Security trends for 2016

Here are my predictions for trends in information security and cyber security for year 2016.

Year 2015 was bad for information security was pretty, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 there was Airplanes hacked, cars hacked, vulnerabilities in a breathtaking range of sensitive equipment from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016 and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.

Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and in the identification of target can be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.

 

cadenas

EU information security decisions made in late 2015 will have impact on what comes in 2016: New EU data protection legislation package approved and EU Court of Justice decision in which it noted the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under the Safe Harbor violation of law – you need some other agreement for this. The situation for this will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.

After huge amount of user information leaks in 2015 from all kinds of Internet services, there will the challenges for cloud companies to gain trust in their security. You might have just dared to trust “the right cloud services,” since in principle the traditional information security point of view, they seem to be the main things okay, rising this privacy issues raised.

New environments will bring new threats. New operating systems versions means that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important important in 2016 as 5G networks will be critical infrastructure, on top of which for example. transport, industry, health and the new operators set up their business around 2020.

The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem in revelations as all other news coverage is the exponential growth of knowledge. There are variety of news summaries produced a daily basis, but they are not enough to get good picture of what is happening. There are bigger and smaller news, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.

Old way network security focused on perimeter defense is not enough in 2016. Old mantras “encrypt everything” and “secure the perimeter,” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: If you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network.  Traditional sandboxing will no longer protect against the growing malware landscape.  Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to public key infrastructure lock-and-key system you will need also an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans to various kinds of breaches – with a strong focus on integrity.

Law enforcement versus Silicon Valley tension will continue to be strong throughout year 2016. In 2015 Law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes.Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.

But this does not stop some government officials to demand such thing with varying success on different countries. Another fact is that The existence of coded communications is a reality and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: Encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access to government – ie, a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminalsJuniper’s VPN security hole is proof that govt backdoors are bonkers.  Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. The poorly thought-out and crude surveillance technique could have a devastating effect on the country’s internet security- as for example Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users install state-issued root certificate by January 1, 2016.

Google, Mozilla and Microsoft are pushing for early SHA-1 crypto cutoff that can happen in 2016 instead of earlier planned Jan 1st,  2017. Due to recent research showing that SHA-1 is weaker than previously believed, because it’s been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start display errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates in the end of 2016.

The use of Blockchain technology, permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than for just Bitcoin virtual money. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock.  Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with Linux Foundation.

The use of disk encryption will increase and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or loose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security neeeds. The disadvantage of this approach is that Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.

cadenas

Weak leaking passwords are still huge security problem still in 2016. Passwords are often the weakest parts when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering in a code sent via text method to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.

Google begins testing login system that uses phone notifications for authentication instead of passwords: authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

Smart phone will become more and more security critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”

Expect that number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?

cadenas

Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example US Navy is using obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the wrong approach to information security completely.

Cars were hacked at record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacksI Am The Cavalry has published a five star Cyber Safety Framework to mitigate this threat in cars, hopefully car component makers study it.

IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms – not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe, either, as they are built using largerly same too often vulnerable technologies as other IoT system. IoT security is still in in infancy in 2016.

Cyber criminals have become more active in 2015 particularly in the malicious the ransom fabrications. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily and Exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend to ensure IT Support or your service provider the data back-up and restoring procedure operational, practiced and tested. You can need it in 2016 to get your data back without considering paying to criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.

Ransomware will continue to dominate in 2016 and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom to DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. Ransomware Is Coming to Medical Devices article tells that according to a report released recently week by Forrester Research the number one cybersecurity prediction for 2016: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint”. Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.

2,232 Comments

  1. Tomi Engdahl says:

    ATMs are ‘spitting out’ cash after being infected with malware
    https://www.neowin.net/news/atms-are-spitting-out-cash-after-being-infected-with-malware

    It seems like every single week we hear of a new major security breach, or data dump, or record-setting DDoS attack, all of which highlight the important role of cyber security in our online world. Today, a new attack is in the news, though it seems to have been inspired by movies: hackers are attacking ATMs and making them “spit money”.

    Though the security researchers haven’t named the actual institutions affected, they claim attacks like these have taken place in the UK, Russia, Spain, Poland, the Netherlands, Romania, Estonia, Armenia, Bulgaria and others.

    Two of the biggest cash machine manufacturers, Diebold Nixdorf and NCR Corp, have confirmed that they are aware of the threat.

    Reply
  2. Tomi Engdahl says:

    Israeli Firm Can Steal Phone Data in Seconds
    http://www.securityweek.com/israeli-firm-can-steal-phone-data-seconds

    Petah Tikva, Israel – It only takes a few seconds for an employee of one of the world’s leading hacking companies to take a locked smartphone and pull the data from it.

    The company has contracts in more than 115 countries, many with governments, and it shot to global prominence in March when it was reported the FBI used its technology to crack the iPhone of one of the jihadist-inspired killers in San Bernardino, California.

    There have since been reports that Cellebrite was in fact not involved, and the company itself refuses to comment.

    Regardless, it is recognized as one of the world’s leaders in such technology.

    ‘Cat and mouse’

    Cellebrite’s technology is not online hacking. It only works when the phone is physically connected to one of the firm’s devices.

    The company recently demonstrated its capabilities for an AFP journalist.

    The password on a phone was disabled and newly taken photos appeared on a computer screen, complete with the exact location and time they were taken.

    The phone in the demonstration, an LG G4 run on Google’s Android operating system, is a model Cellebrite had already cracked, so the extraction did not take long.

    In the firm’s lab they have 15,000 phones — with around 150-200 new models added each month.

    When a new phone is launched, Ben-Peretz said, their 250-person research team races against competitors to find a chink in its armor, a process that can range from a few days to months.

    Legitimate means?

    According to Ben-Peretz, there is no phone on the market that is impossible to crack.

    “Yes it is getting harder, it is getting more complex,” he said. “But we still deliver results and they are results on the latest devices and latest operating systems.”

    Among the data the firm claims to be able to access are text messages deleted years previously.

    “Any company, including Cellebrite, has a responsibility to ensure their business activities don’t contribute to or benefit from serious human rights violations,” said Sari Bashi, Israel advocacy director at Human Rights Watch.

    Reply
  3. Tomi Engdahl says:

    Several DoS Vulnerabilities Patched in NTP
    http://www.securityweek.com/several-dos-vulnerabilities-patched-ntp

    The CERT Coordination Center and the Network Time Foundation announced on Monday the availability of NTP 4.2.8p9, which includes nearly 40 security patches, bug fixes and improvements.

    The latest version of the Network Time Protocol daemon (ntpd) addresses a total of ten security holes. The most serious of them, tracked as CVE-2016-9312 and rated “high severity,” has been described as an oversized UDP packet denial-of-service (DoS) issue that only affects Windows.

    “If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is ‘too big’, ntpd will stop working,” CERT and NTF wrote in their advisories.

    NTP 4.2.8p9 also patches two medium, two medium-low, and five low severity vulnerabilities. One of the medium severity flaws (CVE-2016-9310) affects the control mode (mode 6) functionality of ntpd and it can be exploited by a remote, unauthenticated attacker.

    “If, against long-standing BCP recommendations, ‘restrict default noquery’ is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring,” reads a description of the vulnerability.

    The second medium severity flaw (CVE-2016-7431) is related to a regression in the handling of some Zero Origin timestamp checks.

    Reply
  4. Tomi Engdahl says:

    Hacker Explains How He Hacked Into Tel Aviv’s Public Wi-Fi Network In Three Days
    https://mobile.slashdot.org/story/16/11/22/2132255/hacker-explains-how-he-hacked-into-tel-avivs-public-wi-fi-network-in-three-days

    Israeli hacker Amihai Neiderman needed three days to hack into Tel Aviv’s free public Wi-Fi. He only worked during the evenings, after he came home from his full-time job as a security researcher. The 26-year-old said the difficulty level was “a solid 5″ on a scale from 1 to 10. The hack, performed in 2014 and recently explained in detail during the DefCamp conference in Bucharest, Romania, shows how vulnerable public networks can be and why we should encrypt our web traffic while accessing them.

