Security trends 2017

3,151 Comments

1. August 4, 2017 at 9:01 am

   Tomi Engdahl says:

   Programmer’s < fumble jeopardizes thousands of medical reports
   Oh Danny boy, the typos, the typos are galling
   http://www.theregister.co.uk/2017/08/03/medical_report_bug/

   A bug in code that generates medical reports could force patients in Ireland to repeat their hospital and clinic scans.

   The Emerald Isle's healthcare bosses have admitted a flaw in the PACS software used to store documents in its National Integrated Medical Imaging System (NIMIS) causes some records to not display a single, but highly relevant, symbol.

   "The issue identified is in relation to the 'less than' symbol (<) being recorded in the examination report on the PACS component," the country's healthcare executive said today.

   "Where the < symbol is used on a report and when that report is viewed electronically within the PACS, the symbol has been omitted and is not visible."

   In this case, the < key is important because, of course, the symbol is used to denote measurement values, and in its absence, a reading of "less than" an amount would be read as "equal to" the amount (eg, '<30mg' becomes '30mg').

   The programming error affects radiology and cardiology scans, and other medical imaging, we're told.

   Reply
2. August 4, 2017 at 9:03 am

   Tomi Engdahl says:

   The HBO Hack Was Reportedly up to Seven Times Larger Than the Sony Hack
   https://www.vanityfair.com/hollywood/2017/08/hbo-hack-seven-times-larger-sony

   Only a few TV episodes and a script have been leaked so far—but video footage, internal documents, and e-mails might be next.

   It seems the recent HBO hack was just as bad as the hackers threatened it would be, according to [The Hollywood Reporter]http://www.hollywoodreporter.com/news/hbo-hack-insiders-fear-leaked-emails-as-probe-widens-1025827). When Netflix was hacked earlier this year, the cyber-criminals behind the attack demanded a ransom. But there was no such demand in the hack that struck HBO over the weekend, and the sheer amount of compromised data has led some to believe that video footage, internal documents, or e-mails could be leaked next. The premium-cable giant is working with the F.B.I. and cyber-security firm Mandiant to investigate the breach, in which hackers claimed to have stolen 1.5 terabytes’ worth of data. Per T.H.R., that would make this hack about seven times larger than the Sony attack in 2014, which buried the studio in leaked e-mails.

   “A traditional business-grade D.S.L. link would take about two weeks at full blast to exfiltrate that much data,” Farsight Security C.E.O. Paul Vixie told T.H.R. “If not for video and sound, a corporation the size of HBO might fit [entirely] in a terabyte, including all the e-mail and spreadsheets ever written or stored.” Another expert added that the entire Library of Congress contains an estimate of 10 terabytes of print material—so it is almost certain that video and/or audio were stolen.

   Incidentally, Mandiant, the cyber-security firm with whom HBO is reportedly working, led the Sony hack investigation as well.

   HBO has not yet commented beyond its initial statement acknowledging the hack: “HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information. We immediately began investigating the incident and are working with law enforcement and outside cyber-security firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold.”

   Reply
3. August 4, 2017 at 9:04 am

   Tomi Engdahl says:

   Mozilla’s EU Policy Manager: EU’s Copyright Reform is ‘a dysfunctional proposal’
   https://thenextweb.com/eu/2017/08/03/mozilla-exec-eus-copyright-reform-is-a-dysfunctional-proposal/#.tnw_zjN6ozet

   Reply
4. August 4, 2017 at 9:06 am

   Tomi Engdahl says:

   “Borrow” Payment Cards with NFC Proxy Hardware
   http://hackaday.com/2017/07/31/borrow-payment-cards-with-nfc-proxy-hardware/

   Contactless payments are growing in popularity. Often the term will bring to mind the ability to pay by holding your phone over a reader, but the system can also use NFC tags embedded in credit cards, ID card, passports, and the like. NFC is a reasonably secure method of validating payments as it employs encryption and the functional distance between client and reader is in the tens of centimeters, and often much less. [Haoqi Shan] and the Unicorn team have reduced the security of the distance component by using a hardware proxy to relay NFC interactions over longer distances.

   The talk, give on Sunday at DEF CON, outlined some incredibly simple hardware: an NFC antenna connected to a PN7462AU, an NRF24L01 wireless transceiver, and some power regulation. The exploit works by using a pair of these hardware modules. A master interfaces with the NFC reader, and a slave reads the card. The scenario goes something like this: a victim NFC card is placed near the slave hardware. The master hardware is placed over a payment kiosk as if making a normal payment. As the payment kiosk reader begins the process to read an NFC card, all of the communications between it and the actual card are forwarded over the 24L01 wireless connection.

   The demo video during the talk showed a fast-food purchase made on the Apple Pay network while the card was still at a table out in the dining area (resting on the slave hardware module). The card used was a QuickPass contactless payment card from China UnionPay. According to a 2016 press release from the company, over two billion of these cards had been issued at the time.

   Reply
5. August 4, 2017 at 9:38 am

   Tomi Engdahl says:

   Another day, another British Airways systems screwup causes chaos
   Flying from London? Add a few hours on for good measure
   https://www.theregister.co.uk/2017/08/02/british_airways_latest_systems_screwup_heathrow_gatwick_london_city_airports/

   British Airways is getting its grovelling in early after a systems crash caused chaos at Heathrow and Gatwick airports earlier this morning.

   The outage affected check-in desks at both the main London airports as well as the minor bizjet destination at London City Airport, with the inevitable hundreds of angry passengers taking to social media to air their ire at the airline.

   Inevitably one must compare the outage to the infamous BA meltdown of April, when both of its main data centres – primary and failover – went phut and caused the entire airline’s operations to literally grind to a halt as its flights were grounded worldwide. Although informed sources came up with plausible theories about what happened, the actual cause has not been acknowledged by British Airways.

   Reply
6. August 4, 2017 at 9:39 am

   Tomi Engdahl says:

   Chrome web dev plugin with 1m+ users hijacked, crams ads into browsers
   Toolmaker phished, Google account pwned, malicious code pushed out – and now fixed
   https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/

   A popular Chrome extension was hijacked earlier today to inject ads into browsers, and potentially run malicious JavaScript, after the plugin’s creator was hacked.

   Chris Pederick, maker of the Web Developer for Chrome extension, is urging anyone who uses his programming tool to update to version 0.5 or later. That’s because miscreants apparently phished his Google account, updated the software to version 0.4.9, and pushed it out to its 1,044,000 users.

   That booby-trapped build fetched JavaScript code from the web and ran it within people’s browsers: the code forcibly slapped ads on pages, and may have done worse. If you installed v0.4.9, you should upgrade to the clean v0.5 replacement immediately, and consider changing passwords or nullifying login tokens and cookies used on sites visited while using the infected extension.

   Reply
7. August 4, 2017 at 11:07 am

   Tomi Engdahl says:

   No! Don’t turn off SELinux!
   https://seven.centos.org/2017/07/dont-turn-off-selinux/

   One of the daily activities of the CentOS Community Lead is searching the Internet looking for new and interesting content about CentOS that we can share on the @CentOSProject Twitter account, or Facebook, Google +, or Reddit. There’s quite a bit of content out there, too, since CentOS is very popular.

   Unfortunately, some of the content gets unshared, based on one simple text search:

   “SELinux AND disable”

   That setting is indicative of one thing: the author is advocating the deactivation of SELinux, one of the most important security tools any Linux user can have. When that step is outlined, we have to pass sharing it and even recommend readers ignore such advice completely.

   But why do articles feel the need to outright deactivate SELinux rather than help readers work through any problems they might have? Is SELinux that hard?

   Actually, it’s really not.

   According to Thomas Cameron, Chief Architect for Red Hat, SELinux is a form of mandatory access control. In the past, UNIX and Linux systems have used discretionary access control, where a user will own a file, the user’s group will own the file, and everyone else is considered to be other. Users have the discretion to set permissions on their own files, and Linux will not stop them, even if the new permissions might be less than secure, such as setting chmod 777 to your home directory.

   “[Linux] will absolutely give you a gun, and you know where your foot is,” Cameron said back in 2015 at Red Hat Summit. The situation gets even more dangerous when a user has root permissions, but that is the nature of discretionary access control.

