Year 2017 will not have any turn towards better data security. The internet is rife with such well-known than the unknown threats. The company’s systems are supposed to be protected.Hackers are going to continue to look for new ways to extort and steal information from businesses and organizations, which unfortunately means those businesses and organizations will have to continue to look for new ways to protect themselves.
Critical infrastructure cames under attack in 2017. Critical infrastructures must be better protected from criminals and terrorists who take advantage of modern technologies that are essential for the functioning of society and the economy. IT security functions of industrial control systems (ICS), energy grids and IoT networks needs to be improved in 2017.
There is push for better web security in 2017. Starting New Year’s Day, Google’s Chrome will begin labeling as “insecure” all websites that transmit passwords or ask for credit card details over plain text HTTP. Beginning in January 2017 (Chrome 56), HTTP sites that transmit passwords or credit cards are marked as non-secure, as part of a long-term plan to mark all HTTP sites as non-secure.
SHA-1 is insecure. Starting on Jan 1, 2017, most CAs will migrate to SHA-2 certificates, and major browser makers have already announced plans to adopt the change, including Microsoft, Google, and Mozilla. Their browsers will no longer trust sites that use SHA-1 starting with that date, and they will mark these websites as insecure. 1/3 of Websites Use SHA-1 Certificates Despite Looming Deadline. SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change.
There will be changes in how security is viewed in 2017 by businesses. We will likely see cloud adoption continue to grow across the United States, network visibility will no longer just be an option, AI and machine learning will shake old security models, and IoT-powered attacks will continue to rise. All of this will factor into how businesses set up, monitor and secure their networks.
The Commoditization of Cyberattacks Will Make Them More Frequent in 2017. More and more companies suffer from disruption to business due to cyber attacks. Cyber-attacks cause companies significant financial losses, but the studies shows that companies are not prepared for attacks. According to Gartner, by 2018 only 40 per cent of large companies have official plans in case of cyber attacks. Last year, the percentage was zero.
Strap yourself in for a bumpy ride in 2017. 2016 sucked. 2017 won’t be much better, sorry. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. It seems that 2017 promises to be the most dramatic year yet in DDoS conflict. Whale-sized DDoS attacks will increase, the IoT will become a bigger factor in DDoS and DDoS will overshadow ransomware attacks and is used for extortion. Expect to see the Internet of Things (IoT) and other connected devices play an important part in these attacks.
Biometric identification will become more common in 2017, but it will not replace passwords. Fingerprint identification has become increasingly common in smartphones and already the technology is fast and reliable. This year biometric identification devices were sold for 4.5 billion dollars (most of them go to smart phones and laptops). 91 percent of biometric sales were fingerprint sensors, four per cent of face detection and three per cent iris detection.
Biometrics Won’t Kill Passwords any time soon. Even though PIN codes and passwords are actually pretty lousy protection case against skilled cybercriminal, the password will never disappear entirely, as two per cent of the world’s population is persons with a fingerprint not suitable for biometric identifier to work. Other biometric identification systems have also similar limitations and/or are not yet commonly available at reasonable cost. While biometrics, including fingerprint-, face-, iris-, palm- and speech-recognition, will continue to grow as a more secure substitute for passwords, they will not render passwords obsolete. Until the other common biometrics become commonplace, passwords are here to stay until circa 2030.
Fights with encryption and backdoors for them is not over in 2017. Many public figures in law enforcement have consistently argued that device encryption presents a new threat to police powers of investigation. On the other side House Judiciary Committee’s Encryption Working Group report says encryption backdoors pose a security threat, siding with tech experts in their latest report . The problem is that any system allowing police to get into those encrypted system (let it be phone, computer or communications) could also be exploited by criminals. Any action in this space should weigh any short-term benefits against the longterm impacts. Many industry experts will rightly tell you there is no such thing as partial data encryption. You either have a fully capable system or none at all.
Given the security events of 2016, coupled with the rapid advancements and adoption of cloud computing, 2017 will be the year in which many finally accept that network infrastructure and security will have to be rethought from the ground up. In 2017 the cloud will become a risk for users: The cloud becoming insecure – extortion and IoT openings.
The rivalry between the network attacks and network security is in acceleration. Crippling Internet services with denial of service attacks are becoming more common throughout the world. DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. IoT-powered attacks will continue to rise and stopping the attack is not easy. For most companies the key thing is that the attack traffic is stopped before it reaches the company’s Internet connection or servers (needs to use telecom operator and external services increase). In addition to service disturbion Denial of Service Attacks are often used as distraction during the actual data burglary.DDoS may take over from ransomware as a cause for concern.
In 2017 the IT and security professionals talk about more about business risks. Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk. The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem.
In 2017 ‘Security’ Must be Added to our Existing Ethical and Philosophic Concerns Over Artificial Intelligence and Algorithms. Algorithms soon run the world. They present problems that are seriously questioned on both ethical and philosophic grounds; and they have become the basis of fictional Armageddons.
Cyber insurance will be more thoughs as on solution for handling cyber risks in 2017. The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.
In 2017 Big Brother will be watching you 24/7.Those of you who’ve read George Orwell’s book 1984 or seen the movie ,will remember how the citizens of the fictitious totalitarian state of Oceana are constantly under surveillance by order of its dictator, Big Brother. So now swap your home desktop computer, laptop or smart phone for the fictitious telescreen and not only are you sitting in front of what is a modern day version of the Big Brother telescreen you are also walking around with one in your pocket or handbag. Sound a bit far fetched to you? Well it’s set to become a reality in many countries.
Users will want better security or at least to feell more secure in 2017. Many people are prepared to to extremes for better security. According to a recent survey of over 2,000 adults conducted by Harris Poll Nearly 40% of Americans Would Give Up Sex for a Year or eating their favourite food in Exchange for Better Online Securit, meant they’d never have to worry about being hacked. When you consider that 87 percent of U.S. adults use the internet, it makes sense that cyber security is one of the biggest concerns today. The single biggest thing people can do to help keep their online identity safe is probably the easiest – a solid password – and not giving it to other people. Still nearly 50% of people have shared a password to an e-mail account or to an account like Netflix.
Security Becomes A Multi-System Issue and more people talking about the issue. Design teams will have to bake strategies in from the start, no matter how insignificant the device.The good news is that it more people talking about the issue. The real challenge is packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process. Just as devices get more sophisticated, so do hackers.The reality is that security breaches can even cause physical harm. It’s time to look at this at a multi-system, multi-disciplinary level. Otherwise, we literally could be playing with fire.
Block chains have been a big trend for several years. The block chain market is divided now when 2017 starts. During the autumn 2016, we have seen a number of initiatives on cooperation between the financial sector and consulting companies. Microsoft has chosen a platform for Ethereum-block chain and offers it to the Azure cloud service. IBM has jumped Hyperledger consortium bandwagon and offering their own block chains to Bluemix service. Google and Amazon still shine by their absence. Even banks may prefer to see the use of cloud for the block chains.
Other prediction articles worth to look:
What Lies Ahead for Cybersecurity in 2017?
