Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Canonical preps security lifeboat, yells: Ubuntu 12.04 hold-outs, get in
Window XP moment for penguins
https://www.theregister.co.uk/2017/03/15/ubuntu_12_04_extended_security_maintenance/
Canonical is extending the deadline for security updates for paying users of its five-year-old Ubuntu 12.04 LTS – a first.
Ubuntu 12.04 LTS will become the first Long Term Support release of Canonical’s Linux to get Extended Security Maintenance (ESM). There are six LTS editions.
All others have been end-of-lifed – and given no security reprieve.
LTS editions of Ubuntu Linux are released every two years. Desktop support runs for three years and the server edition receives security patches and updates for a period of five years. LTS editions also set the theme – the look and feel, the UI tweaks and the big features – for the intervening, non-LTS editions of Ubuntu.
Security updates for 12.04 were scheduled to run out on April 28, 2017 but that now won’t happen for those on Canonical’s Ubuntu Advantage programme.
Tomi Engdahl says:
Facebook’s Creepiest Search Tool Is Back Thanks to This Site
Do you know how much of your information is out there?
https://motherboard.vice.com/en_us/article/facebooks-creepiest-search-tool-is-back-thanks-to-this-site
Facebook is a powerful platform, and maybe more so than you realize. If you really understand the quirks of its search function, for example, you can snoop for all photos posted by single females that a particular friend has liked. Creepy, right?
When Facebook launched a feature called Graph Search in 2013 that allowed users to easily do just this, a lot of people thought so, too.
Stalkscan, which launched today, is meant to highlight how much information Facebook users post about themselves, perhaps without thinking about the privacy implications, De Ceukelaire told me over email.
“Graph Search and its privacy issues aren’t new, but I felt like it never really reached the man on the street,” De Ceukelaire wrote. “With my actions and user-friendly tools I want to target the non-tech-savvy people because most of them don’t have a clue what they are sharing with the public.”
Because Graph Search is only available in English on Facebook, the feature wasn’t known to many in De Ceukelaire’s native Belgium until his tool drew attention to it
This creepy Facebook tool is revealing a LOT about you [updated]
https://thenextweb.com/facebook/2017/02/15/creepy-facebook-tool-reminds-us-graph-search-terrible-idea/#.tnw_9EZysT1V#.tnw_YAwxMncJ#.tnw_0XGeeyOs#.tnw_Gnokus88
If we knew how much data we willingly handed out each day, would it matter? If ignorance truly is bliss, as they say, we’re a society of happy internet users that are blissed out of our goddamn minds.
A new tool called Stalkscan gives users a peek at just how sweet ignorance can be.
Tomi Engdahl says:
This creepy Facebook tool is revealing a LOT about you [updated]
https://thenextweb.com/facebook/2017/02/15/creepy-facebook-tool-reminds-us-graph-search-terrible-idea/#.tnw_9EZysT1V#.tnw_YAwxMncJ#.tnw_0XGeeyOs#.tnw_Gnokus88
If we knew how much data we willingly handed out each day, would it matter? If ignorance truly is bliss, as they say, we’re a society of happy internet users that are blissed out of our goddamn minds.
A new tool called Stalkscan gives users a peek at just how sweet ignorance can be.
https://stalkscan.com/
Tomi Engdahl says:
Hack Brief: High-Profile Twitter Accounts Overrun With Swastikas
https://www.wired.com/2017/03/hack-brief-high-profile-twitter-accounts-overrun-swastikas/
Last night, a swath of Twitter accounts with large followings—including Duke University, BBC North America, Forbes, and Amnesty International—tweeted out the same message, in Turkish, that included a swastika and hashtags that translate to “Nazi Germany, Nazi Holland.”
The hacked accounts, which apparently stem from increasing vitriol between Turkey and Holland, appear to have all been restored. They’re an unfortunate reminder, though, any Twitter account is only as safe as the apps you let access it.
Tomi Engdahl says:
Google introduces Family Link, its own parental control software for Android
https://techcrunch.com/2017/03/15/google-introduces-family-link-its-own-parental-control-software-for-android/
Google has just one-upped Apple on mobile in a significant way: today the company today announced the launch of Family Link, an application for parents that lets them establish a child’s first Google account, as well as utilize a series of parental controls to manage and track screen time, daily limits, device “bedtimes,” and which apps kids can use.
While all the major mobile device providers – Apple, Google, and Amazon included – offer parental controls on their devices – Family Link is different because it’s a two-party system.
For the system to work, Family Link requires that both parent and child use Android. The parent will first download the Family Link mobile app to their own device, running Android KitKat (4.4) or higher. An iOS version is not yet available, says Google.
From this app, parents will set up the child’s Google account. It’s designed to be used for those children under the age of 13, Google notes.
Then, on the kid’s device, the child signs in using these new credentials. The child’s phone or tablet must be running either Android Nougat (7.0), or a supported device running Marshmallow (6.1).
Once signed in, the child’s phone usage is tracked and logged, so parents can see how much time kids spend in various apps, via weekly and monthly activity reports. From the parent’s app, moms and dads can set a number of rules for their kids, including how long kids are allowed to be on their mobile devices every day, at what time the devices can no longer be used that day (through a remote locking feature), and which apps can be installed.
Parents can approve or block apps the child wants to download from the Google Play Store, much like how Apple’s iCloud Family Sharing’s “Ask” feature works today.
“[Family Link] can’t make the apps or services on their phone that were designed for adults kid-safe; it’s up to parents to choose what’s right for their kid.”
Family Link
https://families.google.com/familylink/
With the Family Link app from Google, you can stay in the loop as your kid explores on their Android* device. Family Link lets you create a Google Account for your kid that’s like your account, while also helping you set certain digital ground rules that work for your family — like managing the apps your kid can use, keeping an eye on screen time, and setting a bedtime on your kid’s device.
Tomi Engdahl says:
Facial recognition Facebook app hoax terrifies the internet
http://www.telegraph.co.uk/technology/2017/03/14/creepy-facial-recognition-app-users-find-strangers-facebook/
A fake facial recognition app that claimed to be able to identify strangers from a photograph has turned out to be a publicity stunt.
Facezam claimed it could identify people by matching a photo of them with their Facebook profile. It was claimed that all users had to do is take a picture of someone on the street and run it through the app, which will tell them who it thinks the person in the photo is.
After the hoax was revealed to be the work of a viral marketing agency, Facebook said such an app violated its privacy policies.
Facezam is a hoax
http://facezam.com/
Tomi Engdahl says:
WhatsApp, Telegram Patch Account Hijacking Vulnerability
http://www.securityweek.com/whatsapp-telegram-patch-account-hijacking-vulnerability
A vulnerability found in the web versions of WhatsApp and Telegram could have been exploited to hijack accounts by sending the targeted user a malicious HTML file disguised as an image or a video.