   With a mandatory access control system like SELinux in place, policies can be set and implemented by administrators that can typically prevent even the most reckless user from giving away the keys to the store.

   Reply
8. August 4, 2017 at 12:44 pm

   Tomi Engdahl says:

   HBO Security Contractor: Hackers Stole ‘Thousands of Internal Documents’ (EXCLUSIVE)
   http://variety.com/2017/digital/news/hbo-hack-thousands-of-documents-stolen-1202513573/

   The HBO hack may have been worse than the initial leaks of a few unaired TV show episodes suggested. A security company hired by HBO to scrub search results for the hacked files from search engines has told Google that the hackers stole “thousands of Home Box Office (HBO) internal company documents.”

   The disclosure came as part of a DMCA take-down notice sent to Google Tuesday to force the search engine to take down links to the leaked files. The take-down notice also detailed that the hackers did away with “masses of copyrighted items including documents, images, videos and sound.”

   HBO Hackers Threaten to Leak Additional Data This Coming Sunday
   http://variety.com/2017/digital/news/hbo-hackers-leak-threat-1202514935/

   HBO’s hacking problem may not be going away anytime soon: the hackers who leaked unaired episodes of the network’s shows earlier this week now threaten to release additional content this coming Sunday.

   In an automated email reply sent to Variety, the group wrote that it will “release the leak gradually every week,” adding that the next release may come “Sunday 12 GMT.” The group also repeated its claim that it had obtained a total of 1.5 terabyte of data when it broke into HBO’s computer networks.

   Word of the breach first broke Monday, when the hackers released a handful of unaired episodes of HBO shows, as well as other internal data, online. HBO has acknowledged the hack, but not commented on the types of files hackers were able to obtain. A spokesperson for the network also declined to comment on the new threat Thursday.

   Reply
9. August 4, 2017 at 12:45 pm

   Tomi Engdahl says:

   HBO Hack: CEO Tells Staff That Email System Likely Hasn’t Been Compromised
   http://www.hollywoodreporter.com/news/hbo-hack-ceo-tells-staff-email-system-hasnt-been-compromised-1026219

   At the same time, the pay cabler is going on the offensive, trying to thwart internet users from finding any stolen content that has already been leaked.

   HBO CEO Richard Plepler told staff in a note on Wednesday that “we do not believe that our e-mail system as a whole has been compromised, but the forensic review is ongoing.”

   The statement comes as the network deals with a major data breach that was discovered last week, with staffers expressing concern that their emails may have been caught up in the hackers’ net. At the same time, HBO is going on the offensive, attempting to prevent internet users from finding any stolen content that has already been made available.

   Google received a Digital Millennium Copyright Act takedown notice from HBO and is removing searches that link to sites hosting the leaked content. The unknown hackers, who claim to have pilfered 1.5 terabytes of data from the network, began releasing the content — a combination of rich-media data and text — on Sunday. But as quickly as the content appears on a site, the links stop working and users find an error messages.

   The DMCA move signals that HBO fears it has a lot more to lose than just soon-to-air episodes of Game of Thrones, Ballers and Insecure or the 2018 series Barry, starring Bill Hader. After all, much of that content quickly appears on torrent sites and is viewed by millions.

   Reply
10. August 4, 2017 at 12:55 pm

    Tomi Engdahl says:

    Linux kernel hardeners Grsecurity sue open source’s Bruce Perens
    Our customer contract doesn’t violate GPLv2, biz insists in defamation lawsuit
    https://www.theregister.co.uk/2017/08/03/linux_kernel_grsecurity_sues_bruce_perens_for_defamation/

    In late June, noted open-source programmer Bruce Perens warned that using Grsecurity’s Linux kernel security could invite legal trouble.

    “As a customer, it’s my opinion that you would be subject to both contributory infringement and breach of contract by employing this product in conjunction with the Linux kernel under the no-redistribution policy currently employed by Grsecurity,” Perens wrote on his blog.

    The following month, Perens was invited to court. Grsecurity sued the open-source doyen, his web host, and as-yet-unidentified defendants who may have helped him draft that post, for defamation and business interference

    Grsecurity offers Linux kernel security patches on a paid-for subscription basis. The software hardens kernel defenses through checks for common errors like memory overflows.

    According to Perens, “GPL version 2 section 6 explicitly prohibits the addition of terms such as this redistribution prohibition.”

    Linus Torvalds, who oversees the Linux kernel, has called Grsecurity’s patches “garbage”.

    Warning: Grsecurity: Potential contributory infringement and breach of contract risk for customers
    https://perens.com/blog/2017/06/28/warning-grsecurity-potential-contributory-infringement-risk-for-customers/

    Reply
11. August 5, 2017 at 3:01 pm

    Tomi Engdahl says:

    NEW ZEALAND
    GCSB ‘had no idea’ spy gear was still targeting Kim Dotcom
    http://www.nzherald.co.nz/index.cfm?objectid=11897719

    THE GCSB lost control of its surveillance technology and wasn’t aware its systems continued spying on Kim Dotcom, according to new documents from the spy bureau.

    It claimed that it turned off all surveillance systems targeting Dotcom and others but
    found out more than a year later that surveillance continued without its knowledge.

    The details in the documents have led Dotcom to state that there is now evidence the United States’ National Security Agency was carrying out surveillance on him.

    Dotcom, who should have been protected from GCSB surveillance as a New Zealand resident, said the GCSB did not know because its equipment was being used by the NSA, which was “directly involved”.

    Reply
12. August 6, 2017 at 6:05 am

    Tomi Engdahl says:

    Why ex-employees may be your company’s biggest cyberthreat
    http://www.techrepublic.com/article/why-ex-employees-may-be-your-companys-biggest-cyberthreat/?utm_content=bufferf226a&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

    Some 20% of organizations say they have experienced data breaches by ex-employees. Here’s how IT leaders can protect their business.

    While news of ransomware and DDoS attacks constantly make headlines, another major cybersecurity threat lurks at nearly every company: Ex-employees.

    In a recent survey of 500 IT decision makers from security firm OneLogin, only about half of respondents said they were “very confident” that former employees could no longer access corporate applications. And 20% of organizations surveyed said they had experienced data breaches by ex-employees.

    Further, 48% of organizations said they are aware that former employees still have access to corporate network. Half of IT leaders said that ex-employee’s accounts remain active once they have left the company for longer than a day, 32% said it takes a week, and 20% said it takes a month or more. Another 25% said they don’t know how long accounts remain active once the employee has left the company.

    So why don’t companies take away this access immediately? For one, the process can be time consuming: 70% of IT decision makers surveyed said it can take up to an hour to deprovision all of a single former employee’s corporate application accounts.

    For another, IT and HR do not often work together,

    Reply
13. August 6, 2017 at 7:08 pm

    Tomi Engdahl says:

    Philip Michaels / Tom’s Guide:
    After data collection “false alarm”, Amazon resumes selling some Blu smartphones

    Blu’s Back: Smartphone Sales Resume at Amazon
    https://www.tomsguide.com/us/blu-phones-return-to-amazon,news-25605.html

    The Amazon-imposed timeout for Blu smartphones appears to be over. After the retail giant halted sales of its phones earlier this week when spyware allegations resurfaced, Blu announced today (Aug. 4) that sales had resumed.

    Reply
14. August 6, 2017 at 7:10 pm

    Tomi Engdahl says:

    Gary Mortimer / sUAS News:
    US Army calls for units to discontinue use of products from Chinese drone maker DJI due to “cyber vulnerabilities” — According to a U.S. Army memo obtained by sUAS News, the U.S. Army Research Lab and U.S. Navy have concluded that there are operational risks associated with DJI equipment …

    US Army calls for units to discontinue use of DJI equipment
    https://www.suasnews.com/2017/08/us-army-calls-units-discontinue-use-dji-equipment/

    According to a U.S. Army memo obtained by sUAS News, the U.S. Army Research Lab and U.S. Navy have concluded that there are operational risks associated with DJI equipment, a move that was run up the flag pole last month but kept under wraps.

