Security trends 2017

The year 2017 will not bring any turn towards better data security. The internet is rife with both well-known and unknown threats, and company systems are expected to be protected against all of them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit card details are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
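The Chrome 56 rule described above can be reproduced as a small offline check, useful for auditing your own pages before the browser flags them. The code below is an added example, not part of the original post and not Google’s code: it applies the same two triggers Chrome 56 used (a password input, or a credit-card input marked with an `autocomplete="cc-..."` attribute) to a page fetched over plain HTTP. Chrome’s actual wording for the warning was “Not secure”; the “Secure” result here assumes the HTTPS certificate validates, which the function does not check. The HTML samples are constructed.

```python
"""Reproduce Chrome 56's "Not secure" trigger for HTTP pages (added example, stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class SensitiveFieldScanner(HTMLParser):
    """Count the <input> elements Chrome 56 treats as sensitive:
    password fields and credit-card fields (autocomplete="cc-...")."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.credit_card_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # attrs is a list of (name, value); value may be None for bare attributes
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if a.get("type") == "password":
            self.password_fields += 1
        elif a.get("autocomplete", "").startswith("cc-"):
            self.credit_card_fields += 1


def chrome56_indicator(url, html):
    """Return the address-bar state Chrome 56 would show for this page:
    "Secure" for HTTPS (assumes a valid certificate), "Not secure" for an
    HTTP page collecting passwords or card numbers, otherwise "Neutral"."""
    if urlparse(url).scheme.lower() == "https":
        return "Secure"
    scanner = SensitiveFieldScanner()
    scanner.feed(html)
    if scanner.password_fields or scanner.credit_card_fields:
        return "Not secure"
    return "Neutral"


# Constructed sample pages (not taken from any real site).
LOGIN_HTML = """<html><body><form method="post" action="/login">
<input name="user" type="text"><input name="pw" type="password"></form></body></html>"""
CHECKOUT_HTML = """<html><body><form method="post" action="/pay">
<input name="card" autocomplete="cc-number"><input name="exp" autocomplete="cc-exp">
</form></body></html>"""
PLAIN_HTML = """<html><body><form action="/search"><input name="q" type="text">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in (("http://example.com/login", LOGIN_HTML),
                      ("https://example.com/login", LOGIN_HTML),
                      ("http://example.com/pay", CHECKOUT_HTML),
                      ("http://example.com/", PLAIN_HTML)):
        print(url, "->", chrome56_indicator(url, page))
```

The practical fix for a page that comes back “Not secure” is to serve it (and the form’s `action` target) over HTTPS; the check above only tells you which pages will draw the warning.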

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 certificates from that date on, and they will mark those websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
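To find out whether a certificate is one of the SHA-1 stragglers, you only need to read the `signatureAlgorithm` OID out of its DER encoding. The following is an added example (not from the original post and not any browser’s or CA’s code) that does this with the standard library alone: it walks the outer `Certificate` SEQUENCE, decodes the AlgorithmIdentifier OID and classifies it against the well-known SHA-1 and SHA-2 signature OIDs from RFC 3279, RFC 4055 and RFC 5758. The two sample “certificates” are constructed DER stubs with a placeholder body and a zero signature, built only to exercise the parser; they are not real certificates.

```python
"""Classify an X.509 certificate's signature hash as SHA-1 or SHA-2 (added example, stdlib only)."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SHA1_ALGORITHMS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsaWithSHA1",
}
SHA2_ALGORITHMS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsaWithSHA256",
    "1.2.840.10045.4.3.3": "ecdsaWithSHA384",
    "1.2.840.10045.4.3.4": "ecdsaWithSHA512",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def pem_to_der(pem):
    """Strip PEM armour (as returned by ssl.get_server_certificate) and base64-decode."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip tbsCertificate and return the OID inside the outer signatureAlgorithm."""
    tag, cert_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, cert_start)        # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def classify_certificate(der):
    """Return (oid, algorithm name, verdict) with verdict in {deprecated, ok, review}."""
    oid = signature_algorithm_oid(der)
    if oid in SHA1_ALGORITHMS:
        return oid, SHA1_ALGORITHMS[oid], "deprecated"
    if oid in SHA2_ALGORITHMS:
        return oid, SHA2_ALGORITHMS[oid], "ok"
    return oid, "unknown", "review"


# --- constructed sample certificates: the tbsCertificate body is a placeholder
# INTEGER and the signature is zero bytes, so these are parser fixtures, not real certs ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _fake_cert(oid_hex):
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")   # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\x00" * 4)
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1_DER = _fake_cert("2a864886f70d010105")     # sha1WithRSAEncryption
SAMPLE_SHA256_DER = _fake_cert("2a864886f70d01010b")   # sha256WithRSAEncryption
SAMPLE_SHA1_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.b64encode(SAMPLE_SHA1_DER).decode()
                   + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, der in (("sha1 sample", SAMPLE_SHA1_DER), ("sha256 sample", SAMPLE_SHA256_DER)):
        print(label, classify_certificate(der))
```

For a live check, `ssl.get_server_certificate((host, 443))` returns the leaf in PEM form, which `pem_to_der` accepts. Remember that the browser policy applies to the leaf and any intermediates, not to a root’s self-signature, so a complete audit classifies every certificate in the served chain except the trust anchor.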

There will be changes in how businesses view security in 2017. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer be just an option, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in place for cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that let you pay for an attack. Expect to see more of them. 2017 promises to be the most dramatic year yet in DDoS conflict: whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and will be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.

Biometrics won’t kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors into it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts. The problem is that any system allowing police to get into an encrypted system (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh short-term benefits against long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption: you either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancement and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure, with extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial-of-service attacks is becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (which increases the need to use telecom operator and external services). In addition to disrupting service, denial-of-service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘security’ must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Blockchains have been a big trend for several years. The blockchain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum blockchain as a platform and offers it on the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own blockchains on the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for blockchains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Hillary email aka DNC hacking didn’t happen from overseas, but locally, probably by a person who had physical access to the computer and was using a USB drive:
    “Due to the estimated speed of transfer (23 MB/s) calculated in this study, it is unlikely that this initial data transfer could have been done remotely over the Internet.”

    BOMBSHELL: New Report Shows Guccifer 2.0-DNC Files Were Copied Locally—Not Hacked
    http://www.thegatewaypundit.com/2017/07/bombshell-new-report-shows-guccifer-2-0-dnc-files-copied-locally-not-hacked/

    A mysterious IT specialist, who goes by the name The Forensicator, published a detailed report that appears to disprove the theory that the DNC was hacked by Russia.

    The most important aspect about the report is the “estimated speed of transfer (23 MB/s)” at which the documents were copied. It’s inconceivable DNC documents could have been copied at such speed from a remote location.

    Reply
  2. Tomi Engdahl says:

    How to prepare and use Docker for web pentest by Júnior Carreiro
    https://pentestmag.com/prepare-use-docker-web-pentest-junior-carreiro/

    Reply
  3. Tomi Engdahl says:

    Trump hotel guests had their credit card information hacked (again)
    https://techcrunch.com/2017/07/11/trump-hotel-guests-had-their-credit-card-information-hacked-again/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Posted 13 hours ago by Taylor Hatmaker (@tayhatmaker)

    According to a new report from The Washington Post, Trump Hotels has been hacked again. The 14 affected properties include Trump Central Park, Trump Chicago, Trump Las Vegas and Trump DC, with most of the hacks occurring between November 2016 and March 2017.

    The hack, confirmed by the luxury hotel chain, reportedly compromised the credit card numbers, names, addresses and phone numbers of guests who booked using the hotel’s third-party booking system known as Sabre Hospitality Solutions.

    Reply
  4. Tomi Engdahl says:

    Kaspersky Lab Has Been Working With Russian Intelligence
    https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence

    Emails show the security-software maker developed products for the FSB and accompanied agents on raids.

    Reply
  5. Tomi Engdahl says:

    Nick Statt / The Verge:
    Report: Amazon is considering giving Alexa developers access to transcripts of what people say when their applications are used

    Amazon may give app developers access to Alexa audio recordings
    A substantial shift in Amazon’s stance on consumer privacy
    https://www.theverge.com/2017/7/12/15960596/amazon-alexa-echo-speaker-audio-recordings-developers-data

    Amazon is considering granting third-party app developers access to transcripts of audio recordings saved by Alexa-powered devices, according to a report from The Information today. The change would be aimed at enticing developers to continue investing in Alexa as a voice assistant platform, by giving those app makers more data that could help improve their software over time. Amazon’s goal, according to The Information, is to stay competitive with more recent entrants in the smart speaker market, like Apple and Google.

    “When you use a skill, we provide the developer the information they need to process your request. We do not share customer identifiable information to third-party skills without the customer’s consent,” an Amazon spokesperson told The Verge. “We do not share audio recordings with developers.”

    Facing New Rivals, Amazon May Open Up Alexa Data for Developers
    https://www.theinformation.com/facing-new-rivals-amazon-may-open-up-alexa-data-for-developers

    Amazon.com is mulling a far-reaching policy change that would give Alexa developers access to raw transcripts of what people say when using Alexa applications, said three people familiar with the matter.

    Reply
  6. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    14M+ records of Verizon users who called customer service, including phone numbers, addresses, PINs, were left exposed for over week after telecom was notified

    Millions of Verizon customer records exposed in security lapse
    http://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/

    Customer records for at least 14 million subscribers, including phone numbers and account PINs, were exposed.

    An Israeli technology company has exposed millions of Verizon customer records, ZDNet has learned.

    As many as 14 million records of subscribers who called the phone giant’s customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, a Ra’anana, Israel-based company.

    The data was downloadable by anyone with the easy-to-guess web address.

    Nice, which counts 85 of the Fortune 100 as customers, plays in two main enterprise software markets: customer engagement and financial crime and compliance including tools that prevent fraud and money laundering. Nice’s 2016 revenue was $1.01 billion,

    Privacy watchdogs have linked the company to several government intelligence agencies, and it’s known to work closely with surveillance and phone cracking firms Hacking Team and Cellebrite.

    Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of the exposure shortly after it was discovered in late-June.

    Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts
    https://www.upguard.com/breaches/verizon-cloud-leak

    UpGuard’s Cyber Risk Team can now report that a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon.

    The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes; Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back-office and call center operations. In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A.—another NICE Systems partner that services customers across Europe and Africa.

    Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

    Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.

    NICE Systems’ history of supplying technology for use in intrusive, state-sponsored surveillance is an unsettling indicator of the severity of this breach of privacy. This offshore logging of Verizon customer information in a downloadable repository should be alarming to all consumers who entrust their private data to major US companies, only to see it shared with unknown parties.

    Reply
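The Verizon/NICE Systems leak quoted above came down to an S3 bucket whose access settings let anyone who knew the URL download it. As an added example, not part of this thread, UpGuard’s research or AWS’s tooling, the code below evaluates the two documents that decide whether a bucket is public, its ACL and its bucket policy, in the shapes that `boto3`’s `get_bucket_acl()` and `get_bucket_policy()['Policy']` return, entirely offline. The sample ACL and policy are constructed; the group URIs and policy grammar are the real AWS ones.

```python
"""Offline check of an S3 bucket's ACL and bucket policy for public access (added example)."""
import json

# Real S3 predefined-group URIs; a grant to either makes the bucket world-readable/writable.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append("ACL grants %s to %s"
                            % (grant.get("Permission"), PUBLIC_GROUP_URIS[grantee["URI"]]))
    return findings


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Flag Allow statements open to everyone; a Condition may narrow them, so note it."""
    if isinstance(policy, str):            # get_bucket_policy() returns the JSON as a string
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        if stmt.get("Condition"):
            findings.append("Policy allows %s to everyone, limited by a Condition (review)" % actions)
        else:
            findings.append("Policy allows %s to everyone with no Condition" % actions)
    return findings


def assess_bucket(name, acl, policy=None):
    """Combine ACL and policy findings into one verdict for the bucket."""
    findings = acl_findings(acl) + (policy_findings(policy) if policy else [])
    return {"bucket": name, "public": bool(findings), "findings": findings}


# --- constructed sample documents (not from any real account) ---
LEAKY_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-call-logs/*"}],
})
PRIVATE_ACL = {"Owner": {"ID": "constructed-owner-id"},
               "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
                           "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-call-logs", LEAKY_ACL, LEAKY_POLICY), indent=2))
    print(json.dumps(assess_bucket("example-private", PRIVATE_ACL), indent=2))
```

In a real inventory you would feed this from `boto3`’s `list_buckets()`, `get_bucket_acl()` and `get_bucket_policy()` for every bucket in every account, including vendors’ accounts that hold your data, since the leak above lived in a partner’s bucket rather than Verizon’s own. AWS later added account-level S3 Block Public Access, which postdates this incident; where it is enabled, an ACL or policy like the constructed sample is refused outright.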
  7. Tomi Engdahl says:

    Reuters:
    Apple to set up first data center in China to comply with new cybersecurity laws, is the first foreign firm to announce amendments to its data storage for China — 3 MIN READ — BEIJING (Reuters) – Apple Inc on Wednesday said it is setting up its first data center in China …

    Apple sets up China data center to meet new cyber-security rules
    http://www.reuters.com/article/us-china-apple-idUSKBN19X0D6

    BEIJING (Reuters) – Apple Inc on Wednesday said it is setting up its first data center in China, in partnership with a local internet services company, to comply with tougher cyber-security laws introduced last month.

    Reply
  8. Tomi Engdahl says:

    U.S. Bans Kaspersky Software Amid Concerns Over Russia Ties
    http://www.securityweek.com/us-bans-kaspersky-software-amid-concerns-over-russia-ties

    The US government has moved to block federal agencies from buying software from Russia-based Kaspersky Lab, amid concerns about the company’s links to intelligence services in Moscow.

    The General Services Administration, which handles federal government purchasing contracts, said in a statement to AFP that Kaspersky Lab, a major global provider of cybersecurity software, has been removed from its list of approved vendors, making it more difficult to obtain Kaspersky products.

    “GSA’s priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes,” the agency said in a statement.

    The action came weeks after top US intelligence agency and law enforcement officials publicly expressed concerns about use of Kaspersky software.

    The officials, appearing at a congressional hearing in May, stopped short of offering specifics but appeared to suggest concerns over the computer security firm’s alleged links to Russian defense and intelligence bodies.

    Reply
  9. Tomi Engdahl says:

    Kaspersky Lab response clarifying the inaccurate statements published in a Bloomberg Businessweek article on July 11, 2017
    https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-response-clarifying-inaccurate-statements-published-in-bloomberg-businessweek-on-july-11-2017

    “Regardless of how the facts are misconstrued to fit in with a hypothetical, false theory, Kaspersky Lab, and its executives, do not have inappropriate ties with any government. The company does regularly work with governments and law enforcement agencies around the world with the sole purpose of fighting cybercrime.

    “In the internal communications referenced within the recent article, the facts are once again either being misinterpreted or manipulated to fit the agenda of certain individuals desperately wanting there to be inappropriate ties between the company, its CEO and the Russian government, but no matter what communication they claim to have, the facts clearly remain there is no evidence because no such inappropriate ties exist.”

    Reply
  10. Tomi Engdahl says:

    Microsoft Patches LDAP Relay Vulnerability in NTLM
    http://www.securityweek.com/microsoft-patches-ldap-relay-vulnerability-ntlm

    Microsoft resolved over 50 bugs with its July 2017 set of security patches, one being a vulnerability where the Lightweight Directory Access Protocol (LDAP) wasn’t protected from Microsoft NT LAN Manager (NTLM) relay.

    Reply
  11. Tomi Engdahl says:

    PSD2 and Open Banking Bring Problems and Opportunities for Global Banks
    http://www.securityweek.com/psd2-and-open-banking-brings-problems-and-opportunities-global-banks

    Global Banks Should Not Ignore Europe’s Payment Services Directive 2 (PSD2)

    Payment Services Directive 2 (PSD2) is a new EU banking/finance regulation coming into force in January 2018. It is designed to shake up the finance sector — perhaps even designed to weaken the overall strength of the banks following the 2008 crash. While being European in origin, American and other global banks should not — and perhaps cannot — ignore it.

    The banks are considered to be too powerful and monolithic with sole and complete ownership of their customers financial data. The European bureaucrats want to introduce some competition. Their chosen route is to force the banks to provide APIs that will allow third-party apps to access customer data and provide new services not currently offered by the banks. The bureaucrats then believe third-parties will re-invigorate the payments and finance markets for end users.

    There are enormous difficulties for the banks — for while they are required to give third-party access to customer data, they will remain liable for the security of that data under the General Data Protection Regulation (GDPR).

    Consider if this is done via a social media organization. That organization will build an app that provides access to, and uses, its customers’ financial data. The banks can authenticate the social media organization; but the social media app authenticates the user. It is possible, then, that access to customer financial data will be controlled only by social media logon; and that will almost certainly be less secure than the multi-factor and behavioral security measures that many banks currently use.

    Reply
  12. Tomi Engdahl says:

    HPE Addresses Vulnerabilities in Several Products
    http://www.securityweek.com/hpe-addresses-vulnerabilities-several-products

    Hewlett Packard Enterprise (HPE) has informed customers of security bypass, information disclosure, remote code execution, cross-site scripting (XSS) and URL redirection vulnerabilities in several of its products. Advisories for each of the affected products were published this week on the Full Disclosure mailing list.

    Samba component of HPE NonStop Server is affected by access restriction bypass (CVE-2017-2619) and remote code execution flaws (CVE-2017-7494).

    The HPE SiteScope application monitoring software is affected by four vulnerabilities, including remote code execution and security restrictions bypass flaws rated “high severity.”

    Reply
  13. Tomi Engdahl says:

    Microsoft Patches Over 50 Vulnerabilities
    http://www.securityweek.com/microsoft-patches-over-50-vulnerabilities

    Microsoft has patched more than 50 vulnerabilities in its products, including Windows, Internet Explorer, Edge, Office, SharePoint, .NET, Exchange and HoloLens. While some of them have already been disclosed, the tech giant is not aware of any malicious attacks exploiting these flaws.

    One of the weaknesses whose details have already been publicly disclosed is CVE-2017-8584, a critical remote code execution vulnerability affecting HoloLens, Microsoft’s mixed reality headset.

    Reply
  14. Tomi Engdahl says:

    Strengthening U.S. Cybersecurity Requires Looking Beyond Nation-State Threats
    http://www.securityweek.com/strengthening-us-cybersecurity-requires-looking-beyond-nation-state-threats

    President Trump’s executive order (EO) on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” is a commendable first step in bolstering the nation’s federal defenses against large-scale cyber attacks and state-sponsored cyber adversaries. The need to combat these types of threats and threat actors has only become more pressing following the recent WannaCry and Petya ransomware attacks — both of which wreaked havoc worldwide within weeks of the EO’s May 11, 2017 debut. Indeed, it’s exactly these sorts of attacks — high-profile, allegedly linked to foreign governments, and with widespread damages that spill over into the physical world — that tend to spark change and mobilize leaders and decision-makers to take action.

    The challenge is high-profile cyber attacks and state-sponsored cyber adversaries represent a relatively small portion of the cyber threats and threat actors infringing upon the collective well-being and security of the nation and its constituents. In order to lay the groundwork for a more secure, informed, and resilient nation, the Trump administration should consider supplementing the existing EO with plans to address another type of threat: cybercrime.

    http://www.securityweek.com/industry-reactions-trumps-cybersecurity-executive-order

    Reply
  15. Tomi Engdahl says:

    Solving Cyberwar the Old Fashioned Way – Via Diplomacy
    http://www.securityweek.com/solving-cyberwar-old-fashioned-way-diplomacy

    What is Essentially Needed is a NATO or Similar Structure Organization for Cyberwarfare

    In case you missed it, Canada and China have just announced signing an agreement vowing not to hack each other for the purpose of economic espionage. The agreement specifically cites confidential business information and stealing trade secrets. It does not refer to national intelligence gathering or espionage.

    Worryingly, the majority of attacks against manufacturing and pharmaceutical companies are not opportunistic. Due to the fact that trade secrets are obviously a valuable and critical data type, and also actively developed and kept in specific business units and assets, they are better secured than most companies’ infrastructure.

    R&D is expensive. It can require many years of iterative research that is difficult to begin from scratch or catch up, and can also frequently be a gamble without a guaranteed payoff. In the pharmaceutical industry for example, the success rate of a new medication getting through FDA approval is only 9.6%. This makes R&D a very lucrative and worthwhile target of cyberwar.

    Reply
  16. Tomi Engdahl says:

    Trust Attacks Pose Novel Challenge for Companies
    http://www.securityweek.com/trust-attacks-pose-novel-challenge-companies

    Novel cyber-attacks will ruin reputations and erode customer trust, but can humans keep up in the cyber arms race?

    In the face of advanced threats like these, words can only go so far to assuage the fears of clients and investors. At some point, they demand results, and in cyber security, the only result that matters is whether or not you’ve stayed safe from data breaches. Unless organizations start taking proactive security measures, they risk losing one of their most important commodities – public trust.

    Reply
  17. Tomi Engdahl says:

    Stepping Up Cybersecurity This Summer
    http://www.securityweek.com/stepping-cybersecurity-summer

    It’s summertime, and everyone’s on vacation. What could possibly go wrong?

    For the security team, the answer is “plenty.” Summer brings a set of new challenges to security organizations including employees taking more time off, often with their corporate laptops. Our own security personnel are taking vacation time, too, which makes staffing the security operations center (SOC) more challenging. More laptops in less secure locations plus less security staff on hand can add up to greater risk.

    Thus, with summer fully upon us, we in the security profession need to make sure the change in season doesn’t create additional vulnerabilities.

    With employees travelling, it’s important to address your security posture. Are your assets patched, encrypted and up to date with the latest protection updates as driven by your security posture? If not, can you make this a priority before those assets start traveling to unknown locations in employees’ luggage and carry-on bags?

    Within the security organization specifically, have you planned for personnel shortages and coverage while employees take vacation? Do you have contact information for all critical members of the organization and their backups in case a significant incident is discovered? The threat actors in today’s environment recognize that organizations may not be as diligent about monitoring alerts over the summer, and they’ll take advantage of the potential opportunity for increased dwell time.

    Reply
  18. Tomi Engdahl says:

    Cisco acquires network security startup Observable Networks
    https://techcrunch.com/2017/07/13/cisco-acquires-network-security-startup-observable-networks/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    Cisco has made another acquisition in the enterprise security space — underscoring the ongoing market demand for security services amid a growing threat of cyber breaches and malicious hacking among businesses that are moving to cloud-based infrastructures.

    Today, the IT giant announced that it has acquired Observable Networks, a company based out of St Louis that provides real-time network behaviour monitoring

    Reply
  19. Tomi Engdahl says:

    With cybercrime projected to reap some $6 trillion in damages by 2021, and businesses likely to invest around $1 trillion over the next five years to try to mitigate that, we’re seeing a rise of startups that are building innovative ways to combat malicious hackers.

    Source: https://techcrunch.com/2017/07/11/more-funding-for-ai-cybersecurity-darktrace-raises-75m-at-an-825m-valuation/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Reply
  20. Tomi Engdahl says:

    Research: The wall keeps, but the data leaks

    Last year, nearly 1.4 billion data records were stolen from companies. Nonetheless, 94 percent of the IT experts interviewed by Gemalto considered their company’s network well protected against intrusions.

    On the other hand, 65% are not very convinced that information, for example within business premises, is well protected. 68 percent say that unauthorized users can access their networks.

    Over the last year, 28% of businesses have suffered a data breach. Only 8 percent of the stolen data was encrypted, the study says.

    Source: http://www.etn.fi/index.php/13-news/6559-tutkimus-muuri-pitaa-mutta-data-vuotaa

    Reply
  21. Tomi Engdahl says:

    Eduard Kovacs / SecurityWeek:
    Info on millions of Verizon users, including phone numbers, addresses, PINs were left exposed online; Verizon disputes early reports of 14M, says it affected 6M — The personal details of millions of Verizon customers were exposed online due to a misconfigured Amazon Web Services (AWS) …

    Verizon Downplays Leak of Millions of Customer Records
    http://www.securityweek.com/verizon-downplays-leak-millions-customer-records

    The personal details of millions of Verizon customers were exposed online due to a misconfigured Amazon Web Services (AWS) S3 bucket operated by a third-party vendor, but the telecoms giant has downplayed the incident.

    Cyber resilience firm UpGuard reported on Wednesday that its researchers discovered an unprotected AWS S3 bucket containing information on as many as 14 million Verizon customers, including names, addresses, phone numbers, PINs used for identity verification purposes, customer satisfaction data, and service purchases.

    The data, which appears to represent daily logs collected over the first six months of 2017, was not exposed by Verizon itself, but by NICE Systems, an Israel-based partner that provides call center services. UpGuard reported the leak to Verizon on June 13, but the exposed database was only protected on June 22.

    “Beyond the sensitive details of customer names, addresses, and phone numbers—all of use to scammers and direct marketers—the prospect of such information being used in combination with internal Verizon account PINs to takeover customer accounts is hardly implausible.

    In a statement published on its corporate website, Verizon downplayed the incident, claiming that the details of only 6 million unique customers were exposed. The company blamed the leak on human error, and pointed out that no one other than UpGuard had accessed the unprotected cloud storage area.

    Experts believe this is a serious incident, even if no one else downloaded the data from the cloud storage.

    “Sure, a mid-air miss is better than an air flight disaster, but neither should ever happen,”

    Willy Leichter, vice president of marketing at Virsec, believes “this will be a heated board-level issue for a $1 billion company like Nice, and a $125 billion-plus company like Verizon.”

    “If the European General Data Protection Regulation (GDPR) was in effect (it is starting in May 2018) there could be a fine as large as $5 billion (4% of annual revenue) for this single incident,” Leichter said.

    Verizon responds to report: Confirms no loss or theft of customer information
    http://www.verizon.com/about/news/verizon-responds-report-confirms-no-loss-or-theft-customer-information

    Reply
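    The root cause here is an S3 bucket whose policy or ACL granted listing and reading to everyone. The following is an added example, not code from the article, UpGuard or Verizon: it evaluates a bucket policy document and an ACL grant list of the shape boto3’s get_bucket_policy and get_bucket_acl return (the calls themselves are not made here), with constructed sample inputs, a fictional bucket name and a fictional account ID, and reports the statements and grants that make the bucket public.

```python
import json

# Policy actions that let anyone read objects or list the bucket (compared lowercase).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}

# ACL grantee groups meaning "everyone on the internet" / "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for "Principal": "*" and for {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy_document):
    """Labels of Allow statements that grant read/list access to any principal.

    policy_document is the JSON string a bucket policy is stored as. Statements
    carrying a Condition are still reported, marked so a human reviews them:
    a SourceIp condition narrows access, but it does not make the bucket private.
    NotPrincipal / NotAction forms are not evaluated by this checker.
    """
    policy = json.loads(policy_document)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(statement.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action"))}
        if actions & READ_ACTIONS:
            label = statement.get("Sid", f"Statement[{index}]")
            if "Condition" in statement:
                label += " (conditional)"
            findings.append(label)
    return findings


def public_acl_grants(grants):
    """(group URI, permission) pairs for ACL grants that expose the bucket to everyone."""
    exposed = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") in PUBLIC_GRANTEE_URIS and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            exposed.append((grantee["URI"], grant["Permission"]))
    return exposed


def audit_bucket(policy_document, grants):
    """Run both checks; an empty dict means nothing public was found."""
    report = {}
    if policy_document:
        statements = public_read_statements(policy_document)
        if statements:
            report["policy"] = statements
    acl = public_acl_grants(grants)
    if acl:
        report["acl"] = acl
    return report


# Constructed sample inputs (fictional bucket and account, not any vendor's real configuration).
BUCKET = "arn:aws:s3:::example-callcenter-logs"
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
})
FIXED_POLICY = json.dumps({                    # same bucket, one role in the owner's account
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VendorRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/callcenter-export"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET, BUCKET + "/*"],
    }],
})
OPEN_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
FIXED_ACL = OPEN_ACL[:1]

if __name__ == "__main__":
    print("as found:", audit_bucket(OPEN_POLICY, OPEN_ACL))
    print("fixed:   ", audit_bucket(FIXED_POLICY, FIXED_ACL))
```

    The ListBucket grant is the one that matters most for discovery: it is what lets an outsider enumerate object keys before downloading them. Running a check like this against every bucket in an account, including those operated by vendors on your behalf, is the control that would have caught this exposure on day one rather than nine days after a researcher reported it.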
  22. Tomi Engdahl says:

    Authentication Bypass On Uber’s Single Sign-On Via Subdomain Takeover
    https://www.arneswinnen.net/2017/06/authentication-bypass-on-ubers-sso-via-subdomain-takeover/?lipi=urn%3Ali%3Apage%3Ad_flagship3_feed%3BLT10wd4tSV%2BUk74%2BUHBVJg%3D%3D

    Uber was vulnerable to subdomain takeover on saostatic.uber.com via Amazon CloudFront CDN. Moreover, Uber’s recently deployed Single Sign-On (SSO) system at auth.uber.com, which is based on shared cookies between all *.uber.com subdomains, was found vulnerable to session cookie theft by any compromised *.uber.com subdomain. Therefore, the impact of the subdomain takeover could be increased to Authentication Bypass of Uber’s full SSO system.

    Uber resolved the subdomain takeover vulnerability and granted a $5,000 bounty.

    Uber used OAuth as an SSO system.

    However recently, they’ve changed (reverted?) to a SSO system based on shared session cookies among subdomains of *.uber.com.

    Reply
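    The SSO weakness described above is a cookie-scoping decision: a session cookie set with Domain=.uber.com is sent to every subdomain, so any host under that domain, including one an attacker controls through a dangling CDN record, receives it. The following added example (not the researcher’s code; it uses example.com in place of uber.com and constructs the Set-Cookie headers and the response object itself) uses Python’s standard http.cookiejar, whose default policy follows browser rules for Netscape-style cookies, to show which hosts receive a domain-wide cookie versus a host-only one.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Stand-in for an HTTP response carrying Set-Cookie headers (constructed for this example)."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        # CookieJar.extract_cookies() only needs .info().get_all("Set-Cookie").
        return self._headers


def cookie_names_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";") if part.strip())


def simulate_sso_cookie(set_cookie_header, sso_host="auth.example.com",
                        other_host="saostatic.example.com"):
    """Set the session cookie as the SSO host would, then see which hosts receive it."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy: browser-like scoping rules
    login = urllib.request.Request(f"https://{sso_host}/login")
    jar.extract_cookies(FakeResponse([set_cookie_header]), login)
    return {
        sso_host: cookie_names_sent_to(jar, f"https://{sso_host}/"),
        other_host: cookie_names_sent_to(jar, f"https://{other_host}/"),
    }


# Domain-scoped cookie: every *.example.com host, including one an attacker has
# taken over, receives the session cookie.
DOMAIN_WIDE = "sso=s3ss10n; Domain=.example.com; Path=/; Secure"
# Host-only cookie (no Domain attribute): only auth.example.com receives it.
HOST_ONLY = "sso=s3ss10n; Path=/; Secure"

if __name__ == "__main__":
    for header in (DOMAIN_WIDE, HOST_ONLY):
        print(header)
        for host, names in simulate_sso_cookie(header).items():
            print(f"  {host:<24} receives {names or 'nothing'}")
```

    A host-only cookie is what the shared-cookie design gives up: with it, a compromised static subdomain never sees the SSO session. Where browser support allows, naming the cookie with the __Host- prefix makes the browser reject any Domain attribute outright, so the scoping cannot regress by accident.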
  23. Tomi Engdahl says:

    Rod McGuirk / AP News:
    The Australian government proposes a new cybersecurity law, modeled after UK’s Investigatory Powers Act, to force tech companies to decrypt messages

    Australia plans law to force tech giants to decrypt messages
    https://apnews.com/621e0913072a4cb5a1a7f7338721b059/Australia-plans-law-to-force-tech-giants-to-decrypt-messages

    CANBERRA, Australia (AP) — The Australian government on Friday proposed a new cybersecurity law to force global technology companies such as Facebook and Google to help police by unscrambling encrypted messages sent by suspected extremists and other criminals.

    But some experts, as well as Facebook, warned that weakening end-to-end encryption services so that police could eavesdrop would leave communications vulnerable to hackers.

    The new law would be modeled on Britain’s Investigatory Powers Act, which was passed by the British Parliament in November and gave intelligence agencies some of the most extensive surveillance powers in the Western world, the government said.

    The Australian bill that would allow courts to order tech companies to quickly unlock communications will be introduced to Parliament by November, officials said.

    Reply
  24. Tomi Engdahl says:

    E.D. Cauchi / NBC News:
    In letter to Sen. Wyden, CBP says it lacks authority to search travelers’ cloud services at border but can search devices’ local data without consent

    Border Patrol Says It’s Barred From Searching Cloud Data on Phones
    http://www.nbcnews.com/news/us-news/border-patrol-says-it-s-barred-searching-cloud-data-phones-n782416

    U.S. border officers aren’t allowed to look at any data stored only in the “cloud” — including social media data — when they search U.S. travelers’ phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News.

    The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden’s office, not only states that CBP doesn’t search data stored only with remote cloud services, but also — apparently for the first time — declares that it doesn’t have that authority in the first place.

    In April, Wyden and Sen. Rand Paul, R-Ky., introduced legislation to make it illegal for border officers to search or seize cellphones without probable cause.

    McAleenan’s letter cites several laws that he contends allow officers to search any traveler’s phone without probable cause when the traveler enters or leaves the United States. The agency says the practice protects against child pornography, drug trafficking, terrorism and other threats.

    But the question of whether that broad authority extends to data held on remote servers but not physically stored on a phone had remained unclear.

    McAleenan’s letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion — but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos.

    Travelers don’t even have to unlock their devices or hand over their passwords when asked — but if they refuse, officers can “detain” the phone, McAleenan wrote.

    In general, McAleenan wrote, cellphone searches of U.S. citizens are “exceedingly rare.”

    Reply
  25. Tomi Engdahl says:

    Wall Street Journal:
    Sources: dark web market AlphaBay shut down by law enforcement in US, Canada, and Thailand; one of alleged operators was arrested, later found hanged in prison — Site allegedly sold counterfeit credit cards, illegal drugs — An online marketplace that sold illegal goods on the so-called Dark Web …

    Illegal-Goods Website AlphaBay Shut Following Law-Enforcement Action
    Site allegedly sold counterfeit credit cards, illegal drugs
    https://www.wsj.com/articles/illegal-goods-website-alphabay-shut-following-law-enforcement-action-1499968444

    Reply
  26. Tomi Engdahl says:

    Inadequate Boundary Protections Common in Critical Infrastructure: ICS-CERT
    http://www.securityweek.com/inadequate-boundary-protections-common-critical-infrastructure-ics-cert

    The assessments conducted by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in 2016 showed that inadequate boundary protection has remained the most prevalent weakness in critical infrastructure organizations.

    ICS-CERT conducted 130 assessments in the fiscal year 2016, which is more than in any previous year. Monitor newsletters published by ICS-CERT this year show that it has already conducted 74 assessments in the first half of 2017.

    Assessments are offered to both government organizations and private sector companies whose owners and operators request them. Last year, the CERT conducted assessments in 12 of the 16 critical infrastructure sectors, including chemical, commercial facilities, communications, critical manufacturing, emergency services, dams, energy, food and agriculture, IT, government facilities, transportation, and water and wastewater systems.

    Similar to the previous two years, inadequate boundary protection remained the most common flaw – 94 discoveries representing more than 13 percent of all weaknesses identified during assessments.

    The second most prevalent type of vulnerability, with 42 discoveries, is “least functionality.” This refers to organizations failing to implement controls to ensure that unnecessary services, ports, protocols or applications that can be exploited to gain access to ICS are disabled.

    https://ics-cert.us-cert.gov/monitors

    Reply
  27. Tomi Engdahl says:

    EFF Reviews Privacy Practices of Online Service Providers
    http://www.securityweek.com/eff-reviews-privacy-practices-online-service-providers

    Each year, the Electronic Frontier Foundation (EFF) publishes an annual ‘Who Has Your Back’ analysis of the basic privacy policy of major online service providers. It looks at five primary characteristics:

    • Best privacy practices (including a satisfactory public, published policy and a published transparency report)

    • Informs users about government data requests (in advance of actually handing over any data)

    • Refusal to hand over data without legal requirement (including by leakage or sale to third parties)

    • Stands up to National Security Letter (NSL) gag orders (with a public pledge to invoke the right to seek judicial review of all indefinite gag orders)

    • Has a pro-user public policy (including support for reform of Section 702 of the FISA Amendments Act that will reduce the collection of information on innocent people).

    A star is awarded for each category satisfied by the provider. This year (PDF), nine out of 26 evaluated companies have been awarded five stars: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and WordPress.

    https://www.eff.org/files/2017/07/08/whohasyourback_2017.pdf

    Reply
  28. Tomi Engdahl says:

    Old Kerberos Bypass Flaw Patched in Windows, Linux
    http://www.securityweek.com/old-kerberos-bypass-flaw-patched-windows-linux

    A 20-year-old authentication bypass vulnerability affecting some implementations of the Kerberos protocol has been patched in Windows, Linux and BSD operating systems.

    Kerberos, whose name stems from the mythological three-headed hound Cerberus, is an authentication protocol that uses “tickets” to allow nodes to communicate securely over a non-secure network.

    The flaw has been dubbed Orpheus’ Lyre because similar to how the bard Orpheus managed to get past Cerberus by putting it to sleep with his lyre, the vulnerability can be used to bypass Kerberos.

    https://www.orpheus-lyre.info/

    Reply
  29. Tomi Engdahl says:

    Free Scanner Finds 50,000 EternalBlue-Vulnerable Systems
    http://www.securityweek.com/free-scanner-finds-50000-eternalblue-vulnerable-systems

    More than 50,000 computers vulnerable to the NSA-linked EternalBlue exploit were found by a free vulnerability scanner in recent weeks.

    Dubbed Eternal Blues, the tool was designed to provide network administrators with visibility into the EternalBlue-vulnerable machines in their networks, but without actually exploiting the flaw. In the wake of WannaCry, NotPetya, and other global infections leveraging the NSA-linked exploit, knowing whether a network is vulnerable or not is certainly a good idea.

    Eternal Blues – Worldwide Statistics
    http://omerez.com/eternal-blues-worldwide-statistics/

    Reply
  30. Tomi Engdahl says:

    Dell Launches Endpoint Security Product for Air-Gapped Systems
    http://www.securityweek.com/dell-launches-endpoint-security-product-air-gapped-systems

    Dell announced on Thursday the availability of a new version of its Endpoint Security Suite Enterprise product designed specifically for air-gapped systems.

    The solution is designed to protect isolated computers from malware, insiders and other threats using artificial intelligence and predictive mathematical models provided by endpoint security firm Cylance.

    Researchers demonstrated in the past years that malware can leverage several methods to exfiltrate sensitive data from air-gapped systems, including through noise, LEDs, heat and radio frequencies.

    Since isolated systems are not connected to the Internet, the security products installed on them cannot automatically receive regular malware definitions and other updates. By teaming up with Cylance, whose mathematical models only require a few updates per year, Dell has developed a solution that can protect a device without requiring an Internet connection.

    The air gap version of Dell Endpoint Security Suite Enterprise is available now in the United States and other select countries around the world.

    Reply
  31. Tomi Engdahl says:

    Google To Replace SMS Codes With Mobile Prompts in 2-Step-Verification Procedure
    https://m.slashdot.org/story/328735

    Starting next week Google will overhaul its two-step verification (2SV) procedure and replace one-time codes sent via SMS with prompts shown on the user’s smartphone. From a report:
    This change in the Google 2SV scheme comes after an increase in SS7 telephony protocol attacks that have allowed hackers to take over people’s mobile phone numbers to receive one-time codes via SMS and break into user accounts.

    https://www.bleepingcomputer.com/news/google/google-to-replace-sms-codes-with-mobile-prompts-in-2-step-verification-procedure/

    Reply
  32. Tomi Engdahl says:

    White House releases sensitive personal information of voters worried about their sensitive personal information
    https://www.washingtonpost.com/news/wonk/wp/2017/07/14/white-house-releases-sensitive-personal-information-of-voters-worried-about-their-sensitive-personal-information/?utm_term=.d60ab406b726

    The White House on Thursday made public a trove of emails it received from voters offering comment on its Election Integrity Commission. The commission drew widespread criticism when it emerged into public view by asking for personal information, including addresses, partial social security numbers and party affiliation, on every voter in the country.

    It further outraged voters by planning to post that information publicly.

    “You will open up the entire voting population to a massive amount of fraud if this data is in any way released,” one voter wrote.

    “Many people will get their identity stolen, which will harm the economy,” wrote another.

    Unfortunately for these voters and others who wrote in, the Trump administration did not redact any of their personal information from the emails before releasing them to the public.

    “This request is very concerning,” wrote one. “The federal government is attempting to get the name, address, birth date, political party, and social security number of every voter in the country.”

    Federal agencies often solicit and release public comments on proposed legislation.

    Reply
  33. Tomi Engdahl says:

    Hackers can take a hidden test to become mid-grade officers in the US Army’s Cyber Command
    http://www.businessinsider.com/hidden-easter-egg-us-army-cyber-command-puzzle-2017-7?IR=T

    As cyberattacks on the US become commonplace, disorienting, and potentially damaging to the US’s fundamental infrastructure, the US Army’s Cyber Command reached out to civilian hackers in a language they could understand – hidden hacking puzzles online.

    With Russia’s attempts to hack into voting systems during the 2016 presidential election and its alleged infiltration of US nuclear power plants keeping the US’s cyber vulnerabilities constantly in the news, Nakasone said Cyber Command will put together 133 teams to do battle in the cyber realm.

    In the next few months qualified hackers could undergo “direct commissioning” and find themselves as “mid-grade officers” in the Army’s Cyber Command.

    Reply
  34. Tomi Engdahl says:

    Want to kill your IT security team? Put the top hacker in charge
    BSides spills the beans on how to manage white hats at work
    https://www.theregister.co.uk/2017/07/14/managing_white_hats_at_work/

    Managing an IT department at the best of times can be a struggle, and managing a security team has its own special challenges.

    But whatever you do, don’t put an engineer, even your best, in charge, unless their people management skills are as good as their infosec knowhow.

    The skill sets required to be a good security engineer bear very little relation to those needed for managing a department, but some businesses insist on following procedure. Appointing them boss, Murray said, almost always ends in failure.

    Thankfully companies are now recognizing this, he said, and are running twin career tracks in IT security. Those who want to slip into a suit and manage can do so. There are also a lot of distinguished engineers making as much money as a VP and still getting down and dirty with security code.

    For those managing security teams there are two key mistakes to avoid, Murray said. The first – an error he himself made early in his career – is to not manage enough and just trust that it’ll all work out. It’s tempting to think that such highly skilled individuals could work on their own, but guidance needs to be given.

    The other mistake is to go too far in the other direction – to micromanage and go fully corporate. Nothing is going to get your staff demoralized and moving on like making them fill out timesheets, he said.

    Reply
  35. Tomi Engdahl says:

    UK spookhaus GCHQ can crack end-to-end encryption, claims Australian A-G
    Antipodean not-backdoors plan will mirror UK Investigatory Powers Act, ensure law of land trumps laws of mathematics
    https://www.theregister.co.uk/2017/07/14/uk_spookhas_gchq_can_crack_endtoend_encryption_says_australian_ag/

    British signals intelligence agency Government Communications Headquarters (GCHQ) can crack end-to-end encrypted messages sent using WhatsApp and Signal, according to Australian attorney-general George Brandis.

    Brandis made the claim speaking to the Australian Broadcasting Corporation’s AM program, on the occasion of Australia announcing it would adopt laws mirroring the UK’s Investigatory Powers Act. Brandis said the proposed law will place “an obligation on device manufacturers and service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis where it is necessary to interdict or in the case of a crime that may have been committed.”

    “Last Wednesday I met with the chief cryptographer at GCHQ … And he assured me that this was feasible.”

    The first is that Brandis says Australia already has mechanisms to allow law enforcement authorities to intercept electronic communications. Extending that power to encrypted traffic just brings that power up to date, he argues.

    Turnbull said that encrypted messaging services are used by ordinary citizens, they are also used “ … by people who seek to do us harm. They’re being used by terrorists, they’re being used by drug traffickers, they’re being used by paedophile rings.”

    Pushed on how encrypted messages could be read when service providers don’t hold the keys necessary for decryption, Turnbull had this to say:

    Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only laws that applies in Australia is the law of Australia.

    Reply
  36. Tomi Engdahl says:

    Oz government wants its own definition of what ‘backdoor’ means
    When the good guys use backdoors, they’re not backdoors, understand?
    https://www.theregister.co.uk/2017/07/07/oz_governments_definition_of_backdoor/

    Australia’s federal government has shifted its ground on the encryption debate, and is now working to hem in the debate by constraining the definition of “backdoor”.

    The technologist’s understanding is that anything that compromises encryption represents a “backdoor” of some kind, from NSA-style bug-hoarding to key escrow to cryptographers planting “magic keys” in an application (which somehow, improbably, manage to remain secret).

    The Australian government’s idea is that if it describes “backdoors” only in terms of NSA hacks or deliberately planned weaknesses, it can convince everyone that it’s not looking for backdoors.

    However, he repeatedly trips up in explaining why the government isn’t seeking some kind of “backdoor” – because every “not-a-backdoor” example described some kind of backdoor

    Apple or WhatsApp or Signal might know how to crack encrypted communications because they made the device or the software. Just don’t call that a backdoor, because the government says it’s not.

    He just wants businesses to help governments exploit vulnerabilities they know about.

    With that position worked out in Canberra, it’s no surprise that Prime Minister Malcolm Turnbull is practising the same semantic hair-splitting in his public statements.

    “Backdoors” are what the NSA does – all the government wants is to have encryption broken under due process, and encryption is somehow special to messaging platforms like WhatsApp or Signal or Telegram. In other words: Citizen Bloggs probably doesn’t know that messaging apps and platforms like Facebook or Twitter or Google use the same end-to-end encryption that protects Internet banking.

    Citizen Bloggs also doesn’t understand that the phone or laptop manufacturer didn’t write the SSL/TLS implementation that puts “HTTPS” at the start of a URL – and a compromise to SSL/TLS is a compromise to everything that uses it.

    Why should citizens need to know? Developers have spent more than two decades making encryption accessible to everyone to protect them from malice.

    The government can’t get around this by imposing its own definition of “backdoor”.

    Reply
  37. Tomi Engdahl says:

    The F-Secure Sense security router represents a new product category, one we will surely hear more about as smart devices proliferate.

    Sense is a device that combines a wireless (and wired) router, a traditional security program and cloud-based threat detection. In addition to the phones and computers on the network, it protects devices such as surveillance cameras, for which no separate security software exists.

    The device’s delay is not surprising, as its makers had two tasks at once: developing a new kind of product and making it simple enough for people other than themselves to use.

    The project’s scope has undoubtedly also stretched it out: F-Secure wanted Sense to launch with a full feature set, but has now called time, and some of the planned features will arrive in later updates.

    The device with a year of protection costs 199 euros. After that the subscription is €9.90 per month. If the subscription lapses, Sense works as a normal router without the security features.

    Installation has been made easy. You install the app on your phone, join the Sense network, and the wizard takes you through the rest; the router updates itself automatically. The whole process takes less than 10 minutes.

    The application is available for Windows computers, Android and iOS.

    F-Secure has decided that a single iOS or Android device acts as the network’s management device. The app offers views detailing the devices on the Sense network and allows, among other things, turning protection on and off and blocking individual devices.

    Unfortunately, protection cannot be adjusted per device, only for the whole network at once. For example, browsing protection, which stops devices from ending up on sites classified as dangerous, applies to all devices on the network at the same time.

    Colour codes indicate the severity of the threats the software detects. Notifications are shown only on the mobile device that manages the network: when Sense detects a threat, it notifies that device.

    The router can be connected either directly to a modem or other internet connection with a network cable, or joined to an existing network wirelessly. Sense always creates its own network, however, so you end up with two networks side by side. Because Sense’s network scanning covers only its own network, you have to take care that devices do not stray onto the wrong one.
    Sense creates both 2.4 and 5 GHz networks.
    Sense’s performance as a router is good. Connected to the gigabit interface, it delivered up to 256 Mbit/s in the same room.

    Sense’s browsing protection blocks access to websites F-Secure has listed as “bad”. This cannot be bypassed except by turning browsing protection off for the entire network.

    The Sense app does not yet have VPN protection, which creates a small practical problem in managing the network.

    In any case, Sense is a very promising product in a new category. As smart devices multiply we will hear more about this kind of gadget, and some have already appeared: Norton has released the comparable Core, and the Bitdefender Box is also on the market.

    Source: http://www.is.fi/digitoday/testit/art-2000005291056.html?ref=rss

    Reply
  38. Tomi Engdahl says:

    Border Patrol Says It’s Barred From Searching Cloud Data on Phones
    http://www.nbcnews.com/news/us-news/border-patrol-says-it-s-barred-searching-cloud-data-phones-n782416

    U.S. border officers aren’t allowed to look at any data stored only in the “cloud” — including social media data — when they search U.S. travelers’ phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News.

    Reply
  39. Tomi Engdahl says:

    Alexandra Ellerbeck / Committee to Protect Journalists:
    Recent US Senate report on leaks and national security used unscientific methodology, created false paradigm between national security and press freedom, more

    US Senate report on leaks and national security is deeply flawed
    https://cpj.org/blog/2017/07/us-senate-report-on-leaks-and-national-security-is-1.php

    Last week, Republicans on the Senate Committee on Homeland Security and Governmental Affairs released a report on leaks to the media. The report, which was led by Chairman Ron Johnson, asserts that “an avalanche” of leaks under the Trump Administration is harming national security. It lists at least 125 news articles and their bylines – meaning a group of Senators has publicized the names of over 100 reporters whom they allege have harmed U.S. national security.

    Reply
  40. Tomi Engdahl says:

    20 years-old Orpheus’ Lyre vulnerability in Kerberos fixed this week
    http://securityaffairs.co/wordpress/60989/hacking/orpheus-lyre-vulnerability.html

    A 20-year-old vulnerability in Kerberos, dubbed Orpheus’ Lyre, was patched this week in both Windows and Linux distributions.

    The flaw, tracked as CVE-2017-11103, was found in Heimdal, an open-source implementation of Kerberos. Just as the mythological Orpheus played his lyre with such grace that it lulled Cerberus to sleep, this issue can be used to bypass Kerberos.

    The issue could result in remote privilege escalation and credential theft, an attacker can trigger it to access the target network.

    Reply
  41. Tomi Engdahl says:

    Maria Armental / Wall Street Journal:
    Ruby Corp., Ashley Madison’s parent company, says it will pay $11.2M to some US users in data-breach class action suit, won’t admit wrongdoing

    Ashley Madison Parent Nears Settlement in Data-Breach Class-Action Suit
    Ruby Corp. to pay $11.2 million to compensate losses to some U.S. customers, won’t admit wrongdoing
    https://www.wsj.com/articles/ashley-madison-parent-nears-settlement-in-data-breach-class-action-suit-1500071644

    Reply
  42. Tomi Engdahl says:

    Globes Online:
    Deep Instinct raises $32M Series B from NVIDIA, others for its deep learning cybersecurity software that works on devices and does not require cloud connection — The Tel Aviv based startup says it is the first company to apply deep learning to cybersecurity.

    Cybersecurity co Deep Instinct raises $32m
    http://www.globes.co.il/en/article-israeli-cybersecurity-co-deep-instinct-raises-32m-1001196898

    Reply
  43. Tomi Engdahl says:

    How Security Pros Can Help Protect Patients from Medical Data Theft
    http://www.darkreading.com/attacks-breaches/how-security-pros-can-help-protect-patients-from-medical-data-theft/a/d-id/1329326

    The healthcare industry has been slow to address the dangers of hacking, and breaches are on the rise. Security pros must be more proactive in keeping people safe

    Most consumers are aware of the risks of online transactions, but far fewer are aware of how susceptible they are to medical identity theft — and the damage it could cause — leaving room for security professionals to help promote stronger anti-theft measures, and allowing hospitals to better manage breaches when and before they occur.

    Medical data is made up of test results and diagnoses, but it also includes Social Security numbers, dates of birth, contact information, and driver’s license numbers. Together, this information creates an online identity.

    Other industries are stepping up their games in terms of data security, so hackers coveting personal data have had to look elsewhere. And, with most health information held electronically and dating back years, the medical sector is a sitting duck. In 2016, there were 377 data breaches in the healthcare/medical industry — 34.5% of all data attacks. In 2017, there had already been 144 breaches by the middle of February. It appears that this trend is accelerating.

    According to Accenture’s research, breaches were most likely to occur in hospitals, followed by urgent-care clinics, pharmacies, physicians’ offices, and health insurers. Often, organizations are late to detecting a problem: half of U.S. consumers who experienced a breach discovered it themselves through an error on their credit card statement or benefits explanation. Only a third were alerted to the breach by the organization where it occurred, and just 15% were alerted by a government agency.

    Accenture research indicates that many affected consumers will take action. Affected respondents either changed healthcare providers (25%) or insurance plans (21%), or sought legal counsel (19%).

    It’s time for providers to take data theft more seriously, and for security professionals to recognize an opportunity to build greater trust between patients and healthcare entities.

    Reply
  44. Tomi Engdahl says:

    Exclusive: Japan’s plan to boost cybersecurity before the 2020 Olympics
    https://govinsider.asia/innovation/william-saito-japan-cybersecurity-talent-tokyo-2020-olympics/

    Interview with William Saito, Special Advisor to the Cabinet Office of Japan.

    13 JUL 2017

    Japan is a high-tech haven, but has more to do on cybersecurity.

    The government has found that “34% of Japanese business executives do not consider cybersecurity as part of their business challenges”.

    “The World Economic Forum has a statistic that shows that Japan is the country that most lacks IT and cybersecurity talent,” says William Saito, special technology adviser to the Prime Minister of Japan. “We have an Olympics coming up in three years, so it’s urgent.”

    Reply
  45. Tomi Engdahl says:

    Dean Takahashi / VentureBeat:
    New line of IBM Z mainframes offers pervasive, full-time encryption to hinder data breaches

    IBM Z mainframe brings end-to-end encryption to all your data
    https://venturebeat.com/2017/07/16/ibm-z-mainframe-brings-end-to-end-encryption-to-all-your-data/

    Big Blue announced that its latest IBM Z mainframe computer will be able to encrypt all of the data in an enterprise all of the time, bringing encryption to everything from cloud services to databases. The IBM Z can run more than 12 billion encrypted transactions per day.

    This kind of encryption makes sense for security, but it wasn’t done in the past because it is very expensive to do and takes a lot of computing cycles. It represents IBM’s response to the problem of data breaches and enterprise compliance. The company noted that, in 2016, more than 4 billion data records were compromised, a 556 percent increase over 2015. Of the 9 billion records breached the past 5 years, only 4 percent were encrypted.

    Reply
  46. Tomi Engdahl says:

    Karen DeYoung / Washington Post:
    US intel officials say UAE orchestrated hacking of Qatar News Agency and social media sites in late May to plant false statements, sparking regional crisis
    http://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html

    Reply
  47. Tomi Engdahl says:

    Security Researchers Don’t Think Apple Pays Enough for Bug Bounties
    https://www.macrumors.com/2017/07/06/apple-bug-bounties-dont-pay-enough/

    Apple’s bug bounty program has been available to select security researchers for almost a year now, but according to a new report from Motherboard, most researchers prefer not to share bugs with Apple due to low payouts. More money can be obtained from third-party sources for bugs in Apple software.

    Reply
  48. Tomi Engdahl says:

    Alexandria Arnold / Bloomberg:
    A startup named CoinDash halts its ICO, saying a hacker stole $7M by simply changing the ethereum address on its site that was intended to receive ICO funds — Social trading platform tells investors to stop sending money — Token sale garnered $6.4 million from early participants

    CoinDash Says Hacker Stole $7 Million at Initial Coin Offering
    https://www.bloomberg.com/news/articles/2017-07-17/coindash-says-hacker-stole-7-million-at-initial-coin-offering

    CoinDash, a blockchain technology startup that bills itself as a social-trading platform, said that its website was hacked Monday and $7 million was stolen from investors trying to participate in the company’s initial coin offering.

    Investors had been instructed to pay with ethereum and send funds to the token sale’s smart contract address. In an email, CoinDash said it appeared that the sending address was hacked and changed to a fraudulent address.

    The company doesn’t know who is responsible for the attack, which is still ongoing, according to a statement on its website.

    https://www.coindash.io/

    Reply
