Here are my predictions for trends in information security and cyber security for year 2016.
2015 was a bad year for information security, and I would say that the trend is worrying, so I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identification can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, so attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile device use in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: a new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are in violation of the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view they seemed to be mainly okay, but now privacy issues have been raised as well.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and new operators will set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
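The "integrity solution that acts like an alarm" mentioned above, in its simplest form, is a file-integrity baseline that is checked later for drift. The following is an added example written for this post, not code from the original article or from any product it mentions: it records SHA-256 digests of every file under a directory, then reports files that were added, removed or modified since the baseline. All directory and file names in the demo scenario are constructed for the illustration.

```python
"""File-integrity baseline and alarm (added example, not from the original post)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline and report the drift."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, change the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)
        # In practice the baseline belongs on read-only or off-host storage so an
        # intruder cannot rewrite it; here it just round-trips through JSON.
        stored = json.loads(json.dumps(baseline))

        # Simulated unexpected changes: one file edited, one removed, one added.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n# unexpected edit\n")
        (root / "bin" / "tool").unlink()
        (root / "bin" / "unexpected").write_text("#!/bin/sh\n")
        return check_integrity(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three drift lists; in a deployment the same check would be scheduled and its non-empty output forwarded to whatever raises the alarm, with the baseline refreshed only after a change has been reviewed.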
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
The use of Blockchain technology, permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with Linux Foundation.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.
Smartphones will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.
Cars were hacked at record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars, hopefully car component makers study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms – not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe, either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly in the ransom-malware business. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend ensuring with IT support or your service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
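The ransomware remedy recommended above is a backup and restore procedure that is actually practised and tested, not merely configured. The following added example, written for this post rather than taken from it, runs such a drill end to end: it archives a directory, restores the archive into a scratch location, refuses any archive member that would escape the restore directory, and compares the restored tree byte-for-byte with the source before reporting success. Directory names and file contents are constructed for the illustration.

```python
"""Backup-and-restore drill (added example, not from the original post)."""
import filecmp
import io
import tarfile
import tempfile
from pathlib import Path


def make_backup(source: Path, archive: Path) -> Path:
    """Write a gzip-compressed tar of `source`; member paths are relative to it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive


def restore_backup(archive: Path, target: Path) -> Path:
    """Extract into `target`, refusing members that would land outside it."""
    target.mkdir(parents=True, exist_ok=True)
    root = target.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            dest = (root / member.name).resolve()
            if dest != root and root not in dest.parents:
                raise ValueError(f"refusing path traversal in archive: {member.name}")
        tar.extractall(target)
    return target


def verify_restore(source: Path, restored: Path) -> dict:
    """Recursively compare the two trees; empty lists mean the restore is exact."""
    problems = {"missing": [], "mismatched": [], "extra": []}

    def walk(a: Path, b: Path, rel: str) -> None:
        cmp = filecmp.dircmp(a, b)
        problems["missing"] += [rel + n for n in cmp.left_only]
        problems["extra"] += [rel + n for n in cmp.right_only]
        # shallow=False forces a content comparison rather than a stat() check.
        _, mismatch, errors = filecmp.cmpfiles(a, b, cmp.common_files, shallow=False)
        problems["mismatched"] += [rel + n for n in mismatch + errors]
        for sub in cmp.common_dirs:
            walk(a / sub, b / sub, rel + sub + "/")

    walk(source, restored, "")
    return problems


def drill() -> dict:
    """Constructed end-to-end drill: back up, restore, verify, report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "data"
        (src / "reports").mkdir(parents=True)
        (src / "reports" / "q4.txt").write_text("quarterly figures\n")
        (src / "notes.bin").write_bytes(b"\x00binary-ish\xff")
        archive = make_backup(src, base / "data-backup.tgz")
        restored = restore_backup(archive, base / "restore-test")
        report = verify_restore(src, restored)
        report["ok"] = not (report["missing"] or report["mismatched"] or report["extra"])
        return report


def traversal_is_rejected() -> bool:
    """A constructed hostile archive with a '../' member must be refused on restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        archive = base / "hostile.tgz"
        with tarfile.open(archive, "w:gz") as tar:
            info = tarfile.TarInfo("../escaped.txt")
            payload = b"must never land outside the restore directory\n"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        try:
            restore_backup(archive, base / "restore-test")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print("drill report:", drill())
    print("hostile archive rejected:", traversal_is_rejected())
```

The point of the drill is the last step: a backup that has never been restored and compared is an assumption, not a recovery plan. Scheduling this against a copy of real data, and keeping the archives somewhere the production machines cannot overwrite, is what makes the "do not pay" option realistic.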
2,232 Comments
Tomi Engdahl says:
Cryptsetup Flaw Exposes Linux Systems to Attacks
http://www.securityweek.com/cryptsetup-flaw-exposes-linux-systems-attacks
A vulnerability in the disk encryption utility Cryptsetup can expose some Linux systems to local and remote attacks, but the developers of the affected distributions see it as a low-risk issue.
The weakness, identified as CVE-2016-4484, can be exploited by an attacker with physical access to the targeted system simply by holding down the “Enter” key for roughly 70 seconds at boot.
The vulnerability exists when the system partition is encrypted using the Linux Unified Key Setup (LUKS) disk encryption standard. Due to incorrect handling of password checks, on x86 systems, users are allowed to attempt 93 LUKS passwords at boot. Once this limit is reached, the system opens a BusyBox shell.
Simply put, if the attacker enters a blank password 93 times – or holds down the “Enter” key for roughly 70 seconds – they gain access to a root shell.
“The vulnerability is very reliable because it doesn’t depend on specific systems or configurations,” the researchers said. “Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data.”
Tomi Engdahl says:
Microsoft Details Anti-Ransomware Protection in Windows 10
http://www.securityweek.com/microsoft-details-anti-ransomware-protection-windows-10
Microsoft’s latest desktop operating system release, which started rolling out to users in early August in the form of Windows 10 Anniversary Update, is packing improved ransomware resilience, the Redmond-based tech giant says.
Numerous new ransomware variants have emerged over the past 12 months alone, with popular threats including Locky, CryptXXX, and Cerber, which target Windows, and Microsoft appears determined to tackle them at the OS level. Other platforms aren’t safe from ransomware either, as variants such as Linux.Encoder, KeRanger, and Lockdroid have shown.
Microsoft decided to make Windows more ransomware-resilient because the number of such threats spotted in the wild in the past 12 months has more than doubled
Some of the enhanced security features in the latest platform update include email protection that blocks malware sent through suspicious URLs or attachments, along with anti-exploit protection in Microsoft Edge, meant to block malicious code from silently downloading and executing an additional payload on the victim’s system.
Ransomware Protection in Windows 10 Anniversary Update
http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf
Tomi Engdahl says:
ImageWare Launches Multi-modal Biometric Authentication for Enterprises
http://www.securityweek.com/imageware-launches-multi-modal-biometric-authentication-enterprises
Today’s security consensus is that password-based authentication and access is insecure, and that some form of two- or multi-factor authentication is necessary. The simplest and easiest second factor is an SMS-based soft token, and that is the route already adopted by many organizations. However, NIST’s recently published concern over some implementations of SMS-based 2FA has provided new impetus for biometric authentication.
ImageWare has today launched what it describes as the “first ever multimodal biometric authentication solution for the Microsoft ecosystem.” Called GoVerifyID Enterprise Suite (no connection to the UK’s Gov.uk Verify system), the system combines ImageWare’s Biometric Engine and its GoMobile Interactive products to provide true multi-factor biometric authentication.
The database stores only anonymized biometric information. If there were ever a compromise, the biometric data would be unusable because it is unattributable.
NIST Denounces SMS 2FA – What are the Alternatives?
http://www.securityweek.com/nist-denounces-sms-2fa-what-are-alternatives
Towards the end of July 2016, the National Institute of Standards and Technology (NIST) started the process of deprecating the use of SMS-based out-of-band authentication. This became clear in the issue of the DRAFT NIST Special Publication 800-63B, Digital Authentication Guideline.
Tomi Engdahl says:
The Intercept:
Snowden docs shed light on NSA’s BLARNEY initiative that leverages “commercial partnerships” for spying; AT&T has surveillance equipment in at least 59 US sites
Titanpointe
The NSA’s Spy Hub in New York, Hidden in Plain Sight
https://theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-york-hidden-in-plain-sight/
Tomi Engdahl says:
Post-outage King’s College London orders staff to never make their own backups
Trust us. It’s not like we had a fortnight-long… um. Trust us
http://www.theregister.co.uk/2016/11/15/after_kcl_kills_uniwide_backups_staff_get_order_to_never_make_their_own/
Exclusive Despite losing a lot of user data from shared folders in October’s mega-outage, King’s College London is asking staff not to save work independently of the university’s IT facilities.
A month ago, departments across the university suffered “irretrievable data loss” when a 3PAR’s one-fault-tolerant RAID Array kicked the bucket. Almost every system at the university, from payroll to shared drive access, went down in the TITSUP — total inability to support usual performance.
A week later the issue was still interrupting business, and continued to do so a fortnight post-borkage.
“There will be lessons to be learnt from this incident,”
Unfortunately, those lessons don’t seem to have extended to the value of independent backups, which have saved an awful lot of expensive research from being written off, because they are being prohibited by institution.
Tebbett’s email reiterated to staff that an “independent external review” will be conducted of the inciden
Tomi Engdahl says:
Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?
Schneier crap-storm warning falls on deaf ears
http://www.theregister.co.uk/2016/11/16/experts_to_congress_you_must_act_on_iot_security_congress_encourage_industry_to_develop_best_practices_you_say/
Congress provided a masterclass in selective hearing Wednesday when urged by experts to do something about the increasing risk posed by poor IoT security.
At a session of the House’s Energy and Commerce Committee into last month’s attack on DNS provider Dyn that caused widespread disruption to online services, several security experts highlighted the main problem as a lack of security standards and urged Congress to act. Their pleas were repeatedly rebuffed.
Chief security officer of Level 3, Dale Drew, warned [PDF] representatives that “the current lack of any security standards for IoT devices” was a big part of the problem, and said IoT manufacturers needed to “embrace and abide by additional security practices to prevent harm to users and the internet.”
He argued that “there may be a role for the government to provide appropriate guidance.”
Likewise, CEO of Virta Labs, Dr Kevin Fu, said [PDF] that “IoT security remains woefully inadequate, and the Dyn attack is a sign of worse pains to come.” Fu took a stronger line on government intervention, arguing that it needs to actively support agencies that were developing solutions to IoT security issues, including looking at establishing “an independent, national embedded cybersecurity testing facility.”
But it fell to security guru Bruce Schneier to argue outright [PDF] for legislation. “Like pollution, the only solution is to regulate,” he stressed. “The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care.”
Benign – but not for long
In order to stress the importance of the issue, Schneier noted that the DDoS attack on Dyn, as disruptive as it was, was still largely “benign.”
“Some websites went offline for a while. No one was killed. No property was destroyed. But computers have permeated our lives. The Internet now affects the world in a direct physical manner. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. We are connecting cars, drones, medical devices, and home thermostats. What was once benign is now dangerous.”
Yeah whatever, expert
His arguments continued to fall on deaf ears.
Faced with all three experts saying that it was possible to encode some principles into law that would help fix the problem, Walden continued to stress he was worried about the possible impact on “innovation,” and again noted many IoT products are not made in the US.
“We don’t want this to be an innovation killer,” he said. “I don’t think I want my refrigerator talking to some food police.” Which is a response just mad enough to illustrate that any action beyond talking about how terrible the problem is will never get through a Republican Congress.
When Schneier tried for a third time to argue for a new agency, Democrat Eshoo told him flat out it was never going to happen. “They’re not great fans of that,”
In the meantime, government agencies continue to fight among themselves over who should be in charge of IoT and security. So far, we have:
The NTIA (part of the Department of Commerce) and its five working groups it created last month.
NIST and its new Special Publication 800-160 [PDF].
The Department of Homeland Security insisting it is the best source, despite having done literally nothing besides give a speech.
The Federal Trade Commission.
The Department of Transportation.
There may be others.
http://docs.house.gov/meetings/IF/IF17/20161116/105418/HHRG-114-IF17-Wstate-SchneierB-20161116.pdf
Tomi Engdahl says:
British politicians sign off on surveillance law, now it’s over to the Queen
Monarch’s rubber stamp expected to turn bill into law within weeks
http://www.theregister.co.uk/2016/11/16/british_pols_sign_off_on_surveillance_law/
The UK’s Investigatory Powers Bill has completed its passage through parliament and now only awaits Her Majesty’s stamp of approval before becoming law.
Also known as the Snoopers’ Charter, the legislation has been criticised as being among the most onerous in the world upon the civilian population, and will require British ISPs to retain a curtailed form of their customers’ internet browsing histories – including what websites they had visited – for 12 months so that various authorities could request it for investigative purposes.
Additional powers are legislated for, including offensive hacking, despite concerns about the State finding an appropriate balance between creating and patching exploits, and the collection of bulk personal data by government spies for the sake of running enormous queries on surveillance data sets.
Tomi Engdahl says:
Hacker’s Mac pwning expedition: ‘Help, I’ve got too many shells!’
Hacked hack’s Mac yaps, Nest cam slapped
http://www.theregister.co.uk/2016/11/17/hackers_mac_pwning_expedition_help_ive_got_too_many_shells/
When Dan Tentler hacked writer Kevin Roose’s Mac, his chief problem wasn’t trying to pop the shell; it was trying to rein in the hundreds of shells he spawned.
Tentler had been tasked with breaching Roose’s computer for a documentary showcasing penetration testers’ ability to compromise users.
Tentler, also known as “Viss”, told the Kiwicon hacking conference in Wellington today how he manually wrote exploits to gain access to Roose’s laptop after discovering it was a Mac, but soon had access to his webcam, email, and Nest CCTV cameras.
“Shells were spawning everywhere, hundreds, so I had to write some scripts to shut them down,” Tentler told the conference.
“You can do a lot of damage, but a lot of it is manual [hacking].”
Tomi Engdahl says:
‘FIFA’ hackers guilty of ‘mining’ $16 million from EA
https://www.engadget.com/2016/11/17/fifa-hackers-guilty-of-mining-16-million-from-ea/
The leader of a group of ‘FIFA’ hackers has been convicted in a scheme to fraudulently obtain in-game currency.
We tend to think of ‘wire fraud’ as a white collar crime perpetrated against a banking institution, but in a world with virtual currencies and online marketplace, the reality can be a bit more complex. Take the case of Anthony Clark, a 24-year-old man from Whittier, CA, who was found guilty of a conspiracy to commit wire fraud. He didn’t defraud a major US bank — he and three others mined $16 million worth of FIFA Coins from EA Sports’ popular series of soccer games.
This isn’t the first time there have been legal charges surrounding the EA games’ digital currency — earlier this year some popular YouTube streamers got in trouble for violating the UK Gambling Act by creating online lotteries with FIFA Coins.
Tomi Engdahl says:
Boy, 17, admits TalkTalk hacking offences
http://www.bbc.com/news/uk-37990246
A 17-year-old boy has admitted hacking offences linked to a data breach at the communications firm TalkTalk, claiming he was “just showing off” to friends.
Norwich Youth Court was told he had used hacking tool software to identify vulnerabilities on target websites.
The data haul netted email addresses, names and phone numbers, as well as 21,000 unique bank account numbers and sort codes.
The boy pleaded guilty to seven charges and will be sentenced next month.
The cyber attack on the company in October 2015 prompted fears thousands of people may have had their online details stolen.
Six other people were arrested in connection with the attack.
‘Relentless focus’
TalkTalk was fined a record £400,000 last month for security failings which allowed customers’ data to be accessed “with ease”.
The company claimed the hack cost the firm £42m but has since reported a surge in half-year profits.
It said it also lost 98,000 broadband customers in the first half of the year, though this was largely offset by 69,000 new customers signing up.
Dido Harding, chief executive of TalkTalk, said: “One year on we have maintained a relentless focus on looking after our existing customers and keeping up the pace across a wide range of operational improvements.”
Tomi Engdahl says:
PoisonTap – siphons cookies, exposes internal router & installs web backdoor on locked computers
https://samy.pl/poisontap/
Tomi Engdahl says:
These are the 5 tricks used to infect your cell phone
Android is the world’s most popular operating system, and the number of devices that use it is really large. Therefore, cyber criminals put a lot of effort into finding ways in which malicious code can be forced onto its devices.
Camouflage: A security solution, such as Bouncer guarding the Google Play app store, can be fooled when a malicious part of a program is converted to ciphertext.
Dropper: Malware is introduced through the Google Play store by dropping. A harmless application is uploaded to the app store, but when the user downloads the app to their phone, it can connect to the attacker’s server and download the malicious component to the user’s device.
Blocks: The malware may consist of separate parts. Each block is harmless on its own; combine two and you get nasty results.
Longevity: The application icon may be hidden, or the malicious activity may be programmed not to start until weeks or months later.
Extended rights: There are a number of ways for malware to obtain extensive access. It can ask the user, or it can take advantage of software vulnerabilities.
Source: http://www.tivi.fi/Kaikki_uutiset/nama-ovat-5-kikkaa-joilla-kannykkasi-saastutetaan-6599847
Tomi Engdahl says:
When millions of devices are linked to the internet, their information security also becomes a far more critical issue than it was before the Internet of Things era.
“The first refrigerators, baby monitors and microwave ovens have already participated in cyber attacks. The more devices are connected to the network, the more complex the organization of their information security needs to be,”
“Organizing the security of devices will become a significant industry in its own right,”
Cinia is just about to open a security cloud in the Finnish market: Cinia Lioncloud. It is not a public cloud directed at the mass market, but the company’s self-developed high-security solution that meets the requirements.
According to Knaapila, the security cloud solution aims at close to one hundred percent security.
“When you are at the 99 per cent level, each further decimal costs as much to achieve as reaching the previous level did,”
Source: http://www.tivi.fi/Kaikki_uutiset/merikaapeliyhtio-rakensi-turvapilven-avoimen-netin-voi-ohittaa-kokonaan-6600012
Tomi Engdahl says:
UNKNOWN MALWARE CONTINUES TO RISE
https://www.checkpoint.com/resources/security-report/
Last year, unknown malware downloads rose over 900% with more than 970 downloads per hour compared to 106 previously. Known and unknown malware, bots and mobile vulnerabilities
Tomi Engdahl says:
Internet of Things control system optimizes plants and factories
http://www.controleng.com/single-article/internet-of-things-control-system-optimizes-plants-and-factories/559b6d5adb26b2fbd390f81722dd7174.html
Technology Update: The Industrial Internet Control System (IICS) from GE Automation and Controls can enable a 7% increase in performance, 22% increase in productivity, and 40% decrease in maintenance costs, GE said. Here’s how this helps Industrial Internet of Things (IIoT).
The Industrial Internet Control System (IICS) from GE Automation & Controls, launched in September 2016, is what the company called, at the time of introduction, “the world’s first out-of-the-box Internet of Things for the heavy machines in plants and factories around the world.”
The company has built on promising beta demonstrations and one-off installations
IICS enables users to optimize asset and process performance, maximize productivity, generate new revenue opportunities, and transform the equipment lifecycle. GE, which has applied these tools in its facilities, cites a 7% increase in performance, 22% increase in productivity, and 40% decrease in maintenance costs.
The company said its GE Industrial Internet Control System “enables users to improve operational efficiency through optimizing assets, process performance, and productivity, unlocking new revenue opportunities and transforming equipment lifecycles through connected controls, transforming a company’s operations.
GE’s Industrial Internet Control System
http://www.geautomation.com/industrial-internet-control-system-iics
Tomi Engdahl says:
Meet Erik – The cyber security manager at Westermo
http://www.westermo.com/web/web_en_idc_com.nsf/alldocuments/F224418CD9D4F379C1257F3B0030E9D6
How do we find the cyber security vulnerabilities?
We find most of them by tracking the available communities. We look at public disclosures. We do not do much internal assessments ourselves today. That is something that we want to strengthen and work more proactively with.
What is the biggest challenge with cyber security?
Being one step ahead is one thing we will never be able to be. So the answer is try to raise a general awareness, for example, to make sure we don’t open attachments in our emails that will infect our computers with malware of different kinds. We try to make our customers understand the threats and to help them use our products in sensible ways in production environments.
We are all the same, but the major difference between the home-user and our customers is the perseverance of the attacker. We have threats where groups of individuals have the time, the resources and the skills to go for specific, critical infrastructure targets. They can attack a target for years. In 2015, three substations in Ukraine were taken out using malware. The way they did it was exactly the same way we all get infected. It all begins with an infected email attachment, but the difference is this will not happen to you at home. At home you are generally attacked, but the methodology and the technology are the same.
It is not the technology that is the problem, it is the way people behave. It is nice to have good technology like our products, but focusing on people and their behaviours is more important. What will protect you is your knowledge.
Tomi Engdahl says:
Qualcomm Bug Bounty Program Offers $15,000 Payouts
http://www.securityweek.com/qualcomm-bug-bounty-program-offers-15000-payouts
Semiconductor and telecommunications giant Qualcomm Technologies, Inc. (QTI) announced on Thursday the launch of a bug bounty program with rewards of up to $15,000 for each vulnerability found in its products.
Hundreds of millions of Android devices have been exposed to attacks in the past months due to vulnerabilities in Qualcomm components, including the recently disclosed security bugs known as QuadRooter.
The company is hoping that researchers can find these types of flaws faster than the bad guys so it has launched a new HackerOne-powered bug bounty program that promises both money and recognition.
The program covers several Snapdragon chipset families used in smartphones and tablets from Google, LG, Motorola, Sony, Asus, HTC, Samsung, Microsoft, BlackBerry and others.
Qualcomm is particularly interested in vulnerabilities affecting the Linux kernel code in “Android for MSM” (version 3.14 or newer), the bootloader, cellular modems, WLAN and Bluetooth firmware, programs running with root or system privileges, and the Qualcomm Secure Execution Environment (QSEE) on Trustzone.
The highest reward, up to $15,000, can be earned for critical vulnerabilities in cellular modems. Critical flaws in QSEE and the bootloader can earn hackers $9,000, while application processor software weaknesses are rewarded with up to $8,000.
Qualcomm Vulnerability Rewards Program
https://hackerone.com/qualcomm
Tomi Engdahl says:
U.S. Intel Chief: Russia ‘Curtailed’ Hacking of U.S. Targets
http://www.securityweek.com/us-intel-chief-russia-curtailed-hacking-us-targets
Russian cyber attacks on US political and commercial targets, including hacks of internal Democratic Party emails, have been “curtailed” since Washington publicly accused Moscow, US intelligence chief James Clapper said Thursday.
Clapper told a congressional hearing that the formal accusation and threat of retaliation by senior US officials on October 7 appeared to have achieved the goal of cutting off the activity.
“It may have had the desired effect, since after the issue of the statement and the communication took place between our government and the Russian government, it seemed to curtail the cyber activity that the Russians previously were engaged in,” he said.
Russian hacking came to the forefront after Wikileaks began publishing in July emails from the Democratic National Committee that embarrassed presidential nominee Hillary Clinton as she battled now President-elect Donald Trump ahead of the November 8 election.
Tomi Engdahl says:
1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline
http://www.securityweek.com/13-websites-use-sha-1-certificates-despite-looming-deadline
In 45 days, Certificate Authorities (CAs) will no longer issue certificates using the SHA-1 cryptographic hash function, but 35% of websites still use such certificates today, a new research from Venafi reveals.
Last year, security researchers revealed that new collision attacks have significantly lowered the cost of breaking the two decade-old SHA-1 algorithm that became an Internet security standard. This prompted an industry-wide move away from the insecure crypto function and toward the much more secure SHA-2 or SHA-3, after researchers have been urging this change for years.
Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure.
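The SHA-1 sunset described above turns into a concrete inventory task: find every certificate you serve whose signature still uses SHA-1. As an added example (not code from the article or from Venafi), the following stdlib-only Python walks a certificate’s outer DER structure, decodes the signatureAlgorithm OID and reports whether the certificate must be replaced; the sample inputs are constructed certificate-shaped DER skeletons, not real certificates, and a real PEM file can be fed through pem_to_der.

```python
"""Flag X.509 certificates whose signatureAlgorithm is SHA-1 based (stdlib only):
walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
import base64
import re

# Signature OIDs built on SHA-1: the ones browsers stop trusting on 2017-01-01.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Common SHA-2 names for readable output; anything else is reported as a dotted OID.
KNOWN_SIGNATURE_OIDS = {
    **SHA1_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear ends a base-128 group
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem):
    """Strip PEM armour and base64-decode the first certificate in the text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def signature_algorithm_oid(der):
    """Dotted OID from the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)         # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def describe(der):
    """e.g. 'sha1WithRSAEncryption: REPLACE before 2017-01-01' or 'sha256WithRSAEncryption: ok'."""
    oid = signature_algorithm_oid(der)
    verdict = "REPLACE before 2017-01-01" if oid in SHA1_SIGNATURE_OIDS else "ok"
    return f"{KNOWN_SIGNATURE_OIDS.get(oid, oid)}: {verdict}"

# --- constructed sample input: certificate-shaped DER skeletons, not real certificates ---
def _der(tag, content):
    """Minimal DER encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last octet
            group.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(group)
    return _der(0x06, bytes(out))

def skeleton_cert(sig_oid):
    """Dummy tbsCertificate (serial + padding) + real AlgorithmIdentifier + zero signature bits."""
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x04, bytes(200)))  # padding forces long-form lengths
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 5)          # BIT STRING: 0 unused bits, 4 zero bytes
    return _der(0x30, tbs + alg + sig)

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11", "1.2.840.10045.4.3.2"):
        print(describe(pem_to_der(der_to_pem(skeleton_cert(oid)))))
```

The check reads only the certificate's own signature; in a served chain, run it on each certificate separately, since an intermediate signed with SHA-1 fails the same browser policy.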
Tomi Engdahl says:
Hackers Access Private Details of Three Mobile Customers
http://www.securityweek.com/hackers-access-private-details-three-mobile-customers
Computer hackers have broken into a database of Three Mobile customers and accessed their personal details in order to steal smartphones, the UK network said on Thursday.
A spokesman for the company said there had been an uptick in attempted phone fraud over the past four weeks, both through burglaries of Three retail stores and intercepting customer phone upgrades.
Tomi Engdahl says:
The Answer is Right in Front of You
http://www.securityweek.com/answer-right-front-you
I have lost count of the number of conversations I’ve either observed or been involved in where people simply aren’t listening to one another. Whether it’s in a meeting, at a conference, in a social setting, or elsewhere, sometimes I take a step back and marvel at the complete breakdown in communication.
In this particular session, a guest speaker was brought in to speak to the group about the importance of listening to customers.
I’m sure you can imagine my surprise when, after an hour and near the end of the presentation, someone raised their hand and asked the following question: “What is the point of arranging all of these customer conversations? They won’t yield anything! That time would be better spent on product development!”
Prioritizing Risks
As many of you are aware, I have written several times about the importance of understanding and prioritizing risks as part of a successful security program.
the winning approach is relatively low-tech. Talk to people. Have a dialogue with the business. Understand the business needs and priorities and how security can be a partner in those efforts. Granted, this can be a fairly complicated undertaking that is often more art than science, but it works.
Being Attuned To Market Needs
One thing that I’ve always found fascinating is how people assess market needs and market direction. This is something I’ve observed both inside and outside of the security space. More often than not, people use a number of different techniques, which can include such things as gut feelings, fingers in the wind, and hunches.
So what should they be doing instead? Talking to customers in the space, and lots of them. Ask them what problems they’re looking to solve in the next 12-36 months, along with other issues and challenges that they expect to encounter. Sure, you’ll get a wide variety of answers, but you’ll most likely also get quite a bit of overlap. That should help you assess market forces far better than a crystal ball will.
Moving In The Right Direction
I often find myself in a conversation with new entrepreneurs. Any conference, meetup, or group function you go to in the security field is bound to have several of them. Most of them are extremely bright, determined, motivated, and hardworking. At the same time, most of them do not have experience on the customer side, nor do they understand the problems that customers are looking to solve.
While some entrepreneurs excel at managing relationships with customers and leveraging those to zero in on the right problems and challenges, many do not. Even the best intentions, brightest minds, and most energetic teams need to be focused in the right direction.
No one ever said that prioritizing risk, meeting the needs of a complex market, or starting a technology company were easy.
Tomi Engdahl says:
Firefox 50 Patches 27 Vulnerabilities
http://www.securityweek.com/firefox-50-patches-27-vulnerabilities
Mozilla this week released Firefox 50 in the stable channel to patch 27 vulnerabilities and to provide users with improved Download Protection.
Three of the resolved issues in the popular Web browser were Critical flaws, 12 were considered High risk, 10 were rated Moderate severity, and two were Low risk issues. In addition to resolving all of them, Mozilla packed Firefox 50 with other security improvements as well.
Tomi Engdahl says:
Disgruntled Gamer ‘Likely’ Behind October US Hacking: Expert
http://www.securityweek.com/disgruntled-gamer-likely-behind-october-us-hacking-expert
The hacker who shut down large parts of the US internet last month was probably a disgruntled gamer, said an expert whose company closely monitored the attack Wednesday.
Dale Drew, chief security officer for Level 3 Communications, which mapped out how the October 21 attack took place, told a Congressional panel that the person had rented time on a botnet — a network of web-connected machines that can be manipulated with malware — to level the attack.
Using a powerful malware known as Mirai, the attacker harnessed some 150,000 “Internet of Things” (IoT) devices such as cameras, lightbulbs and appliances to overwhelm the systems of Dynamic Network Services Inc, or Dyn, which operates a key hub in the internet, according to Drew.
The so-called distributed denial of service attack jammed up traffic routing from Dyn’s servers to major websites like Amazon, Twitter and Netflix for hours before the attack could be overwhelmed.
“We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge and rented time on the IoT botnet to accomplish this,” he said.
Drew said the ability of hackers to make use of mundane home electronics to mount such an attack signalled a huge new risk in the global internet circuitry.
He said IoT devices often have easily hackable passwords, including hard-wired passwords that owners cannot change.
“IoT devices also are particularly attractive targets because users often have little way to know when they have been compromised. Unlike a personal computer or phone, which has endpoint protection capabilities and the user is more likely to notice when it performs improperly, compromised IoT devices may go unnoticed for longer periods of time.”
Tomi Engdahl says:
Security Segmentation and Flexibility? Yes, They Can Go Together
http://www.securityweek.com/security-segmentation-and-flexibility-yes-they-can-go-together
In today’s world we expect flexibility without compromising security.
So what happens when we apply a similar mindset to our business? Building new digital processes, moving equipment around, deploying a new application, acquiring another organization, or closing facilities shouldn’t make us more vulnerable to attacks. But it can. Organizations are struggling to identify, contain, and respond resiliently to cyber attacks. At the same time, they need to support increased business innovation and change. Being able to flexibly build new digital processes and adapt to other business changes securely is what we should expect and require for success.
For many years we’ve relied on network segmentation to isolate different parts of the network, using firewalls and virtual local area networks (VLANs) to mitigate the risk of attacks. But this approach lacks the flexibility to respond to changing business requirements. To overcome this limitation we open up the firewall to allow connections, which decreases the extent of control the firewall was designed to provide and leads to increasingly complex rule sets to manage. As such, many organizations have retreated on segmentation, using it only in a few select areas of their network where required for compliance reasons such as PCI.
To compensate for the lack of flexibility inherent in network segmentation, we need a model that lets us think about segmentation independent of the underlying technology. This requires we step back and take a new, strategic approach to segmentation that begins by asking: what is the ultimate business goal, the digital model to achieve it, and the requirements for protection? This allows us to think about segmentation more holistically to include data, user, application, and business process considerations.
So how do we go about this? To develop your segmentation strategy you need to look at both your specific business goals and your risk landscape. A framework that considers identity and trust, visibility, policy enforcement, availability, and resiliency will allow you to move beyond the network layer.
Hospitals need to protect clinical data and devices from the general hospital population and patient population that have access to the network. But the environment in which they operate is extremely complex. Equipment moves around; an array of devices are connecting to the network; patients and care givers need network access; electronic medical records must be protected; campuses and regional clinics need to be connected; and new and acquired facilities must be added while other facilities may be closing.
You need to start by understanding all the systems on the network that generate data and the various individuals who need to communicate and have access to that data. From there you can assign permission-level access based on hospital policies and compliance mandates. With levels of trust established you can apply policy enforcement, not just in the network but also within systems and applications.
Organizations in other industries need to follow a similar process but key considerations vary by industry.
In each of these examples, defining a strategic approach to segmentation begins by looking at the business in a way that transcends a particular technology or environment or even process. Business leaders must engage with IT to help define the requirements.
Tomi Engdahl says:
U.S. Intelligence Chief James Clapper Resigns
http://www.securityweek.com/us-intelligence-chief-clapper-resigns
US intelligence chief James Clapper, whose 2013 denial that the US collects personal communications data on millions of citizens led to the stunning Snowden spying expose, on Thursday announced his resignation.
After six years as Director of National Intelligence, Clapper told a congressional hearing that he would step down on January 20, the day Donald Trump is to be sworn in as US president.
Tomi Engdahl says:
iOS Lockscreen Bypass Gives Access to Contacts, Photos
http://www.securityweek.com/ios-lockscreen-bypass-gives-access-contacts-photos
Apple’s upcoming updates for iOS will likely include a fix for a new lockscreen bypass technique that can be used to access contact information and photos on locked iPhones and iPads.
The method, discovered by the individuals behind the EverythingApplePro and iDeviceHelp channels on YouTube, requires physical access to the targeted device and Siri enabled on the lockscreen.
First, the attacker needs to figure out the device’s phone number, which can easily be obtained by asking Siri “Who am I?” from the lockscreen. Once Siri provides the number, the attacker initiates a voice or FaceTime call to the targeted device from another phone.
Tomi Engdahl says:
IBM Opens New Security HQ and Cyber Range in Cambridge
http://www.securityweek.com/new-ibm-cyber-range-helps-organizations-respond-attacks
IBM Security on Wednesday unveiled its brand new global headquarters in Cambridge, Massachusetts, which features a physical Cyber Range designed to allow organizations in the private sector to prepare for and respond to cyber threats.
IBM says the new facility is part of a $200 million investment made this year in its security business, which includes expansion of its incident response capabilities, including new facilities, services and software.
The company believes the facility can be highly useful not only to CISOs and their security teams, but also to other C-level executives, board members and students.
Tomi Engdahl says:
Several Vulnerabilities Patched in Drupal 7, 8
http://www.securityweek.com/several-vulnerabilities-patched-drupal-7-8
Drupal developers have released updates for versions 7 and 8 to address security flaws that can lead to information disclosure, cache poisoning, redirection to third-party sites and a denial-of-service (DoS) condition.
Drupal 7.52 and Drupal 8.2.3 patch a total of four vulnerabilities rated “moderately critical” and “less critical.”
Tomi Engdahl says:
What Makes a Good Exploit Kit
http://www.securityweek.com/what-makes-good-exploit-kit
So if exploit kits aren’t new, what makes them successful year after year? As in many industries – and there’s no denying cybercrime is a global industry – innovation, features and ease of use win the day. Taking a look at two of the most prominent exploit kits, the Angler and Nuclear exploit kits, quickly reveals three main characteristics that define a good exploit kit.
1. They exploit a large number of vulnerabilities quickly. The Angler exploit kit set a high bar, exploiting the largest number of vulnerabilities – 26 – when compared to other exploit kits. The Nuclear exploit kit is also quite advanced with at least 19 vulnerabilities at its disposal.
2. They incorporate a wide variety of delivery methods for malicious payloads. Again, the Angler exploit kit set the standard with 10 different payloads including: ransomware, banking trojans, credential harvesters, and click fraud malware (malware used to generate revenue by clicking on a pay-per-click advertisement).
3. They make it easy for users. The very basis for exploit kits is that they are a user-friendly way for unsophisticated attackers to infect victims. Available for sale or rent in the black market, many kits even come with support services – much like products in other industries. More than that, they also incorporate capabilities designed for simplicity.
To focus on how exploit kits may impact your organization, you need to understand your digital shadow, a subset of your digital footprint that consists of exposed personal, technical or organizational information that is often highly confidential, sensitive or proprietary. Cyber situational awareness can help you turn that “attacker’s eye view” into insights that you can use to prevent, detect and contain attacks from exploit kits.
If it isn’t obvious by now, patching is also an important part of your defense strategy.
Tomi Engdahl says:
The Dangers of Public Company Valuations and Security Breaches
http://www.securityweek.com/dangers-public-company-valuations-and-security-breaches
All companies should uphold a certain standard of ethics for security, protecting their customers, employees and shareholders from personal or company valuation damage – a Hippocratic oath of sorts. Legal legislation is dangerous as it spurs activity that is only focused on compliance and not the safety of individuals. There needs to be a general collective desire for security teams to want to work together to protect the public at large.
The recent Saint Jude issue with Muddy Waters, in which cybersecurity firm MedSec partnered with investment firm Muddy Waters to short-sell medical device company Saint Jude, sets a dangerous new precedent in terms of security research and vulnerability. It raises new ethical questions regarding the responsibilities of both security researchers and vendors when sharing their findings. We haven’t previously seen independent security researchers using the potential existence of zero day vulnerabilities in a product to short a stock for their financial gain.
While it’s reasonable to think that independent researchers should be rewarded for their efforts
The interests of the researchers should be to make the world more secure, not profit from a corporation’s vulnerabilities.
One could argue that working with an investment firm puts more pressure on a company to do the right thing. However, this kind of behavior forces a company to act solely on shareholder protection, rather than balancing the needs of shareholders with those of customers or employees. You now have a company trying to protect their valuation instead of addressing the security problem, or even denying the security problem in order to not cause a widespread panic over a potential security issue.
While not technically illegal, this is an example of a very dangerous activity that puts the wider community at risk in the interest of profits.
If the security industry is going to be successful, we need to stand on two key pillars: the desire to do good and the ability to do good.
The desire to do good means we need to be uniting the good guys against the bad guys, not pretending to be good guys in order to make a buck.
The ability to do good falls on the sophistication of the products themselves. Many security products and solutions today are focused on continuing to silo security information that cannot be easily leveraged across platforms. We need to be able to share security intelligence across organizations for the good of the industry as a whole. Once we have that intelligence, we also need to be able to effectively make it actionable, so we can react to any incoming threats and stop attackers in their tracks.
We need to advocate for the security community to push towards responsible disclosure. We need to find ways to incentivize good behavior while taking a stand against using security as a way to “pump or dump” a stock.
Tomi Engdahl says:
DHS Publishes Principles, Best Practices for Securing IoT
http://www.securityweek.com/dhs-publishes-principles-best-practices-securing-iot
The Department of Homeland Security recently published (PDF) its Strategic Principles for Securing the Internet of Things. It comprises six non-binding principles designed to provide security across the design, manufacturing and deployment of connected devices. It quotes, “there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.”
STRATEGIC PRINCIPLES FOR SECURING THE INTERNET OF THINGS (IoT)
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf
Tomi Engdahl says:
The encryption conundrum: Should tech compromise or double down?
Just wait for FBI versus Apple: The Revenge
http://www.theregister.co.uk/2016/11/18/encryption_conundrum_should_tech_compromise_or_doubledown/
Versus16 Silicon Valley should work with the US government in Washington to arrive at a solution that gives law enforcement access to encrypted comms, but that respects individual privacy.
That’s according to former White House counterterrorism and cybersecurity official Daniel Rosenthal, who was debating where the issue of encryption should go next.
Nonsense, responded Cindy Cohn of the Electronic Frontier Foundation (EFF), on stage at the Versus conference in San Francisco. If the tech sector offers some form of compromise now, the government will only come asking for more later.
In the week since Donald Trump was elected president, tech companies have reported a 25 per cent spike in people encrypting their communications.
The reason why is not hard to discern: on the campaign trail the Republican nominee repeatedly stated that he would be prepared to use the full power of the federal government to carry out his policy goals, which includes the forced deportation of millions of people, the surveillance of millions of others, and the pursuit of terrorism above all else.
Tomi Engdahl says:
NSA Chief: Nation-State Made ‘Conscious Effort’ To Sway US Presidential Election
https://politics.slashdot.org/story/16/11/17/2022213/nsa-chief-nation-state-made-conscious-effort-to-sway-us-presidential-election
The head of the US National Security Agency has said that a “nation-state” consciously targeted presidential candidate Hillary Clinton’s presidential campaign, in order to affect the US election. From an AOL article:
Adm. Michael Rogers, who leads both the NSA and US Cyber Command, made the comments in response to a question about Wikileaks’ release of nearly 20,000 internal DNC emails during a conference presented by The Wall Street Journal. “There shouldn’t be any doubt in anybody’s minds,” Rogers said. “This was not something that was done casually. This was not something that was done by chance. This was not a target that was selected purely arbitrarily. This was a conscious effort by a nation-state to attempt to achieve a specific effect.”
NSA Chief: Nation-state made ‘conscious effort’ to sway US presidential election
http://www.aol.com/article/2016/11/16/nsa-chief-nation-state-made-conscious-effort-to-sway-us-presi/21607615/
Rogers did not specify the nation-state or the specific effect, though US intelligence officials suspect Russia provided the emails to Wikileaks, after hackers stole them from inside DNC servers and the personal email account of Hillary Clinton’s campaign manager, John Podesta.
At least two different hacker groups associated with the Russian government were found inside the networks of the DNC over the past year, reading emails, chats, and downloading private documents. Many of those files were later released by Wikileaks.
“The US intelligence community is confident that the Russian Government directed the recent compromises of emails,” read a statement from the Department of Homeland Security. “These thefts and disclosures are intended to interfere with the US election process.”
Tomi Engdahl says:
Three CEO confirms hack, 133,827 customers were exposed
Database was breached for handset update scam
http://www.theregister.co.uk/2016/11/18/three_ceo_admits_hack/
The CEO of UK carrier Three Mobile has confirmed that a customer database was compromised by hackers and more than 130,000 customers have had their account data exposed.
David Dyson says that the hackers, believed to be two men from Kent and Manchester, had indeed accessed the customer directory and used the information – including names, addresses, and dates of birth – to order new phones for accounts that were eligible for hardware upgrade. They then intercepted the packages.
Three says that the hackers managed to order and steal eight phones using the lifted customer account details.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
Mike Pompeo, Trump’s pick for CIA director, is a strong supporter of mass surveillance, but opposes mandating backdoors in encryption
Trump’s CIA Director Pick Thinks Using Encryption ‘May Itself Be A Red Flag’
http://motherboard.vice.com/read/trumps-cia-director-pick-thinks-using-encryption-may-itself-be-a-red-flag
Donald Trump announced on Friday that he’s chosen Congressman Mike Pompeo to run the Central Intelligence Agency (CIA), the premier spy agency of the United States.
Pompeo, a Republican lawmaker from Kansas and a former Army officer, has little-to-no experience in the world of intelligence (other than being part of the House Intelligence Committee), but he’s distinguished himself for being a strong supporter of mass surveillance and for thinking that using encryption, by itself, might be a sign that you’re a terrorist.
“Forcing terrorists into encrypted channels, however, impedes their operational effectiveness by constraining the amount of data they can send and complicating transmission protocols, a phenomenon known in military parlance as virtual attrition,” Pompeo wrote in an op-ed published in January by The Wall Street Journal. “Moreover, the use of strong encryption in personal communications may itself be a red flag.”
Tomi Engdahl says:
Fortune:
Inside New York City’s $10M digital crime lab, where analysts and researchers crack devices, use big data, and more to gather evidence to help solve crimes
http://fortune.com/vance-crime-lab/
Tomi Engdahl says:
Nokia: 4G mobile phones can be captured to a denial of service attack
Capturing computers for a variety of criminal purposes is not news, but would you guess that the same can be done with smartphones? Nokia’s Bell Labs researchers showed at the Black Hat security seminar how the security of the LTE phone signaling protocol is inadequate.
It has already been shown in the past that the SS7 signaling protocol of older mobile networks leaks. SS7 is the protocol that allows voice, SMS and data connections to be formed between operators’ networks. Generally, operators do not protect the SS7 network, thus in principle giving hackers free rein over users’ location, tracking and billing information and, in the worst cases, the monitoring of telephone and data traffic.
In LTE networks, terminal signaling has changed to the Diameter protocol, which in principle includes IPSec encryption. However, there is no way to determine that operators use encryption. This can lead to problems.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5429:nokia-4g-kannykat-voi-kaapata-palvelunestohyokkayksiin&catid=13&Itemid=101
More:
https://www.blackhat.com/docs/eu-16/materials/eu-16-Holtmanns-Detach-Me-Not.pdf
Tomi Engdahl says:
Ransoc Ransomware Blackmails Victims
http://www.securityweek.com/ransoc-ransomware-blackmails-victims
A newly observed piece of ransomware isn’t targeting files to encrypt as most threats in this category do, but rather scrapes Skype and social media profiles for personal information to encourage victims to pay the ransom.
Dubbed Ransoc, the malware connects to social network accounts found on the infected computer, including LinkedIn, Facebook, Skype, and others. Next, the malware searches for torrent files and other content that could point to illegal activity and then displays a ransom note tailored to the findings.
The Ransoc malware, security researchers say, is targeting Windows computers, but it is related to a browser locker that functions cross-platform.
The malware displays a Penalty Notice only if potential evidence of child pornography or media files downloaded via torrents is found on the infected machine.
Because it connects to the victim’s social network accounts, the malware customizes the ransom message with accurate data, including profile photos. Victims are threatened that the collected “evidence” would be exposed to the public, and the legitimate social profile information serves as social engineering lure to trick users into believing that sensitive information might actually be at risk.
Ransoc’s code also revealed the ability to access webcams connected to the infected machine, but the security researchers say that the function wasn’t seen active.
Fortunately, Proofpoint discovered that Ransoc only uses a registry autorun key for persistency. As a result, users can remove the infection by rebooting the computer in Safe Mode.
“This fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement.”
Tomi Engdahl says:
Over-the-Air Update Mechanism Exposes Millions of Android Devices
http://www.securityweek.com/over-air-update-mechanism-exposes-millions-android-devices
The insecure implementation of the OTA (Over-the-air) update mechanism used by numerous Android phone models exposes nearly 3 million phones to Man-in-the-Middle (MitM) attacks and allows adversaries to execute arbitrary commands with root privileges.
The vulnerable OTA update mechanism is associated with Chinese software company Ragentek Group, which didn’t use an encrypted channel for transactions from the binary to the third-party endpoint. According to security researchers at AnubisNetworks, this bug not only exposes user-specific information to attackers, but also creates a rootkit, allowing an adversary to issue commands that could be executed on affected systems.
The issue, tracked as CVE-2016-6564, is that a remote, unauthenticated attacker capable of performing a MitM attack could replace the server responses with their own and execute arbitrary commands as root on the affected devices.
Similar to the issue found in Android devices running firmware coming from Shanghai ADUPS Technology Co. Ltd., the bug in Ragentek’s Android OTA update mechanism is included out of the box. The two issues aren’t related, but they are similar to a certain point, as both allow for code execution on smartphones. The ADUPS firmware was found to siphon user and device information in addition to allowing the remote installation of apps.
The CERT advisory associated with this vulnerability reveals that multiple smartphones from BLU Products are affected, along with over a dozen devices from other vendors, namely Infinix Mobility, DOOGEE, LEAGOO, IKU Mobile, Beeline, and XOLO.
Tomi Engdahl says:
Moxa, Vanderbilt Surveillance Products Affected by Serious Flaws
http://www.securityweek.com/moxa-vanderbilt-surveillance-products-affected-serious-flaws
Surveillance products from Moxa and Vanderbilt are affected by several critical and high severity flaws that can be exploited by remote hackers to take control of vulnerable systems.
ICS-CERT has published an advisory describing three serious vulnerabilities affecting Moxa SoftCMS, a central management software designed for large-scale surveillance systems. Gu Ziqiang from Huawei Weiran Labs and Zhou Yu have been credited for finding the security holes.
The most severe of the flaws, with a CVSS score of 9.8, is a SQL injection (CVE-2016-9333) that can be exploited by a remote attacker to access SoftCMS with administrator privileges.
ICS-CERT said in its advisory that Moxa patched these security holes with the release of SoftCMS 1.6 on November 10, but the vendor’s release notes show that the latest version only addresses the SQL Injection issue.
Vulnerabilities in Siemens-branded Vanderbilt CCTV cameras
Siemens and ICS-CERT informed users that several Siemens-branded Vanderbilt IP cameras are affected by a vulnerability (CVE-2016-9155) that allows an attacker with network access to obtain administrative credentials using specially crafted requests. Updates have been released by Vanderbilt for each of the affected products.
Tomi Engdahl says:
Recruitment Site Scraped, Leaked 8 Million GitHub Profiles
http://www.securityweek.com/recruitment-site-scraped-leaked-8-million-github-profiles
A new tech recruitment project scraped user data from GitHub and other similar websites and inadvertently leaked it online through a misconfigured MongoDB database.
Australian security expert Troy Hunt, the owner of the Have I Been Pwned service, was recently provided a 600 Mb MongoDB backup file containing data from a tech recruitment website called GeekedIn. A closer analysis revealed that the file contained information on more than 8 million GitHub profiles, including names, email addresses, locations and other data.
8 million GitHub profiles were leaked from GeekedIn’s MongoDB – here’s how to see yours
https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/
Tomi Engdahl says:
Arizona Teen Indicted Over 911 Cyberattacks
http://www.securityweek.com/arizona-teen-indicted-over-911-cyberattacks
Authorities said Desai’s exploit made hang-up calls to 911 emergency services in Maricopa, Surprise, Chandler and Avondale. These agencies received over 300 calls between October 24 and October 26. Some calls were also reportedly made to emergency services in Illinois, Texas and California.
Researchers determined recently that a botnet powered by only 6,000 smartphones would be enough to disrupt 911 emergency services in a U.S. state.
Desai told investigators that he was trying to find vulnerabilities that he could report to Apple for a reward.
“DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money.”
Tomi Engdahl says:
Symantec acquires LifeLock for $2.3 billion
http://www.zdnet.com/article/symantec-acquires-lifelock-for-2-3-billion/
Identity theft protection acquisition forms “world’s largest digital safety platform for consumers and families.”
“As we all know, consumer cybercrime has reached crisis levels. LifeLock is a leading provider of identity and fraud protection services, with over 4.4 million highly-satisfied members and growing. With the combination of Norton and LifeLock, we will be able to deliver comprehensive cyber defense for consumers,” said Greg Clark, Symantec’s CEO.
Symantec believes its Norton Security and LifeLock creates “the world’s largest consumer security business with over $2.3 billion in annual revenue based on last fiscal year revenues for both companies.” It believes there is an addressable market of 80 million people becoming more concerned with cybersecurity.
Tomi Engdahl says:
Researchers crack Oz Govt medical data in ‘easy’ attack with PCs
White hat efforts show up Govt’s proposed laws to criminalise research
http://www.theregister.co.uk/2016/09/29/researchers_crack_oz_govt_medical_data_in_easy_basic_pc_attack/
Australian researchers have laid waste to the Federal Government’s plan to criminalise the decryption of anonymised state data sets, just a day after it was announced, by ‘easily’ cracking government-held medical data.
Federal attorney-general George Brandis yesterday announced that it would accept recommendations from the Senate Select Committee on Health and make it an offence to de-anonymise data
The law would be part of amendments to the Australia’s Privacy Act.
Before the announcement of the new law, University of Melbourne researchers Dr Chris Culnane, Dr Benjamin Rubinstein, and Dr Vanessa Teague discovered dangerous failings in the way the government had protected the service provider ID numbers in a sample set representing 10 percent of claims under the country’s Medicare Benefits Schedule dating from 1984 to 2014.
Dr Vanessa Teague told The Register she did not want to reveal the specific failings of the security controls in place fearing the same subpar defences are used to protect other sensitive data sets published online by the Federal Government.
She says the Government’s amendments to the Privacy Act should be binned.
“The Government should be doing exactly the opposite,” Dr Teague says.
“[It] should be encouraging Australian security researchers to learn and investigate the math, and let the Government know when security vulnerabilities are identified.”
The Federal Government notes decryption research and even the encouragement of it will be considered an offence under the pending laws.
“The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.”
Tomi Engdahl says:
Intelligent Filters, the Modern Data Traffic Cop
http://www.securityweek.com/intelligent-filters-modern-data-traffic-cop
Modern Networks Need Smart Filtering Tools that Boost Performance of Monitoring, Analytics and Security
The popularity of Software-as-a-Service (SaaS) applications combined with continuous additions of newly networked devices have added a strain to the traditional data center making it crucial for businesses to better manage the growing volume of network traffic. According to Cisco, annual global data center IP traffic will reach 10.4 zettabytes by the end of 2019, up from 3.4 zettabytes per year in 2014—that’s a three-fold growth in five years. Overall, data center workloads are expected to more than double by 2019. This will surely raise problems within the organizations accessing them if not properly managed.
Organizations that establish a solid network foundation today will out-secure, out-perform and outgrow their competition. That foundation starts with better management, control and filtering of traffic within highly congested data centers. Like designing traffic control systems to avoid vehicle gridlock at rush hours, a proper network foundation does the same for your data. Technologies like network packet brokers (NPBs) have emerged to address these issues, but just like your experience on your commute to work, some traffic control approaches are more effective than others. Here’s how you can tell the difference.
Monitoring and securing modern network flows requires granular insight, only possible through sophisticated and automated analytics and security tools. It is no longer feasible to manually monitor and protect our networks without these tools, but each analysis, compliance and security appliance also adds layers of complexity. That complexity could end up costing more than it contributes if it is not configured smoothly into the network. Enter smart filtering solutions.
Security and analytics tools can add a lot of value to your business—if they actually see the data they are supposed to see. But that’s no longer easy.
For out-of-band performance monitoring, intrusion detection systems or analytics, network taps are used to replicate data flowing across individual segment points and send it to the necessary tools. Depending on where the taps are placed, you could end up with as much as 50 percent or more duplicate packets that each tool would then need to sort through.
Distribution – the Foundation for Growth
We are all used to being forced to do more with less. One simple change at the foundation of your network could open a world of growth possibilities. If you could see more and secure more with less, why wouldn’t you?
Tomi Engdahl says:
Free ‘cyber hugs’ for all is the plan at New Zealand’s first CERT
Kiwis plan a CERT with heart, not just a shield for business
http://www.theregister.co.uk/2016/11/22/cert_nz_to_cyber_hug_breached_smbs_not_only_enterprises_natsec/
Kiwi security incident responders are gearing up to go live with New Zealand’s first computer emergency response team (CERT) next March. And in a change of tack for CERTs, New Zealand’s will help all businesses, not just the top end of town.
Declan Ingram, program manager and heavy lifter with CERT NZ says it will help small businesses all the way to enterprises and government with incident response, and will even supply security engineers from the private sector with intelligence.
The well-known former penetration tester told the Kiwicon hacker conference CERT NZ is running a ten-month sprint to start up after being announced in May 2016.
“It (CERT NZ) is really, really different to a lot of other CERTs which are focused on critical infrastructure, focused on their memberships,” Ingram says.
“A big part of what the CERT is going to be doing is connecting people.”
Its five core functions include:
Incident response and triage;
Situational awareness and information sharing;
International collaboration with a tight-knit network of global CERTs;
Advice and outreach, and;
Co-ordination of serious cyber incidents.
Tomi Engdahl says:
Microsoft plans St Valentine’s Day massacre for SHA‑1
End of the line for weak hash as web giants finally act
http://www.theregister.co.uk/2016/11/21/microsoft_to_massacre_sha1/
The death knell for the SHA‑1 cryptographic hash function will echo around the web now that all the main browser builders have decided to cut off support – only 12 years after its flaws were first discovered.
On Friday, Mozilla and Microsoft both announced that support for SHA‑1 in HTTPS certificates would be dropped – Moz with build 51 of Firefox in January and Microsoft on February 14 for its Edge and Internet Explorer 11 browsers. Google has already said Chrome will shun SHA‑1-signed SSL/TLS certs from build 56, due out by the end of January.
“The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA‑1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web,” Redmond said. “Though we strongly discourage it, users will have the option to ignore the error and continue to the website.”
SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change. The delays have been driving some of the tech community up the wall, given that SHA‑1 was proven to be deeply flawed back in 2005 and has been getting progressively more insecure since then.
Tomi Engdahl says:
Donald Trump confirms TPP to be dumped, visa program probed
Doubles down on new cyber-defence plan, too, even though USA already has one
http://www.theregister.co.uk/2016/11/22/trump_confirms_tpp_to_be_dumped_visa_program_probe/
“I will ask the Department of Defence and the chair of the Joint Chiefs of Staff to develop a comprehensive plan to defend America’s infrastructure from cyber attacks and all other form of attacks.” The Department of Defence’s Cyber Strategy already lists “Defend the U.S. homeland and U.S. national interests against cyberattacks of significant consequence” as one of its three missions, so it is unclear exactly what new plans Trump expects.
Tomi Engdahl says:
FYI: The FBI is being awfully evasive about its fresh cyber-spy powers
Agents want to hack suspected Tor, VPN users at will – no big deal
http://www.theregister.co.uk/2016/11/23/fbi_rule_41/
Senior US senators have expressed concern that the FBI is not being clear about how it intends to use its enhanced powers to spy on American citizens.
Those are the spying powers granted by Congressional inaction over an update to Rule 41 of the Federal Rules of Criminal Procedure. These changes will kick in on December 1 unless they are somehow stopped, and it’s highly unlikely they will be challenged as we slide into the Thanksgiving weekend.
The rule tweak, which was cleared by the Supreme Court in April, will allow g-men to apply for a warrant to a nearby US judge to hack any suspect that’s using Tor, a VPN, or some other anonymizing software to hide their whereabouts, in order to find the target’s true location.
The rule change, which has never been voted on by Congress, has raised serious privacy concerns. The Stopping Mass Hacking Act is under consideration to change the rule back, and a Review the Rule Act has also been filed to extend the December 1 deadline.
Tomi Engdahl says:
WordPress auto-update server had flaw allowing anyone to add anything to websites worldwide
About 27 per cent of the entire WWW at risk, we’re told
http://www.theregister.co.uk/2016/11/23/wordpress_auto_update_flaw/
Up to a quarter of all websites on the internet could have been attacked through a since-patched vulnerability that allowed WordPress’ core update server to be compromised.
The since-shuttered remote code execution flaw was found in a PHP webhook within api.wordpress.org that allows developers to supply a hashing algorithm of their choice to verify code updates are legitimate.
Matt Barry, lead developer of WordPress security outfit WordFence, found attackers could supply their own extremely weak hashing algorithm as part of that verification process, allowing a shared secret key to be brute-forced over the course of a couple of hours.
The rate of guessing attempts would be small enough to fly under the radar of WordPress’ security systems.
Attackers could go further; once a backdoored or malicious update was pushed out, they could disable the default auto updates preventing WordPress from fixing compromised websites.
Barry says WordPress fails to use signature verification to check the updates to be installed and instead trusts all URLs and packages supplied by api.wordpress.org.
Barry reported the bug to WordPress creator Automattic on 2 September and a fix was delivered five days later.
Yet he still considers api.wordpress.org to be the single point of failure for the millions of WordPress sites that rely on the server for updates.
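The two update-channel stories above (the Ragentek OTA client that accepted unauthenticated server responses, and the api.wordpress.org webhook that let the caller pick the hash algorithm and then trusted whatever package URL came back) share one root cause: the receiving side did not pin how authenticity is checked. The following is an added example, written in Python for this page and not code from WordPress, WordFence, Ragentek or AnubisNetworks. It shows the flawed pattern (algorithm name taken from the request, plain `==` comparison) beside a hardened verifier that pins the algorithm server-side, compares in constant time, and binds the package digest to the authenticated manifest so a substituted download is rejected. The secret, function names, manifest layout and sample package are all constructed for the illustration.

```python
"""Added example: webhook/update authentication in a flawed form (caller
chooses the hash algorithm) and a hardened form (algorithm pinned on the
server, constant-time comparison, package digest bound to the authenticated
manifest). Not code from any project named on the page; the secret, names
and sample data are constructed for this illustration."""
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"  # constructed sample
PINNED_ALGORITHM = "sha256"  # the only HMAC algorithm the server will accept


def sign(payload: bytes, algorithm: str, secret: bytes = SHARED_SECRET) -> str:
    """HMAC tag (hex) over payload; the sending side in this demo."""
    return hmac.new(secret, payload, algorithm).hexdigest()


def verify_vulnerable(payload: bytes, algorithm: str, tag: str,
                      secret: bytes = SHARED_SECRET) -> bool:
    """Mirrors the flawed pattern: the algorithm name comes from the request,
    so the caller decides which function protects the secret, and the tag is
    compared with `==`, which is not constant-time."""
    try:
        expected = hmac.new(secret, payload, algorithm).hexdigest()
    except (ValueError, TypeError):  # unknown or unusable algorithm name
        return False
    return expected == tag


def verify_hardened(payload: bytes, algorithm: str, tag: str,
                    secret: bytes = SHARED_SECRET) -> bool:
    """Hardened check: any request naming an algorithm other than the pinned
    one is refused before the secret is used; comparison is constant-time."""
    if algorithm != PINNED_ALGORITHM:
        return False
    expected = hmac.new(secret, payload, PINNED_ALGORITHM).hexdigest()
    return hmac.compare_digest(expected, tag)


def tag_bits(algorithm: str) -> int:
    """Size in bits of the tag an HMAC over `algorithm` produces: what a
    caller-chosen algorithm can shrink the check to."""
    return hashlib.new(algorithm).digest_size * 8


def make_manifest(package: bytes, version: str = "demo-1.0") -> bytes:
    """Manifest the publisher authenticates: version plus the package digest."""
    return json.dumps({"version": version,
                       "sha256": hashlib.sha256(package).hexdigest()},
                      sort_keys=True).encode()


def verify_update(manifest_bytes: bytes, tag: str, package: bytes,
                  secret: bytes = SHARED_SECRET) -> bool:
    """Accept a package only if (1) the manifest is authentic under the pinned
    algorithm and (2) the package hashes to the digest the manifest carries,
    so a swapped download fails even when the download URL itself is trusted."""
    if not verify_hardened(manifest_bytes, PINNED_ALGORITHM, tag, secret):
        return False
    manifest = json.loads(manifest_bytes)
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


def demo() -> None:
    package = b"constructed update package bytes"
    manifest = make_manifest(package)
    tag = sign(manifest, PINNED_ALGORITHM)
    print("genuine package accepted:", verify_update(manifest, tag, package))
    print("tampered package accepted:", verify_update(manifest, tag, package + b"!"))
    weak_tag = sign(manifest, "sha1")  # caller steers the check to another algorithm
    print("caller-chosen sha1 passes vulnerable check:",
          verify_vulnerable(manifest, "sha1", weak_tag))
    print("caller-chosen sha1 passes hardened check:",
          verify_hardened(manifest, "sha1", weak_tag))


if __name__ == "__main__":
    demo()
```

The hardened verifier never consults the request to decide how to verify: the algorithm, the comparison and the digest of the package are all fixed by the receiver. That is the property the webhook lacked when it honoured a caller-supplied algorithm, and the property an OTA client lacks when it runs whatever a plaintext HTTP response tells it to.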