    Reply
15. August 6, 2017 at 7:15 pm

    Tomi Engdahl says:

    Drone Data Security
    https://www.suasnews.com/2017/08/drone-data-security/

    Are you adhering to your clients Data Security and privacy requirements, as well as your own?

    So it’s a story that’s been bubbling away for a while now and it’s finally out.

    The US Army has issued a Memorandum enforcing the discontinued use of DJI Products due to cyber security concerns.

    It wasn’t long ago the US Banned Chinese CCTV Cameras on critical infrastructure with UK raising concerns also.

    So lets back track a bit to the good old days…

    Modern day – Smart Drone systems, that are easy to fly right out of the box and DJI are ensuring they land in everyone’s hands. With the launch of the Spark, it can take off and land using just your hands.

    But whats happening with the all the data

    Flight Log Information
    GPS Positioning
    Aerial Sensor Captured Data
    APP Stored Data

    So going back the good old days, your data was easy to control. The imagery was contained within the camera, and the flight data was contained within the system. It wasn’t connected to the internet, and at best could be accessed locally via a laptop for updates and trouble shooting. I won’t bother mentioning the IOSD as it rarely ever worked properly

    Modern day – Smart drone systems from DJI are syncing all of the above data when logged in to your DJI Go App back to the DJI Servers, and this includes some of your payload data.

    But here are some things you might not know

    DJI Includes in your flight log images from your flight – Remember this as well come back to it shortly
    DJI Syncs your flight logs to their servers
    DJI Syncs Cached Data from your APP Device when offline and re syncs when online. This includes Audio and Video / Imagery Data

    DJI Go APP Screenshot from a critical infrastructure inspection I carried out. As you can see it appears in the APP, but how did it get there, I didn’t take this image. It’s a still from a video DJI Captured that’s embedded in the DJI Log, that Syncs to DJI Servers..

    Can you see where the US Gov is coming from now with their recent ban now?

    Did you know the DJI Go APP communicates with a whole list of servers whilst your system is logged in?

    Check out what pilots are doing now, there blocking all the links associated to the DJI Go App Here. That’s a lot of comms going on there, and to where?

    Within the systems as well there are hidden secondary SD Cards. They are mentioned loosely in the Manuals

    Taken from the DJI Forums, where a Mavic user discovers a hidden SD Card. It has now been confirmed

    So let’s look at it from the clients perspective.

    Client : Thanks for doing such a great job, the images look great.
    Pilot: Thanks, here is the media release form.
    Client: Great, can you confirm this is the only copy of the data
    Pilot: ???

    How many of you who are using these products can 100% confirm that is the only single copy in existence?

    This affects sensitive sites that are being inspected, feature film content that’s been recorded, imagine you just shot some awesome scenes for the new Star Wars films with a DJI system, the copyright and data security infringement issues could be huge if you’re not managing and securing that data.

    So what happens next? Will the UK follow suit?

    Reply
16. August 6, 2017 at 7:19 pm

    Tomi Engdahl says:

    A Global Information Gathering Network for UAS – DJI data collection
    https://www.suasnews.com/2017/05/global-information-gathering-network-uas-dji-data-collection/

    James Clapper said in a Guardian article :

    “In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,”

    That future he mentions has already arrived.

    The method and ability to perform data gathering from a UAS is currently being leveraged every day. Just by creating a personal account with DJI, you willingly provided many details about yourself. Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent.

    The past several years has been an exciting with the amazing developments and availability of UAS technology. As with all things, there is always serious concerns with how a technology will be used. This applies to hobby and commercial UAS or drones.

    Recently, the release of methods describing global data collection by intelligence agencies rocked the world.

    I am now sharing that there is situation related to gathering of UAS-related information that has been ongoing for a length of time. It involves the use of DJI drones to collect audio, visual and telemetry data on all flights across the Globe. The details shared here are perhaps known to a limited number of the worldwide owners and users of the DJI technology. I feel that this sort of knowledge is something that every UAS pilot and every person/company/agency needs to understand related to your aerial missions.

    For the millions of flights that have been flown using DJI systems across the World, many have been flown at or near highly sensitive locations. Infrastructure, stadiums, military installations, construction sites etc. Among these locations, the conversations between the pilot and client or even the background conversations can reveal an incredible amount of information about these highly sensitive locations. Possibly specific details about security or details of the structure or asset being flown that are never to be shared outside of the project. Critical infrastructure access and layouts are being captured every day.

    First let’s look at the magnitude of this concern here in the USA. The FAA produced a FAA FORCAST citing that there will be millions of hobby drones flying by 2020. The commercial drone numbers show that there might be over 300,000 flying as of today. That’s just the commercial end of the drone units this year.

    Second, let’s consider exactly what is collected by DJI and why I have serious concerns about the use of this data.

    If a pilot is using the DJI GO 4 app and uploads a flight record to the DJI server, using the default settings on the app, there are many details provided related to your UAS mission:

    Telemetry – Where the drone was flown including GPS coordinates, the altitudes, speed and other details of the aircraft’s performance.
    Video – If a video was recorded, a down sampled version is also provided to DJI showing what was recorded.
    Audio – When using a phone or tablet, the microphone recording of all conversations and sound are embedded with the video cache file as well. If the sensor has a microphone, it is shared it’s audio as well.

    The combination of the above data produces a complete record of each and every flight EVER taken by your drone using the DJI application and drone. This information is stored on the DJI servers in the United States, China and Hong Kong.

    Reply
17. August 6, 2017 at 7:59 pm

    Tomi Engdahl says:

    College Students Will Give Up Friends’ Personal Details For A Slice Of Pizza, Study Finds
    http://www.iflscience.com/editors-blog/college-students-will-give-up-friends-personal-details-for-a-slice-of-pizza-study-finds/

    A study of college students has found they are willing to give up personal details of their friends for a single slice of pizza.

    Almost three-quarters (74 percent) of Americans have previously said that it’s “very important” for them to be in control of who can get information about them. A whopping 60 percent have said that they would never feel comfortable sharing their email contacts.

    Reply
18. August 7, 2017 at 4:16 am

    Tomi Engdahl says:

    Nicole Friedman / Wall Street Journal:
    Customer satisfaction with home and auto insurance claims has risen as insurers use more drones and AI to help inspect damage and automate decisions

    That Drone Hovering Over Your Home? It’s the Insurance Inspector
    About 40% of car insurers no longer use employees to physically inspect damage in some cases
    https://www.wsj.com/articles/that-drone-hovering-over-your-home-its-the-insurance-inspector-1501839002

    Reply
19. August 7, 2017 at 4:26 am

    Tomi Engdahl says:

    Kevin Roose / New York Times:
    Strict hacking laws, outdated government hiring rules, and a lack of incentives prevent ethical hackers from pitching in on cyber defense

    A Solution to Hackers? More Hackers
    https://www.nytimes.com/2017/08/02/technology/a-solution-to-hackers-more-hackers.html

    If there’s a single lesson Americans have learned from the events of the past year, it might be this: Hackers are dangerous people. They interfere in our elections, bring giant corporations to their knees, and steal passwords and credit card numbers by the truckload. They ignore boundaries. They delight in creating chaos.

    But what if that’s the wrong narrative? What if we’re ignoring a different group of hackers who aren’t lawless renegades, who are in fact patriotic, public-spirited Americans who want to use their technical skills to protect our country from cyberattacks, but are being held back by outdated rules and overly protective institutions?

    In other words: What if the problem we face is not too many bad hackers, but too few good ones?

    The topic of ethical hacking was on everyone’s mind at Def Con, the hacker convention last week in Las Vegas.

    The problem, they told me, is that the government doesn’t make it easy for well-meaning hackers to pitch in on defense. Laws like the Computer Fraud and Abuse Act make poking around inside many government systems, even for innocent research purposes, a criminal offense. More than 209,000 cybersecurity jobs in the United States currently sit unfilled

    National Security Agency said last year that the agency’s cybersecurity experts “are increasingly leaving in large numbers” for jobs in the private sector.

    Partly, that’s because private sector jobs tend to pay more. But it’s also because the government can be an inhospitable place for a hacker. Talented hackers can be disqualified for government jobs by strict background checks, and dissuaded by hiring processes that favor candidates with more formal credentials.