Network Infrastructure, Visibility and Security in 2017
DDoS in 2017: Strap yourself in for a bumpy ride
Cybersecurity Industry Outlook: 2017 to 2021 | CSO Online
IBM’s Cybersecurity Predictions for 2017 – eForensics
https://eforensicsmag.com/ibms-cybersecurity-predictions-2017/
Top 5 Cybersecurity Threats to Watch Out for in 2017
Experts Hopeful as Confidence in Risk Assessment Falls
3,151 Comments
Tomi Engdahl says:
WordPress Delayed Disclosure of Critical Vulnerability
http://www.securityweek.com/wordpress-delayed-disclosure-critical-vulnerability
WordPress has disclosed a critical privilege escalation vulnerability patched on January 26 with the release of version 4.7.2. The developers of the content management system (CMS) said they wanted to make sure users were protected against potential attacks before making the details public.
When it announced the release of version 4.7.2, WordPress said the latest version patched three vulnerabilities, including SQL injection, cross-site scripting (XSS) and access control issues.
However, it turns out that WordPress 4.7.2 also addresses a severe privilege escalation flaw that can be exploited to hijack websites. Fortunately, there is no evidence that the weakness has been exploited in the wild.
Tomi Engdahl says:
Over 8,800 WordPress Plugins Have Flaws: Study
http://www.securityweek.com/over-8800-wordpress-plugins-have-flaws-study
Researchers at web application security firm RIPS Technologies have analyzed 44,705 of the roughly 48,000 plugins available in the official WordPress plugins directory and discovered that more than 8,800 of them are affected by at least one vulnerability.
Tomi Engdahl says:
GitLab.com luckily found lost data on a staging server
And restored itself. But the code locker lost about six hours of data for ~707 users
https://www.theregister.co.uk/2017/02/02/gitlabcom_has_found_and_restored_from_an_accidental_backup/
GitLab.com, the wannabe GitHub alternative that yesterday went down hard and reported data loss, has confirmed that some data is gone but that its services are now operational again.
Online opinion about the outage blends admiration for posting the incident report and making it public, thereby wearing the mistake. That GitLab ignored known best practice and seemingly didn’t test its backups is being widely condemned.
Tomi Engdahl says:
Joseph Cox / motherboard:
Hackers release iOS cracking tools used by Cellebrite, the Israeli firm known for breaking into phones; expert says the tools are similar to jailbreaking tools — In January, Motherboard reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite.
Hacker Dumps iOS Cracking Tools Allegedly Stolen from Cellebrite
https://motherboard.vice.com/en_us/article/hacker-dumps-ios-cracking-tools-allegedly-stolen-from-cellebrite
The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public.
Tomi Engdahl says:
Kate Conger / TechCrunch:
Snap Inc. lists hacking, phishing attacks, EU and US regulation, Brexit, and China’s Great Firewall as risks in S-1
Snap sees risks in Brexit, hacking and China’s Great Firewall
https://techcrunch.com/2017/02/02/snap-sees-risks-in-brexit-hacking-and-chinas-great-firewall/
Snapchat, which filed for its initial public offering today, sees potential risks to its business in cybersecurity and international regulation, particularly in China and the European Union.
Security breaches — and the privacy concerns that follow — have already caused problems for Snapchat, according to its filing.
“Mobile malware, viruses, hacking and phishing attacks, spamming, and improper or illegal use of Snapchat could seriously harm our business and reputation,”
“Terror and other criminal groups may use our products to promote their goals and encourage users to engage in terror and other illegal activities”
As Snap looks to expand its user base into Europe and China, it faces problems with Brexit and China’s massive internet censorship campaign.
The company also sees potential roadblocks in E.U. legislation, including a revision of the European Union Data Protection Directive that is currently under consideration and the General Data Protection Regulation, which is slated to go into effect in May of next year. Both laws could require Snap to make adjustments to the ways it manages and stores data for E.U. users.
Tomi Engdahl says:
Chaos, Progress In Mobile Payment Security
http://semiengineering.com/chaos-progress-in-mobile-payment-security/
Rapid transitions have stalled some development efforts, limited others, but improved security is on the way.
Semiconductor suppliers and their embedded software partners, internally and externally, have made tremendous strides in recent years supporting secure mobile payment processing.
It hasn’t been easy. Or simple. And it’s still evolving.
The result of those efforts, which is now set to play an increasingly important and widespread commercial role in 2017, are trusted execution environment technologies that physically separate and isolate transaction data and processing from the rest of a device’s hardware and software.
“Mobile payments is driving so much of the technologies in security today,”
A complex ecosystem
Within this ecosystem are a number of well-known and lesser-known players:
• The largest banks, including Barclaycard and Bank of America;
• EMVCo the standards and specifications consortium for the world’s credit card processors, including MasterCard, VISA and American Express/Discover;
• A long list of wireless communications carriers;
• “Wallets” such as ApplePay, SamsungPay and AndroidPay;
• “Over-the-top” payment modes, including TM, AliPay, WeChatPay, JioMoney and Pay, which are becoming a huge factor in China and India.
“The infrastructure and technology is complex,”
Trusted execution environments
Trustonic provides the trusted execution environment (TEE) in 800 million mobile devices, and can support “anything with an ARM chip in it.”
“One, how do you make that app, the digital wallet or the banking app, how you make that more secure? Two, how do you securely authenticate the user?… and three, and this is the more emerging area, how do you attest that the device is what you think it is, that it hasn’t been compromised in any way?” said Choudhury.
Conclusion
Trying to pick a winner in this market and develop semiconductor technology to tap that formula has been extremely difficult. There are too many companies with a stake in this market, and the technology itself is evolving too quickly.
But there is a widespread recognition that something needs to be done, as well as a number of competing technologies that show merit. Many of these will begin rolling out this year, at which point they can be market-tested to see whether they can withstand an increasingly devious and highly advanced network of hackers — and for how long.
Tomi Engdahl says:
IoT Security Ratings Needed
Companies are now focused on security, but so far there is no simple way to sell it.
http://semiengineering.com/iot-security-ratings-needed/
Concerns about security have been growing alongside adoption of the IoT, and it seems to be making some headway. This is good news, if it continues, because one of the biggest concerns about buying connected devices is that they can provide inroads into personal data.
Data security has been a persistent annoyance for several years.
IoT is being dragged into this, as well, even though the market for connected things is really just beginning. A good sign of this segment’s growth is that the debate about what to call it—IoT, IoE, Iox—has simmered down. Translation: People are finally getting to work on real products. Sales are up in many IoT segments, although the initial rush to develop connected watches and home appliances seems to have fizzled. Just adding an I/O subsystem into a washing machine is no guarantee that consumers will pay more for it, particularly if there is no accompanying literature about how secure it will be.
Two years ago, there was almost no security being added into these devices. Much has changed since then.
There are several measures of this.
First, startups in this area—which generally pass under the radar of financial analysts—are selling their technology to systems companies these days.
Second, established companies that sell IP are also beginning to sell secure versions of that IP. ARM has been particularly active in this space, building out its TrustZone concept into all of its IP to establish a chain of trust.
And third, anyone who has been attending security conferences lately can see that attendance is booming.
These are all good signs, but what’s missing is a standardized way of measuring all of this. If consumers could look at a device and figure out how secure it is, similar to the way Energy Star rates how much electricity an appliance will consume over a year, security would begin to determine buying decisions. Reporting a list of secure acronyms means nothing to most people. Numbering security from 1 to 10 would boost sales across the scale, and provide the impetus to close up any remaining security holes.
This would require an independent security agency to test devices, of course, but the impact on connected electronics would be enormous. Technology companies already recognize the need for security, and there is plenty of work underway to make devices more secure. But rating these devices would accelerate this process significantly.