    A Hacker Took Over Tel Aviv’s Public Wi-Fi Network to Prove That He Could
    http://motherboard.vice.com/en_au/read/a-hacker-took-over-tel-avivs-public-wi-fi-network-to-prove-that-he-could

    He hacked his city out of curiosity. One day, he was driving home from work and he noticed the “FREE_TLV” displayed on his smartphone. He had no idea what it was, but got intrigued. It turned out to be Tel Aviv’s free municipal Wi-Fi network.

    The hacker connected to it and checked what his IP was, using http://whatismyip.com. This way, you usually find the address of the router that links you to the internet. To hack Tel Aviv, he needed to take control over this device.

    Neiderman got home and found out that the router had one port open. He tried it. This step allowed him to determine the manufacturer of the router. It turned out to be Peplink, a company he had never heard of. It made the mistake of having the administration interfaces online.

    He finally found out it was a high-end load balancing router.

    All he needed was a vulnerability to exploit.

    He tested the hack at home, emulating the city’s network, and it worked.

    The hacker notified Peplink. He was amazed by how fast they replied to his email, and how dedicated they were to patching the flaw.

    Reply
  5. Tomi Engdahl says:

    English FlexEnable plans to introduce the Cannes Trustech show next week in technology that can revolutionize the way we all used by the smart card. Enable tech has developed a highly accurate fingerprint sensor that can be implanted on the surface of the banking and credit card.
    the sensor is only 0.3 millimeters thick. This is less than half of the bank card standard 0.76 millimeter thickness.

    Biometric authentication is rapidly becoming, or in addition to the PIN codes in place, especially in the banking sector, where security is improved all the time.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=5448:seuraava-pankkikorttisi-lukee-sormenjalkesi&catid=13&Itemid=101

    Reply
  6. Tomi Engdahl says:

    Europe Cracks Down on Money Mules: 178 Arrested in Global Operation
    http://www.securityweek.com/europe-cracks-down-money-mules-178-arrested-global-operation

    178 individuals have been arrested across Europe for money laundering activities. More specifically, the individuals were acting as money mules helping criminals move stolen money out of the country of theft to criminal bank accounts abroad. The action was coordinated by Europol and Eurojust with assistance from law enforcement agencies in 16 European countries, together with the FBI and the U.S. Secret Services.

    A total of 580 money mules were identified during the action week: 14-18 November 2016. Of these, 380 suspects were interviewed by the national law enforcement agencies. 106 banks and private partners supported the action.

    Reply
  7. Tomi Engdahl says:

    Proactive Security – Does It Exist?
    http://www.securityweek.com/proactive-security-does-it-exist

    For years, security experts have been struggling to create proactive security products and proactive cyber defense strategies. If we had them, would we have been better prepared for all the major attack campaigns the industry has experienced of late – from the Target breach in 2013 to the Sony hack in 2014 to the recent IoT DDoS hacks and the DNC-related attacks?

    What these “successful” attacks tell us is that we are more reactive than proactive. Sometimes we are quick enough to react in time and companies which are frequent targets of cyberattacks seem to be satisfied with their ability to swiftly minimize the damage. But the question remains – does proactivity exist or are we in search of an unattainable goal?

    First, we should consider whether proactive defense strategies exist in the realm of real battlefields. If we examine battlefield defense strategies, “proactive strategies” are a rarity.

    Rather, we usually encounter strategies quickly identifying the “main effort” which the attacker chooses to achieve their goals, and then organizing defense resources quickly enough to neutralize it.

    Instead of counting on proactive systems to significantly improve our chances of winning cybersecurity confrontations, there are two main questions we should consider, the answers to which will determine our odds of winning the battle:

    1. How nimble is our cybersecurity apparatus?

    2. How quickly can we collaborate with others in order to deploy new defense strategies?

    Reply
  8. Tomi Engdahl says:

    Five Reasons to be Thankful for IT Security
    http://www.securityweek.com/five-reasons-be-thankful-it-security

    After a year of a divisive political climate, Thanksgiving comes at a welcome time.

    Unlike the political arena, or even other divisions of the technology industry, when working in IT security, people rarely notice when everything is done perfectly.

    #1 IT security saves money

    Sticky NoteThis one might be controversial, as many see security expenses more like insurance – a line item in case something bad happens. But, in today’s threat environment, it’s not a matter of “if” but “when” a disruptive attack will occur.

    #2 IT security retains customers

    The same 2016 Ponemon Institute study revealed that “churn” (loss of customers as a result of a data breach) was highest in the financial, health and service organizations, and lowest in public sector and education organizations.

    #3 IT security improves productivity

    While cat videos and social media have been disruptive to the productivity of many office workers, they are nothing compared to the attention that a data breach investigation and recovery effort can command from IT teams, communications teams, and even executive leadership.
    “In almost all cases, repairing damaged systems, rolling back to a pre-breach state and replacing/repairing the data were consistently mentioned as high-cost items.”

    #4 IT security will help you keep your job

    What do the breaches at the Office of Personnel Management (OPM), Target, and Sony Pictures all have in common? They all cost their CEOs

    # 5 IT security is ethical

    Regulations require compliance, and boards are interested in effective demonstration of policies and controls to satisfy auditors.
    But beyond compliance, much of the regulation we deal with as an industry is in place to protect customers, shareholders and employees. Doing the right things to protect their privacy and intellectual property

    Reply
  9. Tomi Engdahl says:

    Tech firms seek to frustrate internet history log law
    http://www.bbc.com/news/technology-38068078

    Plans to keep a record of UK citizens’ online activities face a challenge from tech firms seeking to offer ways to hide people’s browser histories.

    Internet providers will soon be required to record which services their customers’ devices connect to – including websites and messaging apps.

    The Home Office says it will help combat terrorism, but critics have described it as a “snoopers’ charter”.

    Critics of the law have said hackers could get access to the records.

    “It only takes one bad actor to go in there and get the entire database,”

    “You can try every conceivable thing in the entire world to [protect it] but somebody will still outsmart you.

    “Mistakes will happen. It’s a question of when. Hopefully it’s in tens or maybe a hundred years. But it might be next week.”

    Now, several virtual private network (VPN) operators have seized on its introduction to promote their offerings.

    VPNs digitally scramble a user’s internet traffic and send it to one of their own servers before passing it on to a site or app in a form they can make sense of. A similar process happens in reverse, helping mask the person’s online activity.

    As a result, instead of ISPs having a log of everywhere a customer has visited, the only thing they can provide to the authorities is the fact that a subscriber used a VPN.

    “We saw a boom in Australia last year correlated to when its data retention law went into effect,”

    “Our biggest advantage is we have a zero log policy,”

    “And even in the worst-case scenario that our servers are confiscated, there would be nothing on them because of the way they are configured.”

    One of the UK’s smaller internet providers, Andrews & Arnold, is looking into other ways to help its users circumvent the law.

    “Customers can install a Tor browser, which encrypts traffic to one of thousands of different internet connections throughout the world hiding what they are doing,” said managing director Adrian Kennard.

    “We are also working with a company called Brass Horn, which is planning to sell Tor-only internet access.