The flaw was discovered by researchers at Check Point earlier this month and it was quickly patched by both Telegram and WhatsApp on the server side.
Tomi Engdahl says:
Cyber Risk, Cyber Threats, and Cyber Security: Synonyms or Oxymorons?
http://www.securityweek.com/cyber-risk-cyber-threats-and-cyber-security-synonyms-or-oxymorons
Cyber security and cyber threats are most often confused with cyber risk, and often used interchangeably, but they are worlds apart. What is the difference between these concepts and what really defines an organization’s cyber risk posture, internal security posture, and the exploitability of threats in the context of organizational risk?
Two conditions are required for a security incident to occur: a vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.
Typically, security professionals have no direct control over threats. As a result, organizations have tended to focus on known, more visible facts – vulnerabilities and control failures – while neglecting threats as a factor in cyber risk assessments. However, as the volume of vulnerabilities has exploded over the past few years, it has become almost impossible to remediate all of them without vetting the impact and likelihood that they will be exploited. The point is, why dedicate resources to fixing vulnerabilities that have no threat associated with them and are not even reachable?
Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process.
Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business.
Tomi Engdahl says:
Don’t Leave Security to Luck – 5 Security Controls to Implement in 2017
http://www.securityweek.com/dont-leave-security-luck-5-security-controls-implement-2017
Like burglars looking for the soft target in the neighborhood, such as the house without cameras or newspapers piled up indicating a family on vacation, cyber criminals are constantly probing for vulnerabilities.
If there are only five controls that a security organization can reasonably tackle this year, what should they be?
Harden credentials used to access sensitive information and beyond
Reduce the attack surface of credentials
Isolate – and monitor – the problem children
Concentrate encryption on the crown jewels – and everything else
Trust, but verify
Tomi Engdahl says:
Current issues in industrial cybersecurity
Ransomware is as loathsome as it sounds; programmable logic controllers (PLCs) seen as likely targets.
http://www.controleng.com/single-article/current-issues-in-industrial-cybersecurity/0b6e85d1bc4470214766f201aa816d5c.html
A meteoric rise in ransomware attacks in the past year is disturbing news for engineers in manufacturing and production environments. Ransomware, as you might imagine, is a kind of malicious software used by criminals to prevent access to a computing system until their demands are met.
Executing a ransomware attack doesn’t take programming skills per se, as kits for committing such attacks are readily available today in some the Internet’s darker corners, either for free or for a small fee.
The simulated attack highlights vulnerabilities in industrial control systems (ICS) found in manufacturing and production plants, the researchers said. Believed to be the first demonstration of a ransomware compromise of real PLCs, the research was presented this February at the RSA Conference in San Francisco.
Many ICSs lack strong security protocols. It’s therefore only a matter of time before critical industrial systems are compromised and held for ransom, as compromising the PLCs in these systems is a next logical step for these attackers, the Georgia Tech researchers said.
2016 industrial cybersecurity developers summarized
Other current and noteworthy cyberthreat developments mentioned in SonicWall’s recently released 2017 Annual Threat Report include the following:
Poorly designed IoT devices are being compromised for use in massively distributed denial-of-services attacks.
Secure sockets layer/transport layer security (SSL/TLS)-encrypted malware provides an uninspected backdoor into networks that cybercriminals can exploit. At the same time, SSL/TLS-encrypted traffic grew by 34%, partly in response to growing cloud application adoption.
Android devices saw increased security protections but remained vulnerable to overlay attacks.
On the other side of the ledger, the often-seen exploit kits Angler, Nuclear, and Neutrino disappeared in mid-2016. What’s more, unique malware samples collected fell to 60 million in 2016, compared with 63 million in 2015, a 6.25% decrease. Total attack attempts dropped for the first time in years, to 7.87 billion in 2016 from 8.19 billion in 2015.
Tomi Engdahl says:
Several Vulnerabilities Patched in Drupal 8
http://www.securityweek.com/several-vulnerabilities-patched-drupal-8
Several vulnerabilities have been patched in the Drupal content management system (CMS) with the release of version 8.2.7, including access bypass, cross-site request forgery (CSRF) and remote code execution flaws.
Tomi Engdahl says:
Defense-in-Depth has Failed Us. Now What?
http://www.securityweek.com/defense-depth-has-failed-us-now-what
Defense-in-depth. It’s a philosophy we’re all familiar with: layering defenses so that if one fails, another layer is there to stop the attack. Sounds like a great approach, and it has become standard practice for the vast majority. The problem is that, frankly, it has not worked. For years we have been bombarded with a slew of headlines about compromises and breaches. And the velocity is increasing. In spite of all its layers of protection, defense-in-depth has failed us.
There are various reasons why defense-in-depth has failed, stemming from the fact that each layer of defense has been a point product – a disparate technology that has its own intelligence and works within its own silo.
First, silos make it extremely difficult to share that intelligence – between tools or even teams – in any real way.
Second, management complexity grows exponentially as you add additional management consoles for an already stretched security team.
Third, these silos of technology just create an obstacle course for the attacker.
As companies layer new products and technologies, they now find themselves with 40+ security products and vendors in 40+ silos. And because these products aren’t integrated, each layer in the architecture creates its own logs and events, generating a massive amount of data and a massive management challenge. Where does all this data go? How can you keep up with this data overload? Recent ESG research finds that 42 percent of security professionals say their organization ignores a significant number of security alerts due to the volume and more than 30 percent say they ignore more than half! In most cases, it is the security operators within the Security Operations Center (SOC) that find themselves drowning in this data as they undertake the onerous task of manually correlating logs and events for investigations and other activities.
In search of a solution
In an attempt to overcome the data overload challenge, SIEMs emerged as a way to store all this data and aggregate and correlate logs and events. This has worked to an extent; however, even SIEMs have limitations – some technological and some economical. On the technology front, SIEMs can be complex and, with today’s volumes of data, can face scale challenges. On the economic front, it can be costly for a company to store everything in the SIEM and thus they pick and choose what to include and what to exclude.
In theory, applying threat feeds directly to the SIEM should work and provide some relief, but in reality this approach creates new and additional challenges for multiple reasons:
1. Lack of Context. SIEMs can only apply limited (if any) context to logs and events.
2. False Positives. Without context it is impossible to determine the “who, what, where, when, why and how” of an attack, in order to assess the relevance to your environment. As a result, SIEMs generate frequent false positives.
3. Questionable Relevance. Threat intelligence feeds only offer “global” risk scores based on the provider’s research and visibility, not within the context of their company’s specific environment.