    These rules may keep a few bad apples away from critical government systems, but they also prevent many talented hackers from contributing.

    hackers could be enormously valuable, if they were properly enlisted in the fight against attacks.

    “These people may be all hackers, and they may occasionally break the law, but they all still want the banking system to work,” Mr. Kanuck said.

    The private sector has already discovered the benefits of hackers. Most major tech companies — including Facebook, Apple and Microsoft — offer “bug bounty” programs, in which they offer financial rewards to hackers who find holes in their security measures. These companies know that paying hackers up front for their expertise is significantly cheaper than cleaning up after a breach, and they understand that the risk of a hacker going rogue inside their systems is outweighed by the benefits of having well-trained experts catch bugs and vulnerabilities before the bad guys do.

    The most talked-about session at this year’s Def Con was when hackers were let loose on a series of computerized voting machines. These machines had been used in recent American elections, and most ran on comically outdated software. Hackers eventually broke into every machine and were able to manipulate the software to register fake ballots and change vote totals. (One enterprising hacker even rigged a voting machine to play the music video for Rick Astley’s “Never Gonna Give You Up.”)

    There is, of course, the problem of outdated software. But some of the world’s best security researchers have also been prohibited from poking and prodding at these machines by a thicket of copyright and anti-tampering laws. (The reason Def Con was able to test them at all is a 2015 exemption to the Digital Millennium Copyright Act that gave researchers a temporary pass to experiment on voting machines.) Now that white-hat hackers have found flaws in these machines, they can pass that knowledge on to the manufacturers and election officials, who can secure the machines ahead of the next election cycle.

    The hackers showed me how, with a few more clicks, they could have stolen all of my data and used it to ruin my life. Then, they helped me protect myself against a future attack by strengthening my passwords, fortifying my devices and teaching me what suspicious activities to look out for.

    Reply
20. August 7, 2017 at 4:29 am

    Tomi Engdahl says:

    I dared two expert hackers to destroy my life. Here’s what happened.
    http://splinternews.com/i-dared-two-expert-hackers-to-destroy-my-life-heres-wh-1793854995

    So I decided to stage an experiment that, in hindsight, sounds like a terrible idea: I invited two of the world’s most elite hackers (neither of whom I’d ever met) to spend two weeks hacking me as deeply and thoroughly as they could, using all of the tools at their disposal. My only conditions were that the hackers had to promise not to steal money or any other assets from me, reveal any of my private information, or do any harm to me, my data, or anyone else. And then, at the end of the hack, I wanted them to tell me what they found, delete any copies they’d made, and help me fix any security flaws or vulnerabilities I had.

    Fortune 500 companies do this kind of thing all the time. It’s called “penetration testing,” or “pentesting,” and it’s a staple of the modern corporate security arsenal. Large corporations and government agencies pay professional white-hat hackers thousands of dollars an hour to try to hack their servers, in the hopes that they’ll find holes and vulnerabilities that can be patched before a malicious hacker gets hold of them.

    I’m not a Fortune 500 company, but I still wanted to subject myself to a personal penetration test to see how my security measured up.

    If I had to give myself an overall digital security grade, I’d give myself an A-.

    But as it turned out, it didn’t matter how good my defenses were. Against a pair of world-class hackers, my feeble protections were about as useful as cardboard shields trying to stop a rocket launcher.

    Part 1: Social Engineering
    Part 2: The Shell
    Part 3: The Cleanup

    The first thing Marquis-Boire told me is that, relatively speaking, I’m pretty unlikely to be hacked by someone as skilled as Chris Hadnagy or Dan Tentler. I’m not a government official, a CEO, an intelligence officer, or a celebrity. And even though some journalists (and a few normal people) have been hacked to an extreme degree, it’s not likely that I fit the profile of someone whose life an attacker would be interested in destroying.

    This principle is called “privacy through obscurity.” Basically, the idea is that although anyone can theoretically be hacked by anyone with enough skill and time on their hands, the vast majority of us simply aren’t interesting enough for hackers to care about.

    His point, he explained, was that while people can—and should—take basic steps to protect their digital security, most people probably shouldn’t worry about being subjected to a mega-hack like the one Dan and Chris had put me through.

    Reply
21. August 7, 2017 at 4:31 am

    Tomi Engdahl says:

    Justin McCurry / The Guardian:
    Internal probe by South Korean spy agency shows that, under its former director, it backed an online disinformation campaign to sway SK’s 2012 presidential race

    South Korea spy agency admits trying to rig 2012 presidential election
    https://www.theguardian.com/world/2017/aug/04/south-koreas-spy-agency-admits-trying-rig-election-national-intelligence-service-2012

    National Intelligence Service says it mobilised cyberwarfare experts to ensure Park Geun-hye beat rival and now president Moon Jae-in

    Reply
22. August 7, 2017 at 9:13 am

    Tomi Engdahl says:

    Police security arrangements deplored during Putin’s visit in Finland – police explain embarrassing suffocation: “The reason for the keystroke bug”

    Oulu, Minna Timonen, was surprised to receive email from the police on July 27. When a woman opened the message, she did not have faith in her eyes; The text was internal police communication about the security measures associated with the meeting of Finnish airspace Vladimir Putin and Finnish President Sauli Niinistö.

    “This is always embarrassing,” says Taisto Huokko, Head of the Eastern Finland Police Department, commenting on Iltalehti.

    Iltalehti reported on Monday that secretary’s e-mail ended up with secret information about Russian President Vladimir Putin’s visit to Finland.

    The head of the Eastern Finland Police Department, Taisto Huokko, tells Iltalehti that an outsider had come to police communication because of a police misconduct.

    Iltalehti reported on Monday that police massive security arrangements in connection with the visit of Russian President Vladimir Putin to Finland were badly blown when police secret communication came to an outside person’s email.

    The topic that was seen by Oulu’s Minna Timonen contained information on movements of President Sauli Niinistö’s movements and information on Putin’s exact time of arrival.

    - The two helicopters in the air and landing at 13.37 and 13.38, at 12.06 pm, were told.

    The thread also contained more informal texts, such as “one consignor identified from the back”.

    - I can not understand how that thread ended up in my Hotmail address, Timonen commented on Iltalehde and told her that she had originally thought it was a spam or a junk.

    Messages to the outside just in the evening

    The appetite does not take the stage at this stage of how relevant the references in the topic thread have been, for example, to the back of the consignee.

    Sometimes this is embarrassing. On the other hand, one might think that this is very human.

    The distress emphasizes that, on the basis of the preliminary proclamation, the security of the presidents has not been compromised in any way.

    - Messaging occurred around midday, and an external ended up closer to nine, when the presidents were already at the opera.

    Source: http://www.iltalehti.fi/kotimaa/201708072200309915_u0.shtml

    Reply
23. August 7, 2017 at 10:39 am

    Tomi Engdahl says:

    Managing Security and Network Implications of Mergers and Acquisitions
    http://www.securityweek.com/managing-security-and-network-implications-mergers-and-acquisitions

    M&A Madness: Five Tips for Reconciling Your Data Security Posture When Going Through an Acquisition or Merger

    Here are five tips, based on our own experience, to help you manage the security and network implications of mergers and acquisitions:

    1. Immediately conduct a robust security assessment

    The first thing you should do—even before the ink dries—is to gather all stakeholders from both sides of the table and assess each companies’ existing network infrastructures. Differences in policies, procedures, and technology should be reviewed, and a plan put in place to standardize.

    2. Make sure the acquired company knows its responsibilities

    Security should not be the sole responsibility of the acquiring company. The IT team at the acquired company needs to step up and educate their new colleagues on the security requirements that previously affected their business, and how they may affect the new entity.

    3. Ensure data security consistency

    One of the hardest IT tasks associated with M&A is data integration. A plan to integrate both structured and unstructured data needs to be put into place so no data is lost, users continue to have access to pertinent information, and both companies remain compliant throughout the merging process. There are three options. A forklift solution would simply migrate one dataset to the other. If there is not an easy way to do that, IT may try to force a solution—which can be risky and expensive. The third option is to just simply maintain two separate datasets, but that would seriously affect workflows and create massive inefficiencies. Choosing what works for each situation requires an in-depth analysis of the overall cost, capabilities and effectiveness of each choice.

