers to servers, and PCs to PCs in an exponential web of complexity. The walls are full of gates, holes, and tunnels resembling swiss cheese more than an impenetrable barrier.
Today we add to that extreme mobility, smart phones, tablets, and the trend towards employees using their own devices for work (BYOD). People may be working on hardwired desktop computers one moment and working on a laptop at Starbucks the next. They use VPNs, public WiFi, and open corporate networks in quick succession as they move through the world. The result is that our old security model, based around a castle-like formation with a bastion wall surrounding the crown jewels, no longer bears any resemblance to reality. Now the jewels are spread out in people’s pockets all over the countryside. People take these devices in and out of corporate environments and networks all the time, passing constantly in and out of the remaining notional perimeter.
Just as an attacker might try to penetrate an organization by hacking in through the firewall, they might instead compromise a browser which is (or will be) inside that network. The perimeter becomes a membrane separating the sphere of valuable data, infrastructure, or capabilities from the realm of the attackers.
To focus our security efforts we need to consider where this new perimeter is weakest and where it is relatively strong. Many vulnerabilities can only be attacked indirectly.
Conventionally a security perimeter protects a small vulnerable region from a much larger dangerous one. An old joke got me thinking about how we can invert that situation:
A mathematician, a physicist, and an engineer are told to build the smallest possible fence around a flock of sheep. The engineer puts a loose fence around the sheep, pulls it as tight as possible, crowding them all in, and calls that the answer. The physicist assumes spherical sheep and calculates the ideal circular fence. The mathematician takes a completely different strategy. She builds a tiny fence around herself and defines that as “outside.”
Similarly we can look at something like a browser and define it as “outside”, then build a security perimeter around just that one application. This enables perimeters within perimeters.
Tomi Engdahl says:
Was IoT DDoS attack just a dry run for election day hijinks?
Internet of things influencing important things
http://www.theregister.co.uk/2016/11/08/was_iot_ddos_attack_just_a_dry_run_for_election_day/
Comment The distributed denial of service attack that took down DNS provider Dyn, and with it access to a chunk of the internet, was one of the largest such assaults seen.
The attack exploited Internet of Things devices – notably webcams built by XiongMai Technologies. The gadgets had default login passwords that allowed them to be infected with the Mirai botnet malware, which commandeered the gizmos to overwhelm Dyn’s servers.
The attack was claimed by New World Hackers, previously believed to have brought down sites run by the BBC, Donald Trump and NASA as well as Islamic State controlled websites and Twitter accounts. But the US Department of Homeland Security said it was not clear who was responsible but that investigations were continuing.
But even though this is one of the largest attacks seen to date, it has also raised fears that there is worse to come. The Mirai malware source code is now freely available for anyone to use to create massive botnets of vulnerable devices.
Most non-PC devices such as routers, modems, cellular modems, digital video recorders and IoT sensors are almost perfect weapons for attackers – they don’t typically run antivirus software; they don’t get updated regularly or can’t be updated; and they are often left switched on 24 hours a day.
Even if IoT devices are deployed with security in mind, checking the hundreds or even thousands of individual devices used in a factory or office environment control system is a daunting task.
DDoS specialist Corero claims it has found a new DDoS vector which has an amplification factor of up to 55x. The company has only seen short duration attacks against a handful of its customers exploiting LDAP – the Lightweight Directory Access Protocol. One recent attack reached 70Gbps in volume, we’re told.
Easily infected IoT devices could be used to unleash an LDAP-amplified attack on servers.
Dave Larson, chief technology officer at Corero Network Security, said: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison…With attackers combining legacy techniques with new DDoS vectors and botnet capabilities, terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions.”
Given the fevered and febrile atmosphere of the US presidential election, no one will be surprised if the next major assault is politically motivated.
Tomi Engdahl says:
‘Trust it’: Results of Signal’s first formal crypto analysis are in
Crypto connoisseurs find favourite chat app protocol up to scratch
http://www.theregister.co.uk/2016/11/08/trust_it_results_of_signals_first_formal_crypto_analysis_are_in/
Encrypted SMS and voice app Signal has passed a security audit with flying colours.
As explained in a paper titled A Formal Security Analysis of the Signal Messaging Protocol (PDF) from the International Association for Cryptologic Research, Signal has no discernible flaws and offers a well-designed and compromise-resistant architecture.
Signal uses a Double Ratchet algorithm that employs ephemeral key exchanges continually during each session, minimising the amount of text that can be decrypted at any point should a key be compromised.
A Formal Security Analysis of the Signal Messaging Protocol
https://eprint.iacr.org/2016/1013.pdf
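Added example, not from the paper or from Signal’s own code: a minimal symmetric-key ratchet in the style of the chain-key step of the Signal Double Ratchet, built on HMAC-SHA256 from the Python standard library. It shows why a leaked chain key exposes only later message keys (the property the audit credits), and how a receiver copes with out-of-order messages; the shared root key is a constructed constant, not a DH-derived value.

```python
import hmac
import hashlib

# Inputs used by the symmetric-key ratchet step of the Signal Double Ratchet
# specification: 0x01 yields the message key, 0x02 the next chain key.
MESSAGE_KEY_INPUT = b"\x01"
CHAIN_KEY_INPUT = b"\x02"


def kdf_ck(chain_key):
    """One ratchet step -> (next_chain_key, message_key). HMAC-SHA256 is
    one-way, so holding the next chain key does not reveal earlier keys."""
    message_key = hmac.new(chain_key, MESSAGE_KEY_INPUT, hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, CHAIN_KEY_INPUT, hashlib.sha256).digest()
    return next_chain_key, message_key


class SendingChain:
    """Sender side: one fresh message key per message, then the key is gone."""
    def __init__(self, chain_key):
        self.chain_key, self.n = chain_key, 0  # n: index of the next key

    def next_message_key(self):
        self.chain_key, message_key = kdf_ck(self.chain_key)
        self.n += 1
        return self.n - 1, message_key


class ReceivingChain:
    """Receiver side: advances the same chain and parks keys for messages
    that have not arrived yet, so out-of-order delivery still works."""
    def __init__(self, chain_key, max_skip=100):
        self.chain_key, self.n = chain_key, 0
        self.skipped = {}          # message index -> parked message key
        self.max_skip = max_skip   # bounds the work a forged header can force

    def message_key_for(self, idx):
        if idx in self.skipped:
            return self.skipped.pop(idx)  # single use, then discarded
        if idx < self.n:
            raise ValueError("message key %d already consumed" % idx)
        if idx - self.n > self.max_skip:
            raise ValueError("too many skipped messages")
        while self.n < idx:  # park keys for the messages still in flight
            self.chain_key, self.skipped[self.n] = kdf_ck(self.chain_key)
            self.n += 1
        self.chain_key, message_key = kdf_ck(self.chain_key)
        self.n += 1
        return message_key


def keys_derivable_from(chain_key, start, count):
    """What an attacker holding the chain key at position `start` can
    compute: message keys start, start+1, ... and never earlier ones."""
    out, ck = {}, chain_key
    for i in range(start, start + count):
        ck, out[i] = kdf_ck(ck)
    return out


def demo(total=6, compromise_at=3):
    # Constructed shared chain key; in Signal it comes from the DH ratchet.
    root = hashlib.sha256(b"constructed demo chain key").digest()
    alice, bob = SendingChain(root), ReceivingChain(root)
    sent, snapshot = {}, None
    for _ in range(total):
        if alice.n == compromise_at:
            snapshot = alice.chain_key  # sender state leaked at this moment
        idx, mk = alice.next_message_key()
        sent[idx] = mk
    order = [2] + [i for i in range(total) if i != 2]  # message 2 arrives first
    received = {i: bob.message_key_for(i) for i in order}
    exposed = keys_derivable_from(snapshot, compromise_at, total - compromise_at)
    early = [sent[i] for i in range(compromise_at)]
    return {
        "receiver_agrees": received == sent,
        "later_keys_exposed": all(exposed[i] == sent[i] for i in exposed),
        "earlier_keys_safe": not any(k in exposed.values() for k in early),
    }
```

In the real protocol the chain key is additionally replaced by a fresh DH-derived value at every ratchet turn, which is what also heals the session after such a compromise.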
Tomi Engdahl says:
Electronica – Safety and security were the subject of the Electronica Governors’ panel discussion, which traditionally opens this three-day professional electronics giant fair. Security will rise to unprecedented importance with robot cars and 5G connections. The old way of developing networks will no longer work.
Rick Clemmer, CEO of NXP, which is soon to move into Qualcomm, pointed out that the Internet was not originally designed right. – Security was not originally built in as part of the Internet, so applications had to be developed to be secure.
STMicroelectronics President and CEO Carlo Bozotti pointed out that with the IoT the problem will only grow worse. – With billions of devices being added, and therefore billions of microcontrollers, any of them can act as a door for the attacker.
Dresden Technical University communications professor Frank Fitzek accused the developers of laziness. – The cloud and mobile devices are fast, but the network technology in between has not been developed. SDN, or software defined networking, and virtualized network functions are slightly improving these problems.
Stefan Auerbach of smart chip developer Giesecke + Devrient pointed out that individual devices can indeed be made secure. – Every year we deliver 5 billion SIM cards, of which an increasing proportion are embedded.
According to NXP’s Clemmer, part of the problem is that the attitude towards data security varies between countries. Or actually cultures. – Europe requires the protection of privacy, the United States the prevention of the hacking of its data, and in China the most important thing is the convenience of using services.
Network security should be treated like SIM card security. It is always already in place, part of the product.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5370:internet-suunniteltiin-vaarin&catid=13&Itemid=101