4. No Prioritization. Prioritization based on company-specific parameters is imperative for faster decision making that improves security posture.
5. SIEM Architecture Limitations. As previously mentioned, SIEMs themselves are already overwhelmed by the vast volumes of logs and events defense-in-depth generates. Adding millions and millions of additional data does not scale in an affordable way.
By automatically applying context, relevance and prioritization to threat data prior to applying it to the SIEM, the SIEM becomes more efficient and effective. Customized threat intelligence scores based on parameters you set, coupled with context, allows for prioritization based on what’s relevant to your specific environment.
Tomi Engdahl says:
Security Teams Need to Understand How Developers Tools Work
http://www.securityweek.com/security-teams-need-understand-how-developers-tools-work
Understanding Development Work Practices Allows Security Teams to Speak to Developers Using Terms They Understand
Buckminster Fuller famously said that giving people a tool will shape the way they think. Similarly, when it comes to development teams, understanding how development tools work can provide a valuable window into the developers thought process. Security teams can use these insights to better advance their agendas and get vulnerabilities detected and fixed faster.
Security teams understand the risk associated with fielding vulnerable applications, but they need the support of the DevOps team to build secure applications and address identified security issues.
How Do Developers Track Their Workload?
Developers typically track their work load in defect tracking or change management systems such as Atlassian JIRA, Bugzilla, HPE Application Lifecycle Management (ALM) and IBM ClearCase.
A key difference between security and development teams is that security professionals care about vulnerabilities and developers care about bugs. The critical point for security teams to understand is that developers will likely not care about vulnerabilities until those vulnerabilities are being tracked in in their bug tracking system.
For security teams to make progress in addressing vulnerabilities, their first priority should involve getting the vulnerabilities they care about translated into defects or changing requests that the development team will track. This typically requires a conversation between security teams and a representative from the development team, but crossing this boundary helps to remove friction from the remediation process.
Where Do Developers Spend Most of Their Time?
Developers spend a tremendous amount of their time in their Integrated Development Environments (IDEs). This is where they write and test code and save code updates back to version tracking systems. Common IDEs include Microsoft Visual Studio, Jetbrains IntelliJ, and Eclipse. The objective for security teams is to get information about application security integrated into these environments to further reduce friction from the remediation process. If developers can track down the location of vulnerabilities in code and receive guidance on addressing these vulnerabilities without leaving their IDE, they can fix vulnerabilities faster.
How Do Developers Test Their Code?
A critical shift that occurs as development teams move to embrace Agile methodologies and DevOps practices is that toward automated testing.
A common unit testing toolset is the xUnit framework and a common tool for building functional and regression test suites for web applications is Selenium. Security representatives would do well to look at the sort of automated verification approaches that development teams are using and look for opportunities to extend those checks to involve security.
How Do Developers Automate and Orchestrate Common Processes?
There are several steps typically involved in a development team taking the latest results from their development, turning that into a new software build, and then determining if that build is of an acceptable level of quality to consider releasing. Development teams use automation servers to coordinate the continuous integration, deployment, and delivery processes with common examples such as Jenkins and Atlassian Bamboo.
integrating application security testing into CI/CD pipelines can be a huge win for security teams looking to decrease the number of vulnerabilities that get deployed to production.
What Metrics Do Developers Track and How Do They Track Them?
Many development team metrics – such as the time required to fix bugs – can be reported by the defect tracking systems. Some teams use additional tracking systems such as SonarQube to track code-level measurements like technical debt and defect density.
Tomi Engdahl says:
Planes, Trains, Automobiles, and Digital Transformation
http://www.securityweek.com/planes-trains-automobiles-and-digital-transformation
When most people think about technology innovation in the transportation sector, connected and self-driving cars immediately come to mind. But digital transformation is happening across other transportation industries as well.
A few notable trends are making digital transformation a priority for many transportation providers.
Commoditization. This phenomenon is nothing new.
Data is king.
Tapping into telematics. As the cost for telematics declines, more transportation providers are able to use telematics to gain greater insights into fleets of vehicles, aircraft, ships, and railcars.
Third-party interconnectivity. Planes, trains, automobiles – you name it – OEMs have always been part of the manufacturing supply chain. Now new partners are extending the supply chain as a data economy has emerged around the transportation sector. These partners buy, analyze, and sell data used to drive decision making related to sales, marketing, insurance, product development, and more.
To develop a strong security posture while capturing digital value, transportation providers need to ask themselves some important questions, including:
1. Where does security reside in my company? Security can’t be put into a silo and removed from the business decision making process.
2. Do we have the necessary visibility to understand and manage third-party risk?
3. Are we prioritizing our security investments appropriately? Threat modeling helps you understand the types of threats and level of exposure you face.
Digital transformation isn’t going to happen overnight, but the transportation sector is well on its way. Security must go hand-in-hand with important business decisions.
Tomi Engdahl says:
Open wide, Node.js! NodeSource will certify you now
Testing and ongoing checkups
https://www.theregister.co.uk/2017/03/17/nodesource_nodejs_certification/
NodeSource has offered to clean up Node.JS with a program certifying modules as “safe.”
The three-year-old company Thursday announced the release of NodeSource Certified Modules, which it promised would deliver “rigorous analysis” of 400,000 modules using a certification algorithm from proprietary code.
Certified Modules will evaluate packages in a registry and calculate a trust score. The company will monitor certified modules on an on-going, paid-for basis.
NodeSource chief executive Joe McCann in a statement said that Certified Modules would “take the pain” out of choosing Node modules, with certification showing which modules are safe, secure and reliable.
Bringing trust to third-party Node.js modules
https://nodesource.com/products/certified-modules
The secure, reliable way to take advantage of the massive ecosystem of packages available for Node.js users.
Tomi Engdahl says:
ABTA website hacked, 43,000 people affected by breach
Hacker used flaw in web server to access data uploaded to website of holiday and travel association.
http://www.zdnet.com/article/abta-website-hacked-43000-people-affected-by-breach/
Hackers used a flaw in the web server running the website of ABTA, the UK’s largest holiday and travel association, to access the data of as many as 43,000 people.
ABTA CEO Mark Tanzer says an “external infiltrator” used a vulnerability in the firm’s web server to access data provided by its members and some of those members’ customers.
ABTA is the UK’s largest travel association, representing travel agents and tour operators that sell £32bn of holidays and other travel each year.
It said the unauthorised access — on 27 February 2017 — may have affected 43,000 individuals.
Tomi Engdahl says:
Automating security? Robots can’t replace humans in decision loop
http://www.zdnet.com/article/robot-vs-welterweight-automated-security-cannot-replace-human-in-the-decision-loop/
While technology can be used for malicious purposes, such as hardware used for DDoS attacks, it’s the human that crafts the malware, determines the victim, and orchestrates the crime.