    4. Check, double check and recheck all compliance requirements

    Especially as individual companies, watchdog groups and governing bodies issue new regulations on data security and privacy, compliance needs to be an underlying consideration throughout the M&A process.

    5. Reconcile your cloud policies

    Everyone is migrating to the cloud in some way, shape or form, but there is no standardized playbook for how to get there. As a result, merging companies likely have different policies and vendors when it comes to the cloud. IT teams need to identify the current cloud approach at each company, reassess risk, and develop a consistent strategy for the combined entity. It may make sense to stick to the public cloud, create a virtual private cloud or adopt a hybrid model. Again, it is all about identifying what works in the context of the new organization.

    Reply
24. August 7, 2017 at 10:40 am

    Tomi Engdahl says:

    Microsoft Makes Third Attempt at Fixing Old Stuxnet Flaw
    http://www.securityweek.com/microsoft-makes-third-attempt-fixing-old-stuxnet-flaw

    One of the patches released by Microsoft as part of its June 2017 security updates represents the company’s third attempt at patching an old vulnerability exploited by the notorious Stuxnet worm in 2010.

    The initial vulnerability, tracked as CVE-2010-2568, allows a remote attacker to execute arbitrary code on a system using specially crafted shortcut files with the LNK or PIF extension.

    CVE-2010-2568 was one of the four zero-day vulnerabilities exploited in the 2010 Stuxnet attacks targeting Iran’s nuclear program. Despite being patched by Microsoft in August 2010, it has remained one of the most exploited vulnerabilities.

    In 2015, researchers discovered that Microsoft’s initial fix could be bypassed and the tech giant released another patch. The flaw, tracked as CVE-2015-0096, was treated by Microsoft as a completely new issue.

    Reply
25. August 7, 2017 at 10:56 am

    Tomi Engdahl says:

    The Coolest Talk at Defcon 25 That No One is Writing About
    http://www.securityweek.com/coolest-talk-defcon-25-no-one-writing-about

    This year, I was starting to think “I’m too old for this stuff!” Don’t get me wrong, I still love the community-oriented DIY hacker spirit of the conference, but after all this time, I was starting to think I’d seen it all. Yeah.

    But one talk blew my mind, and its surprising that no one’s been writing about it. The room was packed for “CableTap: Wireless Tapping Your Home Network.” I was expecting it to be a DIY class that could help hobby hackers see what’s happening on their home networks (because Comcast doesn’t provide a way). Instead, the scope of the talk was much, much broader and more entertaining.

    Three researchers, Marc Newlin and Logan Lamb, with Bastille Networks and Christopher Grayson with Web Sight, found 26 vulnerabilities within ISP network devices that would have given them remote admin access to the majority of home networks in the United States.

    The abstract of CableTap reads: “Our research revealed a wide array of critical vulnerabilities in ISP-provided, RDK-based wireless gateways and set-top boxes from vendors including Cisco, Arris, Technicolor, and Motorola. We demonstrated that it was possible to remotely and wirelessly tap all Internet and voice traffic passing through an affected gateway. We estimate tens of millions of ISP customers are affected by these findings.”

    The breadth of their hacks ranged from reverse-engineering the MAC address generation for Comcast’s Xfinity routers to exploiting vulnerabilities in the 20-year-old FastCGI subsystem used by webservers you never heard of, like Apache, NGiNX and lighthpttd.

    But the most significant analysis of the talk was around the mysterious reference development kit (RDK), an open-source platform (github link) used by ISPs within their cable modems and set-top boxes. The RDK is maintained and patched regularly by developers around the world. Since it is open source, anyone can see the source changes for vulnerability fixes, months before those fixes actually get built and pushed down to the millions of set-top boxes in America. This could be a source of vulnerabilities for months or years to come. Ah, the perils of open source.

    Reply
26. August 7, 2017 at 10:57 am

    Tomi Engdahl says:

    Hackers Can Use Git Repos for Stealthy Attack on Developers
    http://www.securityweek.com/hackers-can-use-git-repos-stealthy-attack-developers

    Malicious actors can abuse GitHub and other services that host Git repositories for stealthy attacks aimed at software developers, experts showed recently at the Black Hat security conference in Las Vegas.

    Clint Gibler, security researcher at NCC Group, and Noah Beddome, security researcher and Director of Infrastructure Security at Datadog, have been testing the systems of organizations involved in software development and noticed that a key point of security failure in many cases was introduced by improperly managed or improperly understood trust relationships.

    An in-depth analysis of the trust relationships between an organization, its developers, platforms and code revealed a series of security holes that can be exploited to evade the target’s defenses and gain persistent access to its systems.

    Development-focused environments consist of workstations, general users, local and remote developers, version control systems, code repositories, continuous integration systems, and staging and production systems.

    Reply
27. August 7, 2017 at 3:01 pm

    Tomi Engdahl says:

    Forget sexy zero-days. Siemens medical scanners can be pwned by two-year-old-days
    Take ‘em off the network, docs told, until 2015 patches arrive
    http://www.theregister.co.uk/2017/08/04/win7_brain_scanners_hacked/

    Hackers can exploit trivial flaws in network-connected Siemens’ medical scanners to run arbitrary malicious code on the equipment.

    These remotely accessible vulnerabilities lurk in all of Siemens’ positron emission tomography and computed tomography (PET-CT) scanners running Microsoft Windows 7. These are the molecular imaging gizmos used to detect tumors, look for signs of brain disease, and so on, in people. They pick up gamma rays from radioactive tracers injected into patients, and perform X-ray scans of bodies.

    US Homeland Security warned on Thursday that exploits for bugs in the equipment’s software are in the wild, and “an attacker with a low skill would be able to exploit these vulnerabilities.” That’s because the flaws lie within Microsoft and Persistent Systems’ code, which runs on the Siemens hardware, and were patched years ago.

    The patches just didn’t make their way to the scanners. That means an attacker on, say, a hospital network could access the machines and hijack them, or from afar over the internet if the device isn’t properly secured and left facing the public web.

    https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-822184.pdf

    Reply
28. August 7, 2017 at 3:04 pm

    Tomi Engdahl says:

    WannaCry researcher denies creating banking malware at court hearing
    The security researcher rose to fame for curbing the spread of the WannaCry ransomware in May.
    http://www.zdnet.com/article/wannacry-researcher-pleads-in-banking-malware-case/

    A security researcher who helped curb a global outbreak of the WannaCry ransomware earlier this year has told a court he is not guilty of charges of allegedly creating a notorious banking malware.

    Marcus Hutchins, 22, said he was not guilty during a hearing at a Las Vegas court after he was arrested and detained earlier this week.

    The news was confirmed by his attorney Adrian Lobo, speaking on Facebook Live to local reporter Christy Wilcox, at the court house.

    Hutchins was granted bail on a bond of $30,000 during a hearing at a Las Vegas court.

    He will not be allowed access to devices with an internet connection, said Wilcox, and he will be tagged to be monitored at all times.

    The security researcher, a British native, was arrested shortly before boarding a flight home. He had been attending the Def Con security conference late last month. He was briefly detained in a federal detention facility in Nevada, then later questioned by the FBI at its field office in Las Vegas.

    Hutchins was later indicted, along with an unnamed defendant, on six charges relating to allegations that he created the Kronos malware, a trojan that can steal banking usernames and passwords from victims’ computers.

    Reply
29. August 7, 2017 at 3:05 pm

    Tomi Engdahl says:

    Australian bank: Buggy software made us miss money laundering scam
    NB reports stop flowing, suits don’t notice for 3 YEARS… but bank throws devs under bus
    http://www.theregister.co.uk/2017/08/07/cba_blames_software_for_money_laundering_miss/

    Australia’s Commonwealth Bank has blamed a software update for a money laundering scam that saw criminals send over AU$70m (US$55m, £42.5m) offshore after depositing cash into automatic teller machines.

