Here are my predictions for trends in information security and cyber security for the year 2016.
Year 2015 was pretty bad for information security, and I would say that the trend is worrying. So I expect the year 2016 to bring many information security challenges. If you want to keep yourself up at night, spend some time reading about the latest developments in cybersecurity. In 2015 airplanes were hacked, cars were hacked, and vulnerabilities were found in a breathtaking range of sensitive equipment, from TSA locks to voting booths to medical devices. The big picture is even scarier. Former NSA Director Mike McConnell suspects China has hacked “every major corporation” in the US. Those problems will continue in 2016, and some new targets for attacks will be found. The system is broken. It isn’t keeping us, our companies, or our government safe. Worse yet, no one seems to know how to fix it.
Attacks through networks are becoming more common all the time. It will be hard to protect against targeted attacks. Hackers will not only customize malware, but will increasingly use sophisticated phishing and social engineering tricks to gain access to sensitive data. Attackers usually cover their tracks carefully, so identifying them can be very difficult. Behind targeted attacks there are usually professional criminals. Criminals do not respect geographical borders, and hence attacks are spread evenly everywhere. Companies will struggle to absorb the security threats of combined PC and mobile devices in 2016.
EU information security decisions made in late 2015 will have an impact on what comes in 2016: the new EU data protection legislation package was approved, and the EU Court of Justice ruled that the Safe Harbor procedure is invalid. This means that transfers of personal data from EU countries to the United States under Safe Harbor are a violation of law; you need some other agreement for this. The situation will probably get clarified during 2016. Data protection legislation changes will lead to increased fines for the unprepared. Legal uncertainty and big fines are a toxic cocktail for some companies. The combination of stiff penalties and ambiguously worded provisions in the new EU-wide data-protection law, which would replace a patchwork of 28 national laws, raises daunting prospects for companies operating in Europe.
After the huge amount of user information leaked in 2015 from all kinds of Internet services, cloud companies will face the challenge of gaining trust in their security. You might have just dared to trust “the right cloud services”, since from the traditional information security point of view they seemed to be mainly okay, but now privacy issues are being raised as well.
New environments will bring new threats. New operating system versions mean that administrators and users are less familiar with the environments. IPv6 will get more widely used, and the security of IPv6 networks is different from IPv4. Organizations are moving to virtualized environments, which are complex and create network layers that can become an attack vector. Growing network virtualization functionality and programmability are both an opportunity and a threat to security. Cyber security research will be important in 2016, as 5G networks will be critical infrastructure on top of which, for example, transport, industry, health and the new operators set up their business around 2020.
The huge amount of information security information is becoming harder and harder to manage in 2016. A key problem with security revelations, as with all other news coverage, is the exponential growth of information. There are a variety of news summaries produced on a daily basis, but they are not enough to get a good picture of what is happening. There are bigger and smaller news items, the impact of which is at times very difficult to assess. SMBs will become a bigger target for cybercriminals. Network and security professionals continue to be among the toughest IT talent to find and hire.
The old way of network security, focused on perimeter defense, is not enough in 2016. The old mantras “encrypt everything” and “secure the perimeter” are not enough. One deceptive truth seems to drive much of the cybersecurity industry down a rabbit hole: if you keep bad actors and bad software out of your system, you have nothing to worry about. It does not work like that anymore. As perimeter security gets stronger, malicious actors are looking for easier entry points to compromise an organisation through the breadth of its digital attack surface. Now malicious actors target “endpoints”—any device or sensor connected to a network—to break into that network. Traditional sandboxing will no longer protect against the growing malware landscape. Today, most private networks have far too many endpoints to properly secure. In an age of “Bring Your Own Device”, the cloud, remote access, and the Internet of Things, there are too many vulnerabilities hackers can exploit. Keep in mind that everything connected to the Internet can, and will, be hacked. To address those threats in 2016, security experts should assume compromise – that hackers and malware already have breached their defenses, or soon will – and instead classify and mitigate threats. In addition to the public key infrastructure lock-and-key system, you will also need an integrity solution that acts like an alarm. To protect against advanced threats, security professionals will increase their reliance on centralized security management solutions. You need to have prioritization and response plans for various kinds of breaches – with a strong focus on integrity.
Law enforcement versus Silicon Valley tension will continue to be strong throughout 2016. In 2015 law enforcement and politicians on both sides of the Atlantic lined up to repeatedly complain that the web was “going dark” as a result of end-to-end encryption, and that this was hampering the investigation of terrorism and other serious crimes. Technologists and cryptographers argue that governments are trying to weaken encryption by demanding some form of privileged access for government. It’s not clear how much encryption the NSA can break. With renewed focus on how encrypted messages can be used to plot terrorist attacks, President Barack Obama’s administration is stepping up pressure on the tech sector to help in the battle. Privacy remains a major counter-argument. It seems that governments lie about encryption backdoors. Encryption systems weakened by mandated backdoors would not be effective in fighting the terrorists that governments invoke as their reason for wanting those backdoors in the first place.
But this does not stop some government officials from demanding such things, with varying success in different countries. Another fact is that the existence of coded communications is a reality, and the U.S. may not be able to do much about it because nearly everyone living in modern society uses it: encryption protects your bank information, prevents your password from being stolen when you log into a website, and allows all e-commerce transactions to take place securely. Encryption weakened by mandated backdoors would put all of us at an enormous risk of exposure from data breaches and associated online risks. The truth in 2016 is that any form of privileged access for government – i.e., a backdoor – would inevitably weaken crypto-systems and make them more vulnerable to attacks by foreign governments’ intelligence agencies as well as criminals; Juniper’s VPN security hole is proof that government backdoors are bonkers. Encryption backdoors would be a gleeful win-win for terrorists and a horrific lose-lose for you – the bad guys having strong protections for their data, and the rest of us not. Poorly thought-out and crude surveillance techniques could have a devastating effect on a country’s internet security: for example, Kazakhstan will force its citizens to install internet backdoors by requiring all Internet users to install a state-issued root certificate by January 1, 2016.
Google, Mozilla and Microsoft are pushing for an early SHA-1 crypto cutoff that could happen in 2016 instead of the earlier planned January 1, 2017. This is due to recent research showing that SHA-1 is weaker than previously believed, because it has been cracked without enormous effort. Mozilla, Microsoft and now Google are all considering bringing the deadline forward by six months to July 1, 2016. SHA-2 is going to be used as the replacement function for SHA-1. Websites like Facebook and those protected by CloudFlare have implemented a SHA-1 fallback mechanism for those systems that do not support SHA-2. Chrome will start displaying errors if SHA-1 certificates are employed in early 2016, and will completely stop supporting SHA-1 certificates at the end of 2016.
The use of blockchain technology, a permissionless distributed database based on the bitcoin protocol that runs across a global network of independent computers, will spread more widely than just Bitcoin virtual money. With bitcoin, the blockchain tracks the exchange of money. But it can also track the exchange of anything else that holds value, including stocks, bonds, and other financial securities. Overstock has already used the blockchain to issue private bonds. The Securities and Exchange Commission has approved a plan from online retailer Overstock.com to issue company stock via the Internet, signaling a significant shift in the way financial securities will be distributed and traded in the years to come. Overstock built its technology under the aegis of a subsidiary called TØ.com, and it plans to offer this “cryptosecurity” tech as a service to other businesses. Nasdaq OMX—the company behind the Nasdaq stock exchange—is using the blockchain to oversee the exchange of private stock. Also, several major companies from across both the technology and financial industries—including IBM, Intel, and Cisco as well as the London Stock Exchange Group and big-name banks JP Morgan, Wells Fargo, and State Street—have joined forces with the Linux Foundation to create an alternative to the blockchain.
The use of disk encryption will increase, and there are different ways to do it with different security levels. Microsoft has introduced Windows 10 disk encryption where the recovery keys are uploaded to Microsoft. This approach has some advantages and disadvantages. The gold standard in disk encryption is end-to-end encryption, where only you can unlock your disk. This is what most companies use, and it seems to work well. It protects data in case your device is lost or stolen. But what if you forget or lose your key? There are certainly cases where it’s helpful to have a backup of your key or password – so keeping a backup of your recovery key in your Microsoft account could be genuinely useful for probably the majority of users that don’t have high security needs. The disadvantage of this approach is that your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.
Weak and leaked passwords are still a huge security problem in 2016. Passwords are often the weakest part when it comes to securing users’ accounts, as many don’t use complex passwords or they reuse the same password across services. Two-factor authentication – like using a USB stick with a secret token or entering a code sent via text message to your phone – can help to increase security, but many users also find this to be a hassle as it introduces an additional step to the login process.
Google has begun testing a login system that uses phone notifications for authentication instead of passwords: users authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.
The smart phone will become a more and more security critical part of your life. “Increasingly, individuals and organisations are adopting password managers and multi-factor authentication technologies to plug some of the holes in password-based authentication. We foresee a world where practically everyone uses their smartphone as a multi-factor authentication element. In this world, the smartphone becomes your most valuable asset: something that enables you to unlock your life online and a target for attackers seeking to access your services.”
Expect that the number of mobile vulnerabilities will only grow in 2016. In 2016 we will see increasing numbers of cyber criminals using mobile applications to spread malware. Mobile presents an easy target for cyber criminals, because it is an attack surface that is open and extremely difficult to defend once an app has been released. Android threats will become more than just headline-grabbers. Will 2016 be the year iOS malware goes mainstream?
Critical infrastructures will be highly targeted in 2016. SCADA and ICS networks were not designed for security. Attacks against these systems have increased in recent years. I expect this trend to only get worse. There are still many companies that run their critical systems on Windows XP, as “there are some people who don’t have an option to change.” Many times the OS is running in automation and process control systems that run business and mission-critical systems, both in private sector and government enterprises. For example, the US Navy is using the obsolete operating system Microsoft Windows XP to run critical tasks. It all comes down to money and resources, but if someone is obliged to keep something running on an obsolete system, it’s the completely wrong approach to information security.
Cars were hacked at a record rate in 2015, and they will be hacked at least at the same rate in 2016. Modern cars feature more gadgetry and connected systems, and this makes vehicles just as vulnerable to today’s threats and attacks. I Am The Cavalry has published a Five Star Cyber Safety Framework to mitigate this threat in cars; hopefully car component makers will study it.
IoT and smart devices are still at risk. The Internet of Things will continue to emerge, and businesses will need to think about how to protect their smart devices and prepare for the wider adoption of IoT. IoT platforms are not yet the weapon of choice for commercial malware authors, but businesses beware. Wearables won’t be safe either, as they are built using largely the same, too often vulnerable, technologies as other IoT systems. IoT security is still in its infancy in 2016.
Cyber criminals became more active in 2015, particularly in producing ransom-malware. The ransom-malware problem will continue to be big in 2016. Commercial malware authors will continue to invest heavily, and exploit kits will continue to dominate on the web. Ransomware today is big business. Ransomware takes control of a computer and holds it hostage until the victim pays, usually in the digital currency Bitcoin. As a remedy against ransom-malware I recommend making sure that your IT support or service provider has the data backup and restore procedure operational, practiced and tested. You may need it in 2016 to get your data back without having to consider paying the criminals. To date ransomware has hit Windows users hardest, although Android and MacOS users are now also facing similar extortion.
Ransomware will continue to dominate in 2016, and it is only a question of time before we see things beyond data being ransomed. We have already seen websites being held ransom to DDoS. Intel’s McAfee Labs also noted a huge spike in ransomware in early 2015, and worries about ransomware in the IoT space—including medical devices. And Kaspersky predicts the “nightmare of ransomware” to continue and “spread to new frontiers” in 2016. The “Ransomware Is Coming to Medical Devices” article tells that, according to a report released recently by Forrester Research, the number one cybersecurity prediction for 2016 is: “We’ll see ransomware for a medical device or wearable.” “It’s definitely feasible from a technical standpoint.” Networked medical devices save lives. Despite the hacking risk, it’s an informed trade-off. Medical device ransomware would be a modern form of highway robbery with lives at stake.
Keep in mind that everything connected to the Internet can, and will, be hacked. In 2016, if you’re not paranoid, you’re crazy. As government agencies and tech companies develop more and more intrusive means of watching and influencing people, how can we live free lives? Unfortunately I don’t have a solution for that.
Tomi Engdahl says:
UK regulator starts cracking down on fake online reviews
The company posted 800 reviews on behalf of 86 businesses between 2014 and 2015.
http://www.engadget.com/2016/03/07/uk-regulator-starts-cracking-down-on-fake-online-reviews/
Online reviews, like those on Amazon, are typically a good way to judge the quality of a product or service before you decide to part with your money. They can also be huge indicators of the reputation of the retailer you’re about to do business with.
With profits on the line, some businesses have taken steps to ensure they’re getting good reviews, a service which marketing companies are all too willing to provide. Last week, the Competition and Markets Authority (CMA) confirmed it had issued its first crackdown on the practice, after it caught UK company Total SEO & Marketing Ltd (Total SEO) posting over 800 fake reviews between 2014 and 2015.
Tomi Engdahl says:
Yaqiu Wang / Committee to Protect Journalists:
Anonymous former Weibo censor discusses off limit topics, sensitive words, and methodology
Read and delete: How Weibo’s censors tackle dissent and free speech
https://cpj.org/blog/2016/03/read-and-delete-how-weibos-censors-tackle-dissent-.php
The Chinese microblogging site Weibo has a huge following, with around 100 million users posting every day. For those living in China, one of CPJ’s 10 most censored countries, the social network offers the chance to discuss and share news that is often blocked in mainstream outlets.
Insight into how Weibo balances the demands of government censorship with the need to attract users has been provided by a former employee, who says he worked in its 150-member censorship department for a couple of years.
Tomi Engdahl says:
South Korea Says North Hacked Phones of Key Officials
http://www.securityweek.com/south-korea-says-north-hacked-phones-key-officials
South Korea’s spy agency said Tuesday that North Korea had hacked into smartphones belonging to a number of key government officials, part of a series of cyber-attacks launched after its fourth nuclear test.
The revelations by the National Intelligence Service (NIS) came as the government is seeking to push through parliament an anti-cyber terrorism law that critics say would grant the agency unmatched surveillance powers over cyberspace, including messenger servicing networks.
In a statement, the NIS said the North stole phone numbers and texts from the smartphones of dozens of key South Korean officials between late February and early March.
Tomi Engdahl says:
Pawn Storm Group Targets Turkey
http://www.securityweek.com/pawn-storm-group-targets-turkey
Pawn Storm, the cyber espionage group linked by some researchers to Russia, has recently started targeting government and news organizations in Turkey, Trend Micro reported on Monday.
The economic and politically-motivated threat actor, which has been active for the past decade, is also known as APT28, Sednit, Sofacy, Fancy Bear and Tsar Team. The group has focused its activities on individuals and military, government, media and defense organizations from across the world, including Ukraine, Poland, Russia, the United States, and various NATO member countries. The list of known targets also includes governments in Europe, Asia and the Middle East.
Tomi Engdahl says:
Multiple Passcode Bypass Vulnerabilities Discovered in iOS 9
http://www.securityweek.com/multiple-passcode-bypass-vulnerabilities-discovered-ios-9
Apple’s iOS 9.0, 9.1, and most recent 9.2.1 releases contain multiple connected passcode protection bypass vulnerabilities that affect both iPhone and iPad devices, researchers at Vulnerability Lab warn.
These vulnerabilities allow a local attacker who has physical access to the device to bypass the passcode protection mechanism of the Apple mobile iOS, the bug’s security advisory reveals. Apple iPhone 5, 5s, 6 and 6s, as well as iPad mini and iPad 1 and 2 are affected by the bug.
Tomi Engdahl says:
Let’s Encrypt Issues More Than 1 Million Digital Certificates
http://www.securityweek.com/lets-encrypt-issues-more-1-million-digital-certificates
Free and open Certificate Authority (CA) Let’s Encrypt announced this week that it has issued more than 1 million certificates since issuing its first Digital Certificate last year.
Originally proposed by the Electronic Frontier Foundation (EFF), the initiative has already attracted support from industry leaders such as Mozilla, Cisco, Akamai, Automattic and IdenTrust, among others. Backed by the Linux Foundation, its goal is to encrypt website traffic using Transport Layer Security (TLS) to protect user data from eavesdroppers.
Tomi Engdahl says:
The Mobile App is the New Endpoint
http://www.securityweek.com/mobile-app-new-endpoint
The landscape of enterprise endpoints has shifted dramatically in the last few years, as typical endpoints have evolved from laptops to mobile devices—a shift that’s likely to grow as mobile devices offer increased screen sizes and resolutions, better onscreen keyboards and more processing power.
Recently, Apple CEO Tim Cook was widely quoted as saying that he doesn’t even travel with a laptop anymore; he gets along fine with just an iPad and an iPhone. Cook can leave his laptop behind because software is evolving, too, from desktop applications to self-hosted web applications, to SaaS, and now to mobile apps. Using the apps on his two iOS devices, Cook can do everything he needs to do when he’s on the road.
Security Considerations
As the perimeter of the enterprise erodes and devices exist in a more distributed environment, enterprise teams have the complicated task of figuring out what they can still manage. In this day of BYOD devices and zero-trust operating environments, IT and security professionals gain nothing from trying to manage the unmanageable—which is just as well, because the device is no longer the endpoint that matters.
The new endpoint is the mobile app: it’s our interface with the user and the point at which data and transactions come into the enterprise, or service provider or retailer or financial institution. It’s the new focus of users’ interactions and the workflows they rely upon to make themselves more productive. It’s the new vault for the things that matter in their lives—their organizations’ proprietary information and their own HR records, the private health information they share with their doctors and their kids’ social security numbers for school. Mobile apps have quickly become where all of us store our most vital data.
And attackers know that the money is where the data resides. They know that security is often overlooked in the rush to release mobile apps, leaving an open door to data.
Tomi Engdahl says:
Apple has shut down the first fully-functional Mac OS X ransomware
http://techcrunch.com/2016/03/07/apple-has-shut-down-the-first-fully-functional-mac-os-x-ransomware/?ncid=rss&cps=gravity_1730_5585249745811595303
Apple has shut down what appears to have been the first, fully-functional ransomware targeting Mac computers. This particular form of cyber threat involves malware that encrypts the data on your personal computer so you can no longer access it. Afterwards, the hackers request that you pay them in a hard-to-trace digital currency – in this case, bitcoin – in order for you to retrieve your files. This ransomware, called “KeRanger,” was first reported by researchers at Palo Alto Networks. They also noted that Apple has now revoked the abused certificate that was used in the attack and updated its built-in anti-malware system XProtect with a new signature to protect customers.
Tomi Engdahl says:
FBI quietly changes its privacy rules for accessing NSA data on Americans
http://www.theguardian.com/us-news/2016/mar/08/fbi-changes-privacy-rules-accessing-nsa-prism-data
Exclusive: Classified revisions accepted by secret Fisa court affect NSA data involving Americans’ international emails, texts and phone calls
The FBI has quietly revised its privacy rules for searching data involving Americans’ international communications that was collected by the National Security Agency, US officials have confirmed to the Guardian.
The classified revisions were accepted by the secret US court that governs surveillance, during its annual recertification of the agencies’ broad surveillance powers. The new rules affect a set of powers colloquially known as Section 702, the portion of the law that authorizes the NSA’s sweeping “Prism” program to collect internet data. Section 702 falls under the Foreign Intelligence Surveillance Act (Fisa), and is a provision set to expire later this year.
Tomi Engdahl says:
Sharing passwords is a bad idea, yet people still do it
http://betanews.com/2016/03/08/password-sharing/
A lot of people like sharing their passwords with others, even though such actions put their data at risk — and they know it. Those are the results of a new survey commissioned by password management firm LastPass, and conducted by RedShift Research.
According to the survey, more than half (55 percent) of UK’s consumers share passwords with others, jeopardizing their financial information in the process. They know that’s risky — three quarters (75 percent) have confirmed it — but still, 96 percent have admitted sharing up to six passwords with others.
The most common person to share a password with is a partner for 66 percent of those surveyed. After sharing a password, 63 percent fail to change it. The survey also says they are usually shared verbally, as well as that business passwords are shared more freely than their private counterparts. The survey included 2,000 adults from the UK.
Tomi Engdahl says:
In Europe, You’ll Need a VPN to See Real Google Search Results
http://www.wired.com/2016/03/europe-youll-need-vpn-see-real-google-search-results/
Europe’s so-called “right to be forgotten” rules. First passed in 2014, the EU law states that companies like Google have a responsibility to remove personal information about individuals from their search engines, so long as that information is not of public interest and is “inadequate, irrelevant, no longer relevant or excessive.” In practice, this means that Google and other search engines must remove links to pages, such as news sites, at the request of people who don’t want particular information about themselves known.
Up until now, Google has only flushed information from country-specific search engines.
Now, it will be removed from all Google search results, including those from google.com itself, if you visit from a computer that appears to be in the EU. To get around that restriction, users may have to turn to a VPN—short for virtual private network. Such services allow users to mask the geographical origins of their internet requests.
Tomi Engdahl says:
Boffins bust biometrics with inkjet printer
Printed electronics makes the perfect fake fingerprint
http://www.theregister.co.uk/2016/03/09/boffins_bust_biometrics_with_inkjet_printer/
Boffins from Michigan State University have loaded up an inkjet printer with cartridges designed for printing electronic circuits, and used the output to fool smartphone fingerprint sensors.
All that’s needed is a scan of the victim’s fingerprint (reversed so it presents the right way when printed), and a suitable inkjet printer loaded up with ink and paper from printed electronics specialist AGIC.
In their paper (PDF) the researchers, Kai Cao and Anil Jain from the university’s Department of Computer Science and Engineering cracked a Samsung Galaxy S6 and a Huawei Honor 7.
It’s a much simpler approach than the “gummy bear fake fingerprint”, which needs materials like latex milk or white wood glue.
http://www.cse.msu.edu/rgroups/biometrics/Publications/Fingerprint/CaoJain_HackingMobilePhonesUsing2DPrintedFingerprint_MSU-CSE-16-2.pdf
Tomi Engdahl says:
Cyber-crooks now prefer ransomware to botnets. Yep, firms are paying up
CryptoWall most prevalent nasty – survey
http://www.theregister.co.uk/2016/03/09/trend_micro_ransomware_iot_threat_rise/
File-encrypting ransomware has eclipsed botnets to become the main threat to enterprises, according to Trend Micro.
During the fourth quarter of 2015, 83 per cent of all data extortion attacks were made with the use of crypto-ransomware.
CryptoWall topped the list of 2015’s most notorious ransomware families, with a 31 per cent share. According to FBI statistics released last June, CryptoWall managed to generate more than $18m for its creators in a little over a year.
These revenues – traced by monitoring BitCoin wallets and similar techniques – provide evidence that a growing percentage of organisations affected by ransomware attacks are paying up.
Tomi Engdahl says:
Verizon Slapped With $1.35M Fine For ‘Supercookies’
http://www.nbcnews.com/tech/tech-news/verizon-slapped-1-35m-fine-supercookies-privacy-violation-n533781
Verizon will pay a $1.35 million fine and agreed to a three-year consent decree after the Federal Communications Commission said it found the company’s wireless unit violated the privacy of its users.
Verizon Wireless agreed to get consumer consent before sending data about “supercookies” from its more than 100 million users, under a settlement. The largest U.S. mobile company inserted unique tracking codes in its users traffic for advertising purposes.
Tomi Engdahl says:
The Dark Arts: SQL Injection and Secure Passwords
http://hackaday.com/2016/03/09/the-dark-arts-sql-injection-and-secure-passwords/
His main password was “kibafo33”. According to a password security checker, it would take about 11 minutes to crack. Adding a single special character and capitalizing a letter, such as Kiba#fo33, brings that time up to 275 days.
Cracking passwords consists of using common phrases and brute force attacks.
SQL injection (SQLi) is a technique that allows an attacker to execute SQL statements in an entry field. This technique was used with great success by the Lulzsec hackers.
Typically, a mischievous SQL statement is passed to the database along with a normal input.
Running rogue SQL statements on a test website is one thing, running them on a real website is another.
PHP sites tend to be targets as they are more likely to be vulnerable to SQLi attacks. A method called Google Dorking (pdf) is one method used to find these sites.
You now have more than enough information to start testing your site to see if it’s vulnerable to an SQLi hack. In many cases, the hacker winds up with the MD5 hash of the database password.
Preventing SQLi can be done by sanitizing inputs on your webpage.
https://info.publicintelligence.net/DHS-FBI-NCTC-GoogleDorking.pdf
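The Hackaday excerpt above describes SQL injection and says prevention is a matter of handling inputs; the following added example (not code from the article or from the comment) shows the defect and its fix side by side on an in-memory SQLite database. The `lookup_vulnerable` function splices the username into the SQL text, so a quote in the input changes the query’s structure; `lookup_safe` binds it as a parameter, which the database engine always treats as data. Since the excerpt also notes that attackers often end up with an MD5 password hash, the sample accounts are stored with salted PBKDF2-HMAC-SHA256 instead. Account names, passwords and the table layout are constructed for the demonstration.

```python
"""SQL injection: vulnerable query beside its parameterised fix
(added example, not from the original article or comment).

Uses an in-memory SQLite database with constructed sample users. Passwords
are stored as salted PBKDF2-HMAC-SHA256 rather than MD5, since MD5 is fast
to brute-force once a hash leaks.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample accounts (not real credentials).
SAMPLE_USERS = [("alice", "correct horse battery"), ("bob", "kibafo33")]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$hash_hex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def make_db() -> sqlite3.Connection:
    """Create the users table and insert the sample accounts (parameterised)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in SAMPLE_USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: untrusted input is spliced into the SQL text, so a quote
    character in it terminates the literal and the rest becomes SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """FIXED: a bound parameter is passed to the engine separately from the
    query text and can never alter the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time password verification."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and check_password(password, row[0])


def demo() -> dict:
    """Run the classic tautology input through both lookups and try two logins."""
    conn = make_db()
    tautology = "' OR '1'='1"  # makes the WHERE clause unconditionally true
    return {
        "vulnerable": lookup_vulnerable(conn, tautology),  # every user returned
        "safe": lookup_safe(conn, tautology),              # no such username
        "login_ok": login(conn, "bob", "kibafo33"),
        "login_bad": login(conn, "bob", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

Input “sanitizing” by stripping quotes is brittle because every database dialect has its own escaping rules; binding parameters removes the problem by construction, and any remaining validation (length, character set) is then a defence in depth rather than the only barrier.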
Tomi Engdahl says:
GCHQ chief offers olive branch to technology firms in online privacy row
http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/12186741/GCHQ-chief-offers-olive-branch-to-technology-firms-in-online-privacy-row.html
Robert Hannigan said his agency, Government and the major communications and internet companies needed a “new relationship” to tackle the problems of encryption.
Tomi Engdahl says:
The web is a terrorist’s command-and-control network of choice
http://www.ft.com/intl/cms/s/2/c89b6c58-6342-11e4-8a63-00144feabdc0.html#axzz42J5c1AQp
People do not want social media platforms to facilitate murder, writes Robert Hannigan
Tomi Engdahl says:
Google Open Sources Vendor Security Assessment Framework
http://www.securityweek.com/google-releases-source-code-security-assessment-questionnaire
Google announced on Monday that it has decided to open source its Vendor Security Assessment Questionnaire (VSAQ) framework to help companies improve their security programs.
While it’s owned by Google, the VSAQ is not an official product of the search giant. The interactive questionnaire application was developed to support security reviews by facilitating the collection of information and allowing users to display it in a template form.
Instructions on how to set up, build and deploy the VSAQ framework are available on Google’s GitHub page.
https://github.com/google/vsaq
Tomi Engdahl says:
Home Depot Will Pay Up To $19.5 Million For Massive 2014 Data Breach
http://yro.slashdot.org/story/16/03/09/161257/home-depot-will-pay-up-to-195-million-for-massive-2014-data-breach
In remedy for the 2014 data breach that included the theft of data pertaining to about 56 million payment cards, as well as 53 million email addresses, Home Depot has reportedly agreed to pay $13 million to reimburse customers for their losses and $6.5 million to provide them with 18 months of identity protection services.
Home Depot will pay up to $19.5 million for massive 2014 data breach
http://www.csoonline.com/article/3041994/security/home-depot-will-pay-up-to-195-million-for-massive-2014-data-breach.html
Tomi Engdahl says:
Rosen Hotel Chain Had a PoS Malware Infection for 17 Months
http://news.softpedia.com/news/rosen-hotel-chain-had-a-pos-malware-infection-for-17-months-501530.shtml
Rosen Hotels & Resorts Inc. (RH&R), a Florida-based US hotel chain, had some bad news for its customers during the past week after the company announced a malware infection that affected its credit card processing system for over 17 months.
As the hotel chain is explaining in a statement on its website
“Malware infection was first spotted in September 2014”
The company did find malware, and now RH&R is saying that between September 2, 2014 and February 18, 2016, some of its computer systems that handle payment card transactions were affected by malware.
The malware was specifically designed to scrape computer memory for credit card information. RH&R says that the malware stole information about the cardholder’s name, card number, expiration date, and internal verification code.
“When are hotel chains going to strengthen their security measures?”
“It’s troubling to see another malware attack be so successful — and even more troubling that it persisted over a prolonged period of time without being detected,”
“We counsel our customers that any business, regardless of size, that processes payment data or offers free Wi-Fi to guests, is a lucrative target for cybercriminals. That hasn’t changed and isn’t likely to, as long as business owners continue to overlook security as a key part of their operations,”
Tomi Engdahl says:
Triada Trojan Most Advanced Mobile Malware Yet: Kaspersky
http://www.securityweek.com/triada-trojan-most-advanced-mobile-malware-yet-kaspersky
Triada Trojan Exists in RAM and Uses Zygote Process to Hook All Applications on Android
Security researchers at Kaspersky Lab recently came across a new Trojan targeting Android devices, which they say is the most advanced mobile malware seen to date.
Dubbed Triada (Backdoor.AndroidOS.Triada), this malware family was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user. What sets the Trojan apart, however, is a modular architecture combined with the ability to infiltrate all processes on the infected system to achieve high persistence.
Tomi Engdahl says:
Data protection: Don’t be an emotional knee jerk. When it comes to the law, RTFM
Know the law? Read the contract? No? Stop confusing yourself
http://www.theregister.co.uk/2016/03/10/frank_jennings_data_protection/
How many times have you spoken to someone in a call centre who refused to give you information on the basis that the “Data Protection Act” prevents them?
Any potential customers in Germany who told you they can’t buy your IT or cloud service because their law prohibits data transfers outside Germany? Has anyone told you that a Brexit would allow the UK to make its own laws including regarding data? Or has a customer refused to buy your solution because you’re reselling public cloud, which means they will lose ownership of data?
I regularly encounter people who tell me the way it is and yet they have not actually read the law or the contract. I understand: not everyone wants to wade through the tedium to work out what is what. That is what you pay lawyers for.
All too often though, emotional knee-jerk reactionism is used as a substitute for proper advice. The UK Data Protection Act (you can read it here) does not prevent transfers outside of the UK. The whole point of the EU Data Protection Directive (read here), upon which the UK Act is based, was to harmonise laws across the whole of the European Union (actually, it also extends to the three additional countries in the European Economic Area).
Yes, it was not entirely successful and it needs to be updated, hence the new Regulation which is coming into force in 2018. But, without going into specifics, data transfers within this “Fortress Europe” are acceptable now and will be under the new law too.
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
Tomi Engdahl says:
Security Trends From RSA Conference 2016 in San Francisco
http://www.securityweek.com/security-trends-rsa-conference-2016-san-francisco
The RSA Conference in San Francisco is the largest annual gathering of people working in, selling to, reporting on or analyzing the security industry. Each year there are general trends that come out of the show, although trends can be in the eye of the beholder.
The show was attended by roughly 40,000 people, with more than 500 vendors and 700 sessions.
1. Apple is winning the hearts and minds of security professionals
2. Attacks from the inside are not necessarily perpetrated by insiders
3. Analytics has entered the cliché zone
4. Venture capital for security companies is slowing, which will drive vendor consolidation
5. What next?
Tomi Engdahl says:
Reuters:
Sources: tech companies may face civil penalties like contempt of court for withholding encrypted data in new Burr-Feinstein bill — Senators close to finishing encryption penalties legislation: sources — Technology companies could face civil penalties for refusing to comply with court orders …
Senators close to finishing encryption penalties legislation: sources
http://www.reuters.com/article/us-apple-encryption-legislation-idUSKCN0WB2QC?feedType=RSS&feedName=technologyNews
Technology companies could face civil penalties for refusing to comply with court orders to help investigators access encrypted data under draft legislation nearing completion in the U.S. Senate, sources familiar with continuing discussions told Reuters on Wednesday.
The long-awaited legislation from Senators Richard Burr and Dianne Feinstein, the top Republican and Democrat on the Senate Intelligence Committee, may be introduced as soon as next week, one of the sources said.
It would expose companies like Apple Inc, which is fighting a magistrate judge’s order to unlock an iPhone connected to the mass-shooting in San Bernardino, California, to contempt of court proceedings and related penalties, the source said.
It is particularly unlikely the proposal will gain traction in the U.S. House of Representatives, which staked out positions strongly supporting digital privacy in the wake of revelations about government-sanctioned surveillance of communications by former National Security Agency contractor Edward Snowden.
Tomi Engdahl says:
A Warning for Wearables: Think Before You Emote
http://www.eetimes.com/author.asp?section_id=36&doc_id=1329149&
An examination of how wearable devices could become the modern equivalent of blogs broadcasting proprietary workplace information directly to the Internet of Things — and beyond.
In 2013, I wrote an article for The Guardian about a woman who owned a wearable device that measured her stress at work. After realizing her anxiety was spiking every day at the same time her oppressive manager checked in at her cubicle, she began tallying her aggregate physiological data for a month. After commiserating with two other colleagues suffering similar tensions with the same manager, all three employees took their data to their boss. Presenting quantified proof to the CEO (time-stamped data correlating to an increase of stress), the employees demanded the negative manager get fired before their health insurance premiums increased.
Put simply, and literally, they also noted: “He’s killing us.”
A Warning for Wearables: Think Before You Emote
http://www.darkreading.com/operations/a-warning-for-wearables-think-before-you-emote/a/d-id/1324605?
Tomi Engdahl says:
Android Trojan targets customers of major banks and can bypass 2FA
http://betanews.com/2016/03/09/android-banking-trojan/
Researchers at security company ESET have uncovered a new strain of Android malware that can steal the login credentials of mobile banking users.
Named Android/Spy.Agent.SI, the malware presents victims with a fake version of the login screen of their banking application and locks the screen until they enter their username and password.
Using the stolen credentials, thieves can then log in to the victim’s account remotely and transfer money out. They can also use the malware to send them all of the SMS text messages received by the infected device, and remove them.
“This allows SMS-based two-factor authentication of fraudulent transactions to be bypassed, without raising the suspicions of the device’s owner,” says Lukáš Štefanko, ESET Malware Researcher specializing in Android malware.
Tomi Engdahl says:
How a hacker’s typo helped stop a billion dollar bank heist
http://www.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUSKCN0WC0TC
A spelling mistake in an online bank transfer instruction helped prevent a nearly $1 billion heist last month involving the Bangladesh central bank and the New York Fed, banking officials said.
Unknown hackers still managed to get away with about $80 million, one of the largest known bank thefts in history.
The hackers breached Bangladesh Bank’s systems and stole its credentials for payment transfers, two senior officials at the bank said.
The transactions that were stopped totalled $850-$870 million, one of the officials said.
Last year, Russian computer security company Kaspersky Lab said a multinational gang of cyber criminals had stolen as much as $1 billion from as many as 100 financial institutions around the world in about two years.
Iraqi dictator Saddam Hussein’s son Qusay took $1 billion from Iraq’s central bank
Tomi Engdahl says:
0day remote code exec holes in mobile modems can read SMS and HTTP
Or that mobile USB dongle could let an attacker take over your PC! Hooray!
http://www.theregister.co.uk/2016/03/11/ruskie_finds_0day_remote_code_exec_holes_in_popular_modems/
Russian security tester Timur Yunusov has found critical vulnerabilities in routers and 3G and 4G modems from Huawei, ZTE, Gemtek, and Quanta. The flaws mean attackers could completely compromise machines and intercept SMS and HTTP traffic.
The research first detailed in December and showcased to hackers yesterday at the Nullcon conference in Goa revealed un-patched flaws in eight devices of which thousands were exposed over the Shodan device search engine.
Tomi Engdahl says:
Flash – aaah-aarrgh! Patch now as hackers exploit fresh holes
Flash, I love you, but we only have fourteen hours to save everyone’s computers
http://www.theregister.co.uk/2016/03/10/adobe_flash_march_updates/
Tomi Engdahl says:
Intel Updates True Key App to Simplify Security
by Anton Shilov on March 10, 2016 12:00 PM EST
http://www.anandtech.com/show/10132/intel-updates-true-key-app-to-simplify-security
Tomi Engdahl says:
Justin Sink / Bloomberg Business:
At SXSW, President Obama advises tech industry to compromise on encryption now instead of waiting for Congress to act — Government Can’t Let Smartphones Be ‘Black Boxes,’ Obama Says — Obama advises tech industry to compromise before Congress acts — President appears at South by Southwest as FBI sues Apple Inc.
Government Can’t Let Smartphones Be ‘Black Boxes,’ Obama Says
http://www.bloomberg.com/politics/articles/2016-03-11/obama-confronts-a-skeptical-silicon-valley-at-south-by-southwest
President Barack Obama said Friday that smartphones — like the iPhone the FBI is trying to force Apple Inc. to help it hack — can’t be allowed to be “black boxes,” inaccessible to the government. The technology industry, he said, should work with the government instead of leaving the issue to Congress.
“You cannot take an absolutist view on this,” Obama said at the South by Southwest festival in Austin, Texas. “If your argument is strong encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance we have lived with for 200, 300 years, and it’s fetishizing our phones above every other value.”
Rapid technological advancements “offer us enormous opportunities, but also are very disruptive and unsettling,” Obama said at the festival, where he hoped to persuade tech workers to enter public service. “They empower individuals to do things that they could have never dreamed of before, but they also empower folks who are very dangerous to spread dangerous messages.”
Tomi Engdahl says:
Adobe issues emergency patch for Flash bug
http://www.bbc.com/news/technology-35783558
Adobe has issued an emergency patch for its Flash media player that closes loopholes in the widely used software.
In its security advisory, Adobe said one of the bugs was being actively exploited in a “limited number of targeted attacks”.
In total, the patch closes 23 separate security bugs in the Flash player.
Attackers abusing the security holes would be able to take over a computer to steal useful data or spy on the machine’s owner.
The update urges people to apply the patch as soon as possible because many of the problems are rated as critical – the highest level.
Tomi Engdahl says:
Danny Palmer / ZDNet:
Verisign: The number of DDoS attacks increased 85% in Q4 2015, compared to Q4 a year ago
DDoS attacks: Getting bigger and more dangerous all the time
Number of recorded DDoS attacks has almost doubled in a year, warns report.
http://www.zdnet.com/article/ddos-attacks-getting-bigger-and-more-dangerous-all-the-time/
Distributed Denial of Service (DDoS) attacks are more frequent, bigger and more damaging than ever before, a new report by internet security firm Verisign has warned.
According to statistics published in the VeriSign Distributed Denial of Service Trends Report, DDoS activity is the highest it’s ever been, with the final quarter of 2015 seeing an 85 percent rise in instances – almost double the number of attacks – when compared with the same period in 2014. The figures for Q4 2015 also represent a 15 percent rise on the previous quarter.
The report also suggests that cyber attackers are getting much more persistent as targets are now being hit by repeated attacks, with some reportedly being the target of DDoS attacks up to 16 times in just three months.
If an increase in attacks isn’t worrying enough for potential targets, the size and the amount of damage DDoS attacks can do is also on the rise. The fastest flood attack detected by Verisign occurred during the final quarter of 2015, targeting a company in the telecommunications industry by sending 125 million packets per second (Mpps), and driving a volumetric DDoS attack of 65 gigabits per second (Gbps).
While that particular attack was made against a company in the telecommunications sector, Verisign has warned that organisations in all industries are potentially at risk from “indiscriminate” DDoS attacks.
Indeed, companies which provide IT, cloud, and software services are currently the most targeted, with 32 percent of DDoS attacks made against this sector. However, the number of DDoS incidents against media and entertainment providers wasn’t far behind, with 30 percent of attacks made against organisations in this industry.
Attacks against the financial sector made up 15 percent of incidents, the public sector accounted for 10 percent, and while the biggest DDoS event was recorded against the telecommunications industry, this sector accounted for only 8 percent of DDoS attacks.
In terms of preventing attacks, Verisign recommends organisations “consider augmenting your existing DNS capacity with a cloud-based hosted DNS or managed DNS service”.
Tomi Engdahl says:
French minister: Tech companies blocking access to Paris attackers’ phones
http://edition.cnn.com/2016/03/11/politics/apple-paris-terror-attacks-san-bernardino/
French authorities still have not been able to break encryption on the cell phones of the Paris attackers because tech companies won’t cooperate, French Interior Minister Bernard Cazeneuve told CNN.
The U.S. has been pressuring Apple to allow access to a phone connected to the San Bernardino, California, terror attack, and France, too, is accusing Apple and other corporations of making it harder to prevent terror attacks by resisting breaking encryption on the electronic devices of known and suspected terrorists.
Back door could provide clues
Unlocking the two phones found at Stade de France, one of the targets of the deadly rampage on November 13 in the French capital, could help investigators unveil any contacts the attackers had with other ISIS sympathizers and provide clues to how the attacks were planned and carried out.
French authorities have not reached out to Apple to request access to the Paris attackers’ cellphones, an industry executive told CNN.
Like a “Swiss bank account in their pocket”
Obama also spoke to the issue of technology companies and encryption at the SXSW conference in Austin, Texas, Friday.
“The question we now have to ask is, if technologically it is possible to make an impenetrable device or system where the encryption is so strong that there’s no key, there’s no door at all, then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot?” he asked.
“If in fact you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket,” he said.
Highlighting the central role of online communications to ISIS recruiting and operations, Cazeneuve said later at a speech at George Washington University, “Most of the new jihadists who have travelled or are seeking to travel to Syria or Iraq were radicalized online.”
Tomi Engdahl says:
The new Java malware is platform independent
Kaspersky Lab researchers have discovered a trojan that comes from Brazil. What is new is that the malware is based on Java’s JAR archive format, which can operate on Windows, Linux and Mac computers and, in certain circumstances, even on mobile devices.
The Trojan is called Banloader.
According to Kaspersky Lab, the phishing software itself is still Windows-based. But since the loader is platform independent, it is clear that cyber criminals are moving towards malware that operates on all platforms.
Source: http://etn.fi/index.php?option=com_content&view=article&id=4114:uusi-java-haitta-on-alustariippumaton&catid=13&Itemid=101
Tomi Engdahl says:
Husain Sumra / MacRumors:
Last Week Tonight’s John Oliver weighs in on Apple’s legal battle with the FBI, explains the importance of encryption
John Oliver Creates Apple Encryption Ad in ‘Last Week Tonight’ Segment on FBI Backdoor Request
http://www.macrumors.com/2016/03/14/john-liver-last-week-tonight-apple-encryption/
Oliver starts the segment by explaining what encryption is, what it protects and how it can be hacked before diving into the debate between Apple and the FBI, which centers around San Bernardino shooter Syed Farook’s iPhone. The segment first lays out the case for law enforcement, touching on Republican Presidential candidate Donald Trump’s proposed Apple boycott, before spending a significant amount of time explaining why creating a backdoor for the government would be a bad idea.
Tomi Engdahl says:
Frederic Lardinois / TechCrunch:
Google adds support for Microsoft Office, Facebook at Work, Slack and others to its single sign-on solution
Google adds support for Microsoft Office, Facebook at Work, Slack and others to its single sign-on solution
http://techcrunch.com/2016/03/14/google-adds-support-for-microsoft-office-facebook-at-work-slack-and-others-to-its-single-sign-on-solution/
Google doesn’t just offer its own web-based productivity apps, but it also offers a service for business users who want to use Google as an identity provider for accessing other online services using the widely used SAML standard.
Today, Google is adding a few new options to this program, which now includes a number of Google competitors. Among the 14 new pre-configured options are the likes of Microsoft Office 365, Facebook at Work, New Relic, Concur, Box, Tableau, HipChat and Slack.
Tomi Engdahl says:
Prime Numbers are Stranger than You Thought
http://hackaday.com/2016/03/14/prime-numbers-are-stranger-than-you-thought/
If you’ve spent any time around prime numbers, you know they’re a pretty odd bunch. (Get it?) But it turns out that they’re even stranger than we knew — until recently. According to this very readable writeup of brand-new research by [Kannan Soundararajan] and [Robert Lemkein], the final digits of prime numbers repel each other.
For instance, if your prime ends in 3, it’s more likely that the next prime will end in 9 than in 1 or 7. Whoah!
Even spookier? The finding holds up in many different bases. It was actually first noticed in base-three
Mathematicians Discover Prime Conspiracy
https://www.quantamagazine.org/20160313-mathematicians-discover-prime-conspiracy/
A previously unnoticed property of prime numbers seems to violate a longstanding assumption about how they behave
Two mathematicians have uncovered a simple, previously unnoticed property of prime numbers — those numbers that are divisible only by 1 and themselves. Prime numbers, it seems, have decided preferences about the final digits of the primes that immediately follow them.
Among the first billion prime numbers, for instance, a prime ending in 9 is almost 65 percent more likely to be followed by a prime ending in 1 than another prime ending in 9.
“We’ve been studying primes for a long time, and no one spotted this before,” said Andrew Granville, a number theorist at the University of Montreal and University College London. “It’s crazy.”
The discovery is the exact opposite of what most mathematicians would have predicted
This conspiracy among prime numbers seems, at first glance, to violate a longstanding assumption in number theory: that prime numbers behave much like random numbers.
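The final-digit bias described above can be checked directly; this is an added example (not code from the Hackaday or Quanta articles) that sieves the primes below a bound, counts how often a prime ending in one digit is followed by a prime ending in another, and reports the share of successors for each final digit. The bound is a parameter; the articles’ figures are for the first billion primes, and the bias is even stronger at small bounds.

```python
"""
Added example (not from the Hackaday or Quanta articles): count how often a
prime ending in one digit is immediately followed by a prime ending in
another, over all primes below a chosen bound, to see the "repulsion"
between equal final digits that the articles describe.
"""
from collections import Counter


def primes_below(n: int) -> list:
    """Sieve of Eratosthenes: all primes p with p < n."""
    if n < 3:
        return []
    sieve = bytearray([1]) * n
    sieve[0] = sieve[1] = 0
    for p in range(2, int(n ** 0.5) + 1):
        if sieve[p]:
            sieve[p * p::p] = bytearray(len(range(p * p, n, p)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


def last_digit_transitions(bound: int) -> Counter:
    """Count (last digit of p, last digit of the next prime) pairs over
    consecutive primes p > 10 below `bound`.  Primes above 10 can only end
    in 1, 3, 7 or 9, so there are 16 possible pairs."""
    ps = [p for p in primes_below(bound) if p > 10]
    return Counter(zip((p % 10 for p in ps), (q % 10 for q in ps[1:])))


def successor_shares(bound: int) -> dict:
    """For each final digit d, the fraction of primes ending in d whose
    successor ends in each digit e.  If final digits behaved like random
    draws every share would be about 0.25; the same-digit share (d, d)
    comes out noticeably lower, which is the observation in the articles."""
    counts = last_digit_transitions(bound)
    shares = {}
    for d in (1, 3, 7, 9):
        total = sum(counts[(d, e)] for e in (1, 3, 7, 9))
        shares[d] = {e: counts[(d, e)] / total for e in (1, 3, 7, 9)}
    return shares


if __name__ == "__main__":
    for d, row in successor_shares(1_000_000).items():
        print(d, {e: round(share, 3) for e, share in row.items()})
```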
Tomi Engdahl says:
Jason Del Rey / Re/code:
Amazon files patent for a process allowing users to authenticate by performing an action or gesture while taking a selfie
Amazon Wants the Patent for Pay-By-Selfie
http://recode.net/2016/03/14/amazon-wants-the-patent-for-pay-by-selfie/
First, Amazon patented one-click buying. Now it wants a patent for pay-by-selfie.
The Seattle-based e-commerce company recently filed a patent application for a process that would allow shoppers to make a purchase by taking a photo and/or video of themselves rather than keying in their account password. The application is related to a separate patent Amazon holds for a technology that allows a device to authenticate a user via a photo or video, but not necessarily to complete a transaction.
The current application aims to make it safer for shoppers to buy something online by relying on images of themselves instead of a password, which can be hard to remember and dangerous when stolen, and also apparently something that can come between friends.
Tomi Engdahl says:
Jack Nicas / Wall Street Journal:
Experts estimate fewer than 10% of the world’s 1.4B Android phones are encrypted, compared with 95% of iPhones
Google Faces Challenges in Encrypting Android Phones
Some handset makers have resisted over concerns encryption would slow performance of less expensive models
http://www.wsj.com/news/article_email/google-faces-challenges-in-encrypting-android-phones-1457999906-lMyQjAxMTE2MDE3NjUxMDYzWj
Tomi Engdahl says:
Russell Brandom / The Verge:
Google says 75% of web requests to its non-YouTube sites are now encrypted, up from about 50% two years ago — Google is giving itself an encryption report card — Today, Google added a new section to its transparency report, giving users a running tally of how many Google requests use HTTPS encryption.
Google is giving itself an encryption report card
http://www.theverge.com/2016/3/15/11233498/google-ssl-encryption-transparency-report
Today, Google added a new section to its transparency report, giving users a running tally of how many Google requests use HTTPS encryption. Groups like EFF have long pushed for wider usage of HTTPS, but implementation can be demanding, particularly for services as complex as Google’s. “Our aim with this project is to hold ourselves accountable and encourage others to encrypt so we can make the web even safer for everyone,” Google said in an accompanying statement.
Roughly three-quarters of requests from Google products use SSL. Products like Gmail, and Drive require SSL protection for security reasons, but it’s less important for casual products like Maps or News.
Tomi Engdahl says:
Unlocking Encryption:
Information Security and the Rule of Law
http://www2.itif.org/2016-unlocking-encryption-exec-summary.pdf
The widespread adoption of encryption among consumers and businesses has created one of the most difficult policy dilemmas of the digital age. Simply put, advances in encryption have vastly improved information security for consumers and businesses but also made it harder for law enforcement and national security officials to prevent and investigate crimes and terrorism.
The Debate Over Encryption
The debate over encryption has gained more attention recently as some law enforcement agencies have complained about their lack of access to data. These complaints have been spurred by decisions that some mobile and cloud-based service providers have made to upgrade their security controls so that their customers can retain the keys used to encrypt their data, thereby locking out third parties, including law enforcement. However, these complaints are not new.
Impact of Limiting Encryption
Any decisions to weaken or limit encryption will have harmful effects on the overall digital economy, including making digital systems more vulnerable; increasing costs for consumers (as risks increase and companies pass on greater operational expenses); decreasing competitiveness of U.S. businesses seeking international market share; and diminishing U.S. leadership in setting policies to improve cybersecurity.
Tomi Engdahl says:
Sean Gallagher / Ars Technica:
FOIA request shows NSA refused to give Hillary Clinton a modified BlackBerry like Obama’s, so she used her own even though her staff knew the security risks — NSA refused Clinton a secure BlackBerry like Obama, so she used her own — Condoleezza Rice had one, but NSA balked at bulk support State wanted, docs show.
NSA refused Clinton a secure BlackBerry like Obama, so she used her own
Condoleezza Rice had one, but NSA balked at bulk support State wanted, docs show.
http://arstechnica.com/information-technology/2016/03/nsa-refused-clinton-a-secure-blackberry-like-obama-so-she-used-her-own/
Judicial Watch, the conservative political action group that has largely driven the investigation into former Secretary of State Hillary Clinton’s e-mails, has obtained documents through a Freedom of Information Act request indicating that Clinton tried and failed to get the National Security Agency to give her the same secure BlackBerry that President Obama used. Donald Reid, the State Department’s coordinator for security infrastructure, reported in a 2009 e-mail, “Each time we asked the question ‘What was the solution for POTUS,’ we were politely asked to shut up and color.”
So Reid was tasked with trying to find a “BlackBerry-like” solution that would allow Clinton to be able to check her e-mail while in the secure office suite. The problem was that the solution supported by the NSA—its SME PED (Secure Mobile Environment Portable Electronic Device)—was hardly BlackBerry-like. SME PED devices are based on a secure version of Windows CE, and they’re only rated up to “Secret” classification.
Tomi Engdahl says:
Zack Whittaker / ZDNet:
Source: US government has demanded source code from tech firms through FISA orders and in civil cases filed under seal, with companies losing “most of the time”
US government pushed tech firms to hand over source code
http://www.zdnet.com/article/us-government-pushed-tech-firms-to-hand-over-source-code/
Obtaining a company’s source code makes it radically easier to find security flaws and vulnerabilities for surveillance and intelligence-gathering operations.
The US government has made numerous attempts to obtain source code from tech companies in an effort to find security flaws that could be used for surveillance or investigations.
The government has demanded source code in civil cases filed under seal but also by seeking clandestine rulings authorized under the secretive Foreign Intelligence Surveillance Act (FISA)
With these hearings held in secret and away from the public gaze, the person said that the tech companies hit by these demands are losing “most of the time.”
In a recent filing against Apple, the government cited a 2013 case where it won a court order demanding that Lavabit, an encrypted email provider said to have been used by whistleblower Edward Snowden, must turn over its source code and private keys.
Asked whether the Justice Dept. would demand source code in the future, the spokesperson declined to comment.
It’s not uncommon for tech companies to refer to their source code as the “crown jewel” of their business. The highly sensitive code can reveal future products and services. Source code can also be used to find security vulnerabilities and weaknesses that government agencies could use to conduct surveillance or collect evidence as part of ongoing investigations.
Given to a rival or an unauthorized source, the damage can be incalculable.
IBM referred to a 2014 statement saying that the company does not provide “software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.” A spokesperson confirmed that the statement is still valid, but did not comment further on whether source code had been handed over to a government agency for any other reason.
Microsoft, Juniper Networks, and Seagate declined to comment.
“Apple has also not provided any government with its proprietary iOS source code,” wrote Federighi.
But even senior tech executives may not know if their source code or proprietary technology had been turned over to the government, particularly if the order came from the Foreign Intelligence Surveillance Court (FISC).
The secretive Washington DC-based court, created in 1979 to oversee the government’s surveillance warrants, has authorized more than 99 percent of all surveillance requests.
Tomi Engdahl says:
Andy Greenberg / Wired:
FBI, Department of Transportation, and National Highway Traffic Safety Administration warn drivers about threat of over-the-internet attacks on cars — The FBI Warns That Car Hacking Is a Real Risk — It’s been eight months since a pair of security researchers proved beyond any doubt …
The FBI Warns That Car Hacking Is a Real Risk
http://www.wired.com/2016/03/fbi-warns-car-hacking-real-risk/
It’s been eight months since a pair of security researchers proved beyond any doubt that car hacking is more than an action movie plot device when they remotely killed the transmission of a 2014 Jeep Cherokee as I drove it down a St. Louis highway. Now the FBI has caught up with that news, and it’s warning Americans to take the risk of vehicular cybersabotage seriously.
In a public service announcement issued together with the Department of Transportation and the National Highway Traffic Safety Administration, the FBI on Thursday released a warning to drivers about the threat of over-the-internet attacks on cars and trucks. The announcement doesn’t reveal any sign that the agencies have learned about incidents of car hacking that weren’t already public. But it cites all of last year’s car hacking research to offer a list of tips about how to keep vehicles secure from hackers and recommendations about what to do if you believe your car has been hacked—including a request to notify the FBI.
“Modern motor vehicles often include new connected vehicle technologies that aim to provide benefits such as added safety features, improved fuel economy, and greater overall convenience,” the PSA reads. “Aftermarket devices are also providing consumers with new features to monitor the status of their vehicles. However, with this increased connectivity, it is important that consumers and manufacturers maintain awareness of potential cyber security threats.”
Tomi Engdahl says:
Phishing continues to pose a growing threat to the security of industries of every kind — from financial organizations to government contractors to healthcare firms. Today’s savvy phisher manages to evade even the most significant safeguards through carefully planned, socially engineered email phishing attacks.
In fact, according to Verizon’s Data Breach Investigations Reports, 95% of all espionage attacks and nearly 80% of all malware attacks involve phishing. And people — your internal users — are the largest and most vulnerable point of entry.
Source: https://webinar.darkreading.com/1594?keycode=DRWE04
Tomi Engdahl says:
Security is a top concern when transitioning your company – and most important applications – to the cloud. Protecting your business from internal threats, external attacks, and data loss is important to everyone on the team, regardless of level or role. Most organizations face two primary challenges when trying to achieve cloud security:
1. Putting together the pieces of the security puzzle
2. Making sure you can do #1 accurately and efficiently.
Improve your threat visibility
Reach your security goals
Think like an attacker
Source: https://webinar.darkreading.com/1840?keycode=DRWE02
Tomi Engdahl says:
Jonathan Zdziarski / Zdziarski’s Blog of Things:
Why the FBI’s alternative method to unlock iPhone may involve NAND mirroring by an external forensics firm to enable brute force guessing of shooter’s PIN
My Take on FBI’s “Alternative” Method
http://www.zdziarski.com/blog/?p=5966
FBI acknowledged today that there “appears” to be an alternative way into Farook’s iPhone 5c – something that experts have been shouting for weeks now; in fact, we’ve been saying there are several viable methods. Before I get into which method I think is being used here, here are some possibilities of other viable methods
Most of the tech experts I’ve heard from believe the same as I do – that NAND mirroring is likely being used to some degree to brute force the PIN on the device. This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a CD burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip. This technique is kind of like cheating at Super Mario Bros. with a save-game, allowing you to play the same level over and over after you keep dying
One other possibility exists along the same lines. Some firms have developed hardware-invasive techniques that worked on older iOS 8 devices
Using a NAND copying / mirroring technique, this barrier could be overcome in iOS 9, allowing the device to write and verify the attempt, but have that change later blown away by restoring an original copy of the chip.
All of this paints a pretty clear picture: the leading theory at present, based on all of this, is that an external forensics company, with hardware capabilities, is likely copying the NAND storage off the chip and frequently re-copying all or part of the chip’s contents back to the device in order to brute force the PIN
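The "save-game" idea above is worth seeing as code. The following is an added example, not code from the blog post or from any forensics firm: a toy device keeps a failed-attempt counter on a dumpable, rewritable flash image and wipes itself after ten wrong guesses; the attacker dumps the image once and re-flashes it every nine guesses so the counter never reaches the threshold. A second variant keeps the counter (and the wipe decision) in state the chip programmer cannot reach, which is why mirroring stops working once the try counter is no longer just bytes on the NAND. The 4-digit PIN, the 10-try policy, the byte layout of the image and the two device models are all assumptions chosen for illustration, not the layout of any real phone.

```python
"""Toy model of a NAND-mirroring brute force. Added example; the PIN length,
wipe policy, image layout and device models are assumptions for illustration."""
import hashlib

WIPE_AFTER = 10            # assumed policy: erase after ten wrong guesses
COUNTER_OFFSET = 0         # assumed layout: the attempt counter is byte 0 of the image
HASH_SLICE = slice(1, 33)  # assumed layout: salted PIN hash lives in bytes 1..32


class FlashDevice:
    """Device whose only record of failed attempts is a byte on the NAND itself."""

    def __init__(self, pin: str, salt: bytes):
        self.salt = salt
        self.nand = bytearray(64)
        self.nand[COUNTER_OFFSET] = 0
        self.nand[HASH_SLICE] = hashlib.sha256(salt + pin.encode()).digest()
        self.wiped = False

    def _matches(self, guess: str) -> bool:
        return hashlib.sha256(self.salt + guess.encode()).digest() == bytes(self.nand[HASH_SLICE])

    def _wipe(self) -> None:
        self.wiped = True
        self.nand[:] = bytes(len(self.nand))

    def try_pin(self, guess: str) -> bool:
        if self.wiped:
            return False
        if self._matches(guess):
            self.nand[COUNTER_OFFSET] = 0
            return True
        self.nand[COUNTER_OFFSET] += 1
        if self.nand[COUNTER_OFFSET] >= WIPE_AFTER:
            self._wipe()
        return False

    # What a chip reader/programmer gives the attacker: a full dump, and the
    # ability to write any image back to the chip.
    def dump(self) -> bytes:
        return bytes(self.nand)

    def restore(self, image: bytes) -> None:
        self.nand[:] = image
        self.wiped = False  # nothing outside the NAND remembers that a wipe happened


class EnclaveDevice(FlashDevice):
    """Same device, but the counter and the wipe decision live in state the
    programmer cannot dump or rewrite (modelled here as plain attributes)."""

    def __init__(self, pin: str, salt: bytes):
        super().__init__(pin, salt)
        self.secure_counter = 0

    def try_pin(self, guess: str) -> bool:
        if self.wiped:
            return False
        if self._matches(guess):
            self.secure_counter = 0
            return True
        self.secure_counter += 1
        if self.secure_counter >= WIPE_AFTER:
            self._wipe()
        return False

    def restore(self, image: bytes) -> None:
        self.nand[:] = image  # the image comes back; the counter and wipe state do not


def nand_mirror_bruteforce(device: FlashDevice, digits: int = 4):
    """Guess every PIN in order, re-flashing the saved image before the counter
    would reach WIPE_AFTER. Returns (pin or None, number of guesses made)."""
    image = device.dump()
    guesses = 0
    for n in range(10 ** digits):
        # "Save game": rewind the chip before the guess that would trigger the wipe.
        if guesses and guesses % (WIPE_AFTER - 1) == 0:
            device.restore(image)
        guesses += 1
        guess = f"{n:0{digits}d}"
        if device.try_pin(guess):
            return guess, guesses
        if device.wiped:
            return None, guesses  # the restore did not bring the counter back
    return None, guesses
```

Against `FlashDevice` the loop walks all 10,000 PINs without ever tripping the wipe; against `EnclaveDevice` the tenth wrong guess wipes the device even though the NAND image was just restored, because the state that matters was never on the chip being mirrored.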
Tomi Engdahl says:
Andy Greenberg / Wired:
Researchers find 24 cars from 19 manufacturers vulnerable to radio amplification attack that extends range of key fobs to open cars, start ignitions
Radio Attack Lets Hackers Steal 24 Different Car Models
http://www.wired.com/2016/03/study-finds-24-car-models-open-unlocking-ignition-hack/
For years, car owners with keyless entry systems have reported thieves approaching their vehicles with mysterious devices and effortlessly opening them in seconds. After having his Prius burgled repeatedly outside his Los Angeles home, the New York Times‘ former tech columnist Nick Bilton came to the conclusion that the thieves must be amplifying the signal from the key fob in the house to trick his car’s keyless entry system into thinking the key was in the thieves’ hand. He eventually resorted to keeping his keys in the freezer.
Now a group of German vehicle security researchers has released new findings about the extent of that wireless key hack, and their work ought to convince hundreds of thousands of drivers to keep their car keys next to their Pudding Pops.
“This clear vulnerability in [wireless] keys facilitates the work of thieves immensely,” reads a post in German about the researchers’ findings on the ADAC website. “The radio connection between keys and car can easily be extended over several hundred meters, regardless of whether the original key is, for example, at home or in the pocket of the owner.”
That car key hack is far from new: Swiss researchers published a paper detailing a similar amplification attack as early as 2011.
list of vulnerable vehicles from their findings, which focused on European models:
The ADAC researchers pulled off the attack by building a pair of radio devices; one is meant to be held a few feet from the victim’s car, while the other is placed near the victim’s key fob.
The full attack uses only a few cheap chips, batteries, a radio transmitter, and an antenna, the ADAC researchers say
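To make the relay concrete, here is an added example, not code from the article or the ADAC study: a toy challenge-response handshake between car and fob (HMAC over a random nonce, which is what makes the response unforgeable), a relay channel modelled as two attacker radios joined by a link, and a round-trip-time bound of the kind the 2011 Swiss work proposed. The relay passes the cryptographic check unchanged, because it only moves bytes; it fails only when the car also refuses answers that arrive later than a fob two metres away could have produced them. The distances, the fixed fob processing time, the radio delays and the 2 m acceptance radius are assumed values for illustration.

```python
"""Toy model of a keyless-entry relay attack and a round-trip-time bound.
Added example; all distances, delays and the acceptance radius are assumptions."""
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.3           # radio propagation speed, metres per nanosecond
FOB_PROCESSING_NS = 100.0  # assumed fixed time the fob needs to compute its answer
MAX_FOB_DISTANCE_M = 2.0   # assumed: a legitimate fob is within 2 m of the car
MAX_RTT_NS = 2 * MAX_FOB_DISTANCE_M / C_M_PER_NS + FOB_PROCESSING_NS  # about 113 ns


class Fob:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class DirectChannel:
    """Fob is physically `distance_m` from the car; no attacker in the path."""

    def __init__(self, fob: Fob, distance_m: float):
        self.fob, self.distance_m = fob, distance_m

    def exchange(self, challenge: bytes):
        rtt_ns = 2 * self.distance_m / C_M_PER_NS + FOB_PROCESSING_NS
        return self.fob.respond(challenge), rtt_ns


class RelayChannel:
    """Two attacker radios: one a few feet from the car, one near the fob
    (e.g. at the owner's front door), joined by a link of `link_m` metres.
    Each radio adds `radio_delay_ns`; the bytes themselves are untouched."""

    def __init__(self, fob: Fob, car_to_radio_m: float, link_m: float,
                 radio_to_fob_m: float, radio_delay_ns: float):
        self.fob = fob
        self.path_m = car_to_radio_m + link_m + radio_to_fob_m
        self.radio_delay_ns = radio_delay_ns

    def exchange(self, challenge: bytes):
        one_way_ns = self.path_m / C_M_PER_NS + 2 * self.radio_delay_ns
        rtt_ns = 2 * one_way_ns + FOB_PROCESSING_NS
        return self.fob.respond(challenge), rtt_ns


class Car:
    def __init__(self, key: bytes, enforce_rtt: bool = False):
        self.key, self.enforce_rtt = key, enforce_rtt

    def unlock(self, channel) -> bool:
        challenge = secrets.token_bytes(16)
        response, rtt_ns = channel.exchange(challenge)
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False          # forged or replayed answer
        if self.enforce_rtt and rtt_ns > MAX_RTT_NS:
            return False          # valid answer, but it could not have come from 2 m away
        return True


def demo() -> dict:
    """Run the four combinations and report which ones open the car."""
    key = b"\x11" * 16  # constructed shared key, not a real fob secret
    fob = Fob(key)
    direct = DirectChannel(fob, distance_m=1.0)
    relayed = RelayChannel(fob, car_to_radio_m=2.0, link_m=100.0,
                           radio_to_fob_m=3.0, radio_delay_ns=20.0)
    naive, bounded = Car(key), Car(key, enforce_rtt=True)
    return {
        "naive_direct": naive.unlock(direct),
        "naive_relayed": naive.unlock(relayed),
        "bounded_direct": bounded.unlock(direct),
        "bounded_relayed": bounded.unlock(relayed),
    }
```

The caveat a practitioner should keep in mind: in the model the fob's processing time is a constant, so a 100 m detour (roughly 700 ns of extra round trip here) is easy to spot against a 113 ns budget. Real fobs have processing jitter far larger than a few nanoseconds of propagation, which is why tight distance bounding is hard to deploy and why the amplification attack kept working for years after it was published.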
Tomi Engdahl says:
Hackers giving up on crypto ransomware. Now they just lock up device, hope you pay
Talks TOR, abuses kidnapped machines but doesn’t encrypt
http://www.theregister.co.uk/2016/03/22/encryption_ransomware_going_out_fashion/
Malware slingers have gone back to basics with the release of a new strain of ransomware malware that locks up compromised devices without encrypting files.
The infection was discovered on a porn site that redirects users to an exploit kit that pushes the ransom locker malware.
Researchers at Cyphort Labs who discovered the threat said it was the first of its kind that they had seen in some time.
The success of file-encrypting ransomware such as CryptoLocker, CryptoWall, and Locky has rendered earlier system locker malware unfashionable if not obsolete. Ransom lockers can normally be cleaned by using “rescue discs”, unlike file-scrambling malware strains.