“Why do so many vendors this year think they can sell me something that can… do my job for me?” was a question I received from a chief security officer friend during a happy hour.
My response? “Oh sweet, naive angel. Only one in four security marketers tell the truth; don’t confuse the product with the marketing.” (Consequently, 67 percent of all marketers make up statistics.)
The problem isn’t limited to marketing, however, and it’s not limited only to RSA or other demand generation-focused conferences. It’s that companies trying to demonstrate a “vision” are going too far in trying to indicate that they can do that much better than competitors, almost to the point of making wild claims.
“Automation! Machine Learning! Artificial Intelligence (AI)! can do everything security for you!”
No. There always has to be a human in the decision loop.
Automation and other advances such as machine learning and AI, have critical roles in security solutions. And, to some extent, automation of processes helps organizations reduce overhead.
automation is becoming a near-future reality for everything from fast food to driver-less vehicles. However, when there are too many variables or if the decision-making necessitates experience, automation may not be enough.
“There are some excellent software programs that automate security penetration testing,” Rad said. “However, I have not known of a company to fully accept the results from an automated penetration test and not also request an experienced security engineer to manage the process and review the results for false positives and false negatives.”
Rothman went on to say that the challenge, especially with machine learning (It dices!), is this alarming idea that it’s going to tell you what you don’t know and then just do things, and he, like many security professionals, do not trust and are not comfortable with that notion.
“I am going to focus on the patterns that I know and actions that I know and let my humans do the rest,”
Tomi Engdahl says:
Millions of Records Leaked From Huge US Corporate Database
https://it.slashdot.org/story/17/03/15/1722238/millions-of-records-leaked-from-huge-us-corporate-database
The database, about 52 gigabytes in size, contains just under 33.7 million unique email addresses and other contact information from employees of thousands of companies, representing a large portion of the US corporate population. Dun & Bradstreet, a business services giant, confirmed that it owns the database
Millions of records leaked from huge US corporate database
http://www.zdnet.com/article/millions-of-records-leaked-from-huge-corporate-database/
Exclusive: The database contains more than 33 million records from government departments and large corporate clients which get sold onto marketers.
Tomi Engdahl says:
Barrister fined after idiot husband slings unencrypted client data onto the internet
When cloud backups go wrong
http://www.theregister.co.uk/2017/03/16/barrister_fined_over_data_breach/
A barrister has been fined by the UK Information Commissioner’s Office after client information was accidentally uploaded to the internet.
According to the ICO, some 725 unencrypted documents — which were created and stored on the computer — were temporarily uploaded to an internet directory as a back-up during the software upgrade.
They were apparently “visible to an internet search engine
Tomi Engdahl says:
ISPs say your Web browsing and app usage history isn’t “sensitive”
ISP lobby groups make case against the FCC’s broadband privacy rules.
https://arstechnica.com/tech-policy/2017/03/isps-say-your-web-browsing-and-app-usage-history-isnt-sensitive/
ISPs that want the federal government to eliminate broadband privacy rules say that your Web browsing and app usage data should not be classified as “sensitive” information.
“Web browsing and app usage history are not ‘sensitive information,’” CTIA said in a filing with the Federal Communications Commission yesterday. CTIA is the main lobbyist group representing mobile broadband providers such as AT&T, Verizon Wireless, T-Mobile USA, and Sprint.
Tomi Engdahl says:
Judge OKs warrant to reveal who searched a crime victim’s name on Google
Order seeks data for “any/all user or subscriber information” related to the searches.
https://arstechnica.com/tech-policy/2017/03/judge-oks-warrant-to-reveal-who-searched-a-fraud-victims-name-on-google/
Police in a small suburban town of 50,000 people just outside Minneapolis, Minnesota, have won a court order requiring Google to determine who has used its search engine to look up the name of a local financial fraud victim.
The court order demanding such a massive search is perhaps the most expansive one we’ve seen unconnected to the US national security apparatus and, if carried out, could set an Orwellian precedent in a bid by the Edina Police Department to solve a wire-fraud crime worth less than $30,000.
The warrant demands Google to help police determine who searched for variations of the victim’s name between December 1 of last year through January 7, 2017. A Google search, the warrant application says, reveals the photo used on the bogus passport. The image was not rendered on Yahoo or Bing, according to the documents. The warrant commands Google to divulge “any/all user or subscriber information”—including e-mail addresses, payment information, MAC addresses, social security numbers, dates of birth, and IP addresses—of anybody who conducted a search for the victim’s name.
After learning of the warrant, Andrew Crocker, a staff attorney with the Electronic Frontier Foundation, tweeted: “Holy shit. Case name should be In re Minnesota Unconstitutional General Warrant.”
Tomi Engdahl says:
GitHub awards researcher $18,000 for remote code execution flaw discovery
http://www.zdnet.com/article/github-awards-researcher-18000-for-remote-code-execution-flaw/?PatrolX
The severe bug impacted GitHub Enterprise and could have given attackers the opportunity to hijack the management console.
Tomi Engdahl says:
Old Linux kernel security bug bites
A Linux developer discovered a serious security hole that’s been hiding for years in an out-of-date driver.
http://www.zdnet.com/article/old-linux-kernel-security-bug-bites/
OK, hands up, who knows what High-Level Data Link Control (HDLC) is? It’s an archaic networking data framing protocol that’s used in modems, X.25, frame-relay, ISDN, and other now uncommon networking technologies.
Alexander Popov, a young and rising Linux developer at Russia’s Positive Technologies, found and fixed the flaw. The bug had been living in the Linux kernel since June 2009.
Specifically, Popov discovered a race condition flaw in the n_hdlc driver (drivers/tty/n_hdlc.c) in the Linux kernel through 4.10.1 (CVE-2017-2636). This is part of the TTY/Serial driver development tree. A local, unprivileged user can use this hole to gain higher privileges on a vulnerable system or cause a denial-of-service attack.
The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.8, which gives it a High rating, just below critical. Exploiting this flaw is relatively easy and doesn’t require specialized hardware or peripherals to be attacked in the targeted system.
Red Hat reports that the issue impacts the Linux kernel packages shipped with Red Hat Enterprise Linux (RHEL) 6, 7, and Red Hat Enterprise MRG 2, Red Hat’s real-time Linux. Red Hat will soon release updates for its operating systems.
Although it’s almost never used, its module is included with most shipping Linux kernels. It is not normally loaded, but as Popov explained in a later note, “The module is automatically loaded if an unprivileged user opens a pseudoterminal and calls TIOCSETD ioctl for it setting N_HDLC line discipline.”
