2017 will bring no turn towards better data security. The internet is rife with threats, both well-known and unknown, and companies' systems are expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to keep looking for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential to the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is a push for better web security in 2017. Starting New Year's Day, Google's Chrome will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP pages that transmit passwords or credit card details are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
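To see what the Chrome 56 rule means for a site owner, here is a small audit script, added here as an example and not part of the original post: it parses a page the way a crawler would and reports the condition Chrome flags, a password or credit-card field delivered over plain HTTP. The sample pages and the `shop.example` host names are constructed; the extra check for a password form on an HTTPS page whose action posts to HTTP goes beyond the Chrome 56 rule quoted above and is this example's own addition.

```python
"""Audit HTML pages for the condition Chrome 56 marks as "not secure":
a password or credit-card field on a page served over plain HTTP.

Added example, not code from the original post. Sample pages constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# autocomplete tokens that identify credit-card fields (HTML autofill spec)
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}


class _FormScanner(HTMLParser):
    """Collects every sensitive <input> together with the action of its <form>."""

    def __init__(self):
        super().__init__()
        self._form_action = None
        self.fields = []  # list of (field kind, form action or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action")
        elif tag == "input":
            kind = None
            if (a.get("type") or "text").lower() == "password":
                kind = "password"
            elif (a.get("autocomplete") or "").lower() in SENSITIVE_AUTOCOMPLETE:
                kind = "credit-card"
            if kind:
                self.fields.append((kind, self._form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_page(page_url, html):
    """Return a list of findings for one page; empty means the page is not flagged."""
    scanner = _FormScanner()
    scanner.feed(html)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for kind, action in scanner.fields:
        # the Chrome 56 condition: sensitive field on a non-HTTPS page
        if page_scheme != "https":
            findings.append(f"{kind} field on page served over {page_scheme}")
            continue
        # extra check (this example's own): HTTPS page, but the form posts over HTTP
        target = urljoin(page_url, action) if action else page_url
        if urlparse(target).scheme != "https":
            findings.append(f"{kind} field posts to non-HTTPS action {target}")
    return findings


# Constructed sample pages keyed by the URL they were fetched from.
SAMPLE_PAGES = {
    "http://shop.example/login": '<form action="/session"><input name="u"><input type="password" name="p"></form>',
    "http://shop.example/checkout": '<form action="https://pay.example/charge"><input autocomplete="cc-number"></form>',
    "https://shop.example/login": '<form action="/session"><input type="password"></form>',
    "https://shop.example/legacy": '<form action="http://old.shop.example/auth"><input type="password"></form>',
    "http://shop.example/about": "<p>No forms here</p>",
}


def audit_all(pages=SAMPLE_PAGES):
    """Audit every page and return {url: findings}."""
    return {url: audit_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, "->", findings or "ok")
```

Run against a real crawl, the same `audit_page` call produces the list of pages that need to move to HTTPS before the warning appears for visitors.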
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 certificates from that date and will mark these websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are too lazy to make the change.
There will be changes in how businesses view security in 2017. Cloud adoption will likely continue to grow across the United States, network visibility will no longer be just an option, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have formal plans for handling cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won't be much better, sorry. DDoS attacks have been around since at least 2000, and they're not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are increasing too. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in the DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks as a tool for extortion. Expect the Internet of Things (IoT) and other connected devices to play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices worth 4.5 billion dollars were sold (most of them in smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics won't kill passwords any time soon. Even though PIN codes and passwords are pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world's population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee's Encryption Working Group says in its latest report that encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh short-term benefits against long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud becoming insecure, with extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial-of-service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they're not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are increasing too. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company's Internet connection or servers, which means increased use of telecom operator and external services. In addition to disrupting service, denial-of-service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool's errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly viewed as a risk management problem.
In 2017 'security' must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who've read George Orwell's book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it's set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or give up eating their favourite food, in exchange for better online security, meaning they'd never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren't even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It's time to look at this at a multi-system, multi-disciplinary level. Otherwise, we could literally be playing with fire.
Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain platform and offers it in its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchains in its Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to use the cloud for their blockchains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
Tomi Engdahl says:
SNMP Authentication Bypass Plagues Numerous Devices
http://www.securityweek.com/snmp-authentication-bypass-plagues-numerous-devices
The Simple Network Management Protocol (SNMP) embedded in some Internet connected devices allows an attacker to bypass authentication by simply sending random values in specific requests, security researchers have discovered.
SNMP is a popular protocol for network management that features support for three ways to authenticate the client and requests on remote SNMP devices. The first two of these are vulnerable to an authentication bypass if random values are sent in requests, security researchers Ezequiel Fernandez (Argentina) and Bertin Bervis (Costa Rica) argue.
The issue, the researchers say, resides in the manner in which the SNMP agent in different devices (usually cable modems) handles a human-readable string datatype value called “community string” that SNMP version 1 and 2 use.
Called StringBleed and tracked as CVE-2017-5135, the vulnerability is referred to as Incorrect Access Control and could allow an attacker to execute code remotely on the vulnerable device. Successful exploitation would provide them with "full read/write remote permissions using any string/integer value," the researchers argue.
https://github.com/string-bleed/StringBleed-CVE-2017-5135
Tomi Engdahl says:
New SCADA Flaws Allow Ransomware, Other Attacks
http://www.securityweek.com/new-scada-flaws-allow-ransomware-other-attacks
SINGAPORE — SECURITYWEEK 2017 ICS CYBER SECURITY CONFERENCE | SINGAPORE — Mission-critical control systems that don’t pose an obvious risk can be hijacked and leveraged for attacks by profit-driven cybercriminals and other threat actors, researchers warned.
Tomi Engdahl says:
State-Affiliated Hackers Responsible for Nearly 1 in 5 External Data Breaches: Verizon DBIR
http://www.securityweek.com/state-affiliated-hackers-responsible-nearly-1-5-external-data-breaches-verizon-dbir
The Verizon Data Breach Investigations Report (DBIR) is the industry's go-to analysis of security incidents and successful breaches over the previous year. The latest report was published Thursday.
The 2017 DBIR (PDF) marks the report’s 10-year anniversary. Over the last decade, it has grown from an analysis of Verizon’s own breach data knowledgebase to now include breach data from 65 different organizations. The latest report includes analyses of 42,068 incidents and 1,935 breaches from 84 countries.
Highlights show that the insider threat remains fairly constant as the cause of 25% of breaches, but with 75% being perpetrated by outsiders. The externally-caused breaches, according to Verizon, comprise 51% involving organized crime groups, 18% from state-affiliated actors, 3% comprising multiple parties, and 2% involving partners.
Sixty-two percent of all breaches involved hacking, and 81% of those leveraged either stolen and/or weak passwords. The clear implication is that both organizations and individuals are still, or at least in 2016 were still, not exercising adequate password hygiene; that is, strong and regularly changed passwords.
http://www.verizonenterprise.com/resources/reports/rp_DBIR_2017_Report_en_xg.pdf
Tomi Engdahl says:
Mysterious Hajime Botnet Grows to 300,000 IoT Devices: Kaspersky
http://www.securityweek.com/mysterious-hajime-botnet-grows-300000-iot-devices-kaspersky
Tomi Engdahl says:
Get Your Security in Shape for the Public Cloud
http://www.securityweek.com/get-your-security-shape-public-cloud
A framework should be a vehicle for action – a way to structure how you think about the public cloud, breaking the transition down into phases and approaching it in an organized way, but flexible enough to accommodate change. It must help you address questions like: What infrastructure, apps, and data are moving to the public cloud and when? Are the controls we have sufficient and if so how do they translate to the cloud? If they aren’t sufficient, or if shifting to the cloud will introduce gaps in our defenses, what security precautions can we take? As we consume new apps and services from the cloud can we adapt security easily and cost-effectively?
Providers of cloud services are building security into their SaaS offerings which can get you started. But think about the many different ways users will want to use services like Office 365, Google, Box, Dropbox, Salesforce, etc. For example, accessing email and documents from an unmanaged PC, sharing data with third parties, or tracking sales and forecasting which includes sensitive customer information and credit card data. How well do your current cloud services address these use cases and are there gaps?
Not only do you have to consider boosting protection for sanctioned app usage, you also have to contend with shadow IT. Users can easily purchase whatever tools they feel they need to get their jobs done without ever involving the IT organization. Obviously, you can’t protect what you can’t see. What tools are available to protect all the cloud apps in your environment?
According to Gartner, by 2018, the 60% of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures. Looking at just Office 365 deployments, by 2018, 40% will rely on third-party tools to fill in gaps in security and compliance, which is a major increase from fewer than 10% in 2015.
Tomi Engdahl says:
Jeff John Roberts / Fortune:
Google and Facebook were victims of a $100M phishing scam by a Lithuanian man arrested in March 2017; both companies say they have recouped the funds
Exclusive: Facebook and Google Were Victims of $100M Payment Scam
http://fortune.com/2017/04/27/facebook-google-rimasauskas/
When the Justice Department announced the arrest last month of a man who allegedly swindled more than $100 million from two U.S. tech giants, the news came wrapped in a mystery. The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme.
The mystery is now unraveled. A Fortune investigation
The criminal case shows how scams involving email phishing and fake suppliers can victimize even the most sophisticated, tech-savvy corporations. But the crime also raises questions about why the companies have so far kept silent and whether—as a former head of the Securities and Exchange Commission observes—it triggers an obligation to tell investors about what happened.
The Heist
In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies.
The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe.
the feds hailed cooperation among international law enforcement, and said they had recovered much of the money.
Rimasauskas, however, denies the allegations.
Company 1 and Company 2
Quanta Computer, which was founded in Taiwan in 1988, is a major supplier of parts to U.S. tech companies. Its contracts have included parts for Apple watches and for Amazon's Kindle e-reader.
In the Justice Department’s indictment, Quanta simply appears as “Company-1..an Asian-based manufacturer of computer hardware… established in or about the late 1980s.”
In late March, Quanta publicly acknowledged it was the innocent supplier named in the indictment
In response to an email from Fortune, Facebook confirmed it was one of the victims of the fraud.
“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation,” said a company spokesperson.
Google this week confirmed it had been targeted.
“We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved,” said a Google spokesperson.
A Material Event?
When a publicly traded company experiences a significant event, federal securities law requires it to disclose this to investors. Such an incident (a “material event” in legal lingo) might include the departure of an executive or a problem with an important product—or a fraud worth tens of millions of dollars.
A review of public records from Facebook and Google indicates neither company has disclosed the wire fraud incident at all.
This omission does not necessarily violate SEC guidelines.
But the “material event” in this case may amount to more than the company losing some money
“I think companies need to be looking more broadly than that – not just at operational direct loss,” said White. “There’s the possibility of reputational damage. What does this say about internal controls over assets?”
Tomi Engdahl says:
Hackers uncork experimental Linux-targeting malware
SSH… it’s Shishiga
https://www.theregister.co.uk/2017/04/25/linux_malware/
Linux/Shishiga malware uses four different protocols (SSH, Telnet, HTTP and BitTorrent) and Lua scripts for modularity
Shishiga relies on the use of weak, default credentials in its attempts to plant itself on insecure systems through a bruteforcing attack, a common hacker tactic. A built-in password list allows the malware to try a variety of different passwords to see if any allow it in.
“to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials.”
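The advice above is preventive; the detection side of the same problem is a log check for the brute-forcing the article describes. The script below is an added example, not code from the article or from ESET: it parses OpenSSH `sshd` auth-log lines, groups them by source address, and raises an alert when a source accumulates a burst of failed logins, noting the usernames it cycled through and whether a login later succeeded from the same source (the case that needs an incident response, not just a firewall rule). The log lines, host name and addresses are constructed; the year is assumed because syslog timestamps carry none.

```python
"""Detect password brute-forcing in OpenSSH auth logs.

Added example, not code from the article. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH's syslog format.
SAMPLE_LOG = """\
Apr 25 10:01:02 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Apr 25 10:01:03 cam01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Apr 25 10:01:03 cam01 sshd[1201]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Apr 25 10:01:04 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51237 ssh2
Apr 25 10:01:05 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51238 ssh2
Apr 25 10:01:06 cam01 sshd[1201]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Apr 25 10:20:11 cam01 sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Apr 25 10:20:30 cam01 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

LOG_YEAR = 2017  # assumed: syslog lines carry no year


def parse_line(line):
    """Return a dict for an auth event line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(f"{LOG_YEAR} {event['ts']}", "%Y %b %d %H:%M:%S")
    return event


def detect_bruteforce(log_text, threshold=3, window_seconds=60):
    """Alert on sources with `threshold` failures inside `window_seconds`.

    Each alert records the usernames tried and, if a later login from the
    same source succeeded, the account that was compromised.
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        # sliding window: any `threshold` consecutive failures within the window
        burst = any(
            (failures[i + threshold - 1]["ts"] - failures[i]["ts"]).total_seconds() <= window_seconds
            for i in range(len(failures) - threshold + 1)
        )
        if not burst:
            continue
        first_fail = failures[0]["ts"]
        success = next(
            (e for e in evs if e["result"] == "Accepted" and e["ts"] >= first_fail), None
        )
        alerts.append({
            "src": src,
            "failures": len(failures),
            "users_tried": sorted({e["user"] for e in failures}),
            "compromised": success["user"] if success else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the constructed log the single alert comes from 203.0.113.5, which tried root, admin and pi and then logged in as root; alice's one typo followed by a key-based login does not trip the threshold. Feeding `/var/log/auth.log` through the same function gives the list of sources to block and accounts to rotate.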
Tomi Engdahl says:
Lily Hay Newman / Wired:
Cloudflare announces Orbit, a security solution for IoT devices
A Clever Plan to Secure the Internet of Things Could Still Have Big Drawbacks
https://www.wired.com/2017/04/clever-plan-fix-iot-security-still-drawbacks/
The Internet of Things security crisis continues apace. New botnets crop up to conscript routers and security cameras, hackers exploit medical devices to compromise entire hospital networks, and smart toys still creep on kids. Internet infrastructure company Cloudflare, though, has spent the last 18 months working on a fix.
Cloudflare’s traditional offerings range from content delivery to DDoS defense, but today it’s announcing a service called Orbit, which it conceives as a new layer of defense for IoT. It has the potential to make connected devices more secure than ever—but also raises a few questions in the process.
A VPN for IoT
Instead of focusing on patches and protections on individual devices, Orbit provides a sort of tunnel that they can automatically use to access the internet. Think of it as a VPN between IoT devices and the internet.
“The traffic to and from [IoT devices] will pass through Cloudflare’s global network. The idea is we’ll patch it in place,” says Cloudflare CEO Matthew Prince. “What sits behind us might still be vulnerable, but it buys some time for the software developer or the hardware developer to get the patch itself right and for people to apply that patch over time. So it’s an additional layer of security.”
Cloudflare will offer multiple data security options (from IP verification up to full cryptographic connection signing) to ensure that data moving through the security layer is protected. The company adds that it doesn’t keep data logs.
Orbit has already attracted at least one high-profile client in Qualcomm, along with the smart lock company Lockitron, and the industrial control company Swift Sensors. The service doesn’t replace firmware updates and other important endpoint protections (security on individual units), but should provide some structure to an out-of-control security climate. Many IoT companies simply don’t have a solid grasp on security; partnering with Cloudflare at least gives a measure of protection. One fear might be that companies will rely on Orbit as a panacea, but given that the alternative too often constitutes no investment in security at all, any protective step could be an improvement.
Tomi Engdahl says:
Charlie Savage / New York Times:
NSA halts “about the target” collection, which picked up Americans’ messages to and from people overseas that mentioned foreigners targeted for surveillance — WASHINGTON — The National Security Agency is stopping one of the most disputed forms of its warrantless surveillance program …
N.S.A. Halts Collection of Americans’ Emails About Foreign Targets
https://www.nytimes.com/2017/04/28/us/politics/nsa-surveillance-terrorism-privacy.html?_r=0
The National Security Agency said Friday that it had halted one of the most disputed practices of its warrantless surveillance program, ending a once-secret form of wiretapping that dates to the Bush administration’s post-Sept. 11 expansion of national security powers.
The agency is no longer collecting Americans’ emails and texts exchanged with people overseas that simply mention identifying terms — like email addresses — for foreigners whom the agency is spying on, but are neither to nor from those targets.
The decision is a major development in American surveillance policy.
Tomi Engdahl says:
New MacOS Malware, Signed With Legit Apple ID, Found Spying On HTTPS Traffic
http://thehackernews.com/2017/04/apple-mac-malware.html?m=1
Tomi Engdahl says:
Turkey blocks Wikipedia under law designed to protect national security
https://www.theguardian.com/world/2017/apr/29/turkey-blocks-wikipedia-under-law-designed-to-protect-national-security
Users trying to access online encyclopaedia via Turkish internet providers receive ‘connection timed out’ error message
Turkey has blocked Wikipedia, the country’s telecommunications watchdog said on Saturday, citing a law that allows it to ban access to websites deemed obscene or a threat to national security.
“After technical analysis and legal consideration … an administrative measure has been taken for this website,” the BTK watchdog said in a statement on its website.
The government has in the past denied doing so, blaming the blackouts on spikes in usage after major events. Technical experts at watchdog groups, however, say they are intentional, aimed in part at stopping the spread of militant images and propaganda.
Tomi Engdahl says:
Todd Spangler / Variety:
Hacker leaks stolen “Orange Is the New Black” season 5 episodes after Netflix failed to pay ransom; Netflix says a production vendor was compromised
Hacker Leaks Stolen ‘Orange Is the New Black’ Season 5 Episodes to Piracy Network
http://variety.com/2017/digital/news/orange-is-the-new-black-season-5-hacker-piracy-leak-1202403760/
An anonymous hacker has carried through on a threat to release “Orange Is the New Black” season five episodes online — after Netflix allegedly failed to respond to the cybercriminal’s shakedown demands.
Variety was unable to verify the authenticity of the “OITNB” episodes the hacker claimed to have shared on popular file-sharing site the Pirate Bay.
The first 10 episodes of season 5 were apparently shared shortly before 6 a.m. ET Saturday,
The content appears to have been stolen in an attack on post-production studio Larson Studios in late 2016, according to piracy-news site TorrentFreak.
In a statement Friday, Netflix said: “We are aware of the situation. A production vendor used by several major TV studios had its security compromised and the appropriate law enforcement authorities are involved.”
Tomi Engdahl says:
Lory Gil / iMore:
Check Point researchers detail Dok, OS X malware that uses a signed Apple developer certificate to bypass Gatekeeper
PSA: Again, another reason not to open attachments from strangers
http://www.imore.com/psa-again-another-reason-not-open-attachments-strangers
Don’t be scared but be aware, there’s a new malware in town and it wants your Mac.
Check Point Technologies has released detailed information about a new malware attack that is directed at Mac users. It's being called Dok and it has the potential to access a user's online communication, including secure sites. According to Check Point, it affects all versions of OS X and is not yet detectable by anti-virus software.
Tomi Engdahl says:
Flaw in Popular Framework Exposes Many ICS Devices to Attacks
http://www.securityweek.com/flaw-popular-framework-exposes-many-ics-devices-attacks
Hundreds of thousands of Industrial Internet of Things (IIoT) and industrial control systems (ICS) products could be exposed to hacker attacks due to critical vulnerabilities affecting a widely used piece of software from Germany-based 3S-Smart Software Solutions.
The flaws affect the CODESYS automation software for developing and engineering controller applications, specifically the Web Server component of the CODESYS WebVisu visualization software. The issues have been fixed by 3S-Smart Software Solutions, but experts believe it will take some time until the patch reaches all vulnerable devices.
The security holes, discovered by researchers at industrial cybersecurity startup CyberX, affect CODESYS Web Server 2.3 and prior, and they have been addressed with patch version 1.1.9.18. ICS-CERT has published an advisory describing the flaws.
Tomi Engdahl says:
THE SHADOW BROKERS
This Is How the NSA Infiltrated a Huge Banking Network in the Middle East
https://motherboard.vice.com/en_us/article/nsa-eastnets-hack-banking-network-middle-east
The NSA hacking tools dumped by The Shadow Brokers show how the spy agency broke into the major Dubai-based EastNets system.
The firm vehemently denied any breach, despite the fact that the documents appeared undeniable.
Tomi Engdahl says:
With the war far from over, privacy activists cautiously celebrate a battle won
https://techcrunch.com/2017/04/30/privacy-organizations-react-to-nsa-section-702-surveillance-change/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
After the NSA’s surprise announcement that it would pull back on a contentious surveillance tactic, privacy advocates found themselves in a strange place in 2017: They’d actually won a thing.
Tomi Engdahl says:
THE INTERNET OF SHIT
‘World’s Most Secure’ Email Service Is Easily Hackable
https://motherboard.vice.com/en_us/article/worlds-most-secure-email-service-is-easily-hackable
A service that claims to be the only way to do email in a secure way is actually riddled with flaws, opening it up to hackers, according to a researcher.
“DID YOU KNOW THAT EVERY SINGLE MAJOR EMAIL PROVIDER HAS BEEN HACKED?” shouts the site, whose tagline is “everything else is insecure.”
As it turns out, Nomx ain’t that secure either.
Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX)—hence the brand name—servers, which the company claims to be inherently “vulnerable.”
The worst issue, Helme explained, is that the Nomx’s web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website.
Tomi Engdahl says:
Charlie Demerjian / SemiAccurate:
Intel patches remote exploit that affects chips from 2008-2017 with Active Management Technology option enabled — Nehalem through Kaby all remotely and locally hackable — Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole.
Remote security exploit in all 2008+ Intel platforms
Updated: Nehalem through Kaby all remotely and locally hackable
http://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
Every Intel platform from Nehalem to Kaby Lake has a remotely exploitable security hole. SemiAccurate has been begging Intel to fix this issue for literally years and it looks like they finally listened.
Update May 1, 2017 # 3:35pm: Intel just confirmed it, but not to SemiAccurate. You can read their advisory here.
The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware. If this isn’t scary enough news, even if your machine doesn’t have SMT, ISM, or SBT provisioned, it is still vulnerable, just not over the network. For the moment. From what SemiAccurate gathers, there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.
Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.
There are two ways this vulnerability may be accessed; please note that Intel® Small Business Technology is not vulnerable to the first issue.
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT) and Intel® Standard Manageability (ISM).
CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology (SBT).
CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tomi Engdahl says:
Home Alarms Ring Up Sales
http://www.eetimes.com/author.asp?section_id=36&doc_id=1331669&
Alarm systems are becoming more valuable as products expand to include detection of fire, carbon monoxide and water leaks, as well as home automation features such as smart plugs, locks, cameras, lighting and thermostat control.
The number of monitored alarm systems in Europe is forecast to grow from 8.7 million in 2016 at a compound annual growth rate (CAGR) of 4.0 percent to reach 10.6 million in 2021, according to a new research report by Berg Insight. In North America, the number of monitored alarm systems is forecasted to grow at a CAGR of 2.9 percent from 32.1 million at the end of 2016 to 37.1 million at the end of 2021.
Small alarm systems for businesses and private homes can be divided into two main categories – local alarms and monitored alarms. The simplest type of local alarm only reacts to activation by ringing bells to scare off intruders.
A more advanced type of local alarm is a self-monitoring alarm. Upon activation, this type of alarm informs the owner of the premises by sending a text message or notification. Monitored alarms are connected to a center that can respond to an activated alarm by contacting the police or dispatching a security patrol.
Tomi Engdahl says:
IBM Supply Chain Breached as Storwize USBs Ship With Malware
http://www.securityweek.com/ibm-supply-chain-breached-storwize-usbs-ship-malware
The need to maintain security over the supply chain has been confirmed by alerts issued at the end of last week by both IBM and Lenovo. IBM has been shipping malware-infected initialization USBs for its Storwize storage systems which are used by Lenovo.
“IBM has detected that some USB flash drives containing the initialization tool shipped with the IBM Storwize V3500, V3700 and V5000 Gen 1 systems contain a file that has been infected with malicious code,” warns IBM in its alert.
Lenovo published a similar alert: “Some USB flash drives containing the initialization tool shipped with the IBM Storwize for Lenovo V3500, V3700 and V5000 Gen 1 storage systems manufactured by IBM contain a file that has been infected with malicious code. The malicious file does not in any way affect the integrity or performance of the storage systems.”
Tomi Engdahl says:
Hackers Threaten Media Firms After Stealing Unreleased TV Shows
http://www.securityweek.com/hackers-threaten-media-firms-after-stealing-unreleased-tv-shows
A group of hackers has threatened to leak unreleased TV shows and movies belonging to Netflix and various television networks after breaching the systems of a production company. The incident once again underscores the security risks posed by third-party vendors.
The hacker group calling itself “TheDarkOverlord” has leaked several unreleased episodes from season 5 of Netflix’s “Orange is the new black” TV show. They obtained the files after reportedly breaching the systems of Larson Studios, an audio post-production company in Hollywood.
The hackers told DataBreaches.net that after they breached Larson Studios in December, the company had agreed to pay them 50 bitcoins to avoid having the stolen movies leaked to the public. TheDarkOverlord said Larson later changed its mind about giving in to the extortion demand.
Tomi Engdahl says:
Researchers Expose Huge Ad Scam Operation
http://www.securityweek.com/researchers-expose-huge-ad-scam-operation
Researchers from security firm RiskIQ recently discovered a large ad scam operation where cybercriminals employed advanced automation techniques to deliver scam ads from millions of different domain names.
Tomi Engdahl says:
New controversial powers granted to Europol. Will the agency’s database soon include innocent people reported by Facebook or Twitter?
https://www.linkedin.com/pulse/new-controversial-powers-granted-europol-agencys-soon-marco-mazzeschi
Tomi Engdahl says:
Europol Probing IS Setting Up of Social Network
http://www.securityweek.com/europol-probing-setting-social-network
The Hague – European police are probing whether the Islamic State group and other extremists are setting up a social network to spread propaganda, gain funding and avoid security crackdowns, an official said Wednesday.
“We are investigating the possibility that IS and other terror groups are setting up a social media platform,” said Jan Op Gen Oorth, communications officer for the Europol policing agency.
“We are still working on identifying the full details of the account, including who has set it up and for what purpose,” Oorth told AFP, but added that it showed likely links to IS and other extremists.
The investigation comes as Europe’s policing agency struck out at online radical groups last week in a two-day operation.
Tomi Engdahl says:
WordPress Attacks Powered by Router Botnet Drop Rapidly
http://www.securityweek.com/wordpress-attacks-powered-router-botnet-drop-rapidly
A botnet powered by compromised home routers has been apparently shut down. It is unclear if the botnet operators decided to pull the plug on their operation or if the disruption was caused by law enforcement.
Security firm Wordfence warned last month that tens of thousands of vulnerable routers from dozens of ISPs worldwide had been abused for brute-force and other types of attacks aimed at WordPress websites.
Researchers said the attackers may have hijacked the devices by exploiting some known vulnerabilities that users and ISPs had failed to patch, including the flaw dubbed “Misfortune Cookie.”
However, on Tuesday, Wordfence reported that the volume of attacks had started to drop significantly over the weekend.
Tomi Engdahl says:
Netgear Patches RCE Flaws in Routers, Switches
http://www.securityweek.com/netgear-patches-rce-flaws-routers-switches
Netgear recently informed customers that it has released firmware updates for some of its routers and switches to address remote code execution and other types of vulnerabilities.
Netgear announced the launch of a bug bounty program in early January and the company has been regularly publishing security advisories and notifications over the past months. The firm has been offering between $150 and $15,000 for responsibly disclosed vulnerabilities, and it already claims to have rewarded more than 150 bug reports.
In the most recent advisories, Netgear informed users about the existence of CVE-2017-6862, a buffer overflow vulnerability that can be exploited by a remote attacker to bypass authentication and execute arbitrary commands.
The flaw, discovered by Maxime Peterlin of ON-X, affects WNR2000v3, WNR2000v4, WNR2000v5 and R2000 routers. Firmware updates that patch the vulnerability are available for all impacted models.
Tomi Engdahl says:
Fuze Collaboration Platform Allowed Anyone to Download Recorded Meetings
http://www.securityweek.com/fuze-collaboration-platform-allowed-anyone-download-recorded-meetings
As globalization and mobility both advance, organizations are turning to web-based unified communications systems as a means of improving collaboration and reducing costs. Fuze is one such service. It offers voice (with conferencing), video (with conferencing) and messaging, all from anywhere at any time and any device.
The security of web-based third-party service providers is a major concern for business, where security audits are difficult and expensive. It often comes down to reputation: if other major businesses are using a particular service, it must be good.
Fuze has a number of major clients, including Associated Press, USAuto Sales and ThoughtWorks. But reputation does not equal security, as Rapid7 researcher Samuel Huckins discovered in February 2017 and disclosed today. Huckins discovered ‘improper access control’ of Fuze meetings.
Tomi Engdahl says:
Evolution and Escalation: Two Key Cyber Threat Trends
http://www.securityweek.com/evolution-and-escalation-two-key-cyber-threat-trends
Existing threats escalated and new threats emerged in a turbulent 2016. Ransomware spiked, IoT-based DDoS threatened the internet, political subversion and sabotage grew, and hackers moved towards non-malware based attacks — or ‘living off the land’. These and more threats are highlighted in Symantec’s new Internet Security Threat Report (ISTR).
https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf
Tomi Engdahl says:
Intel Warns of Critical Vulnerability in Processor Firmware
http://www.securityweek.com/intel-warns-critical-vulnerability-processor-firmware
Nine-Year-Old Critical Vulnerability Affects Intel Active Management Technology
Intel issued a critical alert Monday concerning an escalation of privilege vulnerability affecting Intel Active Management Technology (AMT), Intel Small Business Technology (SBT), and Intel Standard Manageability. Firmware updates are available in all cases — but that’s not the end of the story.
While the Intel alert states, “This vulnerability does not exist on Intel-based consumer PCs,” security commentators such as Charlie Demerjian suggest “there is literally no Intel box made in the last 9+ years that isn’t at risk. This is somewhere between nightmarish and apocalyptic.” The vulnerability affects every Intel system from Nehalem in 2008 to Kaby Lake in 2017.
According to Intel, the vulnerability (CVE-2017-5689) can be accessed in two ways. Where AMT and ISM have been provisioned, an unprivileged network attacker could gain system privileges. Where not provisioned, a local attacker could provision them and gain local system privileges on AMT, ISM and SBT. Intel gives no details on the vulnerability itself.
AMT is intended to give IT departments a means to manage client systems. When enabled, packets sent to ports 16992 or 16993 are redirected through Intel’s Management Engine (a small, separate processor independent of the main CPU) and passed to AMT. The operating system never sees these packets. AMT can be used to install media, reboot the machine and more, remotely. It requires a password for access; but this vulnerability suggests that the password can be bypassed.
Tomi Engdahl says:
Fail of the Week: New Hackerspace Burglarized Days Before Opening
http://hackaday.com/2017/05/03/fail-of-the-week-new-hackerspace-burglarized-days-before-opening/
Starting up a new hackerspace from the ground up is a daunting task. Before you even think about the fun stuff like tools and a space, you’ve got a ton of social engineering to do. Finding like-minded people with the drive and passion for seeing the project through is a major stumbling block where many projects falter. If you get past that, then figuring out a corporate structure and getting funds together to start building something can be difficult, as can local permits and the endless red tape that always seems to accompany anything seen as new or innovative.
I learned long ago — the hard way — that criminals like to do their business unobserved as much as possible, and to leave their options open for getting away quickly.
Is Your Space Secure?
If I had one criticism for The Humble Makers, it would be not looking for a commercial alarm system right off the bat. I know it’s hard to prioritize something like that ahead of getting tools and a space together — after all, that’s what will drive membership, not a panel with blinky lights on the wall near the door. But the alarm will protect the things that matter to the space, and in the end the expense of installing a system and having it monitored will seem like small change compared to the potential to lose everything.
Whether you have an alarm system or not, at a bare minimum you owe it to your members to do some kind of security audit. Walk around, wiggle door knobs, try to force windows open — look for weak point
Tomi Engdahl says:
IT security from the start: 3 ways to make it a business priority
https://enterprisersproject.com/article/2017/3/it-security-start-3-ways-make-it-business-priority?sc_cid=7016000000127f3AAA
Why is IT security so challenging?
Communication is a big part of the problem. The language of IT is different than the language of the business. Making a case for information security as a broader issue outside of IT is always a challenge. As a preventative measure, we have to weave IT security into the stories we tell across lines of business in order to relate the issues back to the people we are talking to, make it relevant for them, and help them understand what we’re trying to achieve.
Of course, compounding the challenge is the fact that IT people, in general, are under a lot of pressure. Security doesn’t always make it to the top of their priority list for the day.
Security is not just an “IT problem”
Do a better job explaining the risks: Outside of IT, there is typically a lack of understanding related to the risks of an IT failure.
Create a cross-functional team that reports to the top. The other key is to formalize a team and process around security preparedness across the organization.
Make security a priority from the start. Finally, you can combat a lot of security issues by implementing and reinforcing a “secure from the start” mentality throughout IT. Applications developers should be trained, incentivized, and rewarded on their ability to develop secure code.
Tomi Engdahl says:
Iain Thomson / The Register:
Hackers exploited SS7, a protocol used by cellphone providers, to intercept two-factor codes sent to online banking customers, letting them empty bank accounts
After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts
O2 confirms online thefts using stolen 2FA SMS codes
http://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
Experts have been warning for years about security blunders in the Signaling System 7 protocol – the magic glue used by cellphone networks to communicate with each other.
These shortcomings can be potentially abused to, for example, redirect people’s calls and text messages to miscreants’ devices. Now we’ve seen the first case of crooks exploiting the design flaws to line their pockets with victims’ cash.
O2-Telefonica in Germany has confirmed to Süddeutsche Zeitung that some of its customers have had their bank accounts drained using a two-stage attack that exploits SS7.
In other words, thieves exploited SS7 to intercept two-factor authentication codes sent to online banking customers, allowing them to empty their accounts. The thefts occurred over the past few months, according to multiple sources.
Tomi Engdahl says:
Ken Schwencke / ProPublica:
Cloudflare shares personal information of those who complain about hosted sites like Daily Stormer; Cloudflare GC says policy lets users “face their accusers”
How One Major Internet Company Helps Serve Up Hate on the Web
Cloudflare, a prominent San Francisco outfit, provides services to neo-Nazi sites like The Daily Stormer, including giving them personal information on people who complain about their content.
https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the-web
The widespread use of Cloudflare’s services by racist groups is not an accident. Cloudflare has said it is not in the business of censoring websites and will not deny its services to even the most offensive purveyors of hate.
“A website is speech. It is not a bomb,” Cloudflare’s CEO Matthew Prince wrote in a 2013 blog post defending his company’s stance. “There is no imminent danger it creates and no provider has an affirmative obligation to monitor and make determinations about the theoretically harmful nature of speech a site may contain.”
ProPublica reached out to a handful of people targeted by The Daily Stormer after they or someone close to them complained to Cloudflare about the site’s content.
For the most part, Sommers said, a lot of companies don’t want “this stuff” on their networks. He said those companies resist having their networks become “a hive of hate speech.”
Company officials have said Cloudflare’s core belief is in the free and open nature of the internet. But given its outsize role in protecting a range of websites, Cloudflare has found itself the target of critics.
In 2015, the company came under fire from the hacker collective Anonymous for reportedly allowing ISIS propaganda sites on its network. At the time, Prince, the company’s CEO, dismissed the claim as “armchair analysis by kids,” and told Fox Business that the company would not knowingly accept money from a terrorist organization.
Amazon Web Services, one of the most popular web hosts and content delivery networks, would not say how they handle abuse complaints beyond pointing to an “acceptable use” policy that restricts objectionable, abusive and harmful content. They also pointed to their abuse form, which says the company will keep your contact information private.
Tomi Engdahl says:
Hey FCC, when you’re not busy screwing our privacy, how about those SS7 cell network security flaws, huh?
No one else seems to care, sniff politicians
http://www.theregister.co.uk/2017/03/30/fcc_must_act_on_ss7/
US Democrats have written to America’s communications watchdog the FCC complaining the mobile industry needs a kick up the backside to fix serious flaws in its networks.
Last week the FCC’s Communications Security, Reliability and Interoperability Council (CSRIC) published its final report [PDF] into the Signaling System 7 protocol, which (among many things) allows cellular networks to talk to one another. It concluded that the FCC needs to act to fix SS7’s long-standing security shortcomings.
The protocol, designed in the 1980s, is fundamentally insecure, and can allow an attacker or rogue insider with access to a telco’s backend to track the location of any mobile phone user, read their messages, and listen in on calls. Security weaknesses in SS7 were exploited in 2014, but so far there has been little effort to replace SS7 with something more secure.
“It is clear that industry self-regulation isn’t working when it comes to telecommunications cybersecurity,” wrote Senator Ron Wyden (D-OR) and Representative Ted Lieu (D-CA) in an open letter [PDF] to the FCC on Tuesday.
Tomi Engdahl says:
Chance Miller / 9to5Google:
Google rolling out new anti-phishing security check in Gmail for Android with pop-up warnings when users click on suspicious links — Google today has announced a new security feature for Gmail on Android that makes it easier for users to protect themselves against phishing attempts.
Gmail for Android adds new anti-phishing security check for external links
https://9to5google.com/2017/05/03/gmail-for-android-anti-phishing/
Google today has announced a new security feature for Gmail on Android that makes it easier for users to protect themselves against phishing attempts. Google revealed the new feature in a post on its G Suite updates blog.
Starting this week, when you click a suspicious link in an email, Gmail will show a new pop-up warning explaining that what’s on the other side of the link might be dangerous.
Here is the message that will be presented:
The site you are trying to visit has been identified as forgery, intended to trick you into disclosing financial, personal, or other sensitive information.
Tomi Engdahl says:
Reuters:
Sources: Justice Department opens criminal probe into Uber’s use of Greyball software to evade regulators
Exclusive: Uber faces criminal probe over software used to evade authorities
http://www.reuters.com/article/us-uber-tech-crime-exclusive-idUSKBN1802U1
The U.S. Department of Justice has begun a criminal investigation into Uber Technologies Inc’s use of a software tool that helped its drivers evade local transportation regulators, two sources familiar with the situation said.
Uber has acknowledged the software, known as “Greyball,” helped it identify and circumvent government officials who were trying to clamp down on Uber in areas where its service had not yet been approved, such as Portland, Oregon.
Tomi Engdahl says:
Reuters:
State Department wants ~0.5% of visa applicants to supply five years’ worth of social media handles, seeks public comment and approval by OMB May 18
State Dept. seeks tougher visa scrutiny, including social media checks
http://www.reuters.com/article/us-usa-immigration-visa-idUSKBN18020A
The U.S. Department of State has proposed tougher questioning of visa applicants believed to warrant extra scrutiny, according to a document published Thursday, in a push toward the “extreme vetting” that President Donald Trump has said is necessary to prevent terrorist attacks.
Tomi Engdahl says:
Security
You only need 60 bytes to hose Linux’s rpcbind
Sigh … people just leave it on without blocking the port world+dog knows it uses. So patch it or close it, people
https://www.theregister.co.uk/2017/05/04/linux_rpcbind_vulnerability/
A 60 byte payload sent to a UDP socket to the rpcbind service can crash its host by filling up the target’s memory.
Shodan turned up 1.8 million hosts running with rpcbind’s Port 111 open to the Internet. Many or most of these are on mass hosts like AWS, where the user has configured a default Linux distribution.
If you really need to run rpcbind (which binds RPC calls to addresses), put it behind a firewall limiting Port 111 to the outside world. Better yet, turn the daemon off.
Tomi Engdahl says:
Cyberspies Use KONNI Malware to Target North Korea
http://www.securityweek.com/cyberspies-use-konni-malware-target-north-korea
A remote access Trojan (RAT) that managed to stay under the radar for more than 3 years has been used by cyberspies to target organizations linked to North Korea, Cisco’s Talos research and intelligence group reported on Wednesday.
The malware, dubbed by researchers “KONNI,” has evaded detection likely due to the fact that it has only been used in highly targeted attacks. The malware has evolved over the years, with recent versions capable of stealing data and executing arbitrary code on infected systems.
Talos is aware of several campaigns using this piece of malware over the past years. The first, likely launched in September 2014, involved an SRC file acting as a dropper for two other files: a picture that served as a decoy and the KONNI executable.
Tomi Engdahl says:
eDiscovery – An Enterprise Issue That Can’t be Ignored
http://www.securityweek.com/ediscovery-enterprise-issue-cant-be-ignored
eDiscovery is a concept born from litigation. It describes the need to find and retain electronic data that might be required in litigation ― whether for the plaintiff, the defendant or a third party. In recent years, eDiscovery has become considerably more complex.
In its original sense, eDiscovery is the process of fulfilling the legal requirement to locate and present documents pertinent to a legal case; that is, litigation support. It goes beyond simple discovery to include the concept of ‘litigation hold’; that is, the safe preservation of such documents.
The need to do this is growing.
For FoIA
While litigation eDiscovery is governed by the Federal Rules, FoIA requests are governed directly by the Freedom of Information Act. The FoIA establishes a statutory right of public access to Executive Branch information in the federal government.
For GDPR
GDPR is a new type of eDiscovery driver that applies only to companies operating in, or with operations in (such as trading with) the European Union. It includes facets of both litigation discovery and FoIA discovery. Like FoIA, it does not require litigation, but it does require relevancy (that is, a customer or customer’s representative).
GDPR is a user-centric privacy law. It gives users greater control over how their personal information is used by commerce; with potentially huge sanctions on companies that break the law. Two example requirements will demonstrate the need for efficient eDiscovery: the so-called right-to-be-forgotten; and the requirement for unambiguous and revocable informed consent from the user to the company collecting and using personal data.
The Scope of the Difficulty
“eDiscovery is a term that seems simple in conversation ― but no one is truly ready for what it really means,” warns Drew Koenig, security solutions architect at Magenic. “Off the record, I’ve seen a 200% increase in the last 3 years with Lit Holds and eDiscovery involved cases,” commented a CISO who did not wish to be named.
Tomi Engdahl says:
Unpatched WordPress Password Reset Flaw Disclosed
http://www.securityweek.com/unpatched-wordpress-password-reset-flaw-disclosed
A researcher has disclosed the details of a WordPress vulnerability that can be exploited by an unauthenticated attacker to reset a targeted user’s password. The flaw was reported to WordPress months ago, but it still has not been patched.
Security researcher Dawid Golunski, known for finding serious vulnerabilities in MySQL and some popular email-sending PHP libraries, published an advisory on Wednesday detailing a weakness in the WordPress password reset feature.
Successful exploitation of the vulnerability allows an unauthenticated attacker to obtain the password reset link for a targeted WordPress account and change its password. The issue, tracked as CVE-2017-8295, has been classified by Golunski as “medium/high severity.”
The problem, according to the expert, is related to the fact that WordPress uses a variable named SERVER_NAME to obtain the hostname of a server when setting the From/Return-Path header in password reset emails sent to users.
Since the value of this variable is often set using the hostname supplied by the client via the HTTP_HOST header, an attacker can inject an arbitrary domain by sending a specially crafted request to the targeted WordPress website.
In an attack scenario described by Golunski, the attacker sends a specially crafted request to the targeted WordPress site in order to trigger a password reset.
According to Golunski, the vulnerability affects all versions of WordPress, including 4.7.4, released two weeks ago. The researcher said he reported the security hole to WordPress’ security team several times since July 2016, and decided to make his findings public after no progress was made.
Until a patch is released, Golunski has proposed a temporary solution. Users have also discussed possible mitigations and workarounds on Reddit.
https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
Tomi Engdahl says:
WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day)
https://www.reddit.com/r/netsec/comments/692w7m/wordpress_core_474_potential_unauthorized/
What isn't explicitly said is that this attack fails if the site is hosted using a virtual host. I suspect the majority do.
Am I correct?
You are still vulnerable if your application is the default virtual host (typically the first one defined) in the server config. See http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html for further details.
Try sending a curl request with a random host header to confirm which application is the default vhost.
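As an added example (not code from WordPress, from Golunski's advisory or from the Reddit thread), the Python below puts the weakness described in the two comments above side by side with its fix: one path derives the mail sender domain from the client-supplied Host header, the way the advisory says SERVER_NAME is populated; the other rejects any Host value that is not on an allowlist and always uses a configured canonical hostname for anything that reaches an email header. All hostnames and addresses are constructed placeholders.

```python
"""
Added example: client-controlled Host header flowing into From/Return-Path
(the pattern behind CVE-2017-8295) versus an allowlisted canonical hostname.
"""
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: the hostnames this site is legitimately served under.
ALLOWED_HOSTS = {"blog.example.test", "www.blog.example.test"}
CANONICAL_HOST = "blog.example.test"


class BadHostHeader(ValueError):
    """Raised when a request arrives with a Host header we do not serve."""


def _host_only(headers: dict) -> str:
    # Host is client-controlled input: drop any :port suffix and normalise case.
    return headers.get("Host", "").split(":", 1)[0].strip().lower()


def server_name_vulnerable(headers: dict) -> str:
    """SERVER_NAME taken from whatever the client sent as Host, so the client
    chooses the domain that ends up in From/Return-Path of the reset mail."""
    return _host_only(headers)


def server_name_hardened(headers: dict) -> str:
    """Ignore the client value: reject unknown hosts (so the attempt is visible
    in logs rather than silently succeeding) and use the canonical name."""
    host = _host_only(headers)
    if host not in ALLOWED_HOSTS:
        raise BadHostHeader(f"unexpected Host header: {host!r}")
    return CANONICAL_HOST


def build_reset_mail(to_addr: str, server_name: str) -> EmailMessage:
    """Compose the reset notice; From and Return-Path are derived from
    server_name, which is exactly where the weakness lives."""
    msg = EmailMessage()
    msg["From"] = f"wordpress@{server_name}"
    msg["Return-Path"] = f"wordpress@{server_name}"
    msg["To"] = to_addr
    msg["Subject"] = "Password Reset"
    msg.set_content("A password reset was requested for your account.")
    return msg


def bounce_domain(msg: EmailMessage) -> str:
    """Domain that would receive a bounce if the recipient mailbox rejects
    the message: whoever controls it sees the bounced content."""
    return parseaddr(msg["Return-Path"])[1].split("@", 1)[1]


# Constructed requests: one legitimate, one with a Host value we do not serve.
NORMAL_REQUEST = {"Host": "blog.example.test"}
CRAFTED_REQUEST = {"Host": "unexpected-host.example.test:80"}


def demo_vulnerable_crafted() -> str:
    """Vulnerable path: the crafted Host value becomes the bounce domain."""
    name = server_name_vulnerable(CRAFTED_REQUEST)
    return bounce_domain(build_reset_mail("user@example.test", name))


def demo_hardened_normal() -> str:
    """Hardened path on a normal request: canonical domain, as expected."""
    name = server_name_hardened(NORMAL_REQUEST)
    return bounce_domain(build_reset_mail("user@example.test", name))


def demo_hardened_crafted() -> bool:
    """True when the hardened path refuses to build mail for the crafted request."""
    try:
        server_name_hardened(CRAFTED_REQUEST)
    except BadHostHeader:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, crafted Host ->", demo_vulnerable_crafted())
    print("hardened, normal Host    ->", demo_hardened_normal())
    print("hardened rejects crafted ->", demo_hardened_crafted())
```

The allowlist is the application-level counterpart of the point made in the Reddit reply: at the web-server level the same outcome comes from not letting the WordPress site be the default (catch-all) virtual host, so an unknown Host value never reaches it at all. On Apache, setting UseCanonicalName On together with an explicit ServerName makes SERVER_NAME follow the configured name rather than the request's Host header.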
Tomi Engdahl says:
Threat Modeling the Internet of Things
http://www.securityweek.com/threat-modeling-internet-things
Interrupting the Interruption
The Internet of Things (where non-humans are the clients as well as the servers) is now on the verge of interrupting the Internet. Like the original Internet, the Internet of Things has grown somewhat organically with apparently very little consideration for security.
We have an opportunity to learn from the mistakes of the original Internet and build some security into the Internet of Things, if we act quickly.
One of the lessons that we can apply immediately is the concept of threat modeling. Threat modeling is a process fundamental to the Software Development Lifecycle (SDLC), but it is a broad process that actually doesn’t have to be specific to software at all.
It’s Not Just Internet-connected Toasters
Don’t dismiss the IoT as just a consumer security problem. IoT security is critical for other sectors beyond retail. Consider:
Government: City planners are busily designing so-called smart cities replete with sensors and connectors to make services more efficient. IoT can optimize ground transportation, shipping and power for smart cities, and all of these services will be using the IoT.
Industrial: Heavy industries will monitor workers’ exposure to dangerous natural or synthetic chemicals with internet-connected sensor networks. Sensors in factories will assist with predictive maintenance and feed operational data into analytic engines. General Electric jet engines already produce terabits of data that airlines use to optimize flight paths and fuel plans.
Enterprise: The new world of soft perimeters will be complicated by the IoT. Nearly half of all new tech workers are remote employees who often work from their domiciles. Imagine their houses full of hundreds of quasi-secure IoT devices hoping to catch a ride into the corporate VPN.
Let’s Fix IoT Now Before We Go Back to Space
Like the original Internet, the IoT might revolutionize everything. Unlike with the original Internet, we have an awareness about security and the opportunity to build security into the Internet of Things.
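As an added example (not part of the article), the Python below shows what "applying threat modeling to the IoT" can look like in practice for the enterprise scenario the article sketches: a home sensor reporting through a cloud broker into a corporate dashboard. It uses STRIDE-per-element, which the article does not name and is an assumption of this example; the system elements, trust zones and flow properties are constructed. The value of the exercise is that priorities fall out of the data-flow diagram itself: the flows that cross a trust boundary without encryption or authentication are the ones that surface as high-priority threats.

```python
"""
Added example: a minimal STRIDE-per-element threat model over a constructed
IoT data-flow diagram (sensor -> cloud broker -> corporate dashboard).
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List

# STRIDE-per-element: which threat classes apply to each element type.
STRIDE_PER_ELEMENT = {
    "external": "SR",       # external entities: spoofing, repudiation
    "process": "STRIDE",    # processes: all six
    "store": "TRID",        # data stores
    "flow": "TID",          # data flows: tampering, disclosure, denial of service
}
THREAT_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str        # external | process | store
    trust_zone: str  # e.g. "home", "cloud", "corporate"


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    encrypted: bool
    authenticated: bool

    def crosses_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


@dataclass
class Threat:
    target: str
    category: str
    priority: str    # low | medium | high
    reason: str


def threats_for_flow(fl: Flow) -> List[Threat]:
    """Flow threats, elevated when the flow leaves a trust zone unprotected."""
    crossing = fl.crosses_boundary()
    out = []
    for code in STRIDE_PER_ELEMENT["flow"]:
        prio, why = "medium", "data flow"
        if crossing and not fl.encrypted and code in "TI":
            prio, why = "high", "unencrypted flow crosses a trust boundary"
        out.append(Threat(fl.name, THREAT_NAMES[code], prio, why))
    if crossing and not fl.authenticated:
        # Not in the flow row of STRIDE-per-element, but the receiver cannot
        # tell a real sensor from a forged one, so record it against the flow.
        out.append(Threat(fl.name, THREAT_NAMES["S"], "high",
                          "unauthenticated flow crosses a trust boundary"))
    return out


def threats_for_element(el: Element, flows: List[Flow]) -> List[Threat]:
    """Element threats; medium if the element sits on a trust-zone edge."""
    on_edge = any(f.crosses_boundary() and el in (f.src, f.dst) for f in flows)
    prio = "medium" if on_edge else "low"
    return [Threat(el.name, THREAT_NAMES[c], prio,
                   "element on a trust boundary" if on_edge else "internal element")
            for c in STRIDE_PER_ELEMENT[el.kind]]


def model_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    threats = [t for fl in flows for t in threats_for_flow(fl)]
    threats += [t for el in elements for t in threats_for_element(el, flows)]
    return threats


def high_priority(threats: List[Threat]) -> List[Threat]:
    return [t for t in threats if t.priority == "high"]


# Constructed scenario from the article's enterprise bullet.
SENSOR = Element("home sensor", "process", "home")
BROKER = Element("cloud broker", "process", "cloud")
TELEMETRY_DB = Element("telemetry store", "store", "cloud")
DASHBOARD = Element("corporate dashboard", "process", "corporate")
ELEMENTS = [SENSOR, BROKER, TELEMETRY_DB, DASHBOARD]
FLOWS = [
    Flow("sensor telemetry", SENSOR, BROKER, encrypted=False, authenticated=False),
    Flow("broker persistence", BROKER, TELEMETRY_DB, encrypted=True, authenticated=True),
    Flow("dashboard feed", BROKER, DASHBOARD, encrypted=True, authenticated=True),
]

if __name__ == "__main__":
    for t in sorted(model_threats(ELEMENTS, FLOWS), key=lambda t: t.priority):
        print(f"[{t.priority:6}] {t.target}: {t.category} ({t.reason})")
```

Only the sensor-to-broker flow comes out as high priority, and it does so for three threat classes at once, which is the kind of concrete, ranked output that turns "build security in" from a slogan into a work item (encrypt and authenticate that one link first).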
Tomi Engdahl says:
What’s Up with Your Mobile Apps? Identifying and Mitigating Digital Risk
http://www.securityweek.com/whats-your-mobile-apps-identifying-and-mitigating-digital-risk
I’ll venture to guess you’re using a mobile device to read this. In the most recent Ericsson Mobility Report (PDF), the total number of mobile subscriptions at the end of 2016 was approximately 7.5 billion and growing around 4 percent year-on-year. Greater speed, power and storage capabilities of mobile devices means they are used more frequently for activities previously reserved for laptops or PCs.
In this increasingly mobile-first world, organizations are turning to mobile applications that enable them to better interact with their customers and provide new tools for employees. While mobile applications offer a host of new opportunities, they can also introduce risk.
At the end of last year, the US Federal Trade Commission warned of fake apps impersonating well-known retailers and stealing consumers’ personal information. More recently, the UK’s National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) released a joint paper on the cyber threats to UK businesses.
https://www.ericsson.com/assets/local/mobility-report/documents/2017/emr-interim-february-2017.pdf
Tomi Engdahl says:
How to Stop a Hacker: Disincentivizing Cybercriminals
http://www.securityweek.com/how-stop-hacker-disincentivizing-cybercriminals
As long as computers have been in existence, there have been people trying to hack them. As technology has evolved and improved, so has the advancements for keeping cyberattacks at bay. But of course, as technology gets smarter, so do the hackers. For years, there has been a ceaseless cycle of organizations finding new ways to secure their data, while hackers continue to find ways to break in and access it.
Cybercriminals, or the “bad” hackers, hack because it’s profitable. A recent report showed that 72 percent of hackers are financially motivated. That means that if the economic incentives were minimized, many may find that it is no longer worthwhile to attempt a cyberattack. Of course, there are many nation state attackers and “hacktivists” who choose to hack for other, non-financial reasons. But for the large majority of cybercriminals attempting to make a buck, it’s important to find ways to deter these criminals from putting forth the effort to attack in the first place.
Rather than focusing our efforts on stopping cyberattacks, what if we were to instead turn our focus to stopping the attackers themselves from having the incentive to attack in the first place? Here are a few ways to lessen these incentives in an effort to stop cybercrime at the source.
Make examples out of hackers. Hacking is unlike many other forms of crime in that it can entirely be done from the safety of your own home, behind the confines of a computer screen. The lack of public exposure leads many cybercriminals to believe they are above the law or otherwise safe from prosecution.
Make hacking more costly. Hacking can be expensive, time-consuming work. Many attackers are put off by the possibility that they may spend countless hours of their lives developing a singular botnet or malicious website, only to have it stopped immediately.
Harden infrastructure. A common practice among cybercriminals is a reconnaissance phase, in which hackers do broad scans for systems that appear to be vulnerable. Implementing strong safeguards to make your organization appear secure is a key way to deter the economically-minded hackers who are looking for a quick payday.
De-value data. Many hackers these days choose to focus their efforts on accumulating data that may be useful down the road – whether to exploit, sell or otherwise leverage the information they obtained through illegal means. However, if the data they are looking to acquire becomes much less valuable, they won’t be as motivated to acquire it.
While there is no singular solution for stopping hackers in their tracks, by implementing a few of these measures, we can work to put an end to the real incentives that exist for hackers today. By removing the allure of hacking, we can hopefully incentivize cybercriminals to instead use their skills in a positive way, to benefit not only themselves but also the greater good.
Tomi Engdahl says:
Study Reveals the Age, Nationality, and Motivation of Hackers
by Alyssa Newcomb
http://www.nbcnews.com/tech/security/study-reveals-age-nationality-motivation-hackers-n647171
A new report from HackerOne, a company that helps connect businesses with hackers who can expose vulnerabilities in their systems, is painting a new portrait of who the typical hacker really is.
It’s probably not news that the typical hacker is male and under the age of 34 — but nationalities and motivations for hacking may come as a surprise.
The company’s “2016 Bug Bounty Hacker Report” surveyed 617 hackers who had submitted at least one vulnerability through HackerOne and found that while many do it for money, fun is also a motivator.
According to the report, 72 percent of respondents said they hack for money, but 70 percent agreed they do it for fun, and 66 percent said they thrived on the challenge.
More than half of those surveyed, 51 percent, also said they hack “to do good in the world.”
Tomi Engdahl says:
Securing Medical Devices – The Need for a Different Approach – Part 1
http://intelligentsystemssource.com/securing-medical-devices-the-need-for-a-different-approach-part-1/
problem of what to do about securing medical devices in our hospitals. Most healthcare executives are acutely aware of the problem (to some degree at least), but very few have an effective or scalable solution at hand to address this ever-growing risk.
The problem as far as risk is concerned, is not just the growth of these standalone devices and the difficulty managing so many, but the fact that these systems, many of which are critical to patient well-being, by and large have ALMOST NO BUILT-IN SECURITY CAPABILITY. Nor can they be secured by standard compute endpoint tools like anti-virus / anti-malware. They are a huge vulnerability, not only to themselves, but also to everything else attached to the network on one side of the device, and the patient on the other side.
Standalone medical devices are designed, built and FDA approved to perform a very narrow and specific function, and to do so reliably for long continuous periods of operation
What’s more, medical devices are rarely retired and withdrawn from service, which means many hospitals are still using devices designed and built twenty years ago – at a time when Windows 95 had just been released and most of us weren’t even on the ‘World Wide Web’ as we called it then! How could they POSSIBLY be secured and prepared to defend against the types of cyber attack we see today?
Many standalone medical devices leave the manufacturing plant with all kinds of security vulnerabilities
Many of today’s mass-produced, quick-to-market commercial devices run on Windows 9 Embedded – nothing more than a cut-down version of the hugely vulnerable and highly insecure Windows XP operating system.
Securing Medical Devices – The Need for a Different Approach – Part 2
http://intelligentsystemssource.com/securing-medical-devices-the-need-for-a-different-approach-part-2/
I suggested that he abandon entirely all thoughts of securing individual endpoints by locally hardening devices, and by disabling services like
I suggested that he use his network as the control point rather than attempt to manage so many individual endpoints. By enabling TrustSec – a built-in access system in his newer Cisco switches and routers – he could lock down each endpoint device whether wired or wirelessly attached to the network, and control in a uniform manner which ports and protocols each device could communicate on, which users could administer each device, and which other devices each medical device could communicate with, i.e. specifically authorized canister, gateway or clinical information systems only…. and nothing else!
By employing ISE (Cisco Identity Services Engine) to set access policy, which would then be enforced by TrustSec,
Furthermore ISE could be used to profile each model of medical device, such that a profile could be developed and assigned once for each model, and applied globally across the entire enterprise of 350,000+ medical devices, thus automating security for the almost un-securable!
A large number of leading US healthcare delivery organizations are already using ISE and TrustSec to secure their medical devices, research and intellectual property, PHI, PII and other confidential information, by security segmentation of their networks and IT systems. Many are working towards micro-segmentation at the individual device level. Many more are using the same segmentation approach and technology to isolate their PCI payment systems, their guest and contractor network access, and for network access quarantine to perform posture assessments on laptops and mobile devices re-attaching to the network after being used to treat patients in the community.
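A model of the profile-based segmentation described in the excerpt above, as an added example that is not part of the original post and not Cisco's TrustSec or ISE code: each device model is profiled once into a security group, and a group-to-group policy matrix decides which destination groups and ports it may reach, with everything unlisted denied. All device models, group names, ports and sample flows are constructed for the illustration.

```python
"""Profile-once, enforce-everywhere segmentation model (added illustration)."""
from dataclasses import dataclass

# Profile: device model -> security group. Constructed sample models; adding
# another device of a known model needs no new policy, only the profile.
MODEL_PROFILE = {
    "infusion-pump-x1": "MED_DEVICE",
    "patient-monitor-m3": "MED_DEVICE",
    "gateway-g2": "MED_GATEWAY",
    "clinical-info-sys": "CLINICAL_IS",
    "staff-laptop": "USER",
}

# Policy matrix: (source group, destination group) -> allowed (proto, port).
# Any pair or port not listed here is denied ("nothing else").
POLICY = {
    ("MED_DEVICE", "MED_GATEWAY"): {("tcp", 443)},
    ("MED_DEVICE", "CLINICAL_IS"): {("tcp", 2575)},  # constructed HL7-style port
    ("MED_GATEWAY", "CLINICAL_IS"): {("tcp", 443)},
    ("USER", "CLINICAL_IS"): {("tcp", 443)},
}


@dataclass(frozen=True)
class Flow:
    src_model: str
    dst_model: str
    proto: str
    port: int


def group_of(model: str) -> str:
    # Unprofiled devices land in a quarantine group that has no policy entries.
    return MODEL_PROFILE.get(model, "QUARANTINE")


def is_allowed(flow: Flow) -> bool:
    key = (group_of(flow.src_model), group_of(flow.dst_model))
    return (flow.proto.lower(), flow.port) in POLICY.get(key, set())


def evaluate(flows):
    """Return [(flow, allowed)] for a batch of observed flows."""
    return [(f, is_allowed(f)) for f in flows]


if __name__ == "__main__":
    sample = [  # constructed sample flows
        Flow("infusion-pump-x1", "gateway-g2", "tcp", 443),    # allowed
        Flow("patient-monitor-m3", "staff-laptop", "tcp", 445),  # denied: no policy
        Flow("staff-laptop", "infusion-pump-x1", "tcp", 22),   # denied: no admin path
        Flow("unknown-box", "clinical-info-sys", "tcp", 443),  # denied: unprofiled
    ]
    for f, ok in evaluate(sample):
        print(f"{group_of(f.src_model)} -> {group_of(f.dst_model)} "
              f"{f.proto}/{f.port}: {'ALLOW' if ok else 'DENY'}")
```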
Tomi Engdahl says:
Protecting Firmware that Can’t Be Un-Hacked
Infected operating systems can be ditched and reloaded, but firmware isn’t so soft. Once hacked, it’s unfixable.
https://www.designnews.com/content/protecting-firmware-can-t-be-un-hacked/17739891756710?cid=nl.x.dn14.edt.aud.dn.20170504.tst004t
Cybersecurity has become a critical issue in recent years. Attackers have gone professional. Some seek riches, while others desire to crush political foes. Either way, attacks have become deliberate, focused, and unrelenting. When the attack penetrates firmware, the result is particularly grim, since firmware can’t be scrubbed clean.
When sophisticated attacks are launched on network equipment, strong protection is required for network equipment, both on the device and service level. The industry consortium, Trusted Computing Group (TCG), provides security standards to keep networking services free of disruption. Membership in TCG includes the leading computer and network companies.
On a Mission to Protect Firmware
TCG is focused on protecting against the attack itself, since there is little ability to recover from a deliberate attack on firmware. “The thing that’s different about firmware, is that once it gets hacked, it may be impossible to un-hack it,” Guy Fedorkow, a distinguished engineer at Juniper Networks who works with TCG, told Design News. “If your laptop is infected, you might have to re-install the operating system. Then, whatever was hacked in the OS is gone. That’s not true of firmware. You can’t just remove it.”
TCG’s goal is to create security specifications and promote best practices for cybersecurity protection that involves firmware. TCG’s Network Equipment Working Group is tasked with providing guidance in the security design for communication devices and in the application of Trusted Computing standards within network infrastructure.
Tomi Engdahl says:
Industrial Robots, Hacking and Sabotage
http://hackaday.com/2017/05/04/industrial-robots-hacking-and-sabotage/
Everything is online these days creating the perfect storm for cyber shenanigans. Sadly, even industrial robotic equipment is easily compromised because of our ever increasingly connected world. A new report by Trend Micro shows a set of attacks on robot arms and other industrial automation hardware.
This may not seem like a big deal but imagine a scenario where an attacker intentionally builds invisible defects into thousands of cars without the manufacturer even knowing. Just about everything in a car these days is built using robotic arms. The chassis could be built too weak, the engine could be built with weaknesses that will fail far before the expected lifespan. Even your brake disks could have manufacturing defects introduced by a computer hacker causing them to shatter under heavy braking. The Forward-looking Threat Research (FTR) team decided to check the feasibility of such attacks and what they found was shocking. Tests were performed in a laboratory with a real, working robot. They managed to come up with five different attack methods.
Why are these robots even connected? As automated factories become more complex it becomes a much larger task to maintain all of the systems. The industry is moving toward more connectivity to monitor the performance of all machines on the factory floor, tracking their service lifetime and alerting when preventive maintenance is necessary. This sounds great for its intended use, but as with all connected devices there are vulnerabilities introduced because of this connectivity. This becomes especially concerning when you consider the reality that often equipment that goes into service simply doesn’t get crucial security updates for any number of reasons (ignorance, constant use, etc.).
https://documents.trendmicro.com/assets/wp/wp-industrial-robot-security.pdf
Tomi Engdahl says:
Can Robots Be Compromised?
https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/rogue-robots-testing-industrial-robot-security
The modern world relies heavily on industrial robots. But is the current robotics ecosystem secure enough to withstand a cyber attack?
Industrial robots have replaced humans in a lot of large-scale production and manufacturing activities because of their efficiency, accuracy, and safety. These mechanical, programmable devices can now be seen in practically all industrial sectors―making cars, fabricating airplane parts, assembling food products, and even providing critical public services