    News of the Bank’s involvement in the laundering scam broke last week, when Australia’s financial intelligence agency AUSTRAC announced that it had found over 53,500 occasions on which the Bank failed to submit reports on transactions over $10,000. All transactions of that value are reportable in Australia, as part of efforts to crimp the black economy, crime and funding of terrorism.

    The news was not a good look for the Bank (CBA), because most of the cash was deposited into accounts established with fake drivers licences.

    Worse still is that each failure of this type can attract a fine of AU$18m, leaving CBA open to a sanction that would kill it off.

    Today the bank has explained the reason for its failure: “a coding error” that saw the ATMs fail to create reports of $10,000+ transactions. The error was introduced in a May 2012 update designed to address other matters, but not repaired until September 2015.

    Reply
30. August 7, 2017 at 5:09 pm

    Tomi Engdahl says:

    Brendan Koerner / Wired:
    How a Russian hacking team reverse-engineers slot machine pseudorandom generators, then sends agents to casinos to beat machine’s odds, blackmail manufacturers — LATE LAST AUTUMN, a Russian mathematician and programmer named Alex decided he’d had enough of running his eight-year-old business.

    Meet Alex, the Russian Casino Hacker Who Makes Millions Targeting Slot Machines
    https://www.wired.com/story/meet-alex-the-russian-casino-hacker-who-makes-millions-targeting-slot-machines

    Late last autumn, a Russian mathematician and programmer named Alex decided he’d had enough of running his eight-year-old business. Though his St. Petersburg firm was thriving, he’d grown weary of dealing with payroll, hiring, and management headaches. He pined for the days when he could devote himself solely to tinkering with code, his primary passion. The time had come for an exit strategy.

    But Alex couldn’t just cash out as if he owned an ordinary startup because his business operates in murky legal terrain. The venture is built on Alex’s talent for reverse engineering the algorithms—known as pseudorandom number generators, or PRNGs—that govern how slot machine games behave. Armed with this knowledge, he can predict when certain games are likeliest to spit out money—insight that he shares with a legion of field agents who do the organization’s grunt work.

    These agents roam casinos from Poland to Macau to Peru in search of slots whose PRNGs have been deciphered by Alex. They use phones to record video of a vulnerable machine in action, then transmit the footage to an office in St. Petersburg. There, Alex and his assistants analyze the video to determine when the games’ odds will briefly tilt against the house.

    Reply
31. August 7, 2017 at 5:37 pm

    Tomi Engdahl says:

    https://www.google.fi/amp/s/arstechnica.com/gadgets/2017/08/army-tells-troops-to-stop-using-dji-drones-immediately-because-cyber/%3famp=1

    Reply
32. August 7, 2017 at 6:40 pm

    Tomi Engdahl says:

    Alexander J Martin / Sky News:
    UK government proposes Data Protection Bill that includes new “right to be forgotten” legislation for users and fines for companies that breach users’ privacy — Google and Facebook could face fines stretching into billions of pounds if they breach users’ privacy under a new law.

    Google and Facebook could be fined billions under new law
    http://news.sky.com/story/google-and-facebook-could-be-fined-billions-under-new-law-10977211

    The UK will be able to fine companies 4% of their global turnover if they breach users’ privacy under new laws.

    The fines are part of the Data Protection Bill which the Government is introducing to give citizens more control over their data.

    It will place new requirements on companies about how they are allowed to hold and use data on ordinary citizens.

    In the case of the most serious breaches of these rules, it allows the data regulator, the Information Commissioner’s Office (ICO), to fine companies £17m or 4% of their global turnover, whichever is higher.

    The fines for the largest companies which use individuals’ data to sell advertisements, such as Google and Facebook, could stretch to billions of pounds.

    Reply
33. August 7, 2017 at 6:47 pm

    Tomi Engdahl says:

    Tatiana Siegel / Hollywood Reporter:
    Group alleging they’re behind HBO data breach say they’re delaying releasing leaked material while they negotiate with potential buyers — The data dump will be delayed “because of some new buyers,” said an email to The Hollywood Reporter purported to be from the hackers.

    HBO Hack: No New Material Surfaces Despite Threat of Sunday Leak
    http://www.hollywoodreporter.com/news/hbo-hack-no-new-material-surfaces-threat-sunday-leak-1026862

    The data dump will be delayed “because of some new buyers,” said an email to The Hollywood Reporter purported to be from the hackers. “Some of HBO’s top competitors are negotiating with us.”

    The hacker or hackers behind the recent HBO breach did not carry through with a threat to release leaked material Sunday.

    It’s highly unlikely that any of HBO’s network rivals in the U.S. would purchase stolen content or other information obtained by a security breach. So either the email is an empty threat or its definition of an HBO “competitor” is very broad.

    It is unclear if the author of the email is involved in the hack, but it originated from the same account as that of previous communications with THR, which said there would be leaked emails Sunday. Other media outlets received word that HBO content would be downloaded.

    The next day, The Hollywood Reporter received an email purported to be from the hackers, which said email leaks would take place Sunday. “HBO (specially Poor Richard) is Bluffing,” the email said, in an apparent reference to Plepler’s memo. “We have ‘STILL’ full access to their webmails…. It’s just about money. We have weeks of negotiations with HBO officials, but they broke their promises and want to play with us…. So we have one option…. Wait till Sunday. HBO is Falling………..”

    Throughout the ordeal, HBO has been removing leaked content almost as quickly as it appears on sites. An entire Reddit thread that offered working links to Sunday night’s episode of Game of Thrones was removed.

    Reply
34. August 7, 2017 at 6:54 pm

    Tomi Engdahl says:

    F-Secure’s security chief estimates: “Hard data is handled inside the bubble”

    Iltalehti revealed on Monday that a completely outsider Oululaisnainen has received information from the police on the security measures of Russian President Vladimir Putin’s visit to Finland.

    Internal communications between police and security personnel in Russia and the Finnish Presidents ended up entirely with the external person’s email.
    The messages reported, among other things, when Putin’s copteries had risen and when they landed.

    Because of the typing error, the message of the police had ended up with Minna Timonen’s e-mail. The right recipient would have been Minna Immonen, Director of Police Communications.

    A woman’s e-mail had come up with a text message from the police, which discussed, inter alia, the exact time of the arrival of Putin’s helicopters. The chain also had information on the movements of Finnish President Sauli Niinistö .

    The reason for the end of the information to the wrong person was a typing mistake, says Arto Tynkkynen , the communications officer of the Eastern Finland Police Officer, criminal police officer. Tynkkynen had started a thread, some of which had come to an outsider. Some of the information received by the outside was confidential.

    - There has been a human error in it. There, the security of either president was not disturbed, as the posting of messages to the civilian population only took place after 9 pm, Tynkkynen tells STT.

    Because of the typing error, the message of the police had ended up with Minna Timonen’s e-mail. The right recipient would have been Minna Immonen, Director of Police Communications.

    The biggest secrets are hidden

    According to F-Secure’s Data Security Director Erka Koivunen , error-sending error messages can be easily accessed by all mail clients. He thinks that the police can hardly divide the fire with information in the normal email.

    - As a former state employee, I think if data is processed on an internet-connected device, it has not been the biggest secret in the world. Handling secrets is a separate bubble, from which sending a message to the outside world would be behind a bigger job.

    E-mail programs can also reduce the potential for human error. For example, you can turn off a feature that automatically fills the recipient’s address. In addition, users can utilize various encryption technologies. However, these actions may slow down the basic work, Koivunen says.

    The birch is an easy way to improve email security a lot. This information can be stored in an organization’s existing system and only e-mail the link to the required information.

    - Even if the wrong person had a link, he would not have the content open.

    Deputy Police Chief of Security Police Officer Annina Hautala says she can not tell exactly how police protect emails for security reasons. It is still unclear whether the police will change their communication practices because of the case.

    Source: http://www.iltalehti.fi/kotimaa/201708072200310647_u0.shtml

    Reply
35. August 7, 2017 at 11:54 pm

    Tomi Engdahl says:

    Defeating Samsung KNOX With Zero Privilege by Di Shen
    Published July 27, 2017 in Technology
    https://speakerdeck.com/retme7/defeating-samsung-knox-with-zero-privilege

    In this talk I will describe how I used an exploit chain to defeat the Samsung KNOX 2.6 with zero privilege, including KASLR bypassing, DFI bypassing, SELinux fully bypassing and privilege escalation.