Now, that may sound complicated, but it’s not. It’s easy to do, which means it’s easy for a local user to exploit.
Tomi Engdahl says:
Nest CCTV cameras can be easily blacked out by Bluetooth burglars
So far, no patch available to the public
https://www.theregister.co.uk/2017/03/21/nest_security_cameras_bluetooth_burglar/
Nest’s Dropcam and Dropcam Pro security cameras can be wirelessly attacked via Bluetooth to crash and stop recording footage. This is perfect for burglars and other crooks who want to knock out the cams moments before robbing a joint.
The three vulnerabilities are in camera firmware version 5.2.1, and no patch is publicly available, we understand. Security researcher Jason Doyle, based in Florida, US, spotted the holes, and alerted Google-stablemate Nest about them in October – but there’s been no software updates to correct the programming cockups. This month, Doyle went public with details of the flaws, including example exploits.
Tomi Engdahl says:
3D Printing Has an Urgent Need for Cybersecurity
https://www.designnews.com/3d-printing/3d-printing-has-urgent-need-cybersecurity/42281071756489?cid=nl.x.dn14.edt.aud.dn.20170321
It’s not just about hackers stealing designs. New research shows that 3D-printed products can be tampered with to create counterfeits and undetectable, devastating flaws.
In the race to adopt new 3D printing and additive manufacturing (AM) technologies, engineers and manufacturers are overlooking a key element – cybersecurity.
According to a new paper, “ Manufacturing and Security Challenges in 3D Printing ”, written by researchers at New York University’s Tandon School of Engineering and published in the May 2016 issue of the journal JOM, The Journal of The Minerals, Metals & Materials Society (TMS) , 3D printing carries cybersecurity vulnerabilities that can lead to potentially dangerous, undetectable defects as well as opening the door for counterfeit products.
“Our emphasis in this paper was to show there could be certain small defects in materials, so small that common detection techniques would miss them, but they compromise the properties of these components,” he said. “Many people have shown [3D printers] can be hacked. As a materials scientist my emphasis was to show these tiny defects can be included that would comprise the integrity of the materials used.”
Securing 3D Printing
So what then are the solutions? Gupta said there is the possibility of using and creating new a better materials. However he said, “There are printing techniques that only work with certain materials. At this point AM is limited to using a certain variety of materials, so you have to look at a combination of materials and printing to tackle the problem.”
What about new detection methods? It’s possible, but it might not be the most cost-effective solution. “ There are these methods that are already in line,” Gupta said. “Testing every product for every possibility of defect is very expensive. You can use something like a CT scan that will give more defects, but it’s more expensive because of time and cost constraints.
For Gupta everyone along the complex supply chain, from the 3D printer manufacturers themselves to the design engineers that use them, all the way to the manufacturers, are going to have to take some role in addressing these cyber threats.
The idea is that new security features could be embedded into CAD files or the printed products themselves in order to deter counterfeiting and prevent knock-offs or components that have been maliciously tampered with from being used. “We have designed a set of features you can put into a CAD file that will print the part only under a very specific set of conditions,” Gupta said. “If somebody steals that file then the part they create will be defective. So there will be a very clear point of distinguishing a counterfeit from a genuine product.” He also suggested expanding the same technology into creating ID codes (barcodes or QR codes) that can be printed in the parts. “Those codes can be scanned in very specific conditions and you can find out whether the part is genuine.”
Tomi Engdahl says:
Wireless networks provide hackers avenue of attack
http://fuelfix.com/blog/2017/03/13/wireless-networks-provide-hackers-avenue-of-attack/
Wireless networks represent another avenue of attack for hackers and another potential vulnerability for oil and gas production facilities, refineries, pipelines and other industrial plants, government and private cyber security specialists said.
Homeland Security said network scanning and probing accounted for 79 cyber incidents involving industrial controls in 2014 and 2015, but would not disclose additional details.
Skilled hackers, with a modest equipment that costs a few hundred dollars, could break into these in about two hours.
“If this were a targeted attack,” Dunn said, “whether it be ‘hactivism’ or a nation-state, all they have is time and money and opportunity.”
Tomi Engdahl says:
Jeff John Roberts / Fortune:
Google launches Protect Your Election, a set of security tools to help election websites, human rights groups, and others defend against DDoS and other attacks
Google Launches ‘Protect Your Election’ Kit Ahead of French Vote
http://fortune.com/2017/03/21/google-election-dos-attack-hackers/
As worries mount about cyberthreats to democracy, Google on Tuesday announced the launch of a free set of tools to help election websites, human rights groups, and other parties defend their computer systems from attacks.
The arrival of the toolkit, known as “Protect Your Election,” comes as France prepares to go to the polls next month, and a week after hackers took down one of the Netherlands’ leading election information sites during that country’s vote last week, according to Google, citing local media.
Tomi Engdahl says:
Over 20 million Gmail and 5 million Yahoo accounts available for sale on the Dark Web
http://securityaffairs.co/wordpress/57300/deep-web/gmail-yahoo-accounts-dark-web.html
A vendor with the online moniker “SunTzu583” is reportedly selling millions of login credentials for Gmail and Yahoo accounts on a black market in the dark web. Over 20 million Gmail accounts and 5 million Yahoo accounts are available for sale, the huge trove of data is the result of previous massive data breaches.
Tomi Engdahl says:
With appeals ruling, the United States has effectively outlawed file encryption
https://www.privateinternetaccess.com/blog/2017/03/with-appeals-ruling-the-united-states-has-effectively-outlawed-file-encryption/
An appeals court has denied the appeal of a person who is jailed indefinitely for refusing to decrypt files. The man has not been charged with anything, but was ordered to hand over the unencrypted contents on police assertion of what the contents were. When this can result in lifetime imprisonment under “contempt of court”, the United States has effectively outlawed file-level encryption
Tomi Engdahl says:
Microsoft Windows 10 has a keylogger enabled by default – here’s how to disable it
https://www.privateinternetaccess.com/blog/2017/03/microsoft-windows-10-keylogger-enabled-default-heres-disable/
Tomi Engdahl says:
Non-Targeted Malware Hits 3,000 Industrial Sites a Year: Study
http://www.securityweek.com/non-targeted-malware-hits-3000-industrial-sites-year-study
Thousands of industrial facilities have their systems infected with common malware every year, and the number of attacks targeting ICS is higher than it appears, according to a study conducted by industrial cybersecurity firm Dragos.
There have been an increasing number of media reports on malware infections affecting critical infrastructure and other industrial facilities, and while attention from the press can have some benefits, most experts agree that overhyped media reporting is likely to have a negative impact on ICS security.
