Here are my predictions for trends in information security and cyber security for year 2016.
Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect that the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying who is behind an attack can be very difficult. Behind targeted attacks there are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice decided that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have just dared to trust “the right cloud services,” since from the traditional information security point of view the main things seem to be okay, but the leaks have raised privacy issues.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016 as 5G networks will be critical infrastructure, on top of which, for example, transport, industry, health and the new operators will set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem in security revelations, as in all other news coverage, is the exponential growth of knowledge. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
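The “integrity solution that acts like an alarm” mentioned above can be as simple as a hash baseline of the files you care about. The following is an added example, not code from the original post: it takes a SHA-256 baseline of a directory tree, then reports files that were modified, added or removed since the baseline was taken. The directory layout and file contents in `demo()` are constructed for the demonstration; in practice the baseline would be stored somewhere the monitored host cannot alter.

```python
"""Added example: a minimal file-integrity alarm built on a SHA-256 baseline.
The tree built in demo() is constructed for the demo, not taken from the post."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map every regular file under root (by relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's target is hashed on its own, not via the link
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return the three kinds of deviation an integrity alarm must raise."""
    old, new = set(baseline), set(current)
    return {
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it, and diff the result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "app.cfg"), "w") as f:
            f.write("debug=false\n")
        baseline = take_baseline(root)

        # Simulated tampering: an edited config, a dropped-in script, a deleted file.
        with open(os.path.join(root, "app.cfg"), "w") as f:
            f.write("debug=true\n")
        with open(os.path.join(root, "etc", "cron.sh"), "w") as f:
            f.write("echo dropped\n")
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The alarm only tells you that something changed, not whether the change was authorised; that is why the post pairs it with prioritization and response plans. Scheduling `take_baseline` and `compare` against a baseline kept off-host is what turns this into a detection control rather than a one-off check.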
Law enforcement versus Silicon Valley tension will continue to be strong throughout the year 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that Governments Lie About Encryption Backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that govt backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. A poorly thought-out and crude surveillance technique could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1st, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, the Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. With Windows 10, Microsoft has introduced disk encryption where the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
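The “secret token” and “code sent to your phone” second factors above are, in the common authenticator-app form, time-based one-time passwords. The following is an added example and not code from the original post: it implements the RFC 4226 HOTP and RFC 6238 TOTP algorithms with Python’s standard library, including a verifier that tolerates a little clock drift and compares codes in constant time. The shared secret used here is the RFC 6238 test-vector secret, a constructed value and not a real credential.

```python
"""Added example: RFC 6238 time-based one-time codes (the authenticator-app
second factor). TEST_SECRET is the RFC's published test secret, not a real key."""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"  # constructed: RFC 6238 Appendix B test secret
STEP_SECONDS = 30                      # how long one code stays current
DIGITS = 8                             # RFC test vectors use 8 digits; apps often use 6


def hotp(secret, counter, digits=DIGITS, digest=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, window=1, step=STEP_SECONDS, digits=DIGITS):
    """Accept the code for the current step or the `window` steps on either side,
    so a phone whose clock is a few seconds off still works. Every candidate is
    compared with a constant-time comparison to avoid leaking digits via timing."""
    counter = int(unix_time) // step
    accepted = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            accepted = True  # keep looping so timing does not reveal which step matched
    return accepted


if __name__ == "__main__":
    now = time.time()
    code = totp(TEST_SECRET, now)
    print("code:", code, "valid now:", verify_totp(TEST_SECRET, code, now))
```

A server using this stores one secret per user, never the codes, and should also remember the last accepted counter so a captured code cannot be replayed inside the acceptance window; the hassle the paragraph mentions is the cost of that extra check at login.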
Google begins testing login system that uses phone notifications for authentication instead of passwords: authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is the completely wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransom malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend ensuring with IT support or your service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without considering paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
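A backup that has never been restored is only a hope, which is why the paragraph above asks for a restore procedure that is practiced and tested. The following is an added example, not code from the original post: a small restore drill that archives a directory, restores it into a fresh location, verifies the restored tree byte-for-byte against the source, and treats a corrupt archive as a failed restore rather than a crash. The directory contents and the deliberate truncation in `drill(corrupt=True)` are constructed for the demonstration.

```python
"""Added example: a backup-and-restore drill. Files and the truncation
used to simulate a damaged archive are constructed for the demo."""
import filecmp
import os
import tarfile
import tempfile

ARCNAME = "backup"  # top-level directory name inside the archive


def make_backup(src_dir, archive_path):
    """Write src_dir into a gzip-compressed tar archive under ARCNAME."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=ARCNAME)
    return archive_path


def trees_identical(a, b):
    """Recursive comparison: same entries and same file contents (not just size/mtime)."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _match, mismatch, errors = filecmp.cmpfiles(a, b, cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    return all(trees_identical(os.path.join(a, d), os.path.join(b, d)) for d in cmp.common_dirs)


def verify_restore(src_dir, archive_path):
    """Restore into a scratch directory and compare with the source.
    A corrupt or unreadable archive counts as a failed restore."""
    with tempfile.TemporaryDirectory() as restore_dir:
        # The "data" extraction filter (Python 3.12+, backported to some 3.8-3.11
        # releases) rejects absolute paths and path traversal inside the archive.
        extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir, **extract_kwargs)
        except (tarfile.TarError, EOFError, OSError):
            return False
        return trees_identical(src_dir, os.path.join(restore_dir, ARCNAME))


def _populate(src):
    """Constructed sample data standing in for the files you would back up."""
    os.makedirs(os.path.join(src, "docs"))
    with open(os.path.join(src, "docs", "report.txt"), "w") as f:
        f.write("quarterly figures\n")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("remember to test restores\n")


def drill(corrupt=False):
    """Run one drill; with corrupt=True the archive is cut in half to simulate damage."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(src)
        _populate(src)
        archive = make_backup(src, os.path.join(work, "data.tgz"))
        if corrupt:
            with open(archive, "r+b") as f:
                f.truncate(os.path.getsize(archive) // 2)
        return verify_restore(src, archive)


if __name__ == "__main__":
    print("healthy archive restores:", drill())
    print("truncated archive restores:", drill(corrupt=True))
```

Run against a real backup, the same `verify_restore` check belongs on a schedule, and the archive it reads should be a copy that ransomware on the client cannot reach (offline or on write-once storage), since an encrypted backup fails this drill exactly like a truncated one.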
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, If You’re Not Paranoid, You’re Crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
2,232 Comments
Tomi Engdahl says:
Russell Brandom / The Verge:
Google settles privacy suit, tentatively agrees to only scan emails for ads after they arrive in your inbox, which should have little effect on users or privacy — The company won’t do ad scans until after a message hits your inbox — Yesterday, Google tentatively agreed to a series …
Google just dodged a privacy lawsuit by scanning your emails a tiny bit slower
The company won’t do ad scans until after a message hits your inbox
http://www.theverge.com/2016/12/14/13958884/google-email-scanning-lawsuit-ecpa-cipa-matera
Yesterday, Google tentatively agreed to a series of changes in the way it collects data from Gmail, as part of a proposed settlement in Northern California District Court. If the court approves the settlement, Google will eliminate any collection of advertising-specific data before an email is accessible in a user’s inbox. The result likely won’t be noticeable to users, but it represents a real change to the way Google’s systems work, brought about after a voluntary settlement rather than a legal ruling.
Tomi Engdahl says:
Malvertising Campaign Infects Your Router Instead of Your Browser
https://it.slashdot.org/story/16/12/14/2059217/malvertising-campaign-infects-your-router-instead-of-your-browser
Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Unlike previous malvertising campaigns that targeted users of old Flash or Internet Explorer versions, this campaign focused on Chrome users, on both desktop and mobile devices. The malicious ads included in this malvertising campaign contain exploit code for 166 router models, which allow attackers to take over the device and insert ads on websites that didn’t feature ads, or replace original ads with the attackers’ own. Researchers haven’t yet managed to determine an exact list of affected router models, but some of the brands targeted by the attackers include Linksys, Netgear, D-Link, Comtrend, Pirelli, and Zyxel.
Malvertising Campaign Infects Your Router Instead of Your Browser
https://www.bleepingcomputer.com/news/security/malvertising-campaign-infects-your-router-instead-of-your-browser/
Exploit kit searches for vulnerable routers, not browsers or Flash installs
The way this entire operation works is by crooks buying ads on legitimate websites. The attackers insert malicious JavaScript in these ads, which use a WebRTC request to a Mozilla STUN server to determine the user’s local IP address.
Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on.
For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins.
The next step is for the attackers to send an image file to the user’s browser, which contains an AES (encryption algorithm) key embedded inside the photo using the technique of steganography.
The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers.
Malvertising campaign targets 166 router models
After the user receives his encryption key, the DNSChanger exploit kit sends each victim a list of router “fingerprints.” Proofpoint researchers say they’ve seen the exploit kit serving 166 router fingerprints at the time of writing.
The malicious ad uses these fingerprints to test the router type the user is using, and then report back to the exploit kit’s server.
The DNSChanger EK replies back with exploit packages that can take over the router and change its DNS settings in order to relay traffic through the crooks’ servers.
Attackers use compromised routers to replace ads in the user’s normal traffic
Once the attacker has gained control over the router, he can use it to replace legitimate ads with his own, or add advertisements on websites that didn’t feature ads.
While previous malvertising campaigns usually targeted users of Internet Explorer, this campaign focused on Chrome users, on both desktop and mobile devices. Ad replacement and insertion also takes place on traffic to mobile devices, not just desktops.
Updating router firmware is the recommended course of action
Because the attack is carried out via the user’s browser, using strong router passwords or disabling the administration interface is not enough.
The only way users can stay safe is if they update their router’s firmware to the most recent versions, which most likely includes protection against the vulnerabilities used by the DNSChanger EK.
Tomi Engdahl says:
NIST issues cybersecurity framework for small businesses
http://www.cablinginstall.com/articles/pt/2016/11/nist-issues-cybersecurity-framework-for-small-businesses.html
Most small businesses do not have the resources that large corporations have to implement a cybersecurity program. NIST [National Institute of Standards and Technology - U.S. Dept. of Commerce] recently published NISTIR 7621, a cybersecurity framework meant specifically for small businesses.
The guide was developed in conjunction with the Small Business Administration and looks to simplify the cybersecurity process while still making it a successful program. The document is only 54 pages long.
Small Business Information Security: The Fundamentals
http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Tomi Engdahl says:
Information Security is formally defined as “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability” [44USC].
Source: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
Tomi Engdahl says:
Bloomberg News:
Source: Verizon is looking to get a price cut or exit the $4.8B Yahoo deal after company discloses 1B accounts hacked in 2013; Yahoo stock down 5% — Verizon Communications Inc. is exploring a price cut or possible exit from its $4.83 billion pending acquisition of Yahoo! Inc. …
Verizon Explores Lower Price or Even Exit From Yahoo Deal
https://www.bloomberg.com/news/articles/2016-12-15/verizon-weighs-scrapping-yahoo-deal-on-hacking-liability?cmpid=socialflow-twitter-business
Verizon Communications Inc. is exploring a price cut or possible exit from its $4.83 billion pending acquisition of Yahoo! Inc., after the company reported a second major e-mail hack affecting as many as 1 billion users, according to a person familiar with the matter.
While a Verizon group led by AOL Chief Executive Officer Tim Armstrong is still focused on integration planning to get Yahoo up and running, another team, walled off from the rest, is reviewing the breach disclosures and the company’s options, said the person, who asked not to be identified discussing private information.
Yahoo shares fell as much as 6.5 percent to $38.25, the biggest intraday decline since February. Verizon rose less than 1 percent to $52.07.
In October, with slow progress and limited information available from the investigation, Silliman put Yahoo on notice, saying it was reasonable to assume the breach has had a material impact on the deal.
In the 2013 hack disclosed Wednesday, Yahoo said compromised user account information may have included names, e-mail addresses, telephone numbers, dates of birth, passwords and, in some cases, encrypted or unencrypted security questions and answers. The company said it was notifying potentially affected users and had taken steps to secure their accounts.
Verizon has said that the deal, which is expected to close in the first quarter of 2017, still makes sense strategically.
Tomi Engdahl says:
Yahoo reveals new hack: ‘Unauthorized third party’ stole data from more than 1 billion accounts
http://venturebeat.com/2016/12/14/yahoo-reveals-another-hack-where-unauthorized-third-party-stole-data-from-1-billion-accounts/
The intrusion occurred in August 2013 as a result of cookies forged by hackers who had obtained Yahoo’s proprietary code.
However, the company was quick to say that its investigation suggests that no passwords in clear text, payment card data, or bank account information were taken.
How this impacts Yahoo’s deal with Verizon remains to be seen, but if there was some hesitation before, when 500 million user accounts were compromised, then news of 1 billion compromised accounts will likely cause executives to pause before proceeding further.
Verizon, as you may know, has agreed to pay out $4.83 billion for the long-struggling, but iconic, technology and search provider.
So 500 million in 2014 and 1 billion in 2013. Do we really want to know what else may have happened before?
“Espionage has gone digital, like so many other things in our world. We’re increasingly seeing data being used as a weapon, where leaked or fabricated information is being used to intentionally damage individuals and governments. While cybercriminals are motivated by financial incentives, state actors are motivated by political and strategic incentives.”
Tomi Engdahl says:
Ashley Madison Dating Site to Pay $1.6 Million Over Breach
http://www.securityweek.com/ashley-madison-dating-site-pay-16-million-over-breach
The operators of the Ashley Madison affair-minded dating website agreed Wednesday to pay a $1.6 million penalty over a data breach exposing data from 36 million users, US officials announced.
The financial penalty, split between the federal government and US states suing the company, would increase to $8.75 million to the FTC plus $8.75 million to states if Ashley Madison fails to abide by new information security practices and refrain from misleading consumers.
“This case represents one of the largest data breaches that the FTC has investigated to date, implicating 36 million individuals worldwide,” said FTC chairwoman Edith Ramirez.
No compensation
Ramirez said the penalty being paid is too small to allow for “redress” or compensation to affected consumers, noting that compensation is rarely obtained in data security cases.
“We want them (the company) to feel the pain, we don’t want them to profit from unlawful conduct,” Ramirez told reporters in a conference call.
Tomi Engdahl says:
Two APTs Used Same Zero-Day to Target Individuals in Europe
http://www.securityweek.com/two-apts-used-same-zero-day-target-individuals-europe
Researchers at Microsoft have observed two separate advanced persistent threat (APT) actors that leveraged the same Flash Player zero-day vulnerability to spy on Turkish citizens living in Turkey and various other European countries.
Dubbed by Microsoft PROMETHIUM and NEODYMIUM – the company assigns chemical element names to threat actors – the groups used different infrastructure and malware, but there are some similarities that indicate a possible connection at a higher organizational level.
The attacks, spotted in early May, leveraged a Flash Player exploit (CVE-2016-4117) that Adobe patched on May 12. The groups used the same exploit at the same time, before it was publicly disclosed, and against the same type of targets.
Microsoft Edge to Block Flash by Default
http://www.securityweek.com/microsoft-edge-block-flash-default
Microsoft Edge is the latest Web browser to switch to HTML5 and keep Flash blocked by default unless users enable it to run on sites that require it.
Both Google and Mozilla announced similar moves for the Chrome and Firefox browsers, and Microsoft appears determined to join the pack. While Chrome 55 started blocking Flash by default earlier this month, Mozilla announced in July that Firefox would make a similar move next year. For now, only some Flash content on web pages is being blocked.
Tomi Engdahl says:
It’s now illegal in the US to punish customers for posting bad web reviews
Consumer rights law forbids retaliation for poor scores
http://www.theregister.co.uk/2016/12/15/obama_signs_bill_to_protect_bad_reviews/
President Obama has signed into effect a new law that bars businesses from punishing customers for giving bad reviews.
The Consumer Review Fairness Act (HR 5111) voids any contract that involves prohibitions or penalties related to poor online reviews.
“Consumers in the 21st century economy should be able to post, comment and tweet their honest and accurate feedback without fear of retribution,” Lance said of the bill.
“Too many companies are burying non-disparagement clauses in fine print and going after consumers when they post negative feedback online.”
Tomi Engdahl says:
Microsoft cautions holiday shoppers about fake credit card emails carrying Cerber ransomware
The scam emails claim to be notifying customers about fake pending charges on their credit cards.
http://www.ibtimes.co.uk/microsoft-cautions-holiday-shoppers-about-fake-credit-card-emails-carrying-cerber-ransomware-1596644
Tomi Engdahl says:
Google just dodged a privacy lawsuit by scanning your emails a tiny bit slower
The company won’t do ad scans until after a message hits your inbox
http://www.theverge.com/2016/12/14/13958884/google-email-scanning-lawsuit-ecpa-cipa-matera
Tomi Engdahl says:
A $300 Device Can Steal Mac FileVault2 Passwords
https://it.slashdot.org/story/16/12/15/234232/a-300-device-can-steal-mac-filevault2-passwords
Swedish hardware hacker Ulf Frisk has created a device that can extract Mac FileVault2 (Apple’s disk encryption utility) passwords from a device’s memory before macOS boots and anti-DMA protections kick in. The extracted passwords are in cleartext, and they also double as the macOS logon passwords.
Apple fixed the attack in macOS 10.12.2. The device is similar to what Samy Kamkar created with Poison Tap.
macOS FileVault2 Password Retrieval
http://blog.frizk.net/2016/12/filevault-password-retrieval.html
Tomi Engdahl says:
White House supports claim Putin directed US election hack
http://www.bbc.com/news/world-us-canada-38336272
The White House has suggested Russian President Vladimir Putin was directly involved in a hacking operation aimed at interfering with the US election.
Ben Rhodes, adviser to President Barack Obama, said that Mr Putin maintains tight control on government operations, which suggests that he was aware.
White House Press Secretary Josh Earnest added that it was “pretty obvious” that Mr Putin was involved.
Tomi Engdahl says:
China takes action on thousands of websites for ‘harmful’, obscene content
http://www.reuters.com/article/us-china-internet-idUSKBN1441GK
China has shut down or “dealt with” thousands of websites for sharing “harmful” erotic or obscene content since April, the state’s office for combating pornography and illegal publications announced on Thursday.
The office said 2,500 websites were prosecuted or shut down and more than 3 million “harmful” posts were deleted in eight months up to December during a drive to “purify” the internet in China and protect youth, the official Xinhua news agency reported.
Tomi Engdahl says:
Google publishes eight secret data requests from the FBI
http://www.theverge.com/2016/12/13/13938446/google-gag-order-national-security-letter-published-fbi
In a post today, Google published a series of eight National Security Letters, in which the Federal Bureau of Investigation secretly requested subscriber information on specific accounts. The letters range from 2010 to 2015, but follow a nearly identical format, identifying a number of accounts and sometimes a specific time frame but providing no evidence or suspicion to justify the request.
Google was legally prohibited from disclosing the requests when they were first issued, but that prohibition has since been lifted.
Sharing National Security Letters with the public
https://blog.google/topics/public-policy/sharing-national-security-letters-public/
In our continued effort to increase transparency around government demands for user data, today we begin to make available to the public the National Security Letters (NSLs) we have received where, either through litigation or legislation, we have been freed of nondisclosure obligations. We previewed this back in October when we updated our Transparency Report.
Tomi Engdahl says:
The Cost of Trust: How Secure Are Your Toys?
http://www.securityweek.com/cost-trust-how-secure-are-your-toys
Consumers Must Demand that Internet-Connected toys Offer the Basics of Trust and Security
You’ve planned a precision military strike; readied your forces and resources to acquire the target when it’s at hand; and done all the intel and weighed your options between kinetic and digital operations.
You’re finally ready to acquire THE toy of the holiday season.
If your target is a connected toy, there is a new angle to consider: how secure is that toy? Is the connectivity of the toy potentially exposing personal data about your child?
Tomi Engdahl says:
Flash Crashes and Rogue Algorithms: The Case for “Securing” Artificial Intelligence
http://www.securityweek.com/case-securing-algorithms-and-artificial-intelligence
‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms
Algorithms run the world. That’s a bit far-fetched, but we’re getting there. They control what we see on Facebook, whether we get hired for a new job, whether we get a bank loan, whether a new piece of code is good or malicious, and whether we should buy or sell shares of stock or currencies.
Algorithms are used for such purposes because they are good at making probabilistic projections based on past data with no human intervention and at machine speed — they are fast and cheap. But they are not infallible. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Tomi Engdahl says:
Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt
https://linux.slashdot.org/story/16/12/16/0229207/zero-days-hitting-fedora-and-ubuntu-open-desktops-to-a-world-of-hurt
It’s the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of Linux zero day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: “‘I like to prove that vulnerabilities are not just theoretical — that they are actually exploitable to cause real problems,’ Evans told Ars when explaining why he developed — and released — an exploit for fully patched systems.”
Redux: compromising Linux using… SNES Ricoh 5A22 processor opcodes?!
https://scarybeastsecurity.blogspot.fi/2016/12/redux-compromising-linux-using-snes.html
Overview
TL;DR: full reliable 0day drive-by exploit against Fedora 25 + Google Chrome, by breaking out of Super Nintendo Entertainment System emulation via cascading side effects from a subtle and interesting emulation error. Very full details follow.
Resolving all the above, I present here a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora. It abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100% reliable exploitation possibilities.
Appendix A: patch
No reason I shouldn’t propose a patch. Here it is.
Tomi Engdahl says:
Nymaim Trojan Fingerprints MAC Addresses to Bypass Virtualization
http://www.securityweek.com/nymaim-trojan-uses-mac-addresses-bypass-virtualization
The Nymaim Trojan is now fingerprinting MAC addresses to see if it is running in a virtualized environment, SophosLabs security researchers warn.
The Trojan, often used to download additional malware onto compromised machines and recently associated with several ransomware campaigns, is comparing the targeted machine’s MAC address against a hardcoded list, which allows it to avoid virtual environments and thwart analysis tools.
This approach, SophosLabs researcher Sandor Nemes explains, results in Nymaim losing some targets, but also means that it escapes the automated antivirus sandboxes, which can buy an attacker precious time. The new behavior was observed in the samples used in a campaign targeting mostly German-speaking users.
Tomi Engdahl says:
‘So sorry’ Evernote rips up privacy changes
And we won’t read your notes – promise
http://www.theregister.co.uk/2016/12/16/so_sorry_evernote_rips_up_privacy_changes/
Evernote has scrapped changes to its data protection practices after a furious customer backlash.
Evernote now says it will not now implement the changes it announced earlier in the week come January 23, as it had planned.
“We announced a change to our privacy policy that made it seem like we didn’t care about the privacy of our customers or their notes. This was not our intent, and our customers let us know that we messed up, in no uncertain terms. We heard them, and we’re taking immediate action to fix it,” Evernote CEO Chris O’Neill said in a statement.
“We are excited about what we can offer Evernote customers thanks to the use of machine learning, but we must ask for permission, not assume we have it. We’re sorry we disappointed our customers, and we are reviewing our entire privacy policy because of this.”
Tomi Engdahl says:
Dear hackers, Ubuntu’s app crash reporter will happily execute your evil code on a victim’s box
To everyone else, get patching
http://www.theregister.co.uk/2016/12/15/researcher_details_justpatched_pwnage_flaws_in_ubuntu/
Users and administrators of Ubuntu Linux desktops are being advised to patch their systems following the disclosure of serious security flaws.
Researcher Donncha O’Cearbhaill, who discovered and privately reported the vulnerabilities to Ubuntu, said that a successful exploit of the bugs could allow an attacker to remotely execute code by way of a maliciously booby-trapped file.
The researcher found he could inject code into the OS’s crash file handler by crafting a crash file that, when parsed, executes arbitrary Python code.
Tomi Engdahl says:
Yahoo under scrutiny after latest hack, Verizon seeks new deal terms
http://www.reuters.com/article/us-yahoo-cyber-idUSKBN14420S?il=0
Yahoo Inc (YHOO.O) came under renewed scrutiny by federal investigators and lawmakers on Thursday after disclosing the largest known data breach in history, prompting Verizon Communications Inc (VZ.N) to demand better terms for its planned purchase of Yahoo’s internet business.
BIGGEST BREACH
Yahoo said late on Wednesday that it had uncovered a 2013 cyber attack that compromised data of more than 1 billion user accounts, the largest known breach on record.
The White House said on Thursday the U.S. Federal Bureau of Investigation was probing the breach. Several lawsuits seeking class-action status on behalf of Yahoo shareholders have been filed, or are in the works.
Germany’s cyber security authority, the Federal Office for Information Security (BSI), advised German consumers to consider switching to safer alternatives for email.
The latest breach drew widespread criticism from security experts, several advising consumers to close their Yahoo accounts.
Tomi Engdahl says:
Devin Coldewey / TechCrunch:
The US Election Assistance Commission, which oversees security of voting systems, was hacked around the time of the election, allegedly by a Russian hacker — The U.S. Election Assistance Commission, which is responsible for testing and certifying voting systems, among other things …
The government body that oversees the security of voting systems was itself hacked
https://techcrunch.com/2016/12/15/the-government-body-that-oversees-the-security-of-voting-systems-was-itself-hacked/
The U.S. Election Assistance Commission, which is responsible for testing and certifying voting systems, among other things, was hacked around the time of the election, security outfit Recorded Future reports. The EAC confirmed a “potential intrusion” in a statement issued to TechCrunch.
This isn’t a smoking gun for a stolen election or anything like that; the EAC doesn’t actually run the elections, nor does it handle voter information. But it is a shameful display all the same, especially considering how loudly and frequently the hacking threat has been bruited by officials this year.
In addition to logins, Rasputin was selling an open SQL injection vulnerability for the EAC’s internal website.
In its statement, the EAC said it was working with the FBI “to determine the source of this criminal activity.”
Tomi Engdahl says:
Russell Brandom / The Verge:
Under pressure from the ACLU in California, Twitter cuts off geospatial intelligence data being sold by Dataminr to police, prohibiting its use for surveillance
Twitter cuts off geospatial data access for police intelligence centers
Fusion centers now get a limited version of the Dataminr tool
http://www.theverge.com/2016/12/15/13969110/twitter-dataminr-fusion-center-geospatial-data-surveillance
Police across the country will now have a harder time singling out individual Twitter users. Twitter announced today that it has cut off all geospatial intelligence data being sold to police intelligence centers, also known as fusion centers.
The geospatial intelligence tool was being provided by Dataminr, an analytics firm partially owned by Twitter, which has exclusive access to the company’s live data feed or “firehose.”
“Our long-standing position has been that the use of Twitter data for surveillance is strictly prohibited,” the company said in a statement, “and we continue to expand our enforcement efforts.”
In October, the ACLU of Northern California found evidence of a similar tool called Geofeedia being used to track Baltimore protestors through Facebook, Instagram, and Twitter feeds. Facebook has also used social-media surveillance tools for corporate security purposes, using Geofeedia to catch an intruder in Mark Zuckerberg’s office.
Tomi Engdahl says:
After Failed Auction, Shadow Brokers Opens NSA Hacking Tools for Direct Sales
Wednesday, December 14, 2016 Mohit Kumar
http://thehackernews.com/2016/12/nsa-hack-shadow-brokers.html
The hacker group that’s believed to be behind the high-profile cyber theft of NSA hacking tools and exploits that sparked a larger debate on the Internet concerning abilities of US intelligence agencies and their own security
The group put the stolen cyber weapons up for auction but received little response and went quiet for some time.
However, The Shadow Brokers now appears to have put up the NSA’s hacking tools and exploits for direct sale on an underground website.
A newly uncovered site reportedly contains a file signed with the cryptographic key of The Shadow Brokers, suggesting the hacker group has now moved to sell NSA hacking tools directly to buyers one by one, Motherboard reports.
Newly Uncovered Site Suggests NSA Exploits for Direct Sale
http://motherboard.vice.com/read/newly-uncovered-site-suggests-nsa-exploits-for-direct-sale
Tomi Engdahl says:
Apple, Google, and Uber join list of tech companies refusing to build Muslim registry
http://www.theverge.com/2016/12/16/13990234/google-muslim-registry-refusal-donald-trump-silicon-valley
Apple, Google, and Uber have all broken their respective silences on whether they would participate in helping build a Muslim registry for the incoming Trump administration, BuzzFeed reports. In a statement issued today, an Apple spokesperson said, “We think people should be treated the same no matter how they worship, what they look like, who they love. We haven’t been asked and we would oppose such an effort.”
Google, Apple And Uber Say They Would Not Help Build A Muslim Registry
https://www.buzzfeed.com/nitashatiku/google-muslim-registry-trump?utm_term=.nkkRvAWQO#.xeJB1eZNy
In response to questions from BuzzFeed News, Google, Apple, and Uber said they would not help build a Muslim registry. Meanwhile, Oracle declined to comment.
Tomi Engdahl says:
‘I told him to cut it out’ – Obama is convinced Putin’s hackers swung the election for Trump
And so what are you gonna do about it, Barry?
http://www.theregister.co.uk/2016/12/17/us_election_hacking_row/
Outgoing US President Barack Obama has promised to take action against Russia over its alleged interference in the presidential election campaign.
American intelligence agencies have concluded that hackers linked to the Kremlin infiltrated the computer network of the Democratic National Committee as well as the email account of Hillary Clinton’s campaign chief John Podesta with the aim of influencing the November 8 outcome.
Russia has dismissed these allegations as baseless (or “amusing rubbish”), a denial that cut little ice with Obama given the consensus among the US intelligence community that the Kremlin ran a dirty tricks campaign. Even the FBI now accepts, after initial reluctance, the CIA’s conclusion that Russia helped miscreants meddle with the election.
Obama also gave a press conference today – his final one as US President – in which he discussed the hacking claims and all but pinned the blame on Vladimir Putin’s government. “Mr Putin is well aware of my feelings about this, because I spoke to him directly about it … I told him to cut it out,” said Obama.
Republican president-elect Donald Trump dismissed the accusations against Russia as “ridiculous” and motivated by sour grapes.
By leaking emails stolen from servers, miscreants threw the Democratic Party and the Clinton campaign off balance at crucial points in the election campaign cycle. The two biggest bombshells were the DNC emails that sparked the resignation of party chairwoman Debbie Wasserman Schultz in July and the online dumping of the John Podesta emails, through WikiLeaks, in October.
US spies concluded that the Russians also hacked the Republican National Committee (RNC) as well as the DNC but decided not to leak the Republican data trove.
The CIA reckoned Russia was motivated by a desire to tilt the election in favor of Putin-friendly and easily manipulatable Donald Trump.
Tomi Engdahl says:
Election Assistance Commission Hacked Using SQL Injection
https://yro.slashdot.org/story/16/12/16/2025225/election-assistance-commission-hacked-using-sql-injection
The commission that is responsible for ensuring the integrity of voting machines was itself hacked. The hacker gained access to non-public reports on weaknesses in voting machines. The hack occurred after the election, so it is unlikely that this hack resulted in changing the result. However, if one hacker can break in, how does anyone know that there was not a prior hack? The hack used an SQL injection flaw to gain access to usernames and passwords which were then cracked.
U.S. election agency breached by hackers after November vote
http://www.reuters.com/article/us-election-hack-commission-idUSKBN1442VC
The U.S. agency charged with ensuring that voting machines meet security standards was itself penetrated by a hacker after the November elections, according to a security firm working with law enforcement on the matter.
The security firm, Recorded Future, was monitoring underground electronic markets where hackers buy and sell wares and discovered someone offering log-on credentials for access to computers at the U.S. Election Assistance Commission, company executives said.
Tomi Engdahl says:
Banks ‘not doing enough’ to protect against bank-transfer scams
Must do more to identify fraudulent payments
http://www.theregister.co.uk/2016/12/16/bank_transfer_scams/
UK banks have been told they need to go further in protecting consumers against money transfer scams – a growing form of fraud.
The Payment Systems Regulator said institutions must improve the way they respond to bank transfer scams and do more to identify fraudulent payments without advocating changes in liability for fraudulent losses, which currently fall on consumers.
Consumers conned into transferring money to a fraudster by bank transfer have no legal right to get their money back from their bank. Credit card and direct debit payments, by contrast, offer guarantees to consumers.
PSR’s response to a super-complaint by Which? on bank transfer scams “has let the banks off the hook” the consumer group said.
Two weeks after launching an online scam reporting tool in November, more than 650 people reported to Which? losses via bank transfers totalling £5.5m.
“While recognising that the industry is not doing enough, it [the regulator] has failed to adequately address the issue of liability and has let the banks off the hook, giving them little incentive to do more to protect their customers.”
Tomi Engdahl says:
Ubuntu App Crash Reporter Bug Allows Remote Code Execution
Flaw already patched, make sure you update ASAP
http://news.softpedia.com/news/ubuntu-app-crash-reporter-bug-allows-remote-code-execution-511030.shtml
A security researcher has discovered a vulnerability in Ubuntu’s crash reporter that would allow remote code execution, making it possible for an attacker to compromise a system using just a malicious file.
Donncha O’Cearbhaill writes that the security bug resides in the Apport crash reporting tool on Ubuntu, which can be tricked into opening a malicious crash file that includes Python code executed on launch.
“The vulnerable code was introduced on 2012-08-22 in Apport revision 2464. This code was first included in release 2.6.1. All Ubuntu Desktop versions 12.10 (Quantal) and later include this vulnerable code by default,” the researcher notes.
A proof-of-concept shows that it’s possible to compromise a system using this vulnerability with the help of a malicious file, which allows for arbitrary code execution when clicked.
Reliably compromising Ubuntu desktops by attacking the crash reporter
https://donncha.is/2016/12/compromising-ubuntu-desktop/
Tomi Engdahl says:
Yahoo Hack Shows Data’s Use for Information Warfare
http://www.securityweek.com/yahoo-hack-shows-data-tool-information-warfare
The 2013 hack affecting a billion Yahoo users shows how seemingly innocuous bits of data gleaned from cyber attacks can be exploited for espionage and information warfare, as well as for profit.
The breach, disclosed Wednesday, is the largest on record and comes just months after Yahoo disclosed a separate attack in 2014 affecting data from 500 million users.
The ability to create a searchable database with data tidbits such as birth dates and phone numbers makes it enormously valuable to hackers seeking to make a profit or engage in industrial or state espionage.
“For someone using data as a weapon, this is of tremendous value,”
The attack could fuel disinformation campaigns by governments.
“And since a significant number of victims (if any) have not reported identity theft resulting from the incident, there is a strong likelihood that the breach was not conducted for monetary gain,” Scott said.
“This could indicate that the breach was an espionage stage of an information warfare effort.”
James Lewis, a senior fellow specializing in cybersecurity at the Center for Strategic and International Studies, said new analytics tools can sift through databases for political espionage purposes.
“If you’re a criminal, you would think you could monetize a billion accounts,” Lewis said. “Even if you got a penny or a dime for each, you would still be making a lot of money.”
The attacks also pose a threat to the future of Yahoo.
Dickson said that it’s likely that “Verizon is doing a double take” on the $4.8 billion deal.
“If this kills that deal, I think it will increase the focus on cybersecurity hygiene across the board,” he said.
Tomi Engdahl says:
Over 8,800 WordPress Plugins Have Flaws: Study
http://www.securityweek.com/over-8800-wordpress-plugins-have-flaws-study
Researchers at web application security firm RIPS Technologies have analyzed 44,705 of the roughly 48,000 plugins available in the official WordPress plugins directory and discovered that more than 8,800 of them are affected by at least one vulnerability.
The company downloaded all the plugins and used its static code analyzer to check the ones that have at least one PHP file. An analysis of the size of these plugins showed that roughly 14,000 of them have only 2-5 files and only 10,500 of them have more than 500 lines of code.
Researchers determined that of the plugins with more than 500 lines of code, which have been classified as “larger plugins,” 4,559, or 43 percent of the total, contain at least one medium severity issue (e.g. cross-site scripting).
RIPS’s analysis showed that nearly 36,000 of the plugins did not have any vulnerabilities and 1,426 had only low severity flaws. Medium severity bugs have been identified in more than 4,600 plugins, while high and critical security holes have been found in 2,799 and 41 plugins, respectively.
The State of WordPress Security
https://blog.ripstech.com/2016/the-state-of-wordpress-security/
Tomi Engdahl says:
McAfee Takes Six Months To Patch Remote Code Exploit In Linux VirusScan Enterprise
https://linux.slashdot.org/story/16/12/17/0345248/mcafee-takes-six-months-to-patch-remote-code-exploit-in-linux-virusscan-enterprise
A researcher has reported 10 vulnerabilities in McAfee’s VirusScan Enterprise for Linux that, when chained together, result in root remote code execution. McAfee took six months to fix the bugs, issuing a patch on December 9th.
P0wnographer finds remote code exec bug in McAfee enterprise
This one ticks all the boxes: Runs as root ✔ Claims security ✔ Unpopular product with few updates ✔
http://www.theregister.co.uk/2016/12/13/boffin_dishes_10_mcafee_enterprise_bugs_for_chained_rce_root_death/
McAfee has taken six months to patch 10 critical vulnerabilities in its VirusScan Enterprise Linux client. And these were nasty bugs, as when chained they resulted in remote code execution as root.
Andrew Fasano, security researcher with MIT Lincoln Laboratory, says attackers can chain the flaws to compromise McAfee Linux clients by spinning up malicious update servers.
“At a first glance, Intel’s McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it’s not particularly popular, and it looks like it hasn’t been updated in a long time,” Fasano writes.
Tomi Engdahl says:
Hack attack fear scares Canadian exam board away from online tests
Back to pen and paper
http://www.theregister.co.uk/2016/12/17/canadians_drops_online_literacy_tests_in_favor_of_pencil_and_paper_next_year/
Every year Ottawa’s Education Quality and Accountability Office (EQAO) tests secondary school students in their literacy skills. This year it rolled out online tests and the results weren’t good.
In October the online pilot test of the Ontario Secondary School Literacy Test (OSSLT) was deployed and quickly fell over with its legs in the air mimicking a dead parrot. The failure was the result of what it called an “intentional, malicious and sustained distributed denial-of-service attack,” against the testing system.
The attack was successful despite earlier testing of the online system against the possibility of just such an online assault. Forensic examiners are still investigating where the attack came from.
Because the source of the attack is still unknown, the EQAO is dropping all online testing for the time being.
Tomi Engdahl says:
How Long Before AI Systems Are Hacked in Creative New Ways?
https://www.technologyreview.com/s/603116/how-long-before-ai-systems-are-hacked-in-creative-new-ways/?utm_campaign=internal&utm_medium=homepage&utm_source=top-stories_1&set=603154
Research points to ways that machine-learning programs could be tricked into doing unwanted things.
Tomi Engdahl says:
US hacking claims: Russia says ‘indecent’ without evidence
http://www.bbc.com/news/world-us-canada-38341569
US claims that Russia hacked official emails, without evidence, are “indecent”, the Kremlin has said.
“They need to either stop talking about this or finally present some sort of proof,” Russian President Vladimir Putin’s spokesman said.
On Friday, Hillary Clinton said Mr Putin ordered the hack because he had a “personal beef” against her.
President Barack Obama has vowed to take action against Russia for its alleged interference.
The intelligence agencies say they have overwhelming evidence that Russian hackers linked to the Kremlin were behind the hacks.
The CIA has concluded that Russia’s motivation was to sway the election in favour of Mr Trump, but no evidence has been made public.
Tomi Engdahl says:
Yahoo’s billion-user database reportedly sold on the Dark Web for just $300,000
http://thenextweb.com/security/2016/12/16/yahoos-billion-user-database-reportedly-sold-on-the-dark-web-for-just-300000/
As if 2016 wasn’t shitty enough for Yahoo – which admitted to two separate breaches that saw 500 million users’ and then 1 billion users’ details stolen by hackers – the New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000.
That’s according to Andrew Komarov, chief intelligence officer at security firm InfoArmor. He told NYT that three buyers, including two prominent spammers and another who might be involved in espionage tactics, purchased the entire database at the aforementioned price from a hacker group believed to be based in Eastern Europe.
It’s lovely to know that it only costs $300,000 to be able to threaten a billion people’s online existence – which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes.
1-Billion Yahoo Users’ Database Reportedly Sold For $300,000 On Dark Web
Friday, December 16, 2016 Mohit Kumar
http://thehackernews.com/2016/12/yahoo-hacking.html
Recently Yahoo disclosed a three-year-old massive data breach in its company that exposed personal details associated with more than 1 Billion user accounts, which is said to be the largest data breach of any company ever.
The new development in Yahoo!’s 2013 data breach is that the hacker sold its over Billion-user database on the Dark Web last August for $300,000, according to Andrew Komarov, Chief Intelligence Officer (CIO) at security firm InfoArmor.
Komarov told the New York Times that three different buyers, including two “prominent spammers” and a third believed to be involved in espionage tactics, paid $300,000 to gain control of the entire database.
Komarov also said his company obtained a copy of the Yahoo database earlier this year, and got in touch with the law enforcement authorities in the United States and other countries in the European Union, Canada, and Australia.
Komarov said his company did not go to Yahoo directly “because the internet giant was dismissive of the security firm when approached by an intermediary,” adding that he didn’t trust Yahoo to investigate the data breach thoroughly.
Tomi Engdahl says:
Does Code Reuse Endanger Secure Software Development?
https://it.slashdot.org/story/16/12/17/1751234/does-code-reuse-endanger-secure-software-development
The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It’s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities.
Tomi Engdahl says:
LinkedIn’s training arm resets 55,000 members’ passwords
Lynda.com database accessed by ‘unauthorized third party’
http://www.theregister.co.uk/2016/12/18/linkedin_lynda_breach/
Tomi Engdahl says:
According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn’t exercise due diligence on the software libraries used in their project.
Source: https://it.slashdot.org/story/16/12/17/1751234/does-code-reuse-endanger-secure-software-development?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Tomi Engdahl says:
If you use a third-party library that has a bug in it, you’ll be exposed to the same bugs as everybody else using that library. On the other hand, if you go at it alone, your implementation will have bugs of its own. And if the library is well-maintained, it’ll have fewer bugs than the thing you make from scratch.
Implementing the common functionality from scratch can easily become another kind of “not exercising due diligence”, particularly when dealing with complex code. Or to put it another way: code reuse may endanger secure software development, but not reusing code may also endanger secure software development.
Source: https://it.slashdot.org/story/16/12/17/1751234/does-code-reuse-endanger-secure-software-development?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Tomi Engdahl says:
FYI! – Your! hacked! Yahoo! account! is! worth! $0.0003!
Stolen billion-user database being flogged for $300,000, apparently
http://www.theregister.co.uk/2016/12/19/yourii_hackedii_yahooii_accountii_isii_worthii_00003ii/
The hacked database containing the account details of more than one billion Yahoo! users is reportedly being sold for a meager $300,000.
Arizona-based InfoArmor also claims it had obtained a copy of the swiped records months ago, but did not report it to Yahoo! over fears the Purple Palace would dismiss or seek to bury the incident, lest it interfere with the looming $4.8bn Verizon merger.
Tomi Engdahl says:
Criminals can guess Visa card number and security code in just six seconds, experts find
The ‘guessing’ method is thought to have been used in the Tesco Bank hack
http://www.independent.co.uk/news/uk/crime/criminals-guess-visa-card-details-fraud-six-seconds-a7450776.html
Criminals can work out the card number, expiry date and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found.
Experts from Newcastle University said it was “frighteningly easy” to do with a laptop and an internet connection.
Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack.
Researchers found that the system did not detect cyber criminals making multiple invalid attempts on websites in order to get payment card data.
According to a study published in the academic journal IEEE Security & Privacy, that meant fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously.
“Firstly, the current online payment system does not detect multiple invalid payment requests from different websites.
“Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.”
Tomi Engdahl says:
No More Ransom Alliance Gains Momentum
http://www.securityweek.com/no-more-ransom-alliance-gains-momentum
In July 2016 the Dutch National Police, Europol, Kaspersky Lab and Intel Security launched the No More Ransom project and website. A primary purpose is to help victims of ransomware recover encrypted files without having to pay the criminals.
In October, the alliance expanded with the addition of law enforcement agencies from 13 additional countries. At that time Europol told SecurityWeek that public and private interest in the project had been greater than anticipated, and expansion had subsequently been ascribed to two separate phases. This was Phase 1: LEAs. Phase 2, already in progress, would see the arrival of private industry.
Yesterday, in Phase 2, Europol announced further expansion with the inclusion of four new ‘Associated’ partners: Bitdefender, Check Point, Emsisoft and Trend Micro.
Ransomware has been the scourge of 2016. Victim losses to ransoms totaled $24 million in 2015. This year predictions put the total amount closer to $1 billion. This puts the 6000 people and $2 million saved so far by No More Ransom into perspective — which does not belittle the benefit to those 6000 people.
Recent surveys from both IBM X-Force and Sophos show that most end users and consumers still have little understanding of the threat. The IBM report noted, “The results show a lack of [consumer] awareness about ransomware, which may be resulting in little or no action taken to protect devices and data.” Furthermore, there seems little understanding of what to do if infected. “Friends and family members consistently rank among the top two go-to sources.”
These figures are corroborated by a separate survey, detailed in a blog post yesterday, by Sophos. “The survey confirmed,” it says, “that out of all the people who took part over half give IT advice to family and friends. Yet, 14% of these people admitted to feeling unsure about whether they had properly backed up the data on someone else’s computer or if they have the ability to recover that data if it was hacked, 18% didn’t know either way and 11% are not even sure that the computers they look after are protected from hackers and viruses.”
Tomi Engdahl says:
MacBooks Leak Disk Encryption Password
http://www.securityweek.com/macbooks-leak-disk-encryption-password
Apple recently addressed a vulnerability in its macOS operating system that can be exploited by an attacker to obtain a MacBook’s FileVault password using a $300 device.
The issue was discovered by Sweden-based researcher Ulf Frisk at the end of July. Apple was notified about the flaw in mid-August and patched it earlier this month with the release of macOS 10.12.2.
FileVault 2 is a full-disk encryption program that uses XTS-AES-128 encryption with a 256-bit key to prevent unauthorized access to the information on the startup disk. Frisk has demonstrated that an attacker with physical access to a locked or sleeping MacBook can retrieve the FileVault 2 password in clear text by connecting a special device to the targeted system’s Thunderbolt port.
Tomi Engdahl says:
0-Day Exploits Could Wreak Havoc on Linux Desktops
http://www.securityweek.com/0-day-exploits-could-wreak-havoc-linux-desktops
Security researcher Chris Evans this week made public a full 0-day drive-by download exploit impacting Ubuntu and Fedora and possibly other current Linux distributions as well.
The full 0-day drive-by exploit was tested to work against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS, and relies on breaking out of Super Nintendo Entertainment System (SNES) emulation via subtle cascading side effects from an emulation error.
The issue, Evans says, lies within the Sony SPC700 emulated processor and abuses cascading subtle side effects of an emulation misstep. This is possible because the Linux GStreamer media playback framework offers support for the playback of SNES music files by emulating the SNES CPU and audio processor.
Tomi Engdahl says:
Eavesdropping Via Headphones
http://hackaday.com/2016/12/18/eavesdropping-via-headphones/
We all know that speakers are microphones and microphones are speakers, right? If not, take a moment to plug your headphones into a microphone jack and yell into them. It’s not exactly hi-fi, but it works.
So it’s not a huge surprise that three security researchers in Israel have managed to turn the combination headphone and microphone input jacks that are present on most laptops into an eavesdropping device
https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf
Tomi Engdahl says:
PIN codes and passwords are actually pretty lousy protection against skilled cybercriminals. However, the password will never disappear entirely, as two per cent of the world’s population are persons for whom fingerprint biometric identification does not work.
Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. Opening the unit with the wrong fingerprint is very unlikely: the possibility of a so-called false positive is, according to various estimates, about one in 50,000.
Iris identification is even more secure. The likelihood of finding another identical iris is 1:10^78. In practice, biometric identification is always certain enough for normal use.
For this reason, the French research institute Yole Developpement estimates that the current password will remain a central form of identification at least until around the year 2030.
According to Yole, 91 percent of biometric sales this year will be fingerprint sensors.
Iris detection has an overall market share of three per cent, and face detection four per cent.
The total value of devices sold is 4.5 billion dollars, of which 65 per cent goes to consumer electronics products, mainly smartphones and laptops.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5607:salasana-ei-koskaan-katoa&catid=13&Itemid=101
Tomi Engdahl says:
Ginny Marvin / Marketing Land:
Russian hackers use “Methbot” botnet to steal $3M-$5M video ad revenue per day from over 6K premium publishers in largest ad fraud uncovered to date
White Ops reports biggest ad fraud botnet found yet: ‘Methbot’ targeting high-CPM video inventory
http://marketingland.com/white-ops-reports-biggest-ad-fraud-botnet-found-yet-methbot-targeting-high-cpm-video-inventory-201371
Digital advertising fraud security firm White Ops released a report Tuesday detailing the exploits of “Methbot,” a new variation on the botnet. The firm says Russian cybercriminals have used Methbot to siphon off $3 to $5 million in video ad revenue from premium publishers every day.
The operation targeted high-value video advertising inventory, including inventory sold through private marketplaces, by spoofing more than 6,000 premium publisher domains and creating fake pages on which it could run real ads from real advertisers.
What makes Methbot unique from other major botnets is that instead of hijacking home computers at the user level, the Russian cyber criminals invested in building a network of 800 to 1,200 dedicated servers running from data servers in the US and the Netherlands. The perpetrators then obtained or leased 571,904 real IP addresses. The real IP addresses mask the fake ad calls by making them appear to come from legitimate residential Internet Service Providers such as Verizon, Comcast and Spectrum.
IPv4 Market Group estimated the IP addresses alone currently are valued at over $4 million.
White Ops believes Methbot is by far the biggest ad fraud scam to affect digital advertising.
For comparison, the ZeroAccess botnet was estimated to take in $900,000 per day and the Chameleon botnet, $200,000 per day.
The botnet has been siphoning an estimated $3 to $5 million in ad revenue per day, making it the largest ad fraud scam uncovered to date.
Tomi Engdahl says:
Emil Protalinski / VentureBeat:
Google open sources Project Wycheproof, security tests of cryptographic libraries for known attacks, says 40+ security bugs have already been discovered
Google releases Project Wycheproof: Security tests to check cryptographic libraries for known attacks
http://venturebeat.com/2016/12/19/google-releases-project-wycheproof-security-tests-to-check-cryptographic-libraries-for-known-attacks/
Google today released Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses being used in attacks. The project, named after Mount Wycheproof, the smallest mountain in the world, is available for free on GitHub.
Project Wycheproof includes over 80 test cases, and Google says they have already uncovered more than 40 security bugs.
some of the tests — they will be released once the affected cryptographic libraries have been patched.
The tests encompass the most popular crypto algorithms, including AES-EAX, AES-GCM, DH DHIES, DSA, ECDH, ECDSA, ECIES, and RSA. The tests detect whether a library is vulnerable to many attacks, including invalid curve attacks, biased nonces in digital signature schemes, and all of Bleichenbacher’s attacks. In short, Project Wycheproof allows developers and users to check libraries against a large number of known attacks without having to “sift through hundreds of academic papers or become cryptographers themselves.”