    Reply
  10. Tomi Engdahl says:

    Surveillance Firm ‘Geofeedia’ Cuts Half of Staff After Losing Access To Twitter, Facebook
    https://yro.slashdot.org/story/16/11/22/2146252/surveillance-firm-geofeedia-cuts-half-of-staff-after-losing-access-to-twitter-facebook

    In mid-October, an American Civil Liberties Union issued a report accusing police of using Geofeedia — a CIA-backed social-media monitoring platform — to track protests and other large gatherings. As a result, Instagram, Facebook and eventually, Twitter cut the company off from its valuable data stream, causing them to cut half of their staff to “focus on a variety of innovations”

    Geofeedia cuts half of staff after losing access to Twitter, Facebook
    http://www.chicagotribune.com/bluesky/originals/ct-geofeedia-cuts-jobs-surveillance-bsi-20161121-story.html

    Reply
  11. Tomi Engdahl says:

    FBI Hacked Over 8,000 Computers In 120 Countries Based on One Warrant
    https://yro.slashdot.org/story/16/11/23/153212/fbi-hacked-over-8000-computers-in-120-countries-based-on-one-warrant?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    In January, Motherboard reported on the FBI’s “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually several orders of magnitude larger. In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries,

    The FBI’s ‘Unprecedented’ Hacking Campaign Targeted Over a Thousand Computers
    https://motherboard.vice.com/read/the-fbis-unprecedented-hacking-campaign-targeted-over-a-thousand-computers

    Reply
  12. Tomi Engdahl says:

    No super-kinky web smut please, we’re British
    UK ISPs will be asked to block streams of stuff it’s legal to do, but too dirtty to watch
    http://www.theregister.co.uk/2016/11/24/internet_censors_to_block_certain_acts/

    Film censors in the United Kingdom will be able to ban Brits from accessing websites that stream especially kinky X-rated videos, if a proposed change in the law gets up.

    The Digital Economy bill, which is due to hit the statute books in early 2017, is set to include a provision that will allow the British Board of Film Classification to order internet service providers to block webpages that feature non-conventional sex acts – basically anything that you can’t sell on a porno DVD in the UK, you won’t be able to watch online either.

    Reply
  13. Tomi Engdahl says:

    Men overboard! US Navy spills data on 134k sailors
    In the Navy, we sink thanks to HPE! In the Navy, we leak data with much ease!
    http://www.theregister.co.uk/2016/11/24/in_the_navy_we_sink_thanks_hpe_in_the_navy_we_lose_data_with_ease/

    The United States Navy has revealed that the names and social security numbers on 134,386 current and former has leaked, thanks to the compromise of a laptop used by a Hewlett Packard Enterprise Services staffer.

    The IT contractor and the Naval Criminal Investigative Service probed the data loss finding that “unknown individuals” accessed the records.

    The Navy says there is as yet no evidence the data was misused.

    No information was released on the detail of the incident, so we’re uncertain if the laptop was stolen, infected with malware or otherwise compromised.

    Reply
  14. Tomi Engdahl says:

    J. Alex Halderman / Medium:
    UMich security expert says Clinton should petition for recount in PA, MI, WI given the insecurity of voting machines and sophistication of state-sponsored hacks — You may have read at NYMag that I’ve been in discussions with the Clinton campaign about whether it might wish to seek recounts in critical states.

    Want to Know if the Election was Hacked? Look at the Ballots
    https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.c9xfwlqiq

    How might a foreign government hack America’s voting machines to change the outcome of a presidential election? Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.

    Could anyone be brazen enough to try such an attack? A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election.

    Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities.

    Were this year’s deviations from pre-election polls the results of a cyberattack? Probably not. I believe the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked. But I don’t believe that either one of these seemingly unlikely explanations is overwhelmingly more likely than the other.

    There is one absolutely essential security safeguard that protects most Americans’ votes: paper.

    I know I may sound like a Luddite for saying so, but most election security experts are with me on this: paper ballots are the best available technology for casting votes. We use two main kinds of paper systems in different parts of the U.S.

    Reply
  15. Tomi Engdahl says:

    Hacked or Not, Audit This Election (And All Future Ones)
    https://www.wired.com/2016/11/hacked-not-audit-election-rest/

    After an election marred by hacker intrusions that breached the Democratic National Committee and the email account of one of Hillary Clinton’s top staffers, Americans are all too ready to believe that their actual votes have been hacked, too. Now those fears have been stoked by a team of security experts, who argue that voting machine vulnerabilities mean Clinton should demand recounts in key states.

    Dig into their argument, however, and it’s less alarmist than it might appear. If anything, it’s practical. There’s no evidence that the outcome of the presidential election was shifted by compromised voting machines. But a statistical audit of electronic voting results in key states as a routine safeguard—not just an emergency measure—would be a surprisingly simple way to ease serious, lingering doubts about America’s much-maligned electoral security. “Auditing ought to be a standard part of the election process,” says Ron Rivest, a cryptographer and computer science professor at MIT. “It ought to be a routine thing as much as a doctor washing his hands.”

    Electronic Elections Need Audits

    On Wednesday, University of Michigan computer security researcher Alex Halderman published a blog post arguing that Wisconsin, Michigan, and Pennsylvania should perform recounts due to risks that the election was hacked. The article followed a far more sensational report from New York Magazine the evening before stating that Halderman and a team of experts tried to persuade Clinton staffers to request that recount

    Want to Know if the Election was Hacked? Look at the Ballots
    https://medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba#.40v5oeim2

    Reply
  16. Tomi Engdahl says:

    CERT tells Microsoft to keep EMET alive because it’s better than Win 10′s own security
    Vuln seeker saus EMET has 13 protections Win 10 doesn’t
    http://www.theregister.co.uk/2016/11/24/cert_no_microsoft_even_win_7_emet_is_better_than_solo_win_10/

    Microsoft should reverse its planned axing of the lauded Enhanced Mitigation Toolkit (EMET) as Windows 10 cannot yet match its level of security, according to Carnegie Mellon University CERT furniture Will Dormann.

    The vulnerability analyst, who has pushed out security alerts and advice from the world’s first CERT for around a decade, says even a Windows 7 machine running EMET trumps Windows 10′s native defences.

    Redmond plans to rid the world of the exploit mitigation toolkit in mid 2018, after recently extending its end of life date by 18 months.

    Reply
  17. Tomi Engdahl says:

    Conviction by computer: Ministry of Justice wants defendants to plead guilty online
    Do you really trust prosecutors to upload all their evidence
    http://www.theregister.co.uk/2016/09/19/ministry_of_justice_conviction_by_computer_plans/

    Train fare and telly licence dodgers will be invited to plead guilty from the comfort and convenience of their phones, according to court reform plans unveiled by the Ministry of Justice.

    In a paper issued jointly last week by Lord Chancellor Liz Truss MP, the Lord Chief Justice, Lord Thomas of Cwmgiedd, and the senior president of tribunals, Lord Justice Ryder, are plans to allow the justice system to take advantage of brand spanking new technologies such as the internet.

    The paper, titled Transforming Our Justice System (PDF, 20 pages), sets out how the ministry wants to move England and Wales’ court system away from 15th-century paper-based filing systems and to adopt long-overdue digital document handling processes.

    https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/553261/joint-vision-statement.pdf

    Reply
  18. Tomi Engdahl says:

    How to confuse a Euro-cop: Survey reveals the crypto they love to hate
    Bits of Freedom research discovers unsavoury continental back-door preferences
    http://www.theregister.co.uk/2016/11/24/foi_sparks_backdoor_debate_in_europe/

    European Union (EU) citizens can now get an idea of what their governments want – and are doing about – cryptography regulation.

    The new opprtunity comes courtesy of an freedom of information request by Bits of Freedom, summarised by privacy researcher Lukas Olejnik here.

    The news is bleak: the responses to a survey sent to EU governments indicate widespread support for restricting citizens’ access to encrypted communications.

    It’s quite accurate, for example, for the Italian response to note that it’s seeing HTTPS all over the place, given the concerted push by ‘net luminaries to persuade site operators to employ it and therefore offer better protection to sensitive data.

    However, even other countries that say their law enforcement often encounters encryption didn’t nominate HTTPS as something they encountered in the course of their investigations (Finland and Poland, for example). It’s feasible, even likely, that such countries didn’t tick the “HTTPS” box because peoples’ day-to-day banking isn’t the topic of investigation – rather, it’s the communications over Tor, or in comms apps like Skype and WhatsApp, that they want to crack.