Tomi Engdahl says:
Fixing Security Holes
Why chipmakers need to pay attention to side-channel attacks.
http://semiengineering.com/fixing-security-holes/
Connected devices can do everything from save lives to improve the quality of life. They also destroy that quality or cause harm if these things or systems of things are not secure.
Security is a complex multi-level problem. It spans the entire seven-layer OSI communication stack, as well as the software that is used to run, manage and operate hardware. And it needs to be dealt with from multiple angles, from the smallest IP block and memory to the bus that connects them together.
The goal in most cases isn’t to make devices impenetrable. Given enough time and resources, and enough incentive, even the most sophisticated security systems can be hacked. As hardware engineers, though, what we should be worrying about is slowing down the hackers, minimizing the damage, and making it unprofitable for them to hack into devices.
The best known of these approaches uses power analysis—whether simple or differential—to create what is known as a side-channel attack.
The time has come to close the loopholes, and the best way to do that is by providing incentives for companies to invest in this technology, and disincentives for those that do not.
Tomi Engdahl says:
How Ransomware Threatens Unsecured Systems
Ransomware payments hit $1 billion in 2016, and that number will only increase.
http://semiengineering.com/how-ransomware-threatens-unsecured-systems/
Cyber criminals typically use ransomware to lock systems and encrypt files, effectively denying access to data until payment is remitted. Unsurprisingly, ransomware payments for 2016 were estimated to hit a billion dollars, with some businesses paying considerable sums to unlock their data. Cyber criminals continue to set their sights on a wide range of targets, including CCTV cameras, schools, hotels and even hospitals.
Instances of ransomware are only expected to increase in 2017, as more and more vulnerable systems and “things” connect to the Internet. According to Beazley, organizations appear to be particularly vulnerable to attacks during IT system freezes, at the end of financial quarters and during busy shopping periods.
Perhaps most importantly, unprotected endpoints allow attackers to remotely access everyday physical features that are critical to maintaining routine business operations.
Although it is difficult to prevent, the frequency of successful malware attacks can be reduced by understanding that any endpoint, which may have originally been designed to work offline, is exposed to attack once it is connected to the Internet. Unfortunately, there is a common misconception that only critical infrastructure and big businesses are prone to remote attacks. Nevertheless, with connectivity and automation becoming ever more common, implementing effective security solutions should be a top priority for mid-size and small businesses.
In conclusion, simple and affordable solutions require a comprehensive solution that implements security at the transistor level (as per DHS recommendations), while protecting vulnerable endpoints and services.
Tomi Engdahl says:
Hackers Take Over Unsecured Radio Transmitters, Play Anti-Trump Song
https://tech.slashdot.org/story/17/02/02/2151255/hackers-take-over-unsecured-radio-transmitters-play-anti-trump-song
Ars Technica is reporting that “a certain model of Low Power FM radio transmitter with known vulnerabilities has been targeted in a new wave of radio-station hacks this week.” Hackers have taken advantage of an exploit that was known all the way back in April 2016 to take over terrestrial radio stations and broadcast the YG and Nipsey Hussle song “Fuck Donald Trump.”
Radio stations that ignored major vulnerability start playing anti-Trump song
Vulnerability had been known for nearly a year, flared up shortly after inauguration.
https://arstechnica.com/security/2017/02/unsecured-radio-transmitters-get-hacked-play-anti-trump-song/
A certain model of Low Power FM radio transmitter with known vulnerabilities has been targeted in a new wave of radio-station hacks this week. Armed with an exploit that was known all the way back in April 2016, hackers have commandeered terrestrial radio stations—and in apparent unity, the hackers all decided to broadcast the YG and Nipsey Hussle song “Fuck Donald Trump.”
News of the song’s unexpected playback on radio stations began emerging shortly after Trump’s inauguration on January 20, and the hack has continued to affect LPFM stations—a type of smaller-radius radio station that began to roll out after the FCC approved the designation in 2000. Over a dozen stations experienced confirmed hacks in recent weeks, with more unconfirmed reports trickling in across the nation. Thus far, the stations’ commonality isn’t the states of operation or music formats; it’s the transmitter.
Specifically, hackers have targeted products in the Barix Exstreamer line, which can decode many audio file formats and send them along for LPFM transmission. If that sounds familiar, that’s because Ars Technica reported on this kind of hack last year.
Neither that April alert nor the immediate post-inauguration burst of hacking activity spurred enough Barix Exstreamer users into taking action, leaving a population of FCC-approved LPFM stations vulnerable to invasion.
Tomi Engdahl says:
Popular Printers Pwned In Prodigious Page Prank
http://hackaday.com/2017/02/04/popular-printers-pwned-in-prodigious-page-prank/
A new day dawns, and we have another story involving insecure networked devices. This time it is printers of all makes and descriptions that are causing the panic, as people are finding mystery printouts bearing messages such as this:
“Stackoverflowin has returned to his glory, your printer is part of a botnet, the god has returned“
The real message here is one with which we expect Hackaday readers will be very familiar, and which we’ve covered before. Many network connected appliances have scant regard for security, and are a relative push-over for an attacker. The solution is relatively straightforward to those of a technical inclination, be aware of which services the devices is exposing, lock down services such as uPNP and close any open ports on your router. Unfortunately these steps are probably beyond many home users
Another one. Popped up on the printer at work
https://www.reddit.com/r/hacking/comments/5rvfk7/another_one_popped_up_on_the_printer_at_work/
Tomi Engdahl says:
33C3: Memory Deduplication, the Hacker’s Friend
http://hackaday.com/2017/02/04/33c3-memory-deduplication-the-hackers-friend/
At the 33rd annual Chaos Communications Congress, [Antonio Barresi] and [Erik Bosman] presented not one, not two, but three (3!!) great hacks that were all based on exploiting memory de-duplication in virtual machines. If you’re interested in security, you should definitely watch the talk, embedded below. And grab the slides too
Basically, it takes slightly longer to access that memory when it’s de-duplicated, because the VM has to go lookup the address of memory that’s outside of itself. If an attacker were interested in finding out if another VM was watching cat videos, he could put the cat video in his memory, wait for the VM manager to de-duplicate it, and then time how long it takes to make a modification in his memory. If it’s longer than some threshold, someone else is watching cat videos. The rest of the talk explains three exploits of this vulnerability.
lecture: Memory Deduplication: The Curse that Keeps on Giving
https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8022.html
Tomi Engdahl says:
Thought your data was safe outside America after the Microsoft ruling? Think again
US court decides Google must cough up emails held abroad
https://www.theregister.co.uk/2017/02/04/google_must_provide_emails_held_overseas/
The US Department of Justice will be happy campers this weekend. A court in Pennsylvania has ruled that Google must obey domestic search warrants for data stored overseas.
In other words, Google has to hand over to the FBI suspects’ email regardless of where it is held. The ad giant had previously refused to comply with two court orders.
Specifically, Microsoft was served a Stored Communications Act (SCA) warrant by a court in New York. The corporation successfully argued that US investigators should have gone to the Irish authorities to request access to files on the Irish servers. The DoJ’s lawyers saw it another way: that Microsoft is an American corporation and thus must always yield to American courts.
Tomi Engdahl says:
New SMB bug: How to crash Windows system with a ‘link of death’
Security researcher publishes exploit code after Microsoft drags feet on fix
https://www.theregister.co.uk/2017/02/04/windows_flaw_adds_crashing_as_a_service/
US CERT on Thursday issued a security advisory warning that all currently supported versions of Windows are vulnerable to a memory corruption bug that can be exploited to crash computers from afar.
“Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure,” the security organization said. “By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”
The vulnerability was initially rated 10 out of 10 in terms of severity, but has since been downgraded to 7.8. To make use of the vulnerability, an attacker would have to get the Windows system to connect to a malicious SMB share.
He said the bug can be used to make a target reboot either locally, via Netbios or LLMNR poisoning, or remotely via a UNC link.
Tomi Engdahl says:
A Hacker Just Pwned Over 150,000 Printers Exposed Online
https://hardware.slashdot.org/story/17/02/04/1837246/a-hacker-just-pwned-over-150000-printers-exposed-online?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Last year an attacker forced thousands of unsecured printers to spew racist and anti-semitic messages. But this year’s attack is even bigger.
A grey-hat hacker going by the name of Stackoverflowin has pwned over 150,000 printers that have been left accessible online. For the past 24 hours, Stackoverflowin has been running an automated script that searches for open printer ports and sends a rogue print job to the target’s device. The script targets IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections. From high-end multi-functional printers at corporate headquarters to lowly receipt printers in small town restaurants, all have been affected. The list includes brands such as Afico, Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki, and Samsung.
A Hacker Just Pwned Over 150,000 Printers Left Exposed Online
https://www.bleepingcomputer.com/news/security/a-hacker-just-pwned-over-150-000-printers-left-exposed-online/
A grey-hat hacker going by the name of Stackoverflowin says he’s pwned over 150,000 printers that have been left accessible online.
Speaking to Bleeping Computer, the hacker says he wanted to raise everyone’s awareness towards the dangers of leaving printers exposed online without a firewall or other security settings enabled.
For the past 24 hours, Stackoverflowin has been running an automated script that he wrote himself, which searches for open printer ports and sends a rogue print job to the target’s device.
Tomi Engdahl says:
Avast Releases Three New Decryption Tools to Fight Ransomware
There are now 14 anti-ransomware tools available from Avast
http://news.softpedia.com/news/avast-releases-three-new-decryption-tools-to-fight-ransomware-512534.shtml
With the threat now posed by ransomware, cyber security firm Avast has released three more decryption tools to help victims, reaching a total of 14 such tools.
“In the past year more than 200 new strains of ransomware were discovered, it’s growth of in-the-wild samples two-folded, but the good news is that hundreds of millions of Avast and AVG users were protected against this popular threat,” reads a blog post signed by Jakub Kroustek, reverse engineer and malware analyst at Avast.
Free Ransomware Decryption Tools
Hit by ransomware? Don’t pay the ransom!
https://www.avast.com/ransomware-decryption-tools
Tomi Engdahl says:
Dutch will count all election ballots by hand to thwart hacking
https://www.theguardian.com/world/2017/feb/02/dutch-will-count-all-election-ballots-by-hand-to-thwart-cyber-hacking
Ministers want no repeat of US-Russia controversy in the March poll that could see Geert Wilders’ far-right party win power
Dutch authorities will count by hand all the votes cast in next month’s general elections, ditching “vulnerable” computer software to thwart any cyber hacking bid, a senior minister has said.
“I cannot rule out that state actors may try to benefit from influencing political decisions and public opinion in the Netherlands,” interior minister Ronald Plasterk said in a letter to parliament on Wednesday.
On 15 March, the Netherlands kicks off a year of crucial elections in Europe which will be closely watched amid the rise of far-right and populist parties on the continent.
Tomi Engdahl says:
Jonathan Stempel / Reuters:
US Judge orders Google to comply with warrants seeking user emails stored outside the US, diverging from decision in similar Microsoft case; Google plans appeal
Google, unlike Microsoft, must turn over foreign emails: U.S. judge
http://www.reuters.com/article/us-google-usa-warrant-idUSKBN15J0ON
A U.S. judge has ordered Google to comply with search warrants seeking customer emails stored outside the United States, diverging from a federal appeals court that reached the opposite conclusion in a similar case involving Microsoft Corp (MSFT.O).
“Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States,” Rueter wrote.
Tomi Engdahl says:
Joseph Cox / motherboard:
Interview with the hacker who says he took down Freedom Hosting II, a service reportedly hosting 15-20% of dark web sites
Talking to the Hacker Who Took Down a Fifth of the Dark Web
https://motherboard.vice.com/en_us/article/talking-to-the-hacker-who-took-down-a-fifth-of-the-dark-web
On Friday, a hacker took down a huge chunk of the dark web. Visitors to over 10,000 Tor hidden services running on Freedom Hosting II—a hosting provider for dark web sites—were greeted with a perhaps surprising message, The Verge reported.
On Saturday, the hacker claiming responsibility told me in more detail how and why they took down the service.
The hacker said they first compromised the service on January 30, but only had read access
“Initially I didn’t want to take down FH2, just look through it,” the hacker said. But they then allegedly found several large child pornography sites which were using more than Freedom Hosting II’s stated allowance. Usually, Freedom Hosting II has a quota of 256MB per site, but these illegal sites comprised of gigabytes of material, the hacker claimed.
“This suggests they paid for hosting and the admin knew of those sites. That’s when I decided to take it down instead,”
the hacker has laid out a relatively simple 21 step process
The hacker said they had released a dump of system files from Freedom Hosting II, but not user data. They didn’t want to publicly distribute this because, as mentioned, it allegedly contains a high amount of child pornography. But the hacker said he will provide a copy to a security researcher who will then hand it to law enforcement.
The feds, however, might not be all that pleased.
the agency used a hacking tool to grab visitors’ IP addresses.
But now with the plethora of Freedom Hosting II child pornography sites shut down, the feds might not be able to use that sort of tactic at all.
Tomi Engdahl says:
Google, unlike Microsoft, must turn over foreign emails: U.S. judge
http://www.reuters.com/article/us-google-usa-warrant-idUSKBN15J0ON
A U.S. judge has ordered Google to comply with search warrants seeking customer emails stored outside the United States, diverging from a federal appeals court that reached the opposite conclusion in a similar case involving Microsoft Corp (MSFT.O).
Tomi Engdahl says:
Microsoft’s DRM can expose Windows-on-Tor users’ IP address
Anonymity-lovers best not watch movies as .WMV files
https://www.theregister.co.uk/2017/02/06/microsoft_drm_and_tor/
Windows users running the Tor browser can be tricked into uncloaking themselves, with a pretty straightforward trick based on Microsoft’s DRM system.
The discovery was made by Hacker House, which says it’s been researching social engineering attacks made using DRM-protected content.
What the UK-based security outfit found is that a pretty straightforward bit of social engineering – “click on this media file” – can, at the very least, reveal the user’s real IP address.
Windows DRM Social Engineering Attacks & TorBrowser
https://www.myhackerhouse.com/windows_drm_vs_torbrowser/
Tomi Engdahl says:
New SMB bug: How to crash Windows system with a ‘link of death’
Security researcher publishes exploit code after Microsoft drags feet on fix
https://www.theregister.co.uk/2017/02/04/windows_flaw_adds_crashing_as_a_service/
US CERT on Thursday issued a security advisory warning that all currently supported versions of Windows are vulnerable to a memory corruption bug that can be exploited to crash computers from afar.
“Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure,” the security organization said. “By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”
The vulnerability was initially rated 10 out of 10 in terms of severity, but has since been downgraded to 7.8. To make use of the vulnerability, an attacker would have to get the Windows system to connect to a malicious SMB share.
