Here are my predictions for trends in information security and cyber security for the year 2016.
The year 2015 was a pretty bad one for information security, and I would say that the trend is worrying. So I expect the year 2016 will have many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but they will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, and identification can therefore be very difficult. Behind targeted attacks are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor violate the law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge number of user information leaks from all kinds of Internet services in 2015, cloud companies will face challenges in gaining trust in their security. You might just have dared to trust “the right cloud services”, since from the traditional information security point of view the main things seemed to be in order, but now these privacy issues are being raised as well.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health care and new operators will set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There is bigger and smaller news, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device,” the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the lock-and-key system of public key infrastructure, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
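The “integrity solution that acts like an alarm” idea above can be made concrete with a small file-integrity monitor: take a baseline of file digests while the system is known good, then re-check it and alarm on anything modified, missing or newly appeared. The code below is an added illustration written for this post, not code from the original; the directory layout and file contents in demo() are constructed for the example, and a real deployment would store the baseline somewhere the monitored host cannot overwrite.

```python
"""File-integrity "alarm": baseline a tree of files, later re-check it.

Added illustration of the post's "integrity solution that acts like an alarm";
this is not code from the original post. The directory layout and file
contents used in demo() are constructed for the example.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Record relative path -> digest for every file under root.

    In practice the baseline is written somewhere the monitored host cannot
    alter (read-only media, another machine); otherwise an intruder who can
    change the files can also change the manifest.
    """
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree against the baseline and report every deviation.

    Three conditions should raise the alarm: a file whose digest changed
    (patched binary, edited config), a file that disappeared, and a file that
    appeared where none was expected.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two files, tamper with the tree, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"bin/ssh": b"original binary", "etc/config": b"setting=1\n"}
        for rel, data in originals.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(root, "bin", "ssh"), "wb") as f:
            f.write(b"replaced binary")
        os.remove(os.path.join(root, "etc", "config"))
        with open(os.path.join(root, "bin", "unexpected"), "wb") as f:
            f.write(b"dropped file")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check deliberately reports additions as well as modifications: a perimeter-only mindset watches for changed files, but a newly dropped file in a trusted directory is just as much an alarm condition.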
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it, because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government, i.e. a backdoor, would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals. Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security; for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017, due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016 and will completely stop supporting SHA-1 certificates at the end of 2016.
The use of Blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will get used more widely than just for the Bitcoin virtual currency. With bitcoin, Blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces to create an alternative to the blockchain with the Linux Foundation.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption in which the keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle, as it introduces an additional step to the login process.
Google is testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smartphone will become a more and more security-critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect the number of mobile vulnerabilities to only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2015. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “There are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business- and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it is completely the wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars are featuring more gadgetry and connected systems, and this will make vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors – but business beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly in ransom-malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware, I recommend making sure with your IT support or your service provider that the data backup and restore procedure is operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
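“Practiced and tested” is the part most backup procedures skip: an archive that was written is not the same as data that can be restored. The block below is an added example for this post, not code from the original, of the drill that closes that gap: record a manifest of what must be protected, take the backup, restore it into a scratch directory and compare every file against the manifest. The sample files are constructed in a temporary directory; the second, deliberately mis-scoped backup job models a filter rule that silently skips a database file, which is exactly the kind of failure you want to discover before ransomware does.

```python
"""Backup-and-restore drill: back up a directory, restore it elsewhere and
prove every file came back byte-for-byte.

Added example for the "backup and restore procedure operational, practiced and
tested" advice in the post; not code from the original. The sample files and
the mis-scoped backup job in demo() are constructed for the example.
"""
import hashlib
import os
import tempfile
import zipfile
from typing import Dict, List, Optional


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under root."""
    out: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return out


def make_backup(src: str, archive: str, exclude_suffix: Optional[str] = None) -> int:
    """Write a zip archive of src and return the number of files archived.

    `exclude_suffix` stands in for the filter rules real backup jobs carry
    (skip *.tmp, skip big files...) that can quietly drop something vital.
    """
    count = 0
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, _dirs, files in os.walk(src):
            for name in files:
                if exclude_suffix and name.endswith(exclude_suffix):
                    continue
                full = os.path.join(dirpath, name)
                zf.write(full, arcname=os.path.relpath(full, src).replace(os.sep, "/"))
                count += 1
    return count


def restore_and_check(archive: str, expected: Dict[str, str]) -> List[str]:
    """Restore into a scratch directory and return every path that did not
    round-trip: missing from the restore, different content, or unexpected.

    An empty list means the drill passed; anything else means this backup
    would not have got your data back.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(scratch)
        restored = tree_digests(scratch)
    problems = [p for p, digest in expected.items() if restored.get(p) != digest]
    problems += [p for p in restored if p not in expected]
    return sorted(problems)


def demo() -> Dict[str, List[str]]:
    """Constructed drill: one correct backup job and one with a bad exclude rule."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        sample = {
            "docs/report.txt": b"quarterly numbers",
            "db/ledger.sqlite": b"\x00binary\x01content",
            "notes.md": b"# notes\n",
        }
        for rel, data in sample.items():
            full = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        expected = tree_digests(src)  # what the business needs back

        good = os.path.join(work, "good.zip")
        make_backup(src, good)
        bad = os.path.join(work, "bad.zip")
        make_backup(src, bad, exclude_suffix=".sqlite")  # mis-scoped job
        return {"good": restore_and_check(good, expected),
                "bad": restore_and_check(bad, expected)}


if __name__ == "__main__":
    print(demo())
```

Run the drill from a machine that is not the one being backed up and keep the archive where a compromised host cannot reach it; a backup the ransomware can also encrypt is not a backup.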
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held to ransom with DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The article “Ransomware Is Coming to Medical Devices” tells that, according to a report recently released by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
2,232 Comments
Tomi Engdahl says:
$17 smartwatch sends something to random Chinese IP address
Samsung Gear 2 also has some problems, researcher says
http://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/
A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address.
The U8 watch sells for just US$17 and offers a 1.48″ touch screen, Bluetooth to connect to either Android or iOS phones and the ability to make or answer calls. The Android companion app for the device can access contacts, call and SMS histories.
Mobile Iron research director Michael Raggo (@datahiding) told the BSides San Francisco conference the watch is a threat to individual and enterprise security.
“We ran dynamic and behavioural analysis (on the pairing app) and discovered that when it was paired, it started communicating outbound over a random IP address to China,” Raggo said.
“We don’t know what the IP address is. In terms of corporate espionage, in terms of risk, there’s definitely a lot of suspicious behaviours there.”
Tomi Engdahl says:
RSA asks for plaintext Twitter passwords on conference reg page
Should be a good conference if the medium is the message (NOT)
http://www.theregister.co.uk/2016/01/22/bad_form_rsa_sucking_up_suckers_twitter_logins_for_confab_blab/
Scores of security bods registering for security outfit RSA’s Executive Security Action Forum (ESAF) have handed over their Twitter account passwords to the company’s website in what is seen as something between bad practice and outright compromise.
The registration process for the February 29 event asks delegates to enter their Twitter credentials so that a prefab tweet about their attendance can be sent.
But the page asks for their direct plaintext password, and does not make use of OAuth-enabled single sign-on, which is the standard means by which websites can allow Twitter logons without compromising security.
A search on the social media site reveals the names of users who have willingly punched in their Twitter password into a page that is obviously not using single sign-on.
Tomi Engdahl says:
Hardcoded god-mode code found in RSA 2016 badge-scanning app
Being zapped to score a branded USB stick just got dangerous
http://www.theregister.co.uk/2016/03/03/harddcoded_god_mode_code_found_in_rsa2016_expo_samsung_phones/
RSA 2016 The official RSA app exhibitors use to scan delegate badges contains a hardcoded password allowing vendors to access the full features of the device, says Bluebox Security’s Andrew Blaich.
Vendors of the San Francisco mega-conference expo hall were handed Android Samsung Galaxy S4 phones, locked into kiosk mode and intended for use as scanners of delegates’ badges.
Lead security chap Blaich tinkered with the app downloaded from the Play Store to power the scanners and found a hardcoded admin password within the app’s code. With that password, an attacker could gain control of the phones.
“Using this password an attacker could gain access to the app’s developer mode, root the device, pull any data off of it, or install malware to steal even more data.” Which is a bad thing when the phone is used to scan badges that link to a database of security conference attendees.
“If you develop an app, it’s usually a best practice to not leave a hardcoded password in your code,” Blaich says.
“Just because an app is being used for one of the world’s largest cyber security conferences doesn’t automatically mean it’s more secure.”
Tomi Engdahl says:
Learn things? DROWN HTTPS flaw proves we don’t even test things
You knew SSLv2 was poison, so why was it still there?
http://www.theregister.co.uk/2016/03/02/drown_proves_people_didnt_test_their_servers_after_poodle/
In the wake of the DROWN vulnerability, organisations like the Australian Signals Directorate that offer security incident mitigation strategies might consider adding another item to their lists: test your configuration to make sure it’s what you expected.
The DROWN flaw in HTTPS would not be anything to worry about, except that developers working on server-side software made the fatal assumption that since there were no clients left to request a deprecated SSL connection, they didn’t need to update their code to kill older SSL completely.
We now know that assumption was wrong. DROWN is a cross-protocol attack: the buggy code in SSL v2 implementations is what enables the decryption attack on vastly more secure TLS encryption. This was compounded by a now-fixed bug that meant admins could configure a system thinking that SSLv2 was off, but have it sitting there still supported anyhow.
In other words: if you believed your configuration was secure without going back to test it, you may have ticked all the boxes in your “best practice” list and remain vulnerable.
Are people going back to run post-configuration tests? All too rarely, it seems. According to the Australian Communications and Media Authority’s daily publication of a third-party’s scan (Shadowserver, here) of the country’s address space, a stunning 180,000 hosts here are still vulnerable to POODLE. Similar results are to be expected around the world.
It’s easy to blame the user – to say “if you had SSL v3 enabled it’s your fault”. And sysadmins were already on notice: the POODLE vulnerability of 2014 was a get-rid-of-SSL warning.
Tomi Engdahl says:
Keith Collins / Quartz:
PIN system used by IRS to protect 724K victims of 2015 breach relies on same Knowledge-Based Authentication tech used in original breach
The IRS is using a system that was hacked to protect victims of a hack—and it was just hacked
http://qz.com/628761/the-irs-is-using-a-system-that-was-hacked-to-protect-victims-of-a-hack-and-it-was-just-hacked/
It ain’t easy being an American taxpayer.
The US Internal Revenue Service said last week that the number of records it lost in a 2015 data breach is higher than it previously thought. When the agency first announced in May 2015 that hackers had broken into its website and stolen tax transcripts, it said that about 100,000 people were affected. It bumped that number up to 334,000 last August, and now says the number of records stolen is actually 724,000.
And it gets worse. To protect the victims of the data breach from further harm, the IRS provided them with “Identity Protection PINs.” The PINs are secret codes those taxpayers now have to put on all of their tax returns, or the IRS won’t accept them. As long as they keep their PINs secret, they should be safe from fraud.
For this master plan to work, though, the IRS would also have to keep the PINs secret. Unfortunately, it seems the agency is having some trouble with that.
Security researcher and journalist Brian Krebs reported yesterday (March 1) that at least one of the PINs has been compromised.
But how could a secret code meant to stop fraud be used to commit more fraud? Get ready for some terrible/wonderful irony. If someone loses their PIN, they can retrieve it by logging into a service on the IRS website. And that login process is secured by the same technology that hackers broke through in the original data breach.
That technology is called Knowledge-Based Authentication, or KBA, which asks security questions to confirm a user’s identity. You’ve probably seen this before. KBA asks questions about a person’s credit history, like “On which of the following streets have you lived?” or “What is your total scheduled monthly mortgage payment?” and provides multiple-choice answers.
The hackers who stole tax transcripts in the 2015 data breach found a way to correctly answer those questions on the IRS’s “Get Transcript” page, which has since been taken down.
Thieves Nab IRS PINs to Hijack Tax Refunds
http://krebsonsecurity.com/2016/03/thieves-nab-irs-pins-to-hijack-tax-refunds/
Becky Wittrock, a certified public accountant (CPA) from Sioux Falls, S.D., said she received an IP PIN in 2014 after crooks tried to impersonate her to the IRS.
Wittrock said she found out her IP PIN had been compromised by thieves this year after she tried to file her tax return on Feb. 25, 2016. Turns out, the crooks beat her to the punch by more than three weeks, filing a large refund request with the IRS on Feb. 2, 2016.
“So, last year I was devastated by this,” Wittrock said, “But this year I’m just pissed.”
Wittrock said she called the toll-free number for the IRS that was printed on the identity theft literature she received from the year before.
“The guy said, ‘Yes, I do see a return was filed under your name on Feb. 2, and that there was the correct IP PIN supplied’,” Wittrock recalled. “I asked him how can that be, and he said, ‘You’re not the first, we’ve had many cases of that this year.’”
According to Wittrock, the IRS representative shared that the agency wouldn’t be relying on IP PINs for long.
“He said, ‘We won’t be using the six digit PIN next year. We’re working on coming up with another method of verification’,” she recalled. “He also had thrown in something about [requiring] a driver’s license, which didn’t sound like a good solution to me.”
Interestingly, the IRS’s own failure to use anything close to modern authentication methods may have contributed to Wittrock’s original victimization. From January 2014 to May 2015, the IRS allowed anyone to access someone else’s previous year’s W-2 forms, just by supplying the taxpayer’s name, date of birth, Social Security number, address, and the answers to easy-to-guess-or-Google KBA questions.
Tomi Engdahl says:
Guix Gets Grafts: Timely Delivery of Security Updates
http://linux.slashdot.org/story/16/03/03/0435200/guix-gets-grafts-timely-delivery-of-security-updates
GNU Guix, the functional package manager (and with GuixSD, distribution) got a nice feature yesterday: timely delivery of security updates with grafts. Guix’s new grafts feature recursively produces re-linked packages as dependencies without waiting for all to compile when a time-sensitive security upgrade is an issue. This came just in time for this week’s OpenSSL security issues,
GNU Guix – News: Timely delivery of security updates
https://savannah.gnu.org/forum/forum.php?forum_id=8470
GNU Guix implements the functional package management discipline. What this means is that the package graph in Guix is an immutable, persistent data structure—similar to a singly-linked list in a functional programming language, or to the object graph in the Git version control system.
A common difficulty with persistent data structures is the algorithmic complexity of updates—the computational cost of updating an arbitrary element of the data structure. For instance, to update the nth element of a singly-linked list, you first need to traverse and copy the n − 1 elements at the head of the list, then insert the new element and make it point to the tail of the list.
With the functional package management paradigm, the cost of updating a package is simple to understand: you need to rebuild the package itself, and all the packages that depend on it. This is nice in many ways: all packages must build from source, there is no way we can be using binaries that cannot be rebuilt from their Corresponding Source, breakage due to incompatible application binary interfaces (ABIs) is foreign to our users, we have a precise trail of the tools that produced binaries—that is, builds are “referentially transparent”, and as a bonus, we get features such as transactional upgrades and rollbacks, peaceful coexistence of different variants of the same package, and more.
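The cost model in the quoted Guix post, that updating one package means rebuilding everything that (transitively) depends on it, follows directly from how a functional package graph identifies its nodes. The block below is an added example, not Guix code and not the real Guix package graph: a constructed toy graph in which each package’s identity is a hash of its own source plus the exact identities of its inputs. Changing one package’s source therefore changes the identity of every transitive dependent, which is the full-rebuild set; graft_plan() shows what the grafts feature described above does instead, compiling only the patched package and re-linking its dependents without recompiling them.

```python
"""Functional package graph: why an update cascades, and what a graft saves.

Added example for the Guix news item quoted above; the graph, package names
and "source" strings below are constructed for illustration and are not the
real Guix package graph or Guix's implementation.
"""
import hashlib
from collections import deque
from typing import Dict, List, Set

# Constructed toy dependency graph: package -> its direct inputs.
GRAPH: Dict[str, Set[str]] = {
    "glibc": set(),
    "openssl": {"glibc"},
    "curl": {"openssl", "glibc"},
    "python": {"openssl", "glibc"},
    "git": {"curl", "openssl"},
    "emacs": {"glibc"},
}

# Constructed "source" identities (think: version + tarball hash).
SOURCES: Dict[str, str] = {
    "glibc": "glibc-2.22", "openssl": "openssl-1.0.2f", "curl": "curl-7.47",
    "python": "python-3.5.1", "git": "git-2.7.2", "emacs": "emacs-24.5",
}


def topo_order(graph: Dict[str, Set[str]]) -> List[str]:
    """Kahn's algorithm: every package is listed after all of its inputs."""
    indeg = {p: len(deps) for p, deps in graph.items()}
    ready = deque(sorted(p for p, n in indeg.items() if n == 0))
    order: List[str] = []
    while ready:
        pkg = ready.popleft()
        order.append(pkg)
        for other, deps in graph.items():
            if pkg in deps:
                indeg[other] -= 1
                if indeg[other] == 0:
                    ready.append(other)
    return order


def dependents(graph: Dict[str, Set[str]], pkg: str) -> Set[str]:
    """Transitive reverse closure: every package whose build embeds pkg."""
    found: Set[str] = set()
    frontier = [pkg]
    while frontier:
        cur = frontier.pop()
        for other, deps in graph.items():
            if cur in deps and other not in found:
                found.add(other)
                frontier.append(other)
    return found


def build(graph: Dict[str, Set[str]], sources: Dict[str, str]) -> Dict[str, str]:
    """Functional build: a package's identity hashes its source AND the exact
    identities of its inputs, so nothing can silently point at a different input."""
    ids: Dict[str, str] = {}
    for pkg in topo_order(graph):
        h = hashlib.sha256(f"{pkg}\0{sources[pkg]}".encode())
        for dep in sorted(graph[pkg]):
            h.update(f"\0{dep}={ids[dep]}".encode())
        ids[pkg] = h.hexdigest()[:12]
    return ids


def changed_by_update(graph: Dict[str, Set[str]], sources: Dict[str, str],
                      pkg: str, new_source: str) -> Set[str]:
    """Packages whose identity changes when pkg's source changes: the set that
    a plain functional update must rebuild from source."""
    before = build(graph, sources)
    after = build(graph, {**sources, pkg: new_source})
    return {p for p in graph if before[p] != after[p]}


def graft_plan(graph: Dict[str, Set[str]], pkg: str) -> Dict[str, str]:
    """A graft compiles only the patched package; each dependent is then
    produced by rewriting references to the old inputs in its existing
    binaries, in dependency order, instead of being recompiled."""
    plan = {pkg: "compile"}
    affected = dependents(graph, pkg)
    for other in topo_order(graph):
        if other in affected:
            plan[other] = "relink"
    return plan


if __name__ == "__main__":
    print("rebuild set:", sorted(changed_by_update(GRAPH, SOURCES, "openssl", "openssl-1.0.2g")))
    print("graft plan:", graft_plan(GRAPH, "openssl"))
```

The same set of packages is touched either way; the difference, and the reason grafts make a security update timely, is that only one of them goes through a compiler.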
Tomi Engdahl says:
Pirates Hacked Shipping Firm’s CMS To Plan Attacks, Find Valuable Cargo
http://yro.slashdot.org/story/16/03/03/0215204/pirates-hacked-shipping-firms-cms-to-plan-attacks-find-valuable-cargo
Verizon’s most recent Data Breach Digest includes a curious hacking case. Apparently a group of sea pirates have hired a hacker who uploaded a Web shell to a shipping company’s CMS that allowed them to download cargo inventories and ship routes. They then used this information to attack ships
Data breach digest. Scenarios from the field.
Learn from our data breach investigations.
http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/
Tomi Engdahl says:
Sea Pirates Hacked Shipping Company to Plan Attacks, Find Valuable Cargo
http://news.softpedia.com/news/sea-pirates-hacked-shipping-company-to-find-valuable-cargo-501268.shtml
A curious case reported by Verizon’s RISK Team shows that even those lowly sea pirates chasing after cargo ships with old Kalashnikovs in worn-out dinghies are resorting to hacking to boost up their profits.
As described in Verizon’s most recent Data Breach Digest, a collection of cyber-security case studies the company’s RISK Team helped investigate and solve sometime in the past year, a reputable global shipping conglomerate started having peculiar problems with sea pirates.
The shipping company was telling Verizon that pirates were boarding their vessels at regular intervals, equipped with a barcode reader (and weapons, of course), searching specific crates, emptying all the high-value cargo, and making off with the loot within minutes of launching their attacks.
All of this made the shipping company think there was something strange going on, and it hired the RISK Team to track down the source of a possible leak, which they suspected to be either an undiscovered data breach or an insider operating from within the company’s headquarters.
“The sea pirates were working together with a hacker”
The RISK Team quickly narrowed down the problem to the firm’s outdated custom-built CMS, which featured an insecure upload script. As the Verizon team explained, a hacker, either part of the sea pirates group or hired by them, had uploaded a Web shell via this insecure form. In turn, this shell was uploaded inside a Web-accessible directory.
To make things worse, that particular folder also had “execute” permissions, meaning the hacker could send commands to the Web shell via URL parameters and have them executed without any further exploit chaining.
Using this access to the shipping firm’s database, the hacker pulled down BoLs (bills of lading), future shipment schedules, and ship routes so the pirates could plan their attack and identify crates holding valuable content.
http://www.verizonenterprise.com/verizon-insights/data-breach-digest/2016/
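The chain described in this comment (an upload form that accepts any file, a destination inside the web root, and execute permission on that folder) is three separate defensive failures. As an added example, not code from Verizon’s report or the shipping company’s CMS, the block below shows the framework-agnostic upload handling that closes all three: decide on content rather than the client-supplied name, accept only the types the application actually needs, and store the result under a server-generated name outside the web root so nothing uploaded can ever be addressed by URL or executed. The storage directory and sample files are constructed for the demo.

```python
"""Hardened file-upload validation and storage.

Added defensive example for the insecure upload script described in the
comment above; not code from Verizon's report or the shipping company's CMS.
`check_upload` and `store_upload` take the client-supplied name and the raw
bytes, which any web framework can hand them.
"""
import os
import secrets
import tempfile
from typing import Dict, Optional, Tuple

# Allowlist of what the application actually needs, keyed by extension, with
# the leading bytes each type must start with. Constructed for the example.
ALLOWED: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024


def safe_extension(filename: str) -> str:
    """Last extension of the base name only: directories in the client name are
    discarded and "report.pdf.php" yields ".php", not ".pdf"."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Decisions are made on the bytes, not the name."""
    if not data or len(data) > MAX_BYTES:
        return False, "size"
    ext = safe_extension(filename)
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def store_upload(filename: str, data: bytes, storage_root: str) -> Optional[str]:
    """Store an accepted upload under a random server-chosen name.

    `storage_root` must be outside the web root and served, if at all, through
    a download handler, never by URL mapping. The client's name is never used
    as a path component, the file is created non-executable, and O_EXCL means
    an existing file is never overwritten. Returns the stored name or None.
    """
    accepted, _reason = check_upload(filename, data)
    if not accepted:
        return None
    name = secrets.token_hex(16) + safe_extension(filename)
    fd = os.open(os.path.join(storage_root, name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return name


def demo() -> Dict[str, object]:
    """Constructed inputs exercising each rule."""
    pdf = b"%PDF-1.4\n%constructed sample\n"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    with tempfile.TemporaryDirectory() as storage:
        return {
            "pdf_ok": check_upload("report.pdf", pdf),
            "double_ext": check_upload("report.pdf.php", pdf),
            "mismatch": check_upload("photo.jpg", pdf),
            "no_ext": check_upload(".png", png),
            "empty": check_upload("report.pdf", b""),
            # Traversal in the client name is irrelevant: only the bytes and the
            # last extension are consulted, and the stored name is ours.
            "stored_name": store_upload("../../var/www/x.png", png, storage),
            "rejected_store": store_upload("x.txt", b"plain text", storage),
            "stored_count": len(os.listdir(storage)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Had the CMS in the story followed these rules, the uploaded file would have been rejected for its type; even if it had slipped through, it would have landed outside the web root under a name the attacker could not predict, with no execute bit, so the shell could never have been reached.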
Tomi Engdahl says:
iOS 9.3 will tell you loud and clear if your employer is monitoring your iPhone
http://mashable.com/2016/03/02/ios-9-3-employer-monitoring/#VpugJRUtKaqX
Nobody likes being monitored. But even if you suspected your company is following your activities on the iPhone, would you know where to check?
In the next iteration of its smartphone operating system, iOS 9.3, Apple is looking to make this an easier task. According to Reddit user MaGNeTiX, the latest beta of iOS 9.3 has a message telling users their iPhone is being supervised.
“This iPhone is managed by your organisation,” the message on the lock screen says. And in the About screen, you get a little more detail, with a message saying your iPhone’s supervisor can monitor your Internet traffic and locate your device.
Tomi Engdahl says:
Pavel Alpeyev / Bloomberg Business:
Samsung says customer privacy is “extremely important” and backdoors would undermine trust, but stops short of openly supporting Apple, won’t file amicus brief — Samsung Echoes Apple’s Arguments on Importance of User Privacy — The world’s largest smartphone vendor also opposes backdoors
Samsung Echoes Apple’s Arguments on Importance of User Privacy
http://www.bloomberg.com/news/articles/2016-03-03/samsung-echoes-apple-s-arguments-on-importance-of-user-privacy
New York Times:
Several tech execs were initially worried about supporting Apple in FBI case because of its potential to backfire, concerns over public perception — Apple Gets Tech Industry Backing in iPhone Dispute, Despite Misgivings — It is a remarkable moment for the technology industry …
Apple Gets Tech Industry Backing in iPhone Dispute, Despite Misgivings
http://www.nytimes.com/2016/03/03/technology/tech-rallies-to-apples-defense-but-not-without-some-hand-wringing.html?_r=0
Tomi Engdahl says:
San Bernardino iPhone could contain ‘dormant cyber pathogen,’ says cyberpunk DA
http://www.theverge.com/2016/3/3/11159234/san-bernardino-iphone-cyber-pathogen-district-attorney
The iPhone at the center of the ongoing legal battle between Apple and the FBI may hold a “dormant cyber pathogen” that could cripple San Bernardino, according to the county’s District Attorney. Michael Ramos’ court filing ascertains that the iPhone, provided to San Bernardino shooter Syed Rizwan Farook by his employers, “may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino’s infrastructure.”
Well, that certainly sounds scary! A malicious electronic disease held in check only by the joint forces of the Federal Bureau of Investigation and Apple’s passcode screen? Ramos has gone for the nuclear option here — as everyone knows, affixing the word “cyber” to anything makes it ten times more ominous, while also having the effect of convincing people you know what you’re talking about when it comes to technology. Sadly for Ramos, that doesn’t seem to be the case. Speaking to Ars Technica, iPhone forensics expert Jonathan Zdziarski said that in describing a “dormant cyber pathogen,” Ramos might as well be talking about a magical unicorn that he swears exists on his phone.
San Bernardino DA says seized iPhone may hold “dormant cyber pathogen”
He says iPhone might be “a weapon” to trigger some nefarious worm of some sort.
http://arstechnica.com/tech-policy/2016/03/san-bernardino-da-says-seized-iphone-may-hold-dormant-cyber-pathogen/
Tomi Engdahl says:
Track your friends’ sleep patterns with the help of a Facebook hack
All it takes is a bit of code that checks your timestamps every ten minutes.
http://arstechnica.co.uk/security/2016/03/track-your-friends-sleep-patterns-with-the-help-of-a-facebook-hack/
We frequently joke about the Orwellian dystopia of our society. Every day, there seems to be news about how our private data has been compromised yet again, or how we’re secretly under surveillance. Now, there’s a way to use Facebook to monitor your friends’ sleep patterns—or rather, to derive someone’s sleeping habits by tracking when they open up Facebook.
Søren Louv-Jansen, the developer responsible, explains it in more detail in his post on Medium. His code, which is available on Github, examines Facebook timestamps every ten minutes in order to create a relatively accurate timetable. It operates on the idea that many habitual users will check Facebook right after they wake up and just before they sleep, meaning that it’s a valid approach for a disconcertingly large number of us.
How you can use Facebook to track your friends’ sleeping habits
https://medium.com/@sqrendk/how-you-can-use-facebook-to-track-your-friends-sleeping-habits-505ace7fffb6#.af9g2n582
Tomi Engdahl says:
Amazon removed device encryption from Fire OS 5 because no one was using it
New Fire tablets and old ones that were upgraded to Fire OS 5 can’t be encrypted.
http://arstechnica.com/gadgets/2016/03/amazon-removed-device-encryption-from-fire-os-5-because-no-one-was-using-it/
In the wake of Apple’s high-profile fight with the FBI, more users and journalists have been paying attention to encryption of local storage in phones and tablets. Apple strengthened the encryption on all iDevices in iOS 8, making it so that no one could decrypt the storage without knowing the user’s passcode. Google made encryption a requirement for all Google-approved Android phones that ship with Marshmallow (after a false start in Lollipop), and it has been available as an optional Android security feature for years.
Tomi Engdahl says:
FBI is asking courts to legalize crypto backdoors because Congress won’t
The most lawmakers have done is float bill to create a “commission” to study issue.
http://arstechnica.com/tech-policy/2016/03/fbi-is-asking-courts-to-legalize-crypto-backdoors-because-congress-wont/
James Comey, the FBI director, told a House panel on Tuesday that the so-called “Going Dark” problem is “grave, growing, and extremely complex.” (PDF)
His prepared testimony to the House Judiciary Committee is not surprising. There’s been a chorus of government actors singing that same song for years. But what we didn’t hear was the bureau director ask Congress for legislation authorizing encryption backdoors. That’s because there’s no congressional support—which underscores why the President Obama administration is now invoking a 1789 obscure law in federal courthouses asking judges to do what Congress has declined to do.
“If I didn’t do that, I oughta be fired,” Comey told the panel during his live testimony. The panel’s hearing, “Encryption Tightrope: Balancing Americans’ Security and Privacy,” was largely dedicated to the FBI’s legal battle with Apple. He said if the bureau had the capability to bypass iPhone passcode locks in the dozens of pending cases where they’ve gone to court, “We wouldn’t be litigating if we could.”
Tomi Engdahl says:
Hack the planet, er, Pentagon: US Dept of Defense puts bounties on bugs
Just pass the background test
http://www.theregister.co.uk/2016/03/03/defence_launches_hack_the_pentagon_bug_bounty/
The Pentagon will next month launch the US government’s first bug bounty program encouraging hackers to break into its websites in what could lead to a broader invitation to hack state assets for cash.
Details on the cash rewards offered under the ‘Hack the Pentagon’ program have not yet been released.
It will use “commercial sector crowdsourcing” bug bounty programs – such as HackerOne or BugCrowd – meaning it will be open to “qualified” hackers who pass background checks.
The program will be restricted in scope so that hackers can target defined assets and not mission-critical systems.
Tomi Engdahl says:
NSA Chief Worries About Cyber Attack on US Infrastructure
http://www.securityweek.com/nsa-chief-worries-about-cyber-attack-us-infrastructure
SAN FRANCISCO – RSA CONFERENCE 2016 – US National Security Agency chief Michael Rogers warned Tuesday that hackers will try to mount a cyber attack against US infrastructure, similar to the power failure in western Ukraine last year.
“It’s only a matter of the when, not the if, you are going to see a nation state, a group or an actor engage in destructive behavior against critical infrastructure of the United States,” Rogers told a cybersecurity conference in San Francisco.
Rogers also heads the US military’s Cyber Command, which is engaged in targeting enemy networks and social media sites.
On December 23, parts of western Ukraine were plunged into darkness after a computer virus affected the networks of several regional electricity companies.
“An actor penetrated the Ukrainian power grid and brought large segments of it offline in a very well-crafted attack that both focused on knocking the system down but also focused on how was the provider likely to respond to that outage,” Rogers said. “Seven weeks ago it was Ukraine. That isn’t the last we are going to see of this, and that worries me,” he added.
Tomi Engdahl says:
Credit Unions Feeling Pinch in Wendy’s Breach
http://krebsonsecurity.com/2016/03/credit-unions-feeling-pinch-in-wendys-breach/
A number of credit unions say they have experienced an unusually high level of debit card fraud from the breach at nationwide fast food chain Wendy’s, and that the losses so far eclipse those that came in the wake of huge card breaches at Target and Home Depot.
As first noted on this blog in January, Wendy’s is investigating a pattern of unusual card activity at some stores. In a preliminary 2015 annual report, Wendy’s confirmed that malware designed to steal card data was found on some systems. The company says it doesn’t yet know the extent of the breach or how many customers may have been impacted.
Tomi Engdahl says:
Nokia: Smart phone security situation worse than Windows PC
Researchers at Nokia’s Security Center in Berlin have published a report according to which smartphones have already overtaken Windows computers as the worse polluter of mobile networks. 60 per cent of the infections in mobile networks came via a smartphone.
The report shows that the number of Android malware has increased, and they have also become more cunning. At the same time, iOS malware has for the first time risen into the list of the 20 biggest threats. The malware encountered on iPhones were XcodeGhost and FlexiSpy. For example, in October six per cent of network infections were due to iPhones.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4066:nokia-alypuhelin-jo-windows-koneita-pahempi-saastuttaja&catid=13&Itemid=101
Tomi Engdahl says:
Bitcoin’s Nightmare Scenario Has Come To Pass
http://developers.slashdot.org/story/16/03/04/057207/bitcoins-nightmare-scenario-has-come-to-pass
Ben Popper writes at The Verge that bitcoin’s nightmare scenario has come to pass as the bitcoin network reached its capacity, causing transactions around the world to be massively delayed, and in some cases to fail completely. The average time to confirm a transaction has ballooned from 10 minutes to 43 minutes. Users are left confused and shops that once accepted Bitcoin are dropping out. For those who want the Bitcoin system to continue to grow and thrive, this is troubling. Merchants can’t rely on digital transactions that can take minutes or hours to validate.
Bitcoin’s nightmare scenario has come to pass
The network’s capacity to process transactions has maxed out
http://www.theverge.com/2016/3/2/11146584/bitcoin-core-classic-debate-transaction-limit-crisis
Over the last year and a half a number of prominent voices in the Bitcoin community have been warning that the system needed to make fundamental changes to its core software code to avoid being overwhelmed by the continued growth of Bitcoin transactions. There was strong disagreement within the community, however, about how to solve this problem, or if the problem would ever materialize.
This week the dire predictions came to pass, as the network reached its capacity, causing transactions around the world to be massively delayed, and in some cases to fail completely. The average time to confirm a transaction has ballooned from 10 minutes to 43 minutes. Users are left confused and shops that once accepted Bitcoin are dropping out.
Bitcoin transactions are confirmed every time miners create a new block on the network’s chain. Each block takes about ten minutes to mine, and can hold 1MB of information. At current volumes, there are more than 1MB worth of transactions asking to be confirmed in that time. To solve this bottleneck, many in the Bitcoin community have called for increasing the block size to 2MB.
This sounds simple, but has proven to be a highly contentious issue. A schism has developed between the team in charge of the original codebase for Bitcoin, known as Core, and a rival faction pushing its own version of that open source code with a block size increase added in, known as Classic.
The Looming Problem That Could Kill Bitcoin
https://www.technologyreview.com/s/540921/the-looming-problem-that-could-kill-bitcoin/
The way things are going, the digital currency Bitcoin will start to malfunction early next year. Transactions will become increasingly delayed, and the system of money now worth $3.3 billion will begin to die as its flakiness drives people away. So says Gavin Andresen, who in 2010 was designated chief caretaker of the code that powers Bitcoin by its shadowy creator. Andresen held the role of “core maintainer” during most of Bitcoin’s improbable rise; he stepped down last year but still remains heavily involved with the currency (see “The Man Who Really Built Bitcoin”).
Andresen’s gloomy prediction stems from the fact that Bitcoin can’t process more than seven transactions a second. That’s a tiny volume compared to the tens of thousands per second that payment systems like Visa can handle—and a limit he expects to start crippling Bitcoin early in 2016.
Tomi Engdahl says:
Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings
http://yro.slashdot.org/story/16/03/04/0132248/mozilla-bans-popular-firefox-add-on-that-tampered-with-security-settings
Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is that the add-on was caught disabling a Firefox security setting (code signing), which allowed it to silently install another add-on, which Avast (antivirus software) was detecting as malware.
Mozilla Bans Firefox Add-on That Tampered with Security Settings
http://news.softpedia.com/news/mozilla-bans-firefox-add-on-that-tampered-with-security-settings-501315.shtml
Tomi Engdahl says:
Godfather Of Encryption Explains Why Apple Should Help The FBI
http://yro.slashdot.org/story/16/03/04/0032248/godfather-of-encryption-explains-why-apple-should-help-the-fbi
Famed cryptographer and Turing Award winner, Adi Shamir, has an interesting if not surprising take on Apple’s current legal tussle with the FBI. While speaking on a panel at RSA Conference 2016 earlier this week, the man who helped co-invent the vaunted RSA algorithm (he’s the ‘S’ in RSA) explained why he sides with the FBI as it pertains to the San Bernardino shooter’s locked iPhone. “It has nothing to do with placing trapdoors on millions of phones around the world,” Shamir explained.
Godfather of encryption explains why Apple should help the FBI hack the terrorist’s iPhone
http://bgr.com/2016/03/03/san-berdardino-iphone-hack-godfather-of-encryption-apple-fbi-iphone/
Tomi Engdahl says:
Q&A: Bruce Schneier on joining IBM, IoT woes, and Apple v the FBI
It’s going to get worse before it gets better
http://www.theregister.co.uk/2016/03/04/bruce_schneier_speaks/
RSA 2016 Security guru Bruce Schneier is a regular at shows like RSA and his talks are usually standing-room-only affairs.
Q: First things first – you’re the CTO of Resilient Systems, which IBM is in the process of buying. Are you planning to stay on?
That’s the plan; I’m 100 per cent planning on joining IBM. As far as I know the entire team is coming over as well.
Q: Yesterday you gave a rather scary talk on the likelihood of a coming breakdown in the interconnected world. You talked about a lot of problems – what do you think the solutions are?
I didn’t mean to be doom laden, but that’s the way these things start – you always start with the problems. But I’m just on the start of this process – it’s likely that yesterday’s talk will form the basis of my next book and when I’ve thought that through, about a third of the volume will look at solutions.
But I really do believe this is a big problem that needs to be addressed. I hope a catastrophic failure won’t come about, but the fact of the matter is we humans are much more reactive than proactive.
Bruce Schneier: We’re sleepwalking towards digital disaster and are too dumb to stop
Coders and tech bros playing chance with the future
http://www.theregister.co.uk/2016/03/02/sleepwalking_towards_digital_disaster/
Tomi Engdahl says:
How Attackers Likely Bypassed Linode’s Two-Factor Authentication to Hack PagerDuty
http://www.securityweek.com/how-attackers-likely-bypassed-linodes-two-factor-authentication-hack-pagerduty
In July 2015, operations performance management company PagerDuty advised customers to change their passwords after discovering that its systems had been breached.
Recently, it was discovered that the attacker gained access to PagerDuty servers through Linode’s (PagerDuty’s cloud provider) administrative panel. To do so, attackers had to bypass the administrative Two-Factor-Authentication (2FA) controls. As a result of the breach, it’s reported that PagerDuty has moved to another cloud provider.
When Two Becomes One
As in most cases, administrative account credentials were the weakest link in the Linode/PagerDuty breach. Linode Two-Factor-Authentication was only relevant for the client-side, as it required something the client knows (password) and something the client has (mobile app with embedded secret). However, on the server-side these two factors “collapsed” into a single factor as both the password and the TOTP’s secret key were accessible from a single application and probably stored on the same user’s row in the database.
Cloud environments introduce both opportunities and risks. Therefore, cloud providers must make security their top priority, and cloud customers must consider the security provided by the different cloud providers as a key element in making their purchasing decision.
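The “two factors collapse into one” point above comes down to where the TOTP seed is kept. The following is an added example, not Linode’s or PagerDuty’s code: it implements RFC 6238 TOTP and contrasts a user table that holds the password hash and the seed in one row with a design in which a separate verifier owns the seeds and only answers yes or no. The store layout, user names and seeds are constructed.

```python
"""
Two designs for a password + TOTP login, illustrating factor collapse.
Added example; stores, users and seeds are constructed.
"""
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2; returns salt || digest."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


def check_code(seed: bytes, code: str, now: int) -> bool:
    """Accept the current step and one step either side for clock drift."""
    return any(hmac.compare_digest(totp(seed, now + d), code) for d in (-30, 0, 30))


class CollapsedStore:
    """One user row holds the password hash AND the TOTP seed. A dump of this
    table yields the material for both factors, so 2FA is really one factor."""

    def __init__(self):
        self.rows = {}

    def enroll(self, user, password, seed):
        self.rows[user] = {"pw": hash_password(password), "totp_seed": seed}

    def login(self, user, password, code, now):
        row = self.rows[user]
        return check_password(password, row["pw"]) and check_code(row["totp_seed"], code, now)


class TotpVerifier:
    """Separate component (a dedicated service or HSM-backed module in practice).
    It owns the seeds and only answers yes/no; the web tier never sees a seed."""

    def __init__(self):
        self._seeds = {}

    def enroll(self, user, seed):
        self._seeds[user] = seed

    def verify(self, user, code, now):
        seed = self._seeds.get(user)
        return seed is not None and check_code(seed, code, now)


class SplitStore:
    """User row holds only the password hash; the seed lives in TotpVerifier."""

    def __init__(self, verifier):
        self.rows = {}
        self.verifier = verifier

    def enroll(self, user, password, seed):
        self.rows[user] = {"pw": hash_password(password)}
        self.verifier.enroll(user, seed)

    def login(self, user, password, code, now):
        row = self.rows[user]
        return check_password(password, row["pw"]) and self.verifier.verify(user, code, now)


def secrets_exposed_by_dump(store) -> set:
    """Field names a dump of the web application's user table would hand over."""
    return {key for row in store.rows.values() for key in row}


if __name__ == "__main__":
    seed, now = secrets.token_bytes(20), 1_457_000_000   # constructed values
    for make in (CollapsedStore, lambda: SplitStore(TotpVerifier())):
        store = make()
        store.enroll("admin", "correct horse", seed)
        print(type(store).__name__,
              store.login("admin", "correct horse", totp(seed, now), now),
              sorted(secrets_exposed_by_dump(store)))
```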
Tomi Engdahl says:
Should Application Security Become its Own Discipline?
http://www.securityweek.com/should-application-security-become-its-own-discipline
Application Security Should Be Its Own Discipline
Considering that you can find vendors, startups, and specialists in any of these 28 application security technologies, is it realistic to expect any one person to be a subject matter expert in all of them?
Of course not. Thus, one of these analyst firms asserts (and I agree) that application security should be a full-time gig; application security should become its own discipline.
A model already exists for what that discipline might look like: call it DevSecOps.
Whatever you call it, DevSecOps adoption, conferences notwithstanding, has been slow. Partly because traditional IT silos themselves are slow and can be resistant to process change. Personally, I think it’s because retaining good developers is really hard when Silicon Valley is always tempting them away. And security developers aren’t exactly falling out of trees, either. Like the practitioners at the intersection of cloud and security, DevSecOps may be one of the most short-staffed fields right now.
Tomi Engdahl says:
Kaspersky Launches Targeted Attack Protection Platform
http://www.securityweek.com/kaspersky-launches-targeted-attack-protection-platform
SAN FRANCISCO – RSA CONFERENCE 2016 – Kaspersky Lab, the Moscow-based security firm known for uncovering some of the world’s most sophisticated attack operations globally, today announced a new solution aimed at helping customers detect advanced targeted attacks, and a new security Intelligence offering for enterprises.
Generically named the Kaspersky Anti Targeted Attack Platform, the system monitors network, web and e-mail activity to help detect attacks at any stage, even if no malicious activity has occurred.
http://www.kaspersky.com/enterprise-security/anti-targeted-attacks
Tomi Engdahl says:
Google’s DLP for Gmail Adds Optical Character Recognition
http://www.securityweek.com/googles-dlp-gmail-adds-optical-character-recognition
Google on Tuesday made a series of improvements to Data Loss Prevention (DLP) for Gmail, which will bring improved data protection and control over detection thresholds.
DLP for Gmail was launched in December 2015 to help Google Apps for Work customers keep their sensitive information secure. It was designed to automatically check all outgoing emails based on a set of predefined content detectors set by the Apps admins, and to take or prompt for appropriate actions when needed.
The company announced a new set of features that extend the capabilities available to admins, including Optical character recognition (OCR) for improved attachment scanning, a new set of predefined content detectors, and increased control over content detection thresholds.
The new OCR feature in DLP for Gmail should prove highly useful in situations when sensitive information resides not just in text documents, but also in scanned copies and images. With the new enhancement, admins can set DLP policies to analyze common image types and extract text for policy evaluation.
Tomi Engdahl says:
Incident Response Should Never End
http://www.securityweek.com/incident-response-should-never-end
Increasing resiliency to attacks is the focus for security professionals today. Despite the fact that defenders are developing technologies and tactics that are growing in sophistication, adversaries are as well…at a more rapid pace.
Well-funded cybercriminals use a combination of evolved technologies and tactics to evade detection. Defenders will continue to strive to block 100 percent of attacks before they occur – but, as history has proven, bad actors will infiltrate our networks. To boost resilience we need to not only try to prevent an attack, but we need to stop the exploitation of an attack, requiring that we think differently about Incident Response (IR). Instead of only a point-in-time set of steps to try to prevent malware from getting in or reimage an affected machine, IR must become a continuous process.
Tomi Engdahl says:
Flash is dangerous:
http://www.tivi.fi/Kaikki_uutiset/etko-vielakaan-hylannyt-flashia-vaara-on-kasvanut-verkkosivuilla-6309593
https://tunne.la/kaytantotiedosto-vaarantaa-miljoonan-suomalaisen-tietosuojan
Tomi Engdahl says:
Social Engineering Your Way To The Target PA System
http://hackaday.com/2016/03/04/social-engineering-your-way-to-the-target-pa-system/
If we were to express an official view of what these guys did once they hacked into a Target store’s PA system, we’d have to go with definitely uncool. However, it’s good to know that phone phreaking and good ol’ social engineering aren’t dead yet. Many of us got our start by playing with the systems around us.
Anyone could call into a Target store and request to be transferred to the PA’s extension code, which was the same everywhere. If the person transferring the call wasn’t quick on their feet, the caller would then be patched directly into the store’s PA system. The kicker? Target had no way of stopping the PA until the caller hung up. It’s the way the system was designed.
Target stores attacked by pornographic pranksters
http://www.bbc.com/news/technology-34556644
Explicit audio from a pornographic film was blasted out for all to hear. And it kept playing. And playing. For 15 minutes.
Young, who was shopping with her three-year-old twin boys, uploaded the clip to Facebook.
“People were up in arms,” she wrote. “Some people threw their things down and walked out. Others were yelling at employees.”
As pranks go, it’s fairly low-grade. But Target has a problem. Staff at the store in Campbell, a small city just south of San Jose, were all but powerless to stop it due to how the PA system is designed.
And it’s not an isolated incident. According to local media, it’s at least the fourth time this prank has happened since April. In one instance, a store had to be evacuated.
‘Control of the intercom’
Well not quite – but the cause is interesting, and yet another example of how systems are left with vulnerabilities by creators who never imagined people might have malicious intent.
“Non-Target team members are attempting to access the intercom system by calling stores and requesting to be connected to line [xxxx],” it reads.
“If connected, callers have control of the intercom until they hang up.
“We are actively working to limit intercom access to the Guest Services phone only. In the meantime, inform all operators to not connect any calls to line [xxxx].”
Target should be acutely aware of weak systems. The retailer was at the centre of a huge hack attack storm last year.
Tomi Engdahl says:
Richard Lawler / Engadget:
Amazon reverses course, says it is bringing back support for device encryption to tablets running Fire OS via a software update due this spring
Amazon reverses course on encryption for its Fire tablets
You will be able to encrypt Amazon Fire tablets again after a new update this spring.
http://www.engadget.com/2016/03/04/amazon-will-bring-encryption-back-to-FireOS/
Tomi Engdahl says:
Olivia Solon / Guardian:
DARPA’s upcoming $2M Cyber Grand Challenge wants teams to build AI-based hacking software that can exploit rival teams’ vulnerabilities while fixing their own
These engineers are developing artificially intelligent hackers
http://www.theguardian.com/technology/2016/mar/03/artificial-intelligence-hackers-security-autonomous-learning
In a sign of the autonomous security of the future, a $2m contest wants teams to build a system that can exploit rivals’ vulnerabilities while fixing its own
Could you invent an autonomous hacking system that could find and fix vulnerabilities in computer systems before criminals could exploit them, and without any human being involved?
That’s the challenge faced by seven teams competing in Darpa’s Cyber Grand Challenge in August.
Each of the teams has already won $750,000 for qualifying and must now put their hacking systems up against six others in a game of “capture the flag”. The software must be able to attack the other team’s vulnerabilities as well as find and fix weaknesses in their own software – all while protecting its performance and functionality. The winning team will walk away with $2m.
“Fully automated hacking systems are the final frontier. Humans can find vulnerabilities but can’t analyse millions of programs,” explained Giovanni Vigna, a professor of computer science at University of California Santa Barbara, speaking at the RSA security conference in San Francisco.
http://www.cybergrandchallenge.com/
Tomi Engdahl says:
Selina Wang / Bloomberg Business:
Experts: FBI could crack terrorist’s iPhone without Apple’s help, but wants to set a legal precedent that would give them access to phone data with a warrant
Who Needs Apple When the FBI Could Hack Terrorist iPhone Itself
http://www.bloomberg.com/news/articles/2016-03-04/who-needs-apple-when-the-fbi-could-hack-terrorist-iphone-itself
The Federal Bureau of Investigation has put the onus on Apple Inc. to break into the iPhone 5c carried by San Bernardino terrorist Syed Rizwan Farook. In fact, the feds almost certainly could do it themselves.
Security experts say there are many ways the FBI could hack the iPhone now at the center of a standoff between Apple and the U.S. government. They argue that doing so would be faster than waiting for the courts to decide whether Apple should be forced to create software that would let investigators try multiple passcodes without erasing the device. No one is saying a government hack would be easy, but the experts interviewed for this story have concluded the Feds aren’t even trying because they’d rather win a legal precedent that gives agents the power to access phone data with a warrant.
Jonathan Zdziarski, a cybersecurity researcher who consults with law enforcement, says the FBI could learn something from back-alley techies in China who break into iPhones all the time. He describes a kiosk in a Shenzhen mall that charges $60 to upgrade a 16-gigabyte phone to 128 gigabytes. Using a PC, tweezers and screwdrivers, he says, the kiosk operator copies the contents of the iPhone onto a chip with more capacity then swaps it in.
Zdziarski says the FBI could use a similar workaround: copy the phone’s contents onto a chip so there’s a backup file when password attempts erase the device. The trick is figuring out a way of doing this hundreds of times without destroying the chip.
That’s just one of multiple ways the FBI could extract data by messing with iPhone hardware, Zdziarski says. Other potential solutions include finding and exploiting cracks in the software. All systems contain flaws, and they continue to be found every month in Apple’s software.
“The FBI must learn to investigate smarter; you, Congress, can provide it with the resources and guidance to help it do so,” Landau wrote in her testimony. “Bring FBI investigative capabilities into the twenty-first century.”
In the meantime, the FBI will continue to use the courts to force Apple to build back doors into its devices — which Apple says would risk exposing customers’ private information to hackers and authoritarian regimes. FBI Director James Comey said at the congressional hearing that “we have engaged all parts of the U.S. government to see, does anybody have a way, short of asking Apple, to do it, with a 5C running iOS9, and we do not.”
Tomi Engdahl says:
Stan Higgins / CoinDesk:
As Bitcoin approaches its 1MB block size limit, transaction processing takes 10+ hours for some, while transaction fees rise several times — Bitcoin’s Capacity Issues No ‘Nightmare’, But Higher Fees May Be New Reality — While bitcoin may not be facing a “nightmare” scenario as indicated by the media …
Bitcoin’s Capacity Issues No ‘Nightmare’, But Higher Fees May Be New Reality
http://www.coindesk.com/bitcoin-capacity-nightmare-fees-reality/
While bitcoin may not be facing a “nightmare” scenario as indicated by the media, digital currency users are now paying higher-than-average fees and waiting longer for transactions to confirm due to an unknown disruptive network user.
The incident has sparked a flurry of questions about the nature of the increased transaction load on the network as it comes amid the ongoing debate over scaling the bitcoin network.
Known as the “block size debate”, the issue has fragmented the bitcoin community into two camps: Bitcoin Core, the network’s volunteer developers, who are seeking to change how signatures are stored, thus increasing capacity as early as April of this year; and Bitcoin Classic, a contingent of developers and enthusiasts who have launched software that would more quickly force an update to the 1 MB cap on transactions they believe is an impediment to user adoption.
Tomi Engdahl says:
WordPress Plugin Comes With a Backdoor, Steals Admin Credentials In Cleartext
http://it.slashdot.org/story/16/03/05/0428231/wordpress-plugin-comes-with-a-backdoor-steals-admin-credentials-in-cleartext
An anonymous reader writes that a WordPress plugin for managing custom post types has apparently been forcibly taken over by an Indian developer who has added a backdoor to the code which lets him install files on infected sites.
Popular WordPress Plugin Comes with a Backdoor, Steals Site Admin Credentials
http://news.softpedia.com/news/popular-wordpress-plugin-comes-with-a-backdoor-steals-site-admin-credentials-501383.shtml
Security researchers have unmasked the wicked actions of a WordPress plugin that was installing a backdoor through which it was altering core WordPress files so it could log and steal user credentials from infected sites.
First signs of something being wrong were spotted by the Sucuri team, a company that provides website security. Sucuri’s researchers were alerted by one of their clients to the presence of a weirdly named file (auto-update.php) that didn’t exist until a recent plugin update.
The plugin in question was Custom Content Type Manager (CCTM), a popular WordPress plugin for creating custom post types that, in the three years since it was uploaded on the WordPress plugin repo, has amassed quite a following, being currently installed on more than 10,000 sites.
As Sucuri’s investigation revealed, in the past two weeks, the plugin that looked like an abandoned project for the last 10 months, mysteriously changed owner, and immediately after, the new developer, named wooranker, updated the plugin and pushed out a new version.
All the changes he made to the plugin were of a nefarious nature.
Besides gathering info on the victim’s site, this plugin also tapped into the WordPress login process and recorded usernames and passwords, albeit in encrypted format, sending the data to the wordpresscore.com server.
These two modifications were pushed out as Custom Content Type Manager version 0.9.8.8, which in many cases users installed themselves, or which was installed automatically on their sites if the auto-update feature was turned on.
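The Sucuri finding above came from noticing a file (auto-update.php) that had not existed before a plugin update, and from core files that had been altered. The following is an added example, not Sucuri's or WordPress's code, of the baseline-and-diff check that surfaces exactly that: hash every file under the web root before the update, re-hash afterwards, and report anything new, missing or changed. The directory layout, file contents and the plugin path are constructed for the demo.

```python
"""Baseline-and-diff file integrity check for a web root (added example)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256 hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(65536), b""):
                    h.update(block)
            manifest[rel] = h.hexdigest()
    return manifest


def diff_manifests(before, after):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def write(root, rel, text):
    """Helper: create or overwrite a file inside the constructed web root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Replay the CCTM pattern on a throwaway tree and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline: a core file plus the plugin as originally shipped.
        write(root, "wp-login.php", "<?php // genuine login handler\n")
        write(root, "wp-content/plugins/cctm/index.php", "<?php // plugin 0.9.8.7\n")
        before = snapshot(root)
        # Constructed malicious update: a new dropper file and a patched core file.
        write(root, "wp-content/plugins/cctm/auto-update.php", "<?php // remote file install\n")
        write(root, "wp-login.php", "<?php // genuine login handler\n// also posts credentials elsewhere\n")
        after = snapshot(root)
        return diff_manifests(before, after)


if __name__ == "__main__":
    print(demo())
```

On a live site the baseline should be the hashes of a clean copy of the same WordPress and plugin versions (from the official archives), not a snapshot of the possibly already infected tree; otherwise a backdoor that was present at baseline time is silently accepted.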
Tomi Engdahl says:
China Tries Its Hand at Pre-Crime
Beijing wants to identify subversives before they strike.
http://www.bloomberg.com/news/articles/2016-03-03/china-tries-its-hand-at-pre-crime
China’s effort to flush out threats to stability is expanding into an area that used to exist only in dystopian sci-fi: pre-crime. The Communist Party has directed one of the country’s largest state-run defense contractors, China Electronics Technology Group, to develop software to collate data on jobs, hobbies, consumption habits, and other behavior of ordinary citizens to predict terrorist acts before they occur. “It’s very crucial to examine the cause after an act of terror,” Wu Manqing, the chief engineer for the military contractor, told reporters at a conference in December. “But what is more important is to predict the upcoming activities.”
The program is unprecedented because there are no safeguards from privacy protection laws and minimal pushback from civil liberty advocates and companies.
Building a crystal ball to predict and prevent terror attacks, a real-world version of Minority Report, is the ultimate goal of crime fighters the world over. But, so far, more data has just meant more noise, security experts say. “There are not enough examples of terrorist activity to model what it looks like in data, and that’s true no matter how much data you have,” says Jim Harper, a senior fellow at the Cato Institute. “You need yeast to make bread. You can’t make up for a lack of yeast by adding more flour.”
“We don’t call it a big data platform but a united information environment.” —Wu Manqing, China Electronics Technology
China was a surveillance state long before Edward Snowden clued Americans in to the extent of domestic spying.
New antiterror laws that went into effect on Jan. 1 allow authorities to gain access to bank accounts, telecommunications, and a national network of surveillance cameras called Skynet. Companies including Baidu, China’s leading search engine; Tencent, operator of the popular social messaging app WeChat; and Sina, which controls the Weibo microblogging site, already cooperate with official requests for information, according to a report from the U.S. Congressional Research Service.
Tomi Engdahl says:
Online criminals have their own online stores
Cybercrime in its various forms continues to grow. The so-called dark web, for its part, offers fertile ground for the phenomenon: a place where supply and demand can meet anonymously.
Cybercriminals no longer need to be technically skilled themselves, as the knowledge and tools they need can now be bought as a service, the Finnish Communications Regulatory Authority reminds.
Ransomware, keyloggers and other information-stealing malware, phishing sites and spam, the distribution of malicious spam, denial-of-service attacks and more are increasingly available as “products or services”.
In cybercrime, a noticeable break, or at the very least a slight shift, can be seen in the direction where the criminal no longer has to know how to code their own malware, set up their own servers to serve malicious content, break into thousands of e-mail accounts, or capture thousands of computers as members of a botnet. These are now available as a service.
The situation is mutually beneficial. A skilled coder only needs to write suitable malware and sell it. A skilled criminal only needs to think about which pieces their own operation consists of, buy them, and fit the pieces together.
Source: http://www.tivi.fi/Kaikki_uutiset/verkkorikollisilla-on-omia-verkkokauppoja-tallaisia-tyokaluja-tarjolla-6310945
Tomi Engdahl says:
French President’s Epic Periscope Fail Leads to Massive Live Trolling
http://www.nbcnews.com/tech/tech-news/french-president-s-epic-periscope-fail-leads-massive-live-trolling-n530882
French President François Hollande and his media team learned the hard way that it pays to completely master modern technology before broadcasting a live event.
During a public relations trip to an online fashion company in the Paris suburbs, Hollande’s media team broadcast the event in real time on the streaming app Periscope. However, his staffers failed to disable the app’s live comments option, which prominently displays viewers’ comments across the screen. Thousands of French viewers seized the opportunity to post their unadulterated opinions on Hollande as the real-time broadcast unfolded.
Insults and ridicule filled the screen immediately, mocking everything from the president’s socks to his sex life. Many users gleefully pointed out how incompetent his staffers were for not disabling the commenting feed. Others generally derided the president and his policies.
The session was eventually terminated after 30 minutes, but the damage was already done. Le Nouvel Observateur called the incident “a catastrophe” for the president, and public relations experts said it “undermined the dignity of France’s presidential office.”
Tomi Engdahl says:
A Phone App Helps Day Laborers Attack Wage Theft
http://hardware.slashdot.org/story/16/03/06/0150236/a-phone-app-helps-day-laborers-attack-wage-theft
“After three years of planning, an immigrant rights group in Jackson Heights is set to start a smartphone app for day laborers, a new digital tool with many uses: Workers will be able to rate employers (think Yelp or Uber), log their hours and wages, take pictures of job sites and help identify, down to the color and make of a car, employers with a history of withholding wages. They will also be able to send instant alerts to other workers. The advocacy group will safeguard the information and work with lawyers to negotiate payment.”
New Weapon in Day Laborers’ Fight Against Wage Theft: A Smartphone App
http://www.nytimes.com/2016/03/02/nyregion/new-weapon-in-day-laborers-fight-against-wage-theft-a-smartphone-app.html?_r=3
Tomi Engdahl says:
French parliament votes to jail tech execs who refuse to decrypt data
Because terrorism
http://www.theregister.co.uk/2016/03/04/france_to_jail_tech_execs_over_encryption/
The French parliament has voted in favor of punishing companies that refuse to decrypt data for government investigators – by threatening businesses with big fines and possible jail terms for staff.
This comes amid the FBI’s high-profile battle with Apple in the US to unlock a dead killer’s encrypted iPhone.
French deputies voted to add an amendment to a penal reform bill that would fine companies €350,000 (US$385,350) for a refusal to decrypt and give up to five years in jail for senior executives. Telecommunications company executives would face smaller fines and up to two years in jail for not cooperating with the authorities.
Tomi Engdahl says:
Jim Finkle / Reuters:
First known ransomware for Mac users arrives via infected Transmission BitTorrent client; Apple revokes developer certificate that enabled infected installs — Apple users targeted in first known Mac ransomware campaign — Apple Inc (AAPL.O) customers were targeted by hackers over the weekend …
Apple users targeted in first known Mac ransomware campaign
http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX?feedType=RSS&feedName=technologyNews
Tomi Engdahl says:
Google confirms it will extend E.U. right-to-be-forgotten to all Google Search domains from next week
http://venturebeat.com/2016/03/04/google-confirms-it-will-extend-e-u-right-to-be-forgotten-to-all-google-search-domains/
Google has confirmed previous reports that it is to comply with European regulators requesting that the Internet giant extend the scope of the so-called “right-to-be-forgotten” legislation beyond that of European search engines.
The right-to-be-forgotten ruling, or “right to delist” as Google perhaps more accurately calls it, was the result of an E.U. directive back in 2014 that was designed to help individuals hide web pages that contained out-of-date, irrelevant, and ultimately “damaging” information about them.
So far, this has meant that people living in the E.U. could submit requests to Google and other search engine operators to have such web pages deindexed from E.U. versions of search engines.
Google will tap IP addresses and other geolocation “signals” to restrict access to the delisted URL on all Google Search domains; however, delisting will only apply to the country of the person who requested the removal.
Tomi Engdahl says:
ISIS Hackers Target the Wrong Google
http://europe.newsweek.com/isis-hackers-target-wrong-google-431911
Hackers affiliated with the Islamic State militant group (ISIS) who promised to take down Google appear to have mistakenly attacked the wrong target.
The so-called Cyber Caliphate Army (CCA) announced plans on the secure messaging app Telegram to hack Google on Monday; however, Google services appear to have been unaffected.
Instead, the website of Add Google Online was defaced with ISIS imagery and a message stating, “hacked by CCA”.
The attack on Add Google Online follows similar attacks by CCA on seemingly arbitrary targets
Michael Smith, an advisor to the U.S. Congress and co-founder of national security firm Kronos Advisory, believes the increase in frequency of attacks carried out by ISIS hackers signals an increase in the group’s cyber capabilities.
“I expect these activities will become more common,”
Tomi Engdahl says:
A regular inkjet printer can spoof a fingerprint and unlock a phone in under 15 minutes
http://qz.com/631697/a-regular-inkjet-printer-can-spoof-a-fingerprint-and-unlock-a-phone-in-under-15-minutes/
Researchers at Michigan State University have found a cheaper and faster way to unlock mobile phones protected by fingerprint sensors using an off-the-shelf printer and special photo paper. The process can be done in well under 15 minutes, significantly faster than current fingerprint spoofs—which rely on 3D printing—that take more than twice as long.
The method uses a normal inkjet printer and conductive silver ink and a type of photo paper, both from a Japanese manufacturer called AgIC. The researchers used a Brother printer that costs about $400 new on Amazon. The method is detailed in a technical report (pdf) published Feb. 20.
The process starts with a scanned photo of the target user’s fingerprint.
The Michigan State researchers, Anil Jain and Kai Cao, tested four phones, unlocking two successfully. They were a Samsung Galaxy S6, Huawei Honor 7, iPhone 5s, and Meizu MX4 Pro. The spoof worked on the Samsung and Huawei handsets, but not the Apple and Meizu ones.
Cao told Quartz that the spoof worked on the iPhone during an earlier attempt, but it didn’t work when he tried to replicate the result for the technical report.
A well-known earlier fingerprint spoof comes from the Chaos Computer Club in Berlin, a nonprofit that works on security and privacy in technology, and involved printing the target fingerprint with latex milk or woodglue. That process, sometimes called 2.5D printing, first described in 2013, successfully unlocked an iPhone 5s.
http://www.cse.msu.edu/rgroups/biometrics/Publications/Fingerprint/CaoJain_HackingMobilePhonesUsing2DPrintedFingerprint_MSU-CSE-16-2.pdf
Tomi Engdahl says:
Who Needs Apple When the FBI Could Hack Terrorist iPhone Itself
http://www.bloomberg.com/news/articles/2016-03-04/who-needs-apple-when-the-fbi-could-hack-terrorist-iphone-itself
Experts say Feds could access data without going to court
A kiosk in a Chinese mall holds a potential solution
The Federal Bureau of Investigation has put the onus on Apple Inc. to break into the iPhone 5c carried by San Bernardino terrorist Syed Rizwan Farook. In fact, the feds almost certainly could do it themselves.
Security experts say there are many ways the FBI could hack the iPhone now at the center of a standoff between Apple and the U.S. government.
Jonathan Zdziarski, a cybersecurity researcher who consults with law enforcement, says the FBI could learn something from back-alley techies in China who break into iPhones all the time. He describes a kiosk in a Shenzhen mall that charges $60 to upgrade a 16-gigabyte phone to 128 gigabytes. Using a PC, tweezers and screwdrivers, he says, the kiosk operator copies the contents of the iPhone onto a chip with more capacity then swaps it in.
Tomi Engdahl says:
AMD to fix slippery hypervisor-busting bug in its CPU microcode
Patch for Piledriver chips emitted this week to kill off potentially exploitable glitches
http://www.theregister.co.uk/2016/03/06/amd_microcode_6000836_fix/
AMD will release on Monday new processor microcode to crush an esoteric bug that can be potentially exploited by virtual machine guests to hijack host servers.
Machines using AMD Piledriver CPUs, such as the Opteron 6300 family of server chips, and specifically CPU microcode versions 0x6000832 and 0x6000836 – the latest available – are vulnerable to the flaw.
When triggered, the bug can glitch a processor core to execute data as software, which crashes the currently running process. It is possible for a non-root user in a virtual machine to exploit this defect to upset the host system, or trick the host kernel into executing malicious code controlled by the user.
In other words, it is possible on some AMD-powered servers for a normal user in a guest virtual machine to escape to the underlying host and take over the whole shared server. Although it is rather tricky to exploit – for one thing, it requires precise timing – AMD has a fix ready for operating system makers to distribute to affected users from this week.
“AMD is aware of the potential issue of unprivileged code running in virtual machine guests on systems that make use of AMD Opteron 6200/6300,” a spokesman told The Register.
Tomi Engdahl says:
BorgBackup 1.0.0 Released
http://apple.slashdot.org/story/16/03/06/1635235/borgbackup-100-released
After almost a year of development, bug fixing and cleanup, BorgBackup 1.0.0 has been released. BorgBackup is a fork of the Attic-Backup project — a deduplicating, compressing, encrypting and authenticating backup program for Linux, FreeBSD, Mac OS X and other unixoid operating systems (Windows may also work using CygWin, but that is rather experimental/unsupported).
http://borgbackup.readthedocs.org/en/stable/
BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.
The main goal of Borg is to provide an efficient and secure way to backup data. The data deduplication technique used makes Borg suitable for daily backups since only changes are stored. The authenticated encryption technique makes it suitable for backups to not fully trusted targets.
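The two properties named above, that only changed data is stored and that a repository on a not-fully-trusted target cannot feed back tampered data, are easy to see in a toy. The following is an added example, not Borg's code: a client-side chunk store that deduplicates by keyed chunk id, encrypts each chunk with a PRF-derived counter-mode keystream, and authenticates it encrypt-then-MAC with HMAC-SHA256. Fixed-size chunking, the HMAC keystream, the sub-key derivation and the demo key are stand-ins and assumptions of this example; Borg's own design (content-defined chunking, AES-CTR with HMAC-SHA256) is described in its documentation linked above.

```python
"""Toy deduplicating, authenticated chunk store (added example, not Borg's code)."""
import hashlib
import hmac
import os

CHUNK = 1024  # fixed-size chunking; Borg uses a content-defined (rolling hash) chunker


class ChunkStore:
    """Client-side crypto; self.blobs stands in for the untrusted repository."""

    def __init__(self, key):
        # Derive separate sub-keys from one master key (constructed derivation).
        self.id_key = hmac.new(key, b"chunk-id", hashlib.sha256).digest()
        self.enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
        self.blobs = {}  # chunk id -> nonce || ciphertext || tag

    def chunk_id(self, plaintext):
        # Keyed id: identical chunks dedup, but the repository cannot fingerprint known files.
        return hmac.new(self.id_key, plaintext, hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        # PRF-based counter-mode keystream; a toy stand-in for AES-CTR.
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def put(self, data):
        """Store data; return (chunk ids making up this item, number of chunks newly written)."""
        ids, new = [], 0
        for off in range(0, len(data), CHUNK):
            chunk = data[off:off + CHUNK]
            cid = self.chunk_id(chunk)
            if cid not in self.blobs:  # dedup: a chunk already present costs nothing
                nonce = os.urandom(16)
                ct = bytes(a ^ b for a, b in zip(chunk, self._keystream(nonce, len(chunk))))
                # encrypt-then-MAC over id, nonce and ciphertext
                tag = hmac.new(self.mac_key, cid + nonce + ct, hashlib.sha256).digest()
                self.blobs[cid] = nonce + ct + tag
                new += 1
            ids.append(cid)
        return ids, new

    def get(self, ids):
        """Restore an item; refuse any chunk whose tag does not verify."""
        out = bytearray()
        for cid in ids:
            blob = self.blobs[cid]
            nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
            expected = hmac.new(self.mac_key, cid + nonce + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("chunk %s failed authentication" % cid.hex()[:16])
            out += bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        return bytes(out)


def demo():
    """Two daily backups of a mostly unchanged file, then a tampering attempt."""
    store = ChunkStore(b"constructed demo master key, not a real one")
    day1 = os.urandom(8 * CHUNK)
    _ids1, new1 = store.put(day1)                                   # 8 chunks written
    day2 = day1[:3 * CHUNK] + os.urandom(CHUNK) + day1[4 * CHUNK:]  # one chunk changed
    ids2, new2 = store.put(day2)                                    # only 1 chunk written
    restored_ok = store.get(ids2) == day2
    # The untrusted repository flips one ciphertext bit of the first chunk.
    blob = bytearray(store.blobs[ids2[0]])
    blob[20] ^= 0x01
    store.blobs[ids2[0]] = bytes(blob)
    try:
        store.get(ids2)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return new1, new2, restored_ok, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The point of the MAC covering the chunk id as well as the ciphertext is that a repository which swaps two validly encrypted chunks is caught just like one that flips bits; a restore tool that skipped the tag check would quietly hand back attacker-chosen bytes.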
Tomi Engdahl says:
Apple: FBI request threatens kids, electricity grid, liberty
Software engineering senior veep Craig Federighi cranks up debate about that iPhone
http://www.theregister.co.uk/2016/03/07/apple_fbi_request_threatens_kids_electricity_grid_liberty/
Apple’s opened another front in its argument over FBI access to San Bernardino killer Syed Farook’s iPhone, arguing in a Washington Post column that creating even a single possible point of attack threatens national and personal security.
Apple’s senior veep of software engineering Craig Federighi makes that argument here, correctly pointing out that compromising a device known to be used by an individual is a fine way to access data and facilities that individual accesses.
“Our nation’s vital infrastructure — such as power grids and transportation hubs — becomes more vulnerable when individual devices get hacked,” he argues. “Criminals and terrorists who want to infiltrate systems and disrupt sensitive networks may start their attacks through access to just one person’s smartphone.”
Smartphones are therefore “part of the security perimeter that protects your family and co-workers.”
Federighi goes on to say that Apple works mighty hard to ensure its products are secure and asserts “Doing anything to hamper that mission would be a serious mistake.”
Apple VP: The FBI wants to roll back safeguards that keep us a step ahead of criminals
https://www.washingtonpost.com/opinions/apple-vp-the-fbi-wants-to-roll-back-safeguards-that-keep-us-a-step-ahead-of-criminals/2016/03/06/cceb0622-e3d1-11e5-a6f3-21ccdbc5f74e_story.html
Tomi Engdahl says:
How Common Is Your PIN?
http://news.slashdot.org/story/16/03/06/1714220/how-common-is-your-pin
We’ve seen password frequency lists, here is an analysis of PIN frequency with a nice heatmap towards the bottom.
PIN analysis
http://datagenetics.com/blog/september32012/index.html
“All credit card PIN numbers in the World leaked”
The body of the message simply said 0000 0001 0002 0003 0004 …
Ian’s messages made me chuckle. Then, later the same day, I read this XKCD cartoon. The merging of these two humorous topics created the seed for this article.
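The security-relevant output of a PIN frequency analysis is not the table itself but how far a small guess budget gets an attacker, since devices and cards typically lock or wipe after a handful of wrong tries. The following is an added example (not DataGenetics' code or data) that builds the frequency table, the 100x100 heatmap grid behind the article's plot, and the coverage a best-first guesser achieves within a budget, against the baseline of uniformly random PINs. The sample of 1,000 PINs is constructed to look like a leak (a few very common choices plus a long tail) and the budget of 10 tries is an assumption.

```python
"""Guess-budget coverage from a PIN frequency list (added example)."""
from collections import Counter

# Constructed sample of 1,000 four-digit PINs shaped like a leak; not the article's figures.
SAMPLE_PINS = (["1234"] * 110 + ["1111"] * 60 + ["0000"] * 19 + ["1212"] * 12
               + ["7777"] * 7 + ["1004"] * 6 + ["2000"] * 5 + ["4444"] * 4
               + ["2222"] * 3 + ["6969"] * 2
               + ["%04d" % i for i in range(3000, 3772)])  # long tail, one user each


def frequency_table(pins):
    """(pin, count) pairs, most common first; ties broken by PIN value."""
    return sorted(Counter(pins).items(), key=lambda kv: (-kv[1], kv[0]))


def coverage(table, budget):
    """Fraction of users whose PIN falls to the best `budget` guesses."""
    total = sum(count for _, count in table)
    return sum(count for _, count in table[:budget]) / total


def uniform_coverage(budget, digits=4):
    """The same figure if every PIN were equally likely."""
    return min(1.0, budget / 10 ** digits)


def guesses_to_cover(table, fraction):
    """Guesses needed, best-first, before `fraction` of users are compromised."""
    total = sum(count for _, count in table)
    seen = 0
    for n, (_, count) in enumerate(table, 1):
        seen += count
        if seen >= fraction * total:
            return n
    return len(table)


def heatmap_grid(table):
    """100x100 grid (first two digits = row, last two = column), as in the article's plot."""
    grid = [[0] * 100 for _ in range(100)]
    for pin, count in table:
        grid[int(pin[:2])][int(pin[2:])] += count
    return grid


if __name__ == "__main__":
    table = frequency_table(SAMPLE_PINS)
    budget = 10  # assumed lockout threshold
    print("top-%d coverage: %.1f%% (uniform: %.2f%%)"
          % (budget, 100 * coverage(table, budget), 100 * uniform_coverage(budget)))
    print("guesses to reach 25%% of users: %d" % guesses_to_cover(table, 0.25))
```

With the constructed sample, ten guesses reach 22.8% of users where a uniform distribution would give 0.1%; swapping in a real leak's table is the only change needed to get the real number, and a blacklist of the top-N entries at PIN-selection time is the corresponding defence.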
Tomi Engdahl says:
MIT’s New 5-Atom Quantum Computer Could Make Today’s Encryption Obsolete
http://news.slashdot.org/story/16/03/06/1913213/mits-new-5-atom-quantum-computer-could-make-todays-encryption-obsolete
In traditional computing, numbers are represented by either 0s or 1s, but quantum computing relies on atomic-scale units, or “qubits,” that can be simultaneously 0 and 1 — a state known as a superposition that’s far more efficient. It typically takes about 12 qubits to factor the number 15, but researchers at MIT and the University of Innsbruck in Austria have found a way to pare that down to five qubits, each represented by a single atom, they said this week.
That, in turn, presents new risks for factorization-based methods such as RSA, used for protecting credit cards, state secrets and other confidential data.
MIT’s new 5-atom quantum computer could make today’s encryption obsolete
The scalable new system could easily crack RSA techniques
http://www.pcworld.com/article/3041115/security/mits-new-5-atom-quantum-computer-could-transform-encryption.html#tk.rss_all
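What the 5-qubit device actually computes is the order of a number modulo 15; everything else in Shor's algorithm, including turning that order into the factors and the factors into an RSA private key, is ordinary classical arithmetic. The following is an added example (not the MIT/Innsbruck code) of that classical half: order() is a brute-force stand-in for the quantum step, which works for 15 and for a textbook-sized modulus but is hopeless at RSA key sizes, which is precisely the gap a scalable quantum computer would close. The moduli and exponents used are well-known textbook values, not the page's.

```python
"""Classical half of Shor's factoring algorithm, run on N = 15 (added example)."""
from math import gcd
import random


def order(a, n):
    """Smallest r > 0 with a**r % n == 1 (brute force; this is the quantum step in Shor)."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a, r, n):
    """Turn the order r of a mod n into a non-trivial factor, or None if r is unusable."""
    if r % 2:                       # odd order: retry with another a
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:                  # a**(r/2) == -1 (mod n): only trivial factors, retry
        return None
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def shor_classical(n, seed=0):
    """Factor an odd n with at least two distinct prime factors (e.g. an RSA modulus)."""
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n)
        g = gcd(a, n)
        if g > 1:                   # lucky pick: a already shares a factor with n
            return tuple(sorted((g, n // g)))
        r = order(a, n)             # the only step the quantum computer performs
        p = factor_from_order(a, r, n)
        if p:
            return tuple(sorted((p, n // p)))


def rsa_private_exponent(e, p, q):
    """Once n = p*q is factored, the RSA private key follows immediately."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)          # modular inverse (Python 3.8+)


if __name__ == "__main__":
    print("order(7, 15) =", order(7, 15))            # 4, so 7**2 = 4 and gcd(4-1, 15) = 3
    print("15 =", shor_classical(15))
    p, q = shor_classical(3233)                      # textbook modulus 53 * 61
    print("3233 =", (p, q), "d =", rsa_private_exponent(17, p, q))
```

The retry branches matter: for a = 14 the order is 2 but 14 is its own inverse mod 15 (14 = -1), so the split gives only trivial factors and a fresh a must be drawn; a real implementation also has to handle the quantum order-finding step returning a wrong r, which it checks by simply verifying a**r mod n.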
Tomi Engdahl says:
FBI Request Exceeds ‘Just 1 iPhone’
Judiciary Committee hearing brings Apple, FBI, experts to table
http://www.eetimes.com/document.asp?doc_id=1329079&
The software/workaround in question would do the following for the smartphone in question:
Do away with data deletion after 10 failed attempts to login
Do away with the time delay between successive failed login attempts
Rewrite the code that controls the touch screen and allow the FBI to put a probe into the phone and bypass the need to enter numeric digits
The FBI has come under fire for lacking sufficient knowledge of Apple security systems; Comey also admitted that the agency did not ask for Apple’s source code or try to duplicate the shooter’s phone to bypass the login timing mechanism.