Here are my predictions for trends in information security and cyber security for year 2016.
Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identifying the target can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: a new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges gaining trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view the main things seem to be okay, but now privacy issues are being raised as well.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which, for example, transport, industry, health and the new operators set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
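As an added illustration of the “integrity solution that acts like an alarm” mentioned above (example code written for this page, not a product or code from the original post), the following Python script builds a SHA-256 baseline of a directory tree, HMAC-signs the baseline so that a tampered baseline is itself detected, and reports files added, removed or modified since the baseline was taken. The directory contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot make the
    baseline vouch for content it does not cover.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def serialize(baseline):
    """Canonical JSON so the same baseline always yields the same bytes (and HMAC)."""
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(baseline, key):
    """HMAC-SHA256 tag over the canonical baseline; keep the key off the monitored host."""
    return hmac.new(key, serialize(baseline), hashlib.sha256).hexdigest()


def verify_baseline(baseline, key, tag):
    """Constant-time check that the stored baseline was not rewritten by an intruder."""
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline, current):
    """Diff two baselines: this is the alarm output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: take a baseline, then simulate post-breach changes."""
    key = b"constructed-demo-key-real-keys-live-off-host"   # constructed, not a real secret
    with tempfile.TemporaryDirectory() as root:
        files = {                                            # constructed sample tree
            "bin/service": b"\x7fELF constructed binary\n",
            "etc/service.conf": b"listen = 127.0.0.1:8443\n",
            "etc/motd": b"authorized users only\n",
        }
        for rel, content in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)

        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # Simulated changes left behind after a compromise.
        Path(root, "etc/service.conf").write_bytes(b"listen = 0.0.0.0:8443\n")  # modified
        Path(root, "bin/unexpected").write_bytes(b"new file\n")                 # added
        Path(root, "etc/motd").unlink()                                         # removed

        # A baseline whose stored hash was rewritten must fail verification.
        tampered = dict(baseline, **{"etc/service.conf": "0" * 64})

        return {
            "baseline_ok": verify_baseline(baseline, key, tag),
            "tampered_ok": verify_baseline(tampered, key, tag),
            "report": compare(baseline, build_baseline(root)),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```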
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals: Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it’s been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
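As an added example (not from the original post) of auditing your own certificates ahead of the SHA-1 cutoff described above, this Python script walks the outer DER structure of an X.509 certificate to read its signature algorithm OID and flags SHA-1 signatures, using only the standard library. The certificates it checks are constructed stand-ins whose tbsCertificate body is a dummy, since only the outer signatureAlgorithm field is inspected; for real certificates, feed it the DER from pem_to_der().

```python
import ssl

# Signature algorithm OIDs: dotted OID -> (name, signed with SHA-1?)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Turn DER OID content bytes into dotted form (base-128 sub-identifiers)."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)            # skip tbsCertificate entirely
    tag, alg_start, _ = read_tlv(der, tbs_end)      # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OID")
    return decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return (algorithm name, uses_sha1); unknown OIDs are reported with None, not accepted."""
    oid = signature_algorithm_oid(der)
    return SIGNATURE_OIDS.get(oid, ("unknown:" + oid, None))


def pem_to_der(pem):
    """For real certificates: ssl.get_server_certificate() returns PEM text."""
    return ssl.PEM_cert_to_DER_cert(pem)


def audit(certs):
    """Names of certificates that must be replaced or reviewed before the cutoff."""
    return [name for name, der in certs.items() if classify(der)[1] is not False]


# ---- constructed test vectors (not real certificates) ----
def _der(tag, body):
    assert len(body) < 128                  # short-form length suffices for these stubs
    return bytes([tag, len(body)]) + body


def fake_cert(oid_content):
    """Outer certificate shape with a dummy tbsCertificate and a placeholder signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                        # placeholder body
    alg = _der(0x30, _der(0x06, oid_content) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 8)                      # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
ECDSA_SHA1 = bytes.fromhex("2a8648ce3d0401")        # 1.2.840.10045.4.1


if __name__ == "__main__":
    inventory = {"old-rsa": fake_cert(SHA1_RSA), "new-rsa": fake_cert(SHA256_RSA),
                 "old-ec": fake_cert(ECDSA_SHA1)}
    for name, der in inventory.items():
        print(name, classify(der))
    print("replace before cutoff:", audit(inventory))
```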
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with the Linux Foundation.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the completely wrong approach to information security.
Cars were hacked at record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars, hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransom malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend ensuring that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016 and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom to DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint”. Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will be hacked. In 2016, If You’re Not Paranoid, You’re Crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
Anti-Drone Fence: Science or Snakeoil?
http://hackaday.com/2016/11/09/anti-drone-fence-science-or-snakeoil/
Remember when it was laser pointers? Well, now it’s drones.
[Thinkerer] sent us this link to what’s essentially a press release for a company called Sensofusion that makes a UAV detector and (they claim) smart jammer, and apparently one is being installed at Denver International airport.
We buy that the “Airfence” system will be able to detect known systems by signature, and possibly even take them over. We’ve seen two exploits of quadcopter radio protocols (one a timing attack and the other a controller ID spoof) that would allow them to do just that. But is that the problem? Don’t most of the major manufacturers fence off airports in software these days anyway?
They also make some claims about being able to detect and stop DIY copters, but we don’t see how.
Drone fence arriving in Denver
https://www.aopa.org/news-and-media/all-news/2016/november/03/drone-fence-arriving-in-denver
Drones approaching sensitive facilities can be instantly identified and tracked; their operators located; and, if need be, the defense system developed by a company called Sensofusion can even force the offending drone to land at a location designated in advance—all without need for human intervention. The essential equipment is roughly the size of a wireless router commonly found in homes and offices, or a set-top cable television box. Add an antenna and a computer, and you’re up and running. Soon there will be an Airfence at Denver International Airport.
Tomi Engdahl says:
OAuth 2.0 Vulnerability Leads to Account Takeover
http://www.securityweek.com/oauth-20-vulnerability-leads-account-takeover
A vulnerability in OAuth 2.0 could result in an attacker being able to sign into a victim’s mobile app account and take control of it, security researchers have discovered.
In a recently published research paper (PDF) that was also detailed at the Black Hat Europe security conference, three researchers from the Chinese University of Hong Kong demonstrate the prevalence and severe impact of the vulnerability. According to researchers, 41.21% of the 600 top-ranked Android apps that use the OAuth2.0-based authentication service from Facebook, Google, and Sina, are vulnerable.
Because of the widespread use of OAuth 2.0-based Single-Sign-On (SSO) services for 3rd party websites, the security researchers say, major Identity Providers (IdPs) such as Facebook, Google, and Sina, have adapted OAuth 2.0 to support SSO for 3rd-party mobile apps on their social-media platforms. However, because of differences in system environments, “the original OAuth 2.0 protocol becomes under-specified.”
Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0
https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billion-Mobile-Apps-Effortlessly-With-OAuth20-wp.pdf
Tomi Engdahl says:
Merkel Warns of Possible Russian Interference in German Vote
http://www.securityweek.com/merkel-warns-possible-russian-interference-german-vote
Chancellor Angela Merkel on Tuesday said Russia could try to influence Germany’s general elections next year through cyber attacks or disinformation campaigns, after Washington accused the Kremlin of similar meddling in the US vote.
“We are already, even now, having to deal with information out of Russia or with internet attacks that are of Russian origin or with news which sows false information,” Merkel, said at a press conference alongside Norwegian Prime Minister Erna Solberg.
Dealing with that was already “a daily task”, she told reporters in Berlin.
Tomi Engdahl says:
Deserted Island, InfoSec Edition: What One Security Product Should You Choose?
http://www.securityweek.com/deserted-island-infosec-edition-what-one-security-product-should-you-choose
As information security professionals, we spend a lot of time thinking about what security products are the highest priority. But as most of these decisions are mired in the nuances and details of the modern enterprise, I’d like to simplify things by bringing us back to a favorite childhood game: What would you bring on a deserted island?
It’s not an easy question to answer in a time when security threats are changing every day in the cat-and-mouse game we’re playing with attackers. For every new threat and attack vector, there is a new company promising the “solution.” This cycle incurs the need for security decision-makers to think about hypothetical scenarios like the “deserted island” in order to prioritize where their budget will provide the most value.
So in choosing just one of these products, we must consider what will protect the widest variety of information in the most effective way—technology that can span a wide, distributed network to block multiple kinds of attacks. There are a few ways to go about this, so security practitioners will always have multiple options when choosing their “deserted island” product.
End-to-end encryption
Securing the largest quantity of information possible means starting with the data itself. Whether the data in question is stored in your physical data center, the cloud or a third-party storage service, effective encryption and its management are central elements to shading it from attackers.
Robust endpoint protection
Vendors across the security industry continue touting the end of the traditional perimeter. Amid this noise, it’s hard to pinpoint who has the best understanding of this issue and, as a result, can provide the best solution for organizations’ ever-growing attack surfaces.
Interconnected safety measures
Web services and SaaS applications (e.g. Dropbox, Gmail and Slack) have become key pieces of a company’s culture and business operations. Almost every company now relies on them, which means they can also be a point of vulnerability – simply because they become the point at which you lose control over the applications that have access to your business’s information. There’s always the chance that the third-party companies providing web services can be compromised, putting your business at risk in the process.
In this situation, security tools are great and encryption, essential. However, with the growing number of data and endpoints moving freely throughout the enterprise, it is becoming increasingly difficult for security solutions to protect a perimeter with firewalls, IPS/IDS, sandboxes, etc. Endpoint protection and end-to-end encryption are not the end-all to network security issues on their own.
It is impossible to find the cure-all for security issues as we battle creative, intelligent malicious actors. But employing encryption, endpoint protection and ensuring security professionals have a clear understanding of the products available to them is a strong start. There’s a difference between “nice-to-have” security products and “must-have” security products. The “must-haves” are critical to protecting organizations from cyber attacks.
Tomi Engdahl says:
Jonathan Shieber / TechCrunch:
A look at how Donald Trump’s nascent policy platform on tech-related issues, such as immigration, trade, and cybersecurity will affect Silicon Valley — Donald J. Trump is now the President-elect of the United States after one of the most surreal and unlikely campaign victories in American history.
What does a President-elect Trump mean for Silicon Valley? Nothing very good.
https://techcrunch.com/2016/11/09/what-does-a-president-elect-trump-mean-for-silicon-valley-nothing-very-good/
Cybersecurity
Given all of the attention that hacking and U.S. cybersecurity has received during the election campaign, the Trump plan to address the issue is incredibly and perhaps dangerously vague.
From the 2014 Sony hack to last month’s DDoS attack that shut down a broad swath of the Internet for much of the United States, U.S. internet infrastructure seems to be dangerously exposed, and is definitely critically important. Meanwhile, the Trump campaign’s position on the issue seemed to be nothing more than a way to throw shade at Secretary Clinton for her email mismanagement.
For Silicon Valley companies, there are probably few issues as critical as the protection of the networks that are their lifeblood. And to transform one of their key concerns into a political football whose only purpose is to score a few cheap points on an opponent seems... like a flawed strategy. Especially when those networks are vital to support companies that are among the top 10 most valuable in the global economy.
Tomi Engdahl says:
Adobe Patches 9 Flash Player Flaws Reported via ZDI
http://www.securityweek.com/adobe-patches-9-flash-player-flaws-reported-zdi
Security updates released by Adobe on this Patch Tuesday address one vulnerability in Connect for Windows and nine arbitrary code execution flaws in Flash Player.
Tomi Engdahl says:
Google Washes Dirty COW From Android
http://www.securityweek.com/google-washes-dirty-cow-android
Google’s Android Security Bulletin for November 2016 patched a total of 83 vulnerabilities in the operating system, one of which was the Dirty COW flaw in Linux kernel that was disclosed a few weeks back.
Tracked as CVE-2016-5195, the bug was found to impact Android devices as well, and security researchers even published exploit codes to prove that. The Dirty COW vulnerability could be exploited to gain root access on affected Android products, and all devices running a Linux kernel higher than 2.6.22 are believed to be affected by the issue, especially with many of them not being patched in due time.
Only a few weeks after the flaw was publicly disclosed, Google released a patch for it as part of the Android Security Bulletin for November 2016, which came out on Monday. According to Google, the vulnerability is resolved on devices running the security patch level of 2016-11-06, which was the third security patch level in the new set of updates.
One of these flaws was a Denial of service vulnerability in Proxy Auto Config (CVE-2016-6723), which could enable a remote attacker to use a specially crafted file to cause a device hang or reboot. Considered only of Moderate severity, the bug was found to affect devices running Android 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, and 7.0.
Tomi Engdahl says:
Microsoft Patches Windows Zero-Day Exploited by Russian Hackers
http://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-russian-hackers
The 14 security bulletins released on Tuesday by Microsoft address many serious issues, including a couple of Windows vulnerabilities actively exploited by malicious actors and bugs for which exploits are already publicly available.
One of the zero-days has been patched with MS16-135, a bulletin rated important. MS16-135 fixes two information disclosure and three privilege escalation flaws, one of which is a Windows kernel bug exploited in attacks by a Russia-linked cyber espionage group to elevate privileges and escape the browser sandbox.
The zero-day, tracked as CVE-2016-7255, was reported to Microsoft by Google researchers on October 21 and it was disclosed by the search giant ten days later. Google typically gives vendors a few months to patch vulnerabilities, but the deadline is only 7 days for flaws exploited in the wild.
While Google decided that it would be in the best interest of users to disclose the vulnerability, Microsoft disagreed and criticized the company for putting its customers at risk. Microsoft said the vulnerability had been exploited in a low-volume spear-phishing campaign by the threat group known as Pawn Storm, APT28, Fancy Bear, Sednit, Sofacy and Tsar Team.
Tomi Engdahl says:
Security Industry Could Light Path for Data Analytics
http://www.securityweek.com/security-industry-could-light-path-data-analytics
A new survey and report shows strong faith but poor confidence in current data analytics. For example, 70% of respondents to the survey believe that analytics are integral to understanding how products are used; 71% to understanding business performance, and 70% to understanding fraud. But at the same time, only 43% are confident in the analytics insights for risk and security; 38% for customer insights; and just 38% for business operations.
“Failing to master analytics will not only make it increasingly hard for organisations to compete,” comments Paul Tombleson, UK head of data & analytics at KPMG, “but will expose their brands to new and growing risks. Seventy percent of UK executives believe that by using data and analytics they expose their organisations to reputational risk.”
KPMG believes that the low levels of trust might be filtering down from the top of the organization, since nearly half of the respondents do not believe their C-suite executives fully support their organization’s data analytics strategy.
Missing from the report is any indication of the effect of a shortage in skilled data scientists. Data scientists differ from statisticians by requiring experience in machine learning and algorithms; and without them the essential step towards automated data analytics cannot be made. As long ago as 2012, Gartner predicted a shortage of more than 100,000 data scientists by 2020.
Tomi Engdahl says:
USAF Academy Works With Cybersecurity Developer
http://mwrf.com/services/usaf-academy-works-cybersecurity-developer?NL=MWRF-001&Issue=MWRF-001_20161110_MWRF-001_744&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=8446&utm_medium=email&elq2=d63e861c1d2a4830917bbbf370e324e2
The United States Air Force Academy (USAFA) is collaborating with root9B to develop intrusion detection tools for industrial control systems (ICS). It is hoped that the efforts will advance the available knowledge of ICS Intrusion Detection and Prevention Systems (IDS/IPS), and work to recognize and protect ICS systems from malicious threats.
Earl Eiland, root9B’s senior cybersecurity engineering and ICS expert, notes: “By improving IDS/IPS assessments, we are improving the overall IDS/IPS R&D process. By extension, ICS system attack resistance and mission assurance are increased.”
https://www.root9b.com/
Tomi Engdahl says:
Yahoo Reveals More Details About Massive Hack
http://www.securityweek.com/yahoo-reveals-more-details-about-massive-hack
Yahoo provided more details on Wednesday about an epic hack of its services, including that the culprits may have planted software “cookies” for ongoing access to users’ accounts.
In revelations that could jeopardize the company’s pending $4.8 billion acquisition by US telecom giant Verizon, the internet pioneer said it was trying to pin down when it first knew its system had been breached and whether hackers gave themselves a way to get back into accounts whenever they wished.
“Forensic experts are currently investigating certain evidence and activity that indicates an intruder, believed to be the same state-sponsored actor responsible for the security Incident, created cookies that could have enabled such intruder to bypass the need for a password to access certain users’ accounts or account information,” Yahoo said in a filing with the US Securities and Exchange Commission.
There is no evidence the state-sponsored actor is still active in the California-based company’s network, Yahoo told regulators.
Investigators are also trying to figure out how much people at Yahoo knew about the hack in late 2014, when the breach took place, according to the filing.
Yahoo announced the breach in September, saying it affected at least 500 million customers.
A Verizon executive overseeing the purchase of Yahoo said last month that the deal was moving ahead pending the outcome of an investigation into the hack.
The company said earlier this month that the breach affecting Yahoo customers could have a “material” effect on the acquisition. Yahoo also warned of the possibility in its filing.
Yahoo Confirms Massive Data Breach of 500 Million Accounts
http://www.securityweek.com/yahoo-confirms-massive-data-breach-500-million-accounts
Following rumors that an announcement was soon to come, Yahoo! said Thursday that hackers managed to access data from at least 500 million user accounts in a cyberattack dating back to 2014.
In early August, a hacker claimed to possess 200 million Yahoo user accounts that he offered for sale on a dark web cybercrime marketplace for just a few Bitcoins.
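The Yahoo filing quoted above turns on whether an intruder who has been inside the network can mint cookies that stand in for a password. The property a defender wants to verify is that a session cookie carries a tag computed with a server-side secret, so that it cannot be forged or altered without that secret, and that rotating the secret invalidates every outstanding cookie at once. The Python below is an added example written for this page, not Yahoo's code; the secret value, user names and timestamps are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret. A real service loads this from a secret store and
# rotates it when a compromise is suspected, which invalidates all cookies at once.
SECRET_KEY = b"constructed-server-side-secret-v1"


def _tag(payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the serialized claims; only the server holds the key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(user_id: str, ttl_seconds: int, key: bytes = SECRET_KEY,
                 now: Optional[float] = None) -> str:
    """Return "base64url(claims).base64url(tag)" for a logged-in user."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(_tag(payload, key)).decode())


def verify_cookie(cookie: str, key: bytes = SECRET_KEY,
                  now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    # Constant-time comparison: the tag must have been made with our key.
    if not hmac.compare_digest(_tag(payload, key), tag):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims.get("uid")


def retarget_cookie(cookie: str, new_user_id: str) -> str:
    """Self-check helper: rewrite the claims but keep the original tag.
    verify_cookie() must reject the result because the tag no longer matches."""
    payload_b64, tag_b64 = cookie.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["uid"] = new_user_id
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag_b64


if __name__ == "__main__":
    good = issue_cookie("alice", ttl_seconds=3600, now=1000.0)
    print("valid:", verify_cookie(good, now=2000.0))                               # alice
    print("expired:", verify_cookie(good, now=5000.0))                             # None
    print("tampered:", verify_cookie(retarget_cookie(good, "bob"), now=2000.0))    # None
    print("after key rotation:", verify_cookie(good, key=b"rotated-v2", now=2000.0))  # None
```

The last line of the usage is the operational point: if there is any suspicion that an intruder could produce valid cookies, rotating the key is the one action that cuts off every session at once, at the cost of logging every user out.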
Tomi Engdahl says:
Cyberspies Ramped Up Attacks After Exposure of Zero-Days
http://www.securityweek.com/cyberspies-ramped-attacks-after-exposure-zero-days
The Russia-linked threat actor known as Pawn Storm ramped up its attacks against governments and embassies after seeing that researchers discovered the Windows and Flash Player zero-day exploits it had been using.
In late October, Google disclosed a serious Windows kernel vulnerability that had been exploited in the wild. Microsoft was informed about the issue on October 21, but it only managed to release a patch this week. Microsoft was unhappy with Google’s decision, but it quickly provided some mitigations.
Microsoft revealed in early November that the Pawn Storm group, which it calls Strontium, exploited the Windows flaw (CVE-2016-7255) in combination with a Flash Player vulnerability (CVE-2016-7855). Google also reported the Flash Player bug to Adobe on October 21, but unlike Microsoft, Adobe released a patch after only a few days.
Trend Micro has been monitoring Pawn Storm, which is also known as APT28, Fancy Bear, Sednit, Sofacy and Tsar Team. According to the security firm, Pawn Storm initially used the two zero-days only against very high-profile targets.
Tomi Engdahl says:
Hackers Can Abuse iOS WebView to Make Phone Calls
http://www.securityweek.com/hackers-can-abuse-ios-webview-make-phone-calls
The iOS applications of Twitter, LinkedIn and possibly other major vendors can be abused by hackers to initiate phone calls to arbitrary numbers. The attacker can also prevent the victim from ending the call.
Security researcher Collin Mulliner said the cause of the flaw is related to WebView and how the component is handled by some iOS applications. WebView is a browser integrated into mobile apps. It allows developers to build their apps with web technologies, and it’s often used to display web pages inside an application without the need for third-party browsers.
According to Mulliner, an attacker who can convince a user to open a specially crafted webpage via a vulnerable app can make phone calls from the victim’s device. The attack website needs to redirect the victim to a TEL URI, which initiates a call to a specified number. This part of the attack involves only one line of HTML code, but the victim can easily end the call once the number is dialed.
Applications such as Safari, Dropbox and Yelp warn the user that a phone call is about to be made and prompts them to confirm the action, and the researcher believes other apps should do the same. In addition to app developers, Apple should take steps to prevent this type of WebView abuse.
“DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim’s number. Altogether things you don’t want to happen,”
Tomi Engdahl says:
Attackers Exploited Chrome Zero-Day to Deliver Android Trojan
http://www.securityweek.com/attackers-exploited-chrome-zero-day-deliver-android-trojan
Cybercriminals delivered the Svpeng Trojan to Android users via Google AdSense and a zero-day vulnerability in the Android version of the Chrome web browser.
The existence of the Svpeng Trojan was first brought to light by Kaspersky in July 2013. Malicious actors have mainly used the malware to target Android users in Russia, but some campaigns were also aimed at devices in the United States and elsewhere.
Last year, authorities in Russia arrested the alleged creator of Svpeng and several other individuals suspected of using the Trojan. However, cybercriminals have continued to improve the malware since.
Tomi Engdahl says:
The great number of cyber-attacks and break-ins to companies means more business to insurance companies that sell cyber-security-insurance services:
Aon beefs up its cyber insurance portfolio with acquisition
http://www.cio.com/article/3137256/cio-role/aon-beefs-up-its-cyber-insurance-portfolio-with-acquisition.html
The risk management firm has acquired Stroz Friedberg, which AON says will help it better meet clients’ requirements for managing their responses to cyberattacks.
Cyberattacks against Target, Home Depot, Sony and several other large companies have galvanized what was a formerly niche cyber insurance market. As a result of those high-profile breaches, corporate demand for policies that hedge against hackers has soared.
Seizing on this opportunity, Aon last month acquired Stroz Friedberg, adding incident response and other capabilities to its portfolio of cybersecurity assessment and risk transfer services. Aon further plans to round its portfolio with risk analytics, sentiment analysis and vendor partnerships.
“[Stroz’] incident response capabilities are the gold standard in the market,”
Stroz, perhaps best known for helping the likes of Sony and Yahoo mitigate damage from breaches, will enable Aon to help clients mitigate cyber incidents more rapidly, which has a direct correlation on reducing claims.
“Those that practice the best in hygiene, preparation and response have an opportunity to reduce the severity of the incident because they reduce the time in which an attacker is inside,” Bruno says.
Why it’s important to hedge against cyber risk
Aon’s bid for Stroz comes in a market that is maturing rapidly because of the increased intensity of attacks, which have triggered mandatory data-breach reporting laws. Allianz forecasts that cyber insurance premiums will grow globally from $2 billion annually to over $20 billion over the next decade.
Although 60 vendors offer cyber insurance of some sort, none currently account for every type of intrusion, data loss or contingency associated with a cyberattack. Forrester Research says organizations will need to “build towers of insurance,” establishing relationships with several carriers to build sufficient coverage.
And as companies purchase more cyber policies it will launch a reinsurance market, generating a new revenue stream for Aon, which could offer cyber bonds, similar to how reinsurers offer catastrophe bonds to mitigate risk from natural disasters.
Next stop: real-time analytics
Bruno says Aon may acquire more companies as it seeks to add real-time data analytics capabilities to anticipate attacks or address them as they are happening, automating what has traditionally been a manual assessment process. Bruno says this will become more critical as the internet of things expands into more industries.
Another big focus for Aon includes using sentiment analysis capabilities to anticipate the actions of rogue employees who may show patterns of becoming disgruntled over time. Perhaps no incident is more famous than former NSA contractor Edward Snowden pilfering classified documents and sharing them online.
“People don’t wake up one-day and decide to go rogue,”
Bruno also says Aon aims to partner with large vendors such as Symantec, Hewlett Packard Enterprise, Cisco, IBM and Microsoft, to certify their technology for insurability.
Tomi Engdahl says:
What your cyber risk profile tells insurers
http://www.cio.com/article/3102182/security/what-your-cyber-risk-profile-tells-insurers.html#tk.drr_mlt
The purpose of a cyber risk profile is to assess your organization’s insurability. The work you do upfront can go a long way toward ensuring you get adequate cyber insurance coverage and a better rate to boot.
A cyber risk profile is a complex measure of an organization’s security posture. It paints a picture of your risk related to technical aspects such as network and system security liability and network interruption, as well as more organizational aspects such as cyber defense maturity.
Although many organizations develop their own risk profiles for internal uses — like improving security — cyber insurance carriers use cyber risk profiles as a tool to determine risk when writing policies. A carrier takes the results of an organization’s assessments and creates its own profile, incorporating additional information that develops a deeper understanding of that organization’s risk.
Tomi Engdahl says:
Russian banks hit by cyber-attack
http://www.bbc.com/news/technology-37941216
Five Russian banks have been under intermittent cyber-attack for two days, said the country’s banking regulator.
The state-owned Sberbank was one target of the prolonged attacks, it said.
Hackers sought to overwhelm the websites of the banks by deluging them with data in what is known as a Distributed Denial of Service (DDoS) attack.
Security firm Kaspersky said the attacks were among the largest it had seen aimed at Russian banks.
The data floods began on 8 November and have continued intermittently ever since, it added.
Most of the data deluges lasted about 60 minutes but the most persistent attack went on for almost 12 hours, the security firm said.
The names of the other banks that were hit have not been released but all are believed to be among the 10 biggest in Russia.
The hackers behind the DDoS attacks are believed to have generated the huge amounts of data by taking over smart devices such as webcams and digital video recorders that use easy to guess passwords.
Tomi Engdahl says:
President Obama Should Shut Down the NSA’s Mass Spying Before It’s Too Late
http://time.com/4565149/obama-trump-nsa-surveillance/
Modern surveillance programs would be a disaster under President Trump
President Obama has just 71 days until Donald Trump is inaugurated as our next commander-in-chief. That means he has a matter of weeks to do one thing that could help prevent the United States from veering into fascism: declassifying and dismantling as much of the federal government’s unaccountable, secretive, mass surveillance state as he can — before Trump is the one running it.
During the Obama administration, warrantless spying programs have vastly expanded, giving the government more power than ever before to constantly monitor all of us by collecting our emails, texts, phone records, chats, real-time locations, purchases, and other private information en masse. This indiscriminate spying isn’t just happening in some National Security Agency bunker. It has reportedly spread throughout dozens of agencies, from local police departments to the Drug Enforcement Administration, Internal Revenue Service, and more.
Trump has repeatedly called for more government surveillance. And he has made it very clear exactly how he would use such powers: to target Muslims, immigrant families, marginalized communities, political dissidents, and journalists.
The surveillance apparatus that has grown in this country since 9/11 has always been wrong. Surveillance technology, often used without a warrant, has been repeatedly abused to target specific racial, ethnic, and religious groups.
In Trump’s hands, these programs could become more dangerous than ever before.
Mass surveillance has already had a statistically measurable chilling effect on freedom of expression.
The future of our most basic rights and freedoms is at risk.
This is exactly why unfettered government spying programs are so dangerous. No matter what their creators’ intentions may be, their use can quickly spiral out of control. The recent prosecutions of whistleblowers under the Espionage Act, which the Obama administration has normalized over the last decade
The country is now counting on President Obama.
He should shut down the NSA and related mass surveillance programs. He should physically destroy the databases where the sensitive personal information of hundreds of millions of people are illegally stored. He should release Chelsea Manning and pardon Edward Snowden. He should support efforts in Congress to curtail location-tracking and other dangerous data collection.
He should bulldoze the data centers, computers and all, if he has to. He alone has the power to dismantle the U.S. surveillance state
Tomi Engdahl says:
Unsealed Court Docs Show FBI Used Malware Like ‘A Grenade’
http://motherboard.vice.com/read/unsealed-court-docs-show-fbi-used-malware-like-a-grenade
In 2013, the FBI received permission to hack over 300 specific users of dark web email service TorMail. But now, after the warrants and their applications have finally been unsealed, experts say the agency illegally went further, and hacked perfectly legitimate users of the privacy-focused service.
“That is, while the warrant authorized hacking with a scalpel, the FBI delivered their malware to TorMail users with a grenade,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in an email.
In 2013, the FBI seized Freedom Hosting, a service that hosted dark web sites, including a large number of child pornography sites and the privacy-focused email service TorMail. The agency then went on to deploy a network investigative technique (NIT)—a piece of malware—designed to obtain the real IP address of those visiting Freedom Hosting sites. According to the new documents, the NIT was used against users of 23 separate websites.
Now, we do know that to be true: recently unsealed affidavits include a total of over 300 redacted TorMail accounts that the FBI wanted to target. All of these accounts were allegedly linked to child pornography-related crimes, according to court documents.
Importantly, the affidavits say that the NIT would only be used to “investigate any user who logs into any of the TARGET ACCOUNTS by entering a username and password.”
But, according to sources who used TorMail and previous reporting, the NIT was deployed before the TorMail login page was even displayed, raising the question of how the FBI could have possibly targeted specific accounts.
“The warrant that the FBI returned to the court makes no mention of the fact that the FBI ended their operation early because they were discovered by the security community, nor does it acknowledge that the government delivered their malware to innocent TorMail users. This strongly suggests that the FBI kept the court in the dark about the extent to which they botched the TorMail operation,”
“What remains unclear is if the court was ever told that the FBI had exceeded the scope of the warrant, or whether the FBI agents who hacked innocent users were ever punished,”
Tomi Engdahl says:
Russian Hackers Launch Targeted Cyberattacks Hours After Trump’s Win
https://politics.slashdot.org/story/16/11/10/1959212/russian-hackers-launch-targeted-cyberattacks-hours-after-trumps-win
Merely a few hours after Donald Trump declared his stunning victory, a group of hackers that is widely believed to be Russian and was involved in the breach of the Democratic National Committee launched a wave of attacks
Around 9 a.m. ET on Wednesday, the hackers sent a series of phishing emails trying to trick dozens of victims into opening booby-trapped attachments containing malware, and clicking on malicious links
Russian Hackers Launch Targeted Cyberattacks Hours After Trump’s Win
http://motherboard.vice.com/read/russian-hackers-launch-targeted-cyberattacks-hours-after-trumps-win
Merely a few hours after Donald Trump declared his stunning victory, a group of hackers that is widely believed to be Russian and was involved in the breach of the Democratic National Committee launched a wave of attacks against dozens of people working at universities, think tanks, NGOs, and even inside the US government.
Around 9 a.m. ET on Wednesday, the hackers sent a series of phishing emails trying to trick dozens of victims into opening booby-trapped attachments containing malware, and clicking on malicious links, according to security firm Volexity, which observed and reported the five attack waves. The targets work for organizations such as Radio Free Europe / Radio Liberty, the Atlantic Council, the RAND Corporation, and the State Department, among others.
Adair, who investigated these attacks and analyzed the malware, said the hackers are from the group known by the aliases of APT29 or Cozy Bear, one of the two Russian-linked groups who broke into the DNC.
The organizations targeted, Adair told me, use all kinds of anti-virus protections and yet, “these emails, for the most part—not 100 percent, but for the most part—went right through all these filters.”
“They’re not getting detected, they’re not getting flagged,”
Tomi Engdahl says:
Recruitment giant PageGroup hacked, Capgemini dev server blamed for info leak
Someone’s definitely looking for a new job, ironically
http://www.theregister.co.uk/2016/11/11/capgemini_pagegroup_leak/
Global recruitment giant PageGroup says a hacker infiltrated its network and accessed job applicants’ personal information.
The miscreant broke into a development system run by IT outsourcer Capgemini for PageGroup, and was able to look up job hunters’ names, email addresses, hashed passwords and more. UK-headquartered PageGroup and Capgemini both told The Register they believe the miscreant who slipped into its system had no malicious intent.
In alerts emailed to customers on Thursday – messages seen by El Reg – PageGroup warned that their records were obtained illegally by an unauthorized third party.
PageGroup learned that it was compromised on November 1, and it took more than a week to admit it was hacked. It appears some people are affected more than others
According to PageGroup, no CVs were accessed by the hacker. Of course, if this person could snatch people’s details, anyone with the right skills could have done so, too.
“We have ensured the website is secure,” PageGroup said in the aforementioned FAQ.
“Capgemini fully manage our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands.”
A spokesperson for PageGroup told us the unnamed hacker has since promised they have destroyed the data and the company is “confident that they have done so.” To us it sounds like someone discovered a vulnerable server, found out they could exploit it to extract people’s information, and then reported it to PageGroup.
Tomi Engdahl says:
Panicked WH Smith kills website to stop sales of how-to terrorism manuals
One title bought by MP Jo Cox murder suspect
http://www.theregister.co.uk/2016/11/11/brit_bookseller_w_h_smith_kills_own_website_to_stop_sales_of_howto_terrorism_manuals/
Prominent British bookseller W H Smith voluntarily shut its website for emergency “maintenance” last night after being warned by The Register that it was selling a range of DIY terror manuals – such as the Improvised Munitions Handbook that offer procedures for making bombs and explosive booby-traps.
The site also offered two companion titles, Boobytraps and Explosives and Demolitions.
According to the Crown Prosecution Service, “the manual was originally written for US experts and contained diagrams and drawings as well as bomb recipes involving ordinary chemicals and products such as fertiliser.”
In January 2007, a Birmingham bookshop, Maktabah, was raided and forced to close after selling the handbook and a large range of related titles. And in September 2007, an 18-year-old London student was jailed for six months for possessing similar publications.
Britain’s Terrorism Act, 2006, makes dissemination of “terrorist publications” a crime
The books originated as training manuals created by the US Army in the 1960s and have been widely distributed since, often by right-wing groups.
After The Register discovered the books – which include instructions for making bombs and explosive booby-traps – were being promoted online without checks on their legality and without any vetting of purchasers or their intentions, we ordered copies to see if they were the real deal.
After the titles turned up, we tried again using the name of a convicted British terrorist, using PayPal and assumed identities. No alarm bells rang at retailers.
One of the manuals on sale was the Improvised Munitions Handbook, which is thought to have been purchased from a US source by the alleged killer of Brit MP Jo Cox.
Tomi Engdahl says:
Security Exercises
http://www.linuxjournal.com/content/security-exercises
Regular security exercises are, bar none, the most powerful, cost-effective tool for maturing a project’s information security operations—when done well. Unfortunately, courses and certifications on InfoSec tend to focus on how to implement specific controls or how to select some baseline best practices when starting from scratch. Little to no attention tends to be paid to how to test what you have and iterate on it. Prepare for a crash course.
A security exercise is a drill designed to propel a team or teams through the steps they would take in the case of a real or suspected information security problem in their organization or project. For example:
Tell your ops team that the server hosting your internal bug tracker has experienced data loss due to a critical RAID controller failure. Have them rebuild the server from backups on spare hardware to show that the backups are viable, spare hardware available and the process known and workable.
Start running an otherwise innocuous, but memory-intensive, piece of unauthorized software on a development server. See how long it takes for someone to notice and what he or she does about it.
Isn’t This Dangerous?
Security exercises are not the first step in running an InfoSec program for a project of any size. The first step is coming up with a plan or set of policies appropriate to the size and complexity of the project. For a very small, all-volunteer open-source project, this may be as simple as “Our project manager, $name, accepts risk on behalf of the project and our information security officer, $name, is in charge in the case of a suspected security incident; the integrity of our code base will be prioritized first, confidentiality of yet-undisclosed vulnerability information second and availability of services third.”
Scheduling exercises at a predictable time and reminding others when it will happen prevents confusion among staff. It is wise to begin with low-impact exercises (more on this below) that don’t leverage production systems, and move on to higher-potential-impact exercises only when the organization’s infrastructure and personnel have had most of the bugs shaken out.
Why Are Security Exercises Important?
When I respond to a security incident that’s gone disproportionately bad—that is, far worse than the incident should have gone given the resources and security needs of the organization—it tends to be true that more than one thing has gone wrong.
“Death by supposition” is when we make decisions based on “facts” that are supposed to be true, but have not been tested by us.
Security exercises, done right, will do the following:
Reveal whether systems and technical controls (still) work as expected.
Ensure that security, ops, leadership and other team members are on the same page.
Reveal holes in procedures and policies.
Provide your team with vital practice at operations that may someday need to be done quickly and/or under stress, especially disaster recovery and incident response procedures.
Provide your team with stress inoculation. This is something that SWAT teams, martial artists, search-and-rescue teams, firefighters, military and so on already know is an essential part of their live drills: getting used to something so it doesn’t register as such a large stressor any more.
Provide non-security personnel and security personnel alike with valuable hands-on security training.
Improve the relationships needed to make security improvements and incident response go more smoothly.
Most important, well-executed security exercises take your organization from the land of supposition to actually knowing where your weaknesses are, where your resources should be going, and what you are doing right. Don’t guess. Know.
Tomi Engdahl says:
F-Secure surprised by the complexity of its IoT miracle protection device – “There was no precise understanding of the problems”
F-Secure’s first hardware project, the IoT security appliance Sense, surprised the company with its complexity, says Kristian Järnefelt, the director responsible for its consumer business.
Sense is designed to solve the security problems of poorly protected IoT devices by guarding the traffic on the home network. F-Secure said last week that Sense will not be released until next summer, i.e. more than a year behind the original schedule.
“Hindsight is always easier. Looking back at the schedules, we did not have a precise understanding of how complex and demanding the project is,” says Järnefelt.
“When it started, some time went by as the entire project grew and grew. Now we are in a situation where the loose ends are being tied together,”
The Sense system is in its final tests and almost ready. Work is now being done on the device’s security features as well as the range of supported terminals.
“We have strict standards in that kind of level of security, quality and reliability have to be.”
Sense is designed to protect the connected devices on the home network against abuse.
It acts as a wireless LAN router and firewall that analyzes the traffic passing through it. It learns to recognize what the normal network requests are and blocks malicious traffic that differs from the expected.
Source: http://www.tivi.fi/Kaikki_uutiset/f-secure-yllattyi-iot-ihmelaitteen-tyolaydesta-ei-ollut-tarkkaa-ymmarrysta-6598069
Tomi Engdahl says:
Facebook buys black market passwords to keep your account safe
The company’s security chief says account safety is about more than just building secure software.
https://www.cnet.com/news/facebook-chief-security-officer-alex-stamos-web-summit-lisbon-hackers/
For a data-saturated company of its size and scope, Facebook has markedly managed to avoid the kind of security scandals, breaches and hacks that have affected many other major web companies.
Keeping Facebook safe and keeping it secure are two different things, the social network’s chief security officer, Alex Stamos, said Wednesday at Web Summit in Lisbon. Security is about building walls to keep out threats and shore up defenses, but according to Stamos, safety is bigger than that.
“It turns out that we can build perfectly secure software and yet people can still get hurt,”
Stamos came to Facebook in summer 2015 from Yahoo and now leads a team at the social network that tries to get ahead of hackers and other threats and head off trouble before it strikes. The biggest headache he deals with is caused by the humble password.
“The reuse of passwords is the No. 1 cause of harm on the internet,” said the security chief.
When passwords are stolen en masse and traded on the black market, it becomes apparent just how many of them are the same — “123456” and its consecutive numerical brethren are the main culprits. If you’re using one of these passwords, that automatically makes your account more vulnerable to being compromised. This is something Facebook is keen to help you avoid.
To check that Facebook members are not choosing these commonly used passwords for their accounts, Stamos revealed, the social network buys passwords hackers are selling on the black market and cross-references them with encrypted passwords used on the site.
“Usernames and passwords are an idea that came out of 1970s mainframe architectures,” said Stamos. “They were not built for 2016.”
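The cross-referencing Stamos describes can only work in one direction: the site holds hashes, the black-market list holds plaintexts, so each leaked plaintext has to be re-derived under each user's salt and compared with the stored hash. The Python below is an added example for this page, not Facebook's code; the user table, the leaked list and the iteration count are constructed. It shows the offline sweep over stored hashes and, because that sweep costs one KDF call per user per leaked entry, the cheaper check a site can run at login or password-change time when the plaintext is in hand.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set

# Constructed data: a handful of users and a small "black market" list.
# A real list would be millions of entries; the logic is the same.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]
PBKDF2_ITERATIONS = 20_000  # kept low so the example runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash as a site would store it (never the plaintext)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user(username: str, password: str) -> Dict:
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table; the plaintexts exist here only to build the sample.
SAMPLE_USERS = [
    make_user("alice", "123456"),
    make_user("bob", "correct-horse-battery-staple"),
    make_user("carol", "hunter2"),
]


def users_with_leaked_passwords(users: List[Dict], leaked: List[str]) -> List[str]:
    """Offline sweep: re-derive each leaked plaintext under every user's salt and
    compare with the stored hash. Cost is users x leaked x KDF work, which is
    why a site batches this and flags matches for a forced reset."""
    flagged = []
    for user in users:
        for candidate in leaked:
            if hmac.compare_digest(hash_password(candidate, user["salt"]), user["hash"]):
                flagged.append(user["username"])
                break
    return flagged


def leaked_digest_set(leaked: List[str]) -> Set[str]:
    """Compact index of the leaked list for use when the plaintext is in hand."""
    return {hashlib.sha1(pw.encode()).hexdigest() for pw in leaked}


def password_is_leaked(candidate: str, digests: Set[str]) -> bool:
    """Online check at login or password change: one digest lookup instead of
    one KDF call per leaked entry. SHA-1 is fine here because this is an index
    of already-public strings, not a credential store."""
    return hashlib.sha1(candidate.encode()).hexdigest() in digests


if __name__ == "__main__":
    print("flag for reset:", users_with_leaked_passwords(SAMPLE_USERS, LEAKED_PASSWORDS))
    index = leaked_digest_set(LEAKED_PASSWORDS)
    print("qwerty leaked?", password_is_leaked("qwerty", index))
```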
Tomi Engdahl says:
Kaspersky accuses Microsoft of anticompetitive bundling of antivirus software
In some situations, Windows 10 will disable third party anti-malware products.
http://arstechnica.com/information-technology/2016/11/kaspersky-accuses-microsoft-of-anticompetitive-bundling-of-antivirus-software/
Billionaire Russian anti-virus developer Eugene Kaspersky has penned an angry blog post titled “That’s It. I’ve Had Enough!” to complain about Microsoft and Windows 10. Specifically, Kaspersky argues that the way Microsoft bundled Defender with Windows 10 is anti-competitive: he says that Microsoft has created obstacles to third-party products and is acting against the interests of the developers of third-party security software.
Accordingly, Kaspersky says that he has filed complaints with competition authorities in the EU and Russia. He asks that they force Microsoft to cease the behavior he feels is anti-competitive.
Microsoft has integrated anti-malware software to ensure that every Windows system has a basic level of protection without requiring any additional third-party purchases or installations. Here’s how the Microsoft setup works, and the way it has worked since Windows 8: built-in MS anti-malware software automatically disables itself if it detects a third-party product is installed and up-to-date. Microsoft chose this behavior to keep its OEM partners happy, since many of them depend on kickbacks from pre-installed third-party antivirus software.
If the third-party product expires, Windows will show warnings for a few days. If the user does nothing after this period, the expired product gets disabled, and Defender turns on.
In his post, Kaspersky complains about a number of specific Windows 10 behaviors that he views as problematic.
Kaspersky argues that when Windows 10 and its subsequent major updates were released, antivirus developers had no real opportunity to develop compatible software.
Second, Kaspersky wants the install/upgrade behavior to change. He wants Windows to be more explicit that installation will remove incompatible third-party anti-malware software.
The final MS behavior that Kaspersky criticizes is a subtlety of the way Windows defaults to Defender. Windows’ method has two prongs. The first: Windows warning screens encourage users to enable Defender—an act that disables third-party products—even if the third-party product is currently active and up-to-date.
Regardless of how regulators respond, one thing is clear: they won’t move fast enough to change anything any time soon, because they never do.
One of Kaspersky’s proposed remedies—delaying the release of major Windows updates to give antivirus developers more time to update—feels positively anti-consumer, as it means delaying the availability of bug fixes, security updates, and new features.
Even requiring explicit user confirmation before enabling Defender seems hard to justify
As well as calling for regulators to take action, Kaspersky calls for independent software developers to “form a united front and all fight together” against Microsoft.
Tomi Engdahl says:
Sexual secrets for hundreds of millions exposed in largest hack of 2016
https://www.leakedsource.com/blog/friendfinder
What happened?
Friend Finder Network Inc is a company that operates a wide range of 18+ services and was hacked in October of 2016 for over 400 million accounts representing 20 years of customer data which makes it by far the largest breach we have ever seen — MySpace gets 2nd place at 360 million. This event also marks the second time Friend Finder has been breached in two years, the first being around May of 2015.
How did it happen? They were hacked via a Local File Inclusion exploit and you can read more about the situation when it was initially reported from this link.
Passwords were stored by Friend Finder Network either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure.
Tomi Engdahl says:
Researcher says Adult Friend Finder vulnerable to file inclusion vulnerabilities
LFI vulnerabilities used to expose sensitive files and a database schema
http://www.csoonline.com/article/3132533/security/researcher-says-adult-friend-finder-vulnerable-to-file-inclusion-vulnerabilities.html
A researcher known for exposing application flaws posted screenshots showing Local File Inclusion vulnerabilities on Adult Friend Finder. The incident marks the second time in just over a year that the internet hook-up destination has had security problems.
LFI vulnerabilities allow an attacker to include files located elsewhere on the server into the output of a given application.
In most cases, the LFI results in data being printed to the screen – which is what is happening here – or they can be leveraged to perform more serious actions, including code execution. This vulnerability exists in applications that don’t properly validate user-supplied input, and leverage dynamic file inclusion calls in their code.
In his examples, 1x0123 shows a redacted image of the server’s passwd file, as well as a database schema generated on September 7, 2016.
The database schema reveals the database names, internal IP details, and the generic six-character password used to access them. All of the listed databases share the same password. Among the databases listed are chat, ffibilling, memberlist, messages, photo, users, and video. In all, there are ninety databases listed.
This isn’t the first time 1x0123 has been in the news.
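To make the LFI mechanism described above concrete, here is an added example (my own code, not anything from the CSO article or from the researcher’s screenshots): the vulnerable include pattern beside a hardened version. The directory layout, file names and the stand-in passwd file are constructed for the demo.

```python
import os
import re
import tempfile

# Constructed sandbox for the demo (an assumption, not the real server layout):
# a web root holding one includable page, and a file two levels above it that
# stands in for the passwd file the researcher displayed.
ROOT = tempfile.mkdtemp()
PAGES = os.path.join(ROOT, "www", "pages")
os.makedirs(PAGES)
with open(os.path.join(PAGES, "about.html"), "w") as fh:
    fh.write("<h1>About</h1>")
with open(os.path.join(ROOT, "passwd"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/sh\n")


def include_vulnerable(page):
    """The classic LFI shape: a request parameter (think ?page=about.html)
    is joined onto a base directory and read with no containment check.
    '../' climbs out of PAGES, and an absolute value such as '/etc/passwd'
    makes os.path.join discard PAGES entirely."""
    path = os.path.join(PAGES, page)
    with open(path) as fh:
        return fh.read()


def include_hardened(page):
    """Same feature with two independent checks: an allow-list on the name,
    and a canonical-path test that the resolved file still lives under
    PAGES. The second check also defeats symlinks and survives any future
    loosening of the allow-list."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.html", page):
        raise PermissionError("page name rejected: %r" % page)
    base = os.path.realpath(PAGES) + os.sep
    path = os.path.realpath(os.path.join(PAGES, page))
    if not path.startswith(base):
        raise PermissionError("path escapes web root: %r" % path)
    with open(path) as fh:
        return fh.read()


def hardened_blocks(page):
    """True if the hardened include refuses the request."""
    try:
        include_hardened(page)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(include_vulnerable("about.html"))    # legitimate use
    print(include_vulnerable("../../passwd"))  # traversal leaks the file
    print(hardened_blocks("../../passwd"))     # hardened version refuses
```

The allow-list alone would already stop this particular payload; the realpath containment check is there because allow-lists get relaxed over time, and because it is the check that still holds when the input arrives through a path you did not anticipate (URL-decoded twice, via a symlink, as an absolute path).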
Tomi Engdahl says:
Why senior managers are the most dangerous negligent insiders
If you really want to move the needle on data security in your organization, start at the top.
http://www.csoonline.com/article/3137202/security-awareness/why-senior-managers-are-the-most-dangerous-negligent-insiders.html
Hardly a day goes by that there isn’t news of another vulnerability, another attack, another patch — and often the biggest, baddest of its kind.
You’d think we’d all be on hyper alert, but that is far from the case.
Instead, pleas for compliance with data security basics fall on deaf ears. Here’s why: employees, including senior managers and business owners, don’t assume personal responsibility for security.
Consider this: 43 percent of C-level executives say negligent insiders are the greatest risk to sensitive data in their organizations, according to data cited in an infographic compiled by the University of Alabama at Birmingham’s Online Master of Science in Management Information Systems program.
Promoting data security in the workplace
http://businessdegrees.uab.edu/resources/infographics/promoting-data-security-in-the-workplace/
No matter the workplace, data security is often a top concern for management professionals. Security breaches can end up threatening the livelihood of employees and entire companies alike, depending on how severe they are. There are solutions available to many common professional data security problems. However, understanding the surrounding statistics is often the first step.
Tomi Engdahl says:
Security News This Week: What Trump’s Win Means for Cybersecurity
https://www.wired.com/2016/11/security-news-week-trumps-win-means-cybersecurity/
Last month, we at WIRED posed the hypothetical: “Imagine if Donald Trump Controlled the NSA.” The notion at the time seemed unlikely but disturbing: A man who had called for his political opponent, Hillary Clinton, to be jailed; who casually stated, “I wish I had that power,” when asked about his invitation to Russian hackers to dig up her old emails; who even reportedly eavesdropped on calls between guests and staff at his Mar-a-Lago hotel, would control the world’s most powerful surveillance capabilities.
We won’t have to imagine that scenario for much longer: In two months, it will be a reality.
As the shockwaves of Trump’s victory rippled across the world, WIRED has scrambled to capture what it means for the realm of hackers and spies: Security and foreign policy analysts warned that it would only embolden the Russian hackers who injected chaos into the presidential campaign and the Democratic party. Election day itself got a taste of alt-right hacking, as an anonymous poster on 4Chan appeared to target a Clinton get-out-the-vote phone bank—but inadvertently hamstrung both Democrat and Republican calling efforts. Edward Snowden and other privacy activists warned that the surveillance powers expanded under Obama could be abused by Trump and called for Americans to use encryption tools to protect themselves. And WIRED offered a primer on how Trump will reshape national security policy, including his likely support for the Syrian regime of dictator Bashar Al-Assad.
Silicon Valley Is Worried Trump Will Demand Their Data
Rudy Giuliani Eyes Cybersecurity Post in Trump Administration
Russian Hackers Follow Trump’s Win With More Cyberattacks
Trump Will Inherit Surveillance Powers Enshrined By Obama
How to Protect Yourself Online in Trump’s America
Given fears of increased domestic surveillance under Trump, privacy activists are advising that Americans adopt encryption and privacy tools—particularly journalists, activists, and anyone else who plans on opposing the administration’s policies.
Tomi Engdahl says:
Firewalls snuffed by ‘BlackNurse’ Ping of Death attack
Destination unreachable plus port unreachable equals router unreachable
http://www.theregister.co.uk/2016/11/14/its_2016_and_a_ping_of_death_can_still_be_a_thing/
A code artefact in a number of popular firewalls means they can be crashed by a mere crafted ping.
The low-rate “Ping of death” attack, dubbed BlackNurse, affects firewalls from Cisco, SonicWall, Zyxel, and possibly Palo Alto.
Unlike the old-fashioned ping-flood, the attack in question uses ICMP “Type 3, Code 3” (destination unreachable, port unreachable) packets.
In the normal course of events, a host would receive that packet in response to a message it had initiated – but of course, it’s trivial to craft that packet and send it to a target.
In devices susceptible to BlackNurse, the operating system gets indigestion trying to process even a relatively low rate of these messages – in the original report from Denmark’s TF-CSIRT, gigabit-capable routers could be borked by just 18 Mbps of BlackNurse traffic on their WAN interfaces.
The good news is that in most cases, the attack is trivial to block, by dropping ICMP traffic.
Tomi Engdahl says:
Electronic Voting: The Greatest Threat to Democracy
http://www.securityweek.com/electronic-voting-greatest-threat-democracy
The dumpster fire that is the 2016 presidential election is thankfully almost behind us. But in its final throes, it is currently belching a peculiar pollution. The claims of election rigging coming directly from Donald Trump have raised a serious question about the legitimacy of our elections – the foundation of the legitimacy of our government, as governing in a democracy requires the consent of the governed.
While Mr. Trump may be more concerned with the role of non-citizens, election officials and the media in the manipulation of the outcome, he’s missing the greater threat to the future of democracy – Internet voting. Or rather, the likelihood of Internet voting fraud.
The temptation of Internet voting
The appeal is obvious – so much of our everyday activity is an interaction with an Internet-connected app that voting would seem to be woefully behind in this regard. If we can securely conduct banking, interact with electronic healthcare records, or apply for travel visas online, why not cast a vote?
There are also cost savings and efficiencies to be gained for state officials with the use of Internet voting, as its use could reduce demand for physical polling places and voting by mail. But perhaps the best argument in favor of Internet voting is the potential to increase participation or turnout by voters due to its convenience.
Don’t we already use electronic voting?
Today’s voting technology is largely a decentralized paper-based process. After the Bush v. Gore “hanging chad” issues in 2000, Congress passed the Help America Vote Act in 2002, supplying almost 4 billion federal dollars to help states upgrade their voting machines. All 50 states took the money, most of which was used to purchase electronic voting machines.
But by 2007, problems with the machines, including security concerns, led to decline in use of electronic systems. Only five states today use paperless touch screens exclusively.
How do Internet and electronic voting differ?
The key difference between electronic and Internet voting, from a security perspective, is decentralization and the lack of connection to the Internet. While electronic voting machines can be hacked, it requires physical access to the machines in most cases, which is made more difficult by the fact that all 50 states have their own means of securing the devices.
Michigan offered Internet voting in 2004 in its Democratic primary, and West Virginia piloted Internet voting for military voters in 2009. Utah also used Internet voting for its 2016 primary.
A more troubling example is a 2010 Washington, D.C. pilot project for overseas voters that was hacked within 36 hours.
So what’s the risk behind Internet voting?
While it’s logical to ask why we can conduct banking safely online and not voting, the two aren’t as similar as one might believe. Yes, they both must authenticate the user and maintain a record of a transaction, but the voting system must do so anonymously. With banking, the victim at some point will recognize a theft – with voting, that’s unlikely.
The DDoS problem is particularly worrisome given last month’s attack on Dyn that demonstrated the weaponization of IoT devices. Although not an election, the first ever digital Australian census was subjected to a DDoS attack on August 9, 2016 that caused a premature shutdown of the website. When the stakes are higher in a national election, the motivation of attackers to disrupt it for personal fame or gain, coupled with the Internet of Things, could be a toxic combination for Internet voting.
Tomi Engdahl says:
Extending the Perimeter: Protecting Employees to Protect the Enterprise
http://www.securityweek.com/extending-perimeter-protecting-employees-protect-enterprise
In the early days of computing the cyber-security perimeter and the physical security perimeter were one and the same. Access to data implied access to the actual computer or storage media. From there we graduated to closed networks where computers only talked to each other within a building or private network but quickly modems started to allow access by people outside those controlled spaces. The age of the hacker had begun.
The internet and the web blew things wide open with PCs talking to servers, servers to servers, and PCs to PCs in an exponential web of complexity. The walls are full of gates, holes, and tunnels, resembling Swiss cheese more than an impenetrable barrier.
Tomi Engdahl says:
File-Encrypting Ransomware “Telecrypt” Abuses Telegram
http://www.securityweek.com/file-encrypting-ransomware-telecrypt-abuses-telegram
A new file-encrypting ransomware dubbed by researchers “Telecrypt” abuses the instant messaging service Telegram for command and control (C&C) communications and to allow victims to send messages to the attackers.
The malware, detected by Kaspersky Lab as Trojan-Ransom.Win32.Telecrypt, only targets users in Russia. In order to avoid having to create their own service for communications between the malware and its server, Telecrypt creators decided to abuse Telegram’s communication protocol.
Tomi Engdahl says:
Cyberspies Launch U.S. Attacks Hours After Trump Elected
http://www.securityweek.com/cyberspies-launch-us-attacks-hours-after-trump-elected
Just hours after Donald Trump was elected president of the United States, researchers spotted a series of election-themed spear-phishing attacks aimed at think tanks and non-governmental organizations (NGOs) in the U.S.
According to security firm Volexity, the attacks were launched by a Russia-linked threat group known as The Dukes, APT29, Cozy Bear and Cozy Duke. This and another actor believed to be sponsored by the Russian government, known as Pawn Storm and Fancy Bear, are suspected of launching attacks against the U.S. Democratic Party before the presidential election.
Volexity said the Dukes sent out spear-phishing emails from Gmail accounts and compromised email accounts at Harvard’s Faculty of Arts and Sciences (FAS). The targeted users specialize in national security, international affairs, defense, public policy, and European and Asian studies.
Tomi Engdahl says:
Low-Bandwidth “BlackNurse” DDoS Attacks Can Disrupt Firewalls
http://www.securityweek.com/low-bandwidth-blacknurse-ddos-attacks-can-disrupt-firewalls
Researchers warn that certain types of low bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.
While analyzing DDoS attacks aimed at their customers, experts at the security operations center of Danish telecom operator TDC noticed that some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even over low bandwidths.
ICMP attacks, also known as ping flood attacks, are highly common, but they typically rely on Type 8 Code 0 packets. The attacks that caught TDC’s attention are based on ICMP Type 3 Code 3 packets.
The attacks, dubbed by the company “BlackNurse,” can be highly effective even at bandwidths as low as 15-18 Mbps and they can cause disruptions to firewalls even if the victim has an Internet connection of 1 Gbps.
“The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send /receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops,” TDC explained in a report detailing BlackNurse attacks.
Experts pointed out that this type of attack has been around for more than 20 years, but they believe organizations are not sufficiently aware of the risks. A scan of the Danish IP address space revealed that there were over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.
Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The Iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected.
While in some cases attacks might be possible due to a vulnerability in the firewall, some vendors blamed a configuration problem. Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.
http://soc.tdc.dk/blacknurse/blacknurse.pdf
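The two BlackNurse items above (the Register piece and the SecurityWeek one) both come down to the same observable: a sustained rate of ICMP type 3 code 3 packets aimed at the firewall, at a bandwidth far below what a volumetric flood needs. Here is an added example of the detection logic, my own code rather than TDC’s published rules or PoC: it builds constructed ICMP datagrams, parses them, and keeps a per-destination sliding-window count of 3/3 packets. The 250-packets-per-second threshold and the addresses are assumptions for the demo.

```python
import socket
import struct
from collections import defaultdict, deque


def checksum(data):
    """RFC 1071 ones-complement checksum (used for both IPv4 and ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(src, dst, itype, icode, payload=b"\x00" * 28):
    """Constructed IPv4+ICMP datagram for test traffic. Type 3 / code 3 is
    'destination unreachable, port unreachable', the BlackNurse packet; the
    28-byte payload mimics the quoted IP header + 8 bytes a real one carries."""
    icmp = struct.pack("!BBHI", itype, icode, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt):
    """Return (src, dst, type, code) for an IPv4 ICMP datagram, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 2:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1]


class BlackNurseDetector:
    """Sliding-window rate counter over ICMP 3/3, tracked by destination.
    BlackNurse is a low-bandwidth attack, so the tell is the packet rate of
    this one ICMP type towards the firewall, not the bit rate."""

    def __init__(self, threshold=250, window=1.0):
        self.threshold = threshold  # packets per window (assumed value; tune per link)
        self.window = window        # seconds
        self.recent = defaultdict(deque)
        self.alerts = []            # (timestamp, destination)

    def observe(self, ts, pkt):
        """Feed one packet with its arrival time; True when an alert fires."""
        parsed = parse_icmp(pkt)
        if parsed is None or parsed[2:] != (3, 3):
            return False
        dst = parsed[1]
        q = self.recent[dst]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) == self.threshold:  # fire once, as the rate crosses the line
            self.alerts.append((ts, dst))
            return True
        return False


if __name__ == "__main__":
    det = BlackNurseDetector()
    pkt = build_icmp("198.51.100.7", "203.0.113.1", 3, 3)  # constructed attacker -> firewall
    for i in range(300):
        det.observe(i * 0.001, pkt)  # 300 packets in 0.3 s
    print(det.alerts)
```

Tracking by destination rather than by source matters: the packets are trivially spoofed, so a source-keyed counter is defeated by rotating addresses, while the firewall’s own WAN address is the constant. On the mitigation side, the Register line about “dropping ICMP traffic” is broader than it needs to be; denying or rate-limiting type 3 code 3 towards the firewall’s own addresses at the upstream edge is enough, and keeps the unreachable messages that path MTU discovery depends on flowing to the hosts behind it.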
Tomi Engdahl says:
To Defend Against Cyber Threats, Expand Your Security Perspective Outside Your “Walls”
http://www.securityweek.com/defend-against-cyber-threats-expand-your-security-perspective-outside-your-walls
Defending your business and customers against cyber threats starts with understanding what you’re up against. That may sound pretty obvious; studying the adversary is a common practice. In sports it’s done all the time.
The attack perimeter is rapidly expanding largely due to mobility, the cloud, and the Internet of Things (IoT). Every new tablet, cloud-based app, or IoT device creates new opportunities for adversaries to use new techniques and new targets to launch attacks. In response we layer more defenses and, when we can, create another ‘perimeter’ around every new device. This focus on company boundaries keeps us looking inward, grappling with dozens of security tools while playing a game of whack-a-mole, seeing and reacting to events inside the network.
To help you understand your adversary, threat intelligence focuses on the world outside of the company perimeter. It sifts through an unlimited universe of threat data to help you see what is happening, analyze it, and take action. It allows you to become more proactive and anticipatory by profiling not only the attack, but attackers who rapidly change their tools, techniques, and procedures (TTPs) to evade defensive technologies.
There’s a lot of talk about threat intelligence. Security teams are either being told by their management to get it, or they’ve attended a conference and realize they need to add threat intelligence to their security program.
Tomi Engdahl says:
Avoiding the Insider Threat: How Not to Star in Snowden Part II
http://www.securityweek.com/avoiding-insider-threat-how-not-star-snowden-part-ii
In September, the film “Snowden” debuted to generally favorable reviews. Without a doubt, Oliver Stone’s depiction will have ample opportunity to spawn a Snowden Part II, since we are all still waiting to learn the former NSA contractor’s ultimate fate. If it ends with the fugitive’s return to the United States and a trial, that in itself would be grounds for a sequel at the very least, no?
The extended chain of events surrounding Snowden leading up to now has been the stuff of high drama and intrigue, but one of the most interesting aspects of this saga is, despite all we’ve learned from it, how frequently organizations still fall victim to the Insider Threat.
Evidence that the Insider Threat is alive and well abounds in the never-ending string of data breaches and systems compromises that took place before and since the documents Snowden stole and made public were first published in 2013. Most recently, the 2016 Verizon DBIR reported that Insider Threat was linked to more than 10,000 security incidents, with the public, healthcare and finance industries suffering the most.
Understand Your Data
To reduce the chances of falling victim to an insider-driven breach, security and risk professionals should start by learning what their available data can tell them. Most organizations with information and systems in need of defense likely already have effective ways to gather data that can point to any Insider Threat occurring. Unfortunately for most, it amounts to a collection of event logs and anomaly alerts that provide little to no insight or context, which allows bad guys to strike and vanish before anyone even realizes they were there.
Gain Visibility
How can organizations gain a holistic view? The simplest answer is through their data. More often than not, data to help organizations see their exposure to Insider Threats is locked away in reams of logs siloed within different departments that are reviewed infrequently or, worse yet, never. When SIEM and other signature-based detection tools spot anomalies, a lack of context often means no one knows there’s a problem until it’s too late or a lot of time and money are spent chasing false positives.
Verizon 2016 DBIR: What You Need to Know
http://www.securityweek.com/verizon-2016-dbir-what-you-need-know
Verizon has published its widely anticipated 2016 Data Breach Investigations Report (DBIR), compiled by Verizon with the support of 67 contributing partners. This year’s report includes analysis of more than 100,000 security incidents and 2,260 confirmed data breaches across 82 different countries.
Tomi Engdahl says:
Governments Show Contradictory Attitude Towards Privacy and Data Protection
http://www.securityweek.com/governments-show-contradictory-attitude-towards-privacy-and-data-protection
Governments across the world are showing a contradictory attitude towards privacy and data protection. On the one hand new legislation insists that business is minutely protective of personally identifiable information (PII), while at the same time PII must be more readily handed to law enforcement. This contradiction is exemplified in Europe, where the new EU General Data Protection Regulation (GDPR) strictly controls business use of personal data while many nation state members are simultaneously introducing new national surveillance laws.
Forrester’s 2016 Global Heat Map for privacy and data protection makes this point. The Netherlands and Finland are rated as ‘most restricted’ in their attitudes towards privacy; and yet both are drafting new laws that considerably increase government surveillance powers. Germany, also considered to be very protective towards personal privacy, is doing similar; while the UK — home to one of the more active intelligence agencies (GCHQ) — is close to passing its new Investigatory Powers Bill (IPB).
Forrester’s senior analyst Chris Sherman also makes the point that the EU’s new GDPR is setting a business standard that is being followed around the world. “The slow global convergence toward the requirements outlined in the regulation continued through 2016,” he writes.
Tomi Engdahl says:
Your body reveals your password by interfering with Wi-Fi
Wave goodbye to security if crims can pop a MIMO router
http://www.theregister.co.uk/2016/11/13/researchers_point_finger_at_handy_smartphone_exploit/
Modern Wi-Fi doesn’t just give you fast browsing, it also imprints some of your finger movements – swipes, passwords and PINs – onto the radio signal.
A group of researchers from Shanghai Jiao Tong University, the University of Massachusetts at Boston, and the University of South Florida have demonstrated that analysing the radio signal can reveal private information, using just one malicious Wi-Fi hotspot.
In this paper, published by the Association for Computing Machinery, they claim covert password snooping as high as 81.7 per cent, once their system has enough training samples.
It’s an attack that wouldn’t work if you had a primitive Wi-Fi setup with just one antenna, because it relies on the sophisticated beam-forming implemented in Multiple-Input, Multiple-Output (MIMO) antenna configurations.
In a modern Wi-Fi setup, beam-forming is controlled by software that uses the small phase differences between antennas to reinforce signals in some directions, and cancel them out in other directions.
That’s what the researchers exploited: because the kit is designed to manage very small changes in signal, the researchers worked out the link state changes when the user’s hand is moving near the phone – such as when they’re using the screen input.
When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals
http://dl.acm.org/citation.cfm?id=2978397
In this study, we present WindTalker, a novel and practical keystroke inference framework that allows an attacker to infer the sensitive keystrokes on a mobile device through WiFi-based side-channel information. WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI). The adversary can exploit the strong correlation between the CSI fluctuation and the keystrokes to infer the user’s number input. WindTalker presents a novel approach to collect the target’s CSI data by deploying a public WiFi hotspot.
Tomi Engdahl says:
Google Pixel hacked in under 60 seconds by Chinese team
http://thenextweb.com/security/2016/11/12/google-pixel-hacked-60-seconds-chinese-team/
Google’s new flagship just got hacked by a Chinese team in under 60 seconds.
At PwnFest, a hacking competition in Seoul, South Korea, a team of white-hat hackers known as Qihoo 360 demonstrated an exploit that allowed for remote code execution on the Pixel. In under 60 seconds, the team used a zero-day vulnerability to remotely install code on Google’s sought after device.
Tomi Engdahl says:
Hackers cook god-mode remote exploits against Edge, VMware in world-first
PwnFest fells first tech giants – Google Pixel, Adobe next in line
http://www.theregister.co.uk/2016/11/10/hackers_remotely_pwn_win_10_microsoft_edge_gain_system_code_exec/
Hackers have twice completely compromised Microsoft Edge running on Windows 10 Redstone 1 and, for the first time, twice broken VMware Workstation without user interaction.
The bugs landed via SYSTEM-level remote code execution while the second VMware hacks could also be performed remotely.
The four hacks were demonstrated at the PwnFest 2016 event held at the Power of Community security conference in Seoul on Thursday, with details to be provided to vendors and kept under wraps.
Tomi Engdahl says:
Hack Brief: 412M Accounts Breached on FriendFinder Sex Sites
https://www.wired.com/2016/11/hack-brief-412m-accounts-breached-friendfinder-sex-sites/
Any sizable breach of sensitive information like usernames and passwords represents a privacy catastrophe. But when those credentials link breach victims to sex sites, the consequences go beyond the risk of a hacked credit card or Twitter account and into the realm of humiliation and blackmail.
The Hack
On Sunday, the website Leaked Source, a repository of breached data, revealed that hackers had compromised the online hookup and dating firm FriendFinder and stolen 412 million users’ information, including usernames, passwords, and email addresses. The data includes more than 339 million accounts on AdultFriendFinder.com—which advertises itself as “the world’s largest sex & swinger community”—as well as tens of millions of accounts from Penthouse.com and Stripshow.com. Though Leaked Source reports that some of the leaked passwords were cryptographically hashed to protect them, others were left unencrypted, and even the protected ones were easily cracked in almost all cases. “Neither method is considered secure by any stretch of the imagination,” Leaked Source writes.
In an email to WIRED, a spokesperson for Leaked Source says it received the data from an “underground source who wishes to stay anonymous.”
Leaked Source chose not to publish FriendFinder’s leaked data. But the site’s spokesperson warns WIRED that there’s little question it’s been distributed elsewhere online.
How Serious Is This?
Few forms of hacker compromise can be as damaging to victims as those that reach into their secret sex lives. When extramarital affairs site Ashley Madison was hacked last year, the public leak of 32 million users’ accounts reportedly led to at least three suicides.
FriendFinder’s data debacle represents nearly 13 times as many accounts as the Ashley Madison breach. FriendFinder users can only hope that the leaked data remains relatively hidden. In the Ashley Madison case, by contrast, data was widely circulated and even made searchable on a highly trafficked website.
For the breach’s victims, the usual post-hack advice applies: Immediately change your passwords on the affected sites.
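Both the Leaked Source write-up earlier in this thread (“SHA1 hashed (peppered)”) and the WIRED piece above note that even the hashed FriendFinder passwords were cracked almost without exception. The reason is structural rather than a matter of cracking horsepower, and this added example (my own code, not Leaked Source’s or FriendFinder’s) shows it: a pepper is one secret shared by every account, so once it is known the attacker hashes the wordlist once and looks every account up in the result; a per-user salt with a slow KDF forces one full KDF run per account per guess. The accounts, the pepper value and the wordlist are constructed, and the iteration count is kept deliberately low so the demo runs fast.

```python
import hashlib
import hmac
import os

# Constructed data: three invented accounts, a tiny wordlist and an assumed
# site-wide pepper of the kind the Leaked Source post describes.
PEPPER = b"site-wide-pepper"
USERS = {"alice": b"hunter2", "bob": b"password", "carol": b"Tr0ub4dor&3"}
WORDLIST = [b"123456", b"password", b"qwerty", b"letmein", b"iloveyou", b"hunter2"]
ITERATIONS = 1000  # demo value only; set production counts by your login latency budget


def store_sha1_peppered(users):
    """Unsalted SHA-1 over password+pepper: one fast hash per account."""
    return {u: hashlib.sha1(pw + PEPPER).hexdigest() for u, pw in users.items()}


def crack_sha1_peppered(stored, wordlist, pepper):
    """With the pepper known (it is a single value shared by every hash, so a
    copy of the application code or config reveals it), the attacker hashes
    the wordlist ONCE and matches all accounts against that table. Cost is
    len(wordlist), independent of how many accounts were dumped."""
    table = {hashlib.sha1(w + pepper).hexdigest(): w for w in wordlist}
    recovered = {u: table[h] for u, h in stored.items() if h in table}
    return recovered, len(wordlist)


def store_pbkdf2(users, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    out = {}
    for u, pw in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", pw, salt, iterations))
    return out


def verify_pbkdf2(entry, pw, iterations=ITERATIONS):
    """Recompute and compare in constant time (no early-exit byte comparison)."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_pbkdf2(stored, wordlist, iterations=ITERATIONS):
    """The salt kills the shared table: one KDF run per (account, guess), and
    every run costs `iterations` HMAC evaluations. Returns the recovered
    passwords and the number of KDF runs the attack needed."""
    recovered, kdf_runs = {}, 0
    for u, entry in stored.items():
        for w in wordlist:
            kdf_runs += 1
            if verify_pbkdf2(entry, w, iterations):
                recovered[u] = w
                break
    return recovered, kdf_runs


if __name__ == "__main__":
    rec, ops = crack_sha1_peppered(store_sha1_peppered(USERS), WORDLIST, PEPPER)
    print("peppered SHA-1:", rec, "hash ops:", ops)
    rec, runs = crack_pbkdf2(store_pbkdf2(USERS), WORDLIST)
    print("salted PBKDF2: ", rec, "KDF runs:", runs, "HMAC ops:", runs * ITERATIONS)
```

Weak passwords still fall to the salted KDF, of course (alice and bob do here); what changes is the price per account, which goes from a fraction of one SHA-1 to a full KDF run per guess, and which is what keeps a 400-million-account dump from being cracked “in almost all cases”.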
Tomi Engdahl says:
Researchers set to work on malware-detecting CPUs
https://www.helpnetsecurity.com/2016/11/11/malware-detecting-cpus/
Adding hardware protections to software ones in order to block the ever increasing onslaught of computer malware seems like a solid idea, and a group of researchers have just been given a $275,000 grant from the National Science Foundation to help them work on a possible solution: malware-detecting CPUs.
This project, titled “Practical Hardware-Assisted Always-On Malware Detection,” will be trying out a new approach: they will modify a computer’s central processing unit (CPU) chip to feature logic checks for anomalies that can crop up while software is running.
“The modified microprocessor will have the ability to detect malware as programs execute by analyzing the execution statistics over a window of execution,” Ponomarev noted. “Since the hardware detector is not 100-percent accurate, the alarm will trigger the execution of a heavy-weight software detector to carefully inspect suspicious programs. The software detector will make the final decision. The hardware guides the operation of the software; without the hardware the software will be too slow to work on all programs all the time.”
Yu’s contribution will be the low complexity machine learning used by the modified CPU to sort malware from legitimate software.
Researchers want to use hardware to fight computer viruses
http://www.binghamton.edu/mpr/news-releases/news-release.html?id=2451
“The impact will potentially be felt in all computing domains, from mobile to clouds,” said Dmitry Ponomarev, professor of computer science at Binghamton University, State University of New York. Ponomarev is the principal investigator of a project titled “Practical Hardware-Assisted Always-On Malware Detection.”
More than 317 million pieces of new malware—computer viruses, spyware, and other malicious programs—were created in 2014 alone, according to work done by Internet security teams at Symantec and Verizon. Malware is growing in complexity, with crimes such as digital extortion (a hacker steals files or locks a computer and demands a ransom for decryption keys) becoming large avenues of cyber attack.
“This project holds the promise of significantly impacting an area of critical national need to help secure systems against the expanding threats of malware,”
Grant funding will support graduate students that will work on the project both in Binghamton and California, conference travel and the investigation itself. The three-year grant is for $275,000.
Tomi Engdahl says:
47 percent of smartphones, that is almost every second one, have no security protection, says Kaspersky Lab. Of tablets, 57 percent are protected. The figures are based on interviews with 12 thousand users in 21 different countries. Last week the company launched new security software for Android smartphones.
Kaspersky Lab announced the launch of its study as part of the European Cyber Security campaign, which takes place during November. Its goal is to increase people’s awareness of online threats, as well as of the different ways to protect themselves against these threats.
Users already protect their PCs relatively well: 88 percent of them are protected by some security software. Mobile devices, by contrast, fall far behind: only 57 percent of tablets are protected.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5404:joka-toinen-alypuhelin-on-vaarassa&catid=13&Itemid=101
Tomi Engdahl says:
Windows 10 is a clear improvement in data security
Microsoft has been trying to get users of old Windows versions to upgrade to Windows 10, but many machines still run the old operating systems. Now the upgrade is being recommended on security grounds: the old Windows versions are much more susceptible to a variety of malware.
Microsoft justifies the claim in its blog. It says, for example, that ransomware is 58 percent less likely to take over a Windows 10 machine than a Windows 7 machine.
The problem is growing: Microsoft detected a 400 percent increase in ransomware between December 2015 and July 2016.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5403:windows-10-on-selva-parannus-tietoturvaan&catid=13&Itemid=101
More: http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf
Tomi Engdahl says:
Why Unidirectional Security Gateways can replace firewalls in industrial network environments
https://www.helpnetsecurity.com/2016/11/14/unidirectional-security-gateways-replace-firewalls/
In this podcast recorded at IoT Solutions World Congress Barcelona 2016, Andrew Ginter, VP of Industrial Security at Waterfall Security, talks about Unidirectional Security Gateways. They can replace firewalls in industrial network environments, providing absolute protection to control systems and operations networks from attacks originating on external networks.
Unidirectional Gateway solutions come in pairs: the TX appliance contains a laser, and the RX appliance contains an optical receiver. The Gateway pair can transmit information out of an operations network, but is incapable of propagating any virus, DoS attack, human error or any information at all back into the protected network.
Waterfall agent software gathers data in real time from operations servers inside the protected network. The software transmits that data to the external network, and populates replica servers with the data.
Waterfall provides out of the box replication capabilities for dozens of industrial applications, including process historians, process databases, control system servers, OPC servers, and low-level devices.
The server-replication process is transparent to external users, and has no effect on the original operations servers.
Tomi Engdahl says:
AdultFriendFinder network hack exposes 412 million accounts
http://www.zdnet.com/article/adultfriendfinder-network-hack-exposes-secrets-of-412-million-users/
Almost every account password was cracked, thanks to the company’s poor security practices. Even “deleted” accounts were found in the breach.
A massive data breach targeting adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts.
The hack includes 339 million accounts from AdultFriendFinder.com, which the company describes as the “world’s largest sex and swinger community.”
That also includes over 15 million “deleted” accounts that weren’t purged from the databases.
On top of that, 62 million accounts from Cams.com, and 7 million from Penthouse.com were stolen, as well as a few million from other smaller properties owned by the company.
The data accounts for two decades’ worth of data from the company’s largest sites, according to breach notification LeakedSource, which obtained the data.
But it’s not known who carried out this most recent hack. When asked, Revolver denied he was behind the data breach, and instead blamed users of an underground Russian hacking site.
ZDNet obtained a portion of the databases to examine. After a thorough analysis, the data does not appear to contain sexual preference data unlike the 2015 breach, however.
The three largest sites’ SQL databases included usernames, email addresses, the date of the last visit, and passwords, which were either stored in plaintext or scrambled with the SHA-1 hash function, which by modern standards isn’t as cryptographically secure as newer algorithms.
LeakedSource said it was able to crack 99 percent of all the passwords from the databases.
But why Friend Finder Networks has held onto millions of accounts belonging to Penthouse.com customers is a mystery, given that the site was sold to Penthouse Global Media in February.
LeakedSource said breaking with usual tradition because of the kind of breach, it will not make the data searchable.
Sexual secrets for hundreds of millions exposed in largest hack of 2016
http://www.leakedsource.com/blog/friendfinder
What happened?
Friend Finder Network Inc is a company that operates a wide range of 18+ services and was hacked in October of 2016 for over 400 million accounts representing 20 years of customer data which makes it by far the largest breach we have ever seen — MySpace gets 2nd place at 360 million. This event also marks the second time Friend Finder has been breached in two years, the first being around May of 2015.
After much internal deliberation by the LeakedSource team and for various reasons, we have decided that this data set will not be searchable by the general public on our main page temporarily for the time being*.
*Due to these unique circumstances, understandably skeptical journalists can contact us for undeniable proof. Trust us but independently verify our claims.
Who are we?
LeakedSource is a breach notification website that specializes in bringing hacking incidents to the public eye. To accomplish this we offer a freemium tool to see if your information has been affected by any hacks we know about. We also offer a proactive FREE notification service where if we find your email in a future hack, we’ll tell you about it.
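The report above says passwords were stored in plaintext or as unsalted SHA-1, and that 99 percent of them were cracked. The following is an added example, not code from the article or from Friend Finder Networks, that shows why an unsalted fast hash fails and what a defensible replacement looks like: every user with the same password gets the same SHA-1 digest, so one precomputed lookup recovers them all, whereas a per-user salt plus an iterated key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library here) removes that shortcut. The user names and passwords are constructed sample values; the `audit_storage` function is a hypothetical inventory check a defender could run over a password column to find legacy entries.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample credentials for illustration only (not breach data).
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "letmein"}

# Bare 40-hex-character strings are the signature of an unsalted SHA-1 column.
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def legacy_sha1(password: str) -> str:
    """The weak scheme described in the article: one fast, unsalted SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the result encodes its own parameters."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(stored_by_user: dict) -> dict:
    """Map each stored value that occurs more than once to the users sharing it.

    With an unsalted scheme, identical passwords give identical digests, so
    cracking one entry cracks the whole group; with per-user salts the
    result is empty even when users share a password.
    """
    groups = defaultdict(list)
    for user, value in stored_by_user.items():
        groups[value].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def audit_storage(stored_by_user: dict) -> dict:
    """Classify stored password values so legacy entries can be scheduled for rehash.

    Hypothetical defender-side check: 'unsalted_sha1' for bare SHA-1 hex,
    'pbkdf2' for the self-describing format above, 'plaintext_or_unknown'
    for anything else (an unknown format deserves the same urgency as plaintext).
    """
    report = {"unsalted_sha1": [], "pbkdf2": [], "plaintext_or_unknown": []}
    for user, value in stored_by_user.items():
        if value.startswith("pbkdf2_sha256$"):
            report["pbkdf2"].append(user)
        elif SHA1_HEX.match(value):
            report["unsalted_sha1"].append(user)
        else:
            report["plaintext_or_unknown"].append(user)
    return report


if __name__ == "__main__":
    legacy = {u: legacy_sha1(p) for u, p in SAMPLE_USERS.items()}
    modern = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("shared digests under unsalted SHA-1:", duplicate_hash_groups(legacy))
    print("shared digests under salted PBKDF2:", duplicate_hash_groups(modern))
    print("storage audit:", audit_storage({**legacy, "dave": "hunter2"}))
```

Running the script shows alice and bob collapsing into one SHA-1 group while the PBKDF2 column has no duplicates; `audit_storage` is the kind of one-off query a team would run to size a migration, rehashing legacy entries transparently on each user's next successful login rather than waiting for a breach to force the issue.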
Tomi Engdahl says:
New York Times:
Adware in over 100K US Android phones made by BLU sent the full contents of text messages, contact lists, call logs, and location information to Chinese firm — WASHINGTON — For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors …
Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say
http://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html
For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature.
Tomi Engdahl says:
A Linux Exploit That Uses 6502 Code
http://hackaday.com/2016/11/15/a-linux-exploit-that-uses-6502-code/
With ubiquitous desktop computing now several decades old, anyone creating an operating system distribution now faces a backwards compatibility problem. Each upgrade brings its own set of new features, but it must maintain compatibility with the features of the previous versions or risk alienating users. If you are a critic of Microsoft products for their bloat, this is one of the factors behind that particular issue.
As well as a problem of compatibility, this extra software overhead creates one of security.
Our subject today is a good example, just such a vulnerability hiding in an old piece of code whose purpose is to maintain an obscure piece of backward compatibility. [Chris Evans] has demonstrated a vulnerability in an Ubuntu version by playing an NES music file that contains exploit code emulated by the player on a virtual 6502 processor.
The NES Sound Format is a music file standard that packages Nintendo game music for playback. It contains a scripting language, and it is this that is used to trigger the vulnerability.
Rather unbelievably, his plugin works by emulating a real 6502 as found in a NES to derive the musical output, and it is somewhere here that the vulnerability exists.
[0day] [exploit] Compromising a Linux desktop using… 6502 processor opcodes on the NES?!
http://scarybeastsecurity.blogspot.fi/2016/11/0day-exploit-compromising-linux-desktop.html