Year 2017 will not bring a turn towards better data security. The internet is rife with both well-known and unknown threats, and companies’ systems are supposed to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure will come under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google, and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. Still, 1/3 of websites use SHA-1 certificates despite the looming deadline. SHA-1 will hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
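As an added example (not code from the original post or from Google), here is a small stand-alone Python audit that applies the Chrome 56 rule to a page before the browser does: it finds forms that collect passwords or credit-card numbers and flags those on pages served over plain HTTP. As an extra check beyond the Chrome 56 rule it also flags a form on an HTTPS page whose action posts to an http:// URL, since the data would still leave in cleartext. The sample HTML, URLs and host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class SensitiveFormScanner(HTMLParser):
    """Collects every <form> that contains a password field or a credit-card
    field (autocomplete="cc-*"), together with the URL the form submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # each entry: {"action": absolute URL, "fields": [...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page itself.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            input_type = (attrs.get("type") or "text").lower()
            autocomplete = (attrs.get("autocomplete") or "").lower()
            if input_type == "password":
                self._current["fields"].append("password")
            elif autocomplete.startswith("cc-"):
                self._current["fields"].append("credit-card")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of (finding, detail) tuples for one page.

    'http-page'   : the page is served over plain HTTP and collects credentials
                    or card data (what Chrome 56 labels 'Not secure').
    'http-action' : the form posts to a plain-HTTP URL, so the data would leave
                    in cleartext even if the page itself came over HTTPS.
    """
    scanner = SensitiveFormScanner(page_url)
    scanner.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in scanner.forms:
        if not form["fields"]:
            continue
        fields = ", ".join(sorted(set(form["fields"])))
        if page_scheme != "https":
            findings.append(("http-page", f"{page_url} collects {fields} over {page_scheme}"))
        if urlsplit(form["action"]).scheme.lower() != "https":
            findings.append(("http-action", f"form posts {fields} to {form['action']}"))
    return findings


# Constructed sample pages (not taken from any real site).
LOGIN_OVER_HTTP = """
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
"""

CHECKOUT_MIXED = """
<form action="http://legacy.example/pay" method="post">
  <input autocomplete="cc-number" name="card">
  <input autocomplete="cc-exp" name="exp">
</form>
"""

if __name__ == "__main__":
    for url, html in [("http://shop.example/login", LOGIN_OVER_HTTP),
                      ("https://shop.example/checkout", CHECKOUT_MIXED),
                      ("https://shop.example/login", LOGIN_OVER_HTTP)]:
        for kind, detail in audit_page(url, html) or [("ok", url)]:
            print(f"{kind:12} {detail}")
```

Run against a saved copy of your own login and checkout pages with the URL they are served from; the search form in the first sample shows that forms without sensitive fields are ignored, and the third case shows the same login form is fine once the page (and therefore its relative action) moves to HTTPS.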
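To find out whether a certificate you operate is one of the SHA-1 stragglers, the added Python example below (not code from the original post) walks just far enough into the DER structure of an X.509 certificate to read the outer signatureAlgorithm OID and compare it against the SHA-1 and MD5 signature OIDs. It uses only the standard library; the three sample certificates at the bottom are constructed DER skeletons with the shape of a certificate (placeholder tbsCertificate and signature), not real certificates.

```python
import base64
import re

# Signature-algorithm OIDs whose hash is SHA-1 (or older), the ones the 2017
# browser deprecation targets in leaf and intermediate certificates.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]    # first byte packs the first two arcs
    value = 0
    for byte in raw[1:]:                   # remaining arcs are base-128 with continuation bit
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Go straight to the outer signatureAlgorithm's OID without parsing anything else."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)             # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)          # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def weak_signature(cert_der):
    """Name of the weak algorithm if the certificate is signed with SHA-1/MD5, else None."""
    return WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


# --- constructed test material: DER skeletons shaped like a certificate ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def fake_cert(alg_oid_bytes):
    tbs = _der(0x30, b"\x02\x01\x01")                             # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, alg_oid_bytes) + b"\x05\x00")     # OID + NULL parameters
    sig = _der(0x03, b"\x00" + b"\x00" * 64)                     # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


SHA1_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d010105"))     # 1.2.840.113549.1.1.5
SHA256_RSA_CERT = fake_cert(bytes.fromhex("2a864886f70d01010b"))   # 1.2.840.113549.1.1.11
ECDSA_SHA256_CERT = fake_cert(bytes.fromhex("2a8648ce3d040302"))   # 1.2.840.10045.4.3.2
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SHA1_RSA_CERT).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, cert in [("sha1-rsa", SHA1_RSA_CERT), ("sha256-rsa", SHA256_RSA_CERT),
                       ("ecdsa-sha256", ECDSA_SHA256_CERT)]:
        print(name, signature_algorithm_oid(cert), weak_signature(cert) or "ok")
```

With a real certificate, read the PEM file and call weak_signature(pem_to_der(text)). The check matters for leaf and intermediate certificates: a browser never verifies a self-signed root's own signature, so a SHA-1 root in the trust store is not by itself what the deprecation is about.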
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer disruption to business due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.
Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into those encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial-of-service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers, so the need to use telecom operators and external services increases. In addition to service disruption, denial-of-service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will increasingly be considered as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security if it meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for the Ethereum blockchain and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain in its Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for blockchains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
This Man’s Bank Wanted To Read All His Emails To Approve A Credit Card
https://www.buzzfeed.com/pranavdixit/this-mans-bank-wanted-to-read-all-his-emails-to-approve-a-cr?utm_term=.oq4A2bo2R3#.jevaEXAEKG
It turns out that his bank, HDFC, used a third-party company called Verifi.Me, whose website describes it as a verification service that lets users “prove their identities and fast-track their applications.”
Here’s everything that Verifi.Me collects
That’s pretty much everything important. Worse, the policy says that the company may share this information with people “who are required to know such information in order provide [services] to you.”
Privacy activists in India blamed the situation on the country’s lack of privacy laws.
Tomi Engdahl says:
Donald Trump will take cybersecurity advice from, um, Rudy Giuliani
♪ Stop your messin’ around, better think of your future ♪
http://www.theregister.co.uk/2017/01/12/trump_appoints_giuliani_head_of_cybersecurity/
The transition team for US president-elect Donald Trump has announced that former New York City mayor Rudy Giuliani will advise the incoming administration on how to secure America’s digital infrastructure.
We’re told that the Donald may hold meetings with senior private industry executives with experience in online security. Giuliani will be in charge of organizing those confabs, based on his extensive experience in the infosec industry.
“As the use of modern communications and technology has moved forward at unparalleled speed, the necessary defenses have lagged behind,” the statement reads.
Giuliani does have a long career in law enforcement as a lawyer in district attorney offices. After retiring as New York City mayor, he helped set up Giuliani Partners LLC, a management consulting and security business. While Giuliani was the front man for the operation, it’s unclear what specific computer security knowledge he has, if any.
Tomi Engdahl says:
ISC squishes BIND packet-of-death bugs
DNS servers are crashable until they’re patched
http://www.theregister.co.uk/2017/01/13/isc_fixes_bind_denialofservice_vuls/
BIND administrators, get patching: there are three irritating flaws you need to splat.
The denial-of-service vulnerabilities in question are CVE-2016-9131, CVE-2016-9147, and CVE-2016-9444.
Common to all three is that they’re exploitable denial-of-service bugs that predominantly affect BIND-based DNS servers running in recursive mode (that is, if the DNS server doesn’t have an answer locally, it passes the query upstream).
In CVE-2016-9131, a BIND recursive server can be crashed by a malformed query response. The vulnerability note says the “combination of properties” that triggers the bug shouldn’t occur in normal traffic, but an attacker could engineer a scenario that breaks the target.
The Internet Systems Consortium has issued fixes here
http://www.theregister.co.uk/2017/01/13/isc_fixes_bind_denialofservice_vuls/
Tomi Engdahl says:
It’s not just your browser: Your machine can be fingerprinted easily
Anonymity just got harder
http://www.theregister.co.uk/2017/01/13/its_not_just_your_browser_your_machine_can_be_fingerprinted_easily/
It just got a lot harder to evade browser fingerprinting: a bunch of boffins have worked out how to fingerprint the machine behind the browser, using only information provided by browser features.
Like so many ideas, it’s obvious once someone’s thought of it: activities that aren’t processed in the browser are treated the same whether the page is rendered in (say) Chrome, Firefox, IE or Edge.
The group – Yinzhi Cao and Song Li from Lehigh University in Pennsylvania, and Erik Wijmans from Washington University in St. Louis – have worked out how to access various operating system and hardware-level features that can fingerprint an individual machine, regardless of browser.
Tomi Engdahl says:
Europe Calls For Mandatory ‘Kill Switches’ On Robots
https://hardware.slashdot.org/story/17/01/12/2013246/europe-calls-for-mandatory-kill-switches-on-robots?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
To combat the robot revolution, the European Parliament’s legal affairs committee has proposed that robots be equipped with emergency “kill switches” to prevent them from causing excessive damage. Legislators have also suggested that robots be insured and even be made to pay taxes. “A growing number of areas of our daily lives are increasingly affected by robotics,” said Mady Delvaux, the parliamentarian who authored the proposal.
Europe calls for mandatory ‘kill switches’ on robots
http://money.cnn.com/2017/01/12/technology/robot-law-killer-switch-taxes/index.html
Europe is preparing for a robot revolution.
European lawmakers have proposed that robots be equipped with emergency “kill switches” to prevent them from causing excessive damage. Legislators have also suggested that robots be insured and even be made to pay taxes.
The proposal on robot governance was approved by the European Parliament’s legal affairs committee on Thursday. The issue will now be considered by the European Commission, which is the bloc’s top regulator.
“A growing number of areas of our daily lives are increasingly affected by robotics,” said Mady Delvaux, the parliamentarian who authored the proposal. “To ensure that robots are and will remain in the service of humans, we urgently need to create a robust European legal framework.”
Kill switch
The proposal calls for a new charter on robotics that would give engineers guidance on how to design ethical and safe machines.
For example, designers should include “kill switches” so that robots can be turned off in emergencies. They must also make sure that robots can be reprogrammed if their software doesn’t work as designed.
Stop the killer robots
The proposal states that designers, producers and operators of robots should generally be governed by the “laws of robotics” described by science fiction writer Isaac Asimov.
Asimov’s laws stipulate that a robot must never harm or kill a human and always obey orders from its creator. Robots must protect their own existence — unless doing so would cause harm to a human.
Remember: It’s just a robot
The proposal also says that robots should always be identifiable as mechanical creations. That will help prevent humans from developing emotional attachments.
Who’s responsible for misbehaving robots?
The proposal calls for a compulsory insurance scheme — similar to car insurance — that would require producers and owners to take out insurance to cover the damage caused by their robots.
Tomi Engdahl says:
Trump’s cyber-guru Giuliani runs ancient ‘easily hackable website’
Stunned security experts tear strips off president-elect pick hours after announcement
13 Jan 2017
http://www.theregister.co.uk/2017/01/13/giuliani_joomla_outdated_site/
US president-elect Donald Trump’s freshly minted cyber-tsar Rudy Giuliani runs a website with a content management system years out of date and potentially utterly hackable.
Former New York City mayor and Donald loyalist Giuliani was today unveiled by Trump’s transition team as the future president’s cybersecurity adviser – meaning Giuliani will play a crucial role in the defense of America’s computer infrastructure.
Giulianisecurity.com, the website for the ex-mayor’s eponymous infosec consultancy firm, is powered by a roughly five-year-old build of Joomla! that is packed with vulnerabilities. Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server.
This seemingly insecure system also has a surprising number of network ports open – from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007.
Tomi Engdahl says:
Microsoft sued by staff traumatized by child sex abuse vids stashed on OneDrive accounts
Document police with ‘god-like’ access denied therapy – claim
http://www.theregister.co.uk/2017/01/11/microsoft_sued_failing_to_protect_workers/
Two former Microsoft employees have sued the Windows giant seeking compensation for the mental trauma of screening child sex abuse photos, murder videos, and other extreme content flowing through the company’s online services.
Henry Soto and Greg Blauert were assigned to Microsoft’s Online Safety Team, formed in 2008 following a federal requirement that unlawful material like child pornography must be reported to the National Center for Missing & Exploited Children (NCMEC).
“was required to view many thousands of photographs and videos of the most horrible, inhumane, and disgusting content one can imagine.”
Ben W Wells, the attorney representing Soto, in a phone interview with The Register explained that Microsoft reviews content listed in Bing and stored in OneDrive.
“That’s where people store things and sometimes they store very inappropriate things,” said Wells. “There are laws that require Microsoft, if they see something, to report it.”
Redmond staffers and software tools sniff out banned material
In 2009, the same year it introduced its PhotoDNA project to help automatically detect child exploitation, Microsoft began providing counseling for members of the Online Safety Team, to address a condition the company allegedly referred to as “compassion fatigue.” But the complaint claims the services were inadequate.
Wells said Soto and Blauert have suffered serious mental anguish as a result of their exposure to graphic imagery, which their doctors have diagnosed as Post-Traumatic Stress Syndrome.
Trauma arising from exposure to graphic imagery has been documented in academic research.
Tomi Engdahl says:
Joseph Cox / Motherboard:
Hacker steals 900GB of data from Cellebrite, the Israeli company that makes products for breaking into mobile phones — This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it.
Hacker Steals 900 GB of Cellebrite Data
http://motherboard.vice.com/read/hacker-steals-900-gb-of-cellebrite-data
The hackers have been hacked. Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite’s products.
The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies.
Cellebrite is an Israeli company whose main product, a typically laptop-sized device called the Universal Forensic Extraction Device (UFED), can rip data from thousands of different models of mobile phones. That data can include SMS messages, emails, call logs, and much more, as long as the UFED user is in physical possession of the phone.
Cellebrite is popular with US federal and state law enforcement
Tomi Engdahl says:
Charlie Savage / New York Times:
New rules allow National Security Agency to share raw intercepted communications with other 16 US intelligence agencies before applying privacy protections
N.S.A. Gets More Latitude to Share Intercepted Communications
https://www.nytimes.com/2017/01/12/us/politics/nsa-gets-more-latitude-to-share-intercepted-communications.html
In its final days, the Obama administration has expanded the power of the National Security Agency to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections.
The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws.
The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.
Tomi Engdahl says:
Moxie Marlinspike / Open Whisper Systems:
Contrary to Guardian’s report, Signal Protocol contains no “backdoor”; WhatsApp’s encryption implementation is appropriate given the company’s scale
There is no WhatsApp ‘backdoor’
https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
Today, the Guardian published a story falsely claiming that WhatsApp’s end to end encryption contains a “backdoor.”
WhatsApp’s encryption uses Signal Protocol, as detailed in their technical whitepaper. In systems that deploy Signal Protocol, each client is cryptographically identified by a key pair composed of a public key and a private key. The public key is advertised publicly, through the server, while the private key remains private on the user’s device.
The WhatsApp clients have been carefully designed so that they will not re-encrypt messages that have already been delivered.
The fact that WhatsApp handles key changes is not a “backdoor,” it is how cryptography works. Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system.
The only question it might be reasonable to ask is whether these safety number change notifications should be “blocking” or “non-blocking.”
Given the size and scope of WhatsApp’s user base, we feel that their choice to display a non-blocking notification is appropriate.
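The comment above describes client behaviour: each client pins the identity key it first sees for a contact, derives a comparable safety number from the two identity keys, and raises a notification when the server advertises a different key, either holding the message (blocking) or sending it and telling the user (non-blocking). The following Python sketch is an added example of that behaviour, not code from Open Whisper Systems or WhatsApp. Identity keys are random byte strings standing in for real Curve25519 keys, and the safety-number derivation is a simplified stand-in for Signal's; both are assumptions of the example.

```python
import hashlib
import secrets


def safety_number(key_a, key_b):
    """Simplified stand-in for a Signal safety number: 60 digits derived from both
    identity public keys, identical on either side so the two users can compare
    them out of band. (Signal's actual derivation differs; the idea is the same.)"""
    digest = hashlib.sha256(b"".join(sorted([key_a, key_b]))).digest()
    digits = str(int.from_bytes(digest, "big")).ljust(60, "0")[:60]
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))


class Client:
    """One end-to-end-encryption client with trust-on-first-use key pinning."""

    def __init__(self, name, blocking_on_change):
        self.name = name
        self.identity_key = secrets.token_bytes(32)  # stand-in for a Curve25519 public key
        self.pinned = {}            # contact -> identity key seen on first contact
        self.blocking = blocking_on_change
        self.notifications = []     # (contact, new safety number) shown to the user

    def send(self, contact, advertised_key, plaintext):
        """Compare the key the server advertises for `contact` with the pinned one.
        Returns 'sent' or 'held'. A changed key always produces a notification;
        a blocking client additionally holds the message until the user re-verifies."""
        pinned = self.pinned.get(contact)
        if pinned is None:
            self.pinned[contact] = advertised_key          # first contact: trust on first use
        elif pinned != advertised_key:
            self.notifications.append((contact, safety_number(self.identity_key, advertised_key)))
            if self.blocking:
                return "held"                               # user must verify before it goes out
            self.pinned[contact] = advertised_key           # non-blocking: re-pin and proceed
        # encryption of `plaintext` to advertised_key would happen here; omitted
        return "sent"

    def verify(self, contact, number_seen_out_of_band, current_key):
        """The user compared the new safety number with the contact in person:
        accept the key only if the number matches what this client computes."""
        if safety_number(self.identity_key, current_key) != number_seen_out_of_band:
            return False
        self.pinned[contact] = current_key
        return True


def key_substitution_scenario(blocking):
    """Alice messages Bob; then the server advertises a different key for Bob.
    Returns (first result, second result, number of notifications Alice saw)."""
    alice, bob = Client("alice", blocking), Client("bob", blocking)
    first = alice.send("bob", bob.identity_key, "hello")          # server relays Bob's real key
    substituted = secrets.token_bytes(32)                           # server swaps in another key
    second = alice.send("bob", substituted, "hello again")
    return first, second, len(alice.notifications)


if __name__ == "__main__":
    print("blocking    :", key_substitution_scenario(True))    # ('sent', 'held', 1)
    print("non-blocking:", key_substitution_scenario(False))   # ('sent', 'sent', 1)
```

In both policies the substitution is detected and surfaced to the sender; the policies differ only in whether the message waits for the user's verification, which is the trade-off the comment discusses.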
Tomi Engdahl says:
Dan Goodin / Ars Technica:
After failing to get 10K bitcoins for stolen NSA exploits, Shadow Brokers post farewell message, dump a cache of Windows hacking tools online
NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage
With 8 days before inauguration of Donald Trump, leak is sure to inflame US officials.
http://arstechnica.com/security/2017/01/nsa-leaking-shadow-brokers-lob-molotov-cocktail-before-exiting-world-stage/
Shadow Brokers, the mysterious group that gained international renown when it published hundreds of advanced hacking tools belonging to the National Security Agency, says it’s going dark. But before it does, it’s lobbing a Molotov cocktail that’s sure to further inflame the US intelligence community.
In a farewell message posted Thursday morning, group members said they were deleting their accounts and making an exit after their offers to release their entire cache of NSA hacking tools in exchange for a whopping 10,000 bitcoins (currently valued at more than $8.2 million) were rebuffed. While they said they would still make good on the offer should the sum be transferred into their electronic wallet, they said there would be no more communications.
Tomi Engdahl says:
McDonald’s forget hash, browns off security experts
Golden Arches website’s security doesn’t pass the sensible surfing taste test
http://www.theregister.co.uk/2017/01/16/xssive_thick_mistake_sees_mcdonalds_forget_hash_browns_off_hacker/
Dutch software engineer Tijme Gommers has revealed a still-active reflected cross-site scripting vulnerability and borked password controls in McDonald’s main website that could be fodder for phishing attacks.
The attack, reported on Gommers’ blog, is possible thanks to an Angular expression injection vuln present in mcdonalds.com and could be used to steal and ship logins to attackers along with account information should users follow links.
Reflected XSS through AngularJS sandbox bypass causes password exposure of McDonald users
https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users
By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald’s user. Besides that, other personal details like the user’s name, address & contact details can be stolen too.
Tomi Engdahl says:
Marijuana dispensaries hit by hack of sales system
https://www.bostonglobe.com/business/2017/01/09/pot-dispensaries-hit-hack-sales-system/ZJ6lfVUmsfu9PqppNaPfOO/story.html
MJ Freeway, a Denver company whose tracking software is used by hundreds of marijuana companies to comply with state regulations, said its main servers and backup system each went down Sunday morning and remained offline as of Monday afternoon.
The software is a major tool for marijuana dispensaries
A spokeswoman for MJ Freeway said the outage, first reported by the industry publication Marijuana Business Daily, was the work of unknown hackers.
“It was a cyber-attack, and it was targeted at us specifically,”
Tomi Engdahl says:
Adobe Sneaks a Google Chrome Extension in Latest Security Update to Collect Data
Ouch! Adobe turning to unusual tactics in security patch
http://news.softpedia.com/news/adobe-sneaks-a-google-chrome-extension-in-latest-security-update-to-collect-data-511807.shtml
Adobe rolled out security updates for its software on Tuesday, but in addition to fixes for vulnerabilities, users also received something they didn’t actually quite expect: a Google Chrome extension that was sneakily installed on their systems.
SwiftOnSecurity reveals on Twitter that the latest Adobe Reader update also deploys a Google Chrome extension that includes telemetry features to collect data from users’ computers.
Adobe Releases Flash Player 24.0.0.194 to Fix 13 Security Flaws
New Flash Player version now available for download
http://news.softpedia.com/news/adobe-releases-flash-player-24-0-0-194-to-fix-13-security-flaws-511728.shtml
Tomi Engdahl says:
Thursday, Jan 12, 2017 – Petah Tikvah, IL
Cellebrite Statement on Information Security Breach
http://www.cellebrite.com/Mobile-Forensics/News-Events/Press-Releases/cellebrite-statement-on-information-security-breach
Petah Tikvah, IL—January 12, 2017—Cellebrite recently experienced unauthorized access to an external web server. The company is conducting an investigation to determine the extent of the breach. The impacted server included a legacy database backup of my.Cellebrite, the company’s end user license management system.
Tomi Engdahl says:
Cellebrite Sold Phone Hacking Tech to Repressive Regimes, Data Suggests
http://motherboard.vice.com/read/cellebrite-sold-phone-hacking-tech-to-repressive-regimes-data-suggests
Cellebrite’s hacking kit is one of the most popular forensics tools on the market, capable of circumventing passcodes and extracting a wealth of data from seized cellphones. US law enforcement agencies have invested heavily in the tech, but Cellebrite may have also sold its wares to authoritarian regimes with abysmal human rights records, such as Turkey, the United Arab Emirates, and Russia, according to a large cache of data obtained by Motherboard.
This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it. Follow along here.
http://motherboard.vice.com/cellebrite-phone-crackers
Tomi Engdahl says:
Rudi Giuliani to Advise Trump on Cyber Security
http://www.securityweek.com/rudi-giuliani-advise-trump-cyber-security
President-elect Donald Trump’s transition team announced Thursday that former New York mayor Rudi Giuliani “will be sharing his expertise and insight as a trusted friend concerning private sector cyber security problems and emerging solutions developing in the private sector.” The details of this new role are vague and sparse; but it would be fair to say that it has raised eyebrows in the security industry.
It would appear that Giuliani’s role is primarily that of a facilitator for meetings between the administration and private industry to discuss problems and practical solutions in cyber security.
Tomi Engdahl says:
Elasticsearch Servers Latest Target of Ransom Attacks
http://www.securityweek.com/elasticsearch-servers-latest-target-ransom-attacks
An estimated 35,000 Elasticsearch clusters exposed to the public Internet are potential victims of a series of ransom attacks that have already hit over 33,000 MongoDB databases.
The attacks, which security researchers Victor Gevers and Niall Merrigan call a “ransack,” have been ongoing for the past several weeks, but targeted only MongoDB databases until of late. To conduct the attack, adversaries discover exposed, insecure databases, (supposedly) steal their contents, and then demand a ransom to return the data.
33,000 Databases Fall in MongoDB Massacre
http://www.securityweek.com/33000-databases-fall-mongodb-massacre
Tomi Engdahl says:
Mobile Forensics Firm Cellebrite Hacked
http://www.securityweek.com/mobile-forensics-firm-cellebrite-hacked
A hacker claims to have stolen hundreds of gigabytes of data from Cellebrite, the Israel-based mobile forensics company rumored to have helped the FBI hack an iPhone belonging to the terrorist Syed Rizwan Farook.
Vice’s Motherboard reported that an unnamed hacker breached Cellebrite’s systems and managed to steal 900 Gb of data, including customer usernames and passwords, databases, data collected by the company from mobile devices, and other technical information.
Tomi Engdahl says:
Shadow Brokers “Retire” Awaiting Offer of 10,000 Bitcoins for Cache of Exploits
http://www.securityweek.com/shadow-brokers-retire-awaiting-offer-10000-bitcoins-cache-exploits
The mysterious hacking group calling themselves “The Shadow Brokers” has apparently decided to put an end to their failed attempts to sell exploits and hacking tools they claimed to have stolen from the NSA-linked Equation Group.
Tomi Engdahl says:
US Marines seek more than a few good men (3,000 men and women, actually) for cyber-war
From the phones of Montezuma to the servers of Tripoli
http://www.theregister.co.uk/2017/01/14/us_marines_seek_more_than_a_few_good_men_for_cyber_warfare/
The head of the US Marines wants to recruit about 3,000 troops skilled in online warfare and espionage to make sure the Corps is ready for 21st-century battle.
On Thursday, General Robert Neller told the Surface Navy Association’s annual convention that he was looking to raise his numbers from 182,000 to 185,000 in the next Defense Appropriations Bill – and wants to use the extra heads to beef up online and electronic warfare capabilities.
Tomi Engdahl says:
Promising compsci student sold key-logger, infects 16,000 machines, pleads guilty, faces jail
What a Shames
http://www.theregister.co.uk/2017/01/14/students_keylogger_guilty/
A 21-year-old computer science student, who won a Programmer of the Year Award in high school, has admitted selling key-logging malware out of his college dorm room.
According to the Eastern Virginia district attorney’s office, Shames was responsible for developing and selling more than 3,000 copies of a key-logger program called Limitless Logger that was used to infect at least 16,000 machines.
Tomi Engdahl says:
Windows 10 Anniversary Update crushed exploits without need of patches
Microsoft security boffins throw fresh CVEs at unpatched OS, emerge smiling
http://www.theregister.co.uk/2017/01/16/windows_10_anniversary_update_crushed_exploits_without_need_of_patches/
Microsoft says its Windows 10 Anniversary Update squashes more exploit delivery chains than ever.
The August updates brought in a series of operating system security improvements including boosts to Windows Defender and use of AppContainer, designed to raise the difficulty of having zero day exploits execute on patched systems.
Redmond’s security team tested its exploit mitigations against two kernel-level, then zero-day exploits (CVE-2016-7255, CVE-2016-7256) offering privilege escalation that were used by active hacking groups.
Tomi Engdahl says:
Disaster Recovery for Mobile Users
http://it.toolbox.com/blogs/itmanagement/disaster-recovery-for-mobile-users-75329?mid=6158450&lgid=3441165&mailing_id=2623844&list=it-reg&mailing=manualoffers&tfso=147247&engine_id=1
Disaster recovery used to be the domain of desktops. Companies had a security strategy in case their computers were infected by malware or a flood swamped the office, damaging monitors and processors. Now, more brands are investing in mobile disaster recovery — a contingency plan for mobile continuity after an emergency.
Mobile disaster recovery lets companies back up valuable data, collaborate on projects, and save money after an emergency. This new technology provides a lifeline for companies that want to retain customers, share files and access documents and emails when the unexpected happens. Only 25 percent of businesses that close as a result of a major disaster ever reopen, so a mobile disaster recovery strategy could be essential to keep your business running.
Tomi Engdahl says:
How to Ensure you’re Not Part of the Next Botnet
https://hosteddocs.ittoolbox.com/HowtoensureYou%E2%80%99reNotBotnet.pdf
Botnets are covert armies of compromised networked computers and devices (bots) that have been subverted by malware to enable remote control by a cybercriminal. Botnets are bred and nurtured by hackers to provide a powerful, dark cloud computing network used to conduct cybercrime attacks, like the recent DDoS attack.
Best-practices to consider (both for your organization and for your home):
• Immediately change the default passwords for all your network devices to a unique complex password, and use a password manager if necessary.
• Minimize the use of IoT devices and keep your essential devices up to date. Disconnect any unnecessary devices, upgrade older devices to newer more secure models, and keep all your devices up to date with the latest firmware updates.
• Avoid IoT devices that require ports opened in your Firewall or router to provide remote access. Instead, use cloud-based devices that connect only to the cloud provider’s servers and don’t offer any direct remote access.
• Do not enable UPnP on your firewall or router. This protocol enables devices to open ports on your firewall on demand without your knowledge, increasing your surface area of attack.
• Use secure VPN technologies to manage devices remotely.
How to protect your organization
- Advanced Threat Protection
- Intrusion prevention
- Sandboxing
- Web and email protection
- Web Application Firewall
Tomi Engdahl says:
TruffleHog Sniffs Github for Secret Keys
http://hackaday.com/2017/01/13/trufflehog-sniffs-github-for-secret-keys/
Secret keys are quite literally the key to security in software development. If a malicious actor gains access to the keys securing your data, you’re toast. The problem is, to use keys, you’ve got to write them down somewhere – oftentimes in the source code itself. TruffleHog has come along to sniff out those secret keys in your Github repository.
It’s an ingenious trick — a Python script goes through the commit history of a repository, looking at every string of text greater than 20 characters, and analyzing its Shannon entropy.
Searches through git repositories for high entropy strings, digging deep into commit history
https://github.com/dxa4481/truffleHog
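The entropy test described above, as an added example (my own code, not the truffleHog project’s): it splits each word of a diff into runs of base64-style or hex-style characters of at least 20 characters and flags those whose Shannon entropy exceeds a per-class threshold. The 4.5- and 3.0-bit thresholds and the sample diff are assumptions constructed for this illustration; the two AWS-looking values are the placeholders from AWS documentation, not real credentials.

```python
import math

# Character classes scanned, in the spirit of truffleHog: base64-style and hex-style tokens.
BASE64_CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz0123456789+/=")
HEX_CHARS = "0123456789abcdefABCDEF"

# Thresholds in bits per symbol (assumed values chosen for this illustration).
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str, charset: str) -> float:
    """Shannon entropy of `data` in bits per symbol, counting only symbols from `charset`."""
    if not data:
        return 0.0
    entropy = 0.0
    for symbol in charset:
        p = data.count(symbol) / len(data)
        if p > 0:
            entropy -= p * math.log2(p)
    return entropy


def candidate_strings(word: str, charset: str, min_len: int = 20) -> list:
    """Maximal runs of `charset` characters inside `word` that are at least `min_len` long."""
    runs, current = [], []
    for ch in word + "\0":  # the NUL sentinel is never in a charset, so it flushes the last run
        if ch in charset:
            current.append(ch)
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    return runs


def find_high_entropy_strings(text: str, min_len: int = 20) -> list:
    """Return (line_number, string, entropy) for every token above its class threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for word in line.split():
            for s in candidate_strings(word, BASE64_CHARS, min_len):
                e = shannon_entropy(s, BASE64_CHARS)
                if e > BASE64_THRESHOLD:
                    findings.append((lineno, s, e))
            for s in candidate_strings(word, HEX_CHARS, min_len):
                e = shannon_entropy(s, HEX_CHARS)
                if e > HEX_THRESHOLD:
                    findings.append((lineno, s, e))
    return findings


# Constructed diff fragment standing in for one commit's added lines. The AWS-looking values
# are the documented AWS placeholder examples, not real credentials.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+# TODO: move credentials to environment variables before release
+api_token = "0123456789abcdef0123456789abcdef"
"""

if __name__ == "__main__":
    for lineno, s, e in find_high_entropy_strings(SAMPLE_DIFF):
        print(f"line {lineno}: {s} (entropy {e:.2f} bits/symbol)")
```

Only the 40-character secret key and the 32-character hex token are reported; the 20-character key ID on line 1 stays below the base64 threshold, showing that entropy scanning alone catches long random secrets but can miss short or structured ones.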
Tomi Engdahl says:
Simon Sharwood / The Register:
Google publishes paper detailing its cloud security strategy, including the deployment of custom chips on servers and peripherals — Even the servers it colocates (!) says new docu revealing Alphabet sub’s security secrets — Google has published an Infrastructure Security Design Overview …
Google reveals its servers all contain custom security silicon
Even the servers it colocates (!) says new doc detailing Alphabet sub’s security secrets
http://www.theregister.co.uk/2017/01/16/google_reveals_its_servers_all_contain_custom_security_silicon/
Google has published an Infrastructure Security Design Overview that explains how it secures the cloud it uses for its own operations and for public cloud services.
Revealed last Friday, the document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary’s operations, none more so than the revelation that “we also design custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals. These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level.”
Google Infrastructure Security Design Overview
https://cloud.google.com/security/security-design/
The content contained herein is correct as of January 2017, and represents the status quo as of the time it was written. Google’s security policies and systems may change going forward, as we continually improve protection for our customers.
CIO-level summary
Google has a global scale technical infrastructure designed to provide security through the entire information processing lifecycle at Google. This infrastructure provides secure deployment of services, secure storage of data with end user privacy safeguards, secure communications between services, secure and private communication with customers over the internet, and safe operation by administrators.
Google uses this infrastructure to build its internet services, including both consumer services such as Search, Gmail, and Photos, and enterprise services such as G Suite and Google Cloud Platform.
The security of the infrastructure is designed in progressive layers starting from the physical security of data centers, continuing on to the security of the hardware and software that underlie the infrastructure, and finally, the technical constraints and processes in place to support operational security.
Google invests heavily in securing its infrastructure with many hundreds of engineers dedicated to security and privacy distributed across all of Google, including many who are recognized industry authorities.
Tomi Engdahl says:
Microsoft Says Windows 7 Has Outdated Security, Wants You to Move to Windows 10
Redmond starts the Windows 10 offensive against Windows 7
http://news.softpedia.com/news/microsoft-says-windows-7-has-outdated-security-wants-you-to-move-to-windows-10-511835.shtml
Windows 10 is now running on more than 20 percent of the world’s desktop computers, and yet, Microsoft’s biggest challenge isn’t necessarily to boost the market share of its latest operating system, but to convince those on Windows 7 to upgrade.
Even with Windows 10 on the market, Windows 7 continues to be the preferred desktop operating system across the world, and third-party data shows that it’s still close to 50 percent market share.
With Windows 7 support coming to an end in 3 years, Microsoft is well aware that it could experience another Windows XP moment when users might refuse to upgrade despite the obvious security risks.
So it shouldn’t come as a big surprise that Microsoft has already started the offensive against Windows 7, with a blog post published by the German subsidiary of the software giant pointing to the setbacks of this old operating system as compared to Windows 10.
Tomi Engdahl says:
This is why you should never Instagram your boarding pass
http://www.theverge.com/2017/1/10/14226034/instagram-boarding-pass-security-problem-bad-idea
There’s a problem with the way airlines manage passenger information — and Instagram is making it worse. After decades of technological progress, airlines’ proof that you are who you say you are still boils down to a single six-digit number, encoded in the barcode on your boarding pass. And because of Instagram (particularly #boardingpass), those bar codes are easy to find.
The vulnerability itself is old news
The systems are complicated, but the larger takeaway is simple: your boarding pass has a lot of private information coded onto it. You shouldn’t put pictures of it on the internet. That’s true even after the flight itself has taken place, since a lot of personal detail is still extractable.
Tomi Engdahl says:
ISIS Is Dropping Bombs With Drones In Iraq
https://tech.slashdot.org/story/17/01/16/2131229/isis-is-dropping-bombs-with-drones-in-iraq
In addition to rifles, mortars, artillery and suicidal car bombs, ISIS has recently added commercial drones, converted into tiny bombs, into the mix of weapons it uses to fight in Iraq. In October, The New York Times reported that the Islamic State was using small consumer drones rigged with explosives to fight Kurdish forces in Iraq.
ISIS is dropping bombs with drones in Iraq
The quadcopter menace
http://www.popsci.com/isis-is-dropping-bombs-with-drones-in-iraq?dom=rss-default&src=syn
The latest bomber to make its debut over Iraq has four engines, no cockpit, and a flight time limited by the length of its battery.
Previously, we’ve seen ISIS scratch-build drones
These drone bombers recently captured by Iraqi forces and shared with American advisors appear to be commercial, off-the-shelf models, adapted to carry grenade-sized payloads.
“It’s not as if it is a large, armed UAV [unmanned aerial vehicle] that is dropping munitions from the wings—but literally, a very small quadcopter that drops a small munition in a somewhat imprecise manner,” [Col. Brett] Sylvia, commander of an American military advising mission in Iraq, told Military Times. “They are very short-range, targeting those front-line troops from the Iraqis.”
Because the drones used are commercial models, it likely means that anti-drone weapons already on hand with the American advisors are sufficient to stop them.
It’s worth noting that the bomb-dropping drones are just a small part of how ISIS uses the cheap, unmanned flying machines. Other applications include scouts and explosive decoys, as well as one-use weapons.
ISIS Is Using Exploding Consumer Drones To Kill Enemy Fighters
https://news.slashdot.org/story/16/10/12/2150211/isis-is-using-exploding-consumer-drones-to-kill-enemy-fighters?sdsrc=rel
Tomi Engdahl says:
Is your browser safe against tracking?
https://panopticlick.eff.org/
When you visit a website, online trackers and the site itself may be able to identify you – even if you’ve installed software to protect yourself. It’s possible to configure your browser to thwart tracking, but many people don’t know how.
Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software.
Tomi Engdahl says:
Firefox Update Will Kill This Sneaky Tracking Technique
http://www.forbes.com/sites/leemathews/2017/01/16/firefox-update-kills-sneaky-tracking/2/#685c531f6278
While that may allow, say, an advertiser to gain some insight as to who you are, it greatly reduces the level of precision. It’s worth noting that another web browser already features this functionality: the privacy-focused Tor browser.
These 6 Simple Tools Help Protect Your Online Privacy
http://www.forbes.com/sites/leemathews/2016/11/14/these-6-easy-tools-will-help-protect-your-online-privacy/#25dcb1f96b57
Tomi Engdahl says:
The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.
https://github.com/minimaxir/big-list-of-naughty-strings
Tomi Engdahl says:
This is how corporate networks will change this year
1. Clouds merge
Companies increasingly rely on cloud infrastructure, and they are already fluent in using several different clouds. In 2017 the practices of individuals and businesses change fundamentally, as the various clouds begin to blend together.
2. The importance of the digital edge rises
Business models are changing, forcing companies to change their conduct. In today’s digital business, multi-cloud convergence means a natural expansion of the frontier towards the edges of the network, where users and data are located.
3. Interconnection traffic becomes the central nervous system of digital business
Companies are seeking to combine physical and digital operations, because this supports global business. However, managing different cloud environments with many suppliers and solutions can give administrators gray hair.
4. Information security is acquired as a service
Regulatory requirements, such as the EU’s new Data Protection Regulation, and the demands of running a successful business are forcing companies to think about security solutions for distributed environments. The growing popularity of hybrid cloud makes companies realize that cloud service providers do not offer comprehensive security solutions.
5. The era of interconnected e-commerce begins
The world of payments is changing faster than at any time since the Phoenicians invented money. Trade is becoming global and mobile.
6. Software-based infrastructure advances
The massive growth of telecommunications has paved the way for an era of global backbone networks consisting of undersea cables, wireless 5G networks and satellites. This means software-defined networking (SDN) and network functions virtualization (NFV).
7. The IoT enters everyday life
So far, Internet of Things deployments have consisted of individual applications, but the situation is changing. Applications are beginning to talk to each other using the same data.
Source: http://www.etn.fi/index.php/13-news/5677-naein-yritysverkot-muuttuvat-taenae-vuonna
Tomi Engdahl says:
Lithuania halts data center construction, fears Russia will hack fiber-optic cables
http://www.cablinginstall.com/articles/pt/2017/01/lithuania-halts-data-center-construction-fears-russia-will-hack-fiber-optic-cables.html?cmpid=enl_cim_cimdatacenternewsletter_2017-01-17
Reuters reports that the government of Lithuania ordered a halt to construction of a data center because of fears a planned fiber-optic network link to Russia would risk the nation’s security.
Reuters quotes a spokesman for Darius Jauniskis, Lithuania’s counter-intelligence head, as saying they alerted the government that if the data center were linked to Russia via a fiber-optic link, it could be linked by Russia’s Federal Security Service to its radio electronic reconnaissance network.
Tomi Engdahl says:
McDonald’s Website Flaws Allow Phishing Attacks
http://www.securityweek.com/mcdonalds-website-flaws-allow-phishing-attacks
A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues.
Dutch security enthusiast Tijme Gommers discovered a reflected cross-site scripting (XSS) vulnerability in the search functionality of the McDonald’s website. The flaw can be exploited through a known sandbox escape method in the AngularJS JavaScript framework, and it allows an attacker to load an external JavaScript file that can be designed to steal a user’s password.
Stealing passwords from McDonald’s users
https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users
Tomi Engdahl says:
Russian State Television Blames Hackers for BBC Sherlock Finale Leak
http://www.securityweek.com/russian-state-television-blames-hackers-bbc-sherlock-finale-leak
A Russian state-controlled broadcaster on Monday blamed hackers for the embarrassing leak online of the final episode of the BBC drama Sherlock a day before it was due to air.
Russia’s Channel One was set to broadcast the final episode of the fourth series of the popular detective drama starring Benedict Cumberbatch on Monday just after midnight Moscow time (2100 GMT), simultaneously with Britain.
But the full episode professionally dubbed into Russian by the channel was leaked online Saturday and swiftly copied across numerous sites.
“According to preliminary findings, the cause was a hacker attack,” Channel One spokeswoman Larisa Krymova said in a statement sent to AFP.
The BBC said Sunday that it had launched a full investigation, the Telegraph website reported, also citing a source at the corporation as claiming that the leak was “more than an accident.”
Tomi Engdahl says:
It’s estimated that cybersecurity breaches will cost global businesses more than $2 trillion by 2019 – more than four times the costs registered in 2015. In enterprises both large and small, the cost of protecting critical data has become one of the most crucial – and unpredictable – risks faced by the business.
Source: http://info.interop.com/itx/2017/scheduler/track/security/
Tomi Engdahl says:
Farhad Manjoo / New York Times:
The centralization of the internet via app stores has made government censorship easier, as shown by the removal of LinkedIn and NYT apps in Russia and China
Clearing Out the App Stores: Government Censorship Made Easier
https://www.nytimes.com/2017/01/18/technology/clearing-out-the-app-stores-government-censorship-made-easier.html
There’s a new form of digital censorship sweeping the globe, and it could be the start of something devastating.
In the last few weeks, the Chinese government compelled Apple to remove New York Times apps from the Chinese version of the App Store. Then the Russian government had Apple and Google pull the app for LinkedIn, the professional social network, after the network declined to relocate its data on Russian citizens to servers in that country. Finally, last week, a Chinese regulator asked app stores operating in the country to register with the government, an apparent precursor to wider restrictions on app marketplaces.
Here’s the thing: It’s a more effective form of censorship.
Blocking a website is like trying to stop lots of trucks from delivering a banned book; it requires an infrastructure of technical tools (things like China’s “Great Firewall”), and enterprising users can often find a way around it. Banning an app from an app store, by contrast, is like shutting down the printing press before the book is ever published. If the app isn’t in a country’s app store, it effectively doesn’t exist. The censorship is nearly total and inescapable.
But that’s not the end of this story. The banning of apps highlights a deeper flaw in our modern communications architecture: It’s the centralization of information, stupid.
“I think the app store censorship issue is one layer of ice on the surface of the iceberg above the waterline,”
For more than a decade, we users of digital devices have actively championed an online infrastructure that now looks uniquely vulnerable to the sanctions of despots and others who seek to control information.
Compared with older forms of distributing software, apps downloaded from app stores are more convenient for users and often more secure from malware, and they can be more lucrative for creators.
The internet’s earliest boosters considered it a magical tool to liberate people from restrictions on speech. The easy banning of apps suggests that if we let it, the internet could instead become something quite the opposite — one of the most efficient choke points of communication the world has ever seen.
Tomi Engdahl says:
Hackers Steal Forum Accounts From ‘Clash of Clans’ Creator Supercell
http://motherboard.vice.com/read/hackers-steal-Forum-accounts-from-clash-of-clans-creator-supercell
Data traders are allegedly swapping the details of over one million user accounts belonging to Supercell, the company behind hit mobile games such as Clash of Clans. The user accounts relate to Supercell’s community forum.
“Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed,” Supercell told Motherboard in a statement. The company also posted the statement onto the affected forums, and warned users to change their passwords.
Important: your Supercell forum password may be at risk – change it immediately
https://forum.supercell.com/showthread.php/1392034-Important-your-Supercell-forum-password-may-be-at-risk-%C2%96-change-it-immediately
Dear Supercell Forum user,
As we’ve said before, to provide our forum service we use software from vbulletin.com. We’re currently looking into a report that a vulnerability allowed third party hackers to gain illegal access to some forum user information, including a number of emails and encrypted passwords. Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed.
Please note that this breach only affects our Forum service. Game accounts have not been affected.
To make sure your account is not being accessed without your knowledge, please change the password you are using on this forum as soon as possible.
Tomi Engdahl says:
Turns Out Banks Use Cellebrite Phone Cracking Tech Too
http://motherboard.vice.com/read/banks-use-cellebrite-phone-cracking-tech-too?trk_source=recommended
This is part of an ongoing Motherboard series on the proliferation of phone cracking technology, the people behind it, and who is buying it.
The biggest customer base for phone cracking technology is likely law enforcement: cops who need to circumvent passcodes on seized devices, and extract data like SMS, emails, and more from mobile phones.
But this sort of tech is also in the hands of banks. It’s perhaps common knowledge within information security circles, though the wider public is probably much less aware that private companies, which will have different forms of oversight than the police, use phone cracking products to conduct their own investigations.
“The larger banks have internal fraud and investigation teams. Just like an external consulting team,”
One of the most popular mobile phone forensics companies generally is Cellebrite, an Israeli firm that has law enforcement customers all over the world. Cellebrite’s flagship device, the Universal Forensic Extraction Device (UFED), can pull data from thousands of different mobile phone brands and versions.
The Bank of America message was related to extracting passcodes from mobile phones.
Why would banks need phone cracking devices, anyway?
“A lot of different types of companies do their own internal investigations,” Jon Zdziarski, a forensic scientist, told Motherboard in a Signal message. “For example a sexual harassment claim that took place using employee equipment. Not something for the police to deal with, but an internal team. Or fraud sure.”
Tomi Engdahl says:
PureVPN + NoScript = Ultimate Security
https://www.purevpn.com/vpn-service/noscript-special.php
PureVPN equips you with sophisticated military-grade data tunneling protocols and data encryption techniques.
Go get your privacy back from the hands of Hackers, Surveillance Agencies and Cybercriminals!
Stay secure and private with a hidden IP address and online encrypted traffic.
Tomi Engdahl says:
College fires IT admin, loses access to Google email, successfully sues IT admin for $250,000
Sacked techie claims school retaliated over race complaint
https://www.theregister.co.uk/2017/01/18/school_fires_sues_it_admin/
Shortly after the American College of Education (ACE) in Indiana fired IT administrator Triano Williams in April, 2016, it found that it no longer had any employees with admin access to the Google email service used by the school.
In a lawsuit [PDF] filed against Williams in July, 2016, the school alleges that it asked Williams to return his work laptop, which was supposed to have the password saved.
ACE claimed that its students could not access their Google-hosted ACE email accounts or their online coursework.
The school appealed to Google, but Google at the time refused to help because the ACE administrator account had been linked to Williams’ personal email address.
“By setting up the administrator account under a non-ACE work email address, Mr Williams violated ACE’s standard protocol with respect to administrator accounts,” the school’s complaint states. “ACE was unaware that Mr Williams’ administrator account was not linked to his work address until after his employment ended.”
According to the school’s court filing, Williams, through his attorney, said he would help the school reinstate its Google administrator account, provided the school paid $200,000 to settle his dispute over the termination of his employment.
That amount is less than half the estimated $500,000 in harm the school says it has suffered due to its inability to access its Google account, according to a letter from Williams’ attorney in Illinois, Calvita J Frederick.
He was told he had to relocate to Indianapolis.
“His working remotely has always been a condition of his employment.”
Frederick said the school has been subject to several discrimination claims over the past two years.
Fired IT employee offered to unlock data — for $200,000
http://www.indystar.com/story/news/2017/01/17/after-his-firing-employee-unlock-data-200000/96487962/
Indianapolis-based American College of Education fired its information technology employee last year, according to court documents, but not before an administrative password was changed.
The online college then asked the man to unlock the Google account that stored email and course material for 2,000 students, according to a lawsuit filed by the college. The man said he’d be willing to help — if the college paid him $200,000.
Welcome to the new frontier of tech concerns in a business world that has come to depend on the cloud.
The college’s IT employees had been spread across the country, too, but the school decided early last year to give them the choice to move to Indianapolis or resign and take a severance deal. Other IT workers resigned, according to court records, leaving Triano Williams as the sole systems administrator when he was fired on April 1 after he refused to relocate from his home in suburban Chicago.
School officials asked Google for help. Google, the college said, refused to grant access to anyone other than Williams, who was listed as the account’s sole administrator.
When officials called Williams, he directed them to his lawyer.
Tomi Engdahl says:
That critical “ImageTragick” bug Ars warned you about? It cost Facebook $40k
Widely used image-processing app left site vulnerable to code-execution exploits.
http://arstechnica.com/security/2017/01/that-critical-imagetragick-bug-ars-warned-you-about-it-cost-facebook-40k/
Last May, Ars reported that a critical vulnerability in a widely used image-processing application left a huge number of websites open to attacks that allowed hackers to execute malicious code on the underlying servers. More than five months later, Facebook paid a $40,000 bounty after discovering it was among those at risk.
On Tuesday, researcher Andrey Leonov said he was able to exploit the vulnerability in the ImageMagick application by using a tunneling technique based on the domain name system that bypassed Facebook firewalls. The firewalls had successfully protected against his earlier exploit attempts. Large numbers of websites use ImageMagick to quickly resize images uploaded by users.
Facebook’s ImageTragick story
http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
Tomi Engdahl says:
Paul Sawers / VentureBeat:
In an effort to avoid governments shutting off access, encrypted email service ProtonMail now supports Tor
Encrypted email service ProtonMail now supports Tor to thwart meddling governments
http://venturebeat.com/2017/01/19/encrypted-email-service-protonmail-now-supports-tor-to-thwart-meddling-governments/
Encrypted email service ProtonMail is doubling down on its privacy credentials today with the news that it will now allow users to connect their email accounts through the Tor network.
Founded out of CERN in Switzerland back in 2013, ProtonMail launched globally last year with the promise of client-side encryption, meaning that all data is encrypted before it arrives on the company’s servers. A few months back, the company added two-factor authentication (2FA) to its service for added security.
Tomi Engdahl says:
‘I’ll make you famous’: Alberta man turns table on laptop thief, takes it over remotely and posts her info online
http://news.nationalpost.com/news/canada/ill-make-you-famous-b-c-man-turns-the-table-on-laptop-thief-takes-it-over-remotely-and-posts-her-info-online
Cochrane’s Stu Gale couldn’t believe his eyes when a notification popped up on his computer telling him someone had logged on to his recently stolen laptop.
The Alberta-based 51-year-old computer security and automation expert couldn’t let the opportunity to try to find out something about the apparent thief pass him by, so he attempted to remotely log on to the pilfered laptop.
And that’s when he discovered the less-than-tech-savvy suspect was logging into her Facebook account before his eyes.
Although she kept closing the pop-up window whenever he tried to log on to his missing laptop, she eventually left the room, leaving the computer logged in to her Facebook account — and Gale free rein to scour its contents.
“I went through and got her phone numbers, friends list and pictures”
“I called one of them and told her (the thief) was on a stolen laptop and told her I’d give her the opportunity to return it.”
When the woman returned, realizing that the stolen computer had been hijacked by its owner, she immediately shut it down. But Gale still left a chat message addressed to the thief and sent a text message to all her listed mobile devices.
Tomi Engdahl says:
Data network company secured Finland’s data connection with an exceptional solution, “perhaps the only one in the whole world”
In the spring of 2015 Cinia adopted an exceptional solution: it established its own cyber security advisory council.
“We are perhaps the only company in Finland, in Europe or in the world that has such a Council,” says Ari-Jussi Knaapila.
The council brainstormed by Knaapila and Hyvärinen consists of five cyber security experts from outside the company. Members of Cinia’s Board of Directors and Executive Committee are also closely involved in the work of the Council.
“Identified cyber threats we have dealt with in the Council include, for example, unauthorized data acquisition targeting companies, the risks of IoT devices and physical risks to the ICT infrastructure,” he explains.
PwC’s Jani Arnell has been involved in Cinia’s cyber security council since the beginning. According to him, US companies in particular have recently woken up to cyber threats and their impact on business: “Many have now raised tough cyber security experts onto their boards.”
Source: http://www.tivi.fi/Kaikki_uutiset/tietoverkkoyhtio-turvasi-suomen-datayhteyden-poikkeuksellisella-ratkaisulla-ehka-ainoa-koko-maailmassa-6616753
Tomi Engdahl says:
Kate Conger / TechCrunch:
Security and privacy experts raise questions about viral selfie app Meitu’s app permissions, like GPS, call and carrier info, and more that are unrelated to its core use
The cost of hot selfie app Meitu? A healthy dose of your personal info
https://techcrunch.com/2017/01/19/meitu-app-collects-personal-data/
You’ve probably seen a Meitu selfie in your Instagram or Facebook feed in the past 24 hours. The app smoothes skin, slims down faces, and even applies a layer of virtual blush and lipgloss, adding a beautifying effect to your photos. And although the app has been popular in China for years — Meitu went public in Hong Kong last month — it only recently caught on with American users.
But security experts quickly pointed out that Meitu, which is free to download in Google Play and the App Store, requires way more data from users’ phones than is necessary for a simple photo app and contains some allegedly sketchy code.
It’s normal for a photo app to require permission to access a phone’s camera and camera roll, so that it can take pictures or edit ones already on the device.
The Android version of Meitu wants a lot more than that: the app can access information about what other apps users are running, their precise locations, their unique device identifier numbers (IMSIs), call information, carrier information and wifi connections.
The iOS version is similarly data-hungry
The problem of abusing app permissions isn’t unique to Meitu — lots of free apps require users to hand over more data than necessary for the app’s core functions. The information could be sold to marketers, or otherwise repurposed to turn a profit.
“It’s becoming the new normal,” Linares says of invasive free apps. “It’s because we’re at this point in society, people want to generate their likes and retweets. People download this app and put security in the backseat to make sure they have their social media presence.”
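The permission over-reach described above is easy to check for mechanically. The following is an added example, not code from the article, TechCrunch or Meitu: it parses an AndroidManifest.xml, compares the declared permissions against an allow-list of what a photo-editing app can justify, and reports what each excess permission exposes. The manifest is constructed for illustration (it is not Meitu’s real manifest, only one declaring the kinds of permissions the article names), and the baseline allow-list is this editor’s assumption.

```python
"""Flag Android manifest permissions that exceed what a photo-editing app needs.

Added example. SAMPLE_MANIFEST is constructed for illustration and is not
Meitu's real AndroidManifest.xml; the permission strings are standard Android
permission names, and PHOTO_APP_BASELINE is an assumed allow-list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name in Clark notation

# Assumption: the minimal set a camera/photo-editing app can justify.
# INTERNET is kept because sharing/upload is a plausible core feature.
PHOTO_APP_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.INTERNET",
}

# What each commonly over-requested permission exposes (standard Android semantics).
EXPOSURE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI, carrier and call state",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details (SSID/BSSID)",
    "android.permission.GET_TASKS": "list of running apps",
    "android.permission.READ_CONTACTS": "address book",
}

# Constructed sample: a "selfie filter" app declaring far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.selfiefilter">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every permission the manifest requests, in declaration order.

    Both <uses-permission> and <uses-permission-sdk-23> count; the latter is
    only requested on API 23+ but still grants the same access there.
    """
    root = ET.fromstring(manifest_xml)
    perms = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                perms.append(name)
    return perms


def excess_permissions(manifest_xml: str, baseline=PHOTO_APP_BASELINE) -> dict[str, str]:
    """Map each permission outside the baseline to what it exposes."""
    return {
        p: EXPOSURE.get(p, "unclassified; review manually")
        for p in declared_permissions(manifest_xml)
        if p not in baseline
    }


def report(manifest_xml: str) -> str:
    """Human-readable summary of the over-reach, one line per excess permission."""
    excess = excess_permissions(manifest_xml)
    if not excess:
        return "no permissions beyond the photo-app baseline"
    lines = [f"{len(excess)} permission(s) beyond the photo-app baseline:"]
    lines += [f"  {perm}: {what}" for perm, what in excess.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

The same check works on a real APK: `apktool d app.apk` (or `aapt dump permissions app.apk`) yields the decoded manifest, and anything the script flags is a question for the vendor, not proof of malice; a legitimate feature may explain a permission, but the burden is on the app to justify it.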
Tomi Engdahl says:
Kim Zetter / The Intercept:
Lavabit e-mail service, which shut down in 2013 to avoid a court order connected to the Snowden investigation, relaunches with features to thwart surveillance
Encrypted Email Service Once Used by Edward Snowden Relaunches
https://theintercept.com/2017/01/20/encrypted-email-service-once-used-by-edward-snowden-to-relaunch/
In 2013, Ladar Levison, founder of the encrypted email service Lavabit, took the defiant step of shutting down the company’s service rather than comply with a federal law enforcement request that could compromise its customers’ communications.
The FBI had sought access to the email account of one of Lavabit’s most prominent users — Edward Snowden. Levison had custody of his service’s SSL encryption key that could help the government
Lavabit had 410,000 user accounts at the time.
Rather than undermine the trust and privacy of his users, Levison ended the company’s email service entirely, preventing the feds from getting access to emails stored on his servers. But the company’s users lost access to their accounts as well.
Levison, who became a hero of the privacy community for his tough stance
On Friday, he’s relaunching Lavabit with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well
The new service addresses what has become a major fault line between tech companies and the government: the ability to demand backdoor access to customer data.
Lavabit has a particular claim to fame: It was an encrypted email service that Snowden used before the shutdown.
Snowden told The Intercept that he plans on reactivating his Lavabit account once it relaunches, “if only to show support for their courage.”
Today’s launch is only for existing users to reinstate their old accounts under the new architecture so they will work with the end-to-end encryption client software when it’s rolled out.
Levison isn’t sure if they will migrate old emails to the new platform
With the new architecture, Lavabit will no longer be able to hand over its SSL key, because the key is now stored in a hardware security module
“Once it’s in there we cannot pull that SSL key back out,” says Sean, a Lavabit developer who asked to be identified only by his first name.
The hardware security module is a temporary solution, however, until end-to-end encryption is available, which will encrypt email on the user’s device and make the SSL encryption less critical.
Tomi Engdahl says:
Zeynep Tufekci / technosociology:
Open letter signed by 60+ security experts calls for The Guardian to retract story about alleged WhatsApp backdoor vulnerability
In Response to Guardian’s Irresponsible Reporting on WhatsApp: A Plea for Responsible and Contextualized Reporting on User Security
http://technosociology.org/?page_id=1687
Dear Guardian Editors,
You recently published a story with the alarming headline “WhatsApp backdoor allows snooping on encrypted messages.” This story included the phrasing “security loophole”.
Unfortunately, your story was the equivalent of putting “VACCINES KILL PEOPLE” in a blaring headline over a poorly contextualized piece. While it is true that in a few cases, vaccines kill people through rare and unfortunate side effects, they also save millions of lives.
The behavior described in your article is not a backdoor in WhatsApp. This is the overwhelming consensus of the cryptography and security community. It is also the collective opinion of the cryptography professionals
The behavior you highlight is a measured tradeoff that poses a remote threat in return for real benefits that help keep users secure, as we will discuss in a moment.