Security trends 2017

The year 2017 will not bring a turn towards better data security. The internet is rife with both well-known and unknown threats, and company systems are expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure will come under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as the first step of a long-term plan to mark all HTTP sites as non-secure.
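As an added example (not code from the original post), a small Python check that applies the Chrome 56 rule above to a page's HTML and URL. The sample pages are constructed, and the credit-card heuristic (HTML autofill `autocomplete` tokens) is an assumption of mine; Chrome's own detection is more elaborate.

```python
"""Flag pages that Chrome 56 would label as not secure: plain-HTTP pages
carrying a password field or a credit card field. Added example, not from
the original post; the credit card heuristic is an assumption."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# HTML autofill tokens that identify credit card inputs (assumed heuristic)
CC_AUTOCOMPLETE = {
    "cc-name", "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year",
}


class SensitiveInputFinder(HTMLParser):
    """Count password and credit card <input> elements in a page."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.cc_inputs = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # boolean attributes such as <input required> carry a None value
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if a.get("type") == "password":
            self.password_inputs += 1
        elif a.get("autocomplete") in CC_AUTOCOMPLETE:
            self.cc_inputs += 1


def chrome56_label(page_url, html):
    """Return "secure", "not secure" or "neutral" for page_url serving html.

    "not secure": plain HTTP with at least one password or credit card input
    "neutral":    plain HTTP without such inputs (no warning yet in Chrome 56)
    "secure":     served over HTTPS
    """
    scheme = urlparse(page_url).scheme.lower()
    finder = SensitiveInputFinder()
    finder.feed(html)
    finder.close()
    sensitive = finder.password_inputs + finder.cc_inputs
    if scheme == "https":
        return "secure"
    if scheme == "http" and sensitive > 0:
        return "not secure"
    return "neutral"


def audit(pages):
    """Classify a {url: html} mapping and return only the pages that need fixing."""
    labels = {url: chrome56_label(url, html) for url, html in pages.items()}
    return {url: label for url, label in labels.items() if label == "not secure"}


# Constructed sample pages (not real sites)
LOGIN_HTML = """<form action="/login" method="post">
  <input name="user"><input type="PASSWORD" name="pw" required>
  <button>Sign in</button></form>"""
CHECKOUT_HTML = """<form action="/pay" method="post">
  <input autocomplete="cc-number" name="card">
  <input autocomplete="cc-csc" name="cvc"></form>"""
ABOUT_HTML = "<p>About us</p><input type=search name=q>"

SAMPLE_PAGES = {
    "http://shop.example/login": LOGIN_HTML,
    "http://shop.example/checkout": CHECKOUT_HTML,
    "http://shop.example/about": ABOUT_HTML,
    "https://shop.example/login": LOGIN_HTML,
}

if __name__ == "__main__":
    for url, label in audit(SAMPLE_PAGES).items():
        print(f"{label}: {url}")
```

The fix for a flagged page is to serve it (and the endpoint the form posts to) over HTTPS, not to remove the fields.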

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 certificates from that date, and they will mark those websites as insecure. About a third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.

There will be changes in how businesses view security in 2017. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer be just an option, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked, and 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and be used for extortion. Expect the Internet of Things (IoT) and other connected devices to play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until other biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into encrypted systems (be it phones, computers or communications) could also be exploited by criminals. Any action in this space should weigh short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: cloud services becoming insecure, extortion, and openings created by IoT devices.

The arms race between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world, IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers, which increases the need for telecom operators and external services. In addition to disrupting services, denial of service attacks are often used as a distraction during the actual data theft. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impact. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be considered as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security that meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to keep their online identity safe is probably also the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is fragmented as 2017 starts. During the autumn of 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain platform and offers it on its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchain service on Bluemix. Google and Amazon are still conspicuous by their absence. Even banks may prefer to run their blockchains in the cloud.

Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls

3,151 Comments

  1. Tomi Engdahl says:

    Unprotected Hadoop Servers Expose 5 PB of Data: Shodan
    http://www.securityweek.com/unprotected-hadoop-servers-expose-5-pb-data-shodan

    Hadoop servers that are not securely configured expose vast amounts of data, according to an analysis conducted using the Internet search engine Shodan.

    A Shodan search uncovered nearly 4,500 servers with the Hadoop Distributed File System (HDFS), the primary distributed storage used by Hadoop applications. These servers were found to expose 5,120 TB (5.12 PB) of data.

    Making a comparison to MongoDB deployments, which are also known to expose a lot of data, Shodan found 47,820 servers, but only 25 TB of exposed data.

    Of all the Hadoop servers that expose data, 1,900 are located in the United States and 1,426 in China. The next on the list are Germany and South Korea, with 129 and 115 servers, respectively. A majority of the HDFS instances spotted by Shodan are hosted in the cloud, mainly Amazon (1,059 instances) and Alibaba (507).

    When researchers first reported seeing attacks targeting HDFS installations, they pointed out that, in some cases, attackers erased most directories and created a single directory named “NODATA4U_SECUREYOURSHIT,” without asking for a ransom.

    Shodan searches for the “NODATA4U_SECUREYOURSHIT” string show that, currently, there are more than 200 such HDFS clusters.

    Reply
  2. Tomi Engdahl says:

    FBI Helping Qatar in ‘Hacking’ Probe: Source
    http://www.securityweek.com/fbi-helping-qatar-hacking-probe-source

    The FBI is helping Qatar investigate the source of an alleged “hack” of state media which sparked diplomatic tensions in the Gulf, a source with knowledge of the probe said Friday.

    An FBI team has been in Doha for the past week after the Qatari government asked for US help following the claim of an unprecedented security breach by hackers last month, the source told AFP.

    “American support was requested and a team sent which has been in Doha since last Friday, working with Qatar’s interior ministry,” the source said.

    Reply
  3. Tomi Engdahl says:

    What Romeo and Juliet Can Teach Us About Security Market Confusion
    http://www.securityweek.com/what-romeo-and-juliet-can-teach-us-about-security-market-confusion

    After reviewing the different security markets, there were four main observations that I made:

    ● Number of Markets: I knew there were a lot of markets. But I didn’t understand the magnitude of the chaos until I took the time to comb through it all in detail. Independent of the various different players, just the sheer number of security markets alone is staggering.

    ● Overlap and Redundancy: You can’t really appreciate how much confusion and overlap there is between security markets until you take the time to review them thoroughly. In many instances, the line between two or more markets is blurring, or even disappearing entirely. Additionally, the number of products that claim to play in three, four, or even more markets is eye opening.

    ● Name Game: In some instances, products are simply named after the market they most closely align with at the moment they are released. That is all well and good, but as markets merge, blend, or otherwise move around, this just adds to the confusion. Additionally, in some markets, there may be 10 or more vendors with the exact same product name.

    ● Copy Room: Nearly every vendor uses just about the same marketing and messaging, right down to the buzz words. On the vendor side, it has become nearly impossible to differentiate and stand out from the crowd. On the customer side, it has become nearly impossible to understand which solution or solutions may be the best fit for the organization and its specific needs.

    The above observations certainly complicate the vendor-customer relationship enough.

    The language of customers speaks of problems, challenges, and issues. It focuses on strategic, operational, and tactical goals. It identifies gaps and sets priorities to fill those gaps. It orients itself towards obtaining results and measuring success around improving the organization’s security posture.

    The language of vendors speaks of products and technology. It focuses on capabilities and features. It identifies shortcomings and focuses on beating the competition. It orients itself towards results and measuring success around revenue and market share.

    Of course, each of these languages has its purpose, but there is a disconnect between the two sides that I’ve seen manifest itself over and over again. There are people who understand how to bridge the disconnect, but they are, unfortunately, relatively few and far between.

    Reply
  4. Tomi Engdahl says:

    BA IT systems failure: Uninterruptible Power Supply was interrupted
    Potentially by a panicking contractor, if reports are to be believed
    https://www.theregister.co.uk/2017/06/02/british_airways_data_centre_configuration/

    An IT bod from a data centre consultancy has been fingered as the person responsible for killing wannabe budget airline British Airways’ Boadicea House data centre – and an explanation has emerged as to what killed the DC.

    Earlier this week Alex Cruz, BA’s chief exec, said a major “power surge” at 0930 on Saturday 27 May caused the airline’s systems to “collapse”. Its Boadicea House (BoHo) data centre went down for around a quarter of an hour, seemingly taking the airline’s failover systems with it.

    “The power surge that BA is referring to could have taken place at the customer side of the meter.”

    Informed sources told us that the power failure did occur as described by BA – but they weren’t sure how or why the failover DC itself promptly keeled over when called upon.

    The airline’s UK IT infrastructure is said to span more than 500 cabinets in six halls across two different data centres, both of which are no more than a mile from the eastern end of Heathrow’s two runways.

    BoHo’s uninterruptible power supplies (UPSes) were replaced three years ago.
    A very rough rule of thumb for DC power consumption is around 900kW per 10,000 square feet.
    We are told that the two DCs normally operate in active:active configuration.

    When mains feed is lost, the UPS (if properly specified) should have enough battery power to keep the DC running in the minute or two it normally takes the backup generators to spool up to full power.

    In most common setups, we were told, backup power, regardless of whether it is from the standby batteries or the generators, flows through the UPS.

    “A data failure is quicker to fix than a hardware failure,” commented our source. “How has a power surge at one site killed the other? That sounds like data, not hardware and software, and that suggests [in relation to BA’s lack of communication about the cause of the failure] they’re worried about a PR problem.”

    An uncommanded shutdown of the data centre may have caused corrupted data to be synchronised between the two as BoHo died.

    There is a possibility that BA was operating an active:active:passive configuration, with the third DC acting as a cold standby populated with backed-up data, our source said.

    Outsourcing not to blame, says everyone involved in it

    Reply
  5. Tomi Engdahl says:

    Theresa May says the internet must now be regulated following London Bridge terror attack
    The Prime Minister said terrorists had ‘safe spaces’ online
    http://www.independent.co.uk/news/uk/politics/theresa-may-internet-regulated-london-bridge-terror-attack-google-facebook-whatsapp-borough-security-a7771896.html

    New international agreements should be introduced to regulate the internet in the light of the London Bridge terror attack, Theresa May has said.

    The Prime Minister said introducing new rules for cyberspace would “deprive the extremists of their safe spaces online” and that technology firms were not currently doing enough.

    “We cannot allow this ideology the safe space it needs to breed – yet that is precisely what the internet, and the big companies that provide internet-based services provide,” Ms May said.

    “We need to work with allied democratic governments to reach international agreements to regulate cyberspace to prevent the spread of extremist and terrorism planning.”

    The Act, championed by Ms May, requires internet service providers to maintain a list of visited websites for all internet users for a year and gives intelligence agencies more powers to intercept online communications. Police can access the stored browsing history without any warrant or court order.

    Reply
  6. Tomi Engdahl says:

    ‘Tallinn Manual 2.0’ – the Rulebook for Cyberwar
    http://www.securityweek.com/tallinn-manual-20-rulebook-cyberwar

    Tallinn – With ransomware like “WannaCry” sowing chaos worldwide and global powers accusing rivals of using cyberattacks to interfere in domestic politics, the latest edition of the world’s only book laying down the law in cyberspace could not be more timely.

    The Tallinn Manual 2.0 is a unique collection of law on cyber-conflict, says Professor Michael Schmitt from the UK’s University of Exeter, who led work on the tome.

    Published by Cambridge University Press and first compiled by a team of 19 experts in 2013, the latest updated edition aims to pin down the rules that governments should follow when doing battle in virtual reality.

    The manual was among the hot topics this week as over 500 IT security experts from across the globe gathered at NATO’s Cycon cyber security conference in Tallinn.

    Schmitt says his team’s work is intended to tame the “digital wild west” that emerged with the advent of cyberspace.

    But the virtually limitless range of possibilities in cyber-conflict raises a long laundry list of legal questions and dilemmas and the Tallinn Manual certainly cannot answer them all.

    The legal experts, mostly professors of international law, filled its 642 pages with existing jurisprudence applying to cyberspace from across the globe, and did not shy away from laying out conflicting views on certain issues.

    NATO Publishes Tallinn Manual 2.0 on International Law Applicable to Cyber Ops
    http://www.securityweek.com/nato-publishes-tallinn-manual-20-international-law-applicable-cyber-ops

    Reply
  7. Tomi Engdahl says:

    Theresa May wants to ban crypto: here’s what that would cost, and here’s why it won’t work anyway
    https://boingboing.net/2017/06/04/theresa-may-king-canute.html

    Aaron Swartz once said, “It’s no longer OK not to understand how the Internet works.”

    He was talking to law-makers, policy-makers and power-brokers, people who were, at best, half-smart about technology — just smart enough to understand that in a connected world, every problem society has involves computers, and just stupid enough to demand that computers be altered to solve those problems.

    Paging Theresa May.

    Theresa May says that last night’s London terror attacks mean that the internet cannot be allowed to provide a “safe space” for terrorists and therefore working cryptography must be banned in the UK.

    This is a golden oldie, a classic piece of foolish political grandstanding. May’s predecessor, David Cameron, repeatedly campaigned on this one

    Theresa May says there should be no “means of communication” which “we cannot read” — and no doubt many in her party will agree with her, politically. But if they understood the technology, they would be shocked to their boots.

    It’s impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security. If you want to secure your sensitive data either at rest – on your hard drive, in the cloud, on that phone you left on the train last week and never saw again – or on the wire, when you’re sending it to your doctor or your bank or to your work colleagues, you have to use good cryptography. Use deliberately compromised cryptography, that has a back door that only the “good guys” are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption.

    There are two reasons why this is so. First, there is the question of whether encryption can be made secure while still maintaining a “master key” for the authorities’ use. As lawyer/computer scientist Jonathan Mayer explained, adding the complexity of master keys to our technology will “introduce unquantifiable security risks”.

    What Theresa May thinks she’s saying is, “We will command all the software creators we can reach to introduce back-doors into their tools for us.” There are enormous problems with this: there’s no back door that only lets good guys go through it.

    But this is just for starters. Theresa May doesn’t understand technology very well, so she doesn’t actually know what she’s asking for.

    For Theresa May’s proposal to work, she will need to stop Britons from installing software that comes from software creators who are out of her jurisdiction. The very best in secure communications are already free/open source projects, maintained by thousands of independent programmers around the world. They are widely available, and thanks to things like cryptographic signing, it is possible to download these packages from any server in the world (not just big ones like Github) and verify, with a very high degree of confidence, that the software you’ve downloaded hasn’t been tampered with.

    May is not alone here. The regime she proposes is already in place in countries like Syria, Russia, and Iran (for the record, none of these countries have had much luck with it).

    Theresa May has already shown that she believes she can order the nation’s ISPs to block access to certain websites (again, for the record, this hasn’t worked very well). The next step is to order Chinese-style filtering using deep packet inspection, to try and distinguish traffic and block forbidden programs. This is a formidable technical challenge.

    More ambitious is a mandate over which code operating systems in the UK are allowed to execute. This is very hard.

    But there is the problem of more open platforms, like GNU/Linux variants, BSD and other unixes, Mac OS X, and all the non-mobile versions of Windows. All of these operating systems are already designed to allow users to execute any code they want to run.

    More difficult is the world of free/open operating systems like GNU/Linux and BSD. These operating systems are the gold standard for servers, and widely used on desktop computers

    There is no legal or technical mechanism by which code that is designed to be modified by its users can co-exist with a rule that says that code must treat its users as adversaries and seek to prevent them from running prohibited code.

    Reply
  8. Tomi Engdahl says:

    Putin Now Argues Russia Could’ve Been Framed For Election Meddling By The CIA
    https://news.slashdot.org/story/17/06/04/2154247/putin-now-argues-russia-couldve-been-framed-for-election-meddling-by-the-cia

    In a news magazine show premiering tonight, Megyn Kelly reports that Russian president Vladimir Putin “has denied Russian involvement in the hacking and interference with our U.S. presidential election for some time. That changed earlier this week, and the story appears to be evolving yet again.”

    “Hackers can be anywhere. They can be in Russia, in Asia…even in America, Latin America,” he said. “They can even be hackers, by the way, in the United States who very skillfully and professionally shifted the blame, as we say, onto Russia. Can you imagine something like that? In the midst of a political battle…?”

    Vladimir Putin Tells Megyn Kelly: U.S. Hackers Could Have Framed Russia
    http://www.nbcnews.com/news/world/vladimir-putin-tells-megyn-kelly-u-s-hackers-could-have-n767641

    Reply
  9. Tomi Engdahl says:

    Oracle Improves Cloud Security Offering
    http://www.securityweek.com/oracle-improves-cloud-security-offering

    Oracle on Monday announced enhancements to its Identity-based Security Operations Center (SOC) cloud services, including improvements to machine learning, artificial intelligence and contextual awareness.

    The Oracle Identity SOC offering includes several cloud services, including the Cloud Access Security Broker (CASB), Identity, Security and Monitoring Analytics, and Configuration and Compliance.

    An improvement to the Oracle Identity Cloud Service is the addition of adaptive access capabilities, which aim to address the risks posed by compromised credentials by evaluating each login attempt and providing real-time risk analysis based on factors such as location, device and time of day.

    The Oracle CASB Cloud Service can now detect abnormal and risky behavior using supervised and unsupervised machine learning techniques.

    Reply
  10. Tomi Engdahl says:

    Government Contractors Required to Provide Insider Threat Awareness Training
    http://www.securityweek.com/government-contractors-required-provide-insider-threat-awareness-training

    Change Two to the National Industrial Security Program Operating Manual (NISPOM 2) came into force at the end of May 2017. One of the biggest changes involves a new requirement for contractors to implement extensive insider threat training for all staff with access to government classified information. These new requirements are specified in section 3-103.

    NISPOM 2 (PDF) defines the insider threat as “The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States.” Section 3-103 places new burdens on contractors to mitigate this threat.

    https://fas.org/sgp/library/nispom/nispom2006.pdf

    Reply
  11. Tomi Engdahl says:

    New Method Used to Deliver Malware via PowerPoint Files
    http://www.securityweek.com/new-method-used-deliver-malware-powerpoint-files

    Cybercriminals have been leveraging a new technique, which involves PowerPoint files and mouseover events, to get users to execute arbitrary code on their systems and download malware.

    It’s not uncommon for malicious actors to deliver malware using specially crafted Office files, particularly Word documents. These attacks typically rely on social engineering to trick the targeted user into enabling VBA macros embedded in the document.

    However, researchers recently spotted several malicious PowerPoint files that use mouseover events to execute PowerShell code. These files, named “order.ppsx” or “invoice.ppsx,” have been distributed via spam emails with subject lines such as “Purchase Order #130527” and “Confirmation.”

    If the user hovers the mouse over the link – even without clicking it – the execution of PowerShell code is triggered. The Protected View security feature, which is enabled by default in most supported versions of Office, informs the user of the risks and prompts them to enable or disable the content.

    https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/

    Reply
  12. Tomi Engdahl says:

    FBI Helping Qatar in ‘Hacking’ Probe: Source
    http://www.securityweek.com/fbi-helping-qatar-hacking-probe-source

    The FBI is helping Qatar investigate the source of an alleged “hack” of state media which sparked diplomatic tensions in the Gulf, a source with knowledge of the probe said Friday.

    An FBI team has been in Doha for the past week after the Qatari government asked for US help following the claim of an unprecedented security breach by hackers last month, the source told AFP.

    “American support was requested and a team sent which has been in Doha since last Friday, working with Qatar’s interior ministry,” the source said.

    Two other unnamed countries are also helping with the probe.

    Doha launched the probe after accusing hackers of publishing false and explosive remarks attributed to Emir Sheikh Tamim bin Hamad Al-Thani on the Qatar News Agency website last month.

    Doha has denied all the comments and said it had been the victim of a “shameful cybercrime”.

    At the same time, the tiny Gulf state said it had also been the victim of a hostile media campaign, particularly in the US over the issue of its supposed support for Islamist groups.

    Qatar has so far given no indication of where the alleged cyber attack, which happened on May 24, originated.

    But regional powers including Saudi Arabia and the United Arab Emirates have used the comments to demonstrate that Qatar is out of line with Gulf foreign policy, especially regarding Iran.

    Media organisations in several countries in the region reported the emir’s comments as fact, despite an official denial by Qatar.

    Qatari broadcasters and websites were blocked in several countries after the alleged comments were reported.

    Some experts fear the current situation could trigger a repeat of the crisis in 2014, when several Gulf countries recalled their ambassadors from Doha, ostensibly over its support for the Muslim Brotherhood.

  13. Tomi Engdahl says:

    BBC:
    Following London terror attack, tech giants reject UK Prime Minister Theresa May’s claims that they provided a “safe space” for terrorist ideology — Technology companies have defended their handling of extremist content following the London terror attack.

    London attack: Tech firms fight back in extremism row
    http://www.bbc.com/news/business-40149649

    Technology companies have defended their handling of extremist content following the London terror attack.

    Prime Minister Theresa May called for areas of the internet to be closed because tech giants had provided a “safe space” for terrorist ideology.

    But Google said it had already spent hundreds of millions of pounds on tackling the problem.

    Facebook and Twitter said they were working hard to rid their networks of terrorist activity and support.

Google, which owns YouTube, along with Facebook, which owns WhatsApp, and Twitter were among the tech companies already facing pressure to tackle extremist content.

    ‘No place on our platform’

    Google said it had invested heavily to fight abuse on its platforms and was already working on an “international forum to accelerate and strengthen our existing work in this area”.

    The firm added that it shared “the government’s commitment to ensuring terrorists do not have a voice online”.

    Facebook said: “Using a combination of technology and human review, we work aggressively to remove terrorist content from our platform as soon as we become aware of it – and if we become aware of an emergency involving imminent harm to someone’s safety, we notify law enforcement.”

    Meanwhile, Twitter said “terrorist content has no place on” its platform.

    Home Secretary Amber Rudd said on Sunday that tech firms needed to take down extremist content and limit the amount of end-to-end encryption that terrorists can use.

    End-to-end encryption renders messages unreadable if they are intercepted, for example by criminals or law enforcement.

    Silicon Valley is both on the offensive and defensive.

    Defensive in that they are protecting their reputations as companies that put in a lot of work to stamp out extremist content online, but offensive in making it clear they do not feel “kneejerk” regulation is the way to solve the issue.

    The tech industry is mostly in agreement on this. They believe that end-to-end encryption, while perhaps frustrating to police, is a technology that means everyone’s communications are far more secure.

    ‘Intellectually lazy’

    The Open Rights Group, which campaigns for privacy and free speech online, warned that politicians risked pushing terrorists’ “vile networks” into the “darker corners of the web” by more regulation.

    “Blaming social media platforms is politically convenient but intellectually lazy.”

  14. Tomi Engdahl says:

    TOP-SECRET NSA REPORT DETAILS RUSSIAN HACKING EFFORT DAYS BEFORE 2016 ELECTION
    https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/

Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election, according to a highly classified intelligence report obtained by The Intercept.

    The top-secret National Security Agency document, which was provided anonymously to The Intercept and independently authenticated, analyzes intelligence very recently acquired by the agency about a months-long Russian intelligence cyber effort against elements of the U.S. election and voting infrastructure. The report, dated May 5, 2017, is the most detailed U.S. government account of Russian interference in the election that has yet come to light.

  15. Tomi Engdahl says:

    Department of Justice charges government contractor for leaking to The Intercept under Espionage Act
    http://www.poynter.org/2017/department-of-justice-charges-government-contractor-for-leaking-to-the-intercept/462266/

    The Department of Justice on Monday announced that it had filed charges against a government contractor named Reality Winner for providing a news outlet with a classified document.

    The charges were announced shortly after The Intercept published a report, based on a highly classified intelligence report, that alleged Russian military intelligence carried out a cyberattack against a U.S. voting software supplier.

    “It’s a shame that the federal government does not understand the difference between journalism and espionage,” said Peter Sterne, senior reporter at the Freedom of the Press Foundation. “Reality Leigh Winner is accused of sharing documents with an American media outlet about a topic of public concern, yet the Department of Justice is charging Winner under the Espionage Act, a 100-year-old statute intended for use against spies and saboteurs working on behalf of foreign governments.”

    “Winner’s actions helped journalists inform the American people about a topic that is clearly in the public’s interest,”

  16. Tomi Engdahl says:

    The Intercept:
    Leaked top-secret NSA doc: Russian military intelligence sent spear-phishing emails to 100+ local election officials days before the US presidential election — Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails …

    Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election
    https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/

  17. Tomi Engdahl says:

    U.S. Department of Justice:
    DOJ charges federal government contractor Reality Leigh Winner with removing classified material from government facility and mailing it to a news outlet — A criminal complaint was filed in the Southern District of Georgia today charging Reality Leigh Winner, 25, a federal contractor from Augusta …

    Federal Government Contractor in Georgia Charged With Removing and Mailing Classified Materials to a News Outlet
    https://www.justice.gov/opa/pr/federal-government-contractor-georgia-charged-removing-and-mailing-classified-materials-news

    A criminal complaint was filed in the Southern District of Georgia today charging Reality Leigh Winner, 25, a federal contractor from Augusta, Georgia, with removing classified material from a government facility and mailing it to a news outlet, in violation of 18 U.S.C. Section 793(e).

  18. Tomi Engdahl says:

    Peplink patches SD-WAN routers
    Get busy: SQL injection, XSS, CSRF and more
    https://www.theregister.co.uk/2017/06/06/peplink_patches_sdwan_routers/

    SD-WAN company Peplink has patched its load-balancing routers against vulnerabilities turned up by a German pentest company.

    The bugs discovered by X41 Security centre, as is so often the case, around the products’ Web admin interface, with seven individual bugs reported (CVE-2017-8835 to CVE-2017-8841).

    The vulnerabilities include a critical SQL injection attack via the bauth cookie; a lack of cross-site request forgery protection; clear text password storage; two cross-site scripting bugs; a file deletion vulnerability; and an information disclosure bug.

    X41-2017-005 – Multiple Vulnerabilities in peplink balance routers
    http://seclists.org/bugtraq/2017/Jun/1

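Worked example for the first bug class in the list above, an SQL injection through an authentication cookie. This is an added illustration, not Peplink's code and not taken from the X41 advisory: the session table, the tokens and the payload are constructed so the script runs offline on sqlite3, and only the cookie name bauth is borrowed from the write-up. It shows the injectable lookup beside the parameterised one and what each returns for the same poisoned cookie.

```python
"""Session lookup keyed on an auth cookie: injectable string building beside
the parameterised version. Added example, not Peplink's code; schema, tokens
and payload are constructed. Runs offline on sqlite3.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed session store with one admin and one low-privilege session."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)",
                     [("a1f6c0d9e2", "admin", 1), ("b7e3f19a44", "operator", 0)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, bauth: str):
    """Cookie value spliced into the SQL text: whoever sets the cookie writes the query."""
    sql = f"SELECT username, is_admin FROM sessions WHERE token = '{bauth}'"
    return conn.execute(sql).fetchone()


def lookup_fixed(conn: sqlite3.Connection, bauth: str):
    """Bound parameter: the cookie is compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, is_admin FROM sessions WHERE token = ?", (bauth,)).fetchone()


# Constructed payload: closes the string literal, ORs in the admin row, and the
# trailing comment swallows the query's original closing quote.
PAYLOAD = "' OR is_admin = 1 -- "


def demo() -> dict:
    """Run both lookups against the same poisoned cookie and one real token."""
    conn = make_db()
    return {
        "vulnerable_with_payload": lookup_vulnerable(conn, PAYLOAD),
        "fixed_with_payload": lookup_fixed(conn, PAYLOAD),
        "fixed_with_real_token": lookup_fixed(conn, "b7e3f19a44"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The vulnerable path hands an unauthenticated caller the admin session without knowing any token; the fixed path returns nothing for the payload and still resolves a genuine token. The same rule (request data is bound, never concatenated) covers the other injection points the advisory lists; CSRF tokens and output encoding for the XSS bugs are separate fixes not shown here.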
  19. Tomi Engdahl says:

    The internet may well be the root cause of today’s problems… but not in the way you think
    May’s scapegoat and Trump’s Twitter rants are damaging society
    https://www.theregister.co.uk/2017/06/06/internet_root_cause_of_current_problems/

    In a predictable but still shocking pronouncement, UK Prime Minister Theresa May has put much of the blame of recent terror attacks in London and Manchester on the internet and internet companies like Google and Facebook.

    “We cannot allow this ideology the safe space it needs to breed,” she argued in a speech

    At the same time, US president Donald Trump used his preferred method of communication – Twitter – to post a series of messages about the attacks that have sparked widespread anger over their selfish and callous nature.

    Trump argued that the attacks were evidence that his Muslim travel ban should be enforced

    To May, the internet represents everything wrong and dangerous in her world: it is a largely uncontrollable meeting place of people, many of whom disagree wildly with what she believes. Anything that she cannot control is dangerous.

    Trump, on the other hand, is an agent of chaos. He does not fear people or ideas in the abstract – in fact, he thrives on the kind of misinformation and fact-flipping that the internet makes all too easy. Trump fears people only in person.

    Inevitably, and correctly, many commentators have lined up to criticize both leaders over their views. The internet is no more to blame for terrorism than mobile phones were to blame for football hooligans (but it didn’t stop politicians calling for a ban on them because they were being used to arrange fights).

    May’s critics have pointed out that she was responsible, as home secretary, for slashing the police force’s numbers and budget – surely that was a greater contributor to problems than the fact that Facebook takes more than a day to take down an offensive video?

    The internet is a convenient scapegoat, and it is not the root cause of our problems.

    Except that’s not entirely true.

    Without the internet and its unusual ability to find people that are difficult to reach otherwise, it is debatable that May and Trump would be prime minister and president. Both leaders are manifestations of the very things they claim to fear.

    The same instant, one-to-one, unfiltered communication that has turned ordinary people into individuals willing to commit atrocities has been a factor in the election of both leaders.

    And when the larger world tells you that your thoughts are wrong, your group assures you that it is them that are wrong.

    That sense of power in a joint belief is very fortifying; strong enough to expand beyond small groups into larger groups. And when those larger groups are focused on specific goals, it can become extremely effective.

    But the big, dangerous beliefs incorporate the ability to both hate and get revenge on other human beings. If you win, they lose.

    This behavior is nothing new in the broader arc of human history – the same process was behind many of the religious wars that have ravaged the human race throughout history.

    Killing yourself in the name of a belief is obviously much more extreme than voting for a foolish economic policy or electing a wholly unqualified leader. But then when it comes to terrorism the whole point is that it only requires a very small number of people to have a big impact.

    The co-creator of the internet as we know it today, Vint Cerf – the man who devised the protocols that make the spread of information so fast and simple – once famously observed: “The internet is a reflection of our society and that mirror is going to be reflecting what we see. If we do not like what we see in that mirror the problem is not to fix the mirror, we have to fix society.”

    Cerf’s mirror analogy is good – but it fails to properly account for human behavior. What we see in the mirror changes as our perception of ourselves changes.

    What the internet has done is remove the delay
    It has also made it possible to listen to as many different voices – and to pick what those voices will say. You are free to reinforce your beliefs in a way that was never possible outside of tightly knit communities before.

    So Theresa May may be right. In theory at least. If you remove those “safe spaces” you remove the ability for people to develop extreme positions. Except someone has to decide which spaces are allowed and which are not. And then someone else has to check on everyone’s behavior. And that is the path to authoritarianism.

    What is the solution? Well, the end of religious wars came about largely because of two things: greater personal and economic freedom and better education.

    Censoring social media, listening in to everyone’s conversations and using the internet as a political scapegoat are very convenient solutions for someone who will never recognize that they are part of the problem.

  20. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Cloud security broker Netskope raises $100M Series E led by previous investors Lightspeed and Accel — As enterprises continue to move more of their computing to the cloud, and across an ever-expanding range of devices from computers to phones and tablets and more, hackers continue to find ways …

    Cloud security broker Netskope raises $100m more led by Lightspeed and Accel
    https://techcrunch.com/2017/06/06/cloud-security-broker-netskope-raises-100m-more-led-by-lightspeed-and-accel/

As enterprises continue to move more of their computing to the cloud, and across an ever-expanding range of devices from computers to phones and tablets and more, hackers continue to find ways to break into those systems — resulting in an unprecedented number of breaches globally. Now, one of the more prominent security startups fighting this has raised a significant round of funding to help tackle the issue head-on.

    Netskope — a cloud-access security broker that has developed a platform to monitor a company’s disparate apps and devices, and set security policies to identify and prevent breaches — has raised $100 million in new funding.

Fast forward to today, and the use of apps and multiple devices and access points, often outside of physical offices, is commonplace at many businesses, and this has had a knock-on effect at Netskope.

    Beri said the company processes “tens of billions” of cloud transactions per day from its customers, which includes the likes of Toyota, Nvidia, Levi’s and Intercontinental Hotels, New York Life and a number of health organizations — “more than any other company in the world”.

    That processing has highlighted some scary numbers: for example 26.5 percent of all malware files are shared by employees in the cloud. “In other words, one quarter of files infected are exposed and shared.”

    “Security has become one of the top topics businesses have to think about when they consider mobile and cloud and remote working. Security officers realise that they can’t use their old systems. The old way doesn’t work for the cloud.” The old way includes incumbents like Symantec, which Beri considers a key competitor.

    The key behind Netskope’s platform is that it’s based around the principle of “privacy by design”, Beri noted, meaning that it’s not necessarily crawling everything that is passing through a network, but is rather based around policies created by the company: for example keywords and actions that might relate to health records and personal information, and how and where that data might be shared.

  21. Tomi Engdahl says:

    Leaked Documents Show US Vote Hacking Risks
    http://www.securityweek.com/leaked-documents-show-us-vote-hacking-risks

    Security experts have warned for years that hackers could penetrate electronic voting systems, and now, leaked national security documents suggest a concerted effort to do just that in the 2016 US election.

    An intelligence report revealed this week showed a cyberattack that targeted more than 100 local election officials and software vendors, raising the prospect of an attempt, possibly led by Russia, to manipulate votes.

    The top-secret document from the National Security Agency, published by online news outlet The Intercept, stops short of drawing any conclusions about the impact of the attacks and whether it affected any ballots. But it suggests hackers got deeper into US voting systems than previously believed.

    “These are our worst fears,” said Joseph Hall, chief technologist at the Center for Democracy and Technology, who researches voting systems.

    “For over 15 years, I and a lot of other people have said we had never seen a confirmed hack of voting systems. We’re not going to say that anymore.”

    Hall said systems could be vulnerable because localities that manage elections rely on private software sellers that may lack resources against a well-funded cyber adversary.

    “A lot of those vendors are quite small,”

    Hacking elections “has always been thought of as a theoretical possibility, but now we know it is a real threat,” said Susan Greenhalgh, a researcher with the Verified Voting Foundation, an election systems monitor.

“We need to ensure our voting systems are resilient going into 2018 and 2020” elections, she added.

    While voting machines are not connected to the internet, most of the electronic systems need to be programmed with computers which are connected, opening up security holes.

    “If you can manipulate that ballot programming you can often exploit the vulnerabilities,”

    But Appel said any tampering with vote systems could have serious and far-reaching effects.

    “If this kind of attack had taken place weeks before the election, it would be cause for significant concern” for the outcome, he said.

    “And it’s many weeks now before the next election, and if there has been Russian penetration of our election software systems or anyone else’s penetration, it could continue to affect vote counting for years.”

    Appel said that if ballots are manipulated within a voting machine, “it won’t be obvious, people won’t know about it” unless there is an audit or recount.

    Bruce Schneier, chief technology officer of IBM Resilient and a fellow at Harvard’s Berkman Klein Center for Internet & Society, said the report shows the weaknesses of US election systems.

    “This (attack) feels more exploratory than operational, but this is just one piece. There are lots of vulnerabilities,” Schneier said. “Election officials are largely in denial. The next election will be no more secure than this election.”

    Russia Tried to Hack US Voting Systems for Months: Report
    http://www.securityweek.com/russia-tried-hack-us-voting-systems-months-report

  22. Tomi Engdahl says:

    Kremlin ‘Resolutely’ Denies Russia Hacked US Vote
    http://www.securityweek.com/kremlin-resolutely-denies-russia-hacked-us-vote

    The Kremlin on Tuesday strongly denied a leaked US report that Russian military intelligence hackers tried to infiltrate into US voting systems before last year’s presidential election.

    “Apart from this claim which absolutely does not conform to reality, we have not seen any other information nor heard any arguments for the reliability of this information,” Kremlin spokesman Dmitry Peskov told journalists.

    “We resolutely deny the possibility that such a thing could have happened,” he said, adding that he had not read the report.

    President Vladimir Putin last week said that hackers can come from any country since they are “free people like artists” and conceded it was theoretically possible that a “patriotically minded” hacker could decide to act against those critical of Russia.

    He insisted however that “we never get involved in this on a state level.”

    Russian Outsourcing Provides Plausible Deniability for State-Sponsored Hacking
    http://www.securityweek.com/russian-outsourcing-provides-plausible-deniability-state-sponsored-hacking

    Last week, Russian president Vladimir Putin apparently conceded that patriotic Russian hackers may have been involved in the DNC hacks last year. “If they are patriotically minded, they start making their contributions – which are right, from their point of view – to the fight against those who say bad things about Russia.”

    Putin served in the KGB, Russia’s primary security agency, for 16 years, leaving with the rank of Lieutenant Colonel in 1991. He understands international intelligence and espionage. When he suggested the DNC hacks could have been done by patriotic Russian hackers, it was almost a taunt: I know the truth; you know the truth; but you cannot prove anything.

    The reality is that all nations have their own ‘patriotic hackers’.

    The US has The Jester (@th3j35t3r), who describes himself as a ‘hacktivist for good’.
    This is the dilemma caused by ‘patriotic hackers’. Was Jester sponsored by the US government? Almost certainly not. Is he tolerated by the US government? Almost certainly yes. At what point, if ever, does tolerance become sponsorship?

    While outsourcing hacking now seems to be common practice for many nations, Cybereason suggests that Russia has been doing it longer, and does it better.

    The effect of this formal/informal relationship between the state and cybercriminals has developed a sophisticated and semi-protected criminal industry. Provided that the hackers do not break the rules, they will be tolerated: patriotic hacking is tolerated and even guided while internal cybercriminal activity is not. This is tantamount to Russian hackers being able to hack the Five Eyes nations and Europe with a degree of impunity provided they do not embarrass the state.

    It also means that outsourced Russian hackers are able to mix business and personal profit.

    Russia, it continues, “has the most technically advanced and bold cybercriminal community in the world and are more than capable of causing significant damage with whomever they attack from countries to corporations.”

    Meanwhile, this ‘proxy’ cyberwarfare provides all nations with plausible deniability. Attribution in cyberspace is almost impossible. Only the intelligence agencies with physical assets and the ability to directly eavesdrop on suspects will know the truth — and they can never publicly declare those assets for fear of losing them.

  23. Tomi Engdahl says:

    Russia and nation-state hacking tactics: A report from Cybereason Intelligence Group
    https://www.cybereason.com/blog-russia-nation-state-hacking-the-countrys-dedicated-policy-of-strategic-ambiguity/

    Policy versus Happenstance: Russia’s Dedicated Policy of Strategic Ambiguity

    In our latest report, Cybereason Intelligence Group examines Russia and the tactics and procedures they use to conduct global attacks on nations and corporations. An earlier report issued by Cybereason Intelligence Group focused on China and a new breed of cyber privateer leading the increase in nation states contracting private companies to accomplish intelligence operations. These groups operate with incredible sophistication, while enjoying a cloak of semi-protected “status” for their malicious activities.

    From China to Russia

    The Russian Security Services (formerly the KGB) have long standing ties to Russian national criminal and hacktivist communities.

    This programmatic effort by the Kremlin has been long standing and differs significantly from the likes of China and India.

    This trend is relatively new and accelerating in China where the security community is observing a shift in the activities of groups that freelance for the state.

    No longer do companies need to go to the Dark Web to gain an unfair advantage over their competition, they simply need to search Baidu for the dozens of companies offering these services.

  24. Tomi Engdahl says:

    VTT Cyber Security Services presents: A short movie about the good guys
    https://www.youtube.com/watch?v=ZCbTVj0cHlM

    Building a safer and more stable future. VTT cyber security experts are here to help!

    Cyber security
    http://www.vttresearch.com/services/digital-society/cyber-security

    Prevent cyber security attacks against your products, communication systems and manufacturing operations

    VTT supports companies in developing trustworthy platforms and services and ensuring the implementation of a sufficient security level at an early phase in the development process. We have a state of the art testing laboratory

  25. Tomi Engdahl says:

    Protecting your data center before, during and after a cyber attack: Cisco advises
    http://www.cablinginstall.com/articles/pt/2017/05/protecting-your-data-center-before-during-and-after-a-cyber-attack-cisco-advises.html?cmpid=enl_cim_cimdatacenternewsletter_2017-06-06

    Business costs from the recent WannaCry ransomware attack are still being tallied and data center managers are quickly assessing their vulnerabilities within their data center infrastructure. There are two immediate questions to think about when evaluating your operating environment and the applications that run on these systems.
    1. Are they running on current software releases?
    2. Is the underlying infrastructure of switches, routers and servers updated to their latest firmware releases?

    There are three immediate benefits to having pervasive visibility and control in your data center in real-time:

    1. The ability to create policies around all your information which enforces tighter security between applications running across data centers, segments applications between various business entities, and applies an overall white-list model to the entire data center.

    2. Automatically enforces a dynamically created policy in the hosts, no matter where they’re deployed – on premise, in the cloud, or a combination of the two.

    3. Monitors the system to make sure the policies that are in place are, in fact, enforced and more important, see who is trying to work around those policies to create security breaches within your data center.

    How to Protect Your Data Center – Before, During and After a Cyber Attack
    https://blogs.cisco.com/datacenter/how-to-protect-your-data-center-before-during-and-after-a-cyber-attack-part-1

  26. Tomi Engdahl says:

    Chrome 59 Patches 30 Vulnerabilities
    http://www.securityweek.com/chrome-59-patches-30-vulnerabilities

    Google announced on Monday the availability of Chrome 59, a version that brings several design and functionality improvements, and fixes for tens of vulnerabilities.

    According to Google, a total of 30 flaws have been fixed in the latest version of the popular web browser, including many reported by external researchers. The experts who contributed to making Chrome more secure earned a total of more than $23,000.

  27. Tomi Engdahl says:

    Head to the Cloud for a Head’s Up on Fraud
    http://www.securityweek.com/head-cloud-heads-fraud

    When it Comes to Finding Fraudsters, You Must Keep Your Head Above the Clouds.

    Modern online fraud attacks are enormous in scale. They are orchestrated by organized crime rings who control large “armies” of fake user accounts to do their bidding. These coordinated malicious user accounts, either created new or obtained via user hijacking, actively target the various features of modern online services for some type of real-world financial gain. This type of attack can include everything from fake reviews to boost business reputation, promotional credits abused to gain an unfair advantage within games, and stolen credit cards used in fraudulent online transactions. Such attacks can cause millions of dollars of loss to the service, in addition to severely degrading brand name reputation and platform integrity.

With the commoditization of cloud computing in recent years, fraudsters and cybercriminals alike have started to take advantage of public cloud services and dedicated/virtual hosting to conduct attacks. Just as the cloud helps businesses expand their operations without the maintenance overhead, it also allows attackers to scale up their operations significantly, due to the elasticity and compute capacity of these services. In a recent analysis of more than 500 billion events collected from multiple global online services, 18% of user accounts that originated from cloud service IP ranges were fraudulent.

    The cloud can do more for the fraudsters than increase the number of attack campaigns they can conduct. It also helps them evade detection by traditional anti-fraud solutions. Traditional solutions rely on patterns or rules of known bad activities such as blacklisted IP address ranges or device fingerprints. However, there is little they can provide on new attack patterns, and fraudsters exploit this greatly to their advantage.

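Worked example for the contrast drawn in the comment above between a denylist rule and the coordinated account creation it misses. This is an added illustration, not SecurityWeek's or any vendor's code. The IP prefixes are RFC 5737 documentation blocks standing in for a hosting provider's published ranges, and the signup events and user agents are invented: six accounts registered thirty seconds apart from one rented /24 with one user agent, alongside a handful of ordinary signups and one account from an already-listed bad range.

```python
"""Denylist rule beside a behavioural check over constructed signup events.
Added example, not from the linked article. IP ranges are RFC 5737
documentation blocks standing in for a hosting provider's prefixes; the
events and user agents are invented.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for a cloud/hosting provider's prefixes.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed "known bad" denylist, the traditional rule.
DENYLIST = [ipaddress.ip_network("192.0.2.0/28")]

T0 = datetime(2017, 6, 6, 10, 0, 0)
BOT_UA = "Mozilla/5.0 (Windows NT 6.1) HeadlessAgent/1.0"

# Constructed signups: (timestamp, account, source ip, user agent)
SIGNUPS = [
    (T0 - timedelta(hours=3), "legacy_bot", "192.0.2.5", "curl/7.54"),
    (T0 - timedelta(hours=2), "alice", "192.0.2.130", "Mozilla/5.0 (Macintosh) Safari/604"),
    (T0 - timedelta(minutes=40), "bob", "192.0.2.201", "Mozilla/5.0 (X11; Linux) Firefox/53"),
    (T0 + timedelta(hours=1), "carol", "192.0.2.77", "Mozilla/5.0 (Windows NT 10.0) Chrome/59"),
] + [
    # six accounts created 30 s apart from one rented /24, all with the same UA
    (T0 + timedelta(seconds=30 * i), f"promo_user_{i:02d}", f"203.0.113.{10 + i}", BOT_UA)
    for i in range(6)
]


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def denylist_flags(events) -> set:
    """Traditional control: flag accounts whose IP is already on a bad-range list."""
    return {acct for _, acct, ip, _ in events if in_any(ip, DENYLIST)}


def cloud_origin_share(events) -> float:
    """Fraction of signups that came from the cloud prefixes."""
    hits = sum(1 for _, _, ip, _ in events if in_any(ip, CLOUD_RANGES))
    return hits / len(events)


def coordinated_clusters(events, window=timedelta(minutes=10), min_size=5) -> list:
    """Behavioural control: >= min_size signups from one /24 with one UA inside `window`."""
    groups = defaultdict(list)
    for ts, acct, ip, ua in events:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        groups[(str(net), ua)].append((ts, acct))
    clusters = []
    for (net, ua), members in groups.items():
        members.sort()
        # Slide a window of min_size consecutive signups; one tight window is enough.
        for i in range(len(members) - min_size + 1):
            if members[i + min_size - 1][0] - members[i][0] <= window:
                clusters.append({"net": net, "ua": ua,
                                 "accounts": sorted(a for _, a in members)})
                break
    return clusters


if __name__ == "__main__":
    print("denylist hits:", denylist_flags(SIGNUPS))
    print("share from cloud ranges:", cloud_origin_share(SIGNUPS))
    for c in coordinated_clusters(SIGNUPS):
        print("cluster", c["net"], c["ua"], c["accounts"])
```

The denylist catches only the account from the range it already knows about; the fresh cloud /24 is clean by that rule, and the burst is visible only when registrations are grouped by origin network and client fingerprint over time. Thresholds (window, cluster size) are assumptions to be tuned per service.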
  28. Tomi Engdahl says:

    1.92 Seconds, On Repeatability
    http://www.securityweek.com/192-seconds-repeatability

    The Williams Grand Prix Engineering team currently owns the record for the fastest pit stop in Formula One at 1.92 seconds. Think about that. In the time it takes you to blink twice, a car pulls in, has 4 wheels taken off and a fresh set put on and drives away. That’s mind-blowingly fast.

    In order to get to 1.92s for a pit stop the Williams crew practiced. And practiced. And practiced until they had it down to muscle memory. Hundreds maybe even thousands of times.

    There is a lesson to be learned here for security professionals and leaders. That lesson is really three-fold.

    First, there is the lesson of specialization.
    They have one role to play, and they specialize in it. That’s all they train for. That’s all they do.
    In our field, you specialize, too. But realistically you’re never just going to be a forensics acquisition specialist – and that’s all you’ll ever do.

    The second lesson is repeatability through process. Yes, that sounds complicated – but it’s actually quite simple. Develop a process that is as simple as possible to accomplish the task at hand. Then take that process apart and find efficiency gains you can get by making adjustments. After that, what’s left is automation. Automate using whatever you have available – commercial and open source tools included.

    Repeatability is so critical, I urge you to spend a lot of your energy and time here. As much as you need to do. Don’t overlook the importance of having something that’s repeatable. To be repeatable, a process must be well-documented, well-understood and well-practiced

    Process flow diagrams are always preferable in the heat of the moment because no one wants to have to skim through a 40-page manual to figure out what to do when any particular thing goes wrong. Trust me.

    Finally, the last lesson is practice. No one on that Williams team was at 1.92s on their first try.
    But after practicing a thousand times the likelihood of getting it wrong drops off a cliff. Not to say that they won’t ever get it wrong, but the likelihood is dramatically lower.

    Practice is one of those things people say we can’t really do. How do you really practice for a situation when your CEO is compromised and the board memos are being leaked to the Internet? Simulations are nice, but they don’t simulate the pressure of real-life. There is no substitute for real-life situations. So, to that I say, practice in real-life.

Once you have some confidence (and not a moment before) have someone from one of the many red teams out there hit you with what they’ve got. Then go into battle mode. Practice, find your failures and have someone write them down. Then practice those pieces until you’ve got it right, without thinking.

  29. Tomi Engdahl says:

    RIG Exploit Kit Infrastructure Disrupted
    http://www.securityweek.com/rig-exploit-kit-infrastructure-disrupted

    A group of researchers and security firms led by RSA delivered a significant blow to the infrastructure used by the notorious RIG exploit kit and the operation has allowed experts to learn more about the threat.

    RSA announced the results of the operation, which it has dubbed “Shadowfall,” on Monday. Several independent researchers and employees of Malwarebytes, Palo Alto Networks and Broad Analysis have contributed to the project.

    Following the disappearance of Angler, RIG managed to secure the top position in the exploit kit market, being used to deliver various pieces of malware, including Cerber and CryptoMix ransomware, and the SmokeLoader backdoor. RIG has leveraged several Flash Player, Silverlight, Internet Explorer and Microsoft Edge exploits, which it mainly delivers by injecting malicious iframes into compromised websites.

  30. Tomi Engdahl says:

    Organizations Failing to Upgrade Systems, Enforce Patches
    http://www.securityweek.com/organizations-failing-upgrade-systems-enforce-patches

    Organizations Are Still Failing to Upgrade Systems and Enforce Patches, Study Finds

    For example, although the uptake of Microsoft’s latest Windows 10 (Win10) operating system has doubled from 15% last year to 31% this year, that still means that the vast majority of Windows usage in business is using old and sometimes unsupported versions of Windows. More than half (59%) of business Windows systems are still using Windows 7; and 1% are still using XP.

    The importance of upgrading to W10 is illustrated by the recent WannaCry ransomware outbreak — which rapidly infected more than 200,000 computers in 150 countries. W10 with automatic patching was protected; unpatched W7 (and unsupported W7 on Intel 7th Generation Core processors and AMD Ryzen systems) and all XP systems were vulnerable.

    It is noticeable that healthcare continues to run a higher percentage of W7 than business overall (76% compared to 59%), and a higher percentage of XP (3% compared to 1%) — and healthcare (especially the UK’s National Health Service) was especially affected by WannaCry.

    It seems that many firms are relying on the standard business hardware refresh cycle to effect their upgrade to Windows 10. “This will eventually get us to full Windows 10 adoption; but how long will that take?”

    But it’s not just aging operating systems that are a cause for concern. Duo also analyzed the results from its free simulated phishing solution, Duo Insight. This analysis looked at 3,575 simulated phishing campaigns with more than 80,000 recipients run over the last 12 months; and found that 62% of campaigns captured at least one credential and 68% had at least one out-of-date device.

    The combination of successful phishing and out-of-date browsers is important.

  31. Tomi Engdahl says:

    Router LEDs Allow Data Theft From Air-Gapped Computers
    http://www.securityweek.com/router-leds-allow-data-theft-air-gapped-computers

    The status LEDs present on networking equipment such as routers and switches can be abused to exfiltrate sensitive data from air-gapped systems at relatively high bit rates, researchers have demonstrated.

    A paper published this week by the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel shows how data can be transferred from an air-gapped computer by modulating it using the blinking of a router’s LEDs.

    The attack can be carried out either by planting malicious firmware on the targeted router or remotely using a software exploit. The firmware attack may be more difficult to carry out as the router needs to be infected either via the supply chain or social engineering, but the software attack could be easier to conduct given that many devices are affected by remotely exploitable vulnerabilities.

    Once the targeted router or switch has been compromised, the attacker can take control of how the LEDs blink. Then, using various data modulation methods, each LED or a combination of LEDs can be used to transmit data to a receiver, which can be a camera or a light sensor.

    xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
    http://cyber.bgu.ac.il/advanced-cyber/system/files/xLED-Router-Guri_0.pdf

  32. Tomi Engdahl says:

    Data Center Incident Reporting Network announced
    https://thestack.com/data-centre/2017/06/06/data-center-incident-reporting-network-announced/

    The UK Data Center Interest Group, a not-for-profit organization focused on data center technologies, best practices and policy, has announced the formation of the Data Center Incident Reporting Network (DCIRN).

    The incident reporting network will be a resource for operators to share information about data center failures confidentially so that the industry as a whole can learn from the failures that have occurred. The goal of the DCIRN is to improve the reliability of data centers worldwide by collecting and analyzing information related to failures.

  33. Tomi Engdahl says:

    White House, intel chiefs want to make internet spying law permanent
    http://www.reuters.com/article/us-usa-intelligence-idUSKBN18Y21E

    The White House and U.S. intelligence community on Wednesday said they backed making permanent a law that allows for the collection of digital communications of foreigners overseas and that pass through U.S. phone or internet providers, escalating a fight in Congress over privacy and security.

    The law, which is due to expire on December 31 unless Congress votes to reauthorize it, has been criticized by privacy advocates who argue it allows for the incidental collection of data belonging to millions of Americans without a warrant.

  34. Tomi Engdahl says:

    Molly Jackman / Facebook:
    Facebook to share location density, movement, safety check maps based on aggregated location data with Red Cross, UNICEF, others during disaster relief efforts

    Using Data to Help Communities Recover and Rebuild
    https://newsroom.fb.com/news/2017/06/using-data-to-help-communities-recover-and-rebuild/

    After a flood, fire, earthquake or other natural disaster, response organizations need accurate information, and every minute counts in saving lives. Traditional communication channels are often offline and it can take significant time and resources to understand where help is desperately needed.

    Facebook can help response organizations paint a more complete picture of where affected people are located so they can determine where resources — like food, water and medical supplies — are needed and where people are out of harm’s way.

    Today, we are introducing disaster maps that use aggregated, de-identified Facebook data to help organizations address the critical gap in information they often face when responding to natural disasters.

  35. Tomi Engdahl says:

    Amid fresh NSA leak, why you should start taking printer security seriously
    http://www.zdnet.com/article/printer-security-may-move-to-fore-after-nsa-doc-leak-russian-spearphishing-of-election/

    A leaked NSA report highlights the need for better printer security, logging jobs, and tracking documents. Here are three lessons for enterprises to ponder.

    Newer printers print yellow dots that can track down when and where a document was printed. The NSA was able to track Winner down because it tracks printing jobs and can match a person with the document.

    As if you needed another reminder: Make sure your employee and contractor security policies are up to date and actually followed.

    The lesson here is that anything connected is vulnerable to tampering and cyberattacks. Voting machines — despite precautions and hardened systems — are no different.

  36. Tomi Engdahl says:

    CNN Exclusive: US suspects Russian hackers planted fake news behind Qatar crisis
    http://edition.cnn.com/2017/06/06/politics/russian-hackers-planted-fake-news-qatar-crisis/index.html

    US investigators believe Russian hackers breached Qatar’s state news agency and planted a fake news report that contributed to a crisis among the US’ closest Gulf allies, according to US officials briefed on the investigation.

  37. Tomi Engdahl says:

    Linux Trojans are attacking Raspberry Pi cards

    The Russian security company Doctor Web has found and investigated two Linux malware programs. One of them hits the popular Raspberry Pi PCs and installs a mining program on the card.

    For malicious software Dr. Web has named Linux.Muldrop.14. Its recession began in the latter half of May. It is a trojan script that contains a password and a compressed application.

    The Trojan changes the password of the card, unpacks and installs the mining program, and starts endlessly searching for open network nodes through open port 22. If a disadvantage is created for an SSH connection to another card, it copies itself to a new card.

    Another found trojan is called Linux.ProxyM.

    Source: http://www.etn.fi/index.php/13-news/6440-linux-troijalainen-hyokkaa-raspberry-pi-korteille

  38. Tomi Engdahl says:

    Philippine Bank Chaos as Money Goes Missing From Accounts
    http://www.securityweek.com/philippine-bank-chaos-money-goes-missing-accounts

    A major Philippine bank shut down online transactions and cash machines on Wednesday after money went missing from accounts, triggering fears it had been hacked even as company officials said it was an internal computer error.

    Customers of Bank of the Philippine Islands (BPI) were shocked on Wednesday morning to see unauthorized withdrawals and deposits from their accounts.

    BPI said in a statement the problem was caused by an “internal data processing error” that had been identified.

  39. Tomi Engdahl says:

    Russian Hackers ‘Planted False Story’ Behind Mideast Crisis
    http://www.securityweek.com/russian-hackers-planted-false-story-behind-mideast-crisis

    US intelligence officials believe Russian hackers planted a false news story that led Saudi Arabia and several allies to sever relations with Qatar, prompting a diplomatic crisis, CNN reported Tuesday.

    FBI experts visited Qatar in late May to analyze an alleged cyber breach that saw the hackers place the fake story with Qatar’s state news agency, the US broadcaster said.

    Saudi Arabia then cited the false item as part of its reason for instituting a diplomatic and economic blockade against Qatar, the report said.

    Qatar’s government said the May 23 news report attributed false remarks to the emirate’s ruler that appeared friendly to Iran and Israel, and questioned whether US President Donald Trump would last in office, according to CNN.

    Qatari Foreign Minister Sheikh Mohammed Bin Abdulrahman al-Thani told the broadcaster that the FBI has confirmed the hack and the planting of fake news.

    The CNN report quoted the Qatari government communications office as saying it was working with the FBI and Britain’s National Crime Agency on an ongoing hacking investigation.

  40. Tomi Engdahl says:

    Russian Hackers Target Montenegro as Country Joins NATO
    http://www.securityweek.com/russian-hackers-target-montenegro-country-joins-nato

    Hackers linked to Russia launched cyberattacks on the Montenegro government just months before the country joined the North Atlantic Treaty Organization (NATO) and experts believe these attacks will likely continue.

    Despite strong opposition from Russia, Montenegro officially joined NATO on June 5. Russia has threatened to retaliate but it may have already taken action against Montenegro in cyberspace.

    Attacks aimed at the Montenegro government spotted earlier this year by security firm FireEye leveraged malware and exploits associated with the Russia-linked threat group known as APT28, Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

    APT28 has been known to target Montenegro.

    The malware delivered in these attacks is tracked by FireEye as GAMEFISH and it has been exclusively used by APT28. GAMEFISH is a backdoor that is tracked by other security firms as Sednit, Seduploader, JHUHUGIT and Sofacy.

    The malicious documents delivered the malware via a Flash exploit framework.

    Read said it was unclear if APT28’s attacks against the Montenegro government were successful.

    “It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself,”

  41. Tomi Engdahl says:

    Leaked Documents Show US Vote Hacking Risks
    http://www.securityweek.com/leaked-documents-show-us-vote-hacking-risks

    Security experts have warned for years that hackers could penetrate electronic voting systems, and now, leaked national security documents suggest a concerted effort to do just that in the 2016 US election.

    An intelligence report revealed this week showed a cyberattack that targeted more than 100 local election officials and software vendors, raising the prospect of an attempt, possibly led by Russia, to manipulate votes.

    https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/

  42. Tomi Engdahl says:

    Turla Malware Obtains C&C Address From Instagram Comments
    http://www.securityweek.com/turla-malware-obtains-cc-address-instagram-comments

    A piece of malware used in attacks by the Russia-linked cyberespionage group known as Turla is designed to obtain the address of its command and control (C&C) servers from comments posted to Instagram.

    The security firm ESET has been monitoring this campaign and noticed that the hackers have once again started abusing social media.

    The campaign has involved watering hole attacks, where the group planted malicious code on compromised websites in an effort to redirect their visitors to a server that delivered a JavaScript tool designed for profiling victims.

  43. Tomi Engdahl says:

    Multiple Vulnerabilities Found in Popular IP Cameras
    http://www.securityweek.com/multiple-vulnerabilities-found-popular-ip-cameras

    Multiple vulnerabilities have been found in China’s Foscam-made IP cameras. The vulnerabilities were reported to the manufacturer several months ago, but no fixes have been made available. Foscam cameras are sold under different brand names, such as OptiCam. Users are advised to check on the manufacture of any IP cameras, and if necessary, take their own mitigation steps.

    The vulnerabilities, 18 in all, were discovered by F-Secure, who specifically found them in the Opticam i5 and Foscam C2 cameras. F-Secure warns, however, that these vulnerabilities will likely exist throughout the Foscam range and potentially in all 14 separate brand names that it knows to sell Foscam cameras.

    The flaws include insecure default credentials, hard-coded credentials, hidden and undocumented Telnet functionality, command injection flaws, missing authorization, improper access control, cross-site scripting, and a buffer overflow. All are detailed in a report (PDF) published today.

    “Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure — however, it makes the virtual environment less so.”

    While attention on IoT device security — especially cameras — has been focused by the Mirai botnet and the largest DDoS attack against the internet infrastructure in history, the quantity and severity of the Foscam vulnerabilities is particularly concerning. “These vulnerabilities are as bad as it gets,”

    VULNERABILITIES IN FOSCAM IP CAMERAS
    http://images.news.f-secure.com/Web/FSecure/%7B43df9e0d-20a8-404a-86d0-70dcca00b6e5%7D_vulnerabilities-in-foscam-IP-cameras_report.pdf

    F-Secure’s discovery of multiple flaws in two models of Foscam-made IP cameras is another example of a poorly engineered device that offers attackers an easy target. Should an attacker infiltrate the company network and find such a device, they could infect it with malware that would not only fully compromise the device, but also grant free reign inside the network, including access to network systems and resources.

    This paper details the vulnerabilities inside the Foscam IP cameras and their impact, and offers mitigation recommendations.

  44. Tomi Engdahl says:

    Threat Modeling the Internet of Things Part 2: Three Steps to Pizza
    http://www.securityweek.com/threat-modeling-internet-things-part-2-three-steps-pizza

    One way to apply security to the development of any system is through the process of threat modeling. A threat model assessment (TMA) brings together system designers and security experts to:

    1. Catalogue the assets in play

    2. Identify potential threats

    3. Score the threats vs. the assets

    Sounds complex, right? It doesn’t really have to be, and when done with the right attitude and the right people, it can be inspiring and, gasp, even fun. Let’s have a look at the mechanics of threat modeling, and then drop some tips about how to initiate a new threat model program.

    Step One: Catalogue the Assets at Play

    For an Internet of Things project, the scope of the assets includes not just the device itself, but all the systems that support that device.
    The OWASP IoT Project page identifies many of the assets of an IoT system.

    Step Two: Identify Potential Threats

    You’ve gotten lucky, again. Many potential threats are already known; you just have to apply them to your project. One of the early “models” in threat modeling is STRIDE threat classification. The STRIDE acronym is designed to help you remember to ask these questions:

    • (S)poofing – can an attacker pretend to be someone he’s not?

    • (T)ampering – can an attacker successfully inject tampered data into the system?

    • (R)epudiation – can a user pretend that a transaction didn’t happen?

    • (I)nformation Disclosure – is the application leaking data to outside parties?

    • (D)enial of Service – how can the application be shut down maliciously?

    • (E)scalation of Privilege – can users gain superuser powers?

    Step Three: Score the Threats versus the Assets

    Once all of the threats have been brainstormed and recorded, it’s time to score them. Go back through the list and determine a risk assessment for each threat. Choose an ascending numbering system of 1-3, 1-5, or 1-10 where 1 is the least bad. Then use the DREAD acronym to give scores to each of these variables:

    • (D)amage – how much damage could this threat cause?

    • (R)eproducibility – how reproducible is this threat?

    • (E)xploitability – is this a boundary condition that is unlikely to be exploited?

    • (A)ffected Users – are all users affected? Some? Or just a single user?

    • (D)iscoverability – what is the likelihood that this threat would be discovered?

    Threat Modeling the IoT—with Pizza

    If you’re setting up a threat modeling system, here are some informal tips.

    • Remember that you’re analyzing threats and assets, not people.

    • Don’t use the second person (“you”) as in saying things like, “You’re doing it wrong.”

    • Have a kickoff luncheon where you model something politically safe (like a doghouse or a competitor’s product), and bring pizza.

    OWASP Internet of Things Project
    https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

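The three steps above (catalogue assets, classify with STRIDE, score with DREAD) carried through in code, as an added example that is not part of the SecurityWeek article or the OWASP project. The threat list is constructed for a hypothetical IoT device and its backing services, and the high/medium/low banding by thirds of the scale is an assumed convention, not something the post prescribes.

```python
"""STRIDE-classified threats scored with DREAD and ranked (added example)."""
from dataclasses import dataclass

# STRIDE categories exactly as the post lists them.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Escalation of Privilege",
}

# The five DREAD variables, in the post's order.
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    asset: str           # entry from the asset catalogue (step one)
    stride: str          # STRIDE letter (step two)
    description: str
    damage: int          # DREAD scores (step three); 1 is the least bad
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_scores(self) -> tuple:
        return tuple(getattr(self, f) for f in DREAD_FIELDS)


def validate(threat: Threat, scale_max: int) -> None:
    """Reject a threat whose category or scores fall outside the agreed scale."""
    if threat.stride not in STRIDE:
        raise ValueError(f"unknown STRIDE category {threat.stride!r}")
    for name, value in zip(DREAD_FIELDS, threat.dread_scores()):
        if not 1 <= value <= scale_max:
            raise ValueError(
                f"{name}={value} outside 1-{scale_max} for {threat.description!r}")


def dread_score(threat: Threat, scale_max: int = 10) -> float:
    """Plain average of the five DREAD variables; higher means riskier."""
    validate(threat, scale_max)
    scores = threat.dread_scores()
    return sum(scores) / len(scores)


def risk_band(score: float, scale_max: int = 10) -> str:
    """Assumed convention: split the chosen 1..scale_max scale into thirds."""
    if score > scale_max * 2 / 3:
        return "high"
    if score > scale_max / 3:
        return "medium"
    return "low"


def rank_threats(threats, scale_max: int = 10):
    """Return (score, band, threat) tuples, highest risk first."""
    scored = [(dread_score(t, scale_max), t) for t in threats]
    scored.sort(key=lambda st: (-st[0], st[1].asset, st[1].description))
    return [(s, risk_band(s, scale_max), t) for s, t in scored]


# Constructed sample threats for a hypothetical connected device, its
# firmware channel, its cloud API and its companion app (1-10 scale).
SAMPLE_THREATS = [
    Threat("device web admin", "S", "login accepted with factory default credentials",
           damage=8, reproducibility=10, exploitability=9, affected_users=10, discoverability=9),
    Threat("firmware update channel", "T", "unsigned firmware image accepted over HTTP",
           damage=10, reproducibility=7, exploitability=5, affected_users=10, discoverability=4),
    Threat("cloud API audit log", "R", "user can delete own action history",
           damage=3, reproducibility=6, exploitability=3, affected_users=2, discoverability=5),
    Threat("mobile app", "D", "malformed push notification crashes the app",
           damage=2, reproducibility=4, exploitability=3, affected_users=4, discoverability=2),
]

if __name__ == "__main__":
    for score, band, t in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f} {band:6} {t.stride} {t.asset}: {t.description}")
```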
  45. Tomi Engdahl says:

    Security Incidents Can Cost Industrial Firms $500K Per Year: Kaspersky
    http://www.securityweek.com/security-incidents-can-cost-industrial-firms-500k-year-kaspersky

    While a majority of industrial companies claim they are well prepared to handle a cyber security incident, many have admitted experiencing at least one incident in the past 12 months, and the annual cost can be as high as half a million dollars, according to a new report from Kaspersky Lab.

    The security firm has conducted a survey of 359 industrial cybersecurity practitioners across 21 countries, mainly from the manufacturing, construction and engineering, and oil and gas sectors.

    A majority of the respondents (83%) said they were prepared to deal with cybersecurity incidents within their industrial control systems (ICS) environment, and 86 percent claimed they had a dedicated policy or program in place.

  46. Tomi Engdahl says:

    List of Printers Which Do or Do Not Display Tracking Dots
    https://w2.eff.org/Privacy/printers/list.php

    List of Printers Which Do or Do Not Display Tracking Dots
    https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots

    (Added 2015) Some of the documents that we previously received through FOIA suggested that all major manufacturers of color laser printers entered a secret agreement with governments to ensure that the output of those printers is forensically traceable. Although we still don’t know if this is correct, or how subsequent generations of forensic tracking technologies might work, it is probably safest to assume that all modern color laser printers do include some form of tracking information that associates documents with the printer’s serial number.

    Forensic investigations of the source of documents produced with other printing technologies are also possible, but, as far as we know, other kinds of printers do not deliberately encode their serial numbers in their output.

    This is a list of color laser printer models that do or do not print yellow tracking dots on their output.

    A “no” simply means that we couldn’t see yellow dots; it does not prove that there is no forensic watermarking present.
    A “yes” simply means that we (or another source, as noted) saw yellow dots that appeared anomalous to us.

  47. Tomi Engdahl says:

    Security Incidents Can Cost Industrial Firms $500K Per Year: Kaspersky
    http://www.securityweek.com/security-incidents-can-cost-industrial-firms-500k-year-kaspersky

    The companies surveyed by Kaspersky said they spent a lot of money dealing with cybersecurity incidents. The average financial loss was roughly $347,000 per year, but organizations with more than 500 employees claimed they had spent nearly $500,000. These costs include the bill for addressing the consequences of the incident, software upgrades, staff and training.

    As for the ICS security measures taken by organizations, two-thirds of respondents said they rely on anti-malware solutions and security awareness training. Roughly half of companies also leverage intrusion detection and prevention systems, security audits, unidirectional gateways, vulnerability scanning and patch management, asset identification and management, and anomaly detection.

    Kaspersky pointed out that the move towards more advanced security technologies in favor of the traditional air-gapping is a good sign.

  48. Tomi Engdahl says:

    Hotel guest goes broke after booking software gremlin makes her pay for strangers’ rooms
    ‘Anomaly’ drained my bank account, techie complains
    https://www.theregister.co.uk/2017/06/06/hotel_guest_charged_for_all_customers/

    An eBay staffer says her bank account was wiped out and her rent check bounced – after the New York hotel she stayed in started charging other guests’ reservations to her card.

    She had stayed at the hotel a month earlier and the card was not her credit card but a debit card attached to her checking account. The next day, the hotel got back in touch to say they had figured out that only pre-paid reservations to their Brooklyn hotel were being charged to her card.

    “I had to call them, then call again, then complain on Twitter, and then someone in a leadership role finally called me back,”

  49. Tomi Engdahl says:

    FireEye admits filtering out legitimate emails in sniffer snafu
    Benign messages frogmarched into quarantine
    https://www.theregister.co.uk/2016/08/02/fireeye_filtering_snafu/

    FireEye has admitted that a snafu involving its email filtering technology meant harmless messages were shuffled off to quarantine for no good reason.