    There is, as Olejnik notes, a common complaint among EU countries that they don’t have the money, technology, or skills to fight cybercrime (reading the responses we have to agree there’s a lack of skills).

    Which is probably why if Sweden wants to decrypt a device, its approach is to question the user [Hopefully not using rubber-hose decryption

    Reply
  19. Tomi Engdahl says:

    Evaluating Risks to Identity and Access When Moving to the Cloud
    http://www.securityweek.com/evaluating-risks-identity-and-access-when-moving-cloud

    Are Too Many Companies Putting Identity and Access at Unnecessary Risk in Their Move to the Cloud?

    “I know you guys don’t do cloud,” I began, “but are you moving to Office 365?”

    “Probably. Eventually. I think we’re going to get dragged there whether we want to go or not,”

    Microsoft Office has long been the most popular business productivity software suite. Now the Redmond-based giant is aggressively promoting their cloud-based version, Office 365, to organizations of all sizes.

    For small businesses particularly, the lure of a few dollars each month for the cloud version instead of hundreds of dollars per employee for the desktop suite is a huge temptation and given the choice, they’ll just go with it. I would, skinflint that I am.

    most Office 365 deployments result in user credentials (including C-level usernames and passwords) going to the cloud whether they mean to or not.

    Don’t believe me? Let’s look at the three identity and access management models used by Office 365.

    Cloud Identity Model – All your passwords belong to Microsoft.
    Synchronized Identity Model – Passwords hashed on-premises and in the cloud.
    Federated Identity Model—The most secure, but still sees mobile user passwords.

    What’s the Threat Model Here, Anyway?

    Here’s a short list of possible threat vectors you’d consider if you were doing a threat model assessment for any of cloud passwords management models (including the three above):

    · Cloud breach
    · Man-in-the-middle attack
    · Rogue cloud employee
    · Nation-state (subpoena)
    · Accidental credential logging
    · Phishing attack

    Many organizations have decided that they are comfortable with this gap. No model is 100 percent secure, right? But a few CSOs want to close the gap before they make the switch. Right now, the way to do it is to intercept and proxy ActiveSync connections from the client to an on-premises proxy which then encrypts the passwords before they transit to Azure AD.

    The final step is to implement adaptive multi-factor authentication (MFA). Adaptive MFA is risk-based authentication and can include certificate checks and context-aware, one-time passwords (OTP) via email.

    Reply
  20. Tomi Engdahl says:

    Office 365 identity and Azure Active Directory
    https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9#BK_Sync

    Office 365 uses the cloud-based user authentication service Azure Active Directory to manage users. You can choose from three main identity models in Office 365 when you set up and manage user accounts:

    Cloud identity. Manage your user accounts in Office 365 only. No on-premises servers are required to manage users; it’s all done in the cloud.

    Synchronized identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. You can also synchronize passwords so that the users have the same password on-premises and in the cloud, but they will have to sign in again to use Office 365.

    Federated identity. Synchronize on-premises directory objects with Office 365 and manage your users on-premises. The users have the same password on-premises and in the cloud, and they do not have to sign in again to use Office 365. This is often referred to as single sign-on.

    Reply
  21. Tomi Engdahl says:

    Gatak Trojan Continues to Target Healthcare Organizations
    http://www.securityweek.com/gatak-trojan-continues-target-healthcare-organizations

    Organizations in the healthcare sector continue to be the main targets of the Gatak Trojan, a piece of malware that can steal information and perform backdoor functions, Symantec researchers warn.

    Also known as Stegoloader and targeting mainly enterprise networks, Gatak (Trojan.Gatak) has been around since 2011, primarily focusing on organizations in the United States. Spreading through websites that promise licensing keys for pirated software, the malware hasn’t spared international organizations either, and the healthcare sector has suffered the most.

    Gatak spreads bundled with product keys for pirated software, via dedicated websites. The attackers lure victims by supposedly offering product keys for software usually used in professional environments, but the keys don’t work and users end up infected.

    The malware has two main components: a lightweight deployment module that gathers information on the infected machine and can install additional payloads; and the main module, a fully-fledged backdoor Trojan designed to steal information from the infected computer and achieve persistence.

    Reply
  22. Tomi Engdahl says:

    Six in Philippines May Face Charges Over Bangladesh Bank Heist Charges
    http://www.securityweek.com/six-philippines-may-face-charges-over-bangladesh-bank-heist-charges

    The Philippines said Wednesday it has launched criminal proceedings against six bankers accused of failing to stop the laundering of tens of millions of dollars stolen by cyber-criminals from Bangladesh’s central bank.

    The electronic thieves in February shifted $81 million from the bank’s account with the US Federal Reserve in New York to the Rizal Commercial Banking Corp. (RCBC) in Manila in one of the world’s biggest bank heists.

    The money was transferred to four accounts at an RCBC branch from where it was funnelled into local casinos, according to regulators who fined the bank a record $21 million in August.

    No one has been arrested in the Philippines over the heist but the government has recovered about $15 million, some of it from a Manila-based casino operator who has pledged to cooperate with the criminal enquiry.

    Reply
  23. Tomi Engdahl says:

    Meet Matrix, an Open Standard for De-centralized Encrypted Communications
    http://www.securityweek.com/meet-matrix-open-standard-de-centralized-encrypted-communications

    In the early days of the internet, communication was by email. Originally siloed by companies like Compuserve, AT&T and Sprint so that messages could only be exchanged with others on the same system, email is now ubiquitous. Pretty much anyone can communicate with anyone else without worrying about app or device or browser.

    Today there are additional methods of communicating via the internet, such as chat and voice. These new methods, however, are currently similar to early email: siloed by different vendors so that users can communicate only with other users on the same system. Matrix.org aims to change this, so that any user on one system can communicate with any user on a different system; just like email today.

    Matrix is an open standard for interoperable, decentralized, real-time communication over IP. It can be used for any type of IP communication: IM, VoIP, or IoT data.

    To this end, Matrix has announced and launched the formal beta of the new Olm end-to-end encryption implementation across Web, iOS and Android. “With Matrix.org and Olm,” commented Hodgson, “we have created a universal end-to-end encrypted communication fabric — we really consider this a key step in the evolution of the Internet.”

    Olm is the Matrix implementation of the Double Ratchet algorithm designed by Trevor Perrin and Moxie Marlinspike.

    http://matrix.org/

    Reply
  24. Tomi Engdahl says:

    The block chain market is divided now

    Block chains seem to be years operated the largest trends. During the autumn, we have seen a number of initiatives on cooperation between the financial sector and consulting companies, and appearances by celebrities in the news, if some kind of product ideas related to the block chains and launch startups.

    The chain block, for example, refers to the underlying Bitcoin virtual currency technology. It is infinitely long cryptographic data structure that records up money transfers between users. Ethereum has extended the original model, so that the block chain is suitable for addition to money transfers Other Uses book keeping and even the signing of agreements.

    the main feature of the block chains is their decentralization among all users. The data structure is not held by any single party.

    The financial sector can not imagine the attitude towards the block a little chains in the same way as the Internet media companies. Internet was believed to be the early stages of a big moneymaker. On the other hand it is also feared and belittled because of its effects are not yet known.

    During the first few years will also be distributed block chain infrastructure market.

    Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM, in turn, has jumped Hyperledger consortium bandwagon and offering their own lblock chains to Bluemix service.

    Google and Amazon still shine by their absence from this market. Apparently, neither of them do not want to be bound to any particular technology too early.

    Microsoft’s Azure-block chain is still in its infancy.
    IBM Block Chain again is taken more seriously product.

    Amateurs – and suffering from paranoia – can drive a block chains in their own servers. It is likely to be tinkering with a relatively small group. Who would like today to invest in new servers and maintenance personnel?

    Even banks may prefer to see the use of cloud case, the block chains. They would otherwise need to open the fire walls to fairly low-level access to the block chain applications.

    Also, end users are shifting a growing share of data processing to the cloud. Block chains require a lot of capacity and electric current, so they perform poorly in cell phones.

