Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is rife with threats, both the well-known and the unknown, and companies' systems are supposed to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
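As an added example (not part of the original post, and not Chrome's own code), here is a small offline check in the spirit of the Chrome 56 warning: it classifies a page by its URL scheme and by whether its HTML carries a password input or a credit-card autocomplete field. The detection heuristic, the function names and the sample pages are assumptions of this example; Chrome's real form detection is more elaborate.

```python
"""Chrome-56-style 'not secure' check over constructed HTML (added example)."""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


class _SensitiveFieldFinder(HTMLParser):
    """Collect <input> elements that carry a password or credit-card hint.

    Heuristic (assumption of this example): type="password" or an
    autocomplete token starting with "cc-" (cc-number, cc-csc, ...)."""

    def __init__(self) -> None:
        super().__init__()
        self.fields: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.fields.append("password")
        elif a.get("autocomplete", "").startswith("cc-"):
            self.fields.append(a["autocomplete"])


def sensitive_fields(html: str) -> List[str]:
    """Return the sensitive input markers found in an HTML document."""
    parser = _SensitiveFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.fields


def classify_page(url: str, html: str) -> str:
    """Mirror the three outcomes a browser could show for a page."""
    scheme = urlsplit(url).scheme.lower()
    fields = sensitive_fields(html)
    if scheme == "https":
        return "secure"
    if fields:
        return "not secure (" + ", ".join(fields) + " over plain HTTP)"
    return "neutral (plain HTTP, no sensitive fields)"


def audit(pages: List[Tuple[str, str]]) -> Dict[str, str]:
    """Run classify_page over (url, html) pairs; return only the flagged URLs."""
    return {url: verdict for url, html in pages
            if (verdict := classify_page(url, html)).startswith("not secure")}


# --- constructed sample pages (not real sites) ---
LOGIN_PAGE = """<html><body><form method="post" action="/login">
  <input name="user" type="text">
  <input name="pass" type="PASSWORD">
</form></body></html>"""

CHECKOUT_PAGE = """<html><body><form action="/pay">
  <input name="card" autocomplete="cc-number" type="text">
  <input name="csc" autocomplete="cc-csc" type="text">
</form></body></html>"""

BLOG_PAGE = "<html><body><input type='search' name='q'></body></html>"

if __name__ == "__main__":
    sample = [("http://shop.example/login", LOGIN_PAGE),
              ("http://shop.example/checkout", CHECKOUT_PAGE),
              ("https://shop.example/login", LOGIN_PAGE),
              ("http://blog.example/", BLOG_PAGE)]
    for url, verdict in audit(sample).items():
        print(url, "->", verdict)
```

Feed `audit` the (url, html) pairs from a crawl of your own properties to get the list of pages that would have started showing the warning in January 2017; an `https://` scheme is treated as the fix, exactly as the Chrome policy does.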

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google, and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
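Added example, not from the original post: a stdlib-only Python check that reads the signatureAlgorithm OID out of a DER-encoded certificate and reports whether the certificate still carries a SHA-1 signature. The certificate bytes are constructed inline with a dummy tbsCertificate so that the script runs offline; the function names (`signature_algorithm_oid`, `classify`, `fake_certificate`) are this example's own and the OID tables cover only the common RSA, ECDSA and DSA algorithm identifiers.

```python
"""Flag SHA-1 certificate signatures by walking the DER structure (added example)."""
from typing import Tuple

# Signature-algorithm OIDs (dotted form) this example recognises.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
MODERN_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn OID content octets into dotted notation (first octet packs two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:           # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the first element and return the AlgorithmIdentifier OID of the second."""
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)            # tbsCertificate (skipped)
    tag, alg_id, _ = read_tlv(body, pos)         # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify(cert_der: bytes) -> str:
    """Verdict string for a certificate's signature algorithm."""
    oid = signature_algorithm_oid(cert_der)
    if oid in SHA1_SIGNATURE_OIDS:
        return "insecure: " + SHA1_SIGNATURE_OIDS[oid]
    if oid in MODERN_SIGNATURE_OIDS:
        return "ok: " + MODERN_SIGNATURE_OIDS[oid]
    return "unknown: " + oid


# --- constructed sample input: a certificate skeleton, not a real certificate ---
def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV, using the long length form above 127 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid, wrapped as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def fake_certificate(sig_oid: str) -> bytes:
    """Certificate skeleton: dummy tbsCertificate (long enough to exercise the
    long length form), AlgorithmIdentifier {OID, NULL}, dummy BIT STRING signature."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x04, b"\x00" * 200))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\xAA" * 16)
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", classify(fake_certificate(oid)))
```

For a real certificate, pass `ssl.PEM_cert_to_DER_cert(pem_text)` to `classify`. Two caveats for an inventory run: the hash on a self-signed root does not matter, because the trust anchor's own signature is never verified, so the certificates that matter are leaves and intermediates; and this check only reads the algorithm identifier, it does not verify the signature or the certificate chain.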

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (so the need to rely on the telecom operator and external services increases). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophic concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own blockchains in the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for blockchains.

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

3,151 Comments

  1. Tomi Engdahl says:

    Kate Conger / TechCrunch:
    Android 2016 security report: 50% of devices in use at the end of 2016 had not received a platform security update in one year

    Android plans to improve security update speed this year
    https://techcrunch.com/2017/03/22/security-updates-are-still-slow-for-android-users/

    Google has spent the past year working with third-party manufacturers and phone carriers to improve its update system for Android, which is often criticized for not being fast enough to protect users from known vulnerabilities. And while Google says it has made some progress in this area — Android issued security updates to 735 million devices from more than 200 manufacturers in 2016 — about half of Android users still aren’t receiving important security patches.

    “There is still a lot of work to do to protect all Android users: about half of devices in use at the end of 2016 had not received a platform security update in the previous year,” Android security leads Adrian Ludwig and Melinda Miller wrote in a year-in-review post. Android issued monthly security updates during that time frame.

    When phone makers discover vulnerabilities in their products — either through external reports from security researchers or through internal audits — it kicks off a race to patch the problem before it’s widely exploited. But in the Android ecosystem, which includes hundreds of carriers and manufacturers, pushing those updates out to every user is a complex process.

  2. Tomi Engdahl says:

    Geof Wheelwright / GeekWire:
    Twitter partnering with IBM’s Watson team to “identify abuse patterns” among users on Twitter before the behavior starts, says VP of data strategy Chris Moody

    Twitter starts using IBM’s Watson technology to help identify bullies who tweet
    http://www.geekwire.com/2017/twitter-starts-using-ibms-watson-technology-help-identify-bullies-tweet/

    LAS VEGAS — Twitter wants to do a better job of policing bullies who tweet, and Twitter vice-president of data strategy Chris Moody declared from the keynote stage at IBM’s InterConnect conference this week that it is using IBM Watson technology to help meet that challenge.

    “We have had some abuse on the platform. We’ve talked very publicly in the in the last few months and said our number 1 priority is stop the abuse,” he said. “But it’s a very, very hard challenge.”

  3. Tomi Engdahl says:

    New York Times:
    As Chinese state-backed firms invest in cutting edge US startups, DoD white paper distributed to WH says US govt failing to protect critical tech, sources say

    China Bets on Sensitive U.S. Start-Ups, Worrying the Pentagon
    https://www.nytimes.com/2017/03/22/technology/china-defense-start-ups.html

    HONG KONG — When the United States Air Force wanted help making military robots more perceptive, it turned to a Boston-based artificial intelligence start-up called Neurala. But when Neurala needed money, it got little response from the American military.

    So Neurala turned to China, landing an undisclosed sum from an investment firm backed by a state-run Chinese company.

    Chinese firms have become significant investors in American start-ups working on cutting-edge technologies with potential military applications.

    The deals are ringing alarm bells in Washington. According to a new white paper commissioned by the Department of Defense, Beijing is encouraging Chinese companies with close government ties to invest in American start-ups specializing in critical technologies like artificial intelligence and robots to advance China’s military capacity as well as its economy.

    The white paper, which was distributed to the senior levels of the Trump administration this week, concludes that United States government controls that are supposed to protect potentially critical technologies are falling short, according to three people knowledgeable about its contents, who spoke on the condition of anonymity.

  4. Tomi Engdahl says:

    Lithuanian Man Arrested Over $100 Million Email Scam
    http://www.securityweek.com/lithuanian-man-arrested-over-100-million-email-scam

    A Lithuanian man has been indicted in the United States for convincing two U.S.-based Internet companies into wiring over $100 million to bank accounts he controlled as part of an email fraud scheme.

    Evaldas Rimasauskas, 48, was arrested late last week in Lithuania on the basis of a provisional arrest warrant, the New York Office of the FBI said.

    The indictment (PDF) claims that Rimasauskas has orchestrated a fraudulent scheme in or around 2013 through in or about 2015, to deceive targeted companies, including a multinational technology company and a multinational online social media company, into wiring funds to bank accounts he controlled.

  5. Tomi Engdahl says:

    North Korean Hackers Were Behind a Recent Major Cyber Attack
    http://fortune.com/2017/03/15/north-korea-hackers-cyber-attack/

    A North Korean hacking group known as Lazarus was likely behind a recent cyber campaign targeting organizations in 31 countries, following high-profile attacks on Bangladesh Bank, Sony and South Korea, cyber security firm Symantec said on Wednesday.

    Symantec said in a blog that researchers have uncovered four pieces of digital evidence suggesting the Lazarus group was behind the campaign that sought to infect victims with “loader” software used to stage attacks by installing other malicious programs.

    Lazarus has already been blamed for a string of hacks dating back to at least 2009, including last year’s $81 million heist from Bangladesh’s central bank, the 2014 hack of Sony Pictures Entertainment that crippled its network for weeks and a long-running campaign against organizations in South Korea.

    2016 Bangladesh Bank heist
    https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist

    In February 2016, instructions to steal US$951 million from Bangladesh Bank, the central bank of Bangladesh, were issued via the SWIFT network. Five transactions issued by hackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded.

  6. Tomi Engdahl says:

    Proposed Legislation Would Give Legal Right to Hack Back
    http://www.securityweek.com/proposed-legislation-would-give-legal-right-hack-back

    Hacking back is a perennial and contentious issue. Its latest instance comes in the form of a ‘Discussion Draft’ bill proposed by Representative Tom Graves (R-GA): The Active Cyber Defense Certainty Act. Graves claims it is gaining bipartisan support, and he expects to present it to the House of Representatives for vote within the next few months.

    The Draft Bill (PDF) is an amendment to the Computer Fraud and Abuse Act (CFAA). The CFAA is a deterrent to hacking through potentially severe sanctions; but it has not been effective in preventing cybercrime, and it has made hacking back illegal. The new bill would remove those parts of the CFAA that effectively prevent private business from taking their own action against hackers: “It is a defense to a prosecution under this section that the conduct constituting the offense was an active cyber defense measure.”

    Noticeably, the bill uses the term ‘active cyber defense’ throughout, and never once mentions the term ‘hacking back’.

    The George Washington University report warns, “Today, when active defense is discussed, too often the discussion shifts to ‘hacking back’ — offensive cyber measures that are beyond the scope of what we define as permissible activity in this report.” This has clearly happened with the Graves proposal: it conflates active defense with hacking back.

  7. Tomi Engdahl says:

    Citadel Botnet Author Pleads Guilty
    http://www.securityweek.com/citadel-botnet-author-pleads-guilty

    A Russian national has pleaded guilty in a United States court to charges related to the development and distribution of the Citadel malware.

    Mark Vartanyan, who has been going by the hacker name of “Kolypto,” was arrested in Norway and extradited to the United States in Dec. 2016. For his role in the development and maintenance of the Citadel malware, he is charged with one count of computer fraud.

  8. Tomi Engdahl says:

    Trump team communications captured by intelligence community surveillance, committee chair says
    http://www.news.com.au/finance/work/leaders/trump-team-communications-captured-by-intelligence-community-surveillance-committee-chair-says/news-story/415c0d611b82c4ef7f59972150b1ab54

    A TOP intelligence chief has partially backed Donald Trump’s wire-tapping claims, saying the US president was surveilled “inappropriately”.

    Devin Nunes, the Republican Chair of the House Intelligence Committee, revealed overnight that some of the US President’s personal communications had been caught up in “incidental” surveillance involving a foreign power in the months after the election.

  9. Tomi Engdahl says:

    Security services ‘prevented 13 UK terror attacks since 2013’
    http://www.bbc.com/news/uk-39176110

    Security services have prevented 13 potential terror attacks since June 2013, the UK’s most senior counter-terrorism police officer has revealed.

    Assistant commissioner Mark Rowley also said there were 500 live counter-terror investigations at any time.

  10. Tomi Engdahl says:

    Hamza Shaban / BuzzFeed:
    Senate votes 50-48 to repeal Obama-era regulations requiring that ISPs ask before sharing customer data — The Senate voted Thursday to make it easier for internet service providers to share sensitive information about their customers, a first step in overturning landmark privacy rules …

    Senate Republicans Vote To Gut Internet Privacy
    https://www.buzzfeed.com/hamzashaban/the-republican-controlled-senate-votes-to-strip-internet?utm_term=.ki0dopEaxn#.lpX6JL148M

    Passed by the Federal Communications Commission under president Obama, the privacy rules require internet providers like Comcast and AT&T to first get your permission before they can sell your private information like browsing history and location data.

    The Senate voted Thursday to make it easier for internet service providers to share sensitive information about their customers, a first step in overturning landmark privacy rules that consumer advocates and Democratic lawmakers view as crucial protections in the digital age. The vote was passed along party lines, 50-48, with all but two Republicans voting in favor of the repeal and every Democrat voting against it. Two Republican Senators did not vote.

    Passed by the Federal Communications Commission in the final months of the Obama presidency, the privacy rules prohibited internet providers like Comcast and Verizon from selling customer information, including browsing history and location data, without first getting consent. The rules also compelled providers to tell customers about the data they collect, the purpose of that data collection, and to identify the types of third party companies that might be given access to that information.

    But the telecom industry and Republicans in Congress fiercely opposed the new regulations. Critics argued that these rules unfairly target internet providers, restricting their ability to turn personal information into targeted advertising and other tailored services, even as giant web companies like Google and Facebook are free to collect and sell our information without those limitations.

  11. Tomi Engdahl says:

    Kate Conger / TechCrunch:
    Android 2016 security report: 50% of devices in use at the end of 2016 had not received a platform security update in one year — Google has spent the past year working with third-party manufacturers and phone carriers to improve its update system for Android, which is often criticized …

    Android plans to improve security update speed this year
    https://techcrunch.com/2017/03/22/security-updates-are-still-slow-for-android-users/

    Google has spent the past year working with third-party manufacturers and phone carriers to improve its update system for Android, which is often criticized for not being fast enough to protect users from known vulnerabilities. And while Google says it has made some progress in this area — Android issued security updates to 735 million devices from more than 200 manufacturers in 2016 — about half of Android users still aren’t receiving important security patches.

  12. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Profile of Tracer, a phone surveillance tool made by a US firm that is being resold by Moscow-based OpenGSM; sources say Apple has been tracking it since 2015

    This American Surveillance Tool Helped Russians Spy On Androids And iPhones
    https://www.forbes.com/sites/thomasbrewster/2017/03/22/iphone-android-malware-from-las-vegas-in-russia-cybercrime-links/#45b6463d2a8a

    Alner is the chief of a small malware merchant, Killer Mobile, whose Tracer surveillance tool for Android and iPhone has spread far beyond Las Vegas, all the way to Russia, a Forbes investigation found. In what appears to be an unprecedented spyware deal between American and Russian firms, Killer’s cellphone spy tools were resold by Moscow-based surveillance tech dealer, OpenGSM, which markets to both government agencies and the average consumer.

    Most worrisome of all is that digital sleuths have spotted OpenGSM trying to recruit cybercriminals to boost the firm’s software sales, while hanging around the same dark corners of the web as Russia’s most diabolical data thieves.

    The spread of American malware to Russia, and to a Moscow company linked to government and criminal hacking, is a stark reminder of the muddied waters of the cyber arms market where players in enemy countries can provide dangerous spy tools to one another despite the risks of breaking wiretapping and export laws. Not to mention the concomitant ethical dilemmas.

    a cellphone surveillance market that’s out of control. “There needs to be a remedy for this market,”

    An OpenGSM manual provided by the researcher (who wished to remain anonymous) directed users to a website controlled by Alner, where they could download an iPhone spy tool onto a target’s device as part of a €600 ($650) package. Further proof of a connection came in the form of Killer Android malware dating back to April 2015, hosted on an OpenGSM website.

  13. Tomi Engdahl says:

    US bans electronic devices on flights from eight majority-Muslim countries
    No American carriers are impacted by the ban, which involves devices larger than a mobile phone
    http://www.independent.co.uk/news/world/americas/us-politics/donald-trump-us-bans-electronic-devices-on-flights-eight-muslim-countries-royal-jordanian-airlines-a7640591.html

    Donald Trump’s administration has banned airline passengers from eight Middle Eastern and North African countries from carrying large electronic devices.

    US and UK ban cabin laptops on some inbound flights
    http://www.bbc.com/news/world-us-canada-39333424

    The US and UK are banning laptops from cabin baggage on flights from certain countries in the Middle East and North Africa, as well as Turkey.

    The US ban on electronic devices larger than a smartphone is being imposed as an anti-terrorist precaution.

    It covers inbound flights on nine airlines operating out of 10 airports. Phones are not affected.

  14. Tomi Engdahl says:

    CERT publishes deep-dive ‘don’t be stupid’ list for C++ coders
    Your hefty guide to avoiding the mistakes everyone makes
    https://www.theregister.co.uk/2017/03/23/cert_c_plus_plus_coding_standard/

    CERT has followed last year’s release of its secure C coding standard with a similar set of rules for C++.

    Carnegie-Mellon University’s announcement says the Software Engineering Institute (SEI) has put ten years into researching secure coding. The resulting SEI CERT C++ Coding Standard has 83 rules specific to features of C++ that aren’t in C.

    “This newly released C++ standard adds to our previously released C standard secure coding guidance for features that are unique to the C++ language. For example, this standard has guidance for object oriented programming and containers,” said CERT’s Robert Schiela, technical manager, Secure Coding, in the canned release. “It also contains guidance for features that were added to C++14, like lambda objects.”

    While specific to C++14, the guidelines in the standard can be applied to older versions, back to C++11.

    SEI CERT C++ Coding Standard
    https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637

    The C++ rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.

    The CERT C++ Coding Standard does not currently expose any recommendations.

  15. Tomi Engdahl says:

    Error prone, insecure, inevitable: Say hello to today’s facial recog tech
    If you want a picture of the future, imagine a database with every human visage
    https://www.theregister.co.uk/2017/03/22/facial_recognition_tech_questioned/

    Facial recognition technology represents a valuable, and likely inevitable, method of identification for cops and Feds. Unfortunately, it’s largely unregulated, error prone, and insecure.

    Chaffetz said the technology makes mistakes, with one in seven FBI facial recognition searches incorrectly returning a list of innocent people as matches, despite the presence of the actual matching image in the database. Chaffetz also expressed doubts about the government’s ability to secure such data. “I don’t believe they can keep all this information locked down and secure,” he said.

    “Is it the right public policy to populate a database with everybody’s face in it…or [just those] who have ‘earned it’?” mused Chaffetz.

    The GAO reviewed the FBI’s Next Generation Identification-Interstate Photo System (NGI-IPS) and found that the agency failed to publish data on the privacy risks, failed to adequately evaluate the error rate of the technology, and failed to assess the accuracy of systems operated by external partners, such as states and other federal agencies.

  16. Tomi Engdahl says:

    Malware ‘disguised as Siemens firmware drills into 10 industrial plants’
    Four years of active infection, claims security biz Dragos
    https://www.theregister.co.uk/2017/03/22/malware_siemens_plc_firmware/

    Malware posing as legitimate firmware for Siemens control gear has apparently infected industrial equipment worldwide over the past four years.

    The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we’re told. At least 10 industrial plants – seven in the US – were found running the infected firmware, a study by industrial cybersecurity firm Dragos claims.

    Project MIMICS – Stage One
    https://dragos.com/blog/mimics/

  17. Tomi Engdahl says:

    Coppers ‘persistently’ breach data protection laws with police tech
    Staff association warns that systems ‘increasingly’ being used for personal reasons
    https://www.theregister.co.uk/2017/03/22/coppers_persistently_breaching_data_protecton_laws_with_pnc_and_anpr/

    Coppers in England and Wales are “persistently” committing data breaches, according to the Police Federation’s head of misconduct.

    Technologies from the Police National Computer (PNC) systems through to the Automatic Number Plate Recognition (ANPR) databases are “increasingly being used by officers for non-work related reasons”, according to the Police Federation, the statutory staff association for officers.

    “Computer misuse is a serious issue and if officers commit data protection breaches – outside of lawful policing purposes – they are likely to face very significant penalties,”

  18. Tomi Engdahl says:

    Google Maps will now let you share your location, creating a whole new set of privacy concerns
    Every step you take …
    http://www.recode.net/2017/3/22/15016062/google-maps-share-location-privacy

    Google has announced new features for Google Maps, including some that make it easier to share your location with contacts, which could spur privacy concerns.

    Altogether, the updates don’t mark a sweeping change as the company has been careful about how it tweaks the service. That’s because Maps is Google’s most-used app after YouTube and the fourth-most-used app overall with over 95 million people accessing it every month, according to comScore. Maps has become crucial to Google’s mobile strategy.

    Given that, it’s noteworthy that the changes don’t include any new ways for Google to make money from Maps.

    Location sharing is the most significant update. People can let anyone else know where they are by sending a text message with a link. The link can be opened by anyone, even if they don’t have the Maps app. People can also share their location within the app to others who use Maps.

    That could raise all kinds of privacy concerns. The links, for example, can be shared to anyone else through a simple copy and paste, whether or not the original user intended their information to be known to a wider circle. The links will expire after three days, or earlier if the user sets the date.

    Share your trips and real-time location from Google Maps
    https://blog.google/products/maps/share-your-trips-and-real-time-location-google-maps/

    Reply
  19. Tomi Engdahl says:

    Two Ways GDPR Will Change Your Data Storage Solution
    http://www.linuxjournal.com/content/two-ways-gdpr-will-change-your-data-storage-solution

    By now, most companies who do any business in the EU are aware of the General Data Protection Regulation (GDPR), which goes into effect in 2018 and applies to any entity doing business within any of the 28 EU member states. Not only does the GDPR apply somewhat broadly to “monitoring the behaviour” of EU residents, but it also comes with some hefty fines (up to €20 million, or 4% of worldwide turnover) for companies that violate the regulation. In short, the new regulation is going to require companies to implement entirely new processes and procedures around the collection and storage of personally identifiable information (PII), which will likely result in changes to data storage solutions as well.

    The GDPR defines PII as any information that relates to a EU resident’s private, professional or public life (that is, banking information, medical information, email addresses, social media posts and so on), and a lot of the regulation goes into making sure that this PII is not only stored with a person’s permission, but that it’s also kept for a specified purpose and for a duration that makes sense, given the initial reason for obtaining the data. So, if a customer signs up for a product warranty, and the warranty is good for three years, the company would need to get the customer’s explicit permission to use his or her PII for marketing campaigns or to keep that data beyond the three-year warranty limit.

    Under the GDPR, companies will need to build controls regarding security roles and levels in regard to data access, and be able to provide tight data-breach mechanisms and notification protocols.

    But because liability of the new regulation falls on all parties, thereby motivating cloud providers to have robust compliance solutions in place, it actually could be a simpler, less-expensive route to look at a cloud or hybrid solution.

    Reply
  20. Tomi Engdahl says:

    Don’t Leave Security to Luck – 5 Security Controls to Implement in 2017
    http://www.securityweek.com/dont-leave-security-luck-5-security-controls-implement-2017

    Like burglars looking for the soft target in the neighborhood, such as the house without cameras or newspapers piled up indicating a family on vacation, cyber criminals are constantly probing for vulnerabilities.

    Whether or not you avoid a breach sometimes comes down to “luck.” Maybe attackers won’t notice you haven’t patched OpenSSL with the Heartbleed vulnerability. More likely, that’s just wishful thinking.

    Few, if any, organizations have all the security resources necessary to absolutely prevent a successful attack. But by analyzing the trends from many of the top industry surveys and reports, we can prioritize the security investments needed to harden our environments against the opportunistic attackers and perhaps make a bit of our own luck.

    Harden credentials used to access sensitive information and beyond

    Reduce the attack surface of credentials

    Isolate – and monitor – the problem children

    Concentrate encryption on the crown jewels – and everything else

    Trust, but verify

    The Cyberthreat Defense Report showed that “only 30 percent of respondents are confident that their organization has made adequate investments to monitor the activities of privileged users.” That number is too low for what can be the most devastating of attacks. Consider how leaks by Edward Snowden or the anonymous administrator at Mossack Fonseca have impacted those organizations.

    http://www.securityweek.com/are-we-dawn-endpoint-protection-revolution

    Reply
  21. Tomi Engdahl says:

    Are We at the Dawn of an Endpoint Protection Revolution?
    http://www.securityweek.com/are-we-dawn-endpoint-protection-revolution

    For the past several years, enterprise security leaders have been challenged with the task of locking down endpoints with traditional security solutions that are proving to be ineffective against today’s threats.

    According to the results of a just-released survey of 1,000 IT security decision makers and practitioners, nearly 9 of 10 respondents said their organization plans to replace or augment their current endpoint security defenses, maintaining the belief that current solutions in place are not providing adequate protection. That figure is up from nearly 7 of 10 respondents in last year’s report.

    Reply
  22. Tomi Engdahl says:

    Brain-Inspired System Aims to Improve Threat Detection
    http://www.securityweek.com/brain-inspired-system-aims-improve-threat-detection

    A new “brain-inspired” computer system promises improved detection of cyber threats by looking for specific patterns that can more efficiently reveal indicators of compromise in a network.

    Dubbed the Neuromorphic Cyber Microscope, the system was designed by Lewis Rhodes Labs in partnership with Sandia National Laboratories and aims to address the limitation current systems have when it comes to the detection of more complex indicators of compromise, which the researchers call “new species of ‘bad apples’.”

    The designers of the system explain that many modern cybersecurity systems might be looking for general indicators of compromise or only for specific patterns, and often require interaction from security analysts to correctly sort the real dangers from false alarms.

    By using its brain-inspired design, the new system promises not only to address this limitation by looking for complex patterns that indicate specific “bad apples,” but also to offer energy consumption savings, as it requires “less electricity than a standard 60-watt light bulb,” its creators claim.

    The Microscope’s processor is based on the neuroscience research of Dr. Pamela Follett, a co-founder of Lewis Rhodes Labs.

    While conventional detection systems compare the received data against a library of malicious patterns, the Neuromorphic Cyber Microscope was designed to compare streaming data to suspicious patterns in a time-dependent manner, which should improve its detection efficiency.

    Reply
  23. Tomi Engdahl says:

    Senators Reintroduce Bills to Improve Cybersecurity of Vehicles and Airplanes
    http://www.securityweek.com/senators-reintroduce-bills-improve-cybersecurity-vehicles-and-airplanes

    Legislation Would Protect Drivers From Auto Security and Privacy Risks, Implement Cybersecurity Standards for Aircraft

    The Security and Privacy in Your Car (SPY Car) Act directs the National Highway Traffic Safety Administration and the Federal Trade Commission to establish federal standards to secure our cars and protect drivers’ privacy, as well as establishes a rating system – or “cyber dashboard” – that informs consumers about how well the vehicle protects drivers’ security and privacy beyond those minimum standards. In 2014, Senator Markey released the report “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk,” which detailed major gaps in how auto companies are securing connected features in cars against hackers.

    “Whether in their cars on the road or in aircraft in the sky, Americans should be protected from cyberattack and violations of their privacy,” said Senator Markey. “If hackers access the critical systems of a car or plane, disaster could ensue and our public safety could be compromised. We must ensure that as technologies change, our safety and privacy is maintained. I thank Senator Blumenthal for his partnership on this critical issue.”

    “This critical legislation will help protect the public against cybercriminals who exploit advances in technology like wireless-connected aircraft and self-driving cars,”

    Reply
  24. Tomi Engdahl says:

    Vulnerabilities Found in Popular Solar Park Monitoring System
    http://www.securityweek.com/vulnerabilities-found-popular-solar-park-monitoring-system

    Researchers at IT security services company SEC Consult have discovered several potentially serious vulnerabilities in solar park monitoring systems from Solar-Log. The vendor has released a firmware update to patch the flaws.

    Reply
  25. Tomi Engdahl says:

    Intrusions Without Malware: Don’t Forget the Other Sixty Percent
    http://www.securityweek.com/intrusions-without-malware-dont-forget-other-sixty-percent

    How do attackers manage to be so successful without using any malware at all? That is a great question, and it is one that would take quite a bit of detail to answer in depth and properly. At a high level though, the answer is related to a trend we’ve been seeing in information security over the last few years. Although attackers still use malicious code quite often, they have been relying less and less on it. While certainly not the only way to intrude, attackers seem to be having a field day stealing credentials, using legitimate tools, and masquerading as legitimate users. It turns out that it is fairly easy for them to do so using a variety of different techniques.

    On the technology side, I am increasingly confused by how many companies focus solely on building a better malware mousetrap. That isn’t to say that we can’t continually improve our detection and prevention capabilities around malicious code. Rather, my point is that even if a given technology is 100% effective at preventing and/or detecting malware (which is never going to be the case of course), it is still only solving 40% of the problem.

    Simply put, detection and prevention technologies that don’t also have the ability to grapple with intrusions that involve no malware at all are partially effective technologies at best. Even more so if they are stovepiped and operate in a vacuum.

    Way back, when information security was a relatively new profession, we were primarily focused on signature-based detection.

    Signature-based detection does provide good value for detecting certain types of attacks, so there is no reason to throw it away. Rather, what we soon realized is that we needed to supplement our signature-based detection with another detection approach. Enter detonation-based (sandbox-based) detection.

    Indeed, detonation-based detection has been a resounding success within the information security community.

    This is why I believe that the time has come to add a third layer to our detection approach: analytics-based detection. In my experience, analytics is the best way to detect intrusions that involve no malware at all. In order to do this, we need to look at behaviors on the network, across user and system accounts, and elsewhere.

    Granted, analytics means many different things to many different people. But to me, analytics means taking a deep understanding of attacker behavior and producing accurate models to identify when activity matching those behaviors occurs. In other words, analytics shouldn’t just be a bunch of fancy math looking for a problem to solve. It should be focused on attacker behavior and oriented towards detecting it.

    Reply
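The article argues for an analytics layer that models attacker behaviour rather than malware. As an added example (not code from the article or its author), the block below flags one such behaviour from logon records alone: a known account suddenly authenticating to several hosts it has never used, from a new source. The log lines, host names and thresholds are constructed for illustration.

```python
"""Analytics-based detection of a malware-free intrusion.

Added example, not code from the SecurityWeek article. It builds a per-user
baseline of normal logon targets and then flags a user who fans out to
several never-before-seen hosts inside a short window, the pattern a stolen
credential used for lateral movement tends to leave. Log data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records: "timestamp,user,source_host,target_host".
BASELINE_LOG = """\
2017-03-20T09:02:11,alice,ws-alice,fileserver-01
2017-03-20T09:05:40,alice,ws-alice,mail-01
2017-03-21T08:58:03,alice,ws-alice,fileserver-01
2017-03-21T14:12:55,bob,ws-bob,fileserver-01
2017-03-22T10:30:00,bob,ws-bob,git-01
"""

# Window under analysis: no malware indicator anywhere, only logons.
RECENT_LOG = """\
2017-03-27T09:01:05,alice,ws-alice,fileserver-01
2017-03-27T02:14:09,alice,ws-temp7,db-01
2017-03-27T02:15:31,alice,ws-temp7,hr-01
2017-03-27T02:17:02,alice,ws-temp7,finance-01
2017-03-27T02:19:48,alice,ws-temp7,backup-01
2017-03-27T11:40:12,bob,ws-bob,fileserver-01
"""


def parse_log(text):
    """Parse the constructed CSV format into (timestamp, user, src, dst), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, dst))
    return sorted(events)


def build_baseline(events):
    """Per user: the source hosts and target hosts seen during the learning period."""
    profile = defaultdict(lambda: {"sources": set(), "targets": set()})
    for _, user, src, dst in events:
        profile[user]["sources"].add(src)
        profile[user]["targets"].add(dst)
    return profile


def detect_lateral_movement(profile, events,
                            window=timedelta(minutes=30), max_new_targets=2):
    """Alert when a user reaches more than max_new_targets unseen hosts within one window.

    Only logons to hosts absent from the user's baseline count, so a busy but
    normal day (many logons to the usual servers) does not fire. One alert per
    user, anchored on the first logon of the offending burst.
    """
    alerts = []
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)
    for user, evs in per_user.items():
        known_targets = profile[user]["targets"]
        novel = [ev for ev in evs if ev[3] not in known_targets]
        for i, (ts, _, src, _) in enumerate(novel):
            burst = {ev[3] for ev in novel[i:] if ev[0] - ts <= window}
            if len(burst) > max_new_targets:
                alerts.append({
                    "user": user,
                    "first_seen": ts,
                    "source": src,
                    "new_source": src not in profile[user]["sources"],
                    "new_targets": sorted(burst),
                })
                break
    return alerts


def run_detection():
    """Convenience entry point: baseline from BASELINE_LOG, detection over RECENT_LOG."""
    profile = build_baseline(parse_log(BASELINE_LOG))
    return detect_lateral_movement(profile, parse_log(RECENT_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The same structure extends to other behaviours the article names, such as a legitimate admin tool run by an account that never used it before, by swapping the baseline attribute and the novelty test.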
  26. Tomi Engdahl says:

    LastPass Flaws Allow Hackers to Steal Passwords
    http://www.securityweek.com/lastpass-flaws-allow-hackers-steal-passwords

    Critical vulnerabilities found in the Chrome and Firefox extensions of the LastPass password manager can be exploited to steal passwords, warned Google Project Zero researcher Tavis Ormandy.

    Reply
  27. Tomi Engdahl says:

    Malvertising Campaign Targets Adult Websites to Distribute Ramnit Worm
    http://www.securityweek.com/malvertising-campaign-targets-adult-websites-distribute-ramnit-worm

    A new malvertising campaign has been discovered using popular adult websites (each with several million visits per month) to target primarily Canadian and UK visitors. Using pop-under ads, victims were ultimately directed to the RIG exploit kit which sought to drop Ramnit.

    Reply
  28. Tomi Engdahl says:

    “Swearing Trojan” Tactics Could Become Global Threat: Researchers
    http://www.securityweek.com/swearing-trojan-tactics-could-become-global-threat-researchers

    Check Point security researchers have warned that tactics employed by a mobile Trojan targeting users in China might become a worldwide threat when adopted by Western malware.

    Called the “Swearing Trojan”, the threat was discovered not long ago by Tencent Security researchers, who revealed that the threat can steal bank credentials and other sensitive personal information from Android devices. The malware’s name comes from Chinese swear words that were found inside the malware’s code.

    The Swearing Trojan can also bypass 2-factor authentication (2FA) security by replacing the original SMS app on the infected devices with an altered version, which allows it to intercept the one-time codes banks send to their users.

    Reply
  29. Tomi Engdahl says:

    From XP to 10, DoubleAgent pwns all your Windows?
    http://hackaday.com/2017/03/22/from-xp-to-10-doubleagent-pwns-all-your-windows/

    The Cybellum team published a new 0-day technique for injecting code and maintaining persistency on a target computer, baptized DoubleAgent. This technique uses a feature that all Windows versions since XP provide, that allows for an Application Verifier Provider DLL to be installed for any executable. The verifier-provider DLL is just a DLL that is loaded into the process and is supposedly responsible for performing run-time verifications for the application. However, its internal behaviour can be whatever an attacker wants, since he can provide the DLL himself.

    DoubleAgent: Zero-Day Code Injection and Persistence Technique
    https://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique/

    We’d like to introduce a new Zero-Day technique for injecting code and maintaining persistency on a machine (i.e. auto-run) dubbed DoubleAgent.

    DoubleAgent can exploit:

    Every Windows version (Windows XP to Windows 10)

    Every Windows architecture (x86 and x64)

    Every Windows user (SYSTEM/Admin/etc.)

    Every target process, including privileged processes (OS/Antivirus/etc.)

    DoubleAgent exploits a 15 years old legitimate feature of Windows and therefore cannot be patched.

    Code Injection

    DoubleAgent gives the attacker the ability to inject any DLL into any process. The code injection occurs extremely early during the victim’s process boot, giving the attacker full control over the process and no way for the process to protect itself.

    Reply
  30. Tomi Engdahl says:

    Data Leakage And The IIoT
    http://semiengineering.com/data-leakage-and-the-iiot/

    Connecting industrial equipment to the Internet offers big improvements in uptime and efficiency, but it adds security issues

    The Internet of Things has raised concerns about people hacking into home networks or using armies of bots to disrupt communications. But with the Industrial IoT, the stakes are significantly higher—and the effects can last much longer.

    Security tops the list of concerns as more industrial equipment is connected to the Internet, according to numerous industry insiders. That hasn’t stopped companies connecting industrial equipment to the Internet, because there are documented gains in efficiency, uptime and quality. But it has cast a shadow over these efforts, tempering how quickly companies add that connectivity and how they implement it. This is particularly true for large companies, which have more to lose, not to mention a long history of jealously guarding their data.

    There is plenty of documentation for what can go wrong. The number of cyberattacks on industry is growing as more equipment is connected to the Internet, and so is the dollar value of those attacks. A Ponemon Institute study commissioned last year by IBM concluded that the average total cost of a single data breach is $4 million, up 29% since 2013.

    “If you look at individual IIoT events, they often aren’t that important,” said Michael Ford, senior marketing development manager for Mentor Graphics‘ Valor Division. “But taken together, they can create a much bigger problem for companies.”

    In the past, the complexity and size of an operation generally provided safeguards against data theft or leakage. But with commonly used data mining tools, it’s now possible to separate out meaningless shop floor data and home in on the important events, which roughly adhere to the 80/20 rule.

    “It used to be that an employee would take out data they downloaded onto a USB,” said Ford. “But now a disgruntled employee can download the whole company’s data. Or worse, they can add data in. It would take a while before a company realizes all of the data is useless, or that everything is pointed to a competitor.”

    Reply
  31. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Tests show 10 of 54 passwords are valid in sample set from hackers claiming to have 250M iCloud records; users should change passwords — ZDNet has uncovered several loose ends with a claim regarding millions of iCloud accounts held for ransom, and questions remain.

    Apple iCloud ransom demands: The facts you need to know
    Welcome to the wonderful world of security nuance.
    http://www.zdnet.com/article/apple-icloud-ransom-what-you-need-to-know/

    Hackers are demanding Apple pay a ransom in bitcoin or they’ll blow the lid off millions of iCloud account credentials.

    Beyond the primary headline, however, there are a bevy of loose ends and nuances to ponder.

    So far, we know that a London-based hacker group, calling itself the Turkish Crime Family, has claimed to have access to 250 million accounts (at the time of writing). The hackers are threatening to reset the passwords on those iCloud accounts and remotely wipe iPhones if Apple doesn’t pay a ransom by April 7. Those demands have since changed and increased.

    For its part, Apple has said it hasn’t been hacked. In a brief statement to sister-site CNET, the company said the data came from “previously compromised third-party services,” and that it is “actively monitoring to prevent unauthorized access to user accounts.”

    ZDNet obtained a set of 54 credentials from the hacker group for verification. All the 54 accounts were valid

    data “could be aggregated from various sources.”

    We started working to contact each person, one by one, to confirm their password.

    However, 10 people in total confirmed that their passwords were accurate, and have now changed them.

    According to the responses, most of the people had the same passwords on their accounts for “about four or five years” since iCloud’s debut.

    Most of the people we spoke to confirmed that they used their iCloud email address and password on other sites, such as Facebook and Twitter.

    It’s clear that there’s something to the hackers’ claims, given that they have some working iCloud account credentials. But it’s not known exactly how many

    it’s evident that the group is naïve and inexperienced

    The group also appears disorganized

    “A breach means nothing in 2017 when you can just pull the exact same user information in smaller scales through companies that aren’t as secure,” said the group in a Pastebin post.

    Reply
  32. Tomi Engdahl says:

    Google proposes sending Symantec to TLS sin bin
    http://www.zdnet.com/article/google-proposes-sending-symantec-to-tls-sin-bin/

    Certificates from Symantec would have their trust period reduced to nine months under Google’s plan.

    Google has announced plans to reduce the trust in Symantec TLS certificates until a point is reached in early 2018 where Chrome 64 will only trust certificates issued for 279 days or less from the security giant and its subsidiaries.

    Posting to the Blink development mailing list, Google engineer Ryan Sleevi said that following a “series of failures” by Symantec, Google believes its users face significant risk.

    “Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance

    “Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance

    Sleevi proposed removing Symantec’s Extended Validation status for at least one year, and requiring all existing valid certificates issued by the company to be reissued.

    Sleevi pointed out that due to Symantec providing more than 30 percent of all certificates, an outright and immediate ban would not work, hence the gradual reduction in trust.

    “Distrusting such CAs creates further difficulty for providing secure connections to both old and new devices alike, due to the need to ensure the CA a site operator uses is recognised across these devices.”

    In October 2015, Google fired a warning shot at Symantec

    Earlier this year, Symantec revoked a number of misused certificates

    Reply
  33. Tomi Engdahl says:

    Sascha Segan / PC Magazine:
    T-Mobile introduces Scam ID to flag scam calls, and opt-in Scam Block service to block them

    T-Mobile Will Now Flag Scam Calls
    http://uk.pcmag.com/cell-phone-service-providers-products/88521/news/t-mobile-will-now-flag-scam-calls

    T-Mobile has a new feature that will flag “known scam” calls for its wireless users, according to Grant Castle, the company’s VP of engineering services.

    Scam ID will pop up an indicator that a call is a “likely scam” if it’s coming from a number identified in PrivacyStar’s database of scam callers, Castle said. T-Mobile won’t block those calls, because FCC regulations prohibit carriers from blocking calls automatically. But subscribers can opt into “Scam Block,” which uses PrivacyStar’s database to block numbers listed there.

    This won’t affect telemarketing calls, Castle said. It’s just about stopping scammers, such as those posing as IRS agents.

    T-Mobile’s move comes a day after the FCC put out a press release floating new ways to stop robocalls, most of which involve lightening up on the regulations preventing carriers from blocking calls.

    The agency said it’s looking at letting carriers block calls from numbers that couldn’t possibly dial out, from area codes that don’t exist, or from numbers that haven’t been assigned to anyone yet.

    Testing this concept reduced IRS scam calls by about 90 percent in the third quarter of 2016, according to the agency.

    Reply
  34. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Chrome to immediately stop recognizing extended validation status of Symantec-issued certs and gradually nullify all currently valid certs of Symantec-owned CAs

    Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs [updated]
    Chrome to immediately stop recognizing EV status and gradually nullify all certs.
    https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/

    In a severe rebuke of one of the biggest suppliers of HTTPS credentials, Google Chrome developers announced plans to drastically restrict transport layer security certificates sold by Symantec-owned issuers following the discovery they have allegedly mis-issued more than 30,000 certificates.

    Effective immediately, Chrome plans to stop recognizing the extended validation status of all certificates issued by Symantec-owned certificate authorities, Ryan Sleevi, a software engineer on the Google Chrome team, said Thursday in an online forum. Extended validation certificates are supposed to provide enhanced assurances of a site’s authenticity by showing the name of the validated domain name holder in the address bar. Under the move announced by Sleevi, Chrome will immediately stop displaying that information for a period of at least a year. In effect, the certificates will be downgraded to less-secure domain-validated certificates.

    More gradually, Google plans to update Chrome to effectively nullify all currently valid certificates issued by Symantec-owned CAs. With Symantec certificates representing more than 30 percent of the Internet’s valid certificates by volume in 2015, the move has the potential to prevent millions of Chrome users from being able to access large numbers of sites.

    Thursday’s announcement is only the latest development in Google’s 18-month critique of practices by Symantec issuers.

    Reply
  35. Tomi Engdahl says:

    Garrett M. Graff / Wired:
    Inside the FBI’s hunt for notorious Russian hacker and Zeus malware creator Evgeniy Bogachev, who has intelligence ties and a $3M bounty on his head

    Inside the Hunt for Russia’s Most Notorious Hacker
    https://www.wired.com/2017/03/russian-hacker-spy-botnet/

    On the morning of December 30, the day after Barack Obama imposed sanctions on Russia for interfering in the 2016 US election, Tillmann Werner was sitting down to breakfast in Bonn

    The news about the sanctions had broken overnight, so Werner, a researcher with the cybersecurity firm CrowdStrike, was still catching up on details. Following a link to an official statement, Werner saw that the White House had targeted a short parade’s worth of Russian names and institutions—two intelligence agencies, four senior intelligence officials, 35 diplomats, three tech companies, two hackers. Most of the details were a blur. Then Werner stopped scrolling. His eyes locked on one name buried among the targets: Evgeniy Mikhailovich Bogachev.

    Reply
  36. Tomi Engdahl says:

    Dishwasher has directory traversal bug
    Thanks a Miele-on for making everything dangerous, Internet of things security slackers
    https://www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/

    Don’t say you weren’t warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report it’s accused of ignoring.

    The utterly predictable bug report at Full Disclosure details CVE-2017-7240, “Miele Professional PG 8528 – Web Server Directory Traversal”.

    “The corresponding embedded Web server ‘PST10 WebServer’ typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks.”

    [CVE-2017-7240] Miele Professional PG 8528 – Web Server Directory Traversal
    http://seclists.org/fulldisclosure/2017/Mar/63

    Miele Professional PG 8528 (washer-disinfector) with ethernet interface.

    The corresponding embedded webserver “PST10 WebServer” typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks.

    Reply
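The advisory above describes a directory traversal in an embedded web server. As an added example (not code from Miele, the PST10 WebServer, or the advisory), the block below puts the unchecked path join that causes this bug class next to a resolver that refuses any request escaping the document root; the document root and request paths are constructed for illustration.

```python
"""Hardened static-file path resolution for an embedded web server.

Added example, not code from Miele's PST10 WebServer or the Full Disclosure
advisory. It contrasts the traversal-prone pattern with a resolver that
checks containment, and gives a small audit helper for regression testing.
DOC_ROOT and all request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # hypothetical document root


def resolve_unchecked(doc_root, request_path):
    """The traversal-prone pattern: decode and join, with no containment check.

    Any '..' segment in the request walks the result out of doc_root.
    """
    return posixpath.join(doc_root, unquote(request_path).lstrip("/"))


def resolve_hardened(doc_root, request_path):
    """Return the filesystem path to serve, or None if the request must be refused.

    1. Decode percent-encoding exactly once.
    2. Reject NUL bytes, backslashes and any '%' left after decoding
       (double-encoded input such as %252e is refused rather than re-decoded).
    3. Collapse '.' and '..' segments lexically.
    4. Require the result to be the root itself or strictly below it, comparing
       on a separator boundary so that '/srv/www2' does not pass for '/srv/www'.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded or "\\" in decoded or "%" in decoded:
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def audit_requests(doc_root, request_paths):
    """Map each request path to the path that would be served, or None if refused."""
    return {p: resolve_hardened(doc_root, p) for p in request_paths}


if __name__ == "__main__":
    # Constructed probe set: legitimate requests and encoded traversal attempts.
    probes = ["/index.html", "/css/../index.html", "/../../etc/passwd",
              "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd"]
    for request, served in audit_requests(DOC_ROOT, probes).items():
        print(f"{request:32} -> {served}")
```

The check is purely lexical; a real handler that serves from a directory containing symlinks should also resolve the candidate with os.path.realpath and repeat the containment test on the result.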
  37. Tomi Engdahl says:

    North Korea’s Rising Ambition Seen in Bid to Breach Global Banks
    https://www.nytimes.com/2017/03/25/technology/north-korea-hackers-global-banks.html?_r=1

    When hackers associated with North Korea tried to break into Polish banks late last year they left a trail of information about their apparent intentions to steal money from more than 100 organizations around the world, according to security researchers.

    The list of targets, which has not been previously reported, is part of a growing body of evidence showing how North Korea, a country that is cut off from much of the global economy, is increasingly trying to use its cyberattack abilities to bring in cash — and making progressively bolder attempts to do so.

    North Korea’s hacking network is immense, encompassing a group of 1,700 hackers aided by more than 5,000 trainers, supervisors and others in supporting roles, South Korean officials estimate. Because of the country’s poor infrastructure, the hackers typically work abroad, in places like China, Southeast Asia and Europe. Like other North Koreans allowed to work abroad, the hackers are constantly monitored by minders for possible breaches in allegiance to the government.

    The security firm Symantec said it believed that the hackers behind the Poland attack were also behind two other major breaches: the theft of $81 million from the central bank of Bangladesh and a 2014 attack on Sony Pictures, which rocked the film industry.

    Reply
  38. Tomi Engdahl says:

    Exclusive: Some Bangladesh Bank officials involved in heist – investigator
    Mon Dec 12, 2016
    http://www.reuters.com/article/us-cyber-heist-bangladesh-exclusive-idUSKBN1411ST

    Some Bangladesh central bank officials deliberately exposed its computer systems and enabled hackers to steal $81 million from its account at the Federal Reserve Bank of New York in February, a top police investigator in Dhaka told Reuters on Monday.

    Reply
  39. Tomi Engdahl says:

    Hackers who attacked banks tried to frame Russians – is North Korea really behind it?

    Hackers who attacked banks around the world tried to pin the intrusions on Russian hackers. The framing attempts were found in cases examined by the security company BAE Systems, which analysed malware samples from 31 different countries and 104 different organisations.

    The security company found Russian words and phrases in the samples that appeared to be the output of translation tools. In many places, the translation tools’ output did not sound reasonable at all.

    Banks in Poland, Mexico and Uruguay have been attacked, and BAE’s researchers found that the malware used in the attacks has similarities with a tool Lazarus has used in the past.

    Source: http://www.tivi.fi/Kaikki_uutiset/pankkeihin-hyokanneet-hakkerit-yrittivat-lavastaa-venalaisia-taustalla-oikeasti-pohjois-korea-6626585

    Reply
  40. Tomi Engdahl says:

    London terror attack: Encryption on messaging services unacceptable, says UK home secretary
    http://www.firstpost.com/world/westminister-attack-encryption-on-messaging-services-unacceptable-says-uk-home-secretary-3353062.html

    London: Encrypted messaging services like WhatsApp must make their platforms accessible to intelligence agencies, a top British security official declared on Sunday, amid reports that the Westminster attacker used the service minutes before his assault on Parliament.

    Home Secretary Amber Rudd said it is “completely unacceptable” for messaging services to provide end-to-end encryption that means security services cannot listen to plots being discussed.

    “We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,” she said. Rudd also urged technology companies to do a better job at preventing the publication of material that promote extremism.

    Reply
  41. Tomi Engdahl says:

    Over 14K ‘Let’s Encrypt’ SSL Certificates Issued To PayPal Phishing Sites
    https://it.slashdot.org/story/17/03/25/2222246/over-14k-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites

    During the past year, Let’s Encrypt has issued a total of 15,270 SSL certificates that contained the word ‘PayPal’ in the domain name or the certificate identity. Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store… Lynch, who points out the abuse of Let’s Encrypt’s infrastructure, doesn’t blame the Certificate Authority (CA), but nevertheless, points out that other CAs have issued a combined number of 461 SSL certificates containing the term “PayPal” in the certificate information, which were later used for phishing attacks…

    14,766 Let’s Encrypt SSL Certificates Issued to PayPal Phishing Sites
    https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/

    During the past year, Let’s Encrypt has issued a total of 15,270 SSL certificates that contained the word “PayPal” in the domain name or the certificate identity.

    Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store.

    Reply
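As an added example (not code from the article or from Vincent Lynch's analysis), a defender-side triage heuristic for the pattern described above: given Certificate Transparency style records, flag certificates whose names mention a brand but are not under a zone that brand actually owns. The brand, the owned zone and every record below are constructed for illustration; a real run would feed parsed CT log entries.

```python
"""Brand-keyword screening of certificate names (added example, constructed data)."""
import re
from dataclasses import dataclass

BRAND = "paypal"
OWNED_ZONES = ("paypal.com",)  # assumption: zones the brand legitimately controls
# Undo common obfuscations before matching: separators between letters and
# digit-for-letter swaps (paypa1, p4ypal). Homoglyph (IDN) handling is out of scope.
_DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


@dataclass(frozen=True)
class CertRecord:
    subject_cn: str
    sans: tuple  # subjectAltName DNS entries
    issuer: str


def all_names(rec):
    """Every DNS name a certificate vouches for: the CN plus each SAN, lower-cased,
    with a leading wildcard label removed."""
    names = set()
    for n in (rec.subject_cn, *rec.sans):
        n = n.lower()
        names.add(n[2:] if n.startswith("*.") else n)
    return names


def normalise(name):
    """Strip separators and digit swaps so 'secure-paypa1-login' matches 'paypal'."""
    return re.sub(r"[-_.]", "", name).translate(_DIGIT_SWAPS)


def mentions_brand(rec, brand=BRAND):
    return any(brand in normalise(n) for n in all_names(rec))


def is_owned(name, zones=OWNED_ZONES):
    """Legitimate only if the name is the brand's zone or a subdomain of it."""
    return any(name == z or name.endswith("." + z) for z in zones)


def triage(records, brand=BRAND, zones=OWNED_ZONES):
    """Return (mentioning, flagged, ratio): certificates that mention the brand,
    those among them with at least one name outside the owned zones, and the
    fraction flagged (the page's 14,766 / 15,270 figure is this ratio at scale)."""
    mentioning = [r for r in records if mentions_brand(r, brand)]
    flagged = [r for r in mentioning
               if not all(is_owned(n, zones) for n in all_names(r))]
    ratio = len(flagged) / len(mentioning) if mentioning else 0.0
    return mentioning, flagged, ratio


# Constructed records resembling CT log entries; issuer names are placeholders.
SAMPLE = (
    CertRecord("www.paypal.com", ("paypal.com",), "CA-A (constructed)"),
    CertRecord("paypal.com.verify-account.example", (), "CA-B (constructed)"),
    CertRecord("secure-paypa1-login.example", ("*.secure-paypa1-login.example",), "CA-B (constructed)"),
    CertRecord("pay-pal.example", (), "CA-B (constructed)"),
    CertRecord("mail.example", (), "CA-A (constructed)"),
)
```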
  42. Tomi Engdahl says:

    IoT Devices are Dramatically Expanding Your Digital Footprint
    http://www.securityweek.com/iot-devices-are-dramatically-expanding-your-digital-footprint

IoT Devices are Dramatically Expanding Your Digital Footprint

IoT devices are the rage for consumers and business alike. While sound business has always been data-driven, consumers have latched onto data and remote control capabilities. IoT devices are convenient, giving us access and availability to things previously not possible unless you were physically in front of the device. They also can produce useful data for us to process and use to make better decisions.

    IoT devices are giving me a sense of Déjà vu… like I have had to deal with this before … a few times.

    Circa 2000-2005 when Virtual Machines started to become the go-to technology of the time, many a CIO was raising their fist in victory by consolidating physical hardware into a virtualized environment and claiming cost savings. Only the cost savings were negligible or non-existent when you factored in the massive expansion of the digital footprint that now had to be secured and managed.

    Fast forward to the 2009’ish timeframe and a magical term called BYOD started to show up.

    Just like VM’s and BYOD/Mobile, IoT devices can also create a major risk for organizations – by dramatically expanding their level of presence. All of these devices create more opportunities for cybercriminals to exploit. And I’ve read many reports projecting the number of “smart” devices to double or triple within the next four years. Most of these devices are consumer-based, lack basic cybersecurity features and are not under centralized management. Just look around your office and what do you see?

    Not only are there more devices expanding your digital footprint, business and personal devices, apps and data are being co-mingled more than ever. What this all adds up to is potentially the largest digital footprint that is NOT under proper security management.

    Cybercriminals recognize this!

And right now there is huge opportunity to cause harm via IoT devices, which is why I wrote that we will see increasingly creative IoT attacks in the coming year.

The latest IoT-related threat to emerge in 2017 is Imeij, which has been detected in the wild targeting equipment made by Taiwanese manufacturer AVTech. Proofs of concept are also occurring, with researchers highlighting how PLC controllers can be hacked and potentially taint water supply.

    The reality is that IoT devices will continue to grow and be used by more individuals and businesses. The challenge is to account for these devices in your overall security and risk management process.

1. Get your policy in place. At the end of the day, it all starts with policy. The first step an organization needs to undertake is to define what IoT is and how it should be utilized within the organization via a policy that everyone can reference.

    2. Designate clear ownership and accountability. For example, IoT devices intersect physical and logical security, so who in your organization owns this risk? Who is accountable?

3. Segment your network. The trusted cybersecurity best practice of network segmentation applies to IoT device risk. Devices designated as IoT should live in their own zone and not be co-mingled with other traditional IT devices.

    4. Information Technology Governance. In relation to item #1 above, IoT devices should be put through an IT Governance process before they can be placed into production – and that starts with procurement.

    To be clear, I think IoT devices provide many productivity and information benefits. I’m for them. But, as with anything new, you need to prepare and plan for these devices being in your environment to maximize the value they provide, while minimizing the inherent risk of these network-enabled devices.

    Reply
  43. Tomi Engdahl says:

    Google Stops Trusting Symantec-Issued Certificates
    http://www.securityweek.com/google-stops-trusting-symantec-issued-certificates

    Google is displeased with the fact that Symantec has failed to ensure that its partners don’t improperly issue digital certificates, which is why the tech giant has announced its intent to gradually stop trusting all of the company’s existing certificates in Chrome.

    Symantec, and particularly some of its subsidiaries and WebTrust audited partners, have been caught by Google and others wrongly issuing certificates. In 2015, Google told Symantec to step up its game after a subsidiary certificate authority (CA) issued unauthorized google.com certificates.

    More recently, Symantec’s GeoTrust and Thawte were found to have wrongly issued more than 100 certificates, including for domains such as test.com and example.com.

    According to Google software engineer Ryan Sleevi, an investigation revealed that Symantec’s partners misissued at least 30,000 certificates in the past years.

    Reply
  44. Tomi Engdahl says:

    What CISOs Can Learn from ER Doctors
    http://www.securityweek.com/what-cisos-can-learn-er-doctors

    By Working Together and Sharing Missteps, Defenders Can Gain Crucial Security Insights and Prevent the Spread of Attacks

    One of the areas that is still a major sore point in the security industry is cross-organization knowledge sharing. Most organizations operate in silos, unwilling to discuss their approach to security with any others for a variety of reasons. Part of this is to maintain security in itself – if others know what they are doing to protect themselves, potentially that knowledge could be exploited. But more often, it’s a fear of judgment or retribution that prevents companies from openly discussing their security tactics with others.

    Reply
  45. Tomi Engdahl says:

    JobLink Breach Affects Job Seekers in 10 States
    http://www.securityweek.com/joblink-breach-affects-job-seekers-10-states

    America’s JobLink (AJL), a multi-state online service that connects job seekers with employers, informed users last week that a malicious hacker breached the company’s systems.

The breach could impact as many as 4.8 million accounts across the ten states.

    At least one law firm is urging affected job seekers to step forward, which indicates that AJL is facing a lawsuit.

    Reply
  46. Tomi Engdahl says:

    Windows Zero-Day Exploited by AdGholas, Neutrino EK
    http://www.securityweek.com/windows-zero-day-exploited-adgholas-neutrino-ek

    One of the Windows zero-day vulnerabilities patched by Microsoft this month has been exploited by cybercriminals since last summer, Trend Micro said on Friday.

    Microsoft fixed many vulnerabilities with the March 2017 Patch Tuesday updates, including three flaws that had been exploited in the wild before patches were made available.

    One of the flaws, tracked as CVE-2017-0022, has been described as an XML Core Services information disclosure vulnerability that can be exploited through Internet Explorer by getting the targeted user to click on a specially crafted link.

    Reply
  47. Tomi Engdahl says:

    Researcher Builds WMI-Based Hacking Tool in PowerShell
    http://www.securityweek.com/researcher-builds-wmi-based-hacking-tool-powershell

    Researcher Builds WMI-Based RAT in PowerShell

    Security researcher Christopher Truncer released a WMI-based agentless post-exploitation RAT that he developed in PowerShell.

Last year, Truncer released a PowerShell script capable of carrying out different actions via Windows Management Instrumentation (WMI), both on the local and on remote machines. Dubbed WMImplant, the newly released Remote Access Tool (RAT) builds on that script, says Truncer, who is a security researcher and Red Teamer at Mandiant.

    Reply
  48. Tomi Engdahl says:

    14,766 Let’s Encrypt SSL Certificates Issued to PayPal Phishing Sites
    https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/

    During the past year, Let’s Encrypt has issued a total of 15,270 SSL certificates that contained the word “PayPal” in the domain name or the certificate identity.

    Of these, approximately 14,766 (96.7%) were issued for domains that hosted phishing sites, according to an analysis carried out on a small sample of 1,000 domains, by Vincent Lynch, encryption expert for The SSL Store.

    Reply
  49. Tomi Engdahl says:

    Olivia Solon / The Guardian:
    Facial recognition databases used by FBI have photos of about half of US adults without consent; algorithm for matches more likely to misidentify black people

    Facial recognition database used by FBI is out of control, House committee hears
    https://www.theguardian.com/technology/2017/mar/27/us-facial-recognition-database-fbi-drivers-licenses-passports

    Database contains photos of half of US adults without consent, and algorithm is wrong nearly 15% of time and is more likely to misidentify black people

    Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people.

    These are just some of the damning facts presented at last week’s House oversight committee hearing, where politicians and privacy campaigners criticized the FBI and called for stricter regulation of facial recognition technology at a time when it is creeping into law enforcement and business.

    Reply