    Reply
36. August 8, 2017 at 12:01 am

    Tomi Engdahl says:

    Former Bupa employee offered 1 million customer records for sale on dark web
    http://securityaffairs.co/wordpress/61636/data-breach/bupa-security-breach.html

    A former employee of healthcare giant Bupa was selling between 500,000 and 1 million records on the healthcare giant Bupa was selling between 500,000 and 1 million records on the dark web. The former employee whose identity remains undisclosed had sold several batches of hundreds of thousands of records managed by Bupa.

    Analysts at DataBreaches found a first batch of records stolen by the former employee on June 23, the man was offering them on a dark web marketplace. DataBreaches revealed the vendor MoZeal was offering for sale at least 500,000 records

    The listing contained insurance data from 122 countries and customers’ personal information including member and registration IDs, names, birthdates, contact information and information about intermediaries.information including member and registration IDs, names, birthdates, contact information and information about intermediaries.

    Reply
37. August 8, 2017 at 9:14 am

    Tomi Engdahl says:

    Tatiana Siegel / Hollywood Reporter:
    Hackers leak a month’s worth of HBO VP Leslie Cohen’s emails and internal documents, HBO says it does not believe that entire email system was compromised — The release of a month’s worth of vp Leslie Cohen’s inbox is the first indication that HBO’s emails have been penetrated, at least partially.

    HBO Hackers Leak Top Executive’s Emails
    http://www.hollywoodreporter.com/news/hbo-hackers-leak-top-executives-emails-1027417

    Reply
38. August 8, 2017 at 9:49 am

    Tomi Engdahl says:

    Georgina Prodhan / Reuters:
    Siemens to patch medical PET scanners running Windows 7 by the end of month, following last week’s DHS notice about available exploits

    Siemens to update medical scanner software to deal with security bugs
    http://www.reuters.com/article/us-siemens-healthcare-cyber-idUSKBN1AN1XB

    Reply
39. August 8, 2017 at 9:50 am

    Tomi Engdahl says:

    Brendan Koerner / Wired:
    How a Russian hacking team reverse-engineers slot machine pseudorandom generators, then sends agents to casinos to beat machine’s odds, blackmail manufacturers

    Meet Alex, the Russian Casino Hacker Who Makes Millions Targeting Slot Machines
    https://www.wired.com/story/meet-alex-the-russian-casino-hacker-who-makes-millions-targeting-slot-machines

    Reply
40. August 8, 2017 at 10:17 am

    Tomi Engdahl says:

    China’s Web Users Fear Losing Tools to Bypass ‘Great Firewall’
    http://www.securityweek.com/chinas-web-users-fear-losing-tools-bypass-great-firewall

    Enterprising internet users in China fear the tools they use to tunnel through the country’s “Great Firewall” may soon disappear, as Beijing tightens its grip on the web.

    Tens of millions of people are estimated to use Virtual Private Networks (VPNs) to bypass Chinese internet restrictions — getting access to blocked websites such as Facebook and Twitter.

    Beijing has for years turned a blind eye to these holes in its Great Firewall, but recent events suggest the virtual tunnels may soon be bricked up.

    In January China’s Ministry of Industry and Information Technology (MIIT) announced it would be banning the use of unlicensed providers of the services.

    In the months since the rule’s announcement, rumours have swirled that a crackdown was coming, but there was little clarity on what exactly the rule meant and how, or even if, it would be implemented.

    In the past few weeks, however, omens of significant tightening seem to be everywhere.

    Several luxury hotels in Beijing have said they will stop using the tools, which once provided unfiltered Internet as a convenience to their customers.

    On Thursday, a cloud service provider in the capital notified users that it would practise shutting down and reporting VPN providers on the orders of Beijing’s Public Security bureau.

    Reply
41. August 8, 2017 at 10:18 am

    Tomi Engdahl says:

    Windows 10 Can Detect PowerShell Attacks: Microsoft
    http://www.securityweek.com/windows-10-can-detect-powershell-attacks-microsoft

    Windows 10 can detect suspicious PowerShell activities, code injection, and malicious documents, including attacks where a process connects to a web server and starts dropping and launching an app, Microsoft says.

    The functionality is integrated into Defender Advanced Threat Protection (Windows Defender ATP), which was released along Windows 10 Creators Update (and built into the core of Windows 10 Enterprise). The security software is also set to receive a series of enhancements in the Fall Creators Update. Courtesy of endpoint sensors built into Windows 10, along with machine learning technologies, Windows Defender ATP relies on a generic stream of behavioral events to improve detection, the tech giant says.

    According to Microsoft, a process’ behavior is defined “not only by its own actions but also by the actions of descendant processes and other related processes,” and many of the actions associated with process execution are usually performed by other processes (injected with malicious code) when malware is involved. Thus, Windows Defender ATP incorporates process behavior trees, being able to analyze the actions and behaviors of a process and its descendants, related either through process creation or memory injection.

    Reply
42. August 8, 2017 at 10:19 am

    Tomi Engdahl says:

    SMBs Eye Managed Security Solutions: Survey
    http://www.securityweek.com/smbs-eye-managed-security-solutions-survey

    Webroot commissioned Wakefield Research to query 600 SMB IT decision makers in the US, UK and Australia to discover current attitudes towards IT security among companies with less than 500 employees. Such companies are often thought to be more at risk of successful cyber-attacks because of smaller budgets, fewer IT staff, and fewer infosecurity products designed for the smaller company.

    The results of the survey (PDF) show the curious mixture of reality and wishful-thinking that often affects perception of infosecurity. For example, only 31% of US SMBs consider ransomware to be a major threat in 2017 — despite 49% being concerned about ‘new forms of malware’. In the UK, ransomware is considerd a bigger threat at 50%, with 59% worrying about new forms of malware. This is despite previous Webroot research (PDF) showing that over 60% of companies have already been affected by ransomware; while most analysts believe the threat is still increasing.

    Self-confidence is high. First, 72% of SMBs globally believe that they are at least “almost completely ready to manage IT security and protect against threats”; second, 89% of SMBs around the world believe they have staff who could successfully address and/or eliminate a cyber-attack; and thirdly, 87% are confident in their staff cyber security education.

    Reply
43. August 8, 2017 at 10:20 am

    Tomi Engdahl says:

    Schneider Electric, Claroty Partner on Industrial Network Security
    http://www.securityweek.com/schneider-electric-claroty-partner-industrial-network-security

    Energy management and automation giant Schneider Electric has teamed up with industrial cybersecurity startup Claroty to offer its customers solutions for protecting industrial control systems (ICS) and operational technology (OT) networks.

    Claroty, which emerged from stealth mode in September 2016 with $32 million in funding, will market its products through Schneider’s Collaborative Automation Partner Program (CAPP).

    Schneider’s CAPP enables its customers to find the right technology solutions and integrate them with the company’s own offering. Claroty, whose products have undergone rigorous testing to ensure interoperability, will provide network monitoring solutions.

    Claroty’s platform is designed to protect ICS and continuously monitor OT networks for threats without disrupting operations. The product enables organizations to control remote employee and third-party access to critical systems, including record their sessions. It also creates a detailed inventory of industrial network assets, identifies configuration issues, monitors traffic, and looks for anomalies that could indicate the presence of a malicious actor.

    The product can be integrated with Schneider Electric’s existing cybersecurity and edge control offerings through the company’s EcoStruxure architecture.

    Reply
44. August 8, 2017 at 10:22 am

    Tomi Engdahl says:

    Arrest Shines Light on Shadowy Community of Good, Bad Hackers
    http://www.securityweek.com/arrest-shines-light-shadowy-community-good-bad-hackers

    Two months ago, Marcus Hutchins was an “accidental hero,” a young computer whiz living with his parents in Britain who found the “kill switch” to the devastating WannaCry ransomware.

    Today, the 23-year-old is in a US federal prison, charged with creating and distributing malicious software designed to attack the banking system.

    His arrest this week stunned the computer security community and shines a light on the shadowy world of those who sometimes straddle the line between legal and illegal activities.

    Hutchins’ arrest following Def Con in Las Vegas, one of the world’s largest gathering of hackers, delivered “an extreme shock,” according to Gabriella Coleman, a McGill University professor who studies the hacker community.

    “The community at Def Con would not admire a hacker who was doing hard core criminal activity for profit or damage — that is frowned upon,” Coleman told AFP.

    “But there are people who do security research… who understand that sometimes in order to improve security, you have to stick your nose in areas that may break the law. They don’t want to hurt anyone but they are doing it for research.”

    Hackers are generally classified as “white hats” if they stay within the law and “black hats” if they cross the line.

    At gatherings like Def Con, “you have people who dabble on both sides of the fence,” said Rick Holland, vice president at the security firm Digital Shadows.

    An indictment unsealed by US authorities charges Hutchins and a second individual — whose name was redacted — of making and distributing in 2014 and 2015 the Kronos “banking Trojan,” a reference to malicious software designed to steal user names and passwords used at online banking sites.

    Reply
45. August 8, 2017 at 10:24 am

    Tomi Engdahl says:

    User and Entity Behavior Analytics – A Floor Wax and a Dessert Topping
    http://www.securityweek.com/user-and-entity-behavior-analytics-floor-wax-and-dessert-topping

    User and Entity Behavioral Analytics (UEBA) has evolved quite a bit over the past several years. It started as just User Behavioral Analytics, which focused on catching malicious insider threats and then practitioners and vendors realized that user activity is only part of the picture and that the behavior of servers and endpoints are also important to get a more complete perspective. This is especially true when analyzing the Internet of Things and Industrial Control System environments. Today, UEBA is no longer being used as just a single point solution, it is being touted as a feature or a major element of everything from insider threat tools to SIEM tools to cyber risk analytics to endpoint protection.

    Organizations are increasingly combining UEBA technology with other data sources and analytics methods to overcome cyber risk challenges on a broader scale. For example, they are using UEBA to analyze the intersection of unusual user and machine behavior with indicators of attack/compromise to identify compromised accounts. They are using UEBA to identify vendor-based insider threats and combining that information with other risk intelligence to obtain a 360-degree view of third party risk that can be used by both security and vendor risk management stakeholders to reduce risk posed by outsiders with access to corporate networks and information. With the General Data Protection Regulation (GDPR), taking effect in May 2018, there has been a renewed focus on protecting the private data of employees, customers and shareholders. UEBA is being used to detect the mishandling of sensitive data, which could result in enterprises being out of compliance with the GDPR. This includes understanding the behavioral patterns of what people are accessing, unusual access, unusual handling of data classification levels, unusual unencryption actives and unusual email and cloud upload patterns.

    Reply
46. August 8, 2017 at 10:31 am

    Tomi Engdahl says:

    Engineer gets 18 months in the clink for looting ex-bosses’ FTP server
    Chap admits he carried on accessing confidential email, schematics after qutting
    https://www.theregister.co.uk/2017/08/08/us_engineer_gets_18mo_ftp_access/

    An engineer has been jailed for 18 months after admitting to stealing blueprints from his former employer’s FTP server.

    Jason Needham, 45, of Arlington, Tennessee, USA, worked at engineering firm Allen & Hoshall up until 2013, when he left to set up his own consultancy, HNA. But in the two years following his departure he hacked his former employer’s file server repeatedly and downloaded schematics, staff emails, and budget and marketing documents.

    “The corporate community is a vital part of growth and development for any city. Security crimes will not be tolerated in this district. We will come after you.”

    Earlier this year, a Tennessee district heard that Needham accessed the email account of a former colleague at Allen & Hoshall and used it to plunder documents. The IP address Needham used to illegally access the inbox was logged, and traced back to Needham’s home internet connection.

    He also got access to Allen & Hoshall’s FTP server and downloaded more than 100 PDF documents and 82 AutoCAD files containing A&H’s schematics, job bids, and other proprietary information.

    Reply
47. August 8, 2017 at 10:32 am

    Tomi Engdahl says:

    US Homeland Security CIO hits ctrl-alt-delete after just three months
    Staropoli lasts just under nine Mooches
    https://www.theregister.co.uk/2017/08/08/dhs_cio_steps_down/

    The chief information officer of America’s Department of Homeland Security has become the latest Trump administration appointee to resign.

    Richard Staropoli, the former US secret service agent who at one time vowed to run the department “like a hedge fund,” will be leaving at the end of the month. Staropoli had been appointed to the CIO position by the Trump White House in May of this year. Prior to that he had worked at hedge fund Fortress Investment group as the CISO and head of global security.

    Staropoli had also spent 25 years working in the US Secret Service. According to his bio, Staropoli’s duties included work with the Presidential Protective Division, the Counter Assault Team, and the Secret Service’s Hostage Rescue Unit.

    Reply
48. August 8, 2017 at 10:33 am

    Tomi Engdahl says:

    Cisco loses customer data in Meraki cloud muckup
    ‘Erroneous policy’ upload deleted custom apps, IVR menus and custom bling
    https://www.theregister.co.uk/2017/08/06/cisco_meraki_data_loss/

    Cisco has admitted to a cloud configuration cockup that erased customer data.

    The networking giant explained: “On August 3rd, 2017, our engineering team made a configuration change that applied an erroneous policy to our North American object storage service and caused certain data uploaded prior to 11:20AM Pacific time on August 3 to be deleted.”

    “Our engineering team is working over the weekend to investigate what data we can recover,” Cisco’s advisory says, adding that the company is working on “tools we can build to help our customers specifically identify what has been lost from their organization.”

    Reply
49. August 8, 2017 at 10:35 am

    Tomi Engdahl says:

    Big question of the day: Is it time to lock down .localhost?
    IETF considering making a new .onion
    https://www.theregister.co.uk/2017/08/08/time_to_lock_down_localhost/

    A proposal to tightly lock down localhost as a reserved top-level domain name has bubbled up to the surface again at the Internet Engineering Task Force.

    The hostname localhost is used just about everywhere: it’s useful for referring to the computer you’re using in front of you, or whatever machine a piece of software is running on. It’s useful during the development of applications and networked systems. So useful, in fact, that it is one of a very few “special” names given formal protection on the internet (the others being “test,” “example,” and “invalid”).

    But, as Google engineer Mike West noted in September last year, the protections in place may not be sufficiently strict. The relevant RFCs covering use of localhost say that the IPv4 block 127.0.0.1/8 and IPv6 block ::1/128 are reserved as loopback addresses: packets to these addresses stay on the local machine, aka the localhost. This localhost name and any names falling within .localhost are reserved, and that programmers can “assume that IPv4 and IPv6 address queries for localhost names will always resolve to the respective IP loopback address.”

    Thus, software connecting to localhost should resolve to, say, 127.0.0.1, and therefore connect to the host machine.

    This may seem tickety-boo, but it doesn’t seem very concrete – particularly when you realize that software is expected to run localhost past DNS resolvers to look up, which are expected to return a loopback address, such as 127.0.0.1. That has resulted, West claims, in people hardcoding localhost to 127.0.0.1 in their system configurations to ensure an external resolver doesn’t hijack localhost.

    Great. So what? Well, the inclusion of a hardcoded IPv4 address is only going to cause problems down the line as we slowly move to IPv6. It’s just bad engineering.

    And now implementation

    Which all seems pretty reasonable and straightforward. Except this being the internet and the IETF, the question is not whether you should do it, but how. And that is where the problems start.

    West put out a revised version of his draft proposal on Sunday, and is looking to move it forward to becoming an IETF standard. The new draft has already prompted online discussion.

    The big question is whether, in order to ensure that “localhost” connections never reach out to the broader internet, you need to add the name to the internet’s root servers.

    One advocate for the new RFC agrees that adding “.localhost” to the root zone is a bad idea “because it would mask implementation errors” – any accidental live connections should get an error.

    Reply
50. August 8, 2017 at 3:43 pm

    Tomi Engdahl says:

    The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
    https://www.wsj.com/amp/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

    Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly—he regrets the error

    Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts

    Reply