Vulnerability Note VU#867968
Microsoft Windows SMB Tree Connect Response denial of service vulnerability
https://www.kb.cert.org/vuls/id/867968
Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.
Description
Microsoft Windows fails to properly handle traffic from a malicious server. In particular, Windows fails to properly handle a specially-crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure. By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys. We have confirmed the crash with fully-patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2.
Tomi Engdahl says:
Thought your data was safe outside America after the Microsoft ruling? Think again
US court decides Google must cough up emails held abroad
https://www.theregister.co.uk/2017/02/04/google_must_provide_emails_held_overseas/
Tomi Engdahl says:
14,000 Domains Dropped Dyn’s DNS Service After Mirai Attack
https://it.slashdot.org/story/17/02/05/2046224/14000-domains-dropped-dyns-dns-service-after-mirai-attack
New data suggests that some 14,500 web domains stopped using Dyn’s Managed DNS service in the immediate aftermath of an October DDoS attack by the Mirai botnet. That’s around 8% of the web domains using Dyn Managed DNS… “The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai),”
Exclusive: Mirai Attack Was Costly For Dyn, Data Suggests
https://securityledger.com/2017/02/mirai-attack-was-costly-for-dyn-data-suggests/
In-brief: More than 14,000 Internet domains stopped using managed DNS services from Dyn, the New Hampshire based company, following an October botnet attack on the company, data from Bitsight suggests.
The Mirai botnet attacks that took managed Domain Name System services from New Hampshire based Dyn offline in October caused short-lived pain for Internet users trying to reach popular web sites like PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify.
The attacks may have had more lasting implications for Dyn – and other Internet companies like it- as new data suggests that around 8% of the web domains relying on Dyn’s managed DNS service dropped the service in the immediate aftermath of the attack.
“The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai),”
Dyn was one of a handful of organizations that were the victim of a series of distributed denial-of-service (DDoS) attacks starting on October 21st. The attacks were launched by a global population of Internet of Things devices like IP enabled cameras and digital video recorders (DVRs) that had been infected with malicious software known as “Mirai.”
Following the attack, 139,000 of the 145,000 domains continued to use Dyn exclusively, a loss of 6,000 domains or around 4% of the total.
The impact of the botnet attack would have hit companies that exclusively used Dyn’s services the most severely, preventing Internet users who were trying to reach those web sites, hosted web applications and other services from doing so. But the public facing outages may have only been a small part of the total impact, Dahlberg said. Companies using DYN for API (application program interface) or software updates would have been affected in many ways – not just web site availability, he said.
It is unclear whether some of the 14,500 domains that dropped Dyn’s services in the immediate aftermath of the botnet attack may have returned to Dyn.
Tomi Engdahl says:
Hello? Police? My darknet drug market was just hacked by criminals
That headline will never happen, so one darkmart just started a bug bounty program
https://www.theregister.co.uk/2017/02/06/hansa_darknet_bug_bounty/
A popular dark net marketplace hawking drugs and stolen credit cards has opened a security bug bounty offering to pay hackers for reporting vulnerabilities.
The “Hansa” marketplace announced the bounty last week inviting security researchers to disclose vulnerabilities worth up to 10 bitcoins (US$10,170) for bugs that could lead to users, vendors, or administrators.
The payouts are likely measly compared to the cash rewards on offer to hackers taking more conventional routes and exploiting vulnerabilities with blackmail or other evil acts.
https://www.reddit.com/r/HansaDarknetMarket/comments/5r3lnl/hansas_bug_bounty_program/
Tomi Engdahl says:
A Hacker Just Pwned Over 150,000 Printers Left Exposed Online
https://www.bleepingcomputer.com/news/security/a-hacker-just-pwned-over-150-000-printers-left-exposed-online/
A grey-hat hacker going by the name of Stackoverflowin says he’s pwned over 150,000 printers that have been left accessible online.
Speaking to Bleeping Computer, the hacker says he wanted to raise everyone’s awareness towards the dangers of leaving printers exposed online without a firewall or other security settings enabled.
Tomi Engdahl says:
DRM Company Denuvo Forgets To Secure Its Server, Leaks Two Years Of Emails
https://yro.slashdot.org/story/17/02/06/0642259/drm-company-denuvo-forgets-to-secure-its-server-leaks-two-years-of-emails
Denuvo “left several private directories on its website open to the public,” TorrentFreak wrote Sunday, calling it “an embarrassing blunder” for the digital rights management company. “Members of the cracking community are downloading and scrutinizing the contents,”
Denuvo Website Leaks Secret Information, Crackers Swarm
https://torrentfreak.com/crackers-swarm-as-denuvo-website-leaks-secret-information-170205/
While the folks at Denuvo are leaders in the field of video game protection, the same cannot be said about their website. In an embarrassing blunder, the company has left some directories and files open to the public and right now members of the cracking community are downloading and scrutinizing the contents.
While any leak of confidential data is a serious event, this developing situation appears to be getting worse. Within the last few minutes, more insecure directories have been discovered, some of them containing relatively large files.
Needless to say, the contents of these files will be of great interest to Denuvo’s adversaries. With that in mind, TF headed over to a platform where crackers meet and sure enough, they are extremely excited and all over this breach.
Tomi Engdahl says:
Got an OpenBSD Web server? Better patch it
DoS-able bugs splatted
https://www.theregister.co.uk/2017/02/07/got_an_openbsd_web_server_better_patch_it/
OpenBSD and two of its SSL libraries need patches against a pair of denial-of-service bugs that can crash Web-facing servers.
The first is in the operating system’s SSL implementation, specifically in the HTTP daemon. An advisory says that daemon can be crashed with repeated SSL renegotiation.
A single renegotiation thread, the post claims, can soak up 70 per cent of CPU cycles, meaning if the attacker fires multiple renegotiation threads at the target, the daemon will crash, and “there is no trace of such attacks in the httpd logs.
The second, which has been given the common vulnerabilities and exposures number CVE-2017-5850, is a memory exhaustion bug, again in the HTTP daemon.
Tomi Engdahl says:
Hacker: I made 160,000 printers spew out ASCII art around the world
Check your firewalls, people – no need to leave all this gear facing the internet
https://www.theregister.co.uk/2017/02/06/hacker_160000_printers/
Printers around the world have been hacked and instructed to churn out pages and even sales receipts of alarming ASCII art.
The messages, which began spewing from internet-connected printers on Thursday, read: “Hacked. Stackoverflowin/stack the almighty, hacker god has returned to his throne, as the greatest memegod. Your printer is part of a flaming botnet. Your printer has been pwn’d.”
The miscreant claiming responsibility, Stackoverflowin, boasts to have hijacked more than 160,000 printers from across the internet and commanded them to emit pages of ASCII art. It appears the hacked devices range from office printers to sales terminals.
“It was kind of on impulse,” Stack told The Register.
Tomi Engdahl says:
Trump’s cybersecurity strategy kinda makes sense, so why delay?
Out of all the executive orders he didn’t sign, why did it have to be that one
https://www.theregister.co.uk/2017/02/07/trump_cybersecurity_strategy_analysis/
But here’s what’s got computer security experts scratching their heads: why did Donald postpone signing a new cybersecurity executive order.
For one thing, according to a leaked draft, the order will hold US government department chiefs more accountable than ever for computer security failings. As previously reported, the executive order will require senior government leaders to implement the cybersecurity defense framework developed by NIST – America’s National Institute of Standards and Technology.