    Source: http://www.tivi.fi/blogit/lohkoketjujen-markkinat-jaetaan-nyt-6601722

    Reply
  25. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Experts say election results should be audited to ease lingering doubts about voting systems — After an election marred by hacker intrusions that breached the Democratic National Committee and the email account of one of Hillary Clinton’s top staffers, Americans are all too ready to believe …

    Hacked or Not, Audit This Election (And All Future Ones)
    https://www.wired.com/2016/11/hacked-not-audit-election-rest/

    Electronic Elections Need Audits

    Reply
  26. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Google has been warning prominent journalists and professors that their accounts are under attack from “government-backed attackers”

    Google warns journalists and professors: Your account is under attack
    A flurry of social media reports suggests a major hacking campaign has been uncovered.
    http://arstechnica.com/security/2016/11/google-warns-journalists-and-professors-your-account-is-under-attack/

    Google is warning prominent journalists and professors that nation-sponsored hackers have recently targeted their accounts, according to reports delivered in the past 24 hours over social media.

    The people reportedly receiving the warnings include Nobel Prize-winning economist and New York Times columnist Paul Krugman, Stanford University professor and former US diplomat Michael McFaul, GQ correspondent Keith Olbermann, and according to this tweet, Politico, Highline, and Foreign Policy contributor/columnist Julia Ioffe; New York Magazine reporter Jonathan Chait; and Atlantic magazine writer Jon Lovett. Reports of others receiving the warnings are here and here.

    One of the red banners included large white text that stated: “Warning: Google may have detected government-backed attackers trying to steal your password.” It included a link that led to advice for securing accounts

    It’s not certain that the PowerDuke campaign and the flurry of Google warnings are connected, but there are enough similarities to entertain the possibility.

    Reply
  27. Tomi Engdahl says:

    McKenzie Funk / New York Times:
    How Cambridge Analytica, which was hired by the Trump and Brexit “Leave” campaigns, builds psychological profiles of Facebook users with personality quizzes

    The Secret Agenda of a Facebook Quiz
    http://www.nytimes.com/2016/11/20/opinion/the-secret-agenda-of-a-facebook-quiz.html

    Do you panic easily? Do you often feel blue? Do you have a sharp tongue? Do you get chores done right away? Do you believe in the importance of art?

    If ever you’ve answered questions like these on one of the free personality quizzes floating around Facebook, you’ll have learned what’s known as your Ocean score: How you rate according to the big five psychological traits of Openness, Conscientiousness, Extraversion, Agreeableness and Neuroticism. You may also be responsible the next time America is shocked by an election upset.

    For several years, a data firm eventually hired by the Trump campaign, Cambridge Analytica, has been using Facebook as a tool to build psychological profiles that represent some 230 million adult Americans.

    Cambridge Analytica worked on the “Leave” side of the Brexit campaign. In the United States it takes only Republicans as clients

    No data point is very informative on its own, but profiling voters, says Cambridge Analytica, is like baking a cake. “It’s the sum of the ingredients,”

    The explosive growth of Facebook’s ad business has been overshadowed by its increasing role in how we get our news, real or fake.

    One recent advertising product on Facebook is the so-called “dark post”: A newsfeed message seen by no one aside from the users being targeted.

    Imagine the full capability of this kind of “psychographic” advertising.

    In the immediate wake of Mr. Trump’s surprise election, so many polls and experts were so wrong that it became fashionable to declare that big data was dead. But it isn’t, not when its most obvious avatar, Facebook, was so crucial to victory.

    Reply
  28. Tomi Engdahl says:

    Craig Timberg / Washington Post:
    Experts: a Russian propaganda campaign to undermine Clinton helped spread fake news during election using botnets, networks of sites, paid human “trolls”, more

    Russian propaganda effort helped spread ‘fake news’ during election, experts say
    https://www.washingtonpost.com/business/economy/russian-propaganda-effort-helped-spread-fake-news-during-election-experts-say/2016/11/24/793903b6-8a40-4ca9-b712-716af66098fe_story.html

    The flood of “fake news” this election season got support from a sophisticated Russian propaganda campaign that created and spread misleading articles online with the goal of punishing Democrat Hillary Clinton, helping Republican Donald Trump and undermining faith in American democracy, say independent researchers who tracked the operation.

    Russia’s increasingly sophisticated propaganda machinery — including thousands of botnets, teams of paid human “trolls,” and networks of websites and social-media accounts — echoed and amplified right-wing sites across the Internet as they portrayed Clinton as a criminal hiding potentially fatal health problems and preparing to hand control of the nation to a shadowy cabal of global financiers. The effort also sought to heighten the appearance of international tensions and promote fear of looming hostilities with nuclear-armed Russia.

    Two teams of independent researchers found that the Russians exploited American-made technology platforms to attack U.S. democracy at a particularly vulnerable moment

    The sophistication of the Russian tactics may complicate efforts by Facebook and Google to crack down on “fake news,” as they have vowed to do after widespread complaints about the problem.

    There is no way to know whether the Russian campaign proved decisive in electing Trump, but researchers portray it as part of a broadly effective strategy of sowing distrust in U.S. democracy and its leaders.

    “They want to essentially erode faith in the U.S. government or U.S. government interests,”

    “This was their standard mode during the Cold War. The problem is that this was hard to do before social media.”

    more than 200 websites as routine peddlers of Russian propaganda during the election season, with combined audiences of at least 15 million Americans. On Facebook, PropOrNot estimates that stories planted or promoted by the disinformation campaign were viewed more than 213 million times.

    Some players in this online echo chamber were knowingly part of the propaganda campaign, the researchers concluded, while others were “useful idiots”

    harnessing the online world’s fascination with “buzzy” content that is surprising and emotionally potent

    Some of these stories originated with RT and Sputnik

    On other occasions, RT, Sputnik and other Russian sites used social-media accounts to amplify misleading stories already circulating online, causing news algorithms to identify them as “trending” topics that sometimes prompted coverage from mainstream American news organizations.

    The speed and coordination of these efforts allowed Russian-backed phony news to outcompete traditional news organizations for audience.

    The final weeks of the campaign featured a heavy dose of stories about supposed election irregularities, allegations of vote-rigging and the potential for Election Day violence should Clinton win, researchers said.

    “The way that this propaganda apparatus supported Trump was equivalent to some massive amount of a media buy,”

    He and other researchers expressed concern that the U.S. government has few tools for detecting or combating foreign propaganda.

    The Kremlin has repeatedly denied interfering in the U.S. election or hacking the accounts of election officials.

    “They use our technologies and values against us to sow doubt,” said Robert Orttung, a GWU professor who studies Russia. “It’s starting to undermine our democratic system.”

    “For them, it’s actually a real war, an ideological war, this clash between two systems,” said Sufian Zhemukhov, a former Russian journalist conducting research at GWU. “In their minds, they’re just trying to do what the West does to Russia.”

    Reply
  29. Tomi Engdahl says:

    Mozilla hackers audit cURL file transfer toolkit, give it a tick for security
    Four remote code execution holes patched along the way
    http://www.theregister.co.uk/2016/11/25/mozilla_hackers_give_curl_security_audit_tick/

    Mozilla has given the widely-used cURL file transfer library a thumbs up in a security audit report that uncovered nine vulnerabilities.

    Of those found in the free security review were four high severity vulnerabilities leading to potential remote code execution, and the same number of medium risk bugs. One low risk man-in-the-middle TLS flaw was also uncovered.

