Security trends 2017

Year 2017 will not bring any turn towards better data security. The internet is rife with well-known threats as well as unknown ones, and companies’ systems are supposed to be protected against both. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.

Critical infrastructure comes under attack in 2017. Critical infrastructure must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.

There is a push for better web security in 2017. Starting on New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.

SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 from that date on, and will mark those websites as insecure. One third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come, because some people are lazy enough not to make the change.

There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.

The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for them. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in place for cyber attacks. Last year, the percentage was zero.

Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware attacks and will be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.

Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face detection and three per cent iris detection.

Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population have fingerprints that are not suitable for biometric identification. Other biometric identification systems have similar limitations and/or are not yet commonly available at a reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay, until circa 2030.

The fight over encryption and backdoors into it is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in its latest report. The problem is that any system allowing police to get into encrypted systems (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.

Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud is becoming insecure through extortion and IoT openings.

The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world, and as the number of devices online grows, the volume and velocity of these attacks keep increasing. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers, which increases the need to rely on telecom operators and external services. In addition to disrupting service, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.

In 2017, IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.

In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.

Cyber insurance will increasingly be considered as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

In 2017 Big Brother will be watching you 24/7. Those of you who’ve read George Orwell’s book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of what is a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it’s set to become a reality in many countries.

Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, meaning they’d never have to worry about being hacked. When you consider that 87 per cent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.

Security Becomes A Multi-System Issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.

Block chains have been a big trend for several years. The block chain market is fragmented as 2017 starts. During the autumn of 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen the Ethereum block chain as a platform and offers it in the Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and offers its own block chains in the Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the cloud used for block chains.


Other prediction articles worth a look:

What Lies Ahead for Cybersecurity in 2017?

Network Infrastructure, Visibility and Security in 2017

DDoS in 2017: Strap yourself in for a bumpy ride

Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online

IBM’s Cybersecurity Predictions for 2017 – eForensics

https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/

Top 5 Cybersecurity Threats to Watch Out for in 2017

Experts Hopeful as Confidence in Risk Assessment Falls


3,151 Comments

  1. Tomi Engdahl says:

    Mortgage Phishing Scams Target Big Payouts
    http://www.securityweek.com/mortgage-phishing-scams-target-big-payouts

    Over the last few years, business email compromise (BEC) scams have rocketed — costing victims $1.45 billion in 2016 alone (FBI report). Now a new related threat has emerged — the mortgage phishing scam — that seems likely to follow a similar trajectory.

    It is early days and the scam — like BEC in its early days — goes by various names: mortgage phish, mortgage escrow scam, real estate wire transfer scam, and mortgage wiring scam. But it is growing. In June 2017, during National Homeownership Month, the FTC issued a warning: “the FTC and the National Association of Realtors want to remind you that scammers sometimes use emails to rob home buyers of their closing costs and personal information.”

    FBI: $1.45 Billion in Losses to Internet Crime Reported in 2016
    http://www.securityweek.com/fbi-145-billion-losses-internet-crime-reported-2016

    Reply
  2. Tomi Engdahl says:

    ICS-CERT Warns of CAN Bus Vulnerability
    http://www.securityweek.com/ics-cert-warns-can-bus-vulnerability

    The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert on Friday to warn relevant industries about a vulnerability affecting the Controller Area Network (CAN) bus standard.

    CAN is a high-reliability serial bus communications standard. It’s present in most modern cars – it allows various components of a vehicle to communicate with each other – and it’s also used in the healthcare and other sectors.

    A team of Italian researchers published a paper last year describing various CAN weaknesses and an attack method that can be leveraged for denial-of-service (DoS) attacks. They also published a proof-of-concept (PoC) exploit and a video showing how they managed to exploit the flaw to disable the parking sensors on a 2012 Alfa Romeo Giulietta.

    A Stealth, Selective, Link-layer Denial-of-Service Attack Against Automotive Networks
    https://www.politesi.polimi.it/bitstream/10589/126393/1/tesi_palanca.pdf

    Reply
  3. Tomi Engdahl says:

    The Dark Arts – Remote File Inclusion
    http://hackaday.com/2017/07/31/the-dark-arts-remote-file-inclusion/

    In the waning hours of 2010, a hacking group known as Lulzsec ran rampant across the Internet, leaving a path of compromised servers, a trail of defaced home pages, leaked emails, and login information in their wake. They were eventually busted via human error, with the leader of the group becoming an FBI informant.

    In this Dark Arts series, we have taken a close look at the primary techniques the Lulzsec hackers used to gain illegal access to servers. We’ve covered two of them – SQL injection (SQLi) and cross-site scripting (XSS). In this article, we’ll go over the final technique called remote file inclusion (RFI).

    RFI attacks are not as well-known as their SQLi and XSS counterparts. However, it’s a very effective way to get malicious code to run on a vulnerable target server. It works by including a remote file in an HTTP request. Its basic form is to append a URL to include a file from a remote server.

    As you see, the attack is simple enough to construct a program that can look for pages that are susceptible to RFI, and then run code to extract information from the vulnerable server. And that’s exactly what happened in the early part of the decade.

    Fortunately it is relatively trivial to stop RFI attacks. The absolute best way is to go into your php.ini file and set allow_url_fopen and allow_url_include to off.

    They should be off by default if you keep your server updated, but check anyway. Another way is to sanitize the inputs, much in the same way you would to prevent SQLi.

    Reply
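As an added example (not code from the Hackaday article), a small php.ini audit that reports whether the two directives named above are effectively enabled; the ini texts are constructed samples. Stock PHP defaults allow_url_include to Off but allow_url_fopen to On, so the check applies those defaults when a directive is not set at all.

```python
"""Audit php.ini for the two directives that control remote file inclusion.

Added example: parse a php.ini-style text and report whether
allow_url_fopen / allow_url_include are effectively enabled.
"""

RFI_DIRECTIVES = ("allow_url_fopen", "allow_url_include")

# php.ini spellings of unquoted boolean values (case-insensitive).
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}

# Stock PHP defaults when a directive is absent from php.ini.
_DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}


def parse_php_ini(text):
    """Return {directive: raw_value} for a php.ini-style text.

    ';' starts a comment, [section] headers are skipped, and a later
    assignment overrides an earlier one (last one wins, as in PHP).
    Quoted values containing ';' are not handled (simplification).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def ini_bool(value):
    """Interpret a php.ini boolean value; raise on anything unrecognised."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a php.ini boolean: {value!r}")


def rfi_exposure(text):
    """Return {directive: enabled} for the RFI-relevant directives,
    falling back to PHP's stock default when a directive is unset."""
    settings = parse_php_ini(text)
    return {
        d: ini_bool(settings[d]) if d in settings else _DEFAULTS[d]
        for d in RFI_DIRECTIVES
    }


def is_rfi_hardened(text):
    """True only when both remote-URL directives are off."""
    return not any(rfi_exposure(text).values())


# Constructed sample: the weak configuration the article warns about.
WEAK_INI = """\
; constructed sample, not a real server's php.ini
[PHP]
engine = On
allow_url_fopen = On        ; remote streams allowed in fopen()/file_get_contents()
allow_url_include = On      ; include()/require() may load a remote URL
"""

# Constructed sample: the corrected configuration.
HARDENED_INI = """\
[PHP]
engine = On
allow_url_fopen = Off
allow_url_include = Off
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, rfi_exposure(ini), "hardened" if is_rfi_hardened(ini) else "EXPOSED")
```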
  4. Tomi Engdahl says:

    Man-Machine Teamwork Needed for Effective Threat Hunting: Report
    http://www.securityweek.com/man-machine-teamwork-needed-effective-threat-hunting-report

    Seven hundred IT and security professionals were surveyed by McAfee to understand the current state and future development of threat hunting — the active search for existing network breaches.

    For this purpose, a threat hunter is defined as an analyst who focuses on clues and hypotheses (rather than waiting for binary alerts from rule-based detections); is human-centric (rather than tool-centric); and works from the assumption of an existing breach. The hunting process is defined as the military OODA concept: observe, orient, decide, act.

    Level 1 hunters operate largely on an ad hoc basis; for level 2 hunters it is an organized process; but for the most successful hunters at level 4, it is a mix of both.

    Looking to improve their maturity, the top four strategies overall are better automation of threat hunting processes, increased use of data analytics, hiring of more experienced employees, and more precise diagnostic tools. Noticeably, and perhaps naturally, the lower level SOCs place hiring staff as the priority, followed by improved use of data analytics. Level 3, which is probably better staffed by definition, seeks first better automation and second increased analytics.

    https://www.mcafee.com/us/resources/reports/rp-disrupting-disruptors.pdf

    Reply
  5. Tomi Engdahl says:

    Putin bans VPNs to stop Russians accessing prohibited websites
    http://www.reuters.com/article/us-russia-internet-idUSKBN1AF0QI

    MOSCOW (Reuters) – President Vladimir Putin has signed a law that prohibits technology that provides access to websites banned in Russia, the government’s website showed on Sunday.

    The law, already approved by the Duma, the lower house of parliament, will ban the use of virtual private networks (VPNs) and other technologies, known as anonymizers, that allow people to surf the web anonymously. It comes into force on Nov. 1.

    Reply
  6. Tomi Engdahl says:

    It is easy to expose users’ secret web habits, say researchers
    http://www.bbc.com/news/technology-40770393

    Reply
  7. Tomi Engdahl says:

    A Hacker Turned an Amazon Echo Into a ‘Wiretap’
    https://www.wired.com/story/amazon-echo-wiretap-hack

    Every good paranoiac sees an always-listening device like an Amazon Echo as a potential spy sitting in plain sight. Now one security researcher has shown exactly how fine the line is between countertop computer and surveillance tool. With just a few minutes of hands-on time, a hacker could turn an Echo into his or her personal eavesdropping microphone without leaving any physical trace.

    On Tuesday, British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his own proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it only works on devices sold before 2017. But there’s no software fix for older devices, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion.

    “We present a technique for rooting an Amazon Echo and then turning it into a ‘wiretap’,”

    The method takes advantage of a physical security vulnerability Amazon left in its pre-2017 Echo units: Remove the rubber base of the device, and underneath hides a small grid of tiny metal pads that act as connections into its internal hardware, likely used for testing and fixing bugs in the devices before they were sold.

    Reply
  8. Tomi Engdahl says:

    YouTube Blog:
    YouTube details additional steps to tackle terrorist content, including machine learning-based detection, consultation with wider panel of experts, more

    An update on our commitment to fight terror content online
    http://youtube.googleblog.com/2017/08/an-update-on-our-commitment-to-fight.html

    A little over a month ago, we told you about the four new steps we’re taking to combat terrorist content on YouTube: better detection and faster removal driven by machine learning, more experts to alert us to content that needs review, tougher standards for videos that are controversial but do not violate our policies, and more work in the counter-terrorism space. We wanted to give you an update on these commitments:

    Better detection and faster removal driven by machine learning: We’ve always used a mix of technology and human review to address the ever-changing challenges around controversial content on YouTube. We recently began developing and implementing cutting-edge machine learning technology designed to help us identify and remove violent extremism and terrorism-related content in a scalable way.

    More experts: Of course, our systems are only as good as the data they’re based on. Over the past weeks, we have begun working with more than 15 additional expert NGOs and institutions

    Tougher standards: We’ll soon be applying tougher treatment to videos that aren’t illegal but have been flagged by users as potential violations of our policies on hate speech and violent extremism.

    Early intervention and expanding counter-extremism work: We’ve started rolling out features from Jigsaw’s Redirect Method to YouTube. When people search for sensitive keywords on YouTube, they will be redirected towards a playlist of curated YouTube videos that directly confront and debunk violent extremist messages.

    Reply
  9. Tomi Engdahl says:

    ‘Real People’ Don’t Need End-To-End Encryption In Their Messaging Apps, UK Home Secretary Says
    https://news.slashdot.org/story/17/08/01/1924247/real-people-dont-need-end-to-end-encryption-in-their-messaging-apps-uk-home-secretary-says

    UK home secretary Amber Rudd has called on messaging apps like WhatsApp to ditch end-to-end encryption, arguing that it aids terrorists. From a report:
    The major technology companies must step up their fight against extremism or face new laws, the home secretary has told the BBC. Amber Rudd said technology companies were not doing enough to beat “the enemy” on the internet. Encryption tools used by messaging apps had become a “problem,” she added. Ms Rudd is meeting with representatives from Google, Facebook, Twitter, Microsoft and others at a counter-terrorism forum in San Francisco.

    Real people often prefer ease of use and a multitude of features to perfect, unbreakable security … Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and ‘usability,’ and it is here where our experts believe opportunities may lie.

    Message encryption a problem – Rudd
    http://www.bbc.com/news/technology-40788180

    The major technology companies must step up their fight against extremism or face new laws, the home secretary has told the BBC.

    Amber Rudd said technology companies were not doing enough to beat “the enemy” on the internet.

    Encryption tools used by messaging apps had become a “problem”, she added.

    In a joint statement, the companies taking part said they were co-operating to “substantially disrupt terrorists’ ability to use the internet in furthering their causes, while also respecting human rights”.

    WhatsApp must not be ‘place for terrorists to hide’
    Euro MPs back end-to-end encryption for all citizens
    Australian PM seeks access to encrypted messages

    Ms Rudd is expected to tell companies that extremists should not be allowed to upload content at all.

    “That’s what we’re really trying to achieve,” she told the BBC.

    Reply
  10. Tomi Engdahl says:

    White House Officials Tricked By Email Prankster
    https://yro.slashdot.org/story/17/08/01/1448209/white-house-officials-tricked-by-email-prankster?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    A self-described “email prankster” in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official’s private email address unsolicited.

    White House officials tricked by email prankster
    http://edition.cnn.com/2017/07/31/politics/white-house-officials-tricked-by-email-prankster/

    Bossert wrote back: “Thanks, Jared. With a promise like that, I can’t refuse. Also, if you ever need it, my personal email is” (redacted).

    White House officials acknowledged the incidents and said they were taking the matter seriously. “We take all cyber related issues very seriously and are looking into these incidents further,” White House press secretary Sarah Huckabee Sanders told CNN.

    Reply
  11. Tomi Engdahl says:

    ‘App DDoS bombs’ that slam into expensive APIs worry Netflix
    Attackers can look legit while hitting APIs that make the most work for an app
    https://www.theregister.co.uk/2017/08/01/application_ddos/

    Netflix has identified a denial of service threat to microservices architectures that it’s labelled “application DDoS”.

    Traditional DDoS attacks flood networks with bogus traffic so that infrastructure runs out of resources to serve legitimate users. Netflix characterises an application DDoS attack as one in which attackers “focus on expensive API calls, using their complex interconnected relationships to cause the system to attack itself.”

    Netflix’s Scott Behrens and Bryan Payne describe a scenario in which attackers figure out which API calls create the most work inside an application, then send plenty of requests to that API.

    “A single request at the edge can fan out into thousands of requests for the middle tier and backend microservices,”

    The pair say the potential for application DDoS is caused in part by web application firewalls not being aware of the potential impact of mass API calls. Traffic crafted to look legitimate, but maliciously targeting the APIs that make the most work, could therefore have very nasty consequences.

    Reply
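An added example (not Netflix’s code) of the detection logic the article’s point implies: weighting each request by the fan-out cost of the endpoint it hits, so a client with a modest request count on expensive APIs stands out where a plain request-rate limit would not. The endpoint cost table, log format and client addresses are constructed assumptions.

```python
"""Cost-weighted detection of 'application DDoS' traffic.

Added example: a client whose raw request rate looks normal can still drive
a huge backend fan-out by hitting the most expensive API calls. Instead of
counting requests per client, weight each request by the (assumed) number of
downstream calls the endpoint fans out into, and compare the per-client total
inside a time window with a budget.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed fan-out cost per edge endpoint (hypothetical numbers): roughly how
# many middle-tier/backend requests one edge call turns into.
FANOUT_COST = {
    "/api/v1/health": 1,
    "/api/v1/profile": 5,
    "/api/v1/search": 400,
    "/api/v1/recommendations": 1200,
}
DEFAULT_COST = 10  # unknown endpoints get a conservative middle value


def parse_line(line):
    """Parse one constructed edge-log line:
    '<ISO-8601 timestamp>Z <client ip> <method> <path> <status>'."""
    ts, client, _method, path, _status = line.split()
    when = datetime.fromisoformat(ts.rstrip("Z"))
    return when, client, path, FANOUT_COST.get(path, DEFAULT_COST)


def max_window_cost(events, window):
    """Sliding-window maximum of summed cost for one client.

    events: [(datetime, cost)] sorted by time. Returns (cost, request_count)
    for the heaviest window of the given length.
    """
    best = (0, 0)
    start, running = 0, 0
    for end, (t, cost) in enumerate(events):
        running += cost
        while events[start][0] < t - window:  # drop events older than the window
            running -= events[start][1]
            start += 1
        if running > best[0]:
            best = (running, end - start + 1)
    return best


def summarize(log_text, window_seconds=60):
    """Per-client (heaviest window cost, requests in that window)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, client, _path, cost = parse_line(line)
            per_client[client].append((when, cost))
    window = timedelta(seconds=window_seconds)
    return {c: max_window_cost(sorted(ev), window) for c, ev in per_client.items()}


def flag_clients(log_text, budget, window_seconds=60):
    """Clients whose weighted cost in some window exceeds the budget."""
    return {c: v for c, v in summarize(log_text, window_seconds).items() if v[0] > budget}


def constructed_log():
    """Constructed sample traffic (not captured data)."""
    base = datetime(2017, 8, 1, 10, 0, 0)
    lines = []
    # Chatty but cheap client: 40 requests in 40 s, mostly health checks.
    for i in range(40):
        path = "/api/v1/profile" if i % 4 == 0 else "/api/v1/health"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}Z 198.51.100.20 GET {path} 200")
    # Quiet but expensive client: 6 requests in 30 s to the costliest endpoint.
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()}Z 203.0.113.7 GET /api/v1/recommendations 200")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, (cost, n) in summarize(constructed_log()).items():
        print(f"{client}: {n} requests, weighted cost {cost}")
    print("flagged:", flag_clients(constructed_log(), budget=5000))
```

A request-count limit would rank the health-check client as the noisier one; the weighted view flags the six-request client instead.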
  12. Tomi Engdahl says:

    McAfee online scan used plain old HTTP to fetch screen elements
    38 lines of code later, you’re owned. Good thing the fix is in, eh?
    https://www.theregister.co.uk/2017/08/01/mcafee_online_scan_insecure/

    McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text.

    The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI design elements it serves.

    A SecuriTeam-penned advisory on the problems notes that the tool “retrieves promotional and UI design information from different mcafee.com domains and displays them to the user, typically in the main application window.”

    Reply
  13. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Senators debut a bill requiring IoT devices sold to government are patchable and conform to basic security best practices, like avoiding hard-coded passwords

    New Bill Seeks Basic IoT Security Standards
    http://krebsonsecurity.com/2017/08/new-bill-seeks-basic-iot-security-standards/

    Lawmakers in the U.S. Senate today introduced a bill that would set baseline security standards for the government’s purchase and use of a broad range of Internet-connected devices, including computers, routers and security cameras. The legislation, which also seeks to remedy some widely-perceived shortcomings in existing cybercrime law, was developed in direct response to a series of massive cyber attacks in 2016 that were fueled for the most part by poorly-secured “Internet of Things” (IoT) devices.

    The IoT Cybersecurity Improvement Act of 2017 seeks to use the government’s buying power to signal the basic level of security that IoT devices sold to Uncle Sam will need to have. For example, the bill would require vendors of Internet-connected devices purchased by the federal government make sure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that vendors ensure the devices are free from known vulnerabilities when sold.

    The bill’s provisions would seem to apply to virtually any device that has an Internet connection and can transmit data. Under the proposal, an IoT device has a fairly broad definition, being described as “a physical object that is capable of connecting to and is in regular connection with the Internet;” and one that “has computer processing capabilities that can collect, send or receive data.”

    Specifically, the bill would “exempt cybersecurity researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when in engaged in research pursuant to adopted coordinated vulnerability disclosure guidelines,” according to a statement released by Sen. Warner (link added).

    The measure also directs the Department of Homeland Security to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. government.

    Reply
  14. Tomi Engdahl says:

    Tools for a Safer PC
    http://krebsonsecurity.com/tools-for-a-safer-pc/

    An important aspect of securing any system is the concept of “defense-in-depth,” or having multiple layers of security and not depending on any one approach or technology to block all attacks. Here are some links to tools and approaches that I have found useful in stopping malware from invading a PC. Your mileage may vary.

    Reply
  15. Tomi Engdahl says:

    The Scrap Value of a Hacked PC, Revisited
    https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

    a chart listing the various ways that miscreants can monetize hacked PCs. The project was designed to explain simply and visually to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC.

    recently updated the graphic to include some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks — such as ransomware — and reputation hijacking on social networking forums.

    nearly every aspect of a hacked computer and a user’s online life can be and has been commoditized. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetize it. I haven’t yet found an exception to this rule.

    Reply
  16. Tomi Engdahl says:

    Can a Nation Attack a Company?
    http://blog.dilbert.com/post/163603161786/can-a-nation-attack-a-company#_=_

    North Korea keeps testing missiles that can reach the United States. China could turn off trade with North Korea, and effectively force them to stop, but that isn’t happening. Why the hell not?

    A story in Newsweek says the bulk of Chinese trade with North Korea involves just ten Chinese companies. The working assumption is that those ten companies are so “connected” and powerful that even the Chinese government can’t influence them, or might not want to try.

    Fair enough. That makes the government of China common observers in this drama. Embarrassing for them.

    But those ten companies are certainly our enemies. I’d say those ten companies are fair game for a cyberattack, a financial attack, competitive attack, and any other kind of non-military attack we can mount.

    Reply
  17. Tomi Engdahl says:

    Getting Data Out Of Air-Gapped Networks Through The Power Cable
    http://hackaday.com/2017/08/01/getting-data-out-of-air-gapped-networks-through-the-power-cable/

    If you are an organisation that is custodian of sensitive information or infrastructure, it would be foolhardy of you to place it directly on the public Internet. No matter how good your security might be, there is always the risk that a miscreant could circumvent it, and perform all sorts of mischief. The solution employed therefore is to physically isolate such sensitive equipment from the rest of the world, creating an air gap. Nothing can come in and nothing can go out, or so goes the theory.

    Well, that’s the theory, anyway. [Davidl] sends us some work that punches a hole in some air-gapped networks, allowing low-speed data to escape the air gap even if it doesn’t allow the reverse.

    So how is this seemingly impossible task performed? The answer comes through the mains electrical infrastructure, if the air gap is bridged by a mains cable then the load on that mains cable can be modulated by altering the work undertaken by a computer connected to it. This modulation can then be detected with a current transformer, or even by compromising a UPS or electricity meter outside the air gap.

    Data Exfiltration from air gapped systems using power line communication
    https://pushstack.wordpress.com/2017/07/24/data-exfiltration-from-air-gapped-systems-using-power-line-communication/

    To prove this attack actually works a small proof-of-concept implementation was written. For this POC BPSK modulation is used with a configurable carrier frequency and baud rate. All tools have been developed and tested on Linux.

    The tools are available for download on Github

    The sending side consists of a POSIX C program that generates a carrier with a phase shift dependent on the symbol to send. To generate the carrier a POSIX interval timer is used. Multiple threads are used to generate load on the various processor cores. Each load generating thread constantly locks and unlocks a mutex in an endless loop. To stop generating load the controlling thread will lock all mutexes. This causes the load generating threads to sleep till the mutexes are unlocked again.

    Data is packed in a simple packet format with preamble and length prepended. This is done to allow the receiver to identify which phase represents a ‘1’ and which is a ‘0’, i.e., to overcome the twofold phase ambiguity introduced by PSK modulation.

    The program allows the carrier frequency and carrier periods per bit to be configured. This means that the carrier will always be an integer multiple of the baud rate.

    It was found that to get the best signal the Linux performance governor has to be set to performance.

    At the receiving end a split-core current transformer is used, connected to a sound card with a small resistor to dampen the signal and prevent clipping. The sound card is sampled at 48 kHz and downsampled to 2 kHz using the sox program.

    In the first test a fixed baud rate of 6 baud was used.

    The test results show that there are big differences between the tested machines.

    UPS based receiver

    Similar tests as above were run with an APC Back-UPS RS 500 uninterruptible power supply as signal receiver. This UPS has a management port that connects to a computer as a USB HID device. The UPS allows reading out the UPS load in percent of the maximum load.

    The fixed baud rate test shows that with the Dell PowerEdge 1950 it is possible to get reliable communication. The other machines however were almost unable to communicate.

    In this POC modulating the CPU load was used to generate electric load.

    Alternative methods of generating electric load exist but have not been tested.

    This attack has four important prerequisites:

    Malware infection of air gapped system
    Way to influence system power usage
    A way to measure current or power on a power line
    Not too much noise on the power line

    Reply
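    As an added, defender-side example (not part of the linked write-up or its tools), the script below constructs a one-second current-draw trace like the one the receiver samples at 2 kHz, with an assumed 50 Hz mains component plus a BPSK-modulated load at 240 Hz and 6 baud, and scans it for an unexpected narrowband component away from the mains harmonics, which is the signature someone monitoring the supply of an isolated segment would look for. It uses band power rather than a single spectral bin because PSK spreads the energy over about plus or minus the baud rate and, for balanced data, can cancel the carrier bin itself.

```python
import math
import random

SAMPLE_RATE = 2000     # Hz: the write-up downsamples the sound-card feed to 2 kHz
MAINS_HZ = 50          # assumed mains frequency of the constructed trace
BAND_HALF_WIDTH = 8    # Hz: wide enough to hold the main lobe of a PSK signal at a few baud
MAINS_GUARD_HZ = 3     # bins this close to a mains harmonic are ignored


def constructed_current_trace(bits, carrier_hz=240, baud=6, seconds=1.0,
                              carrier_amp=0.3, noise_sigma=0.2, seed=7):
    """Constructed current-draw trace: a 50 Hz mains draw plus Gaussian noise.

    If `bits` is non-empty, a BPSK-modulated component is superimposed: the
    carrier's sign flips with each data bit, mimicking a load that a process
    switches in step with a carrier. An empty `bits` gives a clean trace.
    """
    rng = random.Random(seed)
    trace = []
    for k in range(int(SAMPLE_RATE * seconds)):
        t = k / SAMPLE_RATE
        sample = math.cos(2 * math.pi * MAINS_HZ * t)
        if bits:
            bit = bits[int(t * baud) % len(bits)]
            phase = math.pi if bit else 0.0
            sample += carrier_amp * math.cos(2 * math.pi * carrier_hz * t + phase)
        trace.append(sample + rng.gauss(0.0, noise_sigma))
    return trace


def goertzel_power(x, freq_hz):
    """Normalised spectral power of x at one frequency (Goertzel recursion).

    For a sinusoid of amplitude A on a bin centre this returns (A / 2) ** 2."""
    n = len(x)
    w = 2.0 * math.pi * freq_hz / SAMPLE_RATE
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for v in x:
        s = v + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return (s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2) / (n * n)


def band_power_scan(trace, mains_hz=MAINS_HZ):
    """Power in every +/- BAND_HALF_WIDTH band across the spectrum.

    Bins near mains harmonics are masked. Band power, not single-bin power,
    is used because PSK spreads the energy over about +/- baud around the
    carrier and, for balanced data, nearly cancels the carrier bin itself.
    """
    nyquist = SAMPLE_RATE // 2
    per_bin = {}
    for f in range(1, nyquist):
        nearest_harmonic = round(f / mains_hz) * mains_hz
        if abs(f - nearest_harmonic) <= MAINS_GUARD_HZ:
            continue
        per_bin[f] = goertzel_power(trace, f)
    bands = {}
    for centre in range(BAND_HALF_WIDTH + 1, nyquist - BAND_HALF_WIDTH):
        bands[centre] = sum(per_bin.get(f, 0.0)
                            for f in range(centre - BAND_HALF_WIDTH,
                                           centre + BAND_HALF_WIDTH + 1))
    return bands


def detect_covert_carrier(trace, ratio_threshold=20.0):
    """Return (centre_hz, peak_to_median_ratio) for the strongest band if it
    stands out from the median band power by `ratio_threshold`, else None."""
    bands = band_power_scan(trace)
    ordered = sorted(bands.values())
    median = ordered[len(ordered) // 2]
    centre, peak = max(bands.items(), key=lambda kv: kv[1])
    if median <= 0.0:
        return None
    ratio = peak / median
    return (centre, ratio) if ratio >= ratio_threshold else None


if __name__ == "__main__":
    # Balanced bits: the 240 Hz bin nearly cancels, yet the band still stands out.
    for label, bits in (("clean", []), ("modulated", [1, 0, 1, 1, 0, 0])):
        print(label, detect_covert_carrier(constructed_current_trace(bits)))
```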
  18. Tomi Engdahl says:

    Power line communication through processor load modulation
    https://github.com/dimhoff/powercom

    Reply
  19. Tomi Engdahl says:

    Iran-Linked Hackers Use “Mia Ash” Honey Trap to Compromise Targets
    http://www.securityweek.com/iran-linked-hackers-use-mia-ash-honey-trap-compromise-targets

    A threat group said to be associated with Iranian government-directed cyber operations is believed to be operating a fake online persona to target organizations in the Middle East with malware, SecureWorks researchers say.

    Known as COBALT GYPSY or TG-2889, the threat group was previously associated with various campaigns, including Shamoon attacks, which were apparently orchestrated by multiple groups working together.

    Phishing campaigns observed in early 2017, aimed at entities in the Middle East and North Africa (MENA) with a focus on Saudi Arabian organizations, that used the PupyRAT open-source remote access Trojan have also been associated with COBALT GYPSY, SecureWorks says.

    These likely unsuccessful campaigns were followed by “highly targeted spearphishing and social engineering attacks” from an entity using the online persona Mia Ash.

    Reply
  20. Tomi Engdahl says:

    Amazon Suspends Sales of BLU Smartphones Over Security, Privacy Concerns
    http://www.securityweek.com/amazon-suspends-sales-blu-smartphones-over-security-privacy-concerns

    Amazon has suspended the sale of BLU Android smartphones after learning that there might be a potential security issue on select devices.

    The giant online retailer has decided to make the BLU phones unavailable on its website despite their great popularity after Kryptowire security researchers revealed at the Black Hat conference last week that some devices gather a great deal of sensitive information and send it to servers in China.

    Reply
  21. Tomi Engdahl says:

    Indonesia to Deport 153 Chinese for $450 Million Scam
    http://www.securityweek.com/indonesia-deport-153-chinese-450-million-scam

    Indonesia will deport 153 Chinese nationals arrested for alleged involvement in a multimillion-dollar cyber fraud ring targeting wealthy businessmen and politicians in China, police said Tuesday.

    The syndicate, who ran their operation from abroad to avoid detection by Chinese officials but did not target any victims in their host country, made around six trillion rupiah ($450 million) since beginning operations at the end of 2016, Indonesian police said.

    Reply
  22. Tomi Engdahl says:

    Malware Attack Disrupts Merck’s Worldwide Operations
    http://www.securityweek.com/malware-attack-disrupts-mercks-worldwide-operations

    American pharmaceutical giant Merck revealed in its financial results announcement for the second quarter of 2017 that a recent cyberattack has disrupted its worldwide operations, including manufacturing, research and sales.

    While Merck has not provided details about the incident in its financial report, the June 27 attack referenced by the company is most likely the NotPetya malware outbreak that affected tens of thousands of systems in more than 65 countries. Many of the victims were located in Ukraine, the home of a tax software firm whose product was used as the main attack vector.

    Researchers initially believed NotPetya (aka PetrWrap, exPetr, GoldenEye and Diskcoder.C) was a piece of ransomware, similar to WannaCry. However, a closer analysis revealed that it was actually a wiper and it was unlikely that victims could recover their files, even if they paid the ransom.

    Reply
  23. Tomi Engdahl says:

    Saving face: Facebook wants access without limits
    https://www.publicintegrity.org/2017/07/31/21027/saving-face-facebook-wants-access-without-limits?utm_source=Watchdog&utm_campaign=cdcfe50455-EMAIL_CAMPAIGN_2017_06_26&utm_medium=email&utm_term=0_ffd1d0160d-cdcfe50455-102383385&mc_cid=cdcfe50455&mc_eid=a9eedfa4a0

    Social network giant lobbies to prevent state limits on facial recognition

    Facebook is working on advanced facial recognition technology to identify users by creating digital faceprints. The company has begun lobbying state legislatures feverishly to protect its investments in the technology.

    Reply
  24. Tomi Engdahl says:

    Kevin Collier / Gizmodo:
    DEF CON hackers find unencrypted data of 650K Tennessee voters, including names, addresses, political affiliation, on a decommissioned poll machine sold on eBay

    Personal Info of 650,000 Voters Discovered on Poll Machine Sold on Ebay
    http://gizmodo.com/personal-info-of-650-000-voters-discovered-on-poll-mach-1797438462

    When 650 thousand Tennesseans voted in the Memphis area, they probably didn’t expect their personal information would eventually be picked apart at a hacker conference at Caesars Palace Las Vegas.

    The strength of the US voting system, according to former FBI director James Comey, is that it’s “clunky”—every state and often every district can choose its own setup and whether to use paper or electronic machines. And there are over a dozen different manufacturers supplying voting machines to electoral districts. While that clunkiness helps prevent large-scale voter hacking, it provides more opportunities for hackers to access polling data.

    When US government workers decommission old voting equipment and auction them off to the public, they’re supposed to wipe voter information from the device’s memory.

    Election Systems and Software (ES&S), which makes the ExpressPoll-5000, is one of the most popular e-poll book manufacturers in the country.

    After being sold at government auction, many machines are later resold, often for a few hundred dollars. Harri Hursti, a voting machine expert who famously found a critical flaw in Diebold voting systems, helped coordinate the machines’ purchase for the conference by scouring eBay. The one seller he visited in person before buying had filled an entire warehouse with voting machines bought at auction, he said.

    Anyone with access to such a device—whether on Election Day or while playing with an ExpressPoll-5000 at home—would need only moderate computer skills to check for those records. They’re stored on a removable memory card. Anyone who pulls out the drive and reads the memory card with their computer will see the drive’s contents, including the giant database of personal records, if it hasn’t been wiped.

    “It’s just on the drive,” Palmer said. “There was no password on it.” ES&S “could have encrypted it,” to at least give a baseline protection for voters, Palmer said. “They chose not to encrypt it.”

    If someone were to covertly access the memory card before the election, they could mark some or all users as having already voted absentee, preventing them from casting their actual vote. “I could write a script to do that in seconds,” Palmer said.

    Reply
  25. Tomi Engdahl says:

    Should I be worried of tracking domains on a banking website?
    https://security.stackexchange.com/questions/166340/should-i-be-worried-of-tracking-domains-on-a-banking-website

    Finland’s largest bank OP (former Osuuspankki) has added tracking domains (all three owned by Adobe) in their website redesign.

    This happened with another Finnish bank, S-Pankki, a couple years ago.

    It looks like the main site is embedding script from Adobe Marketing Cloud directly into the page. While these scripts are loaded from the same server as the main site, it looks like these scripts communicate with external servers using XHR and also download new script from demdex.net and 2o7.net according to the logs of uBlock Origin.

    Especially the loading and executing of new scripts from a third party outside the control of your bank is a huge security problem. Essentially these scripts can get full control over the web site, including reading what you enter, changing submitted or displayed content etc. These are essentially cross site scripting, only that they did not happen by accident but the developers of the banking site explicitly invited these third parties to do cross site scripting.

    While such use of third party services might be acceptable on a site where no sensitive information is entered, it is absolutely not acceptable whenever sensitive information is transferred or when it unexpectedly changes the content of a web site (like showing a different account balance) and might cause unwanted actions from the visitor.

    Banking sites are hardly monolithic. A bank usually relies on dozens or even hundreds of third party systems in their overall solution.

    It is not at all uncommon for banking sites to involve third parties on the front end as well. This could range from third party libraries just to render a calendar control to systems that provide user behavior analytics and risk decisions. Many of these vendors offer script and content via content delivery networks (CDNs), meaning that the files might come from a third party domain.

    Is this dangerous? It can be. If the third party resources are not verified via Subresource integrity, they could be modified by hackers (via Man-in-the-middle) or even the third party itself (e.g. malicious employee). So any online banking implementation will either host the content themselves (i.e. copy and paste the third party files onto their own web server) or in some cases deliver the content with a cryptographic hash, notated via the integrity attribute of the script node or link node that references the external file.

    Reply
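    As an added example (not from the question or its answers), here is a small Python audit of the two controls the second answer mentions: computing the integrity value for a copy of a third-party file, verifying fetched bytes against it the way a browser does, and listing script tags on a page that point at another origin without a usable hash. The page, hostnames and library bytes are constructed; note that this static check cannot see scripts a tracker loads at runtime, which is what a CSP script-src allowlist is for.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # weakest to strongest


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Value for an integrity attribute: '<algorithm>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute the way a browser does.

    The attribute may carry several space-separated hashes; only those using
    the strongest listed algorithm count, and any one of them matching passes
    (that is how a site rotates a library without a flag day). Unknown
    algorithms are ignored; a browser would then load the resource unchecked,
    so this audit helper reports that case as a failure instead.
    """
    parsed = []
    for token in integrity.split():
        algorithm, _, value = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, value.split("?", 1)[0]))  # drop options
    if not parsed:
        return False
    strongest = max((alg for alg, _ in parsed), key=SRI_ALGORITHMS.index)
    return any(sri_hash(content, alg) == f"{alg}-{value}"
               for alg, value in parsed if alg == strongest)


class _ScriptTags(HTMLParser):
    """Collects the attributes of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.scripts.append(attributes)


def audit_third_party_scripts(html: str, first_party_host: str):
    """Return (src, problem) for cross-origin scripts the page cannot pin.

    A script from another origin without `integrity` runs with whatever that
    origin (or anyone between) chooses to serve; one with `integrity` but no
    `crossorigin` attribute will not load at all, because the browser can only
    check the hash on a CORS-enabled response.
    """
    collector = _ScriptTags()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        host = urlsplit(attrs["src"]).hostname
        if host is None or host == first_party_host:  # relative or same host
            continue
        if not attrs.get("integrity"):
            findings.append((attrs["src"], "no integrity attribute"))
        elif "crossorigin" not in attrs:
            findings.append((attrs["src"], "integrity without crossorigin"))
    return findings


# Constructed sample page for a hypothetical first-party host bank.example.test.
SAMPLE_LIBRARY = b"window.calendar = function () { /* constructed library */ };\n"
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/calendar.js" integrity="{sri}" crossorigin="anonymous"></script>
<script src="https://cdn.example.test/widget.js" integrity="{sri}"></script>
<script src="https://tag.example-analytics.test/collect.js"></script>
</head><body></body></html>""".format(sri=sri_hash(SAMPLE_LIBRARY))


def audit_sample_page():
    return audit_third_party_scripts(SAMPLE_PAGE, "bank.example.test")


if __name__ == "__main__":
    print(sri_hash(SAMPLE_LIBRARY))
    for src, problem in audit_sample_page():
        print(f"{problem}: {src}")
```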
  26. Tomi Engdahl says:

    NSA Unlawfully Surveilled Kim Dotcom In New Zealand, Says Report
    https://hardware.slashdot.org/story/17/08/01/2019230/us-nuclear-comeback-stalls-as-two-reactors-are-abandoned?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+((Title)Slashdot+(rdf))

    According to new documents from New Zealand’s Government Communications Security Bureau (GCSB), the NSA illegally used technology to spy on Megaupload founder Kim Dotcom. “The New Zealand Herald first reported that the GCSB told the nation’s high court that it ceased all surveillance of Dotcom in early 2012, but that ‘limited’ amounts of communications from Dotcom were later intercepted by its technology without the bureau’s knowledge,” reports The Hill.

    http://thehill.com/policy/cybersecurity/344742-nsa-unlawfully-surveiled-kim-dotcom-in-new-zealand

    Reply
  27. Tomi Engdahl says:

    ‘Invisible Man’ malware runs keylogger on your Android banking apps
    Top tip: Don’t fetch and install dodgy Flash updates from random websites
    https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/

    A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, we’re told.

    Reply
  28. Tomi Engdahl says:

    HBO hacked: Upcoming episodes, Game of Thrones data leaked online
    HBO chairman: ‘Disruptive, unsettling, and disturbing for all of us’
    http://ew.com/tv/2017/07/31/hbo-hacked-game-of-thrones/

    HBO has joined the ranks of Hollywood entertainment companies to suffer a major cyber attack.

    EW has learned that upcoming episodes of a couple series and at least one alleged script or treatment have been put online by hackers who breached the company’s systems — with more threatened to be coming soon.

    “HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information,” the network confirmed in a statement.

    Reply
  29. Tomi Engdahl says:

    Apple Caved to China, Just Like Almost Every Other Tech Giant
    https://www.wired.com/story/apple-china-censorship

    Apple recently removed some of the virtual private networks from the App Store in China, making it harder for users there to get around internet censorship. Amazon has capitulated to China’s censors as well; The New York Times reported this week that the company’s China cloud service instructed local customers to stop using software to circumvent that country’s censorship apparatus. While caving to China’s demands prompts a vocal backlash, for anyone who follows US tech companies in China, it was anything but surprising. Apple and Amazon have simply joined the ranks of companies that abandon so-called Western values in order to access the huge Chinese market.

    Reply
  30. Tomi Engdahl says:

    Janko Roettgers / Variety:
    HBO security contractor says hackers stole “thousands of internal documents” in addition to episodes and have leaked personal info of a senior HBO executive — The HBO hack may have been worse than the initial leaks of a few unaired TV show episodes suggested.

    HBO Security Contractor: Hackers Stole ‘Thousands of Internal Documents’ (EXCLUSIVE)
    http://variety.com/2017/digital/news/hbo-hack-thousands-of-documents-stolen-1202513573/

    The HBO hack may have been worse than the initial leaks of a few unaired TV show episodes suggested. A security company hired by HBO to scrub search results for the hacked files from search engines has told Google that the hackers stole “thousands of Home Box Office (HBO) internal company documents.”

    The disclosure came as part of a DMCA take-down notice sent to Google Tuesday to force the search engine to take down links to the leaked files. The take-down notice also detailed that the hackers did away with “masses of copyrighted items including documents, images, videos and sound.”

    The company in question, IP Echelon, is frequently being used by HBO to remove links to infringing material from Google. An HBO spokesperson declined to comment on the take-down notice and the nature of any files stolen by the hackers when contacted by Variety Wednesday “due to an ongoing investigation.”

    Word of HBO getting hacked first broke Monday morning, when the hackers approached media outlets with the news that they had broken into HBO’s networks and released episodes of “Ballers,” “Insecure,” and “Room 104” as well as the script for an upcoming episode of “Game of Thrones.”

    Also released by the hackers: Two episodes of “Barry,” the hit man comedy starring Bill Hader that is not scheduled to air until 2018 on the network.

    The hackers appear to have also leaked personal information of a senior HBO executive.

    The perpetrators of the hack have claimed that they were able to access some of HBO’s key network infrastructure, and steal a total of 1.5 terabytes of data, and have suggested that they will release additional information in the near future.

    An image file published as part of the leaks seems to corroborate at least the first part of that claim, as it appears to show screenshots of HBO’s internal administration tools, listing employee names and email addresses and their functions within the organization.

    Reply
  31. Tomi Engdahl says:

    Interpol, Group-IB Unmask Pro-ISIS Hackers
    http://www.securityweek.com/interpol-group-ib-unmask-pro-isis-hackers

    Interpol has teamed up with Russian security firm Group-IB in an effort to identify the members of a pro-ISIS hacker group that has taken credit for many website defacements and distributed denial-of-service (DDoS) attacks.

    The group, calling itself the United Islamic Cyber Force (UICF), has carried out numerous attacks since January 2014. It has contributed to hacktivist campaigns such as OpFrance, which included attacks on the TV5Monde TV station and Notepad++, OpIsrael, OpIndia, Operation Free Palestine and Operation Free Al-Aqsa.

    According to Group-IB, UICF has had over the years at least 40 members who were connected to over 60 pro-Islamic hacker groups from around the world. The security firm has traced the online monikers used by UICF hackers to individuals in Indonesia, Pakistan, Morocco, Algeria, Nigeria, India and Kosovo.

    “Their low level of technical training, a sense of impunity and excessive ambitions cause hacktivists not to pay due attention to their own security, despite the various instructions for ensuring anonymity popular in their milieu,”

    “From their profiles, none of the hacktivists from the United Islamic Cyber Force looks like professional cybercriminals who attack banks, government institutions or strategic infrastructure facilities,”

    Reply
  32. Tomi Engdahl says:

    User Security is a Responsibility, Not an Excuse, Part 2
    http://www.securityweek.com/user-security-responsibility-not-excuse-part-2

    It’s no big secret the majority of security incidents companies grapple with are a result of human error. Maybe a user opens the wrong email attachment. Or maybe they visit the wrong website or plug in the wrong USB drive. People are people. They’re going to make mistakes. Cyber criminals know this and actively prey on user error as the path of least resistance inside any network they’re targeting.

    In the first post in this two-part series, I offered recommendations to make users more aware of the threats they’re most likely to be exposed to, ways to increase their awareness and lower their risk. In this post, I’d like to cover why awareness alone isn’t enough.

    Counterfeit emails and websites have gotten far more personal and convincing

    Gone are the days when the only malicious emails in a user’s inbox were poorly constructed spam messages, in marginal English, from fake Nigerian princes. Today’s most advanced phishing attacks leverage information from social media accounts, company websites, and previously compromised inboxes. As a result, well-crafted phishing emails appear to come from a contact you know and may even include a file attachment shared between the two of you sometime in the recent past.

    Getting locked out of critical files and systems is increasingly likely following a successful phishing attack, but as prominent as ransomware has become, there are other types of infections that are equally damaging but far more stealthy.

    The latest wave of ransomware attacks has not relied on users at all

    While phishing and other attacks that rely on tricking users still pose a significant risk, some of the most prominent and widespread recent infection scenarios haven’t involved users at all. Take the WannaCry and NotPetya outbreaks, for example. Following initial infections, both exploited vulnerable, unpatched, remote systems to spread the infection, while NotPetya also abused otherwise legitimate system tools like PsExec and WMIC to move laterally across compromised networks.

    Reply
  33. Tomi Engdahl says:

    DOJ Helps Organizations Build Vulnerability Disclosure Programs
    http://www.securityweek.com/doj-helps-organizations-build-vulnerability-disclosure-programs

    The U.S. Department of Justice (DOJ) Criminal Division’s Cybersecurity Unit has created a framework designed to help organizations develop formal vulnerability disclosure programs.

    An increasing number of organizations have come to realize that bug bounty programs can be highly efficient for finding security holes in their networks and applications. Most of the major companies in the private sector have been running such initiatives for years and the U.S. government has also taken some important steps in this direction.

    The Department of Defense has run, via the HackerOne platform, three bug bounty programs: Hack the Pentagon, Hack the Army, and Hack the Air Force.

    Reply
  34. Tomi Engdahl says:

    Cobalt Hackers Now Using Supply Chain Attacks
    http://www.securityweek.com/cobalt-hackers-now-using-supply-chain-attacks

    After expanding operations to the Americas earlier this year, the financially-motivated “Cobalt” cybercriminal group has changed techniques and is now using supply chain attacks to target an organization’s partners, Positive Technologies reveals.

    First described in 2016 and currently active worldwide, Cobalt is quick to react to banks’ protective measures, and the use of the infrastructure and accounts of a company’s employees for nefarious operations is proof of that. To trick recipients into opening phishing messages from illegitimate domains, the group also uses the names of regulatory authorities or security topics, researchers say.

    The group is targeting banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The attackers use phishing messages disguised as mailings from financial regulators and employ various types of malicious attachments, including malicious documents or ZIP archives packing executables or shortcut files.

    The hackers, Positive Technologies says, were among the first to have access to the latest version of the Microsoft Word Intruder 8 exploit builder, which allowed them to create files exploiting CVE-2017-0199, a vulnerability patched in April. The group also abuses poorly protected public sites to drop files onto the victims’ computers, and delivers the phishing messages to both corporate and personal addresses of targeted employees.

    Reply
  35. Tomi Engdahl says:

    Remotely Exploitable Flaws Found in Popular IP Cameras
    http://www.securityweek.com/remotely-exploitable-flaws-found-popular-ip-cameras

    Bitdefender and Checkmarx have each published reports describing remotely exploitable vulnerabilities found by their researchers in popular VStarcam, Loftek and Neo IP cameras.

    As part of its research into IoT security, Bitdefender discovered several buffer overflow vulnerabilities affecting the web server service and the Real Time Streaming Protocol (RTSP) server of iDoorbell and Neo Coolcam NIP-22 cameras made by China-based Shenzhen Neo Electronics.

    A remote, unauthenticated attacker can exploit the flaws to execute arbitrary code and take control of the vulnerable devices. While they focused on the iDoorbell and Neo Coolcam NIP-22 devices, researchers believe other products sold by the Chinese company are also likely affected.

    Reply
  36. Tomi Engdahl says:

    The Truth About Micro-Segmentation (Part 2)
    http://www.securityweek.com/truth-about-micro-segmentation-part-2

    For the past few decades, visibility has been the Odyssey of security professionals. The saying, “You can’t protect what you can’t see” has launched a thousand security startups, most to fatally founder on irrelevance or poor execution.

    In the data center and cloud security world, the role of visibility resurfaces with a redoubled effort. Most data centers are built on the “hard exterior” school of network security, i.e., a firewalled perimeter with a soft, chewy, open interior. With the increasing spread of attacks inside the data center and cloud (malware, insider threats, or simply application or communications vulnerabilities exploited by bad actors), there is a growing focus on segmentation as a core data center strategy.

    Gartner Distinguished Analyst and VP Greg Young has suggested:

    “[Security and risk management leaders] should also consider redesigning their assets and moving different assets into more secure locations, or segmenting to add floodwalls between parts of their organization. Adding these obstacles will make it more challenging for hackers to penetrate an organization.”

    However, strong microsegmentation approaches cannot be implemented unless IT Operations and Security have clear visibility into how their applications are communicating, so that they can determine quickly what should be communicating.

    This requires going beyond traditional network visibility to understand how the applications’ dependencies actually work.

    The Neat & Clean World and The Real World

    Traditionally, application dependency maps are built manually, one network flow and one server at a time. This approach is nearly unworkable in the largest data center and cloud environments.

    When you get past the marketing side of things, there is a strong movement in the industry to use D3 JavaScript diagrams to create stronger visibility into application and network environments.

    https://d3js.org/

    Reply
  37. Tomi Engdahl says:

    New Legislation Could Force Security Into IoT
    http://www.securityweek.com/new-legislation-could-force-security-iot

    After years of warnings from security experts and researchers, the Internet of Things (IoT) remains fundamentally insecure. Now a group of senators has introduced bipartisan legislation to force vendors to ensure basic security within their IoT devices if they wish to sell into the government market.

    Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-WA) and Steve Daines (R-MT) today introduced bipartisan legislation: Internet of Things (IoT) Cybersecurity Improvement Act of 2017. Its purpose is to require that all devices bought by the government meet defined minimum security requirements. Its effect will be that without compliance, vendors will lose their largest single market. Compliance, they hope, will then filter down from the public to private sectors, and on to consumers.

    Reply
  38. Tomi Engdahl says:

    Threat Modeling the Internet of Things: Part 3 – A Real World Example
    http://www.securityweek.com/threat-modeling-internet-things-part-3-real-world-example

    One of the most bizarre beginnings in movie history involved a young Paul Newman decapitating a streetful of Duncan Model 50 parking meters in the existential-hero classic, “Cool Hand Luke.” Those old Duncan Model 50 parking meters were coin-operated and were the American standard for decades, but they had some drawbacks.

    First, many modern economies are moving toward a cashless model, and hunting for coins in your car after finding a parking spot is no one’s idea of a good time. Users want the convenience of credit cards.

    Smart parking meters (some powered by solar panels) overcome some of those old limitations; most today allow motorists to pay with credit cards. Some recapture unused credits by resetting when the space is empty.

    Step 1: Identify the assets in play.

    For the deployment of a smart parking meter, the list of assets is relatively short and well-defined.

    · Credit card payment info
    · Money (coins)
    · The parking meter
    · The parking space

    A manufacturer of the meter may have a different threat model involving the physical aspects of the device itself: device memory, firmware interface, ecosystem communications. Part 2 of the series catalogues these, but let’s focus on the deployment assets.

    Step 2: Catalog the threats using STRIDE.

    Recall that STRIDE is a threat classification model to help you identify threats to a system by considering these aspects of the asset: (S)poofing of user identity, (T)ampering, (R)epudiation, (I)nformation Disclosure, (D)enial of Service, and (E)scalation of Privilege.

    Step 3: Score the threats using DREAD.

    The old DREAD system can help us quantify these threats. Assume maximal values for Reproducibility and Discoverability, and just score the Damage, Exploitability, and Affected Users categories.

    Prioritizing Mitigations

    The point of threat modeling is to create a table similar to the above; to enumerate and prioritize threats. The mitigation of each should be a natural follow-on. Prioritization helps decision makers in a world of sparse development resources; not everything needs to be fixed at once. And sometimes documentation or merely risk acceptance is the appropriate tactic to take.

    While this threat model focused mostly on traditional InfoSec threats, the operator was also doing risk analysis from a legal perspective. The company has other projects under review for a smart city; it has decided that risks associated with sensors for systems such as waste treatment, sewer flow, and traffic reporting are okay. But it is not comfortable with traffic-changing systems or other systems that might involve risk of life.

    Threat Modeling the Internet of Things

    Those points get back to one of the larger problems hinted at in Part 2: that a proper threat model for the Internet of Things includes the entire demesne of existing infrastructure: web applications, web services, cloud, transport security and, finally, people.

    Reply
  39. Tomi Engdahl says:

    Chris Duckett / ZDNet:
    DigiCert to acquire Symantec’s web certificate business for about $950M up front in cash, and a 30% stake in DigiCert stock at close

    Symantec to get almost $1b plus stock in certificate business sale
    http://www.zdnet.com/article/symantec-to-get-almost-1b-plus-stock-in-certificate-business-sale/

    DigiCert will part with $950 million upfront in cash, and hand Symantec a 30 percent stake in exchange for its website security unit.

    Symantec’s embattled website security business is set to have new owners in the third quarter of next year, following the purchase of the business by DigiCert.

    The terms of the deal will see Symantec receive $950 million in cash up front, and gain a 30 percent stake in DigiCert upon the closing of the transaction.

    In recent months, Symantec has been embroiled in discussion with Google and Mozilla to begin a process of distrust in its TLS certificates. Last week, Google released its final proposal, which would see Chrome 66 remove trust from certificates issued prior to June 1, 2016 when it is released in April next year.

    A year later when Chrome 70 is released, it is proposed the browser will distrust any certificate issued by Symantec’s old infrastructure, including those sold after June 1, 2016.

    In a statement, Symantec CEO Greg Clark said selling the business would allow the security giant to “sharpen” its enterprise focus.

    “I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions.”

    DigiCert said Symantec customers would be able to move to a “new platform that meets all industry standards and browser requirements and provides the foundation for future innovation in the certificate authority space for the benefit of customers”.

    Reply
  40. Tomi Engdahl says:

    Facial recognition service becomes a weapon against Russian porn actresses
    “FindFace” was created to find friends, but some are using it to harass women.
    https://arstechnica.co.uk/tech-policy/2016/04/facial-recognition-findface-used-against-russian-porn-actresses/

    The developers behind “FindFace,” which uses facial recognition software to match random photographs to people’s social media pages on Vkontakte, say the service is designed to facilitate making new friends. Released in February this year, FindFace started gaining popularity in March after a software engineer named Andrei Mima wrote about using the service to track down two women he photographed six years earlier on a street in St. Petersburg.

    From the start, FindFace has raised privacy concerns.

    “In theory,” Tsvetkov told RuNet Echo, “this service could be used by a serial killer or a collector trying to hunt down a debtor.”

    Hoping to raise concerns about the potential misuses of FindFace, Tsvetkov seems to have inspired a particularly nasty effort to identify and harass Russian women who appear in pornography. On April 9, three days after the media reported on Tsvetkov’s art project, users of the Russian imageboard “Dvach” (2chan) launched a campaign to deanonymize actresses who appear in pornography. After identifying these women with FindFace, Dvach users shared archived copies of their Vkontakte pages and spammed the women’s families and friends with messages informing them about the discovery. The effort also targeted women registered on the website “Intimcity,” which markets prostitution services.

    The Internet users behind the doxing campaign say their motivation is moral outrage, claiming that women in the sex industry are “corrupt and deceptive.”

    Reply
  41. Tomi Engdahl says:

    40,000 Tinder pics scraped into big data service
    Trove then disappears, as folks point out the privacy problem
    http://www.theregister.co.uk/2017/05/01/people_of_tinder_data_disappears_amid_uproar/

    Amid a storm of criticism, a set of facial images built by scraping the Tinder dating service has been pulled from Kaggle.

    Developer Stuart Colianni had built the 40,000-strong set of “hoes” (the charming variable name* in his source code – more below in case that repo also dies) on the premise that facial datasets are generally too small to be useful.

    At the GitHub page, Colianni attributes the removal to a request from Tinder.

    In any jurisdiction with medium-strength privacy regulations, scraping and publishing the data without consent probably represents a breach.

    Likewise, the popular hobby of inferring personally identifiable information from multiple datasets is a breach of privacy legislation in many countries.

    Wilson notes that the word “public” almost never occurs in data privacy laws around the world.

    Reply
  42. Tomi Engdahl says:

    White House Says Russia’s Hackers Are Too Good to Be Caught but NSA Partner Called Them “Morons”
    https://theintercept.com/2017/08/02/white-house-says-russias-hackers-are-too-good-to-be-caught-but-nsa-partner-called-them-morons/

    The hackers behind the dump of Democratic Party emails in the midst of last year’s presidential race left apparent evidence of their identity — a breadcrumb trail winding from the stolen files back to the Russian government, according to assessments from the U.S. intelligence community. Some of this evidence was there from the beginning, embedded inside the first documents to hit the web, raising a niggling question: Why would diabolically skilled Russian operatives operate so sloppily?

    The competence of Russian hackers became a prominent issue once more last Sunday, when the president’s communications director Anthony Scaramucci — since removed from his post but quoting the president directly — said the following to Jake Tapper on CNN:

    “Somebody said to me yesterday, uh, I won’t tell you who, that if the Russians actually hacked this situation and actually spilled out those emails, you would have never seen it, you would have never had any evidence of them, meaning they’re super confident in their deception skills and hacking.”

    Seconds later, Scaramucci revealed his anonymous technical source on the matter to have been Donald Trump himself.

    The CSE presentation, provided by NSA whistleblower Edward Snowden, dates to no earlier than 2011, and describes the agency’s work tracking a set of Russian government-sponsored hackers codenamed MAKERSMARK. The MAKERSMARK team was believed by NSA “with a high level of confidence” to be sponsored by a Russian intelligence agency.

    CSE’s account of the Russian actors does not exactly jibe with the White House’s vision of ninja-like computer users. The agency presentation, prepared by a “cyber counter intelligence” agent focused on MAKERSMARK, highlights Russian hackers’ “misuse of operational infrastructure” and “poor OPSEC [operational security] practices,” both of which made it elementary for the Canadians to trace attacks back to their source. The document says Russian hackers were provided with “really well designed” systems with which to launch attacks, but because the execution was so shoddy, “this has not translated into security for MAKERSMARK operators.”

    Put more bluntly, the Russian attacks CSE observed were “designed by geniuses” but “implemented by morons,” according to the presentation.

    Reply
  43. Tomi Engdahl says:

    LinkedIn Case Tests Whether Firms Can Use Your Data
    Startup scrapes public profiles to predict whether people are likely to leave their jobs. LinkedIn says that violates privacy
    https://www.wsj.com/articles/suit-against-linkedin-could-affect-data-analytics-industry-1501147801

    Reply
  44. Tomi Engdahl says:

    ‘Real’ people want govts to spy on them, argues UK Home Secretary
    Magical thinking meets willful ignorance at closed meeting
    https://www.theregister.co.uk/2017/08/01/amber_rudd_on_encryption/

    UK Home Secretary Amber Rudd kicked off a firestorm in the tech community Tuesday when she argued that “real people” don’t need or use end-to-end encryption.

    In an article in the Daily Telegraph timed to coincide with Rudd’s appearance at a closed event in San Francisco, Rudd argued: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.”

    The reference to “real people” struck a nerve with a host of security experts, sysadmins, privacy advocates and tech-savvy consumers who took to Twitter to point out that they were real people, and not ISIS sympathizers – as Rudd implied in her piece. Rudd essentially declared that people who use strong encryption are not normal, not real people, which is a rather dangerous sentiment.

    More broadly, her argument is an effort to square the circle on the issue of encryption: where tech companies and security experts say they cannot allow access to encrypted messages without compromising the entire system; and politicians and the security services argue that they need to be able to gain access to all communications for national security reasons.

    Magic

    The politicians’ argument has long been disparaged as “magical thinking” by the tech industry (and some federal agency representatives): simply wishing something to be true does not make it possible.

    “This is not about asking the companies to break encryption or create so-called ‘back doors’,” Rudd argued, while failing to recognize that any method of breaking encryption on demand is, by definition, the introduction of a backdoor. She added:

    “I know some will argue that it’s impossible to have both – that if a system is end-to-end encrypted then it’s impossible ever to access the communication. That might be true in theory. But the reality is different.”

    Remember Snowden?

    What Rudd’s argument fails to acknowledge, however, is the entire reason that the encryption debate took off in the first place: mass surveillance carried out by the National Security Agency (NSA) that was revealed in confidential documents released by Edward Snowden back in 2013.

    Lest anyone forget, Snowden revealed that not only were the US authorities monitoring every phone call made in the US, but they had tapped the internet’s backbone and tech giants’ data centers without letting them know.

    Many of those programs have since been declared illegal, but the enormous breach of trust felt by the US tech companies that had been working with the authorities to provide legal access to communications resulted in immediate efforts to encrypt all data and so cut off the NSA’s data firehose.

    Reply
  45. Tomi Engdahl says:

    Pwned Passwords
    https://haveibeenpwned.com/Passwords

    Pwned Passwords are hundreds of millions of real world passwords exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts. They’re searchable online below as well as being downloadable for use in other online systems. Do not send any password you actively use to a third-party service – even this one!

    NIST’s guidance: check passwords against those obtained from previous data breaches

    The Pwned Passwords service was created after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords.

    Downloading the Pwned Passwords list

    The entire set of passwords is downloadable.

    Reply
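An added example (not code from the Pwned Passwords site or from this blog) of the NIST-style check described above, done offline against a local copy of the downloaded list so that no live password is ever sent to a third party. It assumes the list format is one uppercase SHA-1 per line, optionally followed by `:count`; the three sample lines are constructed, with real digests of three weak passwords but made-up counts.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed sample of the downloadable list: "UPPERCASE-SHA1[:count]" per line.
# The digests are the real SHA-1 values of "password", "123456" and "qwerty";
# the counts are made-up illustrative numbers, not real prevalence figures.
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
7C4A8D09CA3762AF61E59520943DC26494F8941B:20760336
B1B3773A05C0ED0176787A4F1574FF0075F7521E:3599486
"""

# Accept both the hash-only format and the "hash:count" format (assumption).
LINE_RE = re.compile(r"^([0-9A-F]{40})(?::(\d+))?$")


def load_pwned_hashes(text: str) -> Dict[str, int]:
    """Parse the list into {sha1_hex: count}; hash-only lines get count 1."""
    index: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip().upper()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed line: {raw!r}")
        index[m.group(1)] = int(m.group(2) or 1)
    return index


def pwned_count(password: str, index: Dict[str, int]) -> int:
    """How often the password appears in the breach corpus (0 = not found).
    Only the SHA-1 of the candidate is looked up; the plaintext stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return index.get(digest, 0)


def check_new_password(password: str, index: Dict[str, int]) -> Optional[str]:
    """Acceptance check in the spirit of the NIST guidance: a length floor,
    then rejection of anything seen in a breach. None means acceptable."""
    if len(password) < 8:
        return "too short (minimum 8 characters)"
    hits = pwned_count(password, index)
    if hits:
        return f"appears in breach data ({hits} times); choose another"
    return None


if __name__ == "__main__":
    idx = load_pwned_hashes(SAMPLE_PWNED_LIST)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, idx) or "ok")
```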
  46. Tomi Engdahl says:

    Bypassing Common Two-Factor Solutions
    https://www.nixu.com/en/blog/2017-07/bypassing-common-two-factor-solutions

    So what does two-factor authentication actually mean? There are three general types of authentication:

    Something you know; password, PIN code, gesture pattern or similar.
    Something you have; a phone, a keycard or a fob (that produces a code in a way or another).
    Something you are; a biometric feature like fingerprint or voice recognition.

    There are also different forms of 2FA that are not really two-factor, which everyone should avoid. An example of this would be using an email address as the username and the same email address as the destination for the two-factor authentication codes. In case the email address was compromised, the second factor, authentication codes, couldn’t provide any further security.

    Currently the most common combination is to use a password and a phone, to which you get a one-time code as an SMS. After logging in with username and password you will be asked to input this usually short numeric code, which is valid for some period of time – note that this varies, the codes might be valid for minutes or for hours.

    An increasingly used replacement for SMS is time-based authentication tokens. They come both in physical form like the well-known RSA SecurID and in mobile applications like Google’s Authenticator. As even the venerable NIST has begun deprecating SMS as a secure 2FA method, time-based tokens are gaining popularity because they are arguably more secure than SMS, which is burdened by the widely-known vulnerabilities in the SS7 protocol. The risk is not even theoretical any more: hackers compromised activists’ Telegram accounts that require the SMS code for authorizing a new device.

    A physical authentication method may also be used. In this case, the correct authentication device needs to be inserted into the correct computer for it to work. In an organizational context, this usually comes in the form of keycards or authentication “fobs”.

    Bypassing two factor authentication methods

    1. Account recovery features (all 2FA methods)

    With account recovery features, say a Google or Microsoft account, you can bypass the 2FA entirely. If you can compromise the recovery email or answer the security questions (information for both can usually be found online) you might be able to turn off the 2FA in minutes.

    2. Phishing attacks (all one-time token 2FAs)

    With the growing number of web services offering 2FA this type of attack is attractive for cybercrime being the most scalable one. Phishing attacks can be automated along with other means like malvertising. Phishing attacks, in this case, have two main attack techniques:
    - Clickjacking; inserting a malicious iframe or similar which directs you to a website that is stealing logins.
    - Phishing emails; emails containing links that seem safe but lead to sites stealing logins.

    3. Via the telecommunications company (SMS-based 2FAs)

    There are also ways to compromise 2FA through the telecommunications company with social engineering. Usually the customer service strongly prefers to keep the customer happy. If you can confidently impersonate the victim and you are armed with the victim’s SSN and some similar basic information you can make any changes you want. This includes call & SMS forwarding and ordering a new SIM card.

    2FA is good security, but it’s not bulletproof and is even vulnerable to mass compromise by a skilled attacker. Obviously there are more ways to compromise different kinds of 2FA solutions than outlined here.

    Reply
  47. Tomi Engdahl says:

    New Legislation Could Force Security Into IoT
    http://www.securityweek.com/new-legislation-could-force-security-iot

    After years of warnings from security experts and researchers, the Internet of Things (IoT) remains fundamentally insecure. Now a group of senators has introduced bipartisan legislation to force vendors to ensure basic security within their IoT devices if they wish to sell into the government market.

    Reply
  48. Tomi Engdahl says:

    UK Security Researcher ‘Hero’ Accused of Creating Bank Malware
    http://www.securityweek.com/uk-security-researcher-hero-accused-creating-bank-malware

    A British computer security researcher hailed as a hero for thwarting the “WannaCry” ransomware onslaught was in US custody on Thursday after being indicted on charges of creating malware to attack banks.

    Marcus Hutchins, known by the alias “Malwaretech,” was charged in an indictment dated July 12 and unsealed by federal authorities in Wisconsin.

    The US Justice Department said in a statement Hutchins was arrested Wednesday in Las Vegas, where a major Def Con hacker security conference took place over the weekend.

    Reply
  49. Tomi Engdahl says:

    ‘Dumbo’ Tool Helps CIA Agents Disable Security Cameras
    http://www.securityweek.com/dumbo-tool-helps-cia-agents-disable-security-cameras

    The U.S. Central Intelligence Agency (CIA) has developed a tool that disables security cameras and corrupts recordings in an effort to prevent its agents from getting compromised, according to documents published on Thursday by WikiLeaks.

    The tool, dubbed “Dumbo,” is executed directly from a USB thumb drive by an operative who has physical access to the targeted device. Once executed, the program can mute microphones, disable network adapters, and suspend processes associated with video recording devices.

    Dumbo also informs its user of where those video recording processes store footage so that the files can be corrupted or deleted.

    The user guides made available by WikiLeaks — the latest version is dated June 2015 — show that the tool was developed in response to the need for a capability to disrupt webcams and corrupt recordings in an effort to prevent a PAG (Physical Access Group) deployment from getting compromised.

    PAG is a special branch within the CIA’s Center for Cyber Intelligence (CCI) and its role is to gain physical access to computers and exploit this access, WikiLeaks said.

    The tool, designed for Windows XP and newer versions of the Microsoft operating system, needs SYSTEM privileges to function correctly.

    “[The tool] identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator,” WikiLeaks said. “By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.”

    Dumbo developers pointed out that home security products (e.g. Kaspersky antivirus) may block some of the tool’s functions, and advised users to disable any protections before installation.

    https://wikileaks.org/vault7/#Dumbo

    Reply
  50. Tomi Engdahl says:

    The Amazon Echo As A Listening Device
    http://hackaday.com/2017/08/03/the-amazon-echo-as-a-listening-device/

    It is an inevitability that following swiftly on the heels of the release of a new device there will be an announcement of its rooting, reverse engineering, or other revealing of its hackability. Now the device in question is the Amazon Echo, as MWR Labs announce their work in persuading an Echo to yield the live audio from the microphone and turn the voice assistant device into a covert listening device.

    The work hinges on a previous discovery and reverse engineering (PDF) of Amazon’s debug connector on the base of the Echo, which exposes both an SD card interface and a serial terminal.

    Alexa, are you listening?
    https://labs.mwrinfosecurity.com/blog/alexa-are-you-listening

    The Amazon Echo is vulnerable to a physical attack that allows an attacker to gain a root shell on the underlying Linux operating system and install malware without leaving physical evidence of tampering. Such malware could grant an attacker persistent remote access to the device, steal customer authentication tokens, and the ability to stream live microphone audio to remote services without altering the functionality of the device.

    This vulnerability is due to two hardware design choices:

    Exposed debug pads on the base of the device
    Hardware configuration setting which allows the device to boot from an external SD Card

    Here we present a technique for rooting an Amazon Echo and then turning it into a ‘wiretap’.

    Reply