Richard Stiennon, chief strategy officer of Blancco Technology Group and author of There Will be Cyberwar, reckons the draft executive order made sense.
“Obviously more has to be done to not only protect federal agencies from cyber attack but also the nation’s critical infrastructure,” Stiennon said. “The concept of holding cabinet secretaries and agency heads accountable for the cybersecurity of their organizations is a good one. Each head of agency should take that a step further and push down accountability to those who are actually responsible.
“Each network administrator, system admin, and program manager should be held accountable for the security of their own systems. This will immediately surface major vulnerabilities as those responsible identify the obstacles to cyber defence they face.”
The first draft of the executive order called for a 60-day review of vulnerabilities in US government networks. “This will not be too burdensome since this has been done by the previous administration,” said Stiennon. “So, all that is needed is fresh look at priorities in the new reality of nation state influence and attacks.”
Rules and roles
“There are probably too many different groups claiming to be responsible for cybersecurity,” Stiennon concluded. “Centralization could clear the confusion, although Department of Defense leadership may not be the right direction. It would be better to have a separate cabinet-level cyber leader, one with the technical and policy background to offer a real contribution.”
Cybersecurity discussions in the aftermath of Trump’s unexpected success in the 2016 presidential election have centered on accusations of Kremlin interference.
Security experts speculate that the Trump administration’s delay in releasing its cybersecurity policy may be connected to a dispute with tech companies over H-1B visas, a program the Trump administration is looking to curtail against the objections of Silicon Valley.
Tomi Engdahl says:
Police drones, robo surgeons and chatbot civil servants. What could go wrong?
Reform outlines chilling vision of future in wonky research
https://www.theregister.co.uk/2017/02/06/police_drones_rob_surgeons_and_chatbot_civil_servants_what_could_go_wrong/
A think tank is calling for hundred-of-thousands of UK public sector jobs to be automated. Blighty should also take a look at using drones for policing, apparently.
The report, Work in progress. Towards a leaner, smarter public-sector workforce [PDF], by centre-right wonkers Reform reckons up to 250,000 state employees in Britain could be replaced by robots.
One chilling paragraph reads: “Various companies aim to develop artificial intelligence that can diagnose conditions more accurately than humans. The UK should evaluate drones and facial-recognition technology as alternatives to current policing practice, while recognising concerns about the holding of people’s images.”
Tomi Engdahl says:
Why does it cost 20 times as much to protect Mark Zuckerberg as Tim Cook?
Tech CEO crazy security spending rundown
https://www.theregister.co.uk/2017/02/06/why_does_it_cost_20_times_as_much_to_protect_mark_zuckerberg_as_tim_cook/
When Snap’s filed documents last week for its IPO filing, among the interesting snippets that emerged was the cost of security for its CEO Evan Spiegel: a somewhat extraordinary $890,000.
What does $890,000 buy you in terms of security and why it is necessary for the CEO of Snapchat to have that degree of protection? And how does that compare to other tech CEOs?
Perhaps unsurprisingly, companies are not all that keen on explaining exactly where the money goes beyond the legal requirements to let the SEC know the amount. But it is a safe bet that most costs fit into one of three buckets:
Protecting the CEO’s home (often homes)
Bodyguards, and
Costs of travel and protection while travelling
When it comes to security, it all depends on the number of people that a CEO feels he needs to protect him.
The cost of a four-man team, according to those that know, is between $15,000 to $20,000 a week. Few CEOs have a permanent security detail. So the cost is largely built around how much time they spend on the road and how paranoid they are.
Then there’s home security: obviously a big concern, especially if there’s children. And the cost depends on two main things: an initial security upgrade, and the size of the property. There is often a big initial cost to install new systems that can be anywhere from $25,000 to $50,000 and then there are ongoing security needs. And the larger the property, the more it costs to secure.
So who spends the most on security? Facebook CEO Mark Zuckerberg.
SEC filings show the social media giant spent a whopping $4.26m on our Mark last year.
Just for comparison, the next most expensive security arrangement is Jeff Bezos at the very healthy $1.6m
Zuckerberg is notoriously private and, let’s be honest, more than a little paranoid.
Tomi Engdahl says:
John Eggerton / Multichannel News:
House passes Email Privacy Act, an update to ECPA that will require law enforcement to get warrants for access to digital communications older than 180 days
House Passes E-mail Privacy Act
Senate yet to vote on bill
http://www.multichannel.com/news/congress/house-passes-e-mail-privacy-act/410716
The baseline bill updates the Electronic Communications Privacy Act to require the government to get a probable cause criminal warrant to access emails, social media posts and other online content stored in the cloud by internet service providers and other email service providers, like Google. In a nod to the longevity of cloud storage, it eliminates the 180-day sunset on stored communications. Previously a warrant was not required for communications stored beyond 180 days.
Tomi Engdahl says:
Rukmini Callimachi / New York Times:
How ISIS operatives anonymously and remotely direct attacks in other countries over the internet using apps like Twitter, Telegram, and ChatSecure
Not ‘Lone Wolves’ After All: How ISIS Guides World’s Terror Plots From Afar
https://www.nytimes.com/2017/02/04/world/asia/isis-messaging-app-terror-plot.html
When the Islamic State identified a promising young recruit willing to carry out an attack in one of India’s major tech hubs, the group made sure to arrange everything down to the bullets he needed to kill victims.
For 17 months, terrorist operatives guided the recruit, a young engineer named Mohammed Ibrahim Yazdani, through every step of what they planned to be the Islamic State’s first strike on Indian soil.
They vetted each new member of the cell as Mr. Yazdani recruited helpers. They taught him how to pledge allegiance to the terrorist group and securely send the statement.
And from Syria, investigators believe, the group’s virtual plotters organized for the delivery of weapons as well as the precursor chemicals used to make explosives, directing the Indian men to hidden pickup spots.
Until just moments before the arrest of the Indian cell, here last June, the Islamic State’s cyberplanners kept in near-constant touch with the men
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Google security engineer recounts how the company brought KrebsOnSecurity into Project Shield and defended the site against massive DDoS attacks
How Google fought back against a crippling IoT-powered botnet and won
Behind the scenes defending KrebsOnSecurity against record-setting DDoS attacks.
https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/
OAKLAND, Calif.—In September, KrebsOnSecurity—arguably the Internet’s most intrepid source of security news—was on the receiving end of some of the biggest distributed denial-of-service attacks ever recorded. The site soon went dark after Akamai said it would no longer provide the site with free protection, and no other DDoS mitigation services came forward to volunteer their services. A Google-operated service called Project Shield ultimately brought KrebsOnSecurity back online and has been protecting the site ever since.
At the Enigma security conference on Wednesday, a Google security engineer described some of the behind-the-scenes events that occurred shortly after Krebs asked the service for help, and in the months since, they said yes. While there was never significant hesitancy to bring him in, the engineers did what engineers always do—weighed the risks against the benefits.
“What happens if this botnet actually takes down google.com and we lose all of our revenue?” Google Security Reliability Engineer Damian Menscher recalls people asking. “But we considered [that] if the botnet can take us down, we’re probably already at risk anyway. There’s nothing stopping them from attacking us at any time. So we really had nothing to lose here.”
Tomi Engdahl says:
Web services security vulnerabilities are extremely common, occurs in Second Nature Finnish Security (2NS) has developed a new system for funding from Tekes, which companies themselves can investigate possible security flaws and monitor the web services security status in real time. The system is designed for continuous monitoring of the status of the particular business and public administration maintained by web services security.