Existing public information on ICS attacks shows numbers that are either very high (e.g. over 500,000 attacks according to unspecified reports cited by Dragos), or very low (e.g. roughly 290 incidents per year reported by ICS-CERT).
Dragos’ research has also showed that targeted ICS intrusions are not as rare as they appear to be. While Stuxnet, Havex and BlackEnergy are the only pieces of malware known to specifically target ICS systems, the security firm has identified a dozen intrusions involving ICS-themed malware.
One ICS-themed malware that attracted the attention of researchers has been disguised as software for Siemens programmable logic controllers (PLCs). The threat, described by Dragos as crimeware, has been submitted to public malware databases ten times between 2013 and March 2017. The samples were initially detected by antiviruses as false positives and later as a basic piece of malware.
Tomi Engdahl says:
Metaspoit’s New RFTransceiver Finds Security Flaws in IoT Radio Communications
http://www.securityweek.com/metaspoits-new-rftransceiver-finds-security-flaws-iot-radio-communications
The Internet of Things is pervasive, rapidly growing, and largely insecure. Researchers have discovered security flaws in products ranging from baby alarms and dolls, to motor vehicles and medical equipment — and the likelihood is that there are many more simply not yet discovered.
Metasploit has now released a new hardware bridge extension to help researchers and pentesters — and IoT user organizations — discover security flaws in IoT radio communications. While many of the known flaws are found in consumer devices, IoT devices are increasingly making their way into and onto business premises; and it is very difficult for security teams to control them.
“Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas,” writes Craig Smith, Transportation Research Lead at Rapid7 in a blog announcement today. These same devices can often contain flaws that can be used by attackers, but are unknown to the user.
With Metasploit’s new RFTransceiver radio frequency testing extension, companies will be able to better understand their true security posture. They will, suggests Smith, “be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.”
“We strongly believe,” writes Smith, “that RF testing is an incredibly important — though currently often overlooked — component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk. We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.”
Wood believes that the Metasploit capability will “make it easier for people to do research in this area which again will start to increase awareness and hopefully the overall security.”
The danger, of course, is that criminal elements could also use Metasploit to find flaws suitable for exploiting. It is a criticism that has always been leveled against Metasploit
But he adds that the bad guys are already doing bad things, and the best defense is to know what they can do. “Sunlight is the best disinfectant,” he adds.
F-Secure is at least one security firm that agrees. “RF has traditionally been a fruitful attack vector,” a spokesperson told SecurityWeek, “so maybe the availability of more tools in the field will improve that situation.”
At the same time, F-Secure is aware of the dangers. “This sort of technology is very much ‘dual use’ in the sense that while it is essential to security researchers and red teams, it can also be used as an attack tool by malicious parties.”
Senior security consultant Taneli Kaivola added, “Now that the door has been opened for the wider public, we can expect to see the scope and capability of this tool expanding. I fully expect to see SDRs (software defined radios, adding additional frequencies) supported in the framework popping up like mushrooms in the rain.”
Metasploit’s RF Transceiver Capabilities
https://community.rapid7.com/community/metasploit/blog/2017/03/21/metasploits-rf-transceiver-capabilities
Radio, radio, everywhere
Chances are your company and employees are already using many other radio frequencies (RFs) outside of the standard 802.11 network for various reasons. Perhaps you have a garage door with a wireless opener? Company vehicle key fobs? Not to mention RFID card readers, wireless security systems, Zigbee controlled lights, or HVAC systems.
What are the ranges for these devices? Are they encrypted or protected? What happens when they receive interference? Do they fail in a closed or open state?
The inability to effectively answer these questions (easily or even at all) is the very reason we are releasing the RFTransceiver extension for Metasploit’s Hardware Bridge, and why we think this will be a critical tool for security researchers and penetration testers in understanding the actual attack surface.
How it works
Just one quick author’s note before we get into the ‘how-to’ portion. Rapid7 does not sell the hardware required to perform RF testing. The required hardware can be found at any number of places, including Hacker Warehouse, Hak5, or any electronics store that carries software defined radios or RF transmitter hobbyist equipment.
With the RFTransceiver, security pros have the ability to craft and monitor different RF packets to properly identify and access a company’s wireless systems beyond Ethernet accessible technologies.
The first RFTransceiver release supports the TI cc11xx Low-Power Sub-1GHz RF Transceiver. The RFTransceiver extension makes it possible to tune your device to identify and demodulate signals. You can even create short bursts of interference to identify failure states. This release provides a full API that is compatible with the popular RfCat python framework for the TI cc11xx chipsets. If you have existing programs that use RfCat you should be able to port those into Metasploit without much difficulty. This release comes with two post modules: an Amplitude Modulation based brute forcer (rfpwnon) and a generic transmitter (transmitter).
Using the new RFTransceiver extension requires the purchase of an RfCat-compatible device like the Yard Stick One. Then download the latest RfCat drivers
Tomi Engdahl says:
Cisco Patches Serious DoS Flaws in IOS
http://www.securityweek.com/cisco-patches-serious-dos-flaws-ios
Cisco has released updates for its IOS and IOS XE software to address a couple of high severity flaws that can be exploited to cause a denial-of-service (DoS) condition on vulnerable devices.
The security holes were disclosed on Monday by Omar Eissa, a researcher at Germany-based security firm ERNW, at the TROOPERS conference in a talk focusing on Cisco’s Autonomic Networking Infrastructure (ANI). The ANI vulnerabilities found by Eissa allow unauthenticated attackers to cause affected devices to reload.
One of the flaws, identified as CVE-2017-3850, can be exploited by a remote attacker simply by knowing the targeted Cisco device’s IPv6 address. The weakness can be exploited by sending a specially crafted IPv6 packet to an appliance, but the attack only works if the device runs a version of IOS that supports ANI and its IPv6 interface is reachable.
The second vulnerability, CVE-2017-3849, can be exploited if the targeted device is running an IOS release that supports ANI, it’s configured as an autonomic registrar, and it has a whitelist configured.
Cisco has published indicators of compromise (IoC) and the company’s IOS Software Checker can be used by customers to determine if their IOS and IOS XE software is vulnerable to such attacks. The networking giant has found no evidence of exploitation in the wild.
Tomi Engdahl says:
System Bits: March 21
http://semiengineering.com/system-bits-march-21/
According to University of Michigan researchers, sound waves could be used to hack into critical sensors in a wide range of technologies including smartphones, automobiles, medical devices and IoT devices.
New research calls into question the longstanding computer science tenet that software can automatically trust hardware sensors, which feed autonomous systems with fundamental data they need to make decisions, the team said.
The work showed that inertial sensors, also known as capacitive MEMS accelerometers, which measure the rate of change in an object’s speed in three dimensions, can be tricked.
