2017 will not bring a turn towards better data security. The internet is rife with both well-known and unknown threats, and companies' systems are still expected to be protected against them. Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure comes under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of the modern technologies that are essential for the functioning of society and the economy. The IT security functions of industrial control systems (ICS), energy grids and IoT networks need to be improved in 2017.
There is a push for better web security in 2017. Starting New Year's Day, Google's Chrome will begin labeling as "insecure" all websites that transmit passwords or ask for credit card details over plain-text HTTP. Beginning in January 2017 (Chrome 56), HTTP pages that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and the major browser makers, including Microsoft, Google and Mozilla, have already announced plans to adopt the change. Their browsers will no longer trust sites that use SHA-1 certificates from that date, and will mark these websites as insecure. A third of websites still use SHA-1 certificates despite the looming deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
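The practical question for a site owner is which of their own certificates still carry a SHA-1 signature. The following is an added example, not code from this post: a minimal DER walker that reads the signatureAlgorithm of an X.509 certificate and also checks that it matches the algorithm declared inside tbsCertificate. It uses only the Python standard library; the OID table is written for this example, and the certificate produced by fake_cert() is a constructed shell with a dummy body and signature, not a real certificate.

```python
"""
Added example (not from the original post): a minimal DER walker that reports
which signature algorithm an X.509 certificate carries, so a fleet can be
audited for lingering SHA-1 signatures before browsers stop trusting them.
Standard library only. The sample built by fake_cert() is CONSTRUCTED:
a structurally valid shell with a dummy body and signature, not a real cert.
"""

# AlgorithmIdentifier OIDs -> (name, hash). Table written for this example.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OID content bytes to dotted form (b'\\x2a\\x86\\x48...' -> '1.2.840...')."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }"""
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must begin with an OID")
    return decode_oid(oid_bytes)

def signature_algorithm(cert_der):
    """Report the outer signatureAlgorithm and whether it matches the
    tbsCertificate.signature field (a mismatch is malformed and suspicious)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)                   # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)             # signatureAlgorithm
    # tbsCertificate: [0] version OPTIONAL, serialNumber, signature, ...
    tag, _, nxt = read_tlv(tbs, 0)
    p = nxt if tag == 0xA0 else 0
    _, _, p = read_tlv(tbs, p)                        # serialNumber
    _, inner_alg, _ = read_tlv(tbs, p)                # signature
    oid = algorithm_oid(outer_alg)
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return {"oid": oid, "name": name, "hash": digest,
            "consistent": oid == algorithm_oid(inner_alg)}

def uses_sha1(cert_der):
    return signature_algorithm(cert_der)["hash"] == "SHA-1"

# --- constructed sample data ---------------------------------------------
def der(tag, content):
    """Tiny DER encoder used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def fake_cert(oid_bytes, inner_oid_bytes=None):
    """CONSTRUCTED certificate shell; inner_oid_bytes lets a mismatch be simulated."""
    def alg(o):
        return der(0x30, der(0x06, o) + der(0x05, b""))       # NULL params
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))             # version v3
                    + der(0x02, b"\x01")                      # serialNumber
                    + alg(inner_oid_bytes or oid_bytes))      # signature
    sig = der(0x03, b"\x00" + bytes(256))                     # dummy 2048-bit sig
    return der(0x30, tbs + alg(oid_bytes) + sig)

if __name__ == "__main__":
    for label, cert in (("sha1", fake_cert(OID_SHA1_RSA)),
                        ("sha256", fake_cert(OID_SHA256_RSA))):
        print(label, signature_algorithm(cert))
```

To audit a real certificate, read the DER bytes from disk (or strip the PEM armour and base64-decode) and pass them to signature_algorithm(); anything reporting "SHA-1" needs reissuing before the browser deadline. Note that this only inspects the leaf's own signature; intermediates in the chain need the same check.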
There will be changes in how businesses view security in 2017. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer be just an option, AI and machine learning will shake up old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The commoditization of cyberattacks will make them more frequent in 2017. More and more companies suffer business disruption due to cyber attacks. Cyber attacks cause companies significant financial losses, but studies show that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies will have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won't be much better, sorry. DDoS attacks have been around since at least 2000, and they're not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will let you pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS, and DDoS will overshadow ransomware and be used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones, and the technology is already fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them going into smartphones and laptops). 91 per cent of biometric sales were fingerprint sensors, four per cent face recognition and three per cent iris recognition.
Biometrics won't kill passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection against a skilled cybercriminal, the password will never disappear entirely, as two per cent of the world's population have fingerprints that are not suitable for a biometric identifier to work. Other biometric identification systems have similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint, face, iris, palm and speech recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other biometrics become commonplace, passwords are here to stay, probably until circa 2030.
The fight over encryption and backdoors is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side, the House Judiciary Committee's Encryption Working Group says in its latest report that encryption backdoors pose a security threat, siding with tech experts. The problem is that any mechanism allowing police to get into an encrypted system (be it a phone, a computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the long-term impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements in and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: the cloud becoming insecure, with extortion and IoT openings.
The rivalry between network attacks and network security is accelerating. Crippling Internet services with denial of service attacks is becoming more common throughout the world. IoT-powered attacks will continue to rise, and stopping an attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company's Internet connection or servers (so the need to use telecom operator and external mitigation services increases). In addition to service disruption, denial of service attacks are often used as a distraction during the actual data burglary. DDoS may take over from ransomware as a cause for concern.
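The reason attack traffic has to be stopped upstream becomes obvious once you count requests at the edge. The following is an added example, not code from this post: a sliding-window detector run over constructed web-server access log lines (common log format, made up for this example, not real traffic). It flags any single source exceeding a request-rate threshold, and separately reports the busiest global window with its number of distinct sources, which is the figure that tells a per-source rate limit apart from a distributed flood that no per-IP rule can absorb.

```python
"""
Added example (not from the original post): per-source sliding-window request
counting over CONSTRUCTED access log lines, plus a global-window summary.
Threshold, window size and the log lines are all assumptions for this demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Common log format -> (ip, timestamp, request, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)

def detect_floods(lines, window_s=10, threshold=20):
    """Return {ip: peak requests seen within any window_s-second window}
    for every source that reached the threshold. Lines must be in time order."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec[0], rec[1]
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:   # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = max(alerts.get(ip, 0), len(q))
    return alerts

def busiest_window(lines, window_s=10):
    """(peak total requests, distinct sources at that peak) over all traffic.
    Many sources at a low rate each is the distributed case a per-IP rule misses."""
    q = deque()
    peak = (0, 0)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t = rec[0], rec[1]
        q.append((t, ip))
        while (t - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > peak[0]:
            peak = (len(q), len({src for _, src in q}))
    return peak

# --- constructed sample log --------------------------------------------------
def constructed_log():
    """Made-up traffic: one steady visitor, one occasional visitor, and one
    source that fires 40 requests in five seconds. Returned in time order."""
    fmt = '{ip} - - [10/Aug/2017:12:00:{s:02d} +0000] "GET /{path} HTTP/1.1" 200 512'
    lines = []
    for s in range(0, 30):
        lines.append(fmt.format(ip="198.51.100.4", s=s, path="index.html"))
        if s % 10 == 0:
            lines.append(fmt.format(ip="192.0.2.9", s=s, path="about"))
    for s in range(15, 20):
        for _ in range(8):
            lines.append(fmt.format(ip="203.0.113.7", s=s, path="search?q=x"))
    lines.sort(key=lambda l: parse_line(l)[1])        # stable: keeps per-IP order
    return lines

if __name__ == "__main__":
    log = constructed_log()
    print("per-source alerts:", detect_floods(log))
    print("busiest 10 s window (total, distinct sources):", busiest_window(log))
```

In the constructed log the single hostile source trips the per-IP rule, but the global window shows how a flood from thousands of sources at a few requests each would pass every per-source check while still saturating the link, which is exactly why the mitigation has to happen at the operator or scrubbing layer rather than on the company's own connection.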
In 2017 IT and security professionals will talk more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool's errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 'security' must be added to our existing ethical and philosophical concerns over artificial intelligence and algorithms. Algorithms will soon run the world. They present problems that are seriously questioned on both ethical and philosophical grounds, and they have become the basis of fictional Armageddons.
Cyber insurance will be considered more often as one solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7. Those of you who have read George Orwell's book 1984 or seen the movie will remember how the citizens of the fictitious totalitarian state of Oceania are constantly under surveillance by order of its dictator, Big Brother. Now swap your home desktop computer, laptop or smartphone for the fictitious telescreen: not only are you sitting in front of a modern-day version of the Big Brother telescreen, you are also walking around with one in your pocket or handbag. Sound a bit far-fetched to you? Well, it's set to become a reality in many countries.
Users will want better security, or at least to feel more secure, in 2017. Many people are prepared to go to extremes for better security. According to a recent Harris Poll survey of over 2,000 adults, nearly 40% of Americans would give up sex for a year, or eating their favourite food, in exchange for better online security, if it meant they'd never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest: a solid password, and not giving it to other people. Still, nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security becomes a multi-system issue, and more people are talking about it. Design teams will have to bake security strategies in from the start, no matter how insignificant the device. The good news is that more people are talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren't even considered as part of the design process. Just as devices get more sophisticated, so do hackers. The reality is that security breaches can even cause physical harm. It's time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years, and the block chain market is divided as 2017 starts. During autumn 2016 we saw a number of cooperation initiatives between the financial sector and consulting companies. Microsoft has chosen the Ethereum block chain as a platform and offers it in its Azure cloud service. IBM has jumped on the Hyperledger consortium bandwagon and is offering its own block chains in its Bluemix service. Google and Amazon are still conspicuous by their absence. Even banks may prefer to use the cloud for their block chains.
Other prediction articles worth a look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
Samuel Gibbs / The Guardian:
HBO hackers demand a multimillion-dollar ransom and release emails, scripts, and personal phone numbers of GoT stars in latest dump of stolen data
Game of Thrones stars’ personal details leaked as HBO hackers demand ransom
https://www.theguardian.com/technology/2017/aug/08/game-of-thrones-stars-personal-details-leaked-hbo-hackers-demand-ransom
Group tells company CEO to pay multimillion-dollar ransom or else risk 1.5TB of shows and confidential corporate data being released online
Hackers of US television network HBO have released personal phone numbers of Game of Thrones actors, emails and scripts in the latest dump of data stolen from the company, and are demanding a multimillion-dollar ransom to prevent the release of whole TV shows and further emails.
In a five-minute video letter from somebody calling themselves “Mr Smith” to HBO chief executive Richard Plepler, the hackers told the company to pay within three days or they would put online the HBO shows and confidential corporate data they claim to have stolen.
The hackers claim to have taken 1.5TB of data – the equivalent to several TV series box sets or millions of documents – but HBO said that it doesn’t believe its email system as a whole has been compromised, although it did acknowledge the theft of “proprietary information”.
HBO said it is continuing to investigate and is working with police and cybersecurity experts.
Tomi Engdahl says:
Forget the Russians: Corrupt, Local Officials Are the Biggest Threat To Elections
https://it.slashdot.org/story/17/08/07/213226/forget-the-russians-corrupt-local-officials-are-the-biggest-threat-to-elections?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
It’s the Corruption, Stupid: why Russians aren’t the biggest threat to Election Security
https://securityledger.com/2017/08/its-the-corruption-stupid-why-russians-arent-the-biggest-threat-to-election-security/
In-brief: Russian hackers aren’t the biggest threat to the security and integrity of elections says Bev Harris of Black Box Voting. Instead, it’s a more common enemy: run of the mill political corruption, mostly at the local level. Also: Eric Hodge of CyberScout talks about the challenges of helping states secure their election systems. Problem number one: recalcitrant voting machine makers.
When the world’s top hackers and security experts gathered in Las Vegas last week for the DEFCON hacking conference, the security of election systems was put under the microscope in a “Voting Village,” in which attendees could try their hand at compromising some of the hardware and software that is used to tabulate votes and decide elections throughout the US.
According to news reports, it wasn’t much of a contest. The first voting machine, a WinVote system that was decertified in Virginia in 2015 because of security vulnerabilities, fell within minutes. And by the end of the weekend, every one of the roughly 30 machines, vote tabulators and portable devices used to check voters in at the polls had been compromised.
Sadly, this is nothing new. Many of the devices in use today have been known to be vulnerable for years, while other weaknesses in the election system such as poll workers and board of elections employees who are vulnerable to social engineering attacks may pose an even bigger threat than hackable hardware and software.
Their perspectives on this problem are enlightening and really worth hearing. Both tell us that the complexity and decentralized nature of the U.S. election system is both a strength and a weakness; it makes the system impossible to compromise in its entirety, while also creating many openings for mischief makers at the local, county or state level.
At the root of our current problem isn’t (just) vulnerable equipment, it’s also a shoddy ‘chain of custody’ around votes: where they are collected, how they are moved and tabulated and then how they are handled after the fact, should citizens or officials want to review the results of an election. That lack of transparency leaves the election system vulnerable to unwanted influence. That could be shadowy Russian hackers like whoever are the members of the “Fancy Bear” APT group. Even more likely is “Senator Bedfellow” that is: elected officials or career bureaucrats acting in their interest.
At the root of much election tampering is a common motive. “It’s money,” Harris told me. “There’s one federal election every four years, but there are about 100,000 local elections which control hundreds of billions of dollars in contract signings.”
“There are 1,000 convictions every year for public corruption,” Harris says, citing Department of Justice statistics. “It’s really not something that’s even rare in the United States.”
We may not think that corruption is a problem, because we rarely see it manifested in the ways that most people associate with public corruption.
How does the prevalence of public corruption touch election security? Exactly in the way you might think. “You don’t know at any given time if the people handling your votes are honest or not,” Harris said. “But you shouldn’t have to guess. There should be able to check.”
And that’s exactly the problem Eric Hodge is working with at the state level. His company, CyberScout, has been contracted by officials in Kentucky and other states to help assess the security of elections systems.
Tomi Engdahl says:
PlayStation Network and Xbox Live have a porn bot spam problem
https://m.mic.com/articles/183416/playstation-network-and-xbox-live-have-a-porn-bot-spam-problem#.kY4PIS6k8
The porn bot problem isn’t new. It’s a lucrative endeavor, especially when you can hit critical mass on a place like Twitter. But it’s a fairly new issue for platforms like PlayStation Network and Xbox Live. If you’re unfamiliar, PlayStation Network (PSN) and Xbox Live (XBL) both have messaging platforms that allow users to interact with one another. It’s a bit ungainly to type on a controller, but they have mobile apps and Xbox Live is also connected to Windows 10 systems by default.
Tomi Engdahl says:
UK Introduces Data Protection Bill to Replace GDPR After Brexit
http://www.securityweek.com/uk-introduces-data-protection-bill-replace-gdpr-after-brexit
The UK government has announced its plans for a new Data Protection Bill. This was foreshadowed in the Queen’s Speech of 21 June when she announced, “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data.”
This law is, in effect, the European General Data Protection Regulation designed to withstand Brexit. The UK will still be part of the European Union when GDPR comes into effect in May 2018. However, the government is already under great pressure to transpose 40 years of European laws onto the British statute books in time for the actual severance. It makes sense, therefore, to prepare a GDPR-compliant UK law immediately.
GDPR Industry Roundup: One Year to G
http://www.securityweek.com/gdpr-industry-roundup-one-year-go
Tomi Engdahl says:
Microsoft dumps notorious Chinese secure certificate vendor
http://www.zdnet.com/article/microsoft-dumps-notorious-chinese-secure-certificate-vendor/
Microsoft has joined Apple, Google, and Mozilla in disabling security certificates from Chinese company WoSign and its StartCom subsidiary.
Microsoft has had enough of the Chinese Certificate Authorities (CAs) WoSign and its subsidiary StartCom’s poor security. Soon, neither Internet Explorer nor Edge will recognize new security certificates from either company.
A CA is a trusted entity that issues X.509 digital certificates that verify a digital entity’s identity on the internet. Certificates include its owner’s public key and name, the certificate’s expiration date, encryption method, and other information about the public key owner. Typically, these are used to secure websites with the https protocol, lock down internet communications with Secure Sockets Layer and Transport Layer Security (SSL/TLS), and secure virtual private networks (VPNs). A corrupted certificate is barely better than no protection at all. It can be used to easily hack websites and “private” internet communications.
WoSign and StartCom lost their reputation for reliability over a year ago.
Tomi Engdahl says:
Ransomware turns even nastier: Destruction, not profit, becomes the real aim
Leaks and dumps are handing more tools for creating ransomware and other malicious software to cybercriminals.
http://www.zdnet.com/article/ransomware-turns-even-nastier-destruction-not-profit-becomes-the-real-aim/
Get used to global malware campaigns like Petya and WannaCry ransomware because Pandora’s Box has been opened and ‘destructive’ cyber attacks like these are here to stay.
The WannaCry epidemic hit organisations around the world in May with the file-encrypting malware, infecting over 300,000 PCs and crippling systems across the Americas, Europe, Russia, and China.
The Petya outbreak followed a month later, mainly targeting organisations in Ukraine, but also infecting companies around the world. It didn’t infect as many systems as WannaCry, but it came with additional destructive capabilities designed to irrecoverably wipe infected computers.
Hackers are already attempting to exploit the worm-like capabilities which made these two global attacks so successful in order to provide a boost to other types of malware – and the problem is only going to get worse, researchers at Kaspersky Lab have warned.
“Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we’ve seen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and ShadowBrokers, this is going to be a new alarming trend to deal with,” Kaspersky Lab’s Global Research and Analysis Team said in the new APT Trends report for Q2 2017.
Tomi Engdahl says:
Microsoft fixes ‘critical’ security bugs affecting all versions of Windows
Microsoft patched 48 separate vulnerabilities — the majority of which were the highest “critical” rating.
http://www.zdnet.com/article/critical-security-bugs-affect-all-windows-versions/
Microsoft has patched two security vulnerabilities affecting all supported versions of Windows.
The software giant said Tuesday that an attacker could remotely exploit a “critical”-rated remote code execution vulnerability in how Windows Search handles objects in memory, allowing a full takeover of an affected computer.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, said the company in an advisory. The attacker would have to send a specially crafted message to the Windows Search service. An attacker could then elevate privileges and “take control of the computer,” the advisory said.
It added that an unauthenticated attacker in an enterprise setting could remotely trigger the flaw through an SMB connection, which Trend Micro researchers said in a blog post is “pretty close to wormable,” referring to its spreadability.
Every supported version of Windows 7 and all versions of Windows 10, as well as Windows Server systems, are affected by the bug.
Although technical details or a proof-of-concept have not been made public and it is not known to be under active exploitation by an attacker, the company warned that there is a “more likely” chance of a future attack.
Tomi Engdahl says:
Google: Android 8.0 OTA updates will still work even when phones have no space
Google is removing one more obstacle to installing its monthly Android security updates.
http://www.zdnet.com/article/google-android-8-0-ota-updates-will-still-work-even-when-phones-have-no-space/
Google is enhancing an update system for Android that will ensure devices can install new OS versions and critical patch updates even when there’s no storage space.
Ars Technica spotted the change in new Android documentation for Google’s A/B or Seamless System Updates, which Google introduced in the Pixel and Pixel XL. The system is borrowed from the update engine in ChromeOS.
This seamless system allows users to continue using the device during an update and doesn’t require the cache partition to store OTA update packages.
Android device makers can implement A/B on Android 7.1 and up, but it’s not clear any have. If they did, it could help Google improve Android’s historically poor patching record.
For example, Google notes seamless updates helped ensure Pixel owners install its monthly security updates faster. As of May, 95 percent of Pixel owners were running the latest security update after one month, compared with 87 percent of Nexus users.
Android 8.0’s “streaming OS updates” will work even if your phone is full
Android’s new OS update scheme should banish the “insufficient space” error forever.
https://arstechnica.com/gadgets/2017/08/android-8-0s-streaming-os-updates-will-work-even-if-your-phone-is-full/
We’ve probably all had this happen at one point or another: it’s time for an OS update, and your phone wants to download a ~1GB brick of an update file. On Android, normally this gets downloaded to the user storage partition and flashed to the system partition. But wait—if your phone is full of pictures, or videos, or apps, there may not be enough space to store the update file. In such circumstances, the update fails, and the user is told to “free up some space.” According to the latest source.android.com documentation, Google has cooked up a scheme to make sure that an “insufficient space” error will never stop an update again.
Where the heck can Google store the update if your phone is full, though? If you remember in Android 7.0, Google introduced a new feature called “Seamless Updates.” This setup introduced a dual system partition scheme—a “System A” and “System B” partition. The idea is that, when it comes time to install an update, you can normally use your phone on the online “System A” partition while an update is being applied to the offline “System B” partition in the background. Rather than the many minutes of downtime that would normally occur from an update, all that was needed to apply the update was a quick reboot. At that point, the device would just switch from partition A to the newly updated partition B.
Tomi Engdahl says:
You Can Trick Self-Driving Cars By Defacing Street Signs
https://hardware.slashdot.org/story/17/08/08/2045233/you-can-trick-self-driving-cars-by-defacing-street-signs
A team of eight researchers has discovered that by altering street signs, an adversary could confuse self-driving cars and cause their machine-learning systems to misclassify signs and take wrong decisions, potentially putting the lives of passengers in danger. The idea behind this research is that an attacker could (1) print an entirely new poster and overlay it over an existing sign, or (2) attach smaller stickers on a legitimate sign in order to fool the self-driving car into thinking it’s looking at another type of street sign.
You Can Trick Self-Driving Cars by Defacing Street Signs
https://www.bleepingcomputer.com/news/security/you-can-trick-self-driving-cars-by-defacing-street-signs/
While scenario (1) will trick even human observers and there’s little chance of stopping it, scenario (2) looks like an ordinary street sign defacement and will likely affect only self-driving vehicles.
Street sign defacements fool cars in 67% to 100% of cases
Tomi Engdahl says:
70% of Windows 10 users are totally happy with our big telemetry slurp, beams Microsoft
Alternatively: 30% have found the option to switch it off
https://www.theregister.co.uk/2017/08/09/microsofts_privacy_enhancements/
Microsoft claims seven out of ten Windows 10 users are happy with Redmond gulping loads of telemetry from their computers – which isn’t that astounding when you realize it’s a default option.
In other words, 30 per cent of people have found the switch to turn it off, and the rest haven’t, don’t realize it’s there, or are genuinely OK with the data collection.
Ever since Windows 10 was released, folks have been complaining the operating system is far too grabby and that it allows Redmond to collect huge volumes of intelligence on its users. In April the software giant responded by simplifying the collection.
Tomi Engdahl says:
Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim
CDT tries to set fed trade watchdog on internet biz
https://www.theregister.co.uk/2017/08/07/hotspot_shield_deceives_with_false_privacy_promises_complaint_claims/
The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices.
AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed with the FTC, the company’s software gathers data and its privacy policy allows it to share the information.
Worryingly, it is claimed the service forces ads and JavaScript code into people’s browsers when connected through Hotspot Shield: “The VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes.”
Tomi Engdahl says:
It’s 2017 and Hyper-V can be pwned by a guest app, Windows by a search query, Office by…
Update IE, Edge, Windows, SQL Server, Office and – of course – Flash
https://www.theregister.co.uk/2017/08/08/august_patch_tuesday/
Microsoft has released the August edition of its Patch Tuesday update to address security holes in multiple products. Folks are urged to install the fixes as soon as possible before they are exploited.
Among the flaws are remote code execution holes in Windows, Internet Explorer/Edge and Flash Player, plus a guest escape in Hyper-V. Of the 48 patches issued by Redmond, 25 are rated as critical security risks.
Tomi Engdahl says:
The Man Who Wrote the Password Rules Regrets Doing So
https://it.slashdot.org/story/17/08/08/2035239/the-man-who-wrote-the-password-rules-regrets-doing-so
According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government’s password requirements regrets wasting our time on changing passwords so often. From the report: “The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of ‘NIST Special Publication 800-63. Appendix A.’ The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers — and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.
The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time
http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987
We’ve all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they’re basically useless. He is also very sorry.
The only problem is that Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.
“Much of what I did I now regret,” Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Bill is not wrong. Simple math shows that a shorter password with wacky characters is much easier to crack than a long string of easy-to-remember words.
A classic XKCD comic shows how four simple words create a passphrase that would take a computer 550 years to guess, while a nonsensical string of random characters would take approximately three days.
This is why the latest set of NIST guidelines recommends that people create long passphrases rather than gobbledygook words like the ones Bill thought were secure.
Inevitably, you have to wonder if Bill not only feels regretful but also a little embarrassed. It’s not entirely his fault either. Fifteen years ago, there was very little research into passwords and information security, while researchers can now draw on millions upon millions of examples.
Bill also wasn’t the only one to come up with some regrettable ideas in the early days of the web, either. Remember pop-up ads, the scourge of the mid-aughts internet? The inventor of those is super sorry as well.
Technology is often an exercise of trial and error. If you get something right, like Jeff Bezos or Mark Zuckerberg have done, the rewards are sweet. If you screw up and waste years of unsuspecting internet users’ time in the process, like Bill did, you get to apologize years later. We forgive you, Bill. At least some of us do.
Tomi Engdahl says:
Privacy and Security
Create an Ultra-Secure, Easy-to-Remember Passphrase Using Dice
http://gizmodo.com/create-an-ultra-secure-easy-to-remember-passphrase-usi-1694021321#_ga=2.158159546.1854159288.1502107954-122581585.1444279257
So you replaced the letter “e” with “3” and capitalized a random letter, and now you think your password is secure? Nope. Hackers (and the NSA) know those tricks, too. That’s why you should use this crazy dice technique to create a practically unbreakable passphrase.
A passphrase is inherently more secure than a password. Since it’s often a series of words, it ostensibly offers more entropy, but since many people lift language from literature, computers can easily guess the phrase.
The method takes advantage of the Diceware technique. You just roll a set of regular old six-sided dice to generate a numerical phrase that you can then translate into a random word from the Diceware word list.
Diceware.com Dice-Indexed Passphrase Word List
http://world.std.com/~reinhold/dicewarewordlist.pdf
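The arithmetic behind the two comments above (the XKCD passphrase-versus-gibberish comparison and the Diceware roll-to-word lookup), as an added example that is not code from Gizmodo, NIST or the Diceware project. It assumes the word list uses one line per entry in the form five dice digits, a tab, the word; the word-list excerpt below is constructed, not copied from the published list.

```python
import math
import secrets
from typing import Callable, Dict, List, Optional

DICEWARE_SIZE = 6 ** 5          # 7776 words, one per possible five-dice roll

# Constructed excerpt in the assumed line format (five dice digits, a tab, the word).
# The words are placeholders, not entries from the published list.
SAMPLE_WORDLIST = "11111\tabacus\n11112\tanvil\n11113\tapron\n66665\tzinc\n66666\tzoom\n"


def parse_wordlist(text: str) -> Dict[str, str]:
    """Map each five-digit dice key to its word, rejecting malformed keys."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key {key!r}")
        words[key] = word.strip()
    return words


def dice_key_to_index(key: str) -> int:
    """'11111' -> 0 ... '66666' -> 7775: a roll is a base-6 number with digits 1-6."""
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def roll_key(roll: Callable[[], int] = lambda: secrets.randbelow(6) + 1) -> str:
    """Five die rolls as a key; the default stands in for real dice with the OS CSPRNG."""
    return "".join(str(roll()) for _ in range(5))


def make_passphrase(words: Dict[str, str], n_words: int,
                    roll: Optional[Callable[[], int]] = None) -> List[str]:
    """Pick n_words by independent rolls; rerolling or hand-picking lowers the entropy."""
    chosen = []
    for _ in range(n_words):
        key = roll_key(roll) if roll is not None else roll_key()
        if key not in words:
            raise KeyError(f"roll {key} missing; load the full {DICEWARE_SIZE}-word list")
        chosen.append(words[key])
    return chosen


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` uniformly random symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every value at the given rate; the average hit takes half that."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    fixed = iter([1, 1, 1, 1, 1, 1, 1, 1, 1, 2])     # scripted rolls for the demo
    print("passphrase:", " ".join(make_passphrase(words, 2, roll=lambda: next(fixed))))
    policies = [
        ("8 random chars from the 95-symbol keyboard", entropy_bits(95, 8)),
        ("XKCD's four common words", 44.0),
        ("4 Diceware words", entropy_bits(DICEWARE_SIZE, 4)),
        ("5 Diceware words", entropy_bits(DICEWARE_SIZE, 5)),
        ("6 Diceware words", entropy_bits(DICEWARE_SIZE, 6)),
    ]
    for label, bits in policies:
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e3):.3g} years at 1000 guesses/s")
```

The 1000 guesses per second rate reproduces the comic's 550-year figure for 44 bits; an offline attack on a leaked hash database runs many orders of magnitude faster, which is why the extra words matter.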
Tomi Engdahl says:
Cyber Threats Prompt Return of Radio For Ship Navigation
https://tech.slashdot.org/story/17/08/08/2213212/cyber-threats-prompt-return-of-radio-for-ship-navigation
The risk of cyber attacks targeting ships’ satellite navigation is pushing nations to delve back through history and develop back-up systems with roots in World War Two radio technology. Ships use GPS (Global Positioning System) and other similar devices that rely on sending and receiving satellite signals, which many experts say are vulnerable to jamming by hackers. About 90 percent of world trade is transported by sea and the stakes are high in increasingly crowded shipping lanes. Unlike aircraft, ships lack a back-up navigation system and if their GPS ceases to function, they risk running aground or colliding with other vessels. South Korea is developing an alternative system using an earth-based navigation technology known as eLoran, while the United States is planning to follow suit. Britain and Russia have also explored adopting versions of the technology, which works on radio signals.
Cyber specialists say the problem with GPS and other Global Navigation Satellite Systems (GNSS) is their weak signals, which are transmitted from 12,500 miles above the Earth and can be disrupted with cheap jamming devices that are widely available. Developers of eLoran – the descendant of the loran (long-range navigation) system created during World War II – say it is difficult to jam as the average signal is an estimated 1.3 million times stronger than a GPS signal. To do so would require a powerful transmitter, large antenna and lots of power, which would be easy to detect, they add.
Cyber threats prompt return of radio for ship navigation
https://www.reuters.com/article/us-shipping-gps-cyber-idUSKBN1AN0HT
Tomi Engdahl says:
Melody Kramer / Poynter:
Interview with Jacob Hoffman-Andrews, EFF’s senior staff technologist, on increasing user trust by decreasing the use of third-party trackers
Want readers to start trusting you again? Stop stalking them across the internet
http://www.poynter.org/2017/want-readers-to-start-trusting-you-again-stop-stalking-them-across-the-internet/469730/
Last year, Steven Englehardt and Arvind Narayanan at Princeton University looked at the top 1 million sites on the internet and found that news organizations generally have more third-party trackers on them than other types of sites.
The trackers, they wrote, impede HTTPS adoption, which is offered by less than half of news sites. And the trackers often “rely on one of a handful of companies to collect the data, perform analysis or deliver ‘appropriate’ advertisements,” writes researcher Sarah Jamie Lewis in a recent paper on the centralization of tracking technologies.
“This means that the 3rd parties…have access to data from many, many of the most commonly visited websites — and as such have opportunity to build large, detailed profiles on the visitors to those websites,” she writes.
In recent months, there have been many thoughtful conversations about how to optimize news organizations around public trust. Many of these conversations are centered on what journalists can do — how we can use transparency and audience engagement techniques to build deeper and more meaningful connections with readers.
But building public trust must also involve thinking thoughtfully about the platforms and tools we use to track readers, measure behavior and determine how to monetize. It must involve thinking about the data we collect — or let others collect — and then what could be done with that data.
Tomi Engdahl says:
Fuzzing Tests Show ICS Protocols Least Mature
http://www.securityweek.com/fuzzing-tests-show-ics-protocols-least-mature
Fuzzing tests conducted last year by customers of Synopsys, a company that provides tools and services for designing chips and electronic systems, revealed that protocols used in industrial control systems (ICS) are the least mature.
Fuzzing is a testing technique designed for finding software vulnerabilities by sending malformed input to the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw and further investigation is warranted. If the number of crashes is high and the time to first failure (TTFF) is short, the likelihood of exploitable vulnerabilities increases.
Synopsys’ State of Fuzzing 2017 report is based on 4.8 billion results obtained in 2016 from tests targeting 250 protocols used in industrial, Internet of Things (IoT), automotive, financial services, government, healthcare and other sectors.
In the case of ICS, Synopsys customers tested protocols such as IEC-61850 MMS, IEC-104 Server, Modbus PLC, OPC UA, DNP3 and MQTT. There are also some protocols used for both ICS and IoT, including CIP and CoAP Server.
Many of these protocols had the TTFF within five minutes. Modbus, for instance, had 37 failures after 1.5 million tests and an average test runtime of 16 minutes. The OPC UA protocol had over 16,000 failures with a testing runtime of 4.5 hours.
In comparison, the Address Resolution Protocol (ARP), which is used to convert an IP address into a physical address and is the most mature protocol, had zero failures after over 340,000 tests with an average runtime of 30 hours.
Four of the five least mature protocols, based on average TTFF, are ICS protocols, including IEC-61850 MMS, Modbus PLC, DNP3 and MQTT.
“The protocols typically associated with ICS showed the most immaturity,”
“Many demonstrated rapid time to first failures, with IEC-61850 MMS measured in a matter of seconds. This has bearing on IoT, as many of the protocols used in ICS are also used in IoT. Clearly, more testing is needed for the protocols within ICS and IoT, as the potential for discovering more vulnerabilities is greater in these industry verticals than in others.”
State of Fuzzing 2017
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/state-of-fuzzing-2017.pdf
Fuzzing is a proven technology used to find vulnerabilities in software by sending malformed input to a target and observing the result. If the target behaves unexpectedly or crashes, then further investigation is required. That investigation may expose a vulnerability that may be exploited for malicious purposes. Fuzzing is equally valuable to those who develop software and those who consume it. It plays a role in the implementation, verification, and release phases of the software development life cycle (SDLC) and can be a vital indicator of undetected vulnerabilities (zero days) that may affect the integrity of systems already in use. The real goal of fuzzing is not merely to crash a program but to hijack it
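The failure-count and time-to-first-failure (TTFF) metrics the report describes, applied to a constructed Modbus/TCP-style request decoder, as an added example that is not Synopsys' tooling or the report's own code. The decoder, its hardened twin, the seed frame and the mutation strategies are all constructed for this demo; the only real detail used is the 7-byte MBAP header layout (transaction id, protocol id, length, unit id).

```python
import random
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

class MalformedFrame(ValueError):
    """Graceful rejection of bad input: the outcome a fuzzer expects to see."""

# Constructed, valid request: MBAP header (transaction 1, protocol 0, length 6,
# unit 1) followed by function code 3, start register 0, count 10.
SEED_FRAME = bytes.fromhex("00010000000601030000000a")

def parse_mbap_frame(frame: bytes) -> Dict[str, int]:
    """Toy decoder that trusts the declared length field (the deliberate defect):
    a frame shorter than it claims yields a short PDU that is indexed anyway."""
    if len(frame) < 7:
        raise MalformedFrame("short header")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise MalformedFrame("unknown protocol id")
    pdu = frame[7:7 + length - 1]             # may hold fewer bytes than length - 1
    fc = pdu[0]                               # IndexError on an empty PDU
    if fc not in (1, 2, 3, 4):
        raise MalformedFrame("unsupported function code")
    start, count = struct.unpack(">HH", pdu[1:5])   # struct.error when PDU is short
    return {"tid": tid, "unit": unit, "fc": fc, "start": start, "count": count}

def parse_mbap_frame_hardened(frame: bytes) -> Dict[str, int]:
    """Same decoder, but every length is checked before any byte is indexed."""
    if len(frame) < 7:
        raise MalformedFrame("short header")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise MalformedFrame("unknown protocol id")
    if length < 1 or len(frame) != 6 + length:
        raise MalformedFrame("length field disagrees with bytes received")
    pdu = frame[7:]
    if len(pdu) != 5:                          # function code + two 16-bit fields
        raise MalformedFrame("bad PDU size for a read request")
    if pdu[0] not in (1, 2, 3, 4):
        raise MalformedFrame("unsupported function code")
    start, count = struct.unpack(">HH", pdu[1:5])
    return {"tid": tid, "unit": unit, "fc": pdu[0], "start": start, "count": count}

def mutate(frame: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: bit flip, truncation, length-field rewrite
    or byte insertion. Every case derives from the seed, never from a prior case."""
    buf = bytearray(frame)
    strategy = rng.randrange(4)
    if strategy == 0:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif strategy == 1:
        del buf[rng.randrange(len(buf) + 1):]
    elif strategy == 2:
        struct.pack_into(">H", buf, 4, rng.randrange(65536))
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def classify(target: Callable[[bytes], Dict[str, int]], frame: bytes) -> str:
    """'ok', 'rejected' (MalformedFrame), or the name of an unexpected exception."""
    try:
        target(frame)
    except MalformedFrame:
        return "rejected"
    except Exception as exc:                   # any other exception is a crash class
        return type(exc).__name__
    return "ok"

@dataclass
class FuzzReport:
    iterations: int
    failures: int = 0
    first_failure_iteration: Optional[int] = None
    ttff_seconds: Optional[float] = None
    crash_classes: Dict[str, int] = field(default_factory=dict)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> FuzzReport:
    """Run mutated cases against target; count failures and record the time and
    iteration of the first one (TTFF), the metrics the report ranks protocols by."""
    rng = random.Random(rng_seed)
    report = FuzzReport(iterations=iterations)
    started = time.perf_counter()
    for i in range(iterations):
        outcome = classify(target, mutate(seed, rng))
        if outcome in ("ok", "rejected"):
            continue
        report.failures += 1
        report.crash_classes[outcome] = report.crash_classes.get(outcome, 0) + 1
        if report.first_failure_iteration is None:
            report.first_failure_iteration = i
            report.ttff_seconds = time.perf_counter() - started
    return report

if __name__ == "__main__":
    for label, target in (("trusting", parse_mbap_frame), ("hardened", parse_mbap_frame_hardened)):
        r = fuzz(target, SEED_FRAME)
        print(f"{label}: {r.failures} failures / {r.iterations} tests, first at iteration "
              f"{r.first_failure_iteration}, TTFF {r.ttff_seconds}, classes {r.crash_classes}")
```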
Tomi Engdahl says:
‘Bollywood blocks the Internet Archive’
http://www.bbc.com/news/technology-40875528
Access to the Internet Archive is being barred within India.
The move appears to be the result of two Bollywood production companies attempting to stop pirated copies of their films being viewed online within the country.
A government agency emailed the BBC copies of the court orders involved.
They list 2,650 websites that a judge ordered internet providers to block. Most are file-sharing services, but the Internet Archive is also included.
The San Francisco-based non-profit is best known for its Wayback Machine – an online tool that allows the public to see old versions of websites. It contains more than 302 billion saved web pages.
Affected users are now being shown a message saying that access has been restricted under the orders of the government’s Department of Telecommunications.
The notice had not explained the cause, which had led to confusion.
“Courts and security agencies do block certain websites and the reasons are sometimes not disclosed,” Shambhu Choudhary, the director of the government’s Press Information Bureau told the BBC.
The Internet Archive had earlier told the Medianama news site that it was also at a loss to explain the situation.
Tomi Engdahl says:
Data breaches through wearables put target squarely on IoT in 2017
http://www.cio.com/article/3154147/internet-of-things/data-breaches-through-wearables-put-target-squarely-on-iot-in-2017.html
Security needs to be baked into IoT devices for there to be any chance of halting a DDoS attack, according to security experts.
Forrester predicts that more than 500,000 internet of things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed. Drop the mic — enough said.
The sheer velocity with which distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players makes this sector scary from a security standpoint.
“Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly,” write Forrester analysts.
The analyst firm adds that when smart thermostats alone exceed 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed. Security as an afterthought for IoT devices is not an option, especially when you can’t patch IoT firmware because the vendor didn’t plan for over-the-air patching.
Alex Vaystikh, co-founder/CTO of advanced threat detection software provider SecBI, says small-to-midsize businesses and enterprises alike will suffer breaches originating from an insecure IoT device connected to the network.
The internet of insecure things: Thousands of internet-connected devices are a security disaster in the making
http://www.cio.com/article/3130468/internet-of-things/the-internet-of-insecure-things-thousands-of-internet-connected-devices-are-a-security-disaster-in-.html
Tomi Engdahl says:
Rise of the IoT machines
How can enterprises protect themselves from DDoS attacks by IoT devices?
http://www.cio.com/article/3135091/internet-of-things/rise-of-the-iot-machines.html
Tomi Engdahl says:
Exploiting the Java Deserialization Vulnerability
https://www.synopsys.com/software-integrity/resources/white-papers/java-deserialization-vulnerability.html
In the security industry, we know that operating on untrusted inputs is a significant area of risk; and for penetration testers and attackers, a frequent source of high-impact issues. Serialization is no exception to this rule, and attacks against serialization schemes are innumerable. Unfortunately, developers enticed by the efficiency and ease of reflection-based and native serialization continue to build software relying on these practices.
The research presented within this document describes the methods that Synopsys employs for post-exploitation in network-hardened environments using RCE payloads.
Tomi Engdahl says:
Security Scan Checks Binary Open Source
http://www.eetimes.com/document.asp?doc_id=1332132&
A Korean startup launched an online service that uses a novel approach to scan open source code for known security flaws. Insignary, Inc. lets users scan files of up to 5 Mbytes for free on its Web site but charges for larger files and more detailed reports.
The code looks for function and variable names and other constants that don’t vary among different compilations of a program. After identifying programs it checks open source repositories for known security flaws.
The company maintains a database compiled from hundreds of thousands of open source repositories it searches. It uses a free U.S. Homeland Security database and a licensed repository to check for published security flaws.
“Our customers say we do better on the benchmarks,” said Taejin Kang, CEO of Insignary.
The company charges a base price of $100,000 per server per year for customers to run its Insignary Clarity program on their systems. Alternatively it lets users access a complete Web service the startup hosts for $3,000 per scan.
Tomi Engdahl says:
Robert McMillan / Wall Street Journal:
How NIST ended up rewriting its 2003 password guidelines from scratch because they were largely ineffective and had a negative impact on usability
The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly—he regrets the error
https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
The man who wrote the book on password management has a confession to make: He blew it.
Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly.
The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.
The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.
Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement.
“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.
Tomi Engdahl says:
Command Execution Flaw Affects Several Version Control Systems
http://www.securityweek.com/command-execution-flaw-affects-several-version-control-systems
Several popular version control systems are affected by a potentially serious command execution vulnerability. The developers of the impacted products have released updates this week to patch the security hole.
The flaw affects version control systems such as Git (CVE-2017-1000117), Apache Subversion (CVE-2017-9800), Mercurial (CVE-2017-1000116) and CVS. No CVE identifier has been assigned for CVS as the system was last updated more than 9 years ago.
The vulnerability, discovered by Joern Schneeweisz of Recurity Labs, can be exploited by a remote attacker to execute arbitrary commands by getting the targeted user to click on a specially crafted “ssh://” URL.
“A malicious third-party can give a crafted ‘ssh://…’ URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim’s machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running ‘git clone --recurse-submodules’ to trigger the vulnerability,” Git developers explained in their security advisory.
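Git’s fix for the ssh:// issue above rejects hostnames that begin with a dash, because such a host reaches the ssh client looking like a command-line option rather than a destination. The check below, an added example that is not git’s, Subversion’s or Recurity Labs’ code, applies the same allow-list rule to every submodule URL in a .gitmodules file so it can run before a recursive clone; the .gitmodules content is constructed.

```python
import re
from typing import List, Optional, Tuple

SSH_SCHEMES = {"ssh", "git+ssh", "ssh+git"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://([^/]*)")
# scp-like form "user@host:path": no scheme and a ':' before any '/'.
SCP_LIKE_RE = re.compile(r"^(?:(?P<user>[^@/]*)@)?(?P<host>[^:/]+):")
# Allow-list shapes; anything starting with '-' (or otherwise odd) fails them.
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")
SAFE_USER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._\-]*$")
SAFE_PORT = re.compile(r"^[0-9]{1,5}$")
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
URL_RE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$")

# Constructed .gitmodules: an ordinary ssh URL, an scp-like URL, an https URL and
# one ssh URL whose host begins with a dash, the shape the 2017 fixes refuse.
SAMPLE_GITMODULES = """\
[submodule "lib/good"]
    path = lib/good
    url = ssh://git@example.com/org/good.git
[submodule "lib/scp"]
    path = lib/scp
    url = git@example.com:org/scp.git
[submodule "lib/https"]
    path = lib/https
    url = https://example.com/org/https.git
[submodule "lib/bad"]
    path = lib/bad
    url = ssh://-dash.example.com/org/bad.git
"""


def ssh_endpoint(url: str) -> Optional[Tuple[str, str, str]]:
    """(user, host, port) that an ssh-transport git URL hands to the ssh client, or
    None for other transports (https://, git://, local paths). Bracketed IPv6
    literals are not parsed here and simply end up flagged for manual review."""
    m = SCHEME_RE.match(url)
    if m:
        if m.group(1).lower() not in SSH_SCHEMES:
            return None
        user, _, hostport = m.group(2).rpartition("@")
        host, _, port = hostport.partition(":")
        return user, host, port
    m = SCP_LIKE_RE.match(url)
    if m:
        return m.group("user") or "", m.group("host"), ""
    return None


def url_problems(url: str) -> List[str]:
    """Reasons an ssh URL would be refused; empty for non-ssh or well-formed URLs."""
    endpoint = ssh_endpoint(url)
    if endpoint is None:
        return []
    user, host, port = endpoint
    problems = []
    if not SAFE_HOST.match(host):
        problems.append(f"host {host!r} does not look like a hostname")
    if user and not SAFE_USER.match(user):
        problems.append(f"user {user!r} does not look like a login name")
    if port and not SAFE_PORT.match(port):
        problems.append(f"port {port!r} is not numeric")
    return problems


def check_gitmodules(text: str) -> List[Tuple[str, str, str]]:
    """(submodule name, url, problem) for every url that fails the checks."""
    findings = []
    name = None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            name = section.group(1)
            continue
        url = URL_RE.match(line)
        if url and name is not None:
            for problem in url_problems(url.group(1)):
                findings.append((name, url.group(1), problem))
    return findings


if __name__ == "__main__":
    for name, url, problem in check_gitmodules(SAMPLE_GITMODULES):
        print(f"refuse submodule {name}: {url} ({problem})")
```

Upgrading to the patched Git, Subversion and Mercurial releases named in the article is the real fix; a check like this only adds a second line of defence for pipelines that clone untrusted projects.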
Tomi Engdahl says:
Cyberattack Leaves Millions Without Mobile Phone Service in Venezuela
http://www.securityweek.com/cyberattack-leaves-millions-without-mobile-phone-service-venezuela
A massive cyberattack that took down government websites in Venezuela earlier this week also has left seven million mobile phone users without service, the government said Thursday.
A group that calls itself The Binary Guardians claimed responsibility for attacks that targeted the websites of the government, the supreme court and the National Assembly.
“These terrorist actions which affected the Movilnet’s GSM platform on Wednesday left without communication seven of the state operator’s 13 million users,” Science and Technology Minister Hugbel Roa said.
Venezuela has two other private mobile phone operators: Spanish-owned Movistar and Digitel.
Tomi Engdahl says:
Kaspersky Details APT Trends for Q2 2017
http://www.securityweek.com/kaspersky-details-apt-trends-q2-2017
While continuing to deploy their usual set of hacking tools onto compromised systems, advanced persistent threat (APT) actors were observed leveraging zero-day vulnerabilities and quickly adopting new exploits during the second quarter of 2017, Kaspersky Lab reports.
According to the security company’s APT Trends report Q2 2017, threat actors such as Sofacy and Turla were observed using zero-day exploits targeting Microsoft’s Office and Windows products. The BlackOasis group too was associated with a zero-day that was quickly adopted by OilRig, while the Lazarus sub-group BlueNoroff adopted the National Security Agency-associated EternalBlue exploit.
In March and April, security researchers discovered three zero-day flaws the Sofacy and Turla Russian-speaking threat actors had been using in live attacks. Sofacy was associated with two vulnerabilities targeting Microsoft Office’s Encapsulated PostScript (CVE-2017-0262) and a Microsoft Windows Local Privilege Escalation (CVE-2017-0263), while Turla was targeting a different Office Encapsulated PostScript bug (CVE-2017-0261).
Tomi Engdahl says:
Disjointed Tools Challenge Security Operations: Survey
http://www.securityweek.com/disjointed-tools-challenge-security-operations-survey
Insufficient staffing levels and quality, together with poor orchestration between too many security point products mean that complete breach intolerance is an aspiration not currently achieved by today’s security operations centers (SOCs).
This is the conclusion of a new study by Forrester Consulting, commissioned by Endgame, a provider of enterprise threat protection solutions. Forrester surveyed a small number (156) of senior security decision makers (directors, C-Suite and VPs) in US companies with more than 1000 employees (84% have more than 5000 employees). The survey was conducted in May 2017.
‘Complete breach intolerance’ is defined as stopping all attacks before there is damage to systems or data loss. Breach statistics, however, show how difficult this will be. Of the companies surveyed, 92% have suffered at least one successful breach in the last year. One-third have suffered more than 20 breaches; and one-in-eight have suffered more than 50 successful breaches.
Currently unable to prevent all breaches, 64% of the organizations fear that the next breach could be the big one; or at least, it could be ‘somewhat to significantly severe’. The two biggest fears are that it could lead to a loss of revenue, and brand damage. “We have a large presence in our community,” said the CISO of a US banking company; “if we had a major breach, it would really be detrimental to our brand. Our reputation would be ruined for the most part.”
SOCs are considered an important route to preventing this and improving breach intolerance. Seventy-six percent of the organizations already operate a SOC, with another 17% planning to deploy one in the next 12 months.
Tomi Engdahl says:
Tails 3.1 is out
https://tails.boum.org/news/version_3.1/index.en.html
This release fixes many security issues and users should upgrade as soon as possible.
Tomi Engdahl says:
Microsoft Announces Windows 10 Antivirus Changes Following Kaspersky Complaint
Windows 10 Fall Creators Update to introduce AV tweaks
http://news.softpedia.com/news/microsoft-announces-windows-10-antivirus-changes-following-kaspersky-complaint-517371.shtml
Microsoft has just announced that it would make a series of changes to the way the operating system works with third-party antivirus in the Fall Creators Update, following an antitrust complaint filed by security company Kaspersky in Russia and Europe.
Microsoft is addressing several of the complaints brought forward by Kaspersky, including the limited time antivirus vendors are provided with before the release of new Windows versions in order to address compatibility issues.
Starting with the Fall Creators Update, security vendors will get the chance to look for compatibility issues in advance of each feature update, though specifics as to how much each company will get are yet to be provided.
The company, however, says that it will “increase the amount of time AV partners will have to review final builds before the next Windows 10 feature update is rolled out to customers.”
Tomi Engdahl says:
‘Adversarial DNA’ breeds buffer overflow bugs in PCs
Boffins had to break gene-reading software but were able to remotely exploit a computer
https://www.theregister.co.uk/2017/08/11/malware_in_dna/
Tomi Engdahl says:
Schoolboy bags $10,000 reward from Google with easy HTTP Host bypass
Nice birthday gift for clever kid who found a way to access web giant’s confidential info
https://www.theregister.co.uk/2017/08/10/schoolboy_google_bug_bounty_http_host/
A teenager in Uruguay has scored big after finding and reporting a bug in Google’s App Engine to view confidential internal Google documents.
While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used Burp to manipulate the Host header in web connections to Google’s App Engine. The 17-year-old’s target: webpages protected by MOMA, Google’s employees-only portal apparently named after a museum of modern art.
Normally, connecting to a private staff-only Google service requires signing in via MOMA. However, it appears not all of these services fully checked a visitor was authorized to view the content.
Burp Suite Editions
https://portswigger.net/burp
Coverage of over 100 generic vulnerabilities, such as SQL injection and cross-site scripting (XSS), with great performance against all vulnerabilities in the OWASP top 10.
Tomi Engdahl says:
Andrew Wallenstein / Variety:
Leaked email: HBO offered hackers who stole scripts, shows, and employee info a $250K bug bounty; source says the message was an HBO stalling tactic — The HBO hacker has struck yet again. — Variety has obtained a copy of another message released Thursday by the anonymous hacker …
HBO Hacker Leaks Message From HBO Offering $250,000 ‘Bounty Payment’ (EXCLUSIVE)
http://variety.com/2017/tv/news/hbo-hacker-leaks-message-from-hbo-offering-250000-bounty-payment-exclusive-1202522897/
The HBO hacker has struck yet again.
Variety has obtained a copy of another message released Thursday by the anonymous hacker to select journalists in which HBO is apparently responding to the initial video letter that was sent informing the Time Warner-owned company of the massive data breach. The message from HBO, dated July 27, features the network’s offer to make a “bounty payment” of $250,000 as part of a program in which “white hat IT professionals” are rewarded for “bringing these types of things to our attention.”
While the message takes a curiously non-confrontational tone in response to a hacker out to damage HBO, a source close to the investigation who confirmed the veracity of the email explained it was worded that way to stall for time while the company attempted to assess the serious situation. It also opened the possibility that a $250,000 payment would be enough to appease the hacker and avert the kind of leak that impacted other companies, from Sony to Netflix.
Tomi Engdahl says:
Fake Google firm shut down after probe
http://www.bbc.com/news/technology-40878392
A Manchester-based company that pretended it was linked to Google has been closed following an investigation by the UK’s Insolvency Service.
The agency said Movette had used “deceptive methods” to bill clients for the use of Google My Business – a free service provided by the US search firm.
Movette had been in business for two-and-a-half years before being wound up in the High Court.
It had received more than £500,000 in fees before the intervention.
Google My Business is a service that encourages companies to share information and images about themselves to help the tech firm display relevant listings in its Search and Maps tools.
Movette had charged its victims between £199 to £249 a year to manage their entries.
The agency said its probe had followed “a significant volume” of customer complaints.
Several clients had also posted their concerns online.
“This company contacted me telling me my Google page was about to expire and following a conversation claimed I had bought their services,” wrote one on the Who Called Me site.
“Now they hound me every day demanding money and threatening to send in bailiffs.”
Tomi Engdahl says:
Ukrainian postal service hit by 48-hour cyber-attack
http://www.bbc.com/news/technology-40886418
Ukraine’s national postal service has been hit by a two-day-long cyber-attack targeting its online system that tracks parcels.
Unknown hackers carried out a distributed denial of service (DDoS) attack against Ukrposhta’s website.
The attack began on Monday morning, but ended shortly after 21:00 local time (1900 BST).
However, Ukrposhta reported on Facebook that the DDoS attack continued again on Tuesday.
“Friends, we’ve been DDoSed,” the company said in a post on Tuesday. “During the first wave of the attack, which began yesterday in the morning, our IT services could normalise the situation, and after 17:00, all the services on the site worked properly.
“But today, hackers are at it again. Due to their actions, both the website and services are working, but slowly and with interruptions.”
‘Inadequate protection’
DDoS attacks occur when hackers flood a website’s servers with a huge amount of web traffic, with the intent of taking the website offline.
Attackers do this by secretly infecting computers, routers and Internet of Things-enabled devices, such as thermostats, washing machines and other home appliances, with malware and then roping the zombie computers into a botnet.
“With critical systems exposed to the internet and inadequate protection, denial of service attacks can have an impact way beyond taking a website down or preventing online transactions from taking place,” Sean Newman, director of Corero Network Security, told the BBC.
This is not the first time that Ukraine’s postal service has been targeted this year – in June, Ukrposhta was hit by the NotPetya ransomware attacks, as part of a wider national attack on Ukrainian banks, the state power provider, television stations and public transport services.
Tomi Engdahl says:
ANSI/TIA-5017: Telecommunications Physical Network Security Standard
http://blog.siemon.com/standards/ansitia-5017-telecommunications-physical-network-security-standard
Properly planned and installed physical network security systems can protect critical telecommunications infrastructure and components from theft, vandalism, intrusions, and unauthorized modifications. It is significantly less expensive and less disruptive to install physical network security systems during the building construction or renovation phase than during the building occupancy phase.
ANSI/TIA-5017 “Telecommunications Physical Network Security Standard” was developed by the TIA TR-42.1 Commercial Building Cabling Subcommittee and published in February, 2016. This Standard specifies requirements and guidelines to protect and secure the telecommunications infrastructure (e.g. telecommunications cables, pathways, spaces, and other elements of the physical infrastructure) in customer owned premises. It establishes three levels of physical infrastructure security and provides design guidelines, installation practices, administration, management, and other additional considerations to enhance the physical security of the telecommunications infrastructure.
ANSI/TIA-5017 Improves Physical Security for Buildings and Infrastructure
http://www.belden.com/blog/datacenters/ANSI-TIA-5017-Improves-Physical-Security-for-Buildings-and-Infrastructure.cfm
ANSI/TIA-5017 will provide specific requirements for protecting cabling infrastructure to prevent theft, sabotage and terrorism. But not only will ANSI/TIA-5017 provide guidance about guarding your telecommunications infrastructure – it can also be used to leverage infrastructure to protect other assets (people, property or premises) as a part of your overall security plan.
The document delves into areas like risk assessment, design, installation, leveraging intelligent building systems (IBSs) and administration. Although many standard documents are prescriptive, ANSI/TIA-5017 is much more descriptive. This allows each facility to develop its own security implementations that will fit current and anticipated security needs while staying within budget.
The standard maps three security levels (SL1 through SL3) you can select from to best describe the requirements of your particular installation:
SL1: Basic security
SL2: Tamper resistant
SL3: Critical security
From there, the document provides a solid framework and foundation for the thought processes, procedures and actions that will help you develop a specific security plan for either your telecommunications infrastructure itself or as part of the overall security plan for the facility – or both.
The first section of ANSI/TIA-5017 covers guidelines for risk assessments and creating a security plan relevant to your specific situation. The security plan is, or should be, a living process and approach to deal with risk management. As part of your security plan, you must:
Identify the potential for negative events and their causes
Reduce (and ideally eliminate) negative events
Limit the impacts of these events
Provide recovery from the events
Review the events and subsequent activities (whether or not there are impacts) to evolve the security plan
ANSI/TIA-5017 also includes:
Security requirements for telecommunications elements based on the appropriate security level
Security requirements for installations with protected distribution systems (PDSs)
Requirements for intrusion detection and surveillance
Use of AIM (automated infrastructure management) systems to enhance overall security
Tomi Engdahl says:
Nyshka Chandran / CNBC:
Chinese regulators are investigating Tencent’s WeChat, Baidu’s Tieba, and Sina Weibo for user-generated content that “endangers national security” — Tencent, Baidu and Sina Weibo are being investigated by Chinese cyber-security regulators for potential violations
China’s three internet giants being investigated for content that ‘endangers national security’
https://www.cnbc.com/2017/08/10/tencent-baidu-and-sina-under-investigation-for-cyber-security-violations.html
Chinese internet giants Tencent, Baidu and Sina Weibo are under investigation for cyber-security violations, the mainland’s office for cyberspace administration said on Friday.
An English translation of a notice on the office’s website said the social media platforms of the three companies — WeChat, Tieba and Weibo respectively — have users spreading “violence and terror, false rumors, obscene pornography and other content that endangers national security, public safety and social order.”
The notice said the platforms were “suspected of violating cyber-security laws and did not fulfill duties to manage information published by their users.”
Tomi Engdahl says:
WiFi Deauthentication VS WiFi Jamming: What is the difference?
http://hackaday.com/2017/08/13/wifi-deauthentication-vs-wifi-jamming-what-is-the-difference/
Terminology is something that gets us all mixed up at some point. [Seytonic] does a great job of explaining the difference between WiFi jammers and deauthenticators in the video embedded below. A lot of you will already know the difference; however, it is useful to point it out, since so many people call deauth devices “WiFi Jammers”.
In their YouTube video they go on to explain that jammers basically throw out a load of noise on all WiFi channels making the frequencies unusable in a given distance from the jammer.
WiFi deauthentication on the other hand works in a very different way. WiFi sends unencrypted packets of data called management frames. Because these are unencrypted, even if the network is using WPA2, malicious parties can send deauthentication commands which boot users off of an access point. There is hope though with 802.11w which encrypts management frames.
WiFi Jammers vs Deauthers | What’s The Difference?
https://www.youtube.com/watch?v=6m2vY2HXU60
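Added example, not from the Hackaday post or the video: a small Python detector for the deauthentication attack described above. It parses the 24-byte 802.11 MAC header (Frame Control, addresses) of raw management frames, keeps a sliding window per (BSSID, transmitter) pair, and raises an alert when deauth/disassoc frames exceed a threshold; a broadcast destination and a cleared Protected Frame bit are the fingerprints of a spoofing tool rather than a real AP. The capture is constructed inline (no radiotap header, constructed timestamps, arbitrary MACs), and the window and threshold values are assumptions to tune per site; with 802.11w the station would reject unprotected deauths outright, which is what the detector is looking for.

```python
import struct
from collections import defaultdict

MGMT_TYPE = 0           # 802.11 frame type 0 = management
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Parse the 24-byte 802.11 MAC header of a management frame.

    Expects the bare MAC frame (radiotap header already stripped). Returns
    None for control/data frames or anything too short to carry a header.
    """
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]    # Frame Control, little-endian
    if (fc >> 2) & 0x3 != MGMT_TYPE:
        return None
    return {
        "subtype": (fc >> 4) & 0xF,
        "protected": bool(fc & 0x4000),          # bit 14: Protected Frame
        "dst": frame[4:10],
        "src": frame[10:16],
        "bssid": frame[16:22],
        "body": frame[24:],
    }


def build_deauth(dst, src, bssid, reason=7, seq=0, subtype=SUBTYPE_DEAUTH):
    """Build a deauthentication (or disassociation) frame; used here only to
    construct sample traffic. Reason 7 = class 3 frame from non-associated STA."""
    fc = (MGMT_TYPE << 2) | (subtype << 4)
    header = (struct.pack("<HH", fc, 0x013A) + dst + src + bssid
              + struct.pack("<H", seq << 4))      # sequence control: seq<<4 | frag
    return header + struct.pack("<H", reason)


def detect_deauth_flood(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, raw_frame).

    One alert per (bssid, transmitter) pair that sends `threshold` or more
    deauth/disassoc frames within any `window` seconds. A broadcast
    destination is the signature of a tool kicking every client at once.
    """
    recent = defaultdict(list)      # (bssid, src) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f is None or f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (f["bssid"], f["src"])
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) >= threshold and key not in alerted:
            alerted.add(key)
            reason = struct.unpack_from("<H", f["body"], 0)[0] if len(f["body"]) >= 2 else None
            alerts.append({
                "bssid": mac_str(f["bssid"]),
                "src": mac_str(f["src"]),
                "broadcast": f["dst"] == BROADCAST,
                "reason": reason,
                "count": len(times),
                "first_ts": times[0],
                "last_ts": ts,
                # Under 802.11w a unicast deauth carries the Protected Frame bit;
                # a flood of unprotected ones is exactly what PMF is meant to stop.
                "protected": f["protected"],
            })
    return alerts


def demo_capture():
    """Constructed sample capture: 30 spoofed broadcast deauths in 1.5 s from
    an attacker impersonating the AP, one legitimate unicast deauth much later,
    and one data frame that must be ignored."""
    ap = bytes.fromhex("aabbccddeeff")
    client = bytes.fromhex("001122334455")
    cap = [(i * 0.05, build_deauth(BROADCAST, ap, ap, seq=i)) for i in range(30)]
    cap.append((12.0, build_deauth(client, ap, ap, reason=3, seq=900)))  # reason 3: STA leaving
    cap.append((12.5, b"\x08\x00" + b"\x00" * 30))                       # data frame, skipped
    return cap


if __name__ == "__main__":
    for alert in detect_deauth_flood(demo_capture()):
        print(alert)
```

On a real capture the frames come from a monitor-mode interface with a radiotap header in front; strip it (its length is in bytes 2-3) before calling the parser. Keying on (BSSID, transmitter) rather than on the transmitter alone lets the same detector flag an attacker spoofing the AP's own address.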
Tomi Engdahl says:
Infosec eggheads rig USB desk lamp to leak passwords via Bluetooth
Malicious gadgets can snoop on keypresses, other data, through ports, it is claimed
https://www.theregister.co.uk/2017/08/11/leaky_usb_research/
Malicious USB gadgets can secretly spy on data flowing in and out of devices plugged into adjacent USB ports, security researchers in Australia have warned.
For example, keypresses from a USB keyboard could be read by a specially modified thumb drive placed in the next-door port. The spy stick can pick up electrical signals leaking from one port to another; analyzing this leakage opens the door to keylogging attacks in this case.
It means miscreants can potentially read off sensitive info from a computer if they are able to get a booby-trapped thumb drive or some other evil gadget into a victim’s machine. It’s not a particularly practical or terrifying scenario, but interesting nonetheless – and definitely something to be aware of if you plug your devices into public charging points at, say, airports.
“Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub,” said Dr Yuval Yarom, research associate with the University of Adelaide’s School of Computer Science, on Thursday.
Tomi Engdahl says:
Ships fooled in GPS spoofing attack suggest Russian cyberweapon
https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/
Reports of satellite navigation problems in the Black Sea suggest that Russia may be testing a new system for spoofing GPS, New Scientist has learned. This could be the first hint of a new form of electronic warfare available to everyone from rogue nation states to petty criminals.
On 22 June, the US Maritime Administration filed a seemingly bland incident report. The master of a ship off the Russian port of Novorossiysk had discovered his GPS put him in the wrong spot – more than 32 kilometres inland, at Gelendzhik Airport.
After checking the navigation equipment was working properly, the captain contacted other nearby ships. Their AIS traces – signals from the automatic identification system used to track vessels – placed them all at the same airport. At least 20 ships were affected.
While the incident is not yet confirmed, experts think this is the first documented use of GPS misdirection – a spoofing attack that has long been warned of but never been seen in the wild.
Tomi Engdahl says:
APT28 Targets Hospitality Sector, Presents Threat to Travelers
https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.
APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.
Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder. Responder facilitates NetBIOS Name Service (NBT-NS) poisoning. This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network.
To spread through the hospitality company’s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts.
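Added example, not from the FireEye report and not Responder's own code: the NBT-NS exchange behind the poisoning step above, in Python. A host that cannot resolve a name broadcasts an NBT-NS name query on UDP/137 (RFC 1002 framing: 12-byte header, first-level encoded name, type NB); a poisoner answers every query with a positive response carrying its own IP and the victim's transaction ID, and the first answer wins. The same parser also drives the standard defensive check: broadcast queries for a name that cannot exist and flag whoever answers. Packets, addresses and the canary name are constructed inline; the exact flag values a given tool uses are not claimed here.

```python
import socket
import struct

NB_TYPE = 0x0020           # QUESTION_TYPE / RR_TYPE "NB" (RFC 1002)
IN_CLASS = 0x0001
QUERY_FLAGS = 0x0110       # opcode QUERY, broadcast (B) and recursion-desired bits
RESPONSE_FLAGS = 0x8580    # response, authoritative, RD, RA: positive name query response


def encode_netbios_name(name, suffix=0x20):
    """First-level encoding: 15 chars space-padded + 1 suffix byte, each nibble
    mapped to 'A'..'P', wrapped in a 0x20 length byte and a 0x00 terminator."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return b"\x20" + bytes(enc) + b"\x00"


def decode_netbios_name(enc):
    if len(enc) < 34 or enc[0] != 0x20:
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(1, 33, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_nbns_query(name, txid, suffix=0x20):
    """The UDP/137 broadcast a Windows host sends when it cannot resolve a name."""
    header = struct.pack(">HHHHHH", txid, QUERY_FLAGS, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def parse_nbns(pkt):
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, suffix = decode_netbios_name(pkt[off:off + 34]); off += 34
        qtype, _qclass = struct.unpack_from(">HH", pkt, off); off += 4
        questions.append((name, suffix, qtype))
    for _ in range(an):
        name, suffix = decode_netbios_name(pkt[off:off + 34]); off += 34
        _rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off); off += 10
        rdata = pkt[off:off + rdlen]; off += rdlen
        # RDATA is a list of 6-byte entries: NB_FLAGS (2) + IPv4 address (4)
        addrs = [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
        answers.append((name, suffix, addrs))
    return {"txid": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_poisoned_response(query_pkt, attacker_ip, ttl=165):
    """What a poisoner sends back: a positive answer for whatever name was asked,
    pointing at its own IP. It reuses the victim's transaction ID so the client
    accepts it; first answer wins, so the attacker beats any real host."""
    q = parse_nbns(query_pkt)
    name, suffix, _ = q["questions"][0]
    header = struct.pack(">HHHHHH", q["txid"], RESPONSE_FLAGS, 0, 1, 0, 0)
    rr = encode_netbios_name(name, suffix) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, 6)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(attacker_ip)  # unique name, B-node
    return header + rr + rdata


def detect_poisoner(canary_queries, observed):
    """Defensive check: broadcast queries for names that cannot exist and flag
    any host that answers them. canary_queries maps txid -> canary name;
    observed is a list of (source_ip, udp_payload) seen on port 137."""
    alerts = []
    for src_ip, pkt in observed:
        p = parse_nbns(pkt)
        if not p["response"] or p["txid"] not in canary_queries:
            continue
        for name, _suffix, addrs in p["answers"]:
            if name == canary_queries[p["txid"]]:
                alerts.append({"responder_ip": src_ip, "name": name, "claimed": addrs})
    return alerts


def demo():
    """Constructed exchange: victim asks for a canary name, a poisoner at
    10.0.0.66 answers, the monitor flags it."""
    canary = "CANARY-7F3A"
    query = build_nbns_query(canary, txid=0xBEEF)
    forged = build_poisoned_response(query, "10.0.0.66")
    return detect_poisoner({0xBEEF: canary}, [("10.0.0.66", forged)])


if __name__ == "__main__":
    print(demo())
```

The reason the attack yields credentials is what happens next: the victim connects to the returned IP over SMB/HTTP and authenticates, handing over a NetNTLM hash to crack or relay. The fix is to stop the broadcast resolution the poisoner depends on (disable NetBIOS over TCP/IP and LLMNR, keep a correct WPAD/DNS setup) and to require SMB signing so captured hashes cannot be relayed.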
Tomi Engdahl says:
Russian group that hacked DNC used NSA attack code in attack on hotels
Fancy Bear used Eternal Blue 3 months after it was leaked by a mysterious group.
https://arstechnica.co.uk/information-technology/2017/08/dnc-hackers-russia-nsa-hotel/
A Russian government-sponsored group accused of hacking the Democratic National Committee last year has likely been infecting other targets of interest with the help of a potent Windows exploit developed by, and later stolen from, the National Security Agency, researchers said Friday.
Tomi Engdahl says:
State of Fuzzing 2017
Where the zero days are
https://www.synopsys.com/software-integrity/resources/analyst-reports/state-of-fuzz-testing-2017.html
Fuzz testing is an excellent way to locate vulnerabilities in software. The premise is to deliver intentionally malformed input to target software and detect failure. In fact, Synopsys used its own fuzz testing technology to discover the infamous Heartbleed vulnerability in OpenSSL, which had gone unidentified for more than two years and impacted more than 500,000 websites.
In the State of Fuzzing 2017, Synopsys analyzed over 4.8 billion individual fuzz tests to identify the average time to first failure and overall maturity of protocols.
https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html
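Added example, not from the Synopsys report and not its fuzzer: a minimal mutation fuzzer in Python run against a toy handler that carries the Heartbleed class of defect on purpose (a declared length copied back without checking it against the real payload), next to the bounds-checked version. It shows the two halves the paragraph above describes, generating malformed input from a valid seed and an oracle that decides what counts as failure, and reports the iteration at which the first failure appears, the "time to first failure" the report measures. The record format, the adjacent-memory string and the mutation strategy are constructed for the example.

```python
import random

# Constructed stand-in for whatever sits next to the request buffer in memory
# (in Heartbleed it was other connections' keys and cookies).
ADJACENT_MEMORY = b"SESSION=deadbeef;COOKIE=secret"


def vulnerable_echo(packet):
    """Toy heartbeat handler with the Heartbleed defect left in on purpose:
    tag(1) | declared_len(2, big-endian) | payload. It copies declared_len
    bytes back without checking that the payload is actually that long."""
    if len(packet) < 3 or packet[0] != 0x01:
        raise ValueError("not a heartbeat request")
    declared = int.from_bytes(packet[1:3], "big")
    buf = packet[3:] + ADJACENT_MEMORY         # models the over-read past the payload
    return buf[:declared]


def fixed_echo(packet):
    """Same handler with the bounds check the OpenSSL fix added."""
    if len(packet) < 3 or packet[0] != 0x01:
        raise ValueError("not a heartbeat request")
    declared = int.from_bytes(packet[1:3], "big")
    payload = packet[3:]
    if declared > len(payload):
        raise ValueError("declared length exceeds payload")
    return payload[:declared]


def mutate(data, rng):
    """One random mutation: bit flip, boundary byte, truncation or insertion."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif op == 1 and data:
        i = rng.randrange(len(data))
        data[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2:
        del data[rng.randrange(len(data) + 1):]
    else:
        i = rng.randrange(len(data) + 1)
        data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(target, seed, iterations=2000, rng_seed=1):
    """Mutation fuzzer. Returns the first failure with the iteration it took
    (the 'time to first failure' metric), or None if nothing failed.

    Oracle: a rejected input (ValueError) is correct behaviour; any other
    exception is a crash; an echo longer than the payload we sent is a leak."""
    rng = random.Random(rng_seed)
    for i in range(1, iterations + 1):
        case = mutate(seed, rng)
        try:
            out = target(case)
        except ValueError:
            continue
        except Exception as exc:             # a fuzzer wants every other exception
            return {"iteration": i, "kind": "crash", "input": case, "detail": repr(exc)}
        if len(out) > len(case) - 3:
            return {"iteration": i, "kind": "leak", "input": case, "detail": out}
    return None


SEED = b"\x01\x00\x05hello"   # a well-formed request: 5-byte payload "hello"

if __name__ == "__main__":
    print(fuzz(vulnerable_echo, SEED))   # reports the first leaking input
    print(fuzz(fixed_echo, SEED))        # None: the bounds check holds
```

The oracle is the part that matters: a fuzzer that only watches for crashes would never see this bug, because the vulnerable handler returns normally. Real protocol fuzzers instrument the target (sanitizers, memory checkers, invariant checks on responses) so that silent over-reads of this kind become observable failures.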
Tomi Engdahl says:
Your ‘Anonymous’ Browsing Data Isn’t Actually Anonymous
https://motherboard.vice.com/en_us/article/gygx7y/your-anonymous-browsing-data-isnt-actually-anonymous
Researchers said it was “trivial” to identify users and view their browsing habits in purchased ‘anonymous’ browsing data.
A day after originally soliciting the data broker, Rosenberg received a phone call. A salesperson representing the broker gave Rosenberg the credentials she’d need to access the browsing data that was part of her free trial. The broker agreed to allow Rosenberg access to the complete browsing history of 3 million German users for one month, with the stipulation that for a part of this period, some of the browsing data would be collected live (that is, refreshed every day or so).
There was only one problem: Neither Anna Rosenberg nor the startup she claimed to represent existed.
Rosenberg was the alias of Svea Eckert, an undercover investigative journalist with the German media organization NDR who was looking into data sales practices and how difficult it is to de-anonymize the internet browsing data that is being collected and sold in bulk by third-party browser plugins.
Tomi Engdahl says:
Ex-MI5 chief warns against crackdown on encrypted messaging apps
https://www.theguardian.com/technology/2017/aug/11/ex-mi5-chief-warns-against-crackdown-encrypted-messaging-apps
Jonathan Evans says although encryption services have hampered terrorism fight he does not support curtailment of its use
A former head of MI5 has spoken out against curtailing use of encryption in messaging apps despite warning that Islamist terrorism will remain a threat for up to another 30 years.
Jonathan Evans said the terrorist threat to Britain was a “generational problem”, and suggested the Westminster Bridge attack in March may have had an energising effect on extremists.
But Lord Evans, who retired from the security service in 2013, told BBC Radio 4’s Today programme that he would not support a clampdown on use of encryption.
His comments came after Amber Rudd, the home secretary, argued that internet companies were not doing enough to tackle extremism online. She has previously singled out the use of encryption as a problem.
Acknowledging that use of encryption had hampered security agencies’ efforts to access the content of communications between extremists, Evans added: “I’m not personally one of those who thinks we should weaken encryption because I think there is a parallel issue, which is cybersecurity more broadly.
“While understandably there is a very acute concern about counter-terrorism, it is not the only threat that we face. The way in which cyberspace is being used by criminals and by governments is a potential threat to the UK’s interests more widely.
“It’s very important that we should be seen and be a country in which people can operate securely – that’s important for our commercial interests as well as our security interests, so encryption in that context is very positive.”
Looking ahead, Evans warned of the threat of a cyber-attack against the internet of things – the networking of physical devices, ranging from cars to lightbulbs to TVs – as a major issue.
“As our vehicles, air transport, our critical infrastructure is resting critically on the internet, we need to be really confident that we have secured that because our economic and daily lives are going to be dependent on the security we can put in to protect us from cyber-attack,” he said.
But the threat of Islamist terrorism was likely to remain at the fore for 20-30 years, he warned.
“I think that we are going to be facing 20 or 30 years of terrorist threats and therefore we need absolutely critically to persevere.”
“We did see a huge upsurge in threat intelligence after 7 July and I suspect that there’s the same sort of feeling in the period after the Westminster Bridge attack”
Tomi Engdahl says:
END OF HATE: ANONYMOUS NOW IN CONTROL OF DAILY STORMER
https://www.dailystormer.com/hacked-anonymous-now-in-control-of-daily-stormer/
THIS SITE IS NOW UNDER THE CONTROL OF ANONYMOUS
WE HAVE TAKEN THIS SITE IN THE NAME OF HEATHER HEYER A VICTIM OF WHITE SUPREMACIST TERRORISM
FOR TOO LONG THE DAILY STORMER AND ANDREW ANGLIN HAVE SPEWED THEIR PUTRID HATE ON THIS SITE
THAT WILL NOT BE HAPPENING ANYMORE
WE HAVE ALL OF THE DETAILS ON THE SERVERS AND WILL BE RELEASING THE DATA WHEN WE FEEL THE TIME IS RIGHT
GoDaddy bans neo-Nazi website The Daily Stormer
http://bnonews.com/news/index.php/news/id6332
Internet hosting provider GoDaddy will ban The Daily Stormer after the prominent neo-Nazi website published an article that attacked the victim of Saturday’s car-ramming attack at a protest in Charlottesville.
Tomi Engdahl says:
Hackers release more HBO episode shows: report
http://www.reuters.com/article/us-usa-hbo-cyber-idUSKCN1AU01B
Hackers have released more unaired episodes of popular HBO shows but the latest leak did not include anything on the hit series “Game of Thrones,” the Associated Press reported on Sunday.
The hackers, who broke into HBO’s computer network and have released stolen information for several weeks, provided more unaired episodes, including the popular show “Curb Your Enthusiasm,” which returns in October.
They also leaked episodes of “Insecure,” “Ballers” and “The Deuce,” according to the Associated Press.
New Game of Thrones episode leak wasn’t part of HBO hack
Aug 4, 2017
https://www.theverge.com/2017/8/4/16094764/game-of-thrones-episode-4-leak-hack-star-india-hbo
An unaired episode of Game of Thrones appeared on the internet early this morning. While HBO’s servers were breached earlier this week, The Verge has learned that this episode leak was not part of that successful hacking attempt. Sources familiar with HBO’s security breach tell The Verge that a leak from a distribution partner is the source of this episode appearing online.
The distribution partner is Star India, and the company’s logo appears watermarked throughout the leaked episode. A Star India spokesperson confirmed the leak in a statement to The Verge.
Tomi Engdahl says:
GoDaddy Has the Best Password Practices, Netflix, Spotify, Uber Have the Worst
https://www.bleepingcomputer.com/news/security/godaddy-has-the-best-password-practices-netflix-spotify-uber-have-the-worst/
The team at Dashlane — a password manager app — has analyzed the password policies of 40 popular online services and has discovered that not all websites are alike when it comes to password security, but some are worse than others.
In their latest study, researchers registered accounts on 40 sites and recorded which websites follow five simple rules:
✑ Does the website require users to have passwords that are 8 or more characters?
✑ Does the website require users to have passwords with a combination of letters, numbers, and symbols?
✑ Does the website provide an on-screen password strength meter to show users how strong their password is?
✑ Does the website feature brute-force protection as to allow 10 incorrect login attempts without providing additional security (CAPTCHA, account lockout, 2-Factor, etc.)?
✑ Does the website support 2-Factor Authentication?
Tomi Engdahl says:
Leaky PostgreSQL passwords plugged
DBAs: strap on your patching boots. Every DB in your clusters needs work
https://www.theregister.co.uk/2017/08/13/postgresql_password_flaws_fixed/
PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.
In CVE-2017-7547, a remote attacker can retrieve others’ passwords because of a user mapping bug.
The authorisation oopsie derives from the database’s handling of pg_user_mappings, allowing an authenticated remote attacker to retrieve passwords from user mappings defined by the server owner – all the way up to passwords set by the server admin.
Settle in with lots of coffee, sysadmins: after fetching the patch, there’s a set of fix commands that have to be run on every database in a cluster.
In CVE-2017-7546, the server accepts empty passwords
Tomi Engdahl says:
Top repo managers clone, then close, a nasty SSH vector
Git, Mercurial, SVN patched; CVS hasn’t got around to it yet
https://www.theregister.co.uk/2017/08/13/ssh_flaw_in_git_mercurial_svn/
Users of the world’s most popular software version control systems can be attacked when cloning a repository over SSH.
When first announced by Recurity Labs’ Joern Schneeweisz, the vulnerability was attributed to Git, Mercurial and Subversion; and over the weekend, Hank Leininger of Korelogic told the OSS-Sec list the issue also affects the ancient CVS (Concurrent Versions System).
Tomi Engdahl says:
Kremlin’s hackers ‘wield stolen NSA exploit to spy on hotel guests in Europe, Mid East’
Putin’s favorite attack dogs APT28 fingered by FireEye
https://www.theregister.co.uk/2017/08/12/hotel_hackers/