Turva.io-called solution to detect possible deviations and vulnerabilities regular security scanning.
- In many companies, the antivirus and firewalls are already at a good level, but it is important to understand, they alone are not enough to prevent malicious hacking.
Source: http://www.etn.fi/index.php/13-news/5798-suomalainen-palvelu-skannaa-tietoturva-aukkoja
More: https://www.turva.io/
Tomi Engdahl says:
Jacob Kastrenakes / The Verge:
Vizio settles FTC lawsuit accusing it of tracking customers’ TV habits, agrees to pay $2.2M, obtain consent before collecting and sharing data, delete user data — Vizio will pay $2.2 million to settle a lawsuit alleging it collected customers’ TV-watching habits without their permission.
Vizio settles FTC lawsuit and agrees to get viewer consent before tracking TV habits
http://www.theverge.com/2017/2/6/14522582/vizio-ftc-lawsuit-tv-viewing-habits-tracking-privacy
Vizio will pay $2.2 million to settle a lawsuit alleging it collected customers’ TV-watching habits without their permission.
The lawsuit was filed by the Federal Trade Commission and the state of New Jersey. It alleged that, in 2014, Vizio began using software built into over 11 million smart TVs to capture “highly-specific, second-by-second information about television viewing.” Vizio was then said to have worked with another company to associate demographic information with each household, so that viewing habits could be paired with information like a viewer’s “sex, age, income, marital status,” and more.
In addition to the $2.2 million in payments, Vizio will now have to obtain clear consent from viewers before collecting and sharing data on their viewing habits. It’ll also have to delete all data gathered by these methods before March 1st, 2016.
Vizio doesn’t admit fault as part of the settlement, and, in a statement, said it was “pleased” with the resolution.
Tomi Engdahl says:
Will Strafach:
Researcher finds 76 popular iOS apps vulnerable to interception of TLS-protected data while in use
76 Popular Apps Confirmed Vulnerable to Silent Interception of TLS-Protected Data
https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-2c9a2409dd1
During the development of our web-based mobile app analysis service verify.ly, it was essential to have a clear understanding of the most common security issues which plague mobile applications today. Automatically scanning the binary code of applications within the Apple App Store en-masse allowed us to get a vast amount of information about these security issues.
During the testing process, I was able to confirm 76 popular iOS applications allow a silent man-in-the-middle attack to be performed on connections which should be protected by TLS (HTTPS), allowing interception and/or manipulation of data in motion.
According to Apptopia estimates, there has been a combined total of more than 18,000,000 (Eighteen Million) downloads of app versions which are confirmed to be affected by this vulnerability.
Tomi Engdahl says:
Bank card information is at risk because of the nearby payments
A large part of contactless payment cards is copied into the smart phone always the three-digit security number all the way down. Criminals resort has been known for a long time.
Small swing close enough to your wallet. After that a criminal may well be known by your name, bank card number and card expiration date.
Those data are sufficient in many online stores, such as Amazon international, to make purchases.
Most of the shops requires in addition to the card number and expiry of course, the three-digit security code, known as the CVV number. That, too, is often readily available.
- How the banks are responsible for this, it is an interesting question.
In its simplicity, the job goes like this: First, the local debit card is read remotely, for example through the wallet. Data is fed to a specific mobile application, followed by a three-digit CVV security code will test one at a time through.
The choice is a total of 1,000, so even one person to cycle through in under an hour. From the computer time is much less. Too, with the pace, however, the risk that the bank alarm systems recognize fraudulent companies, is growing.
Payment cards have always been a risk of abuse. The consumer is safe, because the risk of a bank.
- If it turns out that the card information is stolen, it can submit a complaint to the bank.
If you want to play correctly on the safe side, reading the card data is also possible to prevent. One option is the tertiary-developed physical card protection – foil around the card
Source: http://www.iltalehti.fi/uutiset/201702062200064688_uu.shtml
Tomi Engdahl says:
Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix
https://www.wired.com/2017/02/russians-engineer-brilliant-slot-machine-cheat-casinos-no-fix/
In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots
Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.
Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen
Several casinos soon discovered that they had been cheated the same way
“Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results,” the company admitted in a February 2011 notice to its customers
Recognizing those patterns would require remarkable effort.
But as the “pseudo” in the name suggests, the numbers aren’t truly random.
the operatives use their phones to record about two dozen spins on a game they aim to cheat. They upload that footage to a technical staff in St. Petersburg, who analyze the video and calculate the machine’s pattern based on what they know about the model’s pseudorandom number generator. Finally, the St. Petersburg team transmits a list of timing markers to a custom app on the operative’s phone; those markers cause the handset to vibrate roughly 0.25 seconds before the operative should press the spin button.
“The normal reaction time for a human is about a quarter of a second, which is why they do that,”
Tomi Engdahl says:
Prosecutors to seek indictment against former NSA contractor as early as this week
https://www.washingtonpost.com/world/national-security/prosecutors-to-seek-indictment-against-former-nsa-contractor-as-early-as-this-week/2017/02/06/362a22ca-ec83-11e6-9662-6eedf1627882_story.html?utm_term=.a16f097a1130
Federal prosecutors in Baltimore are expected to seek an indictment as early as this week against a former National Security Agency contractor who is accused of carrying out the biggest theft of classified information in U.S. history.
The indictment against Harold T. Martin III is expected to contain charges of violating the Espionage Act by “willfully” retaining information that relates to the national defense, including classified data such as NSA hacking tools and operational plans against “a known enemy” of the United States, according to individuals familiar with the case.
Tomi Engdahl says:
Printer Vulnerabilites Almost as Bad as IoT
http://hackaday.com/2017/02/07/printer-vulnerabilites-almost-as-bad-as-iot/
Recently ZDNet and Gizmodo published articles outlining a critical flaw in a large array of personal printers. While the number of printers with this flaw is staggering, the ramifications are even more impressive. Ultimately, any of these printers could have documents sent to them stolen even if the document was only intended to be printed as a hard copy.
Luckily the people responsible for this discovery are white-hat in nature, and the release of this information has been made public so the responsible parties can fix the security flaws. Whether or not the “responsible party” is the manufacturer of the printer, though, is still somewhat unclear because part of the exploit takes advantage of a standard that is part of almost all consumer-grade printers. The standard itself may need to be patched.
Right now, however, it doesn’t seem clear exactly how deep the rabbit hole goes.
Flaws in popular printers can let hackers easily steal printed documents
http://www.zdnet.com/article/flaws-in-popular-printers-can-let-hackers-easily-steal-printed-documents/
Thousands of internet-connected printers could allow an attacker to steal sensitive data, as well as passwords that could allow further compromise of a network.
Tomi Engdahl says:
keybase.io:
Keybase unveils end-to-end encrypted desktop chat apps that uses usernames from other sites instead of phone numbers or emails as secure addresses
Introducing Keybase Chat
https://keybase.io/blog/keybase-chat
Tomi Engdahl says:
Dustin Volz / Reuters:
NSA contractor Harold Martin faces 20 criminal counts in connection with theft of 50TB+ of data, the largest theft of classified government information ever
NSA contractor indicted over mammoth theft of classified data
http://www.reuters.com/article/us-usa-cybersecurity-nsa-contractor-idUSKBN15N2N4
A former National Security Agency contractor was indicted on Wednesday by a federal grand jury on charges he willfully retained national defense information, in what U.S. officials have said may have been the largest heist of classified government information in history.
The indictment alleges that Harold Thomas Martin, 52, spent up to 20 years stealing highly sensitive government material from the U.S. intelligence community related to national defense, collecting a trove of secrets he hoarded at his home in Glen Burnie, Maryland.
The government has not said what, if anything, Martin did with the stolen data.
Tomi Engdahl says:
HTTPS Security Weakened by AV Products, Middleboxes: Study
http://www.securityweek.com/https-security-weakened-antiviruses-middleboxes-study
An increasing number of antiviruses and network appliances intercept TLS connections to gain visibility into encrypted traffic, but in many cases this weakens connection security and introduces vulnerabilities, according to a new study.
The study, focusing on the security impact of HTTPS interception, was carried out last summer by researchers at Mozilla, Google, CloudFlare, the University of Michigan, the University of Illinois Urbana-Champaign, the University of California Berkeley, and the International Computer Science Institute.
Experts have analyzed the TLS handshakes associated with web browsers, security products and malware, and created a set of heuristics designed to allow web servers to detect HTTPS interception and identify the product responsible.
Tests were conducted by deploying these heuristics on Mozilla’s Firefox update servers, the CloudFlare content distribution network (CDN), and some major e-commerce websites. The analysis showed that 4% of the Firefox connections, 6.2% of the e-commerce connections, and nearly 11% of US-based CloudFlare connections were intercepted.
Worryingly, 97% of the Firefox, 54% of the CloudFlare and 32% of the e-commerce connections that were intercepted became less secure. More than 62% of the middlebox connections were weakened and over 58% had severe vulnerabilities.
The Security Impact of HTTPS Interception
https://zakird.com/papers/https_interception.pdf
Tomi Engdahl says:
Two-thirds of Enterprises Usually Breached by White Hat Hackers
http://www.securityweek.com/two-thirds-enterprises-usually-breached-white-hat-hackers
Analysis of 128 penetration tests conducted in the fourth quarter of 2016 shows that approximately two-thirds of tested companies were successfully breached. This is despite the limited time — in 89% of cases, less than two weeks — available to the pentesters compared to the effectively unlimited time available to blackhat attackers.
Rapid7, which was appointed a CVE numbering authority in December 2016, analyzed 128 of the engagements it undertook in the closing months of last year. These involved both internal testing and external testing. In most cases the client company was more interested in external testing (67.2%) over internal testing (21.1%). A few (8.6%) combined both internal and external tests, while a smaller number of tests (3.1%) were neither (code and IoT audits, for example).
External pentests involved testing web sites, phishing, VPNs and so on. Internal tests looked at, for example, network misconfigurations, software, and wifi. Although there were fewer internal tests, states Rapid7, “Overall, penetration testers successfully compromised the target organization through software vulnerabilities or network misconfigurations just over 80% of the time.”
Tomi Engdahl says:
Russia Detains Nine ‘Hackers’ Over $17 Million Bank Thefts
http://www.securityweek.com/russia-detains-nine-hackers-over-17-million-bank-thefts
Russia has detained nine people alleged to be part of a cybercrime ring accused of stealing some $17 million dollars from bank accounts, the interior ministry said Wednesday.
The detentions followed a nationwide manhunt. The FSB security agency launched a major operation last year against the alleged 50-strong “hacker group” that pilfered more than one billion rubles ($16.8 million, 15.8 million euros) since 2013, the statement said.
“Nine individuals suspected of participating in hacking attacks were detained on January 25,” ministry spokeswoman Irina Volk said. One was placed under arrest.
Tomi Engdahl says:
Sophos to Acquire Invincea for up to $120 Million
http://www.securityweek.com/sophos-acquire-invincea-120-million
IT security firm Sophos announced on Wednesday that it has agreed to acquire Invincea, a provider of endpoint security solutions that leverage virtual containers to protect against advanced malware and other threats.
Under the terms of the agreement Sophos will pay $100 million in cash to buy the endpoint protection firm, with a possible $20 million earn-out.
Tomi Engdahl says:
Absolute Extends Self-Healing Capabilities to Third-Party Software
http://www.securityweek.com/absolute-extends-self-healing-capabilities-third-party-software
Vancouver, Canada-based endpoint security company Absolute announced this week the launch of a new product that provides self-healing capabilities to third-party security and management applications.
Absolute’s Persistence technology is embedded in the firmware of over one billion PCs and mobile devices from manufacturers such as Dell, ASUS, HP, Microsoft, Lenovo, Acer, Samsung, Toshiba, Panasonic and Fujitsu. This approach aims to ensure that IT teams are provided uncompromised visibility and real-time remediation capabilities for devices, data and applications.
The company’s Absolute Device & Data Security (DDS) product is designed to allow organizations to monitor endpoints and data stored on computers and cloud storage devices, and quickly address incidents.
Absolute has now announced the availability of Application Persistence, a product that provides self-healing capabilities to third-party endpoint controls, including antiviruses, VPNs, encryption, and management tools.
Tomi Engdahl says:
The Role of the Network in Preventing Dyn 2.0
http://www.securityweek.com/role-network-preventing-dyn-20
Much has been said about the DDoS attacks on Dyn and the subsequent security issues surrounding IoT devices. In late 2016, hackers exploited hundreds of thousands of IoT devices, such as security cameras and DVRs, to cause massive internet outages over a prolonged period of time.
While this attack has resulted in an uproar of conversation about how we can enhance IoT security, the truth of the matter is that there are fundamental security issues that simply cannot be fixed with the industry’s current approach. DDoS attacks and the like are really just a symptom of the larger issues we are facing as an industry when it comes to botnets and securing IoT devices.
The current approach towards preventing botnets and securing IoT devices has serious limitations. As we saw with the Dyn attack, many IoT devices in the market are inherently insecure. Why? Simple business priorities. The margins on these consumer devices are very small and many of the smaller manufacturers who produce these devices are unable or unwilling to invest enough in security. Simple security fixes like not relying on default passwords may seem like an obvious mitigation, but many smaller companies struggle to implement it.
Even when devices do integrate some form of security, consumers rarely act on these capabilities. Many consumers are either unaware that there are measures they have to take to secure their devices – such as changing the default password or performing software updates – or, they are unwilling to apply these measures. This also adds to the perpetual issue of insecure devices being able to be used for botnets.
These examples indicate that there is no perfect solution currently being implemented that enables truly secure IoT. Instead of putting the onus on the devices, consumers or cloud providers, these attacks need to be stopped at the network level – any further out and they become almost impossible to contain. Every attack, no matter where it originates or where it is headed, has to traverse the network at one point or another. Stopping these attacks and bad traffic at the network level, by placing enforcement points in more parts of the network, directly addresses the problem without relying on the endpoints themselves to be secure.
For enterprises, this means ensuring you have a fully secure network, with security capabilities woven throughout the network to stop attacks at any point.
For consumers, this shifts the responsibility away from these other parties and directly onto those who have the best ability to fix the issue: the service providers. Service providers have always faced a certain level of liability when it comes to keeping their customers up and running. They have service level agreements (SLAs) for availability, so why not have SLAs for security? As a matter of fact, the aggregation of IoT devices is what allowed the DDoS to overwhelm Dyn. What if you could have stopped it earlier in the network before it built up momentum at an aggregation point? This is valid not only from a liability perspective, but also because SPs have a real opportunity to provide a necessary service to their customers.