    Audit vulnerabilities:

    CRL -01-021 UAF via insufficient locking for shared cookies ( High)
    CRL -01-005 OOB write via unchecked multiplication in base 64_ encode () ( High)
    CRL -01-009 Double – free in krb 5 read _ data () due to missing realloc () check ( High)
    CRL -01-014 Negative array index via integer overflow in unescape _ word () ( High)
    CRL -01-001 Malicious server can inject cookies for other servers ( Medium)
    CRL -01-007 Double – free in aprintf () via unsafe size _t multiplication ( Medium)
    CRL -01-013 Heap overflow via integer truncation ( Medium)
    CRL -01-002 ConnectionExists () compares passwords with strequal () ( Medium)
    CRL -01-011 FTPS TLS session reuse ( Low)

    https://curl.haxx.se/changes.html#7_51_0

    Reply
  30. Tomi Engdahl says:

    IBM pays up after ‘clearly failing’ DDoS protection for Australia’s #censusfail
    Two reports suggest this is what happens when government agencies hollow out
    http://www.theregister.co.uk/2016/11/25/ibm_clearly_failed_ddos_protection_for_australias_censusfail/

    Australia’s census all-but failed due to a combination of poor design, bad operational decisions, human error and numerous lazy and/or bad decisions that could have been avoided had warnings about corporate culture been heeded and Australian government agencies properly educated about what it takes to deliver digital services.

    That’s The Register’s summary of two reports into the contentious events of August 9th, when Australia’s online census went down after a suspected denial of service attack saw a router rebooted, but fail to restart because IBM had never tested what would happen if it turned it on and off again. IBM has claimed it would never have had to touch the power button if ISPs it hired did their jobs properly.

    Enough back story for now: to the reports

    That worries MacGibbon as much as anything else: his report says the failure of the census shows that beyond a couple of dedicated agencies, Australia’s government just doesn’t know what it takes to run digital services.
    Dud DDoS defences

    The organisational issues both reports identify led to the adoption of what proved to be a dud DDoS defence.

    The Senate Committee report offers the observation that “It goes without saying that the eCensus website should have had the capacity to withstand what was a relatively minor attack.”

    “Further, the appropriateness of Island Australia must also be questioned given that some components of the eCensus—such as password resets—required access to international servers.”

    MacGibbon criticises IBM for its approach to implementing Island Australia, which saw it test the DDoS protection only once the census form was live and then only for ten minutes. Those tests did not consider the impact the “Island Australia” plan to block traffic from non-Australian IP addresses would have on other internet service providers (ISPs). IBM is also felt not to have issued proper instructions to one of its contracted ISPs. That ISP didn’t help matters by failing to configure its service for IBM’s data centre.

    Even if all the DDoS protection plans had worked, MacGibbon finds it the “Island Australia” plan is not a widely-accepted DDoS defence tactic. He also points out that geo-blocking had the potential to harm the census.

    Reply
  31. Tomi Engdahl says:

    Poison .JPG spreading ransomware through Facebook Messenger
    Cick-to-self-p0wn attack sneaks Locky ransomware past Zuck’s security model
    http://www.theregister.co.uk/2016/11/25/selfharming_jpg_hack_hole_may_be_key_to_lockys_fb_spread/

    Checkpoint has found an image obfuscation trick it thinks may be behind a recent massive phishing campaign on Facebook that’s distributing the dangerous Locky ransomware.

    The security firm has not released technical details as the flaw it relies on still impacts Facebook and LinkedIn, among other unnamed web properties.

    The flaw as described is, in this writer’s opinion, ultimately of little risk to El Reg’s tech savvy readers, but folks who can be conned into downloading and running unknown executables are at risk.

    The attack is also significant in that it breaks Facebook’s security controls.

    The victim must click the attachment, an act that generates a Windows save file prompt asking the victim for the save directory to which the now .hta file will be downloaded.

    They must then double-click the saved .hta file to unleash the Locky ransomware.

    While the attack is not automated and, it does break Facebook’s hypervigilant security model and is fairly regarded by Checkpoint as a Facebook “misconfiguration”.

    Reply
  32. Tomi Engdahl says:

    Russian Hacker Conspiracy Theory is Weak, But the Case For Paper Ballots is Strong
    https://politics.slashdot.org/story/16/11/24/178217/russian-hacker-conspiracy-theory-is-weak-but-the-case-for-paper-ballots-is-strong

    On Wednesday, J. Alex Halderman, the director of the University of Michigan’s Center for Computer Security & Society and a respected voice in computer science and information society, said that the Clinton Campaign should ask for a recount of the vote for the U.S. Presidential election. Later he wrote,

    The Outline, a new publication by a dozen of respected journalists, has published a post (on Facebook for now, since their website is still in the works), in which former Motherboard’s reporter Adrianne Jeffries makes it clear that we still don’t have concrete evidence that the vote was tampered with, but why still the case for paper ballots is strong.

    The Russian hacker conspiracy theory is weak, but the case for paper ballots is strong.
    https://www.facebook.com/notes/the-outline/the-russian-hacker-conspiracy-theory-is-weak-but-the-case-for-paper-ballots-is-s/708744602609346

    It would be very, very hard for Russia to hack the US vote, as The Outline reported last week, due to the way the US voting system works. However, a respected voice in computer science and information security has given new weight to the push for examining the voting results, hackers or not.
    J. Alex Halderman is the director of the University of Michigan’s Center for Computer Security & Society and the author of an online course on election technology. Halderman has been lobbying the Hillary Clinton campaign behind the scenes to ask for a recount of the vote, as first reported by New York magazine’s Gabriel Sherman. The professor wrote a post on Medium to clarify his views.

    Reply
  33. Tomi Engdahl says:

    Nearly 40% of Americans Would Give Up Sex For Better Online Security, Survey Finds
    https://yro.slashdot.org/story/16/11/23/2338221/nearly-40-of-americans-would-give-up-sex-for-better-online-security-survey-finds

    A recent survey of over 2,000 adults conducted by Harris Poll on behalf of Dashlane, a “leader in online identity and password management,” found that nearly 40 percent of Americans would give up sex for an entire year if it meant they’d never have to worry about being hacked.

    Nearly 40% of Americans Would Give Up Sex for a Year in Exchange for Better Online Security
    http://www.huffingtonpost.com/entry/58360acee4b050dfe6187992?timestamp=1479937849453

    Would you sacrifice sex as a trade for online security? Because 40 percent of Americans said they would do just that.

    According to a recent survey of over 2,000 adults conducted by Harris Poll on behalf of Dashlane, an online password management and identity service, almost 4 in 10 Americans (39% to be exact) would go without making love for one entire year if it meant they’d never have to worry about identity theft, being hacked, or losing an online account ever again.

    Over two-thirds of adults in the United States shop online at least once a month and many others use the internet to bank, pay bills, or conduct other important transactions. And when you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. But just how far some people would go if it meant they’d never have to deal with identify theft will probably surprise you may be surprising to many.

    And sex wasn’t all. 40 percent of people also said they’d give up their favorite food for one month in the name of peace of mind online.

    If all of this sounds drastic, the truth is that it probably is. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password.

    10 years ago, anti-virus was the primary method of online security. But since the Internet has left the desktop and is on laptops, tablets, and cell phones, and since so many people now use the cloud for backing up their sensitive data, following proper password protocol is critical.

    Of course, having a solid password doesn’t do a lot of good if you’re giving it out to people. And nearly 50% of people have shared a password to an e-mail account or to an account like Netflix with a friend or had a friend share theirs

    A look at the password habits of Americans showed that about 30% have used a pet’s name, almost 25% have used a family member’s name, 21% a birthday, and 10% each have used an anniversary, a sports team, an address, or a phone number.

    [Press Release] A New Study Reveals Extremes People Go To for Online Protection
    https://blog.dashlane.com/study-reveals-extremes-people-go-online-protection/

    Reply
  34. Tomi Engdahl says:

    Delete yourself from the internet by pressing this button
    http://thenextweb.com/apps/2016/11/24/delete-internet/

    The internet can be a beautiful and horrible place at the same time, and it isn’t weird to sometimes feel like you want to leave — there’s wasn’t an easy way out, until now.

    Swedish developers Wille Dahlbo and Linus Unnebäck created Deseat.me, which offers a way to wipe your entire existence off the internet in a few clicks.

    When logging into the website with a Google account it scans for apps and services you’ve created an account for, and creates a list of them with easy delete links.

    Every account it finds gets paired with an easy delete link pointing to the unsubscribe page for that service. Within in a few clicks you’re freed from it, and depending on how long you need to work through the entire list, you can be account-less within the hour.

    https://www.deseat.me/

    Reply
  35. Tomi Engdahl says:

    If You’re Only as Strong as Your Allies, Should You Trust Third-Party Code?
    http://www.securityweek.com/if-youre-only-strong-your-allies-should-you-trust-third-party-code

    Doing business is a highly interactive endeavor and software is increasingly at the heart of those interactions. Agility becomes a key component of staying competitive, so organizations are seeking allies to help them obtain the software they need to stay in the race. Notice I said “obtain” rather than “build” or “code,” because help from one’s allies may come in the form of software components or fully grown application code.

    Allies may bring software to the game, but they also bring risk. The vulnerabilities in your allies’ software now become the vulnerabilities of your organization. This is not a new phenomenon—industries have turned to supply chain partners for a variety of business drivers in all sorts of markets and quickly realized they were inheriting risks from their allies. The growing use of open source components in agile and CI/CD environments have simply pushed the software supply chain and the need to trust your allies center stage.

    So what is the source of these software vulnerabilities? Heinlein’s Razor tells us, “Never attribute to malice that which can be adequately explained by incompetence, but don’t rule out malice.” A study of software vulnerabilities proves Heinlein to be quite prophetic when it comes to assessing the strengths, weaknesses, and potential risks of your allies.

    Got your attention? Good. Now consider your own coding practices. Does your team write bugless code? Have you eliminated the OWASP Top 10 from your software? Your honest answer will be no. So why would you assume that your allies have achieved some form of bug-free coding Nirvana? After all, they are competing against other would-be suppliers in the chain, and are under the same pressures as you. Who has time for security? Suffice it to say you should expect to inherit vulnerabilities from the incompetence of your ally at writing secure code.

    Now that we have covered off incompetence, remember Heinlein warns to never rule out malice.

    The insider threat represents real risk because traditional static and dynamic application security tests (SAST and DAST) that lie at the heart of most software security initiatives won’t find these vulnerabilities. Seasoned security experts can find the malicious constructs through source code analysis, but the majority of the code from your allies comes in binary form and you won’t have access to the source code. There are a limited number of tools that can detect insider threat constructs in binary code (full disclosure, Cigital offers such a tool), but they are not widely deployed. So while open source component analysis is getting all the press, it may be the insider threat that stands to cause the most harm.

    So what is the solution? The best place to start is to establish the policies and processes necessary to ensure that your organization takes the steps to reduce the vulnerabilities introduced by the software supply chain. Create policies around open source usage and the testing of third-party applications. Create guidelines that define the gates necessary for software from the software supply chain to make it into production.

    https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

    Reply
  36. Tomi Engdahl says:

    Ransomware: The most profitable malware in history
    http://cisco.ziffdavis.com/ransomware/

    Ransomware is expected to gross cyberthieves $1 billion this year. In fact, just one ransomware program, Cryptowall, is estimated to have generated $325 million from U.S. victims last year alone. And ransomware can have catastrophic consequences. Combat ransomware now or pay the price later.

    For example, ransomware now affects Mac OS, and so-called Ransomware-as-a-Service (RaaS) is spreading. Indeed, anyone can now attack a specific user or organization’s network by paying a professional hacker to do so.

    Reply
  37. Tomi Engdahl says:

    Security Researchers Can Turn Headphones Into Microphones
    https://news.slashdot.org/story/16/11/24/0142232/security-researchers-can-turn-headphones-into-microphones

    As if we don’t already have enough devices that can listen in on our conversations, security researchers at Israel’s Ben Gurion University have created malware that will turn your headphones into microphones that can slyly record your conversations

    The proof-of-concept, called “Speake(a)r,” first turned headphones connected to a PC into microphones and then tested the quality of sound recorded by a microphone vs. headphones on a target PC. In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room. It essentially “retasks” the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. This isn’t a driver fix, either.

    The researchers have published a video on YouTube demonstrating how this malware works.
    https://www.youtube.com/watch?v=ez3o8aIZCDM

    Security researchers can turn headphones into microphones
    https://techcrunch.com/2016/11/23/security-researchers-can-turn-headphones-into-microphones/

    Security researchers at Israel’s Ben Gurion University have created a proof-of-concept exploit that lets them turn headphones into microphones to secretly record conversations. The PoC, called “Speake(a)r,” first turned headphones connected to a PC into microphones and then tested the quality of sound recorded by a microphone vs. headphones on a target PC. In short, the headphones were nearly as good as an unpowered microphone at picking up audio in a room.

    The hack is fairly ingenious. It essentially “retasks” the RealTek audio codec chip output found in many desktop computers into an input channel. This means you can plug your headphones into a seemingly output-only jack and hackers can still listen in. “Our experiments demonstrate that intelligible audio can be acquired through earphones and can then be transmitted distances up to several meters away,” wrote researcher Mordecai Guri. “In addition, we showed that the same setup achieves channel capacity rates close to 1 Kbps in a wide range of frequencies.”

    “Most of today’s built-in sound cards are to some degree retaskable, which means that they can be used for more than one thing. …the kernel exposes an interface that makes it possible to retask your jacks, but almost no one seems to use it, or even know about it,” wrote Linux sound engineer David Henningsson. That’s exactly the exploit Speak(a)r uses.

    SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit
    https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf

    Reply
  38. Tomi Engdahl says:

    Android Malware Used To Hack and Steal Tesla Car
    https://it.slashdot.org/story/16/11/25/1139233/android-malware-used-to-hack-and-steal-tesla-car

    By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn’t that difficult according to a demo video from Norwegian firm Promon.

    This malicious app can use many of the freely available Android rooting exploits to take over the user’s phone, steal the OAuth token from the Tesla app and the user’s login credentials.

    Android Malware Used to Hack and Steal a Tesla Car
    http://www.bleepingcomputer.com/news/security/android-malware-used-to-hack-and-steal-a-tesla-car/

    By infecting a Tesla owner’s phone with Android malware, a car thief can hack and then steal a Tesla car, security researchers have revealed this week.

    Previous attempts to hack Tesla cars attacked the vehicle’s on-board software itself. This is how Chinese security researchers from Keen Lab have managed to hack a Tesla Model S last month, allowing an attacker to control a car from 12 miles away.

    Security experts from Norwegian security firm Promon have taken a different approach, and instead of trying complicated attacks on the car’s firmware, they have chosen to go after Tesla’s Android app that many car owners use to interact with their vehicle.

    Reply
  39. Tomi Engdahl says:

    Toronto blockchain security startup hires antivirus pioneer John McAfee as chief security officer (update)
    http://venturebeat.com/2016/11/24/toronto-blockchain-security-startup-hires-antivirus-pioneer-john-mcafee-as-chief-security-officer/

    The epic and unpredictable adventures of John McAfee have taken their most startling turn yet: He’s accepted a job working for someone else.

    Toronto-based Equibit Development Corporation said in a press release today that McAfee has been hired as the company’s chief security officer. In a somewhat unusual arrangement, however, McAfee will be reporting to the board and not the CEO.

    Update November 25 at 2:15 p.m.: Equibit issued a clarification to their previous press release to clarifying that McAfee would be only an adviser to the company’s board and not an actual employee.

    Reply
  40. Tomi Engdahl says:

    XSS game area
    https://xss-game.appspot.com/

    Cross-site scripting (XSS) bugs are one of the most common and dangerous types of vulnerabilities in Web applications. These nasty buggers can allow your enemies to steal or modify user data in your apps and you must learn to dispatch them, pronto!

    At Google, we know very well how important these bugs are.

    In this training program, you will learn to find and exploit XSS bugs. You’ll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications.

    Reply
  41. Tomi Engdahl says:

    Melbourne man arrested for broadcasting fake messages to pilots
    Commerical kit, not hacking, all that’s needed.
    http://www.theregister.co.uk/2016/11/24/melbourne_man_arrested_for_broadcasting_fake_messages_to_pilots/

    Melbourne man Paul Sant has been charged with unauthorised broadcasting over to pilots over radio bands restricted to aviation users, causing one plane to abort a landing to Tullamarine Airport.

    Sant, 19, is alleged to have placed 16 separate transmissions to pilots at Tullamarine and Avalon airports between 5 September and 3 November.

    He faces up to a maximum 20 years jail.

    Aviation transmission gear capable of communicating with pilots can be bought online for around AU$200.

    Enthusiasts regularly tune into the broadcasts which are sent unencrypted meaning no hacking is required to make transmissions.

    Reply
  42. Tomi Engdahl says:

    The UK wants to ban citizens from accessing websites that feature “non-conventional” porn
    The UK also wants more stringent age verification checks for porn sites
    http://www.techspot.com/news/67168-uk-wants-ban-citizens-accessing-websites-feature-non.html

    Not content with introducing the most extreme surveillance law ever passed in a democracy, the UK government also feels its citizens need to be protected from the horrors of online pornography. As such, it plans to ban websites that display “non-conventional” sex acts.

    The proposal, which is part of the digital economy bill, would see the same UK pornography restrictions that are in place for adult DVDs and video-on-demand services applied to online content.

    ISPs would be forced to block sites featuring material that would not be certified for commercial sale by the British Board of Film Classification (BBFC) – the UK’s version of MPAA.

    Basically, porn sites would need to block about half of their content from UK audiences in order to comply.

    Additionally, even those site that host so-called conventional adult material could suffer under the bill, as they will be forced to verify British users’ ages before allowing them access. The age checks could be carried out using credit cards – because nobody would have any issues with typing their Visa number into a porn site, obviously.

    The Digital Economy Bill could be amended before it becomes law but, unless the government pays attention to the numerous anti-censorship protesters, completely legal adult content could soon be banned.

    Reply
  43. Tomi Engdahl says:

    Ransomware Compromises San Francisco’s Mass Transit System
    https://news.slashdot.org/story/16/11/27/1819205/ransomware-compromises-san-franciscos-mass-transit-system

    Buses and light rail cars make San Francisco’s “Muni” fleet the seventh largest mass transit system in America. But yesterday its arrival-time screens just displayed the message “You Hacked, ALL Data Encrypted” — and all the rides were free, according to a local CBS report shared by RAYinNYC

    ‘You Hacked,’ Cyber Attackers Crash Muni Computer System Across SF
    http://sanfrancisco.cbslocal.com/2016/11/26/you-hacked-cyber-attackers-crash-muni-computer-system-across-sf/

    That was the message on San Francisco Muni station computer screens across the city, giving passengers free rides all day on Saturday.

    Inside sources say the system has been hacked for days.

    SFMTA has officially confirmed the hack, but says it has not affected any service.

    A spokesperson with the transit agency tells KPIX 5 it is an ongoing investigation.

    “There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” said Muni spokesperson Paul Rose. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”

    “I was like, is this part of Black Friday deal, or something?”

    Reply
  44. Tomi Engdahl says:

    Grand App Auto: Tesla smartphone hack can track, locate, unlock, and start cars
    Musk’s lot better get on this
    http://www.theregister.co.uk/2016/11/25/tesla_car_app_hack_enables_car_theft/

    A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.

    Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a blog post here. The cyber-attack unearthed by Promon provides additional functionality to that exposed by Keen Security Labs in a different hack in late September.

    Tom Lysemose Hansen, founder and CTO at Promon, said: “Keen Security Labs’ recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car.”

    Reply
  45. Tomi Engdahl says:

    Trump Tower briefly identified as ‘Dump Tower’ on Google Maps
    http://www.digitaltrends.com/web/dump-tower-google-maps/

    Google may have disabled Map Maker earlier this year to stop the public at large from trolling Google Maps, but apparently, where there’s a will, there’s a way. On Saturday, November 26, someone succeeded in changing the name of Trump Tower to “Dump Tower” on Google Maps, because trolls will always be trolls.

    Of course, the vigilant Google Maps team soon corrected the spelling to its original version,

    While the team managed to put out this first fire, another quickly arose to take its place (as is often the case on the internet), and later in the day on Saturday, Trump International Hotel & Tower in Columbus Circle was renamed Dump International Hotel & Tower.

    It is still unclear who was behind the name-changing prank

    Reply
  46. Tomi Engdahl says:

    48 Organizations Now Have Access To Every Brit’s Browsing Hstory
    https://news.slashdot.org/story/16/11/28/0430248/48-organizations-now-have-access-to-every-brits-browsing-hstory

    For those who missed our original reports, here is the new law in a nutshell: it requires telecom companies to keep records of all users’ web activity for a year, creating databases of personal information that the firms worry could be vulnerable to leaks and hackers. Civil liberties groups say the law establishes mass surveillance of British citizens

    These Are The 48 Organizations That Now Have Access To Every Brit’s Browsing History
    http://www.zerohedge.com/news/2016-11-26/these-are-48-organizations-now-have-access-every-brits-browsing-history

    Reply
  47. Tomi Engdahl says:

    Backdoored Phishing Templates Advertised on YouTube
    http://www.securityweek.com/backdoored-phishing-templates-advertised-youtube

    Scammers are abusing YouTube as a new way to promote backdoored phishing templates and provide potential buyers with information on how to use the nefarious software, Proofpoint researchers warn.

    Because cybercrime is a business, crooks are constantly searching for new means to advertise their products to increase gains. For some, YouTube seemed like a good selling venue, and they decided to promote their kits on this legitimate website.

    A search for “paypal scama” returns over 114,000 results, but buyers are in for a surprise, Proofpoint reveals. To be more precise, while the kits work as advertised, they also include a backdoor that automatically sends the phished information back to the author.

    Reply
  48. Tomi Engdahl says:

    Microsoft Azure Flaws Exposed RHEL Instances
    http://www.securityweek.com/microsoft-azure-flaws-exposed-rhel-instances

    Vulnerabilities in Microsoft’s Azure cloud platform could have been exploited by attackers to gain administrator access to Red Hat Enterprise Linux (RHEL) instances and storage accounts, according to a software engineer.

    Azure and Amazon Web Services (AWS) rely on the Red Hat Update Infrastructure (RHUI) to manage yum repository content for RHEL instances. Red Hat Update Appliances, which contact the Red Hat Network to fetch new and updated packages, have been created by Microsoft and Amazon for each region.

    Reply
  49. Tomi Engdahl says:

    U.S. Navy Warns 130,000 Sailors of Data Breach
    http://www.securityweek.com/us-navy-warns-130000-sailors-data-breach

    The U.S. Navy has launched an investigation into a data breach involving the personal information of more than 130,000 current and former sailors.

    The organization was informed by Hewlett Packard Enterprise Services on October 27 that the laptop of an employee supporting a Navy contract had been “compromised.” An investigation revealed that the device contained the personal details, including names and social security numbers (SSNs), of 134,386 current and former sailors.

    Reply
  50. Tomi Engdahl says:

    Researchers Hijack Tesla Car by Hacking Mobile App
    http://www.securityweek.com/researchers-hijack-tesla-car-hacking-mobile-app

    Researchers at Norway-based security firm Promon have demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android application.

    In a video released this week, experts showed how they could obtain the targeted user’s credentials and leverage the information to track the vehicle and drive it away. There are several conditions that need to be met for this attack and the victim must be tricked into installing a malicious app on their mobile phone, but the researchers believe their scenario is plausible.

    According to Promon, the Tesla mobile app uses HTTP requests and an OAuth token to communicate with the Tesla server. The token is valid for 90 days and it allows users to authenticate without having to enter their username and password every time they launch the app.

    Tesla cars can be stolen by hacking the app
    https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*