Sonic cyber attack shows security holes in ubiquitous sensors
http://ns.umich.edu/new/multimedia/videos/24664-sonic-cyber-attack-shows-security-holes-in-ubiquitous-sensors
The inertial sensors involved in this research are known as capacitive MEMS accelerometers. They measure the rate of change in an object’s speed in three dimensions.
It turns out they can be tricked. Led by Kevin Fu, U-M associate professor of computer science and engineering, the team used precisely tuned acoustic tones to deceive 15 different models of accelerometers into registering movement that never occurred. The approach served as a backdoor into the devices—enabling the researchers to control other aspects of the system.
“The fundamental physics of the hardware allowed us to trick sensors into delivering a false reality to the microprocessor,” Fu said. “Our findings upend widely held assumptions about the security of the underlying hardware.
“Analog is the new digital when it comes to cybersecurity,” Fu said. “Thousands of everyday devices already contain tiny MEMS accelerometers. Tomorrow’s devices will aggressively rely on sensors to make automated decisions with kinetic consequences.”
Autonomous systems like package delivery drones and self-driving cars, for example, base their decisions on what their sensors tell them
The researchers identified the resonant frequencies of 20 different accelerometers from five different manufacturers. Then instead of shattering the chips, they tricked them into decoding sounds as false sensor readings that they then delivered to the microprocessor.
Trippel noticed additional vulnerabilities in these systems as the analog signal was digitally processed. Digital “low pass filters” that screen out the highest frequencies, as well as amplifiers, haven’t been designed with security in mind, he said.
Tomi Engdahl says:
Burglars can easily make Google Nest security cameras stop recording
https://www.helpnetsecurity.com/2017/03/21/nest-security-cameras-stop-recording/
Google Nest’s Dropcam, Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor security cameras can be easily disabled by an attacker that’s in their Bluetooth range, a security researcher has found.
Tomi Engdahl says:
Microsoft’s Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable
https://tech.slashdot.org/story/17/03/21/2330222/microsofts-edge-was-most-hacked-browser-at-pwn2own-2017-while-chrome-remained-unhackable
At the Pwn2Own 2017 hacking event, Microsoft’s Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google’s Chrome browser, on the other hand, remained unhackable during the contest.
Microsoft Edge: Most Hacked Browser At Pwn2Own 2017
http://www.tomshardware.com/news/pwn2own-2017-microsoft-edge-hacked,33940.html
Microsoft Losing Its Edge
Microsoft created the Edge browser by rewriting most of it from scratch (some parts were forked from Internet Explorer). The company’s goal was to have a browser that’s much more secure and that can keep up with Chrome and Firefox when it comes to supporting the latest web standards. Edge even implemented sandboxing technologies that were similar to what Chrome was using, which put it ahead of Firefox, which is still trying to play catch-up in this regard.
However, despite these improvements in code cleanness and security technologies, it hasn’t quite proven itself when faced with experienced hackers at contests such as Pwn2Own.
Tomi Engdahl says:
Moodle – Remote Code Execution
http://netanelrub.in/2017/03/20/moodle-remote-code-execution/
The vulnerability (CVE-2017-2641) allows an attacker to execute PHP code at the vulnerable Moodle server. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.
Moodle is a very popular learning management system, deployed in many universities around the world, including top institutes such as MIT, Stanford, the University of Cambridge, and Oxfords’ University.
These statistics, along with the fact Moodle stores a lot of sensitive information, such as grades, tests, and students private data, makes it a critical target, and the main reason I audited it.
Tomi Engdahl says:
Nokia to develop optical encryption for mobile phones
User and device identity, ensuring absolute is becoming increasingly important. Nokia is involved in the University of Oxford in the project, which is developing quantum based encryption mechanism for devices such as smartphones.
In practice, it is a separate device, which is sent to the ultra fast LED encryption key is about half a meter away. A bit like the NFC backup, but optically. It is officially called Quantum Key Distribution- or QDK technology.
According to researchers at Oxford transmission can indeed listen, but if the burst is captured and sent to follow-up, it gets corrupted so that the absence can be detected.
Oxford developed device comprises of six indicator light, covering the desired part of the spectrum. They will send nano-scale pulse every four seconds nanoseconds. One ledipari to send the key bits, one for measuring the security of the channel and makes a third error correction.
Source: http://etn.fi/index.php?option=com_content&view=article&id=6021&via=n&datum=2017-03-17_15:12:11&mottagare=30929
Tomi Engdahl says:
Women Still Underrepresented in Information Security
https://it.slashdot.org/story/17/03/15/183222/women-still-underrepresented-in-information-security
Women make up only 11 percent of the cyber security workforce according to the latest report from the Center for Cyber Safety and Education and the Executive Women’s Forum (EWF).
Yet despite out qualifying them, women in cybersecurity earned less than men at every level and the wage gap shows very little signs of improvement. Men are four times more likely to hold C and executive level position
Women still underrepresented in information security
https://betanews.com/2017/03/15/women-underrepresented-in-security/
Tomi Engdahl says:
F-Secure’s test discouraging result: every second fell to the message scam
Many years have trumpeted that suspicious links provided in the email should go to click on. Far too often the warnings falling on deaf ears.
F-Secure has done its client indicates the test. Employees were sent hoax messages, and what was the result? Depressing: 52 percent clicked on the link in the message.
“It is surprising about all the people who click on while working. They are not stupid, but just do not expect of being ripped off, “F-Secure security expert Tom Van de Wiele says the release.
F-Secure warns that the attackers hit consistently in companies with the technology to provide protection relies too much.
“Human problems can not be solved only by technology.”
“Attackers trick people very gracefully to bypass their defenses.”
If an organization tells its employees the technical protection of the highest class, this creates a false sense of security and an ideal situation to attack
Source: http://www.tivi.fi/Kaikki_uutiset/f-securen-testin-masentava-tulos-joka-toinen-lankesi-huijausviestiin-6634948
Tomi Engdahl says:
Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom
https://motherboard.vice.com/en_us/article/hackers-we-will-remotely-wipe-iphones-unless-apple-pays-ransom?utm_source=vicefbus
“I just want my money,” one of the hackers said.
A hacker or group of hackers is apparently trying to extort Apple over alleged access to a large cache of iCloud and other Apple email accounts.
The hackers, who identified themselves as ‘Turkish Crime Family’, demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.
“I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing,” one of the hackers told Motherboard.
The hackers provided screenshots of alleged emails between the group and members of Apple’s security team.
The hackers also uploaded a YouTube video of them allegedly logging into some of the stolen accounts.
According to one of the emails in the accessed account, the hackers claim to have access to over 300 million Apple email accounts, including those use @icloud and @me domains. However, the hackers appear to be inconsistent in their story; one of the hackers then claimed they had 559 million accounts in all.
Tomi Engdahl says:
Confirmed: TSA bans gear bigger than phones from airplane cabins
Air travel to the US from eight countries appears to be affected
https://www.theregister.co.uk/2017/03/20/tsa_bans_devices_bigger_than_phones_certain_airlines/
People traveling by air to America from an undisclosed list of countries will no longer be allowed to carry devices larger than a mobile phone in carry-on baggage.
Those traveling with such devices will be required to store them in checked baggage.
Tomi Engdahl says:
Twitter Suspended Hundreds of Thousands of Accounts Amid ‘Violent Extremism’
https://yro.slashdot.org/story/17/03/21/1624201/twitter-suspended-hundreds-of-thousands-of-accounts-amid-violent-extremism
Twitter said on Tuesday it had suspended more than half a million accounts since the middle of 2015 as the company steps up efforts to tackle “violent extremism” on its microblogging platform.
The company shut down a total of 376,890 accounts in the last six months of 2016,
Twitter Suspended Hundreds of Thousands of Accounts Amid ‘Violent Extremism’
http://fortune.com/2017/03/21/twitter-account-suspension/
Twitter (twtr) also said it had started taking legal requests to remove content posted by verified journalists and media outlets.
Tomi Engdahl says:
UK flight ban on electronic devices announced
http://www.bbc.com/news/uk-39343971
The UK government has announced a cabin baggage ban on laptops and tablets on direct flights to the UK from Turkey, Lebanon, Jordan, Egypt, Tunisia and Saudi Arabia.
The ban follows a similar move in the US, where officials say bombs could be hidden in a series of devices.
Downing Street said it was “necessary, effective and proportionate”.
The ban applies to any device larger than 16cm long, 9.3cm wide or 1.5cm deep. It includes smart phones, but most fall inside these limits.
Any affected device, including e-readers, will need to be placed into hold luggage.
Passengers can still take most smartphones, games consoles and DVD players onto the plane
This is a controversial decision, and, I’m told, not an easy one for the government.
The UK ban goes even further than the US move which does not affect national carriers.
Department of Homeland Security said extremists were seeking “innovative methods” to bring down jet
Tomi Engdahl says:
Hackers Try to Steal Self-Driving Tech From China’s Baidu
http://spectrum.ieee.org/cars-that-think/transportation/self-driving/hackers-tried-to-steal-selfdriving-tech-from-chinas-baidu
Robocar technology has received perhaps the most honest compliment mankind can bestow: Hackers tried to steal it. Even more extraordinary was the willingness of the targeted company, China’s Baidu, to acknowledge the attempted heist.
“someone tried to hire someone in the underground market to steal from us,”
With all these companies competing for skills that take years to develop, the price of engineering talent has soared. And it’s no wonder that the temptation to steal those engineers’ work has also increased.
Tomi Engdahl says:
FBI wiretapped Russian gambling ring based at Trump Tower
http://www.nydailynews.com/news/national/fbi-wiretapped-russian-gambling-ring-headquarted-trump-tower-article-1.3004226
The Feds were monitoring Russian activity at Trump Tower — but it was years before President Trump ever ran for office.
The FBI had a court-sanctioned warrant from 2011 to 2013 to monitor a Russian crime organization working
Tomi Engdahl says:
Russell Brandom / The Verge:
How iCloud account data helped police identify the attacker who allegedly tweeted seizure-inducing strobe, despite his use of a prepaid SIM bought with cash — An anonymous SIM card in a non-anonymous iPhone — In theory, it was the perfect setup: an anonymous Twitter account on a prepaid SIM card, bought with cash.
iCloud may have doxxed a journalist’s Twitter attacker
An anonymous SIM card in a non-anonymous iPhone
http://www.theverge.com/2017/3/20/14987874/eichenwald-twitter-troll-seizure-arrested-icloud-anonymous
In theory, it was the perfect setup: an anonymous Twitter account on a prepaid SIM card, bought with cash. With no credit card or other identifiable info tied to the account, there should have been no way to trace tweets back to a human.
But on Friday, after taking all those precautions, a man named John Rivello was arrested for sending seizure-inducing tweets to Newsweek journalist Kurt Eichenwald.
While AT&T didn’t have any directly identifying data, the company’s toll records showed that the SIM card had been used by an iPhone 6. That sent investigators looking for an iCloud account linked to the same number. After another search warrant to Apple, they got what they were looking for.
Tomi Engdahl says:
The Art of Human Hacking
The seven deadly sins of social engineering
http://xeushack.com/the-art-of-human-hacking
Tomi Engdahl says:
Suicide Games penetration in Finland – Russian Ombudsman for Children: Heightened suicides in Russia 60 per cent
Russia’s Ombudsman for Children Anna Kuznetsova is of the view that, like the Blue Whale game social network games spread of suicide have increased suicide rate in Russia, nearly 60 per cent last year.
Source: http://www.iltalehti.fi/ulkomaat/201703232200090140_ul.shtml?ref=juurinyt_desktop
Tomi Engdahl says:
F-Secure has been doing for a couple of years simulated data theft companies. Security Company has not previously just been on the Functioning of the noise, which is called in English often known as red teaming.
It is a practice that F-Secure’s employees take the permission of the client company use the same bag of tricks, which are also used by cyber-criminals. F-Secure’s CEO Samu Konttinen says that the security company to implement already dozens of red teaming engagements per year.
“Commissioned by, for example, can be a CEO, to whom the company’s own security manager is first given an assurance that the organization’s data security of all is in order. The Terms of Reference can not read data break-in addition to, say, take a selfie of yourself with CEO’s table, “says Konttinen.
F-Secure’s success rate has been so far mandates for a hundred. Security Company employees have managed to break one way or another in all the service situation of the client companies, many of which have been major players in the Nordic countries.
“Sometimes we use only data network hacking ways. In between are used in addition to the physical breaking into bag of tricks, making it possible to physically install the devices to the corporate network. For example, the customer database hacking can prove, if desired, adding there additional people such as Pelle Peloton,”
“Yellow vest is like an invisibility cloak. When it is turned on, the workers easily think that a person can go anywhere and even kind enough to allow this to proceed, “says Konttinen.
F-Secure researchers have even managed to break into a machine room of the organization as part of a simulated attack and there to install their own equipment.
The researchers have also been caught. However, they are caught with them in case of a label with authorization by the organization simulated attack with all possible means.
Source: http://www.tivi.fi/Kaikki_uutiset/f-secure-murtautui-konesaliin-asiakas-maksoi-hyokkayksesta-6635302