Here are my predictions for trends in information security and cyber security for the year 2016.
The year 2015 was pretty bad for information security, and I would say that the trend is worrying, so I expect that 2016 will bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier: former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time, and it will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, which can make identification very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are now a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks in 2015 from all kinds of Internet services, cloud companies will face challenges in gaining trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view they seem to have the main things in order, but now these privacy issues have been raised.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.
The huge amount of information security news is becoming harder and harder to manage in 2016. A key problem with security disclosures, as with all other news coverage, is the exponential growth of information. A variety of news summaries are produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”, any device or sensor connected to a network, to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise, that hackers and malware already have breached their defenses or soon will, and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches, with a strong focus on integrity.
The tension between law enforcement and Silicon Valley will continue to be strong throughout 2016. In 2015, law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as the result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you: the bad guys would have strong protections for their data, and the rest of us would not. Poorly thought-out and crude surveillance techniques can have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 cutoff that could happen in 2016 instead of the earlier planned January 1, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it can be attacked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are used in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
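What the browsers are doing is a policy decision on one field of the certificate: the outer signature algorithm. The added example below (my own illustration, not code from the post or from any browser vendor) walks the DER structure of a certificate far enough to read that AlgorithmIdentifier and checks it against an allow-list, so a SHA-1 signed certificate is refused and SHA-2 ones pass. The certificate bytes it parses are constructed stand-ins that follow the real `Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }` layout; they are not real, verifiable certificates, and the OID table covers only the algorithms named here.

```python
"""Reject SHA-1 signed certificates by reading the signatureAlgorithm OID from DER.
Added example, not from the original post. The stub certificates are constructed."""
from typing import List, Tuple

# DER contents (after the 0x06 tag and length byte) of the OBJECT IDENTIFIER for each algorithm.
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
SHA384_RSA_OID = bytes.fromhex("2a864886f70d01010c")    # 1.2.840.113549.1.1.12
ECDSA_SHA1_OID = bytes.fromhex("2a8648ce3d0401")        # 1.2.840.10045.4.1
ECDSA_SHA256_OID = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2

OID_NAMES = {
    SHA1_RSA_OID: "sha1WithRSAEncryption",
    SHA256_RSA_OID: "sha256WithRSAEncryption",
    SHA384_RSA_OID: "sha384WithRSAEncryption",
    ECDSA_SHA1_OID: "ecdsa-with-SHA1",
    ECDSA_SHA256_OID: "ecdsa-with-SHA256",
}
# Allow-list: anything not listed (SHA-1 variants, unknown OIDs) is refused.
ALLOWED = {"sha256WithRSAEncryption", "sha384WithRSAEncryption", "ecdsa-with-SHA256"}


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element) for the DER element at pos."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def children(contents: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed element into its (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, body, pos = read_tlv(contents, pos)
        out.append((tag, body))
    return out


def signature_algorithm(cert_der: bytes) -> str:
    """Name of the outer signature algorithm, or 'unknown OID <hex>' if not in the table."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    parts = children(body)
    if len(parts) != 3:
        raise ValueError("expected tbsCertificate, signatureAlgorithm, signatureValue")
    alg_tag, alg_body = parts[1]
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid = children(alg_body)[0]   # AlgorithmIdentifier ::= SEQUENCE { OID, params OPTIONAL }
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    return OID_NAMES.get(oid, "unknown OID " + oid.hex())


def is_acceptable(cert_der: bytes) -> bool:
    """Browser-style policy: accept only allow-listed (SHA-2 based) signature algorithms."""
    return signature_algorithm(cert_der) in ALLOWED


def build_stub_cert(oid_bytes: bytes) -> bytes:
    """Constructed stand-in with the Certificate layout: dummy TBS, the given
    AlgorithmIdentifier (with NULL params) and a one-byte BIT STRING. Not a real certificate."""
    tbs = b"\x30\x03\x02\x01\x02"                         # SEQUENCE { INTEGER 2 }
    alg = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    alg = b"\x30" + bytes([len(alg)]) + alg
    sig = b"\x03\x02\x00\xff"                             # BIT STRING, 0 unused bits
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    for oid in (SHA1_RSA_OID, SHA256_RSA_OID, ECDSA_SHA1_OID, ECDSA_SHA256_OID):
        cert = build_stub_cert(oid)
        print(f"{signature_algorithm(cert):26} accepted={is_acceptable(cert)}")
```

Against a real certificate chain the same check must be applied to every certificate up to (but not including) the self-signed root, since a root’s own signature is never verified; and a stub like this only decides the algorithm policy, it performs no signature verification.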
Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will be used more widely than just for Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX, the company behind the Nasdaq stock exchange, is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries, including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street, have joined forces with the Linux Foundation to create an alternative to the bitcoin blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password, so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication, like using a USB stick with a secret token or entering a code sent via text message to your phone, can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key”, which also offers a password-free means of signing in, involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication.” “We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years, and I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a five-star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly with ransom malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without considering paying criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space, including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article Ransomware Is Coming to Medical Devices tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
The rivalry between network attacks and network security is accelerating.
Denial of service attacks that cripple Internet services are becoming more common throughout the world, and Finland is likewise no longer a safe haven in these matters.
In addition to intrusion prevention, an effective fight against denial of service attacks is a key issue for e-commerce.
“A denial of service attack often works as a distraction, with which companies are deceived during the actual data burglary. Online shopping criminals are especially interested in customers’ payment card information,” Westersund notes.
“However, there are effective means in the fight against denial of service attacks. The key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers.”
Source: http://www.iltasanomat.fi/dna-business/art-2000005012533.html
Tomi Engdahl says:
Stupid law of the week: South Carolina wants anti-porno chips in PCs that cost $20 to disable
And it’s only Monday
http://www.theregister.co.uk/2016/12/19/south_carolina_calls_for_smutfree_pcs/
Lawmakers in South Carolina are mulling over banning the sale of computers, tablets and phones unless they have a device that automatically blocks pornography from popping up on-screen.
The Human Trafficking Prevention Act amendment, introduced by State Representative Bill Chumley (R‑Spartanburg), calls for manufacturers and resellers to be fined if they sell an internet-connected product in the US state without a filter capable of stopping smut from appearing by default. The proposed stiff rules, drawn up late last week, follow a crackdown in the state on human trafficking in 2015.
“It’s where almost everybody has access to a computer now. It’s porn on demand,” Chumley told the Spartanburg Herald Journal over the weekend. “We have to start somewhere … we’re bringing attention to it. We’re not being political. It’s an issue I’m pretty passionate about.”
Tomi Engdahl says:
AT&T is adding a spam filter for phone calls
http://www.theverge.com/2016/12/20/14028948/att-call-protect-spam-filter-fraud-caller
Today, AT&T introduced a new service for automated blocking of fraud or spam calls. Dubbed AT&T Call Protect, the system identifies specific numbers believed to be sources of fraud, and will either deliver those calls with a warning or block them outright. Users can whitelist specific numbers, although temporary blocks require downloading a separate Call Protect app. The feature is only available on postpaid iOS and Android devices, and can be activated through the MyAT&T system.
Tomi Engdahl says:
John McAfee, who founded the security company McAfee and later sold it to Intel, is now president of a firm named Everykey. The company has developed a small stick which, over Bluetooth, replaces passwords for devices and online services. Military-grade encryption.
Everykey is a stick which requires only a BLE (Bluetooth Low Energy) connection to unlock the device. It works on Android and iOS devices, as well as with Windows laptops and Macs. Older Windows machines require a separate dongle for the laptop.
Everykey operates so that it automatically generates complex passwords, which are stored on secure Everykey servers. The server is protected with 128-bit AES keys. If you lose the key, you can immediately lock your account via the mobile app, the web pages or a phone call. A new key drive will be sent by express post.
Source: http://etn.fi/index.php?option=com_content&view=article&id=5617&via=n&datum=2016-12-20_15:45:51&mottagare=30929
More: https://everykey.com/gu/special-offers/03/index.html
Tomi Engdahl says:
Hacking the IoT: As Bad As I Feared It’d Be
An engineer takes on his router and the IoT.
https://www.designnews.com/iot/hacking-iot-bad-i-feared-itd-be/187085758747142?cid=nl.x.dn14.edt.aud.dn.20161216.tst004c
Tomi Engdahl says:
Joseph Cox / Motherboard:
Egypt blocks encrypted messaging app Signal; Open Whisper Systems says it’ll debut a fix over the coming weeks, suggests Tor, VPN workarounds in the meantime
Signal Claims Egypt Is Blocking Access to Encrypted Messaging App
http://motherboard.vice.com/read/signal-claims-egypt-is-blocking-access-to-encrypted-messaging-app
Egypt has been censoring access to encrypted messaging app Signal, according to Open Whisper Systems, the company behind the app. The move highlights that as privacy-focused users move to technologies such as Signal, governments may still try to limit their use.
“We’ve been investigating over the weekend, and have confirmed that Egypt is censoring access to Signal,” a tweet from Open Whisper Systems on Monday reads.
Signal is a free app available on Android and iOS, and also has an accompanying desktop client. Users can send text messages, photos, and videos using end-to-end encryption; meaning that those who intercept the communication, such as a government or internet service provider cannot read its contents.
Signal’s protocol has also been adopted by other end-to-end encrypted messaging systems, such as WhatsApp and Facebook’s Secret Conversations feature.
Tomi Engdahl says:
Facebook Ready to Retire SHA-1
http://www.securityweek.com/facebook-ready-retire-sha-1
One year after saying that certificates using the SHA-1 hash algorithm should be kept alive in older browsers, Facebook is finally ready to retire the insecure cryptographic hash function and move to stronger standards.
Last year, after security researchers revealed that collision attacks against SHA-1 are more practical and cheaper than previously believed, major browser companies announced plans to kill support for it as soon as possible. Facebook, however, was one of the large Internet companies to suggest that SHA-1 shouldn’t be retired altogether, and Twitter backed this proposal soon after.
Now, Wojciech Wojtyniak, a Production Engineer at Facebook, says that the social platform is ready to end support for SHA-1 certificates at the end of this year. The “well-documented security weaknesses for these older certificates” are the main reason for this, Wojtyniak notes.
“Fortunately, after an examination of our SHA-1 usage, we have determined that it is no longer necessary for us to maintain our remaining SHA-1 certificates. In fact, we have not been serving SHA-1 traffic since early November and there has been no measurable impact,”
With Chrome, Firefox, and Microsoft Edge (and Internet Explorer 11) already en-route to sunset SHA-1 in the coming months, other large Internet players are making similar moves as well. Akamai recently said that it would end support for the algorithm on Dec 27, 2016.
Tomi Engdahl says:
Organizations in the Dark as Most Networks Actively Breached: Analysis
http://www.securityweek.com/organizations-dark-most-networks-actively-breached-analysis
Twenty Organizations Were Analyzed in a Recent Study; All 20 Were Already Unknowingly Compromised
While most of the security industry is looking forward and making threat predictions for 2017, one vendor has stopped to analyze what has been happening in 2016 — and the reality is, we aren’t even aware of what is happening in our networks today.
Breach detection firm SS8 used its BreachDetect platform to analyze 20 different organizations across multiple industry sectors. BreachDetect was developed for and is used by law enforcement agencies conducting forensic examinations. None of the 20 organizations analyzed were known to be compromised before the analysis — but all 20 were found to have indicators of compromise. The results were published in a blog post last week
Top Cyber Security Evasion and Exfiltration Techniques Exposed
http://blog.ss8.com/2016-breachdetect-threat-rewind-report/
And while many of us have read about non-essential devices (sometimes referred to as Internet-of-things, or IoT) being used as an attack vector, we saw 70% of threats leveraging non-essential devices to either infiltrate the network, or exfiltrate data out from the corporate environment.
Tomi Engdahl says:
Panasonic In-Flight Entertainment Systems Can Be Hacked: Researcher
http://www.securityweek.com/panasonic-flight-entertainment-systems-can-be-hacked-researcher
IOActive has disclosed several vulnerabilities found in Panasonic Avionics in-flight entertainment (IFE) systems and warned that such security holes could, under certain circumstances, pose a serious risk to an aircraft.
Panasonic Avionics is one of the world’s largest suppliers of in-flight entertainment and communications systems. The company says it has delivered more than 8,000 IFE systems and 1,300 in-flight connectivity solutions to major airlines.
Tomi Engdahl says:
“Shadow Brokers” Data Obtained From Insider: Flashpoint
http://www.securityweek.com/shadow-brokers-data-obtained-insider-flashpoint
New evidence uncovered by researchers after the group calling itself “Shadow Brokers” made available some new files reinforces the theory that the exploits and tools were obtained from a rogue insider and not by hacking NSA systems.
In mid-August, The Shadow Brokers leaked 300 Mb of firewall exploits, implants and tools, claiming that the files had been obtained from the NSA-linked Equation Group. The threat actor launched an all-pay auction in hopes of making a serious profit for a second batch of files that included exploits, vulnerabilities, RATs and data collection tools.
The extensive use of Markdown, a lightweight markup language commonly used in code repositories, has led researchers to believe that the files have been copied from an internal system or a code repository, not obtained through remote access or from an external staging server.
Flashpoint has assessed with “medium confidence” that the information was likely obtained from a rogue insider.
Tomi Engdahl says:
RansomFree by Cybereason is a free ransomware alert tool for Windows PCs
http://www.digitaltrends.com/computing/cybereason-ransomware-alert-tool/
Boston-based cybersecurity company Cybereason has released a real-time ransomware detection and response program called RansomFree for consumers. The free software for Windows 7 to 10, the company claims, can spot most strains of ransomware before it starts encrypting files, alerting the user to take action.
RansomFree uses “behavioral and proprietary deception techniques” to detect ransomware strains in action. Users receive a pop-up notification when ransomware has been found on their computer and is trying to encrypt files. The user can then decide to take action.
“RansomFree relies on the common denominator of all ransomware, no matter their distribution or method of operation — they all need to search for target files on the local drives and encrypt them. By anticipating these common patterns, RansomFree can bait ransomware to expose their intentions and accurately detect them before they are able to fully achieve their malicious goal.”
According to Uri, the software can detect 99 percent of all ransomware. However, ransomware is ever evolving, with new tricks to avoid detection and decryption. Sternfield added that RansomFree will be updated daily in an attempt to stay ahead in this arms race.
https://ransomfree.cybereason.com/
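The “bait” approach described in that article can be illustrated in a few lines: plant decoy files, remember their digests, and raise an alarm when a decoy is rewritten with high-entropy content, which is what bulk encryption leaves behind. The example below is my own illustration of that idea and is not Cybereason’s code nor anything from the article; the decoy names, their contents, the entropy threshold and the simulated “ciphertext” are all constructed for the demonstration.

```python
"""Decoy-file ransomware alarm: detect a bait file being rewritten with encrypted-looking data.
Added example, not Cybereason's code and not from the article. Everything here is constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List, Tuple

# Names chosen so an alphabetical directory walk meets them early (an assumption about the walker).
DECOY_NAMES = ("aaa_invoice.docx", "aab_budget.xlsx")
DECOY_CONTENT = b"Quarterly budget summary, see attached spreadsheet.\n" * 80   # low entropy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, compressed or encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(root: str) -> Dict[str, str]:
    """Write the decoys and return path -> SHA-256 baseline."""
    baseline: Dict[str, str] = {}
    for name in DECOY_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(DECOY_CONTENT)
        baseline[path] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def check_decoys(baseline: Dict[str, str], entropy_threshold: float = 7.5) -> List[Tuple[str, str]]:
    """Return (path, reason) alerts for every decoy that is gone or no longer matches its digest."""
    alerts: List[Tuple[str, str]] = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "decoy deleted"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue                                   # untouched, no alert
        ent = shannon_entropy(data)
        if ent >= entropy_threshold:
            alerts.append((path, f"rewritten with high-entropy content ({ent:.2f} bits/byte)"))
        else:
            alerts.append((path, f"modified ({ent:.2f} bits/byte)"))
    return alerts


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario: clean check, then one decoy overwritten with ciphertext-like bytes."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_decoys(root)
        before = check_decoys(baseline)
        # Deterministic stand-in for ciphertext: a chain of SHA-256 digests (4096 near-uniform bytes).
        fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
        with open(os.path.join(root, DECOY_NAMES[0]), "wb") as f:
            f.write(fake_ciphertext)
        after = check_decoys(baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

The entropy test is what separates this from a plain integrity check: a legitimate edit to a document keeps its entropy low, while a file that suddenly reads as near-uniform bytes is the signature of encryption (or compression, which is why a real tool would also look at the process doing the writing and at how many files change per second).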
Tomi Engdahl says:
Andy Greenberg / Wired:
Open Whisper Systems, the developers behind Signal, use “domain fronting” for its Android app to bypass censorship in Egypt and UAE, with iOS update coming soon — Any subversive software developer knows its app has truly caught on when repressive regimes around the world start to block it.
Encryption App ‘Signal’ Fights Censorship With a Clever Workaround
https://www.wired.com/2016/12/encryption-app-signal-fights-censorship-clever-workaround/
Any subversive software developer knows its app has truly caught on when repressive regimes around the world start to block it. Earlier this week the encryption app Signal, already a favorite within the security and cryptography community, unlocked that achievement. Now, it’s making its countermove in the cat-and-mouse game of online censorship.
On Wednesday, Open Whisper Systems, which created and maintains Signal, announced that it’s added a feature to its Android app that will allow it to sidestep censorship in Egypt and the United Arab Emirates, where it was blocked just days ago. Android users can simply update the app to gain unfettered access to the encryption tool, according to Open Whisper Systems founder Moxie Marlinspike, and an iOS version of the update is coming soon.
Signal’s new anti-censorship feature uses a trick called “domain fronting,” Marlinspike explains. A country like Egypt, with only a few small internet service providers tightly controlled by the government, can block any direct request to a service on its blacklist. But clever services can circumvent that censorship by hiding their traffic inside of encrypted connections to a major internet service, like the content delivery networks (CDNs) that host content closer to users to speed up their online experience—or in Signal’s case, Google’s App Engine platform, designed to host apps on Google’s servers.
Tomi Engdahl says:
Ginny Marvin / Marketing Land:
Verizon “supercookie” partner Turn settles with FTC over privacy violations charges that it continued tracking consumers even after they opted out of tracking
Turn agrees to settle with FTC over privacy violations for digital ad tracking
The ad tech firm was found continuing to track users even after they opted out.
http://marketingland.com/turn-settles-ftc-digital-advertising-privacy-violations-201478
Turn, which operates a demand side platform (DSP) and data management platform (DMP) that facilitate digital ad targeting, has settled with the Federal Trade Commission over charges it continued tracking consumers even after they opted out of tracking.
The FTC alleged that Turn used unique mobile identifiers to track Verizon Wireless customers regardless if they had blocked or deleted cookies in their browsers. The FTC also found that Turn’s mechanism for consumers to opt out of ad targeting was only available for mobile browsers, not mobile applications, as the company had claimed.
Tomi Engdahl says:
Russell Brandom / The Verge:
House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts
Congressional group says backdoor laws would do more harm than good
http://www.theverge.com/2016/12/20/14032864/congress-encryption-working-group-report-backdoor
Today, the House Judiciary Committee’s Encryption Working Group released its year-end report — and the result is good news for technology companies. While the report doesn’t explicitly rule out encryption legislation, it lands firmly on the side of encryption policy critics, arguing that law enforcement backdoors pose a threat to security.
The result is a major blow to many public figures in law enforcement, who have consistently argued that device encryption presents a new threat to police powers of investigation.
Critics counter that any system allowing police to get into those phones could also be exploited by criminals, an argument the working group ultimately found convincing.
“Congressional action in this space should weigh any short-term benefits against the longterm impacts to the national interest,” today’s report reads. “Congress cannot stop bad actors—at home or overseas— from adopting encryption. Therefore, the Committees should explore other strategies to address the needs of the law enforcement community.”
Encryption Working Group
Year-End Report
December 20, 2016
https://judiciary.house.gov/wp-content/uploads/2016/12/20161220EWGFINALReport.pdf
Tomi Engdahl says:
Chance Miller / 9to5Mac:
Apple indefinitely extends January 1, 2017 deadline requiring App Transport Security support in all apps submitted to the App Store
Apple extends deadline for app developers to switch to HTTPS server connectivity
https://9to5mac.com/2016/12/21/apple-delays-requirement-for-https/
Over the summer, Apple informed developers that all apps would be required to securely connect to servers by January 1st, 2017. The announcement came as part of the App Transport Security feature in iOS 9. This evening, however, Apple announced that it is extending the deadline for developers to make the switch to HTTPS connectivity…
In a post on its developer website, Apple stated that it is giving developers more time to support App Transport Security and thus extending the deadline. At this point, however, Apple has not announced the new deadline.
Tomi Engdahl says:
Farhad Manjoo / New York Times:
WhatsApp is being used by many immigrants and migrants to stay in touch with family members and friends back home, thanks to its security, simplicity, ubiquity
For Millions of Immigrants, a Common Language: WhatsApp
http://www.nytimes.com/2016/12/21/technology/for-millions-of-immigrants-a-common-language-whatsapp.html
When Facebook bought WhatsApp for more than $19 billion in 2014, Jan Koum, a founder of the messaging company, arranged to sign a part of the deal outside the suburban social services center where he had once waited in line to collect food stamps.
Because it’s free, has a relatively good record on privacy and security, and is popular in so many parts of the world, WhatsApp has cultivated an unusual audience: It has become the lingua franca among people who, whether by choice or by force, have left their homes for the unknown.
This is happening as the world is increasingly at war over migration; 2016 was, among other things, a prolonged and pitched battle over the rights and privileges of migrant people, whether Syrians in Europe, Europeans in Britain’s fight over Brexit, or the issue of Mexican and Muslim immigration that dominated the American presidential race.
Tomi Engdahl says:
Joseph Cox / Motherboard:
Documents reveal how Israel-based Cellebrite works with US law enforcement across 20 states to extract data from locked phones, more
http://motherboard.vice.com/read/us-state-police-have-spent-millions-on-israeli-phone-cracking-tech-cellebrite
Tomi Engdahl says:
Cyber Risk Reduction is All About the Business
http://www.securityweek.com/cyber-risk-reduction-all-about-business
During the past year, you may have noticed a shift in the way IT and security professionals talk about cyber security.
Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk.
The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem, aligned with or, in many cases surpassing other operational risks on enterprises’ priority lists. According to a recent board report, 89 percent of board members say they are very involved in making cyber risk decisions, the majority ranking cyber risk as the highest priority.
Tomi Engdahl says:
Spam “Hailstorms” Deliver Variety of Threats
http://www.securityweek.com/spam-hailstorms-deliver-variety-threats
Spam campaigns have evolved from sending a low number of messages for long periods of time to sending a high volume of emails over a short time span, which improves delivery rates before protection mechanisms can be triggered, Cisco Talos researchers warn.
Called “hailstorm” spam, the new type of spam relies on the use of a large number of sender IP addresses from all around the world.
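As an added illustration of the point above (this is example code written for this thread, not anything from Cisco Talos or SecurityWeek), the detector below distinguishes a hailstorm burst from a slow, low-volume campaign by sliding a time window over mail-log events and alerting only when message volume and sender-IP diversity are both high at once. The log line shape and the sample log are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log line shape assumed for this example: "<ISO timestamp> <sender IP> <recipient>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def build_sample_log():
    """Constructed sample (not real traffic): a slow trickle plus a hailstorm burst."""
    base = datetime(2016, 12, 21, 9, 0, 0)
    lines = []
    # Old-style campaign: 30 messages spread over ten hours from 3 sender IPs.
    for i in range(30):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.{i % 3} user{i}@example.org")
    # Hailstorm: 40 messages inside 15 seconds from 25 distinct sender IPs.
    burst = base + timedelta(hours=3)
    for i in range(40):
        ts = burst + timedelta(seconds=i * 15 // 40)
        lines.append(f"{ts.isoformat()} 203.0.113.{i % 25} victim{i}@example.org")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, sender_ip, recipient) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed shape
        events.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"),
                       m.group(2), m.group(3)))
    events.sort()
    return events


def detect_hailstorms(events, window_s=60, min_msgs=20, min_ips=10):
    """Sliding time window; alert when volume AND sender diversity are both high."""
    window = deque()               # (timestamp, ip) pairs inside the current window
    ip_counts = defaultdict(int)   # messages per sender IP inside the window
    alerts = []
    in_alert = False
    for ts, ip, _rcpt in events:
        window.append((ts, ip))
        ip_counts[ip] += 1
        # Evict everything older than window_s seconds.
        while (ts - window[0][0]).total_seconds() > window_s:
            _old_ts, old_ip = window.popleft()
            ip_counts[old_ip] -= 1
            if ip_counts[old_ip] == 0:
                del ip_counts[old_ip]
        if len(window) >= min_msgs and len(ip_counts) >= min_ips:
            if not in_alert:
                alerts.append({"start": window[0][0], "end": ts,
                               "msgs": len(window), "ips": len(ip_counts)})
                in_alert = True
            else:
                a = alerts[-1]
                a["end"] = ts
                a["msgs"] = max(a["msgs"], len(window))
                a["ips"] = max(a["ips"], len(ip_counts))
        else:
            in_alert = False
    return alerts


if __name__ == "__main__":
    for a in detect_hailstorms(parse_log(build_sample_log())):
        print(f"hailstorm {a['start']} -> {a['end']}: {a['msgs']} msgs from {a['ips']} IPs")
```

The trickle campaign never fills a one-minute window, so it produces no alert; the burst does, even though no single sender IP in it sends more than two messages, which is exactly why per-IP rate limits miss this pattern.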
Tomi Engdahl says:
Google Releases Crypto Library Testing Tool
http://www.securityweek.com/google-releases-crypto-library-testing-tool
Google this week announced the availability of Project Wycheproof, an open source tool designed for finding known vulnerabilities in popular cryptographic software libraries.
Developed in Java due to its common cryptographic interface, Project Wycheproof includes tests for the most popular crypto algorithms, including AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES and RSA. The more than 80 test cases developed by Google experts have led to the discovery of over 40 bugs in RSA, DSA, ECDH and DH.
Project Wycheproof tests crypto libraries against known attacks.
https://github.com/google/wycheproof
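To show what "testing a library against known attacks" looks like in practice, here is an added example (not Project Wycheproof's own code or vectors): a small runner over a test file laid out the way Wycheproof structures its vectors, with each test carrying an expected result of "valid" or "invalid". The vectors are constructed for this example; the one valid tag is RFC 4231 test case 1 for HMAC-SHA-256. A correct verifier passes every case, while a deliberately sloppy one that accepts any prefix of the tag is caught by the truncation cases.

```python
import hashlib
import hmac

# Constructed test file in the shape Wycheproof uses (testGroups -> tests with
# "result" of "valid"/"invalid"). The vectors are ours; tcId 1 is RFC 4231 test case 1.
KEY_HEX = "0b" * 20
MSG_HEX = "4869205468657265"  # "Hi There"
GOOD_TAG = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"

TEST_FILE = {
    "algorithm": "HMACSHA256",
    "testGroups": [{
        "keySize": 160, "tagSize": 256,
        "tests": [
            {"tcId": 1, "comment": "RFC 4231 test case 1", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": GOOD_TAG, "result": "valid", "flags": []},
            {"tcId": 2, "comment": "last bit of tag flipped", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": GOOD_TAG[:-1] + "6", "result": "invalid", "flags": []},
            {"tcId": 3, "comment": "tag truncated to 128 bits", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": GOOD_TAG[:32], "result": "invalid", "flags": []},
            {"tcId": 4, "comment": "empty tag", "key": KEY_HEX, "msg": MSG_HEX,
             "tag": "", "result": "invalid", "flags": []},
        ],
    }],
}


def verify_strict(key, msg, tag):
    """Correct verifier: constant-time comparison of the full-length tag."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)   # False on length mismatch, no exception


def verify_prefix(key, msg, tag):
    """Deliberately sloppy verifier for the demo: accepts any prefix of the real tag."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return expected.startswith(tag)


def run_tests(test_file, verify):
    """Return the tcIds where the verifier disagrees with the vector's expected result."""
    failures = []
    for group in test_file["testGroups"]:
        for t in group["tests"]:
            got = verify(bytes.fromhex(t["key"]), bytes.fromhex(t["msg"]),
                         bytes.fromhex(t["tag"]))
            if t["result"] == "valid" and not got:
                failures.append(t["tcId"])
            elif t["result"] == "invalid" and got:
                failures.append(t["tcId"])
            # a result of "acceptable" would be neither required nor forbidden
    return failures


if __name__ == "__main__":
    print("strict verifier failures:", run_tests(TEST_FILE, verify_strict))
    print("prefix verifier failures:", run_tests(TEST_FILE, verify_prefix))
```

The value of the vector format is that "must reject" cases are first-class: a library that only checks known-good vectors would never notice that it accepts an empty tag.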
Tomi Engdahl says:
Rapid7 Appointed CVE Numbering Authority
http://www.securityweek.com/rapid7-appointed-cve-numbering-authority
Rapid7 has been designated as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA), which enables the security firm to assign CVE identifiers to flaws acknowledged by affected vendors.
Boston, Mass.-based Rapid7 can, effective immediately, assign CVE identifiers to vulnerabilities found in its own products and software from other vendors, regardless if the issues have been disclosed by Rapid7 employees or third-party experts.
In 2016, Rapid7 has coordinated vulnerability disclosures with over 25 vendors on behalf of its researchers. The company has also been known to help third-party experts with developing proof-of-concept (PoC) exploits and reporting flaws to affected vendors.
“We are honored to become a CNA and look forward to collaborating with MITRE, who have impressed us with their efforts to evolve the CVE program to meet ever-increasing needs,” said Corey Thomas, president and CEO at Rapid7.
Tomi Engdahl says:
Shane Harris / Wall Street Journal:
Report: source code for malicious version of Android app used by Ukraine military shows malware used in DNC hack, raising confidence of Fancy Bear-Kremlin ties — Report adds evidence to allegations that the hackers were working for the Russian government — WASHINGTON—Malicious software used …
Cyber Experts Cite Link Between DNC Hacks and Aggression Against Ukraine
Report adds evidence to allegations that the hackers were working for the Russian government
http://www.wsj.com/articles/cyber-experts-cite-link-between-dnc-hacks-and-aggression-against-ukraine-1482385672
Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units
https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/
Tomi Engdahl says:
FANCY BEAR Targets Ukrainian Howitzers
http://hackaday.com/2016/12/22/fancy-bear-targets-ukranian-howitzers/
Just in case you’re one of the people out there who still doesn’t believe in “the cyber” — it appears that the Russian military served malicious cell-phone apps to the Ukrainian army that allowed them to track a particular artillery cannon.
The legitimate version of the Android app helped its operator use the 1960’s-era former Soviet howitzer. The trojanized version of this application did just the same, except it also phoned home to Russian military intelligence with its location. In addition to giving the Russian army valuable information about troop movements in general, it also led to the destruction of 80% of the cannons in question over two years.
This is also the same exploit that was used against the Democratic National Committee in the United States. Attribution is one of the hardest parts of white-hat hacking
Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units
https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/
Tomi Engdahl says:
Cyber Experts Cite Link Between DNC Hacks and Aggression Against Ukraine
Report adds evidence to allegations that the hackers were working for the Russian government
http://www.wsj.com/articles/cyber-experts-cite-link-between-dnc-hacks-and-aggression-against-ukraine-1482385672
WASHINGTON—Malicious software used in a hack against the Democratic National Committee is similar to that used against the Ukrainian military, a computer-security firm has determined
Tomi Engdahl says:
Tony Romm / Politico:
US government now presents travelers entering on visa waiver program with optional request to provide names of their social media accounts — NEW YORK — The U.S. government quietly began requesting that select foreign visitors provide their Facebook, Twitter and other social media accounts upon arriving …
U.S. government begins asking foreign travelers about social media
http://www.politico.com/story/2016/12/foreign-travelers-social-media-232930
The U.S. government quietly began requesting that select foreign visitors provide their Facebook, Twitter and other social media accounts upon arriving in the country, a move designed to spot potential terrorist threats that drew months of opposition from tech giants and privacy hawks alike.
Since Tuesday, foreign travelers arriving in the United States on the visa waiver program have been presented with an “optional” request to “enter information associated with your online presence,” a government official confirmed Thursday. The prompt includes a drop-down menu that lists platforms including Facebook, Google+, Instagram, LinkedIn and YouTube, as well as a space for users to input their account names on those sites.
The new policy comes as Washington tries to improve its ability to spot and deny entry to individuals who have ties to terrorist groups like the Islamic State. But the government has faced a barrage of criticism since it first floated the idea last summer.
“There are very few rules about how that information is being collected, maintained [and] disseminated to other agencies, and there are no guidelines about limiting the government’s use of that information,”
“The choice to hand over this information is technically voluntary,” he said. “But the process to enter the U.S. is confusing, and it’s likely that most visitors will fill out the card completely rather than risk additional questions from intimidating, uniformed officers — the same officers who will decide which of your jokes are funny and which ones make you a security risk.”
Tomi Engdahl says:
Cybersecurity Industry Remains Concerned Over Wassenaar Arrangement
http://www.securityweek.com/cybersecurity-industry-remains-concerned-over-wassenaar-arrangement
The Wassenaar Arrangement is a multilateral export control regime designed to prevent the trans-national proliferation of weapons. There are 41 participating states, including 26 independent members of the European Union (plus the UK). The EU, per se, does not participate.
In 2013 the export-restricted technologies were expanded to include internet-based surveillance systems including ‘intrusion software’. The wording, however, does not adequately differentiate between intrusion software for beneficial purposes and intrusion software for malevolent purposes. Despite recent changes, the wording remains broad and potentially harmful to the cybersecurity industry and security research community.
The intention was to make it harder for companies such as FinFisher GmbH and HackingTeam to provide surveillance technology to repressive regimes for use against dissidents. These products can still be exported, but only with a valid export license. The wording of the Wassenaar Arrangement, however, potentially prohibits the export of penetration testing technology designed to strengthen network security.
The second issue is particularly relevant to global organizations.
It could even imply, he told SecurityWeek, that “multi-national organizations could need to obtain an export license to transfer penetration software between its own subsidiaries in different countries around the globe.”
The problematic language within the Arrangement is particularly disturbing for the US, with its large number of global technology companies.
Changes to the Arrangement require the agreement of all 41 members.
“I am deeply disappointed that Wassenaar member states declined to make needed updates to the intrusion software controls, particularly those related to technologies necessary for their development,”
In July, a leaked draft proposal showed that the European Commission has embarked on updating 428/2009. However, early assumptions are that it will not clarify the legitimate use of intrusion software.
“A potential unintended consequence of this type of dual-use regulation,” F-Secure security advisor Erka Koivunen told SecurityWeek, “would be that security researchers would not be able to collaborate, share information or publish their results in fear of breaching the rules. It is not clear at this stage whether this is an unfounded fear, but I think it is correct to say that as a company we are following this regulation carefully.”
Tomi Engdahl says:
Russian hackers reportedly attack Ukrainian weapons, power grid
Power goes out while howitzers are hijacked.
https://www.engadget.com/2016/12/22/russian-hackers-reportedly-attack-ukrainian-weapons-power-grid/
As the conflict in Eastern Ukraine escalates, two separate reports point to Russian hackers disrupting the power grid and weapons in the war-torn country. Outside of Kiev, between 100,000 and 200,000 people were plunged into darkness when portions of the Ukrenergo power company were knocked offline on December 18. The electricity was quickly restored but the situation has raised concerns of infrastructure hacking.
The director of the power company, Vsevolod Kovalchuk, told Defense One that he is 99 percent sure a deliberate attack caused the outage. The event is similar to another blackout last year that was reportedly pulled off by Russian hackers, Sandworm. So far there’s no direct connection between the hackers and the Russian military.
Meanwhile it looks like an app built to help quickly target the D-30 howitzers used by the Ukrainian military was hijacked with malware that could have potentially shared the location of those large guns with Russia.
CROWDSTRIKE GLOBAL INTELLIGENCE TEAM
USE OF FANCY BEAR ANDROID MALWARE IN TRACKING OF UKRAINIAN FIELD ARTILLERY UNITS
https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf
Tomi Engdahl says:
Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script
https://developers.slashdot.org/story/16/12/27/2127244/millions-of-websites-vulnerable-due-to-security-bug-in-popular-php-script
A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more.
The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18.
Millions of Websites Vulnerable Due to Security Bug in Popular PHP Script
https://www.bleepingcomputer.com/news/security/millions-of-websites-vulnerable-due-to-security-bug-in-popular-php-script/
A security flaw discovered in a common PHP script allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server.
The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code.
Across time, the library has grown in popularity and is currently included in hundreds of millions of websites on the Internet, along with some of the most popular PHP CMSs today, such as WordPress, Joomla, Drupal, SugarCRM, vTiger CRM, Mantis, XOOPS, Zikula, and more.
Tomi Engdahl says:
Billy Steele / Engadget:
Report: police sought Echo data with warrant in murder case; Amazon declined to share the data Echo logged on servers but did provide suspect’s account details — Amazon’s Echo devices and its virtual assistant are meant to help find answers by listening for your voice commands.
Police seek Amazon Echo data in murder case (updated)
The company declined to do so, but the case raises bigger questions about IoT privacy.
https://www.engadget.com/2016/12/27/amazon-echo-audio-data-murder-case/
Amazon’s Echo devices and its virtual assistant are meant to help find answers by listening for your voice commands. However, police in Arkansas want to know if one of the gadgets overheard something that can help with a murder case. According to The Information, authorities in Bentonville issued a warrant for Amazon to hand over any audio or records from an Echo belonging to James Andrew Bates. Bates is set to go to trial for first-degree murder for the death of Victor Collins next year.
Amazon declined to give police any of the information that the Echo logged on its servers, but it did hand over Bates’ account details and purchases. Police say they were able to pull data off of the speaker, but it’s unclear what info they were able to access.
Amazon Echo and the Hot Tub Murder
https://www.theinformation.com/amazon-echo-and-the-hot-tub-murder?eu=JnmYMZlQZHz7uehZk0Lvtg
Tomi Engdahl says:
Sebastian Moss / DatacenterDynamics:
Chinese consortium buys 49% of British data center operator Global Switch for £2.4B, prompting security concerns among UK’s politicians
Chinese investors buy 49 percent of Global Switch
http://www.datacenterdynamics.com/content-tracks/colo-cloud/chinese-investors-buy-49-percent-of-global-switch/97520.fullarticle
The £2.4bn deal for the Reuben Brothers business drew the attention of UK politicians earlier this year, when they spoke of nervousness over Chinese corporations having control over the UK’s digital infrastructure.
Global Switch will build a new data center in Shanghai in a joint venture with Daily-Tech, a route that Western companies have increasingly used to gain access to the Chinese market – a market which could soon become all the more hostile due to cyber security laws.
Tomi Engdahl says:
Ellen Nakashima / Washington Post:
Obama urges the end of the “dual hat” arrangement where US Cyber Command and NSA are led by the same person
Obama moves to split cyberwarfare command from the NSA
https://www.washingtonpost.com/world/national-security/obama-moves-to-split-cyberwarfare-command-from-the-nsa/2016/12/23/a7707fc4-c95b-11e6-8bee-54e800ef2a63_story.html?utm_term=.480412c80937
Tomi Engdahl says:
Kevin McCoy / USA Today:
Three Chinese citizens charged in US for computer intrusion, insider trading, and more, after allegedly trading on information obtained by hacking law firms — Chinese traders hacked into the computer systems of U.S. law firms that handle mergers, then used the data for insider trading …
Chinese traders charged with insider trading on hacked information
http://www.usatoday.com/story/money/2016/12/27/chinese-traders-charged-insider-trading-hacked-information/95874200/
Chinese traders hacked into the computer systems of U.S. law firms that handle mergers, then used the data for insider trading that generated more than $4 million in illegal profits, federal prosecutors and regulators charged Tuesday.
The suspects in the alleged criminal marriage of cyber-hacking and securities fraud targeted at least seven law firms and other entities that handle the sensitive and often lucrative legal work of advising companies pursuing mergers and acquisitions, according to a 13-count superseding indictment unsealed in New York.
SEC investigators used trading surveillance and analysis to identify the alleged scheme, which was carried out through the use of both U.S. and offshore accounts, said Stephanie Avakian, acting director of the SEC’s enforcement division.
Tomi Engdahl says:
Nevada accidentally leaks thousands of medical marijuana dispensary applications
http://www.zdnet.com/article/nevada-leaks-personal-data-on-thousands-of-medical-marijuana-dispensary-applicants/
The data includes their dates of birth, home addresses, citizenship, and driving license and social security numbers of the applicants.
Nevada’s state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state.
Each application, eight pages in length, includes the person’s full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant’s citizenship, their driving license number (where applicable), and social security number.
Security researcher Justin Shafer found the bug in the state’s website portal, allowing anyone with the right web address to access and enumerate the thousands of applications.
Though the medical marijuana portal can be found with a crafted Google search query, we’re not publishing the web address out of caution until the bug is fixed.
The spokesperson added that the leaked data was a “portion” of one of several databases.
The state government will be notifying applicants in the next few days of the leak in line with state law.
Tomi Engdahl says:
Destructive KillDisk Malware Turns Into Ransomware
https://it.slashdot.org/story/16/12/28/2053205/destructive-killdisk-malware-turns-into-ransomware
A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain. CyberX VP of research David Atch told SecurityWeek that the KillDisk variant they have analyzed is a well-written piece of ransomware,
Destructive KillDisk Malware Turns Into Ransomware
http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware
A recently discovered variant of the KillDisk malware encrypts files and holds them for ransom instead of deleting them. Since KillDisk has been used in attacks aimed at industrial control systems (ICS), experts are concerned that threat actors may be bringing ransomware into the industrial domain.
Previous versions of KillDisk wiped hard drives in an effort to make systems inoperable, but a new variant observed by industrial cyber security firm CyberX encrypts files using a combination of RSA and AES algorithms. Specifically, each file is encrypted with an individual AES key and these keys are encrypted using an RSA 1028 key stored in the body of the malware.
The ransomware is designed to encrypt various types of files, including documents, databases, source code, disk images, emails and media files. Both local partitions and network folders are targeted.
Tomi Engdahl says:
Massive Attack from New “Leet Botnet” Reaches 650 Gbps
http://www.securityweek.com/massive-attack-new-leet-botnet-reaches-650-gbps
New Leet Botnet Shows IoT Device Security Regulation May Become Necessary
Just before Christmas, Imperva found its network under a massive DDoS assault that reached 650 Gbps (Gigabit per second), making it one of the largest known DDoS attacks on record.
Powered by what Imperva is calling the Leet Botnet, the attack occurred on the morning of Dec. 21, and was delivered against several anycasted IPs on the Imperva Incapsula network.
While precise device attribution is not yet possible, it seems likely that, like Mirai, it uses thousands of compromised IoT devices.
“Due to IP spoofing, it’s hard to accurately identify the devices used in this attack,” Avishay Zawoznik, security research specialist for the Incapsula product line at Imperva, told SecurityWeek. “We did, however, find some reliable clues in the payload’s content. Here, manual analyses of individual payloads pointed to some type of Linux device. For instance, some were ‘stuffed’ with the details of the proc filesystem (/proc) folder, which is specific to Unix-like systems.”
Hidden behind spoofed IP addresses, it was impossible to locate the geographical location of the attacking devices; but Imperva was able to analyze the content of the packets being used. Although similar in size to the Mirai attack on KrebsOnSecurity in October, it was immediately clear that this was different. (There have been some suggestions that the Mirai attack against DNS service provider Dyn could have exceeded 1 Tbps.)
Leet’s name comes from a ‘signature’ within the packets. “In the TCP Options header of these packets, the values were arranged so they would spell ‘1337’. To the uninitiated, this is leetspeak for ‘leet’, or ‘elite’,” notes Imperva.
Two separate payloads were used: regular SYN packets (44 to 60 bytes), and abnormally large SYN packets (799 to 936 bytes). The content of the large packets was taken from the compromised devices and scrambled. The result is an inexhaustible supply of obfuscated and randomized payloads that can bypass any signature-based defenses that mitigate attacks by identifying similarities in packet content.
There is no immediate solution beyond preparation as far as possible. “Organisations should be prepared to mitigate DDoS attacks and be prepared to get back up and running once the attack is over,” suggests F-Secure security advisor Sean Sullivan. “DDoS attacks cannot be prevented; being prepared to reduce downtime in the aftermath lessens the threat of DDoS. Extortionists will move on to weaker targets that are less prepared.”
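Added example (written for this thread, not Imperva's or F-Secure's code): the two traits the article describes, SYN packets padded out to several hundred bytes and the ‘1337’ bytes in the options area, can both be checked per segment once the TCP header is parsed. The segments below are constructed with a small builder rather than read from a capture, and the 800-byte random payload stands in for the scrambled content the article mentions.

```python
import random
import struct

SYN, ACK = 0x02, 0x10


def build_tcp_segment(src_port, dst_port, flags, options=b"", payload=b""):
    """Build a raw TCP segment (no IP header); options are padded to 32 bits with EOL bytes."""
    opts = options + b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(opts) // 4            # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, flags, 65535, 0, 0)
    return header + opts + payload


def parse_tcp_segment(seg):
    """Split a raw TCP segment into header fields, raw option bytes and payload."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    hlen = (off >> 4) * 4
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad data offset")
    return {"src_port": src, "dst_port": dst, "flags": flags,
            "options": seg[20:hlen], "payload": seg[hlen:], "size": len(seg)}


def classify_syn(seg, max_syn_payload=0):
    """None for non-SYN traffic; otherwise the list of anomaly reasons (empty = looks normal)."""
    p = parse_tcp_segment(seg)
    if not (p["flags"] & SYN) or (p["flags"] & ACK):
        return None
    reasons = []
    if len(p["payload"]) > max_syn_payload:   # a plain SYN should carry no data
        reasons.append("syn_with_payload")
    if b"1337" in p["options"]:               # the marker the article describes
        reasons.append("leet_marker")
    return reasons


def build_samples():
    """Constructed segments: a normal SYN with an MSS option, an oversized SYN with the marker, an ACK."""
    rng = random.Random(1337)
    scrambled = bytes(rng.getrandbits(8) for _ in range(800))   # stand-in for scrambled content
    mss = b"\x02\x04\x05\xb4"                                   # MSS option, 1460 bytes
    normal = build_tcp_segment(40000, 80, SYN, options=mss)
    leet = build_tcp_segment(40001, 80, SYN, options=mss + b"1337", payload=scrambled)
    ack = build_tcp_segment(40000, 80, ACK, payload=b"GET / HTTP/1.1\r\n")
    return {"normal": normal, "leet": leet, "ack": ack}


def summarize(segments):
    """Map sample name -> reasons for every SYN that was flagged."""
    flagged = {}
    for name, seg in segments.items():
        reasons = classify_syn(seg)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in summarize(build_samples()).items():
        print(name, parse_tcp_segment(build_samples()[name])["size"], "bytes:", reasons)
```

The payload-size check is the durable one: the marker can be dropped from the next botnet, but a flood of SYNs carrying hundreds of bytes of data is anomalous regardless of what the bytes contain, which is the point the article makes about signature-based mitigation.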
Tomi Engdahl says:
Vulnerabilities Plague PHP 7’s Unserialize Mechanism
http://www.securityweek.com/vulnerabilities-plague-php-7s-unserialize-mechanism
PHP 7’s “unserialize” function is plagued by a series of vulnerabilities that could allow an attacker to take full control over affected servers, Check Point security researchers reveal.
Tracked as CVE-2016-7479, CVE-2016-7480, and CVE-2016-7478, the vulnerabilities are new, but they can be exploited in a similar manner as detailed in a separate vulnerability detailed in August. The flaw, a use-after-free in SPL, could be exploited “by using re-usable exploit primitives for PHP-7 unserialize vulnerabilities,” Check Point said in August.
In a report (PDF) that provides full details of the exploitation method, Check Point experts explained that the unserialize function could be abused to read memory, to forge objects, and to achieve code execution on the affected server. They also underlined that the function was dangerous and that it had been proven so numerous times over the past years, although it remained in use.
http://blog.checkpoint.com/wp-content/uploads/2016/08/Exploiting-PHP-7-unserialize-Report-160829.pdf
Tomi Engdahl says:
“Switcher” Android Trojan Hacks Routers, Hijacks Traffic
http://www.securityweek.com/switcher-android-trojan-hacks-routers-hijacks-traffic
Researchers at Kaspersky Lab have come across a new Android Trojan that hacks routers and changes their DNS settings in an effort to redirect traffic to malicious websites.
Dubbed “Switcher,” the malware has been disguised as an Android client for the Chinese search engine Baidu, and a Chinese app for sharing Wi-Fi network details. Once users install one of these apps, the malware attempts to guess the username and password of the Wi-Fi router the infected Android device is connected to.
Switcher includes a list of more than two dozen username and password combinations that could allow it to access the router’s web administration interface, such as admin:admin, admin:123456, or admin:00000000.
“With the help of JavaScript it tries to login using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers,” Nikita Buchka, mobile security expert at Kaspersky Lab, said in a blog post.
Switcher: Android joins the ‘attack-the-router’ club
https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/
Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.
Tomi Engdahl says:
IBM Reports Significant Increase in ICS Attacks
http://www.securityweek.com/ibm-reports-significant-increase-ics-attacks
The number of attacks aimed at industrial control systems (ICS) increased by 110 percent in 2016 compared to the previous year, according to data from IBM Managed Security Services.
The company has attributed this significant increase to brute force attacks on supervisory control and data acquisition (SCADA) systems.
Attackers apparently used a penetration testing framework made available on GitHub in January 2016. The tool, named smod, can be used to conduct a security assessment of the Modbus serial communications protocol and it includes brute-force capabilities.
“The public release and subsequent use of this tool by various unknown actors likely led to the rise in malicious activity against ICS in the past 12 months,”
MODBUS Penetration Testing Framework
https://github.com/enddo/smod
smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest the Modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. This software can be run on Linux/OSX under Python 2.7.x.
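Added example for the defender's side of the IBM item above (this is not code from smod or IBM): Modbus/TCP carries no authentication, so the practical monitoring question is who is sending which function codes to which unit IDs. The snippet parses the MBAP header and PDU of each request and raises alerts for writes from hosts outside an allowlist, for one source walking many unit IDs, and for malformed frames. The traffic, hosts and allowlist are constructed for the example.

```python
import struct
from collections import defaultdict

# Modbus function codes that change state on the device (writes).
WRITE_FCS = {5, 6, 15, 16, 22, 23}


def build_modbus_tcp(tid, unit_id, function_code, data=b""):
    """Encode one Modbus/TCP request: MBAP header (tid, protocol 0, length, unit) + PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame):
    """Decode an MBAP header and PDU, rejecting frames whose length field disagrees."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def analyze(traffic, allowed_writers, scan_threshold=8):
    """traffic: iterable of (source_ip, raw_frame). Returns (src, alert_type, detail) tuples."""
    per_src = defaultdict(lambda: {"units": set(), "fcs": set()})
    alerts = []
    for src, frame in traffic:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append((src, "malformed", str(exc)))
            continue
        per_src[src]["units"].add(req["unit"])
        per_src[src]["fcs"].add(req["fc"])
        if req["fc"] in WRITE_FCS and src not in allowed_writers:
            alerts.append((src, "unauthorized_write", f"fc={req['fc']} unit={req['unit']}"))
    for src, seen in per_src.items():
        if len(seen["units"]) >= scan_threshold:
            alerts.append((src, "unit_id_scan", f"{len(seen['units'])} unit ids probed"))
    return alerts


def build_sample_traffic():
    """Constructed traffic: a known HMI, an unknown host enumerating unit ids, a broken frame."""
    traffic = []
    # Legitimate HMI polling holding registers on unit 1 and writing one setpoint.
    for tid in range(5):
        traffic.append(("10.0.0.5", build_modbus_tcp(tid, 1, 3, struct.pack("!HH", 0, 10))))
    traffic.append(("10.0.0.5", build_modbus_tcp(5, 1, 6, struct.pack("!HH", 0, 500))))
    # Unknown host walking unit ids 1..20, then issuing a write.
    for unit in range(1, 21):
        traffic.append(("10.0.0.99", build_modbus_tcp(100 + unit, unit, 3, struct.pack("!HH", 0, 1))))
    traffic.append(("10.0.0.99", build_modbus_tcp(200, 1, 6, struct.pack("!HH", 0, 0))))
    # A truncated frame, as a fuzzer or a broken client might send.
    traffic.append(("10.0.0.99", b"\x00\x01\x00\x00"))
    return traffic


if __name__ == "__main__":
    for alert in analyze(build_sample_traffic(), allowed_writers={"10.0.0.5"}):
        print(alert)
```

In a real plant the allowlist would be the engineering workstation and HMI addresses, and the unit-ID threshold would be set from a baseline of what each host normally talks to.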
Tomi Engdahl says:
Critical RCE Flaw Patched in PHPMailer
http://www.securityweek.com/critical-rce-flaw-patched-phpmailer
The developers of PHPMailer have patched a critical vulnerability that can be exploited by a remote attacker for arbitrary code execution, a researcher said on Sunday.
With millions of installations, PHPMailer is considered the world’s most popular email creation and transfer class for PHP. It has been used by several major open-source projects, including WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla.
Tomi Engdahl says:
Thailand Detains Nine for Hacks Protesting Cyber Law
http://www.securityweek.com/thailand-detains-nine-hacks-protesting-cyber-law
Thai authorities have detained at least nine people on suspicion of hacking, a senior junta official said Monday, following days of disruption to government websites sparked by the passing of a controversial cyber censorship law.
Earlier this month Thailand’s rubber-stamp parliament unanimously approved a new security law that will make it much easier for the junta to scrub the web of content it dislikes.
The broadly-worded bill bans people from uploading anything deemed “in breach of good morality” and empowers a new committee to take down websites. Since the bill’s passing, hactivists have targeted Thai government websites.
Tomi Engdahl says:
Healthcare Industry Can Go Beyond Compliance to Achieve Better Security
http://www.securityweek.com/healthcare-industry-can-go-beyond-compliance-achieve-better-security
The Healthcare Industry Has a complex Relationship with Security, Compliance, and Legislation
Most larger organizations are at a maturation point where their security has moved beyond industry compliance requirements and can focus on measures that proactively enhance security.
Recent media attention surrounding large-scale cyber attacks and data breaches in healthcare has encouraged many to take a closer look at the industry’s susceptibility to security issues. Many of the factors contributing to this susceptibility — including poor password hygiene, legacy or unpatched systems, and lax user-access controls — do indeed exist across all industries. However, others are unique to healthcare — including some that developed in part as externalities of recent legislation and outdated compliance requirements.
In particular, the healthcare industry’s rushed adoption of Electronic Medical Records (EMRs) is one such factor.
Tomi Engdahl says:
North Korea’s Android Tablet Takes a Screenshot Every Time You Open an App
https://yro.slashdot.org/story/16/12/28/2040216/north-koreas-android-tablet-takes-a-screenshot-every-time-you-open-an-app?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
When you think of North Korea, the first thing that springs to mind is probably not a well-featured tablet PC. But that’s just what researchers at the Chaos Communication Congress hacking festival revealed on Tuesday. Called Woolim, this tablet is designed to limit the distribution of contraband media, track its users, and generally act as a propaganda platform for the Democratic People’s Republic of Korea (DPRK). Woolim is a small, white Android device that looks like a fairly standard tablet. The hardware itself is made by Chinese manufacturer Hoozo, but the North Korean government has removed some components such as those for wi-fi and bluetooth, and put its own bespoke software on top.
Here’s North Korea’s Totalitarian Android Tablet
http://motherboard.vice.com/read/heres-north-koreas-totalitarian-android-tablet
Called Woolim, this tablet is designed to limit the distribution of contraband media, track its users, and generally act as a propaganda platform for the Democratic People’s Republic of Korea (DPRK).
“It’s pretty locked down,” researcher Florian Grunow told Motherboard in an interview on Tuesday. Grunow presented the research along with co-researchers Niklaus Schiess and Manuel Lubetzki.
After the researchers presented work covering RedStar OS, North Korea’s Linux-based operating system, a South Korean NGO offered the tablet to the group. Woolim is just one of several tablets designed for North Korea, but Woolim appears to be the most recent, likely dating from 2015.
Tomi Engdahl says:
Santa Knows If Your Contact Form Uses PHPMailer < 5.2.18
http://hackaday.com/2016/12/25/santa-knows-if-your-contact-form-uses-phpmailer-5-2-18/
PHPMailer, one of the most used classes for sending emails from within PHP, has a serious vulnerability in versions less than 5.2.18 (current version). The security researcher [Dawid Golunski] just published a limited advisory stating that PHPMailer suffers from a critical flaw that might lead an attacker to achieve remote code execution in the context of the web server user. PHPMailer is used by several open-source projects, among them are: WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla. A fix has been issued and PHPMailer is urging all users to upgrade their systems.
Tomi Engdahl says:
Obama to Announce Retaliation Against Russia for Election Hacks
http://www.securityweek.com/obama-announce-retaliation-against-russia-election-hacks
The Obama administration is thought to be finalizing its response to Russian interference in the 2016 election. This could include any combination of economic sanctions, criminal indictments or a cyber response — but the intention is to get something in place that cannot easily be rolled back by President-elect Donald Trump. Details could be announced as early as this week.
Government agencies have concluded that Russia, likely with the personal direction of Vladimir Putin, were behind the DNC hacks earlier this year. This is thought to be part of a wider ‘disinformation’ campaign designed to support Trump over Clinton. Similar disinformation concerns have been raised in Germany over next year’s German elections.
One of Obama’s problems is that he has limited means to invoke retaliation at this stage of his presidency. A 2015 executive order allows sanctions against people who harm computer systems that are part of the US critical infrastructure (CI) or seek to gain competitive advantage through the cybertheft of commercial information; but elections have not been considered part of the CI.
Criminal indictments, similar to those brought against Chinese military officials in 2014, will depend upon irrefutable legal evidence; and it is thought that the FBI is not convinced that it yet has enough evidence that could be used in a criminal case.
Some form of covert cyber retaliation is a strong option; but brings its own problems. One difficulty would be in containing the action in a way that would not lead to an escalation of cyber conflict — and it has been suggested that leaking personal and embarrassing information on senior Russian officials could be an option.
Anything more extensive could be dangerous. “While offensive cyber operations can be highly precise munitions in that they can be directed to only impact specific targets,”
He warns that unintended escalation of serious cyber retaliation is a real danger. “Impacting digital infrastructure beyond the intended target opens the door to draw additional nation states into a conflict. This increases risk to civilian populations as countries see the need to retaliate or escalate.”
Tomi Engdahl says:
A journalist is suing U.S. spy agencies for more details on Russia’s hacking of the U.S. election
http://www.recode.net/2016/12/27/14088808/russia-hacking-trump-election-journalist-sues-foia-leopold-shapiro-cia-fbi
The CIA, FBI, Department of Homeland Security and the Office of the Director of National Intelligence have failed to respond to a Freedom of Information Act request.
A lawsuit was filed yesterday against the CIA, FBI, Department of Homeland Security and the Office of the Director of National Intelligence for failure to comply with a Freedom of Information Act request seeking records pertaining to Russian interference with the recent U.S. presidential election.
Jason Leopold, an investigative reporter who frequently writes for Vice, and Ryan Shapiro, a PhD candidate at MIT and research affiliate at Harvard who is known for his activism around the release of government records, filed the lawsuit after never receiving word as to whether or not their petition for expedited processing of their information request would be granted.
Specifically, the FOIA requests seek information Congress may have received to or from federal intelligence agencies that reference terms like CrowdStrike, Fancy Bear, Guccifer 2.0, related IP addresses and other terms that surfaced in relation to the hacking of campaign-related systems in the run-up to the campaign. Leopold and Shapiro are also requesting communications between FBI director James Comey and the White House about publicly accusing Russia of interfering with the election.
Tomi Engdahl says:
Your Children Already Know What They’re Getting for Christmas—Thanks, Internet
http://www.wsj.com/articles/those-ads-that-follow-you-around-the-internet-are-ruining-christmas-1482507745
Online shopping makes it simple to buy gifts, but cookies, browsing histories and thumbprint passwords make it hard to hide them; it’s from Amazon, not Santa
Tomi Engdahl says:
U.S. companies want to play China’s game. They just can’t win it.
https://www.washingtonpost.com/world/asia_pacific/us-companies-want-to-play-chinas-game-they-just-cant-win-it/2016/12/22/0fffa35a-b7f3-11e6-939c-91749443c5e5_story.html
BEHIND THE FIREWALL: How China tamed the Internet | This is part of a series examining the impact of China’s Great Firewall, a mechanism of Internet censorship and surveillance that affects nearly 700 million users.
Tomi Engdahl says:
Andrew E. Kramer / New York Times:
How Russia has bolstered its cyberwarfare capabilities in recent years by working with outside firms and recruiting convicted hackers, scientists, college grads — MOSCOW — Aleksandr B. Vyarya thought his job was to defend people from cyberattacks until, he says, his government approached him with a request to do the opposite.
How Russia Recruited Elite Hackers for Its Cyberwar
http://www.nytimes.com/2016/12/29/world/europe/how-russia-recruited-elite-hackers-for-its-cyberwar.html
Aleksandr B. Vyarya thought his job was to defend people from cyberattacks until, he says, his government approached him with a request to do the opposite.
“This is against my principles — and illegal,” he said of the Russian military’s hacking effort.
While much about Russia’s cyberwarfare program is shrouded in secrecy, details of the government’s effort to recruit programmers in recent years — whether professionals like Mr. Vyarya, college students, or even criminals — are shedding some light on the Kremlin’s plan to create elite teams of computer hackers.
American intelligence agencies say that a team of Russian hackers stole data from the Democratic National Committee during the presidential campaign. On Thursday, the Obama administration imposed sanctions against Russia for interfering in the election, the bedrock of the American political system.
For more than three years, rather than rely on military officers working out of isolated bunkers, Russian government recruiters have scouted a wide range of programmers, placing prominent ads on social media sites, offering jobs to college students and professional coders, and even speaking openly about looking in Russia’s criminal underworld for potential talent.
David E. Sanger / New York Times:
White House announces sanctions and ejection of Russian intelligence operatives in response to political hacking — WASHINGTON — The Obama administration struck back at Russia on Thursday for its efforts to influence the 2016 election, ejecting 35 Russian intelligence operatives …
Obama Strikes Back at Russia for Election Hacking
http://www.nytimes.com/2016/12/29/us/politics/russia-election-hacking-sanctions.html
The Obama administration struck back at Russia on Thursday for its efforts to influence the 2016 election, ejecting 35 Russian intelligence operatives from the United States and imposing sanctions on Russia’s two leading intelligence services, including four top officers of the military intelligence unit the White House believes ordered the attacks on the Democratic National Committee and other political organizations.
Tomi Engdahl says:
FBI Aliases of Russian Hacking Groups, Ranked
http://gizmodo.com/fbi-aliases-of-russian-hacking-groups-ranked-1790610899?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
In response to Russian “cyber operations aimed at the U.S. election,” the White House released a declassified joint analysis by the FBI and Department of Homeland Security on Thursday of the campaign they have named “Grizzly Steppe.”
In the report, the agencies summarize the spear-phishing operation that allowed the Russian intelligence organizations known as “Cozy Bear” and “Fancy Bear” to independently access Democratic Party emails and recommend a series of measures to mitigate further attacks.
list of “Reported Russian Military and Civilian Intelligence Services” aliases and tools contained in the report
Tomi Engdahl says:
Obama Fires Back at Election Hacks by Politely Asking Russian Guys to Leave
http://gizmodo.com/obama-strikes-back-at-election-hacks-by-politely-asking-1790605345#_ga=1.125861901.122581585.1444279257
On Thursday, President Obama announced several emblematic measures against Russia for “cyber operations aimed at the U.S. election,” including expelling 35 Russian intelligence operatives from the United States, sanctioning two of the country’s security agencies and releasing a declassified report detailing malicious cyber activity by Russian actors.
It’s unclear, however, how much the White House’s actions will deter future attacks as they impose few